I'm reversing a binary in which I came across a function that has some structure written to the stack. However, a key part of that structure is written in a subroutine. Or, more specifically:
a bl instruction is called,
at the point that is branched to, a value is put onto the stack,
the subroutine is returned from
other values are put onto the stack to complete the structure
This behavior is a bit confusing to me, as I thought branching messed with the stack pointer. However, that doesn't seem to be the case here. Does Ghidra have any facilities to better recover stack frames that are written to like this?
I ended up having to change the local size of the stack frame, as even Ghidra failed to see this stack write and deduced that the stack frame was smaller than it should be (at least, I think that's what happened). Regardless, this ultimately does not help in analysis. I wrote code to find such structures and mark them up, and it does not work on cases like these. I (what I thought was) reasonably assumed that the structures would be written to the stack via instructions all in the same routine. That appears to not always be the case.
EDIT: Marking the subroutine as "inline" seems to have worked (at least for the decomp, I'll look more into it).
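The "inline" workaround described above can be scripted. The following Ghidra script is an added example written for this page, not code from the discussion or from the Ghidra project; it assumes the cursor is inside the caller and uses the heuristic (an assumption) that a callee which never modifies the stack pointer has no frame of its own, so its sp-relative stores land in the caller's frame.

```java
// Added example: mark frameless callees of the current function as inline so the
// decompiler attributes their stack stores to the caller's frame.
// Assumption: run from the Script Manager with the cursor inside the caller.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.lang.Register;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.Instruction;
import java.util.Set;

public class InlineFramelessCallees extends GhidraScript {

    @Override
    public void run() throws Exception {
        Function caller = getFunctionContaining(currentAddress);
        if (caller == null) {
            println("Place the cursor inside the caller first.");
            return;
        }
        Register sp = currentProgram.getCompilerSpec().getStackPointer();
        Set<Function> callees = caller.getCalledFunctions(monitor);
        for (Function callee : callees) {
            if (callee.isExternal() || callee.isThunk() || callee.isInline()) {
                continue;
            }
            if (!isFrameless(callee, sp)) {
                continue;
            }
            // GhidraScript.run() already executes inside a transaction.
            callee.setInline(true);
            println("Marked " + callee.getName() + " inline: it never adjusts SP, so its "
                + "stack stores belong to " + caller.getName() + "'s frame");
        }
    }

    // Heuristic (assumption): if no instruction in the callee writes the stack
    // pointer (no push/sub sp), the callee sets up no frame of its own.
    private boolean isFrameless(Function f, Register sp) {
        for (Instruction ins : currentProgram.getListing().getInstructions(f.getBody(), true)) {
            for (Object written : ins.getResultObjects()) {
                if (written instanceof Register && sp.equals(written)) {
                    return false;
                }
            }
        }
        return true;
    }
}
```

After running it, re-open the caller in the decompiler; you may still need to set the caller's local frame size so the structure's full extent is recovered.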