This repository was archived by the owner on Jul 8, 2025. It is now read-only.

The FlowChart() contains the basic blocks outside the function. #73

@bjchan9an

Description


The following is the listing shown by IDA Pro. The function sub_3000 is in .plt. Although it is not user-defined code, it is regarded as a function by IDA Pro. I found that when calling FlowChart() on these functions, python-idb includes the basic blocks outside of the function. This behavior does not match the logic of IDA Pro.

.plt:0000000000003000 sub_3000        proc near               ; CODE XREF: .plt:000000000000301B↓j
.plt:0000000000003000                                         ; .plt:000000000000302B↓j ...
.plt:0000000000003000 ; __unwind {
.plt:0000000000003000                 push    cs:qword_226E58
.plt:0000000000003006                 jmp     cs:qword_226E60
.plt:0000000000003006 sub_3000        endp
.plt:0000000000003006
.plt:0000000000003006 ; ---------------------------------------------------------------------------
.plt:000000000000300C                 align 10h
.plt:0000000000003010 ; [00000006 BYTES: COLLAPSED FUNCTION _free. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:0000000000003016 ; ---------------------------------------------------------------------------
.plt:0000000000003016                 push    0
.plt:000000000000301B                 jmp     sub_3000
.plt:0000000000003020 ; [00000006 BYTES: COLLAPSED FUNCTION _putchar. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:0000000000003026 ; ---------------------------------------------------------------------------
.plt:0000000000003026                 push    1
.plt:000000000000302B                 jmp     sub_3000
.plt:0000000000003030 ; [00000006 BYTES: COLLAPSED FUNCTION ___vfprintf_chk. PRESS CTRL-NUMPAD+ TO EXPAND]
.plt:0000000000003036 ; ---------------------------------------------------------------------------
.plt:0000000000003036                 push    2
.plt:000000000000303B                 jmp     sub_3000
.plt:0000000000003040 ; [00000006 BYTES: COLLAPSED FUNCTION ___errno_location. PRESS CTRL-NUMPAD+ TO EXPAND]

In IDA pro:

Python>func = idaapi.get_func(0x3000)
Python>[hex(x.startEA) for x in idaapi.FlowChart(func)]
['0x3000L']

In python-idb:

In [4]: func = api.idaapi.get_func(0x3000)

In [5]: hex(func.startEA)
Out[5]: '0x3000'

In [6]: hex(func.endEA)
Out[6]: '0x300c'

In [7]: [hex(x.startEA) for x in api.idaapi.FlowChart(func)]
Out[7]: 
['0x3000',
 '0x3116',
 '0x3086',
 '0x31a6',
 '0x31e6',
 '0x3226',
 '0x3266',
 '0x32a6',
 '0x3096',
...
]

I think a mitigation method is to check whether each basic block is in the range (func.startEA, func.endEA) in FlowChart().
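The following is an added, self-contained reproduction of the symptom and of the proposed bounds check; it is not python-idb's code and does not read an IDB. The block layout and the cross-references are constructed from the .plt listing above (sub_3000 at 0x3000-0x300c, and the `push N ; jmp sub_3000` trampolines at 0x3016, 0x3026 and 0x3036). To reproduce the extra blocks, the walk is assumed to follow predecessor xrefs as well as successors, which is what pulls every trampoline that jumps to sub_3000 into the graph; the `bounded` flag applies the [func.startEA, func.endEA) check suggested in this issue.

```python
from collections import defaultdict, deque


class BasicBlock:
    """Minimal stand-in for the objects FlowChart() yields (startEA/endEA only)."""

    def __init__(self, startEA, endEA):
        self.startEA = startEA
        self.endEA = endEA

    def __repr__(self):
        return "BasicBlock(%#x-%#x)" % (self.startEA, self.endEA)


# Constructed model of the .plt listing in this issue (block start -> block end).
# sub_3000 is the lazy-binding resolver stub; the blocks at 0x3016/0x3026/0x3036
# are "push N ; jmp sub_3000" trampolines that IDA leaves outside sub_3000
# (func.endEA is 0x300c).
BLOCKS = {
    0x3000: 0x300c,  # push cs:qword_226E58 ; jmp cs:qword_226E60
    0x3016: 0x3020,  # push 0 ; jmp sub_3000
    0x3026: 0x3030,  # push 1 ; jmp sub_3000
    0x3036: 0x3040,  # push 2 ; jmp sub_3000
}

# Code cross-references (from, to), i.e. the "CODE XREF ... j" lines above.
# "jmp cs:qword_226E60" at 0x3006 is indirect with no resolved target, so
# sub_3000 itself has no outgoing edge in this model.
EDGES = [
    (0x3016, 0x3000),
    (0x3026, 0x3000),
    (0x3036, 0x3000),
]


def flowchart(func_start, func_end, blocks=BLOCKS, edges=EDGES, bounded=True):
    """Worklist walk of the CFG starting at the function entry.

    Assumption (to reproduce the symptom): the walk follows both successor and
    predecessor xrefs. Without `bounded`, every trampoline that jumps to the
    entry is collected. With `bounded`, only blocks whose start lies in
    [func_start, func_end) are kept, which is the mitigation proposed above.
    """
    succs, preds = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        succs[src].add(dst)
        preds[dst].add(src)

    def in_func(ea):
        return func_start <= ea < func_end

    seen, order = set(), []
    queue = deque([func_start])
    while queue:
        ea = queue.popleft()
        if ea in seen or ea not in blocks:
            continue
        if bounded and not in_func(ea):
            continue  # block belongs to another function (or to none): stop here
        seen.add(ea)
        order.append(BasicBlock(ea, blocks[ea]))
        for nxt in sorted(succs[ea] | preds[ea]):
            queue.append(nxt)
    return order


def block_starts(func_start, func_end, bounded=True):
    """Start addresses of the blocks FlowChart-style walk returns, in visit order."""
    return [bb.startEA for bb in flowchart(func_start, func_end, bounded=bounded)]


if __name__ == "__main__":
    print("unbounded:", [hex(ea) for ea in block_starts(0x3000, 0x300c, bounded=False)])
    print("bounded:  ", [hex(ea) for ea in block_starts(0x3000, 0x300c, bounded=True)])
```

Running it prints four blocks for the unbounded walk (the entry plus the three trampolines that jump to it) and only 0x3000 for the bounded walk, matching what IDA Pro returns for `FlowChart(get_func(0x3000))`. The same check also keeps a walk that starts in one of the trampolines from wandering into sub_3000 and, through its predecessors, into every other trampoline.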
