
Recognize va_start

Open joelreymont opened this issue 1 year ago • 0 comments

Version and Platform (required):

  • Binary Ninja Version: 4.1.5260-dev, 7f6bb9ee
  • OS: macos
  • OS Version: 14.4
  • CPU Architecture: arm64

Internal binary major dine favor.

IDA Pro

// IDA Pro decompilation of DjiLogger_UserLogOutput, quoted in the issue to
// show that IDA recognises the va_start idiom (compare the Binary Ninja output
// that follows). What the listing shows: fetch the OSAL handler, allocate a
// 0x180-byte buffer from it, vsnprintf the caller's format into that buffer,
// hand the result to DjiLogger_Output, then free the buffer.
char *DjiLogger_UserLogOutput(int a1, char *fmt, ...)
{
  char *result; // x0 -- also reused as the NULL-check temporary for osal and buffer
  __va_list_tag va[1]; // [xsp+10h] [xbp+10h] BYREF -- the va_list actually consumed by vsnprintf
  char *format; // [xsp+30h] [xbp+30h]
  int v5; // [xsp+3Ch] [xbp+3Ch]
  __va_list_tag va1[1]; // [xsp+40h] [xbp+40h] BYREF -- started below but never read in this listing
  char *buffer; // [xsp+60h] [xbp+60h]
  T_DjiOsalHandler *osal; // [xsp+68h] [xbp+68h]

  v5 = a1;
  format = fmt;
  osal = DjiPlatform_GetOsalHandler();
  // Presumably an API-usage telemetry hook; its effect is not visible here.
  DjiDataBuriedPoint_ApiHitRecord("DjiLogger_UserLogOutput", 176LL);
  result = (char *)osal;
  if ( osal )
  {
    // 0x180 bytes: the same bound is passed to vsnprintf below, so the
    // formatted write cannot run past the allocation.
    result = (char *)osal->Malloc(0x180LL);
    buffer = result;
    if ( result )
    {
      // Two va_start calls and no matching va_end: presumably a decompiler
      // artifact rather than source behaviour (only `va` is used) -- confirm
      // against the binary.
      va_start(va1, fmt);
      va_start(va, fmt);
      // `format` is the caller's fmt used directly as the format string, so
      // callers of this API must not supply it from untrusted data; the
      // result is then forwarded safely through a fixed "%s" below.
      vsnprintf(buffer, 0x180uLL, format, (__gnuc_va_list *)va);
      DjiLogger_Output("user", v5, "%s", buffer);
      // Free's return value is cast to char * and returned as the result;
      // whether callers rely on it cannot be told from here.
      return (char *)((__int64 (__fastcall *)(char *))osal->Free)(buffer);
    }
  }
  return result;
}

Note that IDA recognizes va_start above; compare this with the Binary Ninja decompilation below.

000815d0  char* DjiLogger_UserLogOutput(int32_t a1, char* fmt, ...)

000815d8      char var_e4 = a1.b
000815e0      char* functionname
000815e0      char* functionname_1 = functionname
000815e4      int32_t linenum
000815e4      int64_t linenum_1 = linenum
000815e8      int64_t x4
000815e8      int64_t var_20 = x4
000815ec      int64_t x5
000815ec      int64_t var_18 = x5
000815f0      int64_t x6
000815f0      int64_t var_10 = x6
000815f4      int64_t x7
000815f4      int64_t var_8 = x7
000815f8      int128_t v0
000815f8      int128_t var_b0 = v0
000815fc      int128_t v1
000815fc      int128_t var_a0 = v1
00081600      int128_t v2
00081600      int128_t var_90 = v2
00081604      int128_t v3
00081604      int128_t var_80 = v3
00081608      int128_t v4
00081608      int128_t var_70 = v4
0008160c      int128_t v5
0008160c      int128_t var_60 = v5
00081610      int128_t v6
00081610      int128_t var_50 = v6
00081614      int128_t v7
00081614      int128_t var_40 = v7
00081618      struct T_DjiOsalHandler* osal = DjiPlatform_GetOsalHandler()
00081630      struct T_DjiOsalHandler* result = osal
00081638      if (result != 0)
0008164c          char* buffer = osal->Malloc(size: 0x180)
00081650          result = buffer
00081658          if (result != 0)
00081670              char** var_d0_1 = &functionname_1
00081678              int32_t var_c8_1 = 0xffffffd0
00081680              int32_t var_c4_1 = 0xffffff80
00081690              void* ap = &arg_0
00081698              char** var_100_1 = var_d0_1
00081698              int64_t var_f8_1 = var_c8_1.q
000816b0              vsnprintf(str: buffer, size: 0x180, format: fmt, ap: &ap)
000816d0              DjiLogger_Output(level: "user", fmt: zx.q(var_e4), &data_13e5a8, buffer)
000816e0              result = osal->Free(ptr: buffer)
000816f8      return result

joelreymont, May 10 '24 10:05