binaryninja-api
PPC isel instruction
Version and Platform (required):
- Binary Ninja Version: 4.1.5902 personal and 4.1.5747 enterprise
- OS: Ubuntu
- OS Version: 22.04
- CPU Architecture: amd64
Bug Description: Pseudo C didn't make any sense for the function. Disassembly view shows:
isel r3, r9, r3, ERR_FLAG_NAME
Steps To Reproduce: Make an empty binary:
9421fff07c0802a63860000a388000019001001438a1000838000000900100084bfffeed800100083d20beef3c60face2f800000800100147c691f9e382100107c0803a64e800020
Disassemble as BE ppc32
Mine looks like:
00000000 9421fff0 stwu r1, -16(r1) {var_10} {arg_0}
00000004 7c0802a6 mflr r0
00000008 3860000a li r3, 0xa
0000000c 38800001 li r4, 0x1
00000010 90010014 stw r0, 20(r1) {arg_4}
00000014 38a10008 addi r5, r1, 0x8 {var_8}
00000018 38000000 li r0, 0x0
0000001c 90010008 stw r0, 8(r1) {var_8} {sub_0}
00000020 4bfffeed bl 0xffffffffffffff0c
00000024 80010008 lwz r0, 8(r1) {var_8}
00000028 3d20beef lis r9, 0xbeef
0000002c 3c60face lis r3, 0xface
00000030 2f800000 cmpwi cr7, r0, 0x0
00000034 80010014 lwz r0, 20(r1) {arg_4}
00000038 7c691f9e isel r3, r9, r3, ERR_FLAG_NAME {0xbeef0000} {0xface0000}
0000003c 38210010 addi r1, r1, 0x10
00000040 7c0803a6 mtlr r0
00000044 4e800020 blr
The instruction at offset 0x20 I think is signature int32_t do_thing(int32_t, int32_t, uint32_t* retval);
IDA Pro HexRays produced:
int32_t retval;
do_thing(0xa, 1, &retval)
if (retval)
return 0xbeef0000;
return 0xface0000;
versus pseudo C:
00000000 {
0000001c int32_t var_8 = 0;
⚠️00000020 0xffffff0c(0xa, 1, &var_8);
00000038 bool ERR_FLAG_NAME;
00000038
00000038 if (ERR_FLAG_NAME)
00000038 return 0xbeef0000;
00000038
00000038 return 0xface0000;
00000000 }
Expected Behavior: Branch should depend on value of var_8
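As an added illustration (not part of the report and not Binary Ninja's own PPC lifter), the following decoder works out from the raw instruction words which condition register bit the isel at 0x38 actually reads, and evaluates the cmpwi/isel pair on a given var_8. Field positions follow the Power ISA encodings for cmpwi (D-form, primary opcode 11) and isel (A-form, opcode 31, extended opcode 15); the instruction words and register values are the ones from the listing above, embedded as constructed sample input. The crb field decodes to CR bit 30, which is cr7.eq, the field written by cmpwi cr7, r0, 0 after r0 was loaded from var_8, so the selected return value depends on whether var_8 is zero.

```python
"""Decode the PowerPC cmpwi / isel pair from the listing and evaluate
what the selected value depends on. Example code written for this page,
not Binary Ninja's lifter; encodings are from the Power ISA."""

# Constructed sample input: instruction words copied from the listing.
CMPWI_CR7_R0_0 = 0x2F800000   # 00000030  cmpwi cr7, r0, 0x0
ISEL_R3_R9_R3 = 0x7C691F9E    # 00000038  isel r3, r9, r3, <crb>

CR_BIT_NAMES = ("lt", "gt", "eq", "so")


def bits(word, start, end):
    """Extract bit field [start, end] in Power ISA numbering (bit 0 = MSB)."""
    width = end - start + 1
    return (word >> (31 - end)) & ((1 << width) - 1)


def decode_isel(word):
    """isel rD, rA, rB, crb: rD = rA if CR[crb] else rB."""
    if bits(word, 0, 5) != 31 or bits(word, 26, 30) != 15:
        raise ValueError("not an isel encoding")
    crb = bits(word, 21, 25)
    return {
        "rD": bits(word, 6, 10),
        "rA": bits(word, 11, 15),
        "rB": bits(word, 16, 20),
        "crb": crb,
        # CR bit n lives in field n // 4, position n % 4 (lt, gt, eq, so)
        "cond": "cr%d.%s" % (crb // 4, CR_BIT_NAMES[crb % 4]),
    }


def decode_cmpwi(word):
    """cmpwi crfD, rA, simm (cmpi with L=0): signed 32-bit compare."""
    if bits(word, 0, 5) != 11:
        raise ValueError("not a cmpwi encoding")
    simm = bits(word, 16, 31)
    if simm & 0x8000:               # sign-extend the 16-bit immediate
        simm -= 0x10000
    return {"crfD": bits(word, 6, 8), "rA": bits(word, 11, 15), "simm": simm}


def cmpw_flags(a, b):
    """Signed 32-bit compare -> (lt, gt, eq, so) as the CR field holds them."""
    def s32(x):
        x &= 0xFFFFFFFF
        return x - 0x100000000 if x & 0x80000000 else x
    a, b = s32(a), s32(b)
    return (a < b, a > b, a == b, False)   # SO is copied from XER; assumed clear


def execute(var_8, r9=0xBEEF0000, r3=0xFACE0000):
    """Run the listing's lwz/cmpwi/isel on var_8 and return the resulting r3.

    r9 and r3 default to the values set up by the two lis instructions."""
    regs = {0: var_8 & 0xFFFFFFFF, 3: r3, 9: r9}    # lwz r0, 8(r1) -> r0 = var_8
    cmp = decode_cmpwi(CMPWI_CR7_R0_0)
    cr = {cmp["crfD"]: cmpw_flags(regs[cmp["rA"]], cmp["simm"])}
    sel = decode_isel(ISEL_R3_R9_R3)
    cond = cr[sel["crb"] // 4][sel["crb"] % 4]
    regs[sel["rD"]] = regs[sel["rA"]] if cond else regs[sel["rB"]]
    return regs[3]


if __name__ == "__main__":
    print(decode_isel(ISEL_R3_R9_R3))
    for v in (0, 1, -5):
        print("var_8 = %d -> r3 = 0x%08x" % (v, execute(v)))
```

Running it prints the decoded fields (crb = 30, condition cr7.eq) and shows r3 resolving to 0xbeef0000 only for var_8 == 0, which is the dependency the pseudo C output should express instead of an undefined ERR_FLAG_NAME.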