
xor reg1, reg1 is not always simplified to reg1 = 0

Status: Open. xusheng6 opened this issue 1 year ago (0 comments).

When we have some code like

xor edx, edx
jne 0x18
(screenshot of the disassembly)

The LLIL simplifies the xor instruction to edx = 0, and the jne instruction is treated as an opaque predicate and removed in the higher-level ILs.

LLIL:

(LLIL screenshot)

MLIL:

(MLIL screenshot)

HLIL:

(HLIL screenshot)

This works perfectly for the above example; however, I noticed that it does not work all of the time. See below for an example:

(screenshot of the disassembly graph)

This is an opaque predicate as well and the left branch is fake. The code always executes the right branch.

LLIL:

(LLIL screenshot)

MLIL:

(MLIL screenshot)

HLIL:

(HLIL screenshot)

While the semantics of the code are still correct and we can see it is still an opaque predicate, we should be able to simplify it automatically.

Database:

Offending binary:

keygenme4.exe.bndb.zip

Address: 0x416ed5

Simple case: xor_simple.bndb.zip

xusheng6, Oct 19 '24
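To make the simplification the issue describes concrete (`xor reg, reg` folded to `reg = 0`, the following `jne` recognised as an opaque predicate and dropped), here is an added toy constant-propagation pass in Python. It is illustration code written for this page, not Binary Ninja's LLIL/MLIL implementation; the tuple-based mini-ISA, the `simplify` function and every sample block are constructed. It goes slightly beyond the exact case in the issue: it also folds the same pattern through `sub reg, reg`, immediate-operand ALU instructions and `test`/`cmp`, and it shows why an intervening flag-clobbering instruction with an unknown operand has to stop the fold.

```python
"""
Toy constant-propagation pass in the spirit of the LLIL -> MLIL -> HLIL
simplification described in the issue: fold `xor r, r` / `sub r, r` into
`r = 0`, track the zero flag, and turn conditional jumps whose outcome is
already known (opaque predicates) into an unconditional jump or nothing.

Added illustration only; this is NOT Binary Ninja's own IL code.  The
instruction tuples form a constructed mini x86-like ISA with 32-bit registers.
"""
from typing import Dict, List, Optional, Tuple, Union

MASK32 = 0xFFFFFFFF
Operand = Union[str, int]
Instr = Tuple  # ("xor", "edx", "edx"), ("jne", 0x18), ("mov", "ecx", 7), ...

# Conditional jumps that depend only on ZF, and the ZF value on which they jump.
ZF_JUMPS = {"je": True, "jz": True, "jne": False, "jnz": False}

# ALU operations we can constant-fold (all of them set ZF from the result).
ALU = {
    "xor": lambda a, b: a ^ b,
    "sub": lambda a, b: (a - b) & MASK32,
    "add": lambda a, b: (a + b) & MASK32,
    "and": lambda a, b: a & b,
    "or": lambda a, b: a | b,
}


def simplify(block: List[Instr]):
    """Return (simplified_block, opaque_predicates).

    opaque_predicates lists (index, mnemonic, always_taken) for every
    conditional jump in `block` whose outcome is fixed by a known ZF.
    """
    regs: Dict[str, int] = {}  # register -> known constant value
    zf: Optional[bool] = None  # known zero flag; None = unknown
    out: List[Instr] = []
    opaque: List[Tuple[int, str, bool]] = []

    def value(opnd: Operand) -> Optional[int]:
        return opnd if isinstance(opnd, int) else regs.get(opnd)

    for idx, ins in enumerate(block):
        op = ins[0]
        if op in ("xor", "sub") and ins[1] == ins[2]:
            # r ^ r and r - r are 0 whatever r holds, and ZF becomes set.
            regs[ins[1]] = 0
            zf = True
            out.append(("set", ins[1], 0))
        elif op == "mov":
            dst, v = ins[1], value(ins[2])
            if v is None:
                regs.pop(dst, None)
            else:
                regs[dst] = v
            out.append(ins)  # mov leaves the flags untouched
        elif op in ALU:
            dst, a, b = ins[1], value(ins[1]), value(ins[2])
            if a is None or b is None:
                # Unknown operand: both the result and ZF are now unknown,
                # so a later ZF-based jump must be kept as a real branch.
                regs.pop(dst, None)
                zf = None
                out.append(ins)
            else:
                res = ALU[op](a, b)
                regs[dst] = res
                zf = res == 0
                out.append(("set", dst, res))
        elif op in ("test", "cmp"):
            a, b = value(ins[1]), value(ins[2])
            if a is None or b is None:
                zf = None
            elif op == "test":
                zf = (a & b) == 0
            else:
                zf = a == b
            out.append(ins)
        elif op in ZF_JUMPS:
            if zf is None:
                out.append(ins)  # genuine branch, keep it
            else:
                taken = zf == ZF_JUMPS[op]
                opaque.append((idx, op, taken))
                if taken:
                    out.append(("jmp", ins[1]))
                # A never-taken jump is dropped: fall-through is the only successor.
        else:
            # Any other instruction may write registers or flags; be conservative.
            regs.clear()
            zf = None
            out.append(ins)
    return out, opaque


if __name__ == "__main__":
    # Constructed sample blocks; the first mirrors the issue's simple case.
    samples = {
        "xor edx, edx; jne": [("xor", "edx", "edx"), ("jne", 0x18)],
        "clobbered flags": [("xor", "edx", "edx"), ("add", "edx", "ebx"), ("jne", 0x18)],
    }
    for name, blk in samples.items():
        print(name, "->", simplify(blk))
```

The `("set", reg, value)` tuples play the role of the `edx = 0` assignment the LLIL shows, and the dropped `jne` corresponds to the branch that disappears in MLIL/HLIL. The "clobbered flags" sample is the caveat a real pass has to respect: once an instruction with an unknown operand rewrites ZF, the following conditional jump is a real branch again and must not be removed.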