Missing data cross reference due to resetting IDA's analysis flag
I ran McSema on a binary compiled by clang 3.9.0. The compiled binary is at link
And I found that McSema misses a data cross reference at address 0x456a70, which is supposed to refer to 0x45fba0.
This is McSema's log:
Not making reference (A) from 456a70 to 45fba0
I used the nm binary to check the symbols at addresses 0x456a70 and 0x45fba0; it is a reference.
The binary with debug information is at link

And the source code related to the symbol is:

I checked the source code of McSema, and it turns out that at this location, the full flags of 0x45fba0 are 0. But when I check the flags in my IDA Pro (7.0), the result is 0x9000. It seems that you reset IDA Pro's analysis flag at this location, which leads to this situation.
I found this problem with the help of my collaborator @junxzm1990.
@pgoodman
In fact, we do not quite understand why McSEMA alters the default INF_AF options in IDA: https://github.com/trailofbits/mcsema/blob/master/tools/mcsema_disass/ida7/get_cfg.py#L1623
I can fill this in.
When we were working with IDA 6.x, the default auto-analysis was too eager and would find incorrect references often enough to cause us a lot of problems. We disabled it, and attempt to manually identify references by looking for "pointer-like" things in code and data sections, and verifying how "sane" they look.
Can you try to debug why it's not making a reference? Looking at the log output, it seems like some check is failing?
Thank you for your answer!
It tries to make a reference at these two locations (link1 and link2) by using the make_xref function. And in make_xref, it performs a check at link3:
if not idc.get_full_flags(to_ea) or is_invalid_ea(to_ea):
However, the result of idc.get_full_flags(0x45fba0) is 0 if INF_AF is reset to 0xdfff.
And the log that mcsema produces is at link4. I hope it can help you. Thanks!
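
Added example (not code from McSema or from anyone in this thread): a stand-alone Python decoder for the two flag words reported above, 0x9000 and 0, using the FF_* bit values from IDA's idc.py. The helper names are hypothetical, and `xref_rejected_by_flags` models only the flags half of the quoted make_xref guard.

```python
# Added example: decode IDA "full flags" words without needing IDA itself.
# Bit values mirror the FF_* constants in IDA's idc.py / bytes.hpp.
FF_IVL = 0x00000100   # byte has an initialized value
MS_CLS = 0x00000600   # mask for the item class
CLASSES = {0x000: "unknown", 0x200: "tail", 0x400: "data", 0x600: "code"}
COMMON_BITS = [
    (0x00000800, "FF_COMM"),  # has a comment
    (0x00001000, "FF_REF"),   # has references to it
    (0x00002000, "FF_LINE"),  # has extra lines
    (0x00004000, "FF_NAME"),  # has a user-defined name
    (0x00008000, "FF_LABL"),  # has a dummy (auto-generated) name
    (0x00010000, "FF_FLOW"),  # execution flows in from the previous instruction
]


def decode_flags(flags):
    """Split a flags word into value bit, item class and common state bits."""
    return {
        "has_value": bool(flags & FF_IVL),
        "item_class": CLASSES[flags & MS_CLS],
        "bits": [name for bit, name in COMMON_BITS if flags & bit],
    }


def lost_bits(with_default_af, with_reset_af):
    """Names of the state bits present in the first word but not the second."""
    gone = with_default_af & ~with_reset_af
    return [name for bit, name in COMMON_BITS if gone & bit]


def xref_rejected_by_flags(flags):
    """Flags half of the guard quoted in the thread: `not get_full_flags(to_ea)`."""
    return not flags


if __name__ == "__main__":
    # Values reported in the thread for 0x45fba0.
    default_af, reset_af = 0x9000, 0x0
    print("default INF_AF:", decode_flags(default_af))
    print("reset INF_AF:  ", decode_flags(reset_af))
    print("bits lost:     ", lost_bits(default_af, reset_af))
    print("guard rejects with reset INF_AF:", xref_rejected_by_flags(reset_af))
```

The word 0x9000 carries only FF_REF and FF_LABL, with no value bit and no item class, so a guard that treats a zero flags word as "no such address" depends entirely on those two bits being present.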