Thanks to Sean Barrett for helping me compile his bb86 app. I let it rip on this code snippet from the Unnamed RE Project. It’s interesting stuff. I omitted the push, pop, and ret instructions since basic blocks pertain to linear sequences of load, store, and arithmetic instructions:
$ ./bb86 < ~/basic-block.asm
Warning: unknown opcode 'bswap' in line 9
mem1 EQU dword+(ebp_0)+08
mem5 EQU dword+(mem4)+((mem3 >> 03))
mem4 EQU dword+(mem1)+10
mem3 EQU dword+(mem1)+04
mem2 EQU dword+(ebp_0)+0c
eax = ((mem5 < < cl_0) >> cl_0)
ebx = mem4
ecx = (00000020 - mem2)
edx = (mem3 >> 03)
esi = mem2
edi = mem1
Floating point stack:
st(0) = fp3
st(1) = fp2
st(2) = fp1
st(3) = fp0
[dword+(mem1)+04] < = (mem3 + mem2)
I am pretty sure that all of those register states are true at the end of the block, though they are listed in the traditional sequence rather than the logical order. I.e., cl needs to be set before eax could be correct.
I tried out bb86 on a basic block of floating point instructions (using a computation I understand, like the distance between 2 points, rather than a Fourier transform), and it was less than successful (crash). But I can not fault the program since I am feeding it data disassembled by objdump (-Mintel) rather than Microsoft's official format. Again, bb86 is an interesting effort, and I was impressed when I examined the output of test.asm that was packaged with the code (seen in Sean's original comment).
Every now and then, someone comes along and writes a short novel of a comment on an older post. Such was the case when Sean Barrett used the occasion of my What RE Looks Like post to take three hours of his rather busy life and compose a “symbolic executor” — a basic block decompiler. It’s a valiant effort and I would like to try my hand at it, as with all RE tools. I am having trouble compiling the source he posted (I converted CR format, but I am still having trouble with missing symbols from his custom library-in-a-header-file). It works on Microsoft-compatible disassembly output but probably would not be too hard to adapt for ‘objdump -Mintel’ in the GNU toolchain.
Many people have gone down this basic block disassembly road. The details are hazy but I seem to recall that I have made the journey as well. It’s a good thing I keep this blog as a journal. I guess the reason I can’t remember what my experiment was called is because it was the “Unnamed RE Project”. It looks like all I accomplished there was straight ASM -> C translation without any effort at higher level language abstraction.
Anyway, I still maintain that figuring out the overriding purpose of these basic blocks is not the biggest challenge in traditional binary reverse engineering– indeed, I personally consider it the most interesting part. No, what I think is the toughest part is figuring out — or more likely guessing — what the sometimes hundreds of referenced variables are actually used for, and assigning them appropriate names. The biggest nightmare is when functions pass around multiple gigantic nested structures and actually use a bunch of variables within.
In other words, true understanding of the underlying algorithm is the goal. But, Sean, I still want to try your tool.
Sometime ago, I complained about all those survey requests that F/OSS developers receive from grad students who insist on surveying people from an academic post vs. obtaining real employment. Normally, I ignore them summarily (and then get testy when the authors send multiple notices or actively follow up to demand why I have not done my part).
However, I have recently been getting survey spam with a slightly different focus. One Marcus Dapp, a Ph.D. student somewhere in Swiss-land, is conducting an exclusive, invitation-only survey about how software patents impact free software projects. Apparently, he doesn’t read Slashdot or any of the thousands of other geek sites out there that consistently lament the topic.
Ironically, I received the survey invite due to my activity with the old TuxNES project (because it’s a Sourceforge project and it’s technically “active” — 89.76% activity last week? huh?), and not due to being on the forefront of the IP powder keg that is multimedia technology. For TuxNES and other 8-bit NES emulators, the patent situation is fairly cut and dried — the NES hardware patents expired years ago.
I started a new effort tonight: I created a mirror of multimedia-related technical documents. I found some documents on my hard drive that have no official home on the internet. Further, it is entirely possible that other documents could disappear at any time. So I am maintaining this mirror. Plus, I have tons of webspace and bandwidth to burn with my hosting plan.
The Wiki page will maintain links to both local mirrors and official links, if official links still exist. The primary Wiki page for a particular subject should link to the official link if it exists, and have a note about the local link as well.
So if you have any orphaned documents laying around that belong on this mirror, please let me know. Things such as MPEG drafts have always been fair game; final MPEG drafts — the kinds for which currency must be exchanged — are not acceptable.