public void HPSC_DiscardNodes()
{
Given_Image32(
0x0010000,
"55 8B EC a1 32 12 1a 12 5D c3");
Given_x86_32();
Given_RewriterHost();
Given_NoImportedProcedures();
mr.ReplayAll();
When_DisassembleProcedure();
var hps = new HeuristicProcedureScanner(program, proc, host);
hps.BlockConflictResolution();
var sExp =
#region Expected
@"l00010000: // pred:
push ebp
l00010001: // pred: l00010000
mov ebp,esp
l00010003: // pred: l00010001
mov eax,[121A1232]
l00010008: // pred: l00010003
pop ebp
l00010009: // pred: l00010008
ret
";
#endregion
AssertBlocks(sExp, proc.Cfg);
}
/// Plan of attack:
/// In each unscanned "hole", look for signatures of procedure entries.
/// These are procedure entry candidates.
/// Scan each of the procedure entry candidates heuristically.
///
/// Next scan all executable code segments for:
/// - calls that reach those candidates
/// - jmps to those candidates
/// - pointers to those candidates.
/// Each time we find a call, we increase the score of the candidate.
/// At the end we have a list of scored candidates.
public void ScanImageHeuristically()
{
var sw = new Stopwatch();
sw.Start();
var list = new List<HeuristicBlock>();
var ranges = FindUnscannedRanges();
var fnRanges = FindPossibleFunctions(ranges).ToList();
int n = 0;
foreach (var range in fnRanges)
{
var hproc = DisassembleProcedure(range.Item1, range.Item2);
var hps = new HeuristicProcedureScanner(program, hproc, host);
hps.BlockConflictResolution();
DumpBlocks(hproc.Cfg.Nodes);
hps.GapResolution();
// TODO: add all guessed code to image map -- clearly labelled.
AddBlocks(hproc);
list.AddRange(hproc.Cfg.Nodes);
eventListener.ShowProgress("Estimating procedures", n, fnRanges.Count);
++n;
}
eventListener.Warn(
new Reko.Core.Services.NullCodeLocation("Heuristics"),
string.Format("Scanned image in {0} seconds, finding {1} blocks.",
sw.Elapsed.TotalSeconds, list.Count));
list.ToString();
}
/// Plan of attack:
/// In each unscanned "hole", look for signatures of procedure entries.
/// These are procedure entry candidates.
/// Scan each of the procedure entry candidates heuristically.
///
/// Next scan all executable code segments for:
/// - calls that reach those candidates
/// - jmps to those candidates
/// - pointers to those candidates.
/// Each time we find a call, we increase the score of the candidate.
/// At the end we have a list of scored candidates.
public void ScanImageHeuristically()
{
var ranges = FindUnscannedRanges();
foreach (var range in FindPossibleFunctions(ranges))
{
var hproc = DisassembleProcedure(range.Item1, range.Item2);
var hps = new HeuristicProcedureScanner(program, hproc);
hps.BlockConflictResolution();
hps.GapResolution();
// TODO: add all guessed code to image map -- clearly labelled.
}
}
public void HPSC_TrickyProc()
{
Given_Image32(0x0010000, TrickyProc);
program.SegmentMap.AddSegment(new ImageSegment(
"code",
new MemoryArea(Address.Ptr32(0x11750000), new byte[100]),
AccessMode.ReadExecute));
Given_x86_32();
Given_RewriterHost();
Given_NoImportedProcedures();
mr.ReplayAll();
When_DisassembleProcedure();
var hps = new HeuristicProcedureScanner(program, CreateScanResults(proc.Cfg), proc.IsValidAddress, host);
hps.BlockConflictResolution(proc.BeginAddress);
var sExp =
#region Expected
@"l00010000: // pred:
push ebp
l00010001: // pred: l00010000
mov ebp,esp
l00010003: // pred: l00010001
call 11750008
l0001000A: // pred:
cmp al,00
l0001000C: // pred: l0001000A
jnz 00010014
l0001000E: // pred: l0001000C
mov al,00
l00010010: // pred: l0001000E
jmp 00010019
l00010014: // pred: l0001000C
mov eax,[01740000]
l00010019: // pred: l00010010 l00010014
mov esp,ebp
l0001001B: // pred: l00010019
pop ebp
l0001001C: // pred: l0001001B
ret
";
#endregion
AssertBlocks(sExp, proc.Cfg);
}
public void HPSC_Conflicts_1()
{
Given_Image32(
0x0010000,
"55 89 e5 c3");
Given_x86_32();
Given_RewriterHost();
mr.ReplayAll();
When_DisassembleProcedure();
var conflicts = HeuristicProcedureScanner.BuildConflictGraph(proc.Cfg.Nodes);
var sExp =
@"(l00010001-l00010002)
(l00010002-l00010003)
";
AssertConflicts(sExp, conflicts);
}
public void HPSC_TrickyProc()
{
Given_Image32(0x0010000, TrickyProc);
Given_x86_32();
Given_RewriterHost();
Given_NoImportedProcedures();
mr.ReplayAll();
When_DisassembleProcedure();
var hps = new HeuristicProcedureScanner(program, proc, host);
hps.BlockConflictResolution();
var sExp =
#region Expected
@"l00010000: // pred:
push ebp
l00010001: // pred: l00010000
mov ebp,esp
l00010003: // pred: l00010001
call 11750008
l0001000A: // pred:
cmp al,00
l0001000C: // pred: l0001000A
jnz 00010014
l0001000E: // pred: l0001000C
mov al,00
l00010010: // pred: l0001000E
jmp 00010019
l00010014: // pred: l0001000C
mov eax,[01740000]
l00010019: // pred: l00010010 l00010014
mov esp,ebp
l0001001B: // pred: l00010019
pop ebp
l0001001C: // pred: l0001001B
ret
l0001001D: // pred:
nop
";
#endregion
AssertBlocks(sExp, proc.Cfg);
}
[Test]
public void HPSC_TrickyProc()
{
Given_Image32(0x0010000, TrickyProc);
Given_x86_32();
Given_RewriterHost();
Given_NoImportedProcedures();
mr.ReplayAll();
When_DisassembleProcedure();
var hps = new HeuristicProcedureScanner(prog, proc);
hps.BlockConflictResolution();
var sExp =
#region Expected
@"l00010000: // pred:
push ebp
l00010001: // pred: l00010000
mov ebp,esp
l00010003: // pred: l00010001
call 11750008
l0001000A: // pred:
cmp al,00
l0001000C: // pred: l0001000A
jnz 00010014
l0001000E: // pred: l0001000C
mov al,00
l00010010: // pred: l0001000E
jmp 00010019
l00010014: // pred: l0001000C
mov eax,[01740000]
l00010019: // pred: l00010010 l00010014
mov esp,ebp
l0001001B: // pred: l00010019
pop ebp
l0001001C: // pred: l0001001B
ret
";
#endregion
AssertBlocks(sExp, proc.Cfg);
[Test]
public void HPSC_DiscardNodes()
{
Given_Image32(
0x0010000,
"55 8B EC a1 32 12 1a 12 5D c3");
Given_x86_32();
Given_RewriterHost();
Given_NoImportedProcedures();
mr.ReplayAll();
When_DisassembleProcedure();
var hps = new HeuristicProcedureScanner(prog, proc);
hps.BlockConflictResolution();
var sExp =
#region Expected
@"l00010000: // pred:
push ebp
l00010001: // pred: l00010000
mov ebp,esp
l00010003: // pred: l00010001
mov eax,[121A1232]
l00010008: // pred: l00010003
pop ebp
l00010009: // pred: l00010008
ret
";
#endregion
AssertBlocks(sExp, proc.Cfg);
