How to override flow (return from function)?

[saruman9]

I try Binary Ninja demo for my test cases and found that BN don't respect blx lr instruction (ARM v7):

Fig. 1. Function don't return after blx lr

How can I set override instruction flow to return or set end of the function?

Version: Binary Ninja 3.0.3233 demo

[lwerdna]

Can you share the binary?

[saruman9]

test.zip

1. Uncheck analysis.linearSweep.autorun parameter.
2. Set loader.architecture to ARMv7 (load as mapped).
3. Create a function at 0x0 offset.
4. Go to 0x00000458 offset.

[saruman9]

Doesn't answer for a long time mean it's not possible (overriding control flow)?

[saruman9]

Firmware or ARM binaries out of scope or has my question already been answered somewhere or are you try to reproduce? Because I don't understand why my question is ignored.

[lwerdna]

Hi @saruman9, sorry for the delay, I'm looking into it and will answer soon.

[lwerdna]

Analysis doesn't end the function because blx lr is considered a call, despite lr being used as the destination operand. The instruction bx lr is considered a return, and you can test it by assembling this instruction at 0x458 or patching in bytes "\x1e\xff\x2f\xe1".

[saruman9]

I understand that, but the next instruction (0x0000045c) never will be executed in the context of returning from lr register, because lr register will be immediately overwritten (by 0x000003cc: bl sub_4b0). IDA Pro and Ghidra understand this.

Fig. 1. IDA Pro

Fig. 2. Ghidra

So if Binary Ninja can't analyze it, can I set end of the function after blx lr instruction manually?

[lwerdna]

If the link register is being overwritten immediately after sub_3fc() returns, I wonder why the compiler generated blx lr instead of bx lr.

If we make blx behave like a return when its operand is lr then we fall to the simple obfuscations like:

                ; save lr
                ; ...
mov lr, subroutine
blx lr          ; call subroutine
                ; <---- analysis would stop here
                ; ...
                ; restore lr
blx lr          ; return to caller

Unfortunately there is no manual way set a function end. Binja thinks of functions as graphs of basic blocks which can be located at arbitrary addresses, so a definitive function end doesn't completely make sense.

Note that the code immediately after the blx lr starting at 0x45c is a thumb function sub_45c() called from sub_0(). So it looks like nonsense when reading it after falling through from ARM sub_3fc() but not from thumb sub_45c().

Patching all blx lr to bx lr is an option. Another is to modify how Binja sees blx lr with an architecture hook. There's an example in the API.

Was this generated by a compiler? If so, and if this is more common than I think, then that will weigh in favor of lifting blx lr as a return.

2022-03-11 EDIT: Remove link to architecture hook plugin in private repo, replace with public one from API

[saruman9]

I wonder why the compiler generated blx lr instead of bx lr.
...
Was this generated by a compiler? If so, and if this is more common than I think, then that will weigh in favor of lifting blx lr as a return.

This is not the first time I've encountered this. It is firmware (part of a ROM memory) and a compiler (maybe gcc) is used for generating it. So I never seen that instructions after blx lr go further, but your case is possible in theory.

See this example with lines highlighted for "weird call".

I don't have permissions for seeing.

Thank you for detailed answer!

[lwerdna]

Hey, sorry about the link to private repo. Here are some public examples of architecture hooks:

• The api example overrides disassembly to turn "retn" to ret".
• This example turns push+ret in x86 into jumps

Here's one for your situation:

from binaryninja.architecture import Architecture, ArchitectureHook
from binaryninja.function import InstructionInfo, InstructionTextToken
from binaryninja.enums import BranchType, InstructionTextTokenType

encoding = b'\x3e\xff\x2f\xe1' # blx lr

class BlxLrOverride(ArchitectureHook):
    def get_instruction_info(self, data, addr):
        if not data.startswith(encoding):
            return super(BlxLrOverride, self).get_instruction_info(data, addr)

        result = InstructionInfo()
        result.length = 4
        result.add_branch(BranchType.FunctionReturn)
        return result

    def get_instruction_low_level_il(self, data, addr, il):
        if not data.startswith(encoding):
            return super(BlxLrOverride, self).get_instruction_low_level_il(data, addr, il)
        
        il.append(il.ret(il.reg(4, 'lr')))
        return 4

BlxLrOverride(Architecture['armv7']).register()

[lwerdna]

Thank you for reporting the issue. We've decided to lift blx lr as return: Vector35/arch-armv7@662d100

If you have a normal binaryninja license, please update to latest DEV release.

Demo versions have to wait until STABLE release.

2022-03-11 EDIT: Change commit link to public arch-armv7 repo.

[saruman9]

Thank you very much!

[saruman9]

After fixing the link I tested the plugin. It works well. I think, that Thumb's blx lr instruction needed to lift as return too (1, 2).

Fig. 1. blx lr should return

[bpotchik]

As of 3.6.4594-dev, we have added the ability to interpret 'blx lr' given the context of the target register. It should now be translated to a call, or a function return in the correct scenarios.