Dealing with a tricky jump table routine #5193
Replies: 3 comments 3 replies
-
|
Could you please share the binary. Its difficult to understand what exactly is going on without it. |
Beta Was this translation helpful? Give feedback.
-
|
Sure thing, but is it OK if I email or share it on google drive with you? Would rather not share it publicly. |
Beta Was this translation helpful? Give feedback.
-
|
Yes email it to: peter [at] vector35 [dot] com |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, sent |
Beta Was this translation helpful? Give feedback.
-
|
Binary shared in internally |
Beta Was this translation helpful? Give feedback.
-
|
Converted this to an issue. |
Beta Was this translation helpful? Give feedback.
-
I'm dealing with an ARM binary that has some jump tables in it. The tricky thing is the jump table logic is encapsulated in its own routine (which I've named doJumpTable):
arg1(r3) is passed as the index into the jump table.lris used to locate the jump table, which exists right after thebl doJumpTablein the caller.I have already worked through the disassembly for one of the callers and resolved the possible jump targets, using this article as inspiration: https://www.lodsb.com/reversing-complex-jumptables-in-binary-ninja.
Question: The "Inline during analysis (experimental)" option is disabled for
doJumpTable. Any ideas why this might be?If it were enabled, I would be able to use UIDF to constrain the
r3input and have Binja trace through the possible jumps. But without the ability to inlinedoJumpTable, Binja doesn't see the jumps. What's the best way to proceed here?Beta Was this translation helpful? Give feedback.
All reactions