-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial sanity check failed in ooprolog #250
Comments
The 64-bit question has come up before, for obvious reasons. I'll link to an answer I've provided previously. There's no expectation that you would have been able to find it, I just didn't want to have to type it again. ;-) See this issue comment. If you have more specific questions about that I can answer them. There's a known bug that's been interfering with recovering new() parameters for a while. I think we may have recently fixed it, so please try again with the commits we'll be releasing in the next few days. The TightVNC program looks like it might make a good test program for OOAnalyzer, so thanks for that pointer. |
Thanks for your kind reply. It seems that the |
I will look into the prolog issue with tightvnc. First I'll try to make sure I can reproduce the problem on the newly released version. |
I was able to reproduce the problem using your facts file on the new version. 0x4bf2f0 is This is what reasonMergeClassesK says:
|
0x4bb6b8 (StringStorage::vftable) is related to 0x498550, but is currently on class 0x4bf2f0 (AnsiStringStorage::vftable). How is 0x4bb6b8 related to 0x498550?
Ok, I have a hypothesis of what is going on here. In 0x405a20, there are some conditional branches that control which constructor is invoked. In one case, StringStorage::StringStorage is invoked. In another, AnsiStringStorage::AnsiStringStorage is invoked. We say that these methods are related to each other because they are both (statically) called on the same thisptr. But both calls cannot occur in the same execution because of the control flow. I will need to think a little more about what to do about this. |
To be clear, this is a problem with reasonClassRelatedMethod_B. |
Hi, I'm trying to recover C++ object informations from 32bit tightvnc server with OOAnalyzer. (it's open source and you can check it's source code in the link)
I used following commands to analyze it, and an error occurs at the last command (
ooprolog
).partition --serialize=tvnserver.ser --maximum-memory=128000 --no-semantics ./tvnserver.exe ooanalyzer --serialize=tvnserver.ser --maximum-memory 128000 --no-semantics --prolog-facts=tvnserver-facts.pl --threads=16 --per-function-timeout=60000 ./tvnserver.exe ooprolog --facts tvnserver-facts.pl --results tvnserver-results.pl --log-level=6 >ooprog.log
I got following error message and log.
These files are tightvnc server executable that I used, and facts extracted from
--prolog-facts
option.Also I have some additional questions.
This is a disassembly and decompiled code at 0x004047E2 from IDA.
I think libpharos cannot recognize push instruction before
new
call, due to mov instruction between them. (this pattern often observed in optimized executable)Is it possible to make a patch for this problem?
The text was updated successfully, but these errors were encountered: