IDA Hex Rays can't decompile function in automation - reverse-engineering

When I reverse the binary with the IDA GUI, all the functions get decompiled without a problem.
But when I am running an automatic script on IDA without the GUI, there is always the same function that refuses to be decompiled. (When I open the same IDB that the automation script worked on, the function gets decompiled without a problem.)
I am using bip, and using BipFunc.can_decompile to check if a function can get decompiled.
EDIT:
According to an answer below, I have tried to add the following:

    if not func.can_decompile:
        print(f"can't decompile function 0x{func.ea:04x}, trying again")
        decomp_all()
        if not func.can_decompile:
            print(f"can't decompile function 0x{func.ea:04x}, trying again")
            decomp_all_twice_cacheclear()
            if not func.can_decompile:
                print(f"can't decompile function 0x{func.ea:04x}, skipping...")
                return

Sadly it did not work; I get all 3 prints every time, even on different binaries.
It seems to be fixed on IDA Pro 7.6.

There are several reasons you can get an error on the decompilation from IDA. If it works in some cases and not in others, it is probably because of the call analysis. When decompiling a function, IDA will try to gather information on the functions called by this one and in some cases fails to get that information, which will make the decompilation fail. But once that function has been decompiled, the information fetched by IDA will be updated, and so the decompilation of the caller function might now work. So basically it means you have to decompile the functions in an order, which is a pain. To fix that, the simplest way is to just decompile everything twice, but it can take quite some time if you do it on "big" binaries.
I thought I put that in the Bip repository somewhere but I can't find it, so here is a small plugin/code which should allow you to do that:

    from bip import *

    class DecompileAll(BipPlugin):
        """
            Plugin for decompiling all the function in the binary.
        """

        @menu("Bip/DecompileAll/", "Invalidate hexrays caches")
        def clear_hxcCache(self):
            HxCFunc.invalidate_all_caches()

        @menu("Bip/DecompileAll/", "Decompile all func")
        def decomp_all(self):
            count = 0
            # Iterating over HxCFunc.iter_all() is what triggers the decompilation
            for f in HxCFunc.iter_all():
                count += 1
            print("0x{:X} functions decompiled".format(count))

        @menu("Bip/DecompileAll/", "Decompile twice with cache clear")
        def decomp_all_twice_cacheclear(self):
            # Drop cached results, then run two passes so callers can use callee information
            HxCFunc.invalidate_all_caches()
            self.decomp_all()
            self.decomp_all()

Just for information, the basic reason for a decompilation error is that it is not able to make a correct translation of some piece of code because it does not understand the assembly; this is typically true if there is a problem during the analysis and the code is not correctly detected (it also happens a lot if you are dealing with obfuscation). You can typically spot this case by an error telling you "failed analysis at ADDR" in the IDAPython console, and then look at the problem. Probably not your case but might still help.
Glad to hear you are using bip. So about the BipFunc.can_decompile function: as indicated in the documentation (https://synacktiv.github.io/bip/build/html/base/func.html#bip.base.BipFunction.can_decompile), it will just try to decompile the function and see if an error occurs. The code is pretty straightforward (https://github.com/synacktiv/bip/blob/master/bip/base/func.py#L372); this is mostly written for use in one-liners, and it's the same thing as catching the exception when trying to decompile.

Related

Debugging experimental WebAssembly externref bug in Google Chrome

Warning: as the reference types proposal isn't complete yet, this code will not run without toggling flags or setting in order to enable executing experimental code.
If you are on Google Chrome or a Chromium browser, you will need to enable the following flag:
chrome://flags/#enable-experimental-webassembly-features
I had set up a simple handwritten Wasm module for personal use. I could've easily written it in JavaScript, but it was easier and made more sense to use Wasm, and since it was a simple, personal script, I wouldn't care if other people couldn't run it.
I had compiled it using wabt's wat2wasm.
The Wasm module was intended to be fed the entire globalThis object to import from.
From there, it took four TypedArray constructors: Uint8Array, Uint16Array, Uint32Array, and BigUint64Array.
Take note: no code was executed prior to the Wasm, thus there cannot be any interference.
Later, I had realized that the Wasm wasn't working as intended at all; my math was correct, but the variables were wrong.
I had narrowed my problem down to just this:

    ;; global -> global variable
    (import "globalThis" "Uint8Array" (global $Uint8Array externref))
    (import "globalThis" "Uint16Array" (global $Uint16Array externref))
    (import "globalThis" "Uint32Array" (global $Uint32Array externref))
    (import "globalThis" "BigUint64Array" (global $BigUint64Array externref))
    ;; func -> function
    (import "console" "log" (func $console::log (param externref)))
    (start $_start)
    (func $_start
      global.get $Uint8Array
      call $console::log
      global.get $Uint16Array
      call $console::log
      global.get $Uint32Array
      call $console::log
      global.get $BigUint64Array
      call $console::log
    )

This Wasm was instantiated like so:

    WebAssembly.instantiateStreaming(
      fetch(
        "test.wasm", {
          mode : "same-origin",
          credentials : "omit",
          cache : "no-store",
          redirect : "error",
          referrer : "no-referrer"
        }
      ), globalThis
    ).catch( console.error );

The interesting problem is that the logs all say the same thing: Uint8Array.
I was dumbfounded. This has to be literally impossible. The JavaScript file itself was not cached, the WebAssembly was being fetched with "no-cache," the web page itself wasn't cached.
Then I thought, because I was using XHTML, maybe it didn't happen in HTML files. It did there too.
I tried converting the Wasm file to a TypedArray and just using WebAssembly.instantiate; suddenly, it worked flawlessly.
At this point the server must be serving the wrong file, because the further I go, the more this seems like nonsense.
I almost want to say that this is a Chromium browser or V8 runtime error, but I need to narrow it down a bit more before I blindly attempt to present this as a bug.
I have set up two different versions of the same code, on Repl.it, and on CodeSandBox.io, so that hopefully someone can try running it themself, to confirm the bug, and maybe attempt to debug where I went wrong.
(Could this be a problem with Repl.it's server?)
This was a compiler bug fixed by Chromium in https://chromium-review.googlesource.com/c/v8/v8/+/2551100.
This was the response that I had gotten from one of the developers:
This is indeed a timing issue that has been fixed in https://chromium-review.googlesource.com/c/v8/v8/+/2551100. The problem happens when there are only imported globals, and compilation of the WebAssembly functions finishes before the stream actually finishes. In this case, the offset calculation happens after the compiler uses the offsets, and therefore produces incorrect code.
A workaround is to define one global that is not imported, as this causes the offset calculation to happen earlier.
Seems like sending a small module that only imports globals instead of functions was breaking the code.
Their code had a threading race condition between the stream and the compiler.
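
A self-check for the symptom described above, as an added example that is not part of the original posts or of V8's code: it hand-assembles the question's module together with the non-imported global suggested as a workaround, and reports every imported global that does not resolve to its own constructor. The encoder helpers and the names `buildModule`, `observedGlobals` and `mismatches` are made up for this sketch, and the module is instantiated synchronously so that it runs offline, whereas the bug itself was tied to streaming compilation.

```javascript
// Constructed module bytes; this is not the asker's test.wasm.
const name = s => [s.length, ...new TextEncoder().encode(s)]; // names here are < 128 bytes
const section = (id, body) => [id, body.length, ...body];     // bodies here are < 128 bytes
const EXTERNREF = 0x6f, I32 = 0x7f;
const CTORS = ["Uint8Array", "Uint16Array", "Uint32Array", "BigUint64Array"];

function buildModule() {
  const imports = [
    // (import "globalThis" "<ctor>" (global externref)), immutable
    ...CTORS.flatMap(c => [...name("globalThis"), ...name(c), 0x03, EXTERNREF, 0x00]),
    // (import "console" "log" (func (param externref))) -> function index 0, type 0
    ...name("console"), ...name("log"), 0x00, 0x00,
  ];
  // $_start body: no locals, then "global.get i ; call 0" per imported global, then end
  const code = [0x00, ...CTORS.flatMap((_, i) => [0x23, i, 0x10, 0x00]), 0x0b];
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,          // magic + version
    ...section(1, [2, 0x60, 1, EXTERNREF, 0, 0x60, 0, 0]),   // types: (externref)->(), ()->()
    ...section(2, [CTORS.length + 1, ...imports]),           // imports
    ...section(3, [1, 1]),                                   // one function of type 1
    ...section(6, [1, I32, 0x00, 0x41, 0x00, 0x0b]),         // workaround: non-imported i32 global
    ...section(8, [1]),                                      // start = function index 1
    ...section(10, [1, code.length, ...code]),               // code
  ]);
}

// Instantiate and collect what the start function passes to console.log.
function observedGlobals(bytes) {
  const seen = [];
  const imports = { globalThis, console: { log: v => seen.push(v) } };
  new WebAssembly.Instance(new WebAssembly.Module(bytes), imports); // start runs here
  return seen;
}

// Names of imported constructors whose observed value is not the real constructor.
function mismatches(seen) {
  return CTORS.filter((c, i) => seen[i] !== globalThis[c]);
}

console.log(mismatches(observedGlobals(buildModule())));
```

Feeding `mismatches` the values collected from a streaming instantiation of the same bytes gives the same comparison for the path the question used.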

How can I import a function into my QTP test while it's running?

I've built many functions for my QTP 10 tests, and many of those functions rely on other, related functions. I would like to have my functions import any other functions that they require. Currently, I have to go through each of my functions and associate each of their dependencies by hand.
While I'm aware that ExecuteFile "C:\Functions\SampleFunction.vbs" would work, the downside is that QTP is unable to display any of the code it just imported. That means that debugging the code is a nightmare, since QTP will show that yellow debugging pointer on lines that don't correspond to the code actually being run. Long story short, that approach is a mess.
Is there any other command that will import other .vbs files into QTP during runtime, so I can have the functions import the other functions they require?
I found a post by Anish Pillai called "4 Different Ways to Associate Function Libraries to your QTP Scripts", that has some useful info. (See the original post here: http://www.automationrepository.com/2011/09/associate-function-library-to-qtp-script/ )
Method #1 is the usual way to associate functions with a test; nothing new there.
Method #2 Using AOM (Automation Object Model)
I've tried many different variations, but all of them seem to be scripts for launching a specific test from outside of QTP, not for adding a function to a running test.
Here's their code in case it proves useful:

    'Open QTP
    Set objQTP = CreateObject("QuickTest.Application")
    objQTP.Launch
    objQTP.Visible = True
    'Open a test and associate a function library to the test
    objQTP.Open "C:\Automation\SampleTest", False, False
    Set objLib = objQTP.Test.Settings.Resources.Libraries
    'If the library is not already associated with the test case, associate it..
    If objLib.Find("C:\SampleFunctionLibrary.vbs") = -1 Then ' If library is not already added
        objLib.Add "C:\SampleFunctionLibrary.vbs", 1 ' Associate the library to the test case
    End If

Method #3 Using ExecuteFile Method
Has the same downfalls that I brought up in the question. Could be useful, but it's horrible for debugging within QTP 10.
Method #4 Using LoadFunctionLibrary Method
This is the most promising approach. It appears to do exactly what we need it to: load vbscript function libraries while the test is running. The only catch? It appears to be QTP 11+ only. I can't vouch for this method since I don't have QTP 11, but it looks like the perfect approach.

    LoadFunctionLibrary "C:\YourFunctionLibrary_1.vbs" 'Associate a single function library
    LoadFunctionLibrary "C:\FuncLib_1.vbs", "C:\FuncLib_2.vbs" 'Associate more than 1 function libraries

Unable to use a matlab function

I wanted to move from one point to another on a spherical earth, and when I looked it up, I found there is a function named reckon in matlab that does exactly what I need. But when I call it, it says Undefined function 'reckon' for input arguments of type 'double'. Which means that maybe the function is not in my library. So I found the m-file on the internet and tried, but then it leads to the same error with a different function, which I found the function reckon depends on. So I included that in my folder too, and then again there is a new function missing... and so on.
I have Matlab R2011b.
These functions seem to be in-built matlab functions as they show up in help, but as I'm new to matlab, maybe I'm wrong. What can be done?
As I just wanted to use the functions of the Mapping Toolbox, after some looking up, I found them all in a single package on a website. If anybody else wants them too, and doesn't have the Mapping Toolbox, you can get all the functions here.
http://mooring.ucsd.edu/software/matlab/doc/toolbox/geo/index.html

How to wait for MySQL To Update in VB.NET?

I have been working on something that checks a MySQL database to check something - however the program stops responding because it is constantly checking the database. Is it possible to have it wait a few seconds to recheck the database? I have tried sleep() but it is giving a strange error:

    A call to PInvoke function 'Game!WindowsApplication1.Form1::Sleep' has unbalanced the stack. This is likely because the managed PInvoke signature does not match the unmanaged target signature. Check that the calling convention and parameters of the PInvoke signature match the target unmanaged signature.

I have been looking into this for quite a while and I am in a predicament. I do need the MySQL databases to be checked very often. I tried making a web browser refresh before checking it again - but it started to lag the application.
Code:

    function updateit()
        ' SQL Code goes here, it succeeds.
        updateit() ' Update it again.
        return true
    end
    updateit()

Your code example shows a recursive function with no base case. The result of that is always a stack overflow (an uncatchable exception in .Net).
Don't call your updateit() function from within the function itself. Instead, just write a loop to call it over and over.
Try doing your checks from a separate thread. Try dragging a BackgroundWorker onto your form and putting your check in that to make your program more responsive. I've never seen that error before though. Is it System.Threading.Thread.Sleep() or something specific to VB?
Looking at your code it looks like you've got infinite recursion. That will cause a stackoverflow... try

    While True
        'SQL code
    End While

trouble with ramdebugger and tcl/c++ loadable module

I have a nice fully functioning module (written using tcl/cpp); it works fine.
I want to use ramdebugger to debug scripts using that module.
When I enter

    load mylib.so
    command1_from_lib xx
    command2_from_lib yy

If (say) command2 returns an error then ramdebugger dies

    [paul@paul-es5 ramdebugger7.7.1]$ ./ramdebugger
    alloc: invalid block: 0x999c058: 0 0
    Aborted

It dies here in libtcl / ResetObjResult

    if ((objResultPtr->bytes != NULL)
            && (objResultPtr->bytes != tclEmptyStringRep)) {
        ckfree((char *) objResultPtr->bytes);
    }

My suspicion is there is confusion over the global tclEmptyStringRep. I think the starkitted(?) ramdebugger has one and the dynamically loaded libtcl has a different one - the bytes pointer should logically be pointing to an empty string but the value there does not match what gdb shows for the global
I am a tcl noob and need any help I can get. Alternatively a suggestion for a different debugger would work
edit: fixed
Use tclStub to defer the link between the extension and the tcl runtime.
This sounds very much like a bug to me, as opposed to a question which this site can answer. You should contact the ramdebugger people to see if they can help.
However, for general Tcl debugging you could also see if the tools produced by ActiveState help; IIRC you can get a free trial to see if they can make any headway. (Myself, I'm of the put-lots-of-printf-calls in school of debugging, so I'm nobody's poster child.)