You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Our x86 jump table detection works like this: for every array a accessed by the code through a rip-relative load, if &a is in .rodata, and &a + a[0] is the address of an instruction, then a is a jump table.
This needs some data flow analysis that checks that the value loaded from a is used into an indirect branch.
If possible, it would be cool to check that the code that accesses a has some upper bounds checking on the register used for a's index (which is basically a check for the 'default' case in jumptables)
An example of an array in memory that is falsely detected as a jump table is Case 1 of this issue (HexHive/retrowrite#20)
The text was updated successfully, but these errors were encountered:
Our x86 jump table detection works like this: for every array
aaccessed by the code through a rip-relative load, if&ais in .rodata, and&a + a[0]is the address of an instruction, thenais a jump table.This needs some data flow analysis that checks that the value loaded from
ais used into an indirect branch.If possible, it would be cool to check that the code that accesses
ahas some upper bounds checking on the register used fora's index (which is basically a check for the 'default' case in jumptables)An example of an array in memory that is falsely detected as a jump table is Case 1 of this issue (HexHive/retrowrite#20)
The text was updated successfully, but these errors were encountered: