DEV IN PROGRESS

There have been 31 commits this month, and the statistics give a small overview of the work done:

git diff --stat 027305c..HEAD | tail -1
 157 files changed, 14424 insertions(+), 3393 deletions(-)

Bugs have been fixed and some new features have been implemented, but many ideas are still pending...

It is hard to find enough time to code everything!

The following news is based on commit ebe248f, so you can give this version of Chrysalide a try by running:

git clone http://git.0xdeadc0de.fr/chrysalide.git
cd chrysalide
git checkout ebe248f

As usual, the next step is to follow the installation procedure.

Memory usage

Once again the memory footprint has been reduced!

At first, the size of operands with no alternative rendering has been compressed (commit 0320d85).

Then the access lock to instruction operands (commit 12b8a06) prepares the migration to a new kind of arrays, with integrated locks and low memory footprint (commit c0b4029).

Finally the number of produced reference links between instructions has been reduced (commits 009f00f and faa334f).

A memory leak in the disassembling process has been fixed, too (commit f2f54bb).

Assembly rendering

The first change concerns the displayed raw binary code: its rendering has been restored (commit b3471e0), but it is now hidden by default (commit c447efb) and the quantity of binary code shown for arrays has been limited (commit 9703198).

The expected behavior of the reference naming convention was restored by commit 222c14b: the "sub_" prefix is now always assigned to subroutines and the "loc_" one to code labels.

String handling has been heavily improved by several commits (02993e7 and cd95622):

  • all string symbols referenced by instructions now get a label.
  • the last byte is taken into account when analyzing the string section.

So we left this initial situation:

To get this final state:

An eye-candy function summary has been created, based on an idea from @williballenthin. Commit b7347c9 now produces this kind of digest as a tooltip:

This has then been extended to other kinds of items by commit a2f149e: immediate operands and strings.

For routines, the number of displayed items is defined by the global configuration (commit 4f3f96c).

The last part targets immediate operand conversions: a bug in the production of binary values has been fixed in commit 78169fc. A validation has been added to the test suite thanks to the new Python bindings for immediate operands brought by commit 4319c0a.

Debugging with Chrysalide

Initial support for the GDB Remote Serial Protocol has been added. This is a big change (see commit 94fd405).

Currently the following new features can only be reached through the Python bindings:

  • resume a static ARM binary or run it step by step.
  • read or write registers.
  • read or write memory.
  • define user breakpoints.
  • get the call stack.

Rebasing disassembled code or driving a debugging session from the GUI is scheduled for later!

Improved ELF support

The remaining space is now checked before inserting new instructions (commit 499f009).

Moreover, all sections which are not allocated in the memory of a running process are now handled (commit b8d5a53).

This leads to new special situations, such as handling overlapping sections:

[Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
...
[24] .bss              NOBITS          00012088 002084 000044 00  WA  0   0  8
[25] .ARM.attributes   ARM_ATTRIBUTES  00000000 002084 000037 00      0   0  1
[26] .shstrtab         STRTAB          00000000 0020bb 0000ed 00      0   0  1
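The situation above is only an overlap if a loader takes sh_size of a NOBITS section as file bytes: .bss carries a size for memory allocation but occupies no space in the file, so .ARM.attributes can legitimately start at the same offset. The following check is an added example written for this post, not Chrysalide's own code; the section table is constructed from the readelf output above and the type constants are the ELF specification values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SHT_STRTAB         3           /* ELF specification values */
#define SHT_NOBITS         8
#define SHT_ARM_ATTRIBUTES 0x70000003  /* SHT_LOPROC + 3 */

typedef struct {
    const char *name;
    uint32_t type;      /* sh_type */
    uint64_t offset;    /* sh_offset */
    uint64_t size;      /* sh_size */
} section_t;

/* Bytes a section really occupies in the file: a NOBITS section is only
   allocated at load time and takes no file space at all. */
uint64_t file_span(const section_t *s)
{
    return s->type == SHT_NOBITS ? 0 : s->size;
}

/* true if the two sections share at least one byte of the file */
bool sections_overlap_in_file(const section_t *a, const section_t *b)
{
    uint64_t a_end = a->offset + file_span(a);
    uint64_t b_end = b->offset + file_span(b);
    if (a_end == a->offset || b_end == b->offset)   /* empty span */
        return false;
    return a->offset < b_end && b->offset < a_end;
}

/* Naive check using sh_size for every section type, for comparison. */
bool sections_overlap_naive(const section_t *a, const section_t *b)
{
    return a->offset < b->offset + b->size && b->offset < a->offset + a->size;
}

/* Table constructed from the readelf listing shown in the post. */
const section_t sample_sections[3] = {
    { ".bss",            SHT_NOBITS,         0x2084, 0x44 },
    { ".ARM.attributes", SHT_ARM_ATTRIBUTES, 0x2084, 0x37 },
    { ".shstrtab",       SHT_STRTAB,         0x20bb, 0xed },
};

/* Number of overlapping section pairs found by the given checker. */
int count_overlaps(const section_t *t, size_t n,
                   bool (*check)(const section_t *, const section_t *))
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (check(&t[i], &t[j]))
                count++;
    return count;
}
```

With the sample table the naive check reports two overlapping pairs (.bss against both following sections) while the NOBITS-aware check reports none, which is the behaviour a section parser needs to get right before it builds its portion tree.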

Handling more sections also revealed that the built binary portion tree was not accurate. A proper algorithm has been implemented to fix its construction (commit 2409614). It adds more checks, but nothing that can be noticed at runtime.

Finally, strings are searched from extra ELF sections (".interp", ".shstrtab" and ".strtab") with the commit ebe248f.

Testing bits in bitfields has also been improved. The old test_in_bit_field() method processed a range of bits and returned true if all bits were set, but a false result did not mean that all bits were unset. So two new functions, test_all_in_bit_field() and test_none_in_bit_field(), have been created, and test_in_bit_field() now only tests one bit (commit dda6863).
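The three functions and the ambiguity they resolve, as an added example written for this post: the bitfield type is a minimal stand-in constructed here, not Chrysalide's own structure, and only the function names follow the commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal bitfield over 64-bit words; constructed for this example. */
#define BF_WORDS 2
typedef struct { uint64_t bits[BF_WORDS]; } bitfield_t;

/* New meaning of test_in_bit_field(): exactly one bit is tested. */
bool test_in_bit_field(const bitfield_t *bf, size_t index)
{
    return (bf->bits[index / 64] >> (index % 64)) & 1;
}

/* true only if every bit of [first, first + count) is set */
bool test_all_in_bit_field(const bitfield_t *bf, size_t first, size_t count)
{
    for (size_t i = first; i < first + count; i++)
        if (!test_in_bit_field(bf, i))
            return false;
    return true;
}

/* true only if no bit of [first, first + count) is set */
bool test_none_in_bit_field(const bitfield_t *bf, size_t first, size_t count)
{
    for (size_t i = first; i < first + count; i++)
        if (test_in_bit_field(bf, i))
            return false;
    return true;
}

/* The old range test: a false answer could mean "some bits unset" as well
   as "all bits unset", which the two functions above tell apart. */
bool old_test_in_bit_field(const bitfield_t *bf, size_t first, size_t count)
{
    return test_all_in_bit_field(bf, first, count);
}

/* Sample input (constructed): bits 4..7 set, everything else clear. */
const bitfield_t sample_bits = { { 0xF0ULL, 0 } };
```

On the sample, the old test answers false both for the mixed range 4..8 and for the fully clear range 9..11; test_none_in_bit_field() distinguishes the two.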

Misc

The instruction link type meaning "there is no link" has been removed (commit 404c117).

The useless STP_FUNCTION symbol type has been removed and replaced by STP_ROUTINE when needed (commit e5bda75).

The connection to the database is working again: buggy code involved when updating the database for connected clients (commit 94792f7) and various copy/paste mistakes in the database protocol (packing vs. unpacking data: commit 1de9967) have been fixed.

The rendering of lines in the "Goto" dialog box is back (commit 88e34a0). Thus, for instance, the content of the first line of each entry point is displayed again.


Posted on March 31, 2017 at 20:43.