Custom Flag Conditions #1575

ehntoo · 2020-04-17T23:10:16Z

ehntoo
Apr 17, 2020

I'm hacking on an AVR target and working on a pull request for one of the existing support plugins, but ran into a question about handling flag conditions that don't seem to be represented in LowLevelILFlagCondition.

For lifting branches such as BREQ, I can emit IL like il.flag_condition(LowLevelILFlagCondition.LLFC_E).

What IL should I generate for a conditional branch like BRHC, which branches if the H (Half Carry) flag is clear, or BRID, which branches if the I (Global Interrupt) flag is disabled?

Answered by rssor

Apr 22, 2020

So there are basically 3 different ways flags can be used in lifters. In this case, you don't want flag conditions (LLFC_*) or semantic flags (LLIL_FLAG_GROUP), you're going to have to use custom flag write types with SpecialFlagRole on the flags we don't have existing roles for.

When you emit an expression to read the value of one of those flags with il.Flag, getFlagWriteLowLevelIL in the custom architecture will be invoked with information from the instruction that set that flag, giving you the constant/registers used as arguments, which you then use to build up an LLIL expression reprenting the boolean value of that flag expressed in terms of inputs to the instruction that set the flag…

View full answer

rssor · 2020-04-22T19:03:04Z

rssor
Apr 22, 2020
Maintainer

So there are basically 3 different ways flags can be used in lifters. In this case, you don't want flag conditions (LLFC_*) or semantic flags (LLIL_FLAG_GROUP), you're going to have to use custom flag write types with SpecialFlagRole on the flags we don't have existing roles for.

When you emit an expression to read the value of one of those flags with il.Flag, getFlagWriteLowLevelIL in the custom architecture will be invoked with information from the instruction that set that flag, giving you the constant/registers used as arguments, which you then use to build up an LLIL expression reprenting the boolean value of that flag expressed in terms of inputs to the instruction that set the flags. For an example from the x86 plugin:

		case LLIL_MULU_DP:
			switch (flag)
			{
			case IL_FLAG_O:
				return il.AddExpr(LLIL_CMP_NE, size * 2, 0, il.AddExpr(LLIL_LSR, size * 2, 0,
					il.GetExprForRegisterOrConstantOperation(op, size, operands, operandCount),
					il.AddExpr(LLIL_CONST, 1, 0, size * 8)), il.AddExpr(LLIL_CONST, size * 2, 0, 0));
			}

Which lets us emit IL for the flag value that is useful to the dataflow system.

So, in summary, just read the value of the flag directly just like how il register read expressions work, and allow the flag write IL generation callback to lazily emit IL that's sensible for whatever the semantics of your flag are.

2 replies

plafosse May 6, 2020
Maintainer

@ehntoo If the above answers your question please mark it as answered.

ehntoo May 7, 2020
Author

Sorry, meant to do this when I'd gotten the reply. Thanks for the help!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Custom Flag Conditions #1575

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

Custom Flag Conditions #1575

ehntoo Apr 17, 2020

Replies: 1 comment · 2 replies

rssor Apr 22, 2020 Maintainer

plafosse May 6, 2020 Maintainer

ehntoo May 7, 2020 Author

ehntoo
Apr 17, 2020

Replies: 1 comment 2 replies

rssor
Apr 22, 2020
Maintainer

plafosse May 6, 2020
Maintainer

ehntoo May 7, 2020
Author