Help with function cleanup / variable splitting

[bsendpacket]

I'm currently learning how to use Binary Ninja, and I was wondering if anyone knows how to deal with the following:

The value module here is first utilized with offsets that correspond to the PIMAGE_DOS_HEADER structure, and later is used with offsets that match up with the structure PIMAGE_EXPORT_DIRECTORY.
If I change the type of module later to be PIMAGE_EXPORT_DIRECTORY, it makes the pseudocode up to that point incorrect. I'd like to have it so that I can have both parts are cleaned up instead of having it be either one or the other.

In IDA I believe that I can simply split this variable into two and set the second one to PIMAGE_EXPORT_DIRECTORY and leave the first one as PIMAGE_DOS_HEADER, but in Binja it seems that the way that "splitting" a variable works is a bit differently and doesn't work in this case (potentially due to the fact that the variable is passed-in?).

First image is with module set to the type PIMAGE_DOS_HEADER, second image is module set to the type PIMAGE_EXPORT_DIRECTORY

And here is an image of me right-clicking module, to show that there does not seem to be an option to split the variable:

Is there a proper way to clean this up at the moment?

If needed, the sample can be downloaded at:
https://malshare.com/sample.php?action=detail&hash=0cf55c7e1a19a0631b0248fb0e699bbec1d321240208f2862e37f6c9e75894e7
(Please note: the file is malicious!)

My bndb so far for this file can be downloaded at https://files.catbox.moe/10wgyf.bndb - note that there has been some opaque predicate patching done thus far on the file. This bndb should have this patching done, and the function seen in the screenshots is sub_434a60.

Thank you!

[xusheng6]

Here are a few things I noticed so far:

1. I think you made two mistakes when you patch the code, the branch at 0x434ac6 and 0x434ae8 should be jne
2. While patching the code is probably the most straightforward, you might be interested in an alternative way to deal with this, i.e., setting the value of the jump table to constant and let our dataflow analysis solve it automatically -- see Convert switch-case with two cases {0, 1} to an if-else branch #5637. It is not a perfect solution for now since we are not yet converting the switch-case to if-else
3. Regarding your original complaint, I am not sure splitting the variable is a good idea. The register ecx always points to the start of the file and it never changes, and in your second screenshot, although setting its type to PIMAGE_EXPORT_DIRECTORY makes the code more readable, (the fields like AddressOfNames now shows up), technically the semantics of the code is wrong. I am considering whether it is possible to create an intermediate variable module_1 + export_dir_rva, and set its type to PIMAGE_EXPORT_DIRECTORY, which will give us the most accurate output. I will circulate the idea with the team and see whether this is the direction we wish to go with. It is certainly not going to be something easy, so we will also see if there is any alternative route to deal with code like this