Removal of branch in HLIL or greater

[neutered]

so i've been testing things out to see if it's for me and there's something going on that makes me wonder what's going on. w/ disassembly:

0000071c void sub_71c() __noreturn
0000071c 08b5 push {r3, lr} {var_8} {var_4}
0000071e 02f0effa bl #sys_clock
00000722 fff7bfff bl #sys_pwr
00000726 00f013fa bl #usart2_setup
0000072a 134b ldr r3, [pc, #0x4c] {data_778}
0000072c 1b68 ldr r3, [r3] {data_8004000, "ZZZZ"} {0x5a5a5a5a}
0000072e b3f15a3f cmp r3, #0x5a5a5a5a
00000732 0ad0 beq #0x74a {0x1}
00000734 104b ldr r3, [pc, #0x40] {data_778}
00000736 1b68 ldr r3, [r3] {data_8004000, "ZZZZ"} {0x5a5a5a5a}
00000738 b3f15a3f cmp r3, #0x5a5a5a5a
0000073c 16d1 bne #0x76c {0x0}
0000073e 0f48 ldr r0, [pc, #0x3c] {data_77c} {data_8002f18, "\r\n"}
00000740 00f09af8 bl #sub_878
00000744 fff79cff bl #sub_680
00000748 fce7 b #0x744
0000074a 0d4b ldr r3, [pc, #0x34] {data_780}
0000074c 1a68 ldr r2, [r3] {data_8006000}
0000074e 0d4b ldr r3, [pc, #0x34] {data_784}
00000750 1340 ands r3, r2 {0x20000000}
00000752 b3f1005f cmp r3, #0x20000000
00000756 edd1 bne #0x734 {0x0}
00000758 074b ldr r3, [pc, #0x1c] {data_778}
0000075a 5b68 ldr r3, [r3, #4] {0x0} {data_8004000[4]}
0000075c b3f1013f cmp r3, #0x1010101
00000760 e8d0 beq #0x734 {0x0}
00000762 00f007f9 bl #usart2_reset
00000766 00f00ff9 bl #sub_988

w/ pseudo-c (similarly w/ the various intermediate formats that free allows)

0000071c void sub_71c() __noreturn
0000071c {
0000071c int32_t r3;
0000071c int32_t var_8 = r3;
0000071e sys_clock();
00000722 sys_pwr();
00000726 usart2_setup();
00000762 usart2_reset();
00000766 sub_988();
00000766 /* no return */
0000071c }

the whole bit calling sub_878 and sub_680 are just gone from the higher level formats? is this just a free/trial thing or something else?

[emesare]

It's because the branch to get to those calls is never taken, or well, our analysis is under the assumption it is never taken.

0000072a 134b ldr r3, [pc, #0x4c] {data_778}
0000072c 1b68 ldr r3, [r3] {data_8004000, "ZZZZ"} {0x5a5a5a5a}
0000072e b3f15a3f cmp r3, #0x5a5a5a5a // #0x5a5a5a5a == #0x5a5a5a5a
00000732 0ad0 beq #0x74a {0x1} // always branch

There is two things you can do to fix the dataflow from removing unused code.

1. enable analysis.keepDeadCodeBranches which should keep that branch from being removed.
2. Make data_8004000 writable so that the analysis cannot assume its value never changes, and/or patch it to the desired value.

Another thing that can do call removals is pure functions with unused return value:
In the case of pure functions (no side effects) where the return value is unused, the function is eliminated. If that is the case that those are pure functions (denoted by the __pure attribute on the called function), then you can remove the attribute and they should show back up.

[neutered]

0000072a 134b ldr r3, [pc, #0x4c] {data_778}
0000072c 1b68 ldr r3, [r3] {data_8004000, "ZZZZ"} {0x5a5a5a5a}
0000072e b3f15a3f cmp r3, #0x5a5a5a5a // #0x5a5a5a5a == #0x5a5a5a5a
00000732 0ad0 beq #0x74a {0x1} // always branch

ahhh…. i didn’t stare at the disassembly enough before scratching my head at the decompile output. thanks.

[emesare]

No problem! Happy to help, if you have any other questions we also have a slack https://slack.binary.ninja/