============================== Sample 1 ============================== ASM: ;************************************************************************************************************************************************************ ;* FUNCTION * ;************************************************************************************************************************************************************ ;undefined parser_isexpr() ;local_10 undefined8 -10 ;local_14 undefined4 -14 ;local_20 undefined8 -20 ;local_28 undefined8 -28 ;local_30 undefined8 -30 PUSH RBP MOV RBP,RSP SUB RSP,0x30 MOV qword ptr [RBP + local_20+0x8],RDI MOV qword ptr [RBP + local_28+0x8],RSI MOV qword ptr [RBP + local_30+0x8],RDX MOV qword ptr [RBP + local_10+0x8],0x0 MOV RAX,qword ptr [RBP + local_20+0x8] TEST RAX,RAX JNZ LAB_00102ebc LEA RDX=>local_20,[RBP + -0x18] MOV RSI,qword ptr [RBP + local_30+0x8] MOV RAX,qword ptr [RBP + local_28+0x8] MOV R9,RDX LEA R8,[.data:PyST_Type] LEA RDX,[.data:keywords.4] MOV RCX=>.data:keywords.4,RDX LEA RDX,[.rodata:s_O!:isexpr_0010d2cc] ;= "O!:isexpr" MOV RDI,RAX MOV EAX,0x0 CALL .plt:PyArg_ParseTupleAndKeywords ;undefined PyArg_ParseTupleAndKeywords() MOV dword ptr [RBP + local_14+0x8],EAX JMP LAB_00102ee5 LAB_00102ebc: MOV RSI,qword ptr [RBP + local_30+0x8] MOV RAX,qword ptr [RBP + local_28+0x8] LEA RDX,[.data:keywords.4[8]] MOV RCX=>.data:keywords.4[8],RDX LEA RDX,[.rodata:s_:isexpr_0010d2d6] ;= ":isexpr" MOV RDI,RAX MOV EAX,0x0 CALL .plt:PyArg_ParseTupleAndKeywords ;undefined PyArg_ParseTupleAndKeywords() MOV dword ptr [RBP + local_14+0x8],EAX LAB_00102ee5: CMP dword ptr [RBP + local_14+0x8],0x0 JZ LAB_00102f37 MOV RAX,qword ptr [RBP + local_20+0x8] MOV EAX,dword ptr [RAX + 0x28] CMP EAX,0x1 JNZ LAB_00102f00 MOV RAX,qword ptr [->_Py_TrueStruct] ;= 00112170 JMP LAB_00102f07 LAB_00102f00: MOV RAX,qword ptr [->_Py_ZeroStruct] ;= 00112020 LAB_00102f07: ; FWD[3,0]: Stack[-0x10],00112020,00112170 MOV qword ptr [RBP + local_10+0x8],RAX=>EXTERNAL:_Py_TrueStruct 
;=?? MOV RAX,qword ptr [->_Py_RefTotal] ;= 00112178 MOV RAX=>EXTERNAL:_Py_RefTotal,qword ptr [RAX] ;=?? LEA RDX,[RAX + 0x1] MOV RAX,qword ptr [->_Py_RefTotal] ;= 00112178 MOV qword ptr [RAX]=>EXTERNAL:_Py_RefTotal,RDX ;=?? MOV RAX,qword ptr [RBP + local_10+0x8] ; FWD[2,0]: 00112030,00112180 MOV RAX,qword ptr [RAX + 0x10]=>EXTERNAL:PyDict_New ;=?? LEA RDX,[RAX + 0x1] MOV RAX,qword ptr [RBP + local_10+0x8] ; FWD[2,0]: 00112030,00112180 MOV qword ptr [RAX + 0x10]=>EXTERNAL:PyDict_New,RDX ;=?? LAB_00102f37: ; FWD[3,0]: Stack[-0x10],00112020,00112170 MOV RAX=>EXTERNAL:_Py_TrueStruct,qword ptr [RBP + local_10+0x8] ;=?? LEAVE RET ;************************************************************************************************************************************************************ ;* FUNCTION * ;************************************************************************************************************************************************************ ;undefined parser_issuite() ;local_10 undefined8 -10 ;local_14 undefined4 -14 ;local_20 undefined8 -20 ;local_28 undefined8 -28 ;local_30 undefined8 -30 PUSH RBP Actual src:
/*
 * parser_isexpr: report whether an ST object holds an expression.
 *
 * Callable in two forms, distinguished by whether `self` is NULL:
 *   - self == NULL: the ST object is taken from the single argument "ast".
 *     The "O!" format makes PyArg_ParseTupleAndKeywords reject anything that
 *     is not a PyST_Type instance, and that check is what makes the later
 *     self->st_type read safe.
 *   - self != NULL: no arguments are accepted.
 *
 * Returns a new reference to Py_True or Py_False, or NULL when argument
 * parsing fails (PyArg_ParseTupleAndKeywords has then set the exception).
 *
 * NOTE(review): in the accompanying listing Py_INCREF shows up as an
 * increment of _Py_RefTotal plus an increment at offset 0x10 of the object,
 * which presumably means a reference-debugging build; the PyDict_New label
 * on that offset looks like a mis-resolved reference. Confirm against the
 * build flags.
 */
static PyObject*
parser_isexpr(PyST_Object *self, PyObject *args, PyObject *kw)
{
    PyObject* res = 0;      /* stays NULL unless parsing succeeds */
    int ok;

    static char *keywords[] = {"ast", NULL};

    if (self == NULL)
        ok = PyArg_ParseTupleAndKeywords(args, kw, "O!:isexpr", keywords,
                                         &PyST_Type, &self);
    else
        /* &keywords[1] is the NULL terminator, i.e. an empty keyword list. */
        ok = PyArg_ParseTupleAndKeywords(args, kw, ":isexpr", &keywords[1]);

    if (ok) {
        /* Check to see if the ST represents an expression or not. */
        res = (self->st_type == PyST_EXPR)? Py_True : Py_False;
        /* Py_True / Py_False are shared objects; hand the caller its own reference. */
        Py_INCREF(res);
    }
    return (res);
}
Predicted src: static PyObject * isis_Type(PyObject *self, PyObject *args) { PyObject *py_Type; PyObject *py_Type; if (!PyArg_ParseTuple(args, "O", &py_Type, &py_Type, &py_Type, &py_Type)) return NULL; Py_INCREF(py_Type); Py_INCREF(py_Type); Py_INCREF(py_Type); return Py_None; } ============================== Sample 2 ============================== ASM: ;************************************************************************************************************************************************************ ;* FUNCTION * ;************************************************************************************************************************************************************ ;undefined L12add_form_to_node_list() ;local_20 undefined8 -20 PUSH R12 MOV R12,RDI PUSH RBP MOV RBP,RSI PUSH RBX SUB RSP,0x10 MOV RAX,qword ptr FS:[0x28] MOV qword ptr [RSP + local_20+0x28],RAX XOR EAX,EAX CALL .plt:::ecl_process_env ;undefined ecl_process_env() MOV RBX,RAX MOV RAX,RSP CMP qword ptr [RBX + 0x2e8],RAX JNC LAB_00129998 LAB_00129942: MOV RAX,qword ptr [.bss:VV] ;=?? MOV RDI,RBX MOV RSI,qword ptr [RAX + 0x218] CALL .plt:::ecl_function_dispatch ;undefined ecl_function_dispatch() MOV RSI,R12 MOV EDI,0x1 MOV R8,RAX XOR EAX,EAX CALL R8 MOV RSI,RBP MOV RDI,RAX CALL .plt:::ecl_cons ;undefined ecl_cons() MOV qword ptr [RBX + 0x8],0x1 MOV RDX,qword ptr [RSP + local_20+0x28] SUB RDX,qword ptr FS:[0x28] JNZ LAB_0012999f ADD RSP,0x10 POP RBX POP RBP POP R12 RET ?? 0Fh ?? 1Fh ?? 40h @ ?? 
00h LAB_00129998: CALL .plt:::ecl_cs_overflow ;undefined ecl_cs_overflow() JMP LAB_00129942 LAB_0012999f: CALL .plt:::__stack_chk_fail ;undefined __stack_chk_fail() NOP dword ptr CS:[RAX + RAX*0x1] Actual src:
/*
 * L12add_form_to_node_list: call the function stored in VV[67] (annotated
 * C1FORM-PARENTS) on v1form and return a new cons of that result onto v2list.
 *
 * NOTE(review): the naming, the VV[] vector and the unused TTL label look
 * like machine-generated output of a Lisp-to-C compiler (presumably ECL);
 * treat this as generated code, not hand-written code.
 *
 * The accompanying listing carries two separate stack protections:
 *   - ecl_cs_check below is the runtime's own C-stack guard; in the listing
 *     it is the compare of the stack pointer against a field of the
 *     environment, with ecl_cs_overflow called when the limit is reached;
 *   - the FS:[0x28] load/compare and the __stack_chk_fail call have no
 *     counterpart in this source, so they come from the C compiler's stack
 *     protector.
 */
static cl_object L12add_form_to_node_list(cl_object v1form, cl_object v2list)
{
    cl_object T0;
    cl_object env0 = ECL_NIL;       /* never read in this function */
    const cl_env_ptr cl_env_copy = ecl_process_env();
    cl_object value0;
    /* value0 is passed here before it is assigned; the check runs before any other work. */
    ecl_cs_check(cl_env_copy,value0);
    {
TTL:
        /* Dispatch on the function object in VV[67], passing one argument. */
        T0 = ecl_function_dispatch(cl_env_copy,VV[67])(1, v1form) /* C1FORM-PARENTS */;
        value0 = CONS(T0,v2list);
        /* Record that exactly one value is being returned. */
        cl_env_copy->nvalues = 1;
        return value0;
    }
}
Predicted src: static VALUE rb_list_list_list(VALUE self, VALUE self) { rb_list_list_list(self, rb_list_list(self)); return self; } ============================== Sample 3 ============================== ASM: ;************************************************************************************************************************************************************ ;* FUNCTION * ;************************************************************************************************************************************************************ ;undefined rpmfiFMode() MOV ESI,0xffffffff TEST RDI,RDI JZ LAB_00141700 MOV ESI,dword ptr [RDI] MOV RDI,qword ptr [RDI + 0x28] LAB_00141700: JMP .plt:rpmfilesFMode ;undefined rpmfilesFMode() ?? 
66h f Actual src: RPMFI_ITERFUNC(rpm_mode_t, FMode, i) Predicted src: static void setModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeMod
eModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeMod
eModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeModeMod ============================== Sample 4 ============================== ASM: ;************************************************************************************************************************************************************ ;* FUNCTION * ;************************************************************************************************************************************************************ ;undefined rpmcpioFree() TEST RDI,RDI JZ LAB_00126500 PUSH RBP CMP qword ptr [RDI],0x0 MOV RBP,RDI JZ LAB_001264f4 CALL .plt:rpmcpioClose ;undefined rpmcpioClose() LAB_001264f4: MOV RDI,RBP CALL .plt.got:::free ;void free(void * __ptr) XOR EAX,EAX POP RBP RET LAB_00126500: XOR EAX,EAX RET ?? 66h f Actual src: rpmcpio_t rpmcpioFree(rpmcpio_t cpio) { if (cpio) { if (cpio->fd) (void) rpmcpioClose(cpio); free(cpio); } return NULL; } Predicted src: int FreeFreeFreeFreeFreeFree(void *ptr) { if (ptr == NULL) return -1; if (ptr == NULL) return -1; free(ptr); return 0; } ============================== Sample 5 ============================== ASM: ;************************************************************************************************************************************************************ ;* FUNCTION * ;************************************************************************************************************************************************************ ;undefined proto_register_irc() SUB RSP,0x8 LEA RDX,[.rodata:s_irc_03795c22+16] ;= "irc" LEA RSI,[.rodata:DAT_034f9416] ;= 49h I LEA RDI,[.rodata:s_Internet_Relay_Chat_038c6d1f] ;= "Internet Relay Chat" CALL .plt:proto_register_protocol ;undefined proto_register_protocol() MOV EDX,0xc LEA RSI,[.data:hf.2] MOV EDI,EAX MOV dword ptr [.data:proto_irc],EAX ;= FFFFFFFFh CALL .plt:proto_register_field_array ;undefined proto_register_field_array() MOV 
ESI,0x5 LEA RDI,[.data:ett.1] CALL .plt:proto_register_subtree_array ;undefined proto_register_subtree_arr... MOV EDI,dword ptr [.data:proto_irc] ;= FFFFFFFFh CALL .plt:expert_register_protocol ;undefined expert_register_protocol() LEA RSI,[.data:ei.0] MOV EDX,0x6 MOV RDI,RAX CALL .plt:expert_register_field_array ;undefined expert_register_field_array() LEA RSI,[.rodata:TAG_DELIMITER] ;= 0001h LEA RDI,[.bss:pbrk_tag_delimiter] ;=?? ADD RSP,0x8 JMP .plt:::ws_mempbrk_compile ;undefined ws_mempbrk_compile() ?? 66h f Actual src: void proto_register_irc(void) { static hf_register_info hf[] = { { &hf_irc_response, { "Response", "irc.response", FT_STRING, STR_ASCII, NULL, 0x0, "Line of response message", HFILL }}, { &hf_irc_request, { "Request", "irc.request", FT_STRING, STR_ASCII, NULL, 0x0, "Line of request message", HFILL }}, { &hf_irc_request_prefix, { "Prefix", "irc.request.prefix", FT_STRING, STR_ASCII, NULL, 0x0, "Request prefix", HFILL }}, { &hf_irc_request_command, { "Command", "irc.request.command", FT_STRING, STR_ASCII, NULL, 0x0, "Request command", HFILL }}, { &hf_irc_request_command_param, { "Parameter", "irc.request.command_parameter", FT_STRING, STR_ASCII, NULL, 0x0, "Request command parameter", HFILL }}, { &hf_irc_request_trailer, { "Trailer", "irc.request.trailer", FT_STRING, STR_ASCII, NULL, 0x0, "Request trailer", HFILL }}, { &hf_irc_response_prefix, { "Prefix", "irc.response.prefix", FT_STRING, STR_ASCII, NULL, 0x0, "Response prefix", HFILL }}, { &hf_irc_response_command, { "Command", "irc.response.command", FT_STRING, STR_ASCII, NULL, 0x0, "Response command", HFILL }}, { &hf_irc_response_num_command, { "Command", "irc.response.num_command", FT_UINT16, BASE_DEC, NULL, 0x0, "Response (numeric) command", HFILL }}, { &hf_irc_response_command_param, { "Parameter", "irc.response.command_parameter", FT_STRING, STR_ASCII, NULL, 0x0, "Response command parameter", HFILL }}, { &hf_irc_response_trailer, { "Trailer", "irc.response.trailer", FT_STRING, STR_ASCII, 
NULL, 0x0, "Response trailer", HFILL }}, { &hf_irc_ctcp, { "CTCP Data", "irc.ctcp", FT_STRING, STR_ASCII, NULL, 0x0, "Placeholder to dissect CTCP data", HFILL }} }; static gint *ett[] = { &ett_irc, &ett_irc_request, &ett_irc_request_command, &ett_irc_response, &ett_irc_response_command }; static ei_register_info ei[] = { { &ei_irc_missing_end_delimiter, { "irc.missing_end_delimiter", PI_MALFORMED, PI_ERROR, "Missing ending tag delimiter (0x01)", EXPFILL }}, { &ei_irc_tag_data_invalid, { "irc.tag_data_invalid", PI_PROTOCOL, PI_WARN, "Tag data outside of NOTICE or PRIVMSG command", EXPFILL }}, { &ei_irc_prefix_missing_ending_space, { "irc.prefix_missing_ending_space", PI_MALFORMED, PI_ERROR, "Prefix missing ending ", EXPFILL }}, { &ei_irc_request_command, { "irc.request.command.missing", PI_MALFORMED, PI_ERROR, "Request has no command", EXPFILL }}, { &ei_irc_numeric_request_command, { "irc.request.command.numeric", PI_PROTOCOL, PI_WARN, "Numeric command not allowed in request", EXPFILL }}, { &ei_irc_response_command, { "irc.response.command.missing", PI_MALFORMED, PI_ERROR, "Response has no command", EXPFILL }}, }; expert_module_t* expert_irc; proto_irc = proto_register_protocol("Internet Relay Chat", "IRC", "irc"); proto_register_field_array(proto_irc, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); expert_irc = expert_register_protocol(proto_irc); expert_register_field_array(expert_irc, ei, array_length(ei)); /* compile patterns */ ws_mempbrk_compile(&pbrk_tag_delimiter, TAG_DELIMITER); } Predicted src: static void proto_register_register(void) { static int n = 0; static const char *name = { { "proto_register_name", "c" }, { "proto_register_array", "c" }, { "proto_register_array", "c" }, { "c" }, { "proto_register_array", "c" }, { "c" }, { "proto_register_array", "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" 
}, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }, { "c" }