============================== Sample 1 ============================== ASM: ;************************************************************************************************************************************************************ ;* FUNCTION * ;************************************************************************************************************************************************************ ;undefined NewChildCB() ;local_20 undefined8 -20 PUSH R13 LEA RCX,[.rodata:s_New_Child_%d_00104004] ;= "New Child %d" MOV EDX,0x1e PUSH R12 MOV R12,RDI PUSH RBP MOV RBP,RSI MOV ESI,0x1 SUB RSP,0x30 MOV R8D,dword ptr [.bss:count.2] MOV RAX,qword ptr FS:[0x28] MOV qword ptr [RSP + local_20+0x48],RAX XOR EAX,EAX MOV R13,RSP LEA EAX,[R8 + 0x1] MOV RDI,R13 MOV dword ptr [.bss:count.2],EAX XOR EAX,EAX CALL .plt:::__sprintf_chk ;undefined __sprintf_chk() XOR ECX,ECX MOV RDX,R13 MOV RSI,R12 MOV RDI,RBP CALL CreateNode ;undefined CreateNode() MOV RAX,qword ptr [RSP + local_20+0x48] SUB RAX,qword ptr FS:[0x28] JNZ LAB_00102a78 ADD RSP,0x30 POP RBP POP R12 POP R13 RET LAB_00102a78: CALL .plt:::__stack_chk_fail ;undefined __stack_chk_fail() NOP dword ptr [RAX] Actual src: static void NewChildCB(Widget w, XtPointer client, XtPointer call) { static int count = 0; char buffer[30]; sprintf (buffer, "New Child %d", count++); CreateNode((Widget)client, w, buffer, XmAlwaysOpen); } Predicted src: static void add_count(Widget w, XtPointer client_data, XtPointer call_data) { char *name = (char *)client_data; char buf[1024]; sprintf(buf, "count %d", name); add_count(name, buf, sizeof(buf)); } ============================== Sample 2 ============================== ASM: ;************************************************************************************************************************************************************ ;* FUNCTION * 
;************************************************************************************************************************************************************ ;undefined razer_string_to_bool() ;local_20 undefined8 -20 ;local_1010 undefined8 -1010 ;local_1048 undefined8 -1048 PUSH RBP PUSH RBX SUB RSP,0x1000 OR qword ptr [RSP]=>local_1010,0x0 SUB RSP,0x38 OR qword ptr [RSP]=>local_1048,0x0 ADD RSP,0x1020 MOV RBP,RSI LEA RSI,[.rodata:DAT_0011926e] ;= 79h y MOV RBX,RDI CALL .plt:::strcasecmp ;int strcasecmp(char * __s1, char * _... TEST EAX,EAX JZ LAB_0010b250 LEA RSI,[.rodata:DAT_00119272] ;= 74h t MOV RDI,RBX CALL .plt:::strcasecmp ;int strcasecmp(char * __s1, char * _... TEST EAX,EAX JZ LAB_0010b250 LEA RSI,[.rodata:s_on_0011817d+5] ;= "on" MOV RDI,RBX CALL .plt:::strcasecmp ;int strcasecmp(char * __s1, char * _... TEST EAX,EAX JZ LAB_0010b250 LEA RSI,[.rodata:DAT_00119277] ;= 6Eh n MOV RDI,RBX CALL .plt:::strcasecmp ;int strcasecmp(char * __s1, char * _... TEST EAX,EAX JZ LAB_0010b260 LEA RSI,[.rodata:s_false_0011927a] ;= "false" MOV RDI,RBX CALL .plt:::strcasecmp ;int strcasecmp(char * __s1, char * _... TEST EAX,EAX JZ LAB_0010b260 LEA RSI,[.rodata:DAT_00119280] ;= 6Fh o MOV RDI,RBX CALL .plt:::strcasecmp ;int strcasecmp(char * __s1, char * _... TEST EAX,EAX JZ LAB_0010b260 XOR EDX,EDX LEA RSI=>local_20,[RSP + 0x8] MOV RDI,RBX CALL .plt:::strtol ;long strtol(char * __nptr, char * *... MOV RDX,qword ptr [RSP + local_20+0x28] CMP RBX,RDX JZ LAB_0010b26d CMP byte ptr [RDX],0x0 JNZ LAB_0010b26d TEST EAX,EAX SETNZ byte ptr [RBP] XOR EAX,EAX JMP LAB_0010b256 ?? 90h LAB_0010b250: MOV byte ptr [RBP],0x1 XOR EAX,EAX LAB_0010b256: ADD RSP,0x18 POP RBX POP RBP RET ?? 0Fh ?? 1Fh ?? 00h LAB_0010b260: MOV byte ptr [RBP],0x0 ADD RSP,0x18 XOR EAX,EAX POP RBX POP RBP RET LAB_0010b26d: MOV EAX,0xffffffea JMP LAB_0010b256 ?? 
66h f Actual src: int razer_string_to_bool(const char *string, bool *b) { int i; if (strcasecmp(string, "yes") == 0 || strcasecmp(string, "true") == 0 || strcasecmp(string, "on") == 0) { *b = 1; return 0; } if (strcasecmp(string, "no") == 0 || strcasecmp(string, "false") == 0 || strcasecmp(string, "off") == 0) { *b = 0; return 0; } if (!razer_string_to_int(string, &i)) { *b =!!i; return 0; } return -EINVAL; } Predicted src: int bool_bool_to_bool (const char *str, const char *value) { if (!str ||!value) return false; if (!strcasecmp (str, "bool")) return false; if (!strcasecmp (value, "bool")) return false; if (!strcasecmp (value, "bool")) return false; if (!strcasecmp (value, "bool")) return false; if (!strcasecmp (value, "bool")) return false; if (!strcasecmp (value, "bool")) return false; if (!strcasecmp (value, "bool")) return false; if (!strcasecmp (value, "bool")) return false; if (!strcasecmp (value, "bool")) return false; return true; } ============================== Sample 3 ============================== ASM: ;************************************************************************************************************************************************************ ;* FUNCTION * ;************************************************************************************************************************************************************ ;undefined fnct_RelateMatch() PUSH R13 PUSH R12 PUSH RBP MOV RBP,RDI PUSH RBX MOV RBX,RDX SUB RSP,0x8 MOV RAX,qword ptr [.bss:sqlite3_api] ;=?? CALL qword ptr [RAX + 0x328] MOV RDI,qword ptr [RBX] MOV R12,RAX MOV RAX,qword ptr [.bss:sqlite3_api] ;=?? CALL qword ptr [RAX + 0x388] CMP EAX,0x3 JNZ LAB_001be1ee MOV RAX,qword ptr [.bss:sqlite3_api] ;=?? MOV RDI,qword ptr [RBX] CALL qword ptr [RAX + 0x368] MOV RDI,qword ptr [RBX + 0x8] MOV R13,RAX MOV RAX,qword ptr [.bss:sqlite3_api] ;=?? CALL qword ptr [RAX + 0x388] CMP EAX,0x3 JZ LAB_001be210 LAB_001be1ee: MOV RAX,qword ptr [.bss:sqlite3_api] ;=?? 
MOV RDI,RBP MOV ESI,0xffffffff MOV RAX,qword ptr [RAX + 0x290] ADD RSP,0x8 POP RBX POP RBP POP R12 POP R13 JMP RAX LAB_001be210: MOV RAX,qword ptr [.bss:sqlite3_api] ;=?? MOV RDI,qword ptr [RBX + 0x8] CALL qword ptr [RAX + 0x368] MOV RDX,RAX TEST R12,R12 JZ LAB_001be258 MOV RSI,R13 MOV RDI,R12 CALL .plt:gaiaIntersectionMatrixPatternMatch_r ;undefined gaiaIntersectionMatrixPatt... MOV ESI,EAX LAB_001be236: MOV RAX,qword ptr [.bss:sqlite3_api] ;=?? MOV RDI,RBP MOV RAX,qword ptr [RAX + 0x290] ADD RSP,0x8 POP RBX POP RBP POP R12 POP R13 JMP RAX ?? 0Fh ?? 1Fh ?? 44h D ?? 00h ?? 00h LAB_001be258: MOV RSI,RAX MOV RDI,R13 CALL .plt:gaiaIntersectionMatrixPatternMatch ;undefined gaiaIntersectionMatrixPatt... MOV ESI,EAX JMP LAB_001be236 ?? 66h f Actual src:
/*
 * fnct_RelateMatch - SQL-callable wrapper around the gaia intersection-matrix
 * pattern matchers. Both arguments must be SQLITE_TEXT; any other value type
 * makes the function report -1 through sqlite3_result_int() and return.
 *
 * NOTE(review): argc is never consulted; argv[0] and argv[1] are read
 * unconditionally, so this relies on the function being registered with
 * exactly two arguments (registration is not shown here - confirm).
 * NOTE(review): the pointers returned by sqlite3_value_text() are passed on
 * without a NULL check. That call can return NULL when an encoding
 * conversion fails to allocate; whether the gaia matchers tolerate a NULL
 * string is not visible here.
 */
static void fnct_RelateMatch (sqlite3_context * context, int argc, sqlite3_value ** argv)
{
    /* SQL function: / ST_RelateMatch(string matrix, string pattern) / / returns: / 1 if the intersection matrix satisfies the intersection pattern / 0 otherwise / or -1 if any error is encountered */
    int ret;
    const char *matrix;
    const char *pattern;
    /* user data registered with the function; non-NULL selects the _r matcher below */
    void *data = sqlite3_user_data (context);
    GAIA_UNUSED (); /* LCOV_EXCL_LINE */
    /* first argument: the intersection matrix, accepted only as TEXT */
    if (sqlite3_value_type (argv[0])!= SQLITE_TEXT)
    {
        sqlite3_result_int (context, -1);
        return;
    }
    else
        matrix = (char *) sqlite3_value_text (argv[0]);
    /* second argument: the pattern, accepted only as TEXT */
    if (sqlite3_value_type (argv[1])!= SQLITE_TEXT)
    {
        sqlite3_result_int (context, -1);
        return;
    }
    else
        pattern = (char *) sqlite3_value_text (argv[1]);
    /* pick the matcher variant that takes the user-data pointer when one is available */
    if (data!= NULL)
        ret = gaiaIntersectionMatrixPatternMatch_r (data, matrix, pattern);
    else
        ret = gaiaIntersectionMatrixPatternMatch (matrix, pattern);
    /* the matcher's return value is handed to SQL unchanged */
    sqlite3_result_int (context, ret);
}
Predicted src: static int sqlite3_sqlite_sqlite_sqlite3_sqlite3_sqlite_sqlite3_sqlite(sqlite3_context *ctx, int argc, sqlite3_value **argv) { sqlite3_sqlite3_sqlite3_sqlite3 *sqlite3 = (sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite *) argv[0]; int ret; sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *sqlite3 =
(sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *) argv[1]; sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *sqlite3 = (sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *) argv[2]; sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *sqlite3 = (sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *) argv[3]; sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *sqlite3 = (sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *) argv[3]; sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *sqlite3 = (sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3 *) argv[3]; sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3(sqlite3,sqlite3); sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3(sqlite3); sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3(sqlite3); sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite(sqlite3); sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite(sqlite3); sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite(sqlite3); 
sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite(sqlite3); sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite(sqlite3); sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlite3_sqlit ============================== Sample 4 ============================== ASM: ;************************************************************************************************************************************************************ ;* RGWGetBucketPolicyStatus_ObjStore_S3::send_response() * ;************************************************************************************************************************************************************ ;undefined send_response(RGWGetBucketPolicyStatus_ObjStore_S3 * this) ;this RGWGetBucke... RDI PUSH RBX MOV ESI,dword ptr [this + 0x70] MOV RBX,this TEST ESI,ESI JNZ LAB_00902160 LAB_0090209f: MOV this,qword ptr [RBX + 0x8] CALL dump_errno ;undefined dump_errno(req_state * par... MOV this,qword ptr [RBX + 0x8] XOR R9D,R9D XOR R8D,R8D MOV RCX,-0x1 LEA RDX,[.rodata:s_application/xml_00be3a9c] ;= "application/xml" MOV RSI,RBX CALL end_header ;undefined end_header(req_state * par... MOV this,qword ptr [RBX + 0x8] CALL dump_start ;undefined dump_start(req_state * par... MOV RAX,qword ptr [RBX + 0x8] LEA RCX,[.rodata:s_http://s3.amazonaws.com/doc/2006_00bba808] ;= "http://s3.amazonaws.com/doc/2006-... 
MOV ESI,0xc LEA RDX,[.rodata:s_PolicyStatus_00c1d571+12] ;= "PolicyStatus" MOV this,qword ptr [RAX + 0x28] MOV RAX,qword ptr [this] CALL qword ptr [RAX + 0x58] MOV RAX,qword ptr [RBX + 0x8] MOVZX ECX,byte ptr [RBX + 0x74] MOV this,qword ptr [RAX + 0x28] MOV R9,qword ptr [this] MOV RAX,qword ptr [R9 + 0x88] CMP RAX,qword ptr [->ceph::Formatter::dump_bool] ;= 004e9af0 JNZ LAB_00902170 TEST CL,CL LEA RAX,[.rodata:s_false_00b9dbb7] ;= "false" LEA R8,[.rodata:DAT_00ba59e0] ;= 74h MOV ESI,0x8 CMOVZ R8,RAX LEA RCX,[.rodata:s_%s_00c380b4+25] ;= "%s" LEA RDX,[.rodata:s_IsPublic_00bfb2e5] ;= "IsPublic" XOR EAX,EAX CALL qword ptr [R9 + 0xb0] LAB_00902141: MOV RAX,qword ptr [RBX + 0x8] MOV this,qword ptr [RAX + 0x28] MOV RAX,qword ptr [this] CALL qword ptr [RAX + 0x60] MOV this,qword ptr [RBX + 0x8] POP RBX MOV RSI,qword ptr [this + 0x28] JMP rgw_flush_formatter_and_reset ;undefined rgw_flush_formatter_and_re... ?? 0Fh ?? 1Fh ?? 00h LAB_00902160: MOV this,qword ptr [this + 0x8] CALL set_req_state_err ;undefined set_req_state_err(req_stat... JMP LAB_0090209f ?? 66h f ?? 
90h LAB_00902170: MOV ESI,0x8 LEA RDX,[.rodata:s_IsPublic_00bfb2e5] ;= "IsPublic" CALL RAX JMP LAB_00902141 ;************************************************************************************************************************************************************ ;*boost::date_time::date::TEMPNAMEPLACEHOLDERVALUE(boost::gr...* ;************************************************************************************************************************************************************ ;undefined operator-(date * this, date * param_1) ;this dateformatter->open_object_section_in_ns("PolicyStatus", XMLNS_AWS_S3); // https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETPolicyStatus.html // mentions TRUE and FALSE, but boto/aws official clients seem to want lower // case which is returned by AWS as well; so let's be bug to bug compatible // with the API s->formatter->dump_bool("IsPublic", isPublic); s->formatter->close_section(); rgw_flush_formatter_and_reset(s, s->formatter); } Predicted src: void on_state::on_host_state() { 
this->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_sta
te->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m_state->m ============================== Sample 5 ============================== ASM: ;************************************************************************************************************************************************************ ;* FUNCTION * ;************************************************************************************************************************************************************ ;undefined bio_close() PUSH RBP MOV RBP,RDI PUSH RBX SUB RSP,0x8 CMP byte ptr [RDI + 0x24],0x1 JZ LAB_0010c0e0 LAB_0010c0af: CMP byte ptr [RBP + 0x25],0x0 MOV EDI,dword ptr [RBP + 0x28] JNZ LAB_0010c0d8 CALL .plt:::close ;int close(int __fd) LAB_0010c0bd: MOV RDI,qword ptr [RBP] CALL .plt.got:::free ;void free(void * __ptr) ADD RSP,0x8 MOV RDI,RBP POP RBX POP RBP JMP .plt.got:::free ;void free(void * __ptr) ?? 0Fh ?? 1Fh ?? 40h @ ?? 00h LAB_0010c0d8: CALL tcpclose ;undefined tcpclose() JMP LAB_0010c0bd ?? 90h LAB_0010c0e0: CMP byte ptr [RDI + 0x26],0x0 JNZ LAB_0010c0af MOV EBX,dword ptr [RDI + 0xc] TEST EBX,EBX JZ LAB_0010c0af CMP byte ptr [RBP + 0x25],0x0 MOV EDI,dword ptr [RDI + 0x28] MOV RSI,qword ptr [RBP] JZ LAB_0010c120 MOV ECX,dword ptr [RBP + 0x14] MOV EDX,EBX CALL tcptowrite ;undefined tcptowrite() LAB_0010c104: CMP EBX,EAX JLE LAB_0010c110 MOV byte ptr [RBP + 0x26],0x1 TEST EAX,EAX JS LAB_0010c116 LAB_0010c110: CDQE ADD qword ptr [RBP + 0x18],RAX LAB_0010c116: MOV dword ptr [RBP + 0xc],0x0 JMP LAB_0010c0af ?? 90h LAB_0010c120: MOV EDX,EBX CALL .plt:::write ;ssize_t write(int __fd, void * __buf... JMP LAB_0010c104 ?? 
0Fh Actual src:
/*
 * bio_close - release a bio and the descriptor it wraps.
 *
 * When b->direction is BIO_WRITE, bio_flush(b) is called first. The
 * descriptor b->fd is then closed with close() when b->type is 0 and with
 * tcpclose() otherwise, and finally b->buff and b itself are freed.
 *
 * NOTE(review): b is dereferenced without a NULL check. The function returns
 * void and discards the results of bio_flush(), close() and tcpclose(), so a
 * failed final write or close is not reported to the caller by this call,
 * and any error state bio_flush() may record inside *b is gone once b is
 * freed. b must not be used after this returns: a second bio_close(b) would
 * read b->direction from freed memory and free both allocations again.
 */
void bio_close(bio *b) {
    /*
     * Push out buffered data before the descriptor goes away. The disassembly
     * above contains no call to bio_flush; its write()/tcptowrite() calls are
     * presumably the inlined body - confirm.
     */
    if (b->direction==BIO_WRITE) { bio_flush(b); }
    /* type 0 uses plain close(); every other type goes through tcpclose() */
    if (b->type==0) { close(b->fd); } else { tcpclose(b->fd); }
    /* free the buffer first, then the struct that holds the pointer to it */
    free(b->buff);
    free(b);
}
Predicted src: static void write_close(void *data) { struct close_data *data = data; int i; if (data->fd >= 0) close(data->fd); if (data->fd >= 0) close(data->fd); if (data->fd >= 0) close(data->fd); if (data->fd >= 0) close(data->fd); if (data->fd >= 0) close(data->fd); if (data->fd >= 0) close(data->fd); }