//helloWorld.c
#include<stdio.h>
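/* Program entry point: prints a fixed greeting and exits with status 0.
 * `main(void)` replaces the old-style `main()` declarator so the signature
 * is a real prototype. The format string is a literal, so nothing
 * user-controlled reaches printf's format argument. */
int main(void) {
    printf("Hello World!\n");
    return 0;
}
//helloWorld.abi.c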
#include <stdio.h>
/* Table of external functions for the ABI library passed to mcsema-lift via
 * --abi_libraries: presumably the lifter reads each entry's prototype from
 * the compiled bitcode (here only printf). The `used` attribute keeps the
 * otherwise-unreferenced array from being discarded at compile time.
 * NOTE(review): the identifier starts with a double underscore (reserved
 * for the implementation) and the function-pointer-to-void* cast is a
 * common extension rather than strict ISO C; both appear to be what the
 * tooling expects, so they are left as-is. */
__attribute__((used))
void *__mcsema_externs[] = {
(void *) printf
};$ clang-9 -S -emit-llvm helloWorld.abi.c
$ llvm-as helloWorld.abi.ll
;helloWorld.abi.ll
; ModuleID = './helloWorld.abi.c'
source_filename = "./helloWorld.abi.c"
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-pc-linux-gnu"
; One-entry extern table from helloWorld.abi.c: the address of @printf stored
; as a generic i8* (the (void *) cast in the C source).
@__mcsema_externs = dso_local global [1 x i8*] [i8* bitcast (i32 (i8*, ...)* @printf to i8*)], align 8
; IR form of __attribute__((used)): listing the table in @llvm.used keeps it
; alive even though nothing else in this module references it.
@llvm.used = appending global [1 x i8*] [i8* bitcast ([1 x i8*]* @__mcsema_externs to i8*)], section "llvm.metadata"
; printf is declared with its full variadic prototype, i32 (i8*, ...), which
; is the signature the lifter would need for the call in main.
declare dso_local i32 @printf(i8*, ...) #0
attributes #0 = { "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "less-precise-fpmad"="false" "no-frame-pointer-elim"="true" "no-frame-pointer-elim-non-leaf" "no-infs-fp-math"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "unsafe-fp-math"="false" "use-soft-float"="false" }
!llvm.module.flags = !{!0}
!llvm.ident = !{!1}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{!"clang version 9.0.0-2~ubuntu18.04.2 (tags/RELEASE_900/final)"}
$ mcsema-disass --disassembler /opt/ida-7.1/idat64 --os linux --arch amd64 --binary helloWorld --entrypoint main --log_file helloWorld.log
$ mcsema-lift-9.0 --os linux --arch amd64 --cfg helloWorld.cfg --output helloWorld.bc --abi_libraries helloWorld.abi.bc
여기에서 에러가 발생합니다.
E20200611 13:46:09.062482 23865 Function.cpp:353] Cannot find target of instruction at 4003ec; the static target 4003f0 is not associated with a lifted subroutine, and it does not have a known call target.
helloWorld: file format elf64-x86-64
Disassembly of section .init:
00000000004003c8 <_init>:
4003c8: 48 83 ec 08 sub $0x8,%rsp
4003cc: 48 8b 05 25 0c 20 00 mov 0x200c25(%rip),%rax # 600ff8 <__gmon_start__>
4003d3: 48 85 c0 test %rax,%rax
4003d6: 74 02 je 4003da <_init+0x12>
4003d8: ff d0 callq *%rax
4003da: 48 83 c4 08 add $0x8,%rsp
4003de: c3 retq
Disassembly of section .plt:
00000000004003e0 <.plt>:
4003e0: ff 35 22 0c 20 00 pushq 0x200c22(%rip) # 601008 <_GLOBAL_OFFSET_TABLE_+0x8>
4003e6: ff 25 24 0c 20 00 jmpq *0x200c24(%rip) # 601010 <_GLOBAL_OFFSET_TABLE_+0x10>
4003ec: 0f 1f 40 00 nopl 0x0(%rax)
00000000004003f0 <printf@plt>:
4003f0: ff 25 22 0c 20 00 jmpq *0x200c22(%rip) # 601018 <printf@GLIBC_2.2.5>
4003f6: 68 00 00 00 00 pushq $0x0
4003fb: e9 e0 ff ff ff jmpq 4003e0 <.plt>
Disassembly of section .text:
0000000000400400 <_start>:
400400: 31 ed xor %ebp,%ebp
400402: 49 89 d1 mov %rdx,%r9
400405: 5e pop %rsi
400406: 48 89 e2 mov %rsp,%rdx
400409: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
40040d: 50 push %rax
40040e: 54 push %rsp
40040f: 49 c7 c0 90 05 40 00 mov $0x400590,%r8
400416: 48 c7 c1 20 05 40 00 mov $0x400520,%rcx
40041d: 48 c7 c7 f0 04 40 00 mov $0x4004f0,%rdi
400424: ff 15 c6 0b 20 00 callq *0x200bc6(%rip) # 600ff0 <__libc_start_main@GLIBC_2.2.5>
40042a: f4 hlt
40042b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
0000000000400430 <_dl_relocate_static_pie>:
400430: f3 c3 repz retq
400432: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
400439: 00 00 00
40043c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400440 <deregister_tm_clones>:
400440: 55 push %rbp
400441: b8 30 10 60 00 mov $0x601030,%eax
400446: 48 3d 30 10 60 00 cmp $0x601030,%rax
40044c: 48 89 e5 mov %rsp,%rbp
40044f: 74 17 je 400468 <deregister_tm_clones+0x28>
400451: b8 00 00 00 00 mov $0x0,%eax
400456: 48 85 c0 test %rax,%rax
400459: 74 0d je 400468 <deregister_tm_clones+0x28>
40045b: 5d pop %rbp
40045c: bf 30 10 60 00 mov $0x601030,%edi
400461: ff e0 jmpq *%rax
400463: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
400468: 5d pop %rbp
400469: c3 retq
40046a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
0000000000400470 <register_tm_clones>:
400470: be 30 10 60 00 mov $0x601030,%esi
400475: 55 push %rbp
400476: 48 81 ee 30 10 60 00 sub $0x601030,%rsi
40047d: 48 89 e5 mov %rsp,%rbp
400480: 48 c1 fe 03 sar $0x3,%rsi
400484: 48 89 f0 mov %rsi,%rax
400487: 48 c1 e8 3f shr $0x3f,%rax
40048b: 48 01 c6 add %rax,%rsi
40048e: 48 d1 fe sar %rsi
400491: 74 15 je 4004a8 <register_tm_clones+0x38>
400493: b8 00 00 00 00 mov $0x0,%eax
400498: 48 85 c0 test %rax,%rax
40049b: 74 0b je 4004a8 <register_tm_clones+0x38>
40049d: 5d pop %rbp
40049e: bf 30 10 60 00 mov $0x601030,%edi
4004a3: ff e0 jmpq *%rax
4004a5: 0f 1f 00 nopl (%rax)
4004a8: 5d pop %rbp
4004a9: c3 retq
4004aa: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
00000000004004b0 <__do_global_dtors_aux>:
4004b0: 80 3d 79 0b 20 00 00 cmpb $0x0,0x200b79(%rip) # 601030 <__TMC_END__>
4004b7: 75 17 jne 4004d0 <__do_global_dtors_aux+0x20>
4004b9: 55 push %rbp
4004ba: 48 89 e5 mov %rsp,%rbp
4004bd: e8 7e ff ff ff callq 400440 <deregister_tm_clones>
4004c2: c6 05 67 0b 20 00 01 movb $0x1,0x200b67(%rip) # 601030 <__TMC_END__>
4004c9: 5d pop %rbp
4004ca: c3 retq
4004cb: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
4004d0: f3 c3 repz retq
4004d2: 0f 1f 40 00 nopl 0x0(%rax)
4004d6: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
4004dd: 00 00 00
00000000004004e0 <frame_dummy>:
4004e0: 55 push %rbp
4004e1: 48 89 e5 mov %rsp,%rbp
4004e4: 5d pop %rbp
4004e5: eb 89 jmp 400470 <register_tm_clones>
4004e7: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
4004ee: 00 00
00000000004004f0 <main>:
4004f0: 55 push %rbp
4004f1: 48 89 e5 mov %rsp,%rbp
4004f4: 48 83 ec 10 sub $0x10,%rsp
4004f8: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)
4004ff: 48 bf a4 05 40 00 00 movabs $0x4005a4,%rdi
400506: 00 00 00
400509: b0 00 mov $0x0,%al
40050b: e8 e0 fe ff ff callq 4003f0 <printf@plt>
400510: 31 c9 xor %ecx,%ecx
400512: 89 45 f8 mov %eax,-0x8(%rbp)
400515: 89 c8 mov %ecx,%eax
400517: 48 83 c4 10 add $0x10,%rsp
40051b: 5d pop %rbp
40051c: c3 retq
40051d: 0f 1f 00 nopl (%rax)
0000000000400520 <__libc_csu_init>:
400520: 41 57 push %r15
400522: 41 56 push %r14
400524: 49 89 d7 mov %rdx,%r15
400527: 41 55 push %r13
400529: 41 54 push %r12
40052b: 4c 8d 25 de 08 20 00 lea 0x2008de(%rip),%r12 # 600e10 <__frame_dummy_init_array_entry>
400532: 55 push %rbp
400533: 48 8d 2d de 08 20 00 lea 0x2008de(%rip),%rbp # 600e18 <__init_array_end>
40053a: 53 push %rbx
40053b: 41 89 fd mov %edi,%r13d
40053e: 49 89 f6 mov %rsi,%r14
400541: 4c 29 e5 sub %r12,%rbp
400544: 48 83 ec 08 sub $0x8,%rsp
400548: 48 c1 fd 03 sar $0x3,%rbp
40054c: e8 77 fe ff ff callq 4003c8 <_init>
400551: 48 85 ed test %rbp,%rbp
400554: 74 20 je 400576 <__libc_csu_init+0x56>
400556: 31 db xor %ebx,%ebx
400558: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
40055f: 00
400560: 4c 89 fa mov %r15,%rdx
400563: 4c 89 f6 mov %r14,%rsi
400566: 44 89 ef mov %r13d,%edi
400569: 41 ff 14 dc callq *(%r12,%rbx,8)
40056d: 48 83 c3 01 add $0x1,%rbx
400571: 48 39 dd cmp %rbx,%rbp
400574: 75 ea jne 400560 <__libc_csu_init+0x40>
400576: 48 83 c4 08 add $0x8,%rsp
40057a: 5b pop %rbx
40057b: 5d pop %rbp
40057c: 41 5c pop %r12
40057e: 41 5d pop %r13
400580: 41 5e pop %r14
400582: 41 5f pop %r15
400584: c3 retq
400585: 90 nop
400586: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
40058d: 00 00 00
0000000000400590 <__libc_csu_fini>:
400590: f3 c3 repz retq
Disassembly of section .fini:
0000000000400594 <_fini>:
400594: 48 83 ec 08 sub $0x8,%rsp
400598: 48 83 c4 08 add $0x8,%rsp
40059c: c3 retq
printf에 대한 prototype이 제대로 추측되지 않아서 발생한 문제인 것 같습니다. 다만 에러 메시지에 나온 4003ec는 .plt 섹션의 `nopl` 패딩이고 그 정적 타겟 4003f0은 `printf@plt` 스텁이므로, CFG에서 printf@plt가 외부 함수 썽크로 기록되지 않은 것이 원인일 수도 있습니다.
--abi_libraries 옵션을 사용했는데도, 실제로 리프팅된 bc 파일을 ll 파일로 변환한 뒤 확인해 보면 abi_libraries에 선언된 printf 함수가 사용되지 않는 것을 확인할 수 있습니다.