
ironstrings: increase stack size #128

Merged
merged 1 commit into from
Mar 1, 2024

Conversation

mr-tz
Contributor

@mr-tz mr-tz commented Feb 6, 2024

partly addresses #127

@llebout, can you test this fix on your side as well please?

@llebout

llebout commented Feb 6, 2024

@mr-tz On it

@llebout

llebout commented Feb 6, 2024

@mr-tz

The patch does seem to help for one function I think (though it may already have worked that way before too, or on some other versions of the sample I have).

0x1802b4d40 - It may have worked this way before too, found 3 strings while in manual analysis I was able to find much more. It seems like the emulator gets stuck on a condition or something and cannot reach all the code paths of the function.
What ironstrings with patch gave:

0x1802B4D40        0x1802B4FE0        0xD50              Function Pal.PalBuildObject.OnBeginInteractBuilding
0x1802B4D40        0x1802B523B        0xDD0              Function Pal.PalNetworkItemComponent.RequestDrop_ToServer
0x1802B4D40        0x1802B5536        0xD90              Function Pal.PalCharacterParameterComponent.OnDamage

Manual analysis string recovery results using a debugger and stepping through:

0x1802b4d40
"Function Pal.PalBuildObject.OnBeginInteractBuilding"
"Function Pal.PalNetworkItemComponent.RequestDrop_ToServer"
"Function Pal.PalCharacterParameterComponent.OnDamage"
"Function WBP_PalNPCHPGauge.WBP_PalNPCHPGauge_C.OnTakeDamage"
"Function Pal.PalPlayerState.SendDamage_ToServer"
"Function Pal.PalPlayerController.OnDamage"
"Function WBP_PlayerUI.WBP_PlayerUI_C.OnPlayerDamage"
"Function BP_MonsterBase.BP_MonsterBase_C.OnInflictDamage"
"Function Pal.PalDamageReactionComponent.ApplyDamageForHP"
"Function Pal.PalCharacterParameterComponent.OnDamage"
"Function Pal.PalDamageReactionComponent.ApplyDamageForHP"
"Function Pal.PalPlayerCharacter.IsGuildMaster"
"Function Pal.PalUIGuildMenu.IsAdminLocalPlayer"
"Function Pal.PalMapObjectDeathDroppedCharacterModel.IsSameGuildInLocalPlayer"
"Function Pal.PalMapObjectDeathPenaltyStorageModel.IsSameGuildInLocalPlayer"
"Function Pal.PalLocationPointBaseCamp.IsSameGuildWithPlayer"
"IsDying"
".OnPullTrigger"
"Function WBP_Map_Base.WBP_Map_Base_C.SetupLocationPointIcon"
"Function Pal.PalPlayerState.EnterChat_Receive"
"Function WBP_PalHUD_InGame_InputListener.WBP_PalHUD_InGame_InputListener_C.OpenChat"
"Function Pal.PalNetworkIndividualComponent.AddPlayerCharacterStatusPoint_ToServer"
"BP_SkillEffect"
"broadcast"

0x180138aa0 - Did not work at all like before, shows this recursion error (screenshot attached: ironstrings-issue), and increasing Python stack size with sys.setrecursionlimit(5000) or higher lets it run for longer but it still cannot discover paths to targets, see log file for debug log.

0x1802ae880 - Did not recover any strings, I know there are numerous strings from manual analysis, one of which is TreasureBox_C

Debug log file, contains a run on single function mode for all three previously problematic functions
ironstrings-issue.log

Overall I think this patch gave mixed results, and the strings that were recovered after the patch I think could already be recovered before and no new strings were discovered.

Thanks a lot for working on this.

@mr-tz
Contributor Author

mr-tz commented Feb 7, 2024

Hm, my guess is that not all paths for 0x1802b4d40 are explored correctly in flare-emu (more time would be needed to confirm). The same goes for 0x1802ae880 which has many blocks and paths.
To fix this, I think a closer look at flare-emu's iterateAllPaths and getPathsToTarget functions would be good next steps.

0x180138aa0 is massive (my IDA even complains about too many lines and the function stack is huge as well), so I think it's out of scope for the current usage of ironstrings.

FWIW with the fix here I get the 3 strings you mention above vs. 0 before.

@mr-tz
Contributor Author

mr-tz commented Feb 19, 2024

@llebout, what happens if you increase the MAX_CODE_PATHS?

@mr-tz
Contributor Author

mr-tz commented Mar 1, 2024

merging this as a small improvement, but it's not a complete fix

@mr-tz mr-tz merged commit 011cb33 into master Mar 1, 2024
3 checks passed
@mr-tz mr-tz deleted the fix/127 branch March 1, 2024 07:45