John Källén edited this page Jan 8, 2017 · 1 revision

The role of the Reko scanner is to take a loaded, relocated binary image and determine its [control flow graph] (CFG). Guided by the CFG, Reko then rewrites the machine code into basic blocks of RTL (register transfer language) instructions.

Reko's current scanner traverses the binary by disassembling from every known entry point. When a jump, branch, or call instruction is encountered, the scanner continues tracing at that instruction's destination (and, for branches and calls, at the fall-through address as well). When an indirect jump is encountered, the scanner attempts to determine its targets by backtracking a few basic blocks and slicing on the jump's operand to recover the set of possible destination addresses. This process continues recursively until no new destinations are discovered.

The procedure described above is sound, in the sense that everything it disassembles is reachable code, but it may miss a lot of instructions that it never reaches because Reko can't discover the targets of indirect calls and jumps. A new scanner implementation is underway that hopefully will improve on this by implementing a shingled disassembler and the algorithm described in "Compiler-Agnostic Function Detection in Binaries" by Dennis Andriesse, Asia Slowinska, and Herbert Bos.
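As an added example (this is not Reko's code, and not the algorithm of the paper cited above), the following Python implements both halves of the description on this page on a toy byte-coded instruction set that is assumed for the illustration: the recursive traversal of the previous paragraph, with a deliberately small stand-in for the slicer that resolves a table jump from the `cmp` guarding it, and a shingled pass that decodes at every byte offset. The ISA, its opcodes, the `budget` of the slice and the sample image are all constructed for the example.

```python
# Added example, not Reko's own code: a recursive-descent scanner for a toy
# byte-coded ISA invented for this page, a simplified backward slice that
# resolves table jumps, and a shingled pass that decodes at every offset.
# The opcodes, encodings and sample image are constructed assumptions.
# Toy ISA, one opcode byte plus an optional one-byte operand:
#   00 nop  01 aa jmp  02 aa jz  03 aa call  04 ret  05 nn mov r,nn  06 nn cmp r,nn
#   07 aa ja (taken if r > nn of last cmp)  08 aa jmp [aa + r] (byte table at aa)
ISA = {0x00: ("nop", 1), 0x01: ("jmp", 2), 0x02: ("jz", 2), 0x03: ("call", 2),
       0x04: ("ret", 1), 0x05: ("mov", 2), 0x06: ("cmp", 2), 0x07: ("ja", 2),
       0x08: ("jmp_tbl", 2)}
TERMINATORS = {"jmp", "ret", "jmp_tbl"}   # no fall-through successor
DIRECT = {"jmp", "jz", "ja", "call"}      # operand is a code address

def decode(image, addr):
    """Return (mnemonic, operand, length), or None if nothing decodes at addr."""
    if addr >= len(image) or image[addr] not in ISA:
        return None
    mnem, length = ISA[image[addr]]
    if addr + length > len(image):
        return None
    return mnem, (image[addr + 1] if length == 2 else None), length

def slice_table_jump(image, instrs, preds, addr, budget=8):
    """Backward slice on r from 'jmp [table + r]' over already-scanned preds:
    'cmp r, N' bounds the index (N+1 entries), 'mov r, k' fixes it; else None."""
    table, work, seen = instrs[addr][1], [addr], set()
    while work and budget > 0:
        budget -= 1
        for p in preds.get(work.pop(), ()):
            if p in seen:
                continue
            seen.add(p)
            mnem, op, _ = instrs[p]
            if mnem == "cmp":
                return [image[table + i] for i in range(op + 1)]
            if mnem == "mov":
                return [image[table + op]]
            work.append(p)
    return None

def scan(image, entries):
    """Recursive-descent scan: follow jumps, branches and calls from the entries,
    slice to resolve table jumps. Returns (instrs, succs, preds, unresolved)."""
    instrs, succs, preds, unresolved, work = {}, {}, {}, [], list(entries)
    while work:
        addr = work.pop()
        ins = decode(image, addr)
        if addr in instrs or ins is None:     # already seen, or not code
            continue
        instrs[addr] = ins
        mnem, op, length = ins
        targets = [] if mnem in TERMINATORS else [addr + length]
        if mnem in DIRECT:
            targets.append(op)
        elif mnem == "jmp_tbl":
            resolved = slice_table_jump(image, instrs, preds, addr)
            if resolved is None:
                unresolved.append(addr)       # code behind it stays hidden
            targets += resolved or []
        succs[addr] = targets
        for t in targets:
            preds.setdefault(t, set()).add(addr)
            work.append(t)
    return instrs, succs, preds, unresolved

def shingle(image):
    """Shingled disassembly: decode at every offset, then drop (to a fixed point)
    offsets whose fall-through or direct target is invalid. Overlaps survive."""
    valid = {a for a in range(len(image)) if decode(image, a) is not None}
    changed = True
    while changed:
        changed = False
        for addr in sorted(valid):
            mnem, op, length = decode(image, addr)
            needed = [] if mnem in TERMINATORS else [addr + length]
            if mnem in DIRECT:
                needed.append(op)
            if any(n not in valid for n in needed):
                valid.discard(addr)
                changed = True
    return valid

# Constructed image: main at 00 calls a helper at 10, then switches on r via a table at 16.
IMAGE = bytes([0x03, 0x10,              # 00: call 10
               0x05, 0x01, 0x06, 0x02,  # 02: mov r,1 ; cmp r,2
               0x07, 0x0D, 0x08, 0x16,  # 06: ja 0D (default) ; jmp [16 + r]
               0x00, 0x01, 0x0D,        # 0A: nop ; jmp 0D          (case 0)
               0x04, 0x00, 0x04,        # 0D: ret ; nop ; ret       (default/case 1, case 2)
               0x00, 0x04,              # 10: nop ; ret             (helper)
               0x00, 0x04,              # 12: nop ; ret             (never referenced)
               0xFF, 0x42,              # 14: data bytes
               0x0A, 0x0D, 0x0E])       # 16: jump table: case 0, 1, 2

def compare(image=IMAGE, entries=(0x00,)):
    """Offsets the shingled pass accepts that the recursive scan never reached."""
    instrs, _, _, unresolved = scan(image, entries)
    return sorted(shingle(image) - set(instrs)), unresolved
```

`scan(IMAGE, [0x00])` reaches the twelve instructions of main, its three cases and the helper at `0x10`, and the slice resolves the table jump at `0x08` to `0x0A`, `0x0D` and `0x0E`; with no `cmp` or `mov` within the budget the jump is reported in `unresolved` and whatever lies behind it is never seen, which is exactly the gap described above. `compare()` returns `[0x03, 0x12, 0x13]`: the unreferenced routine at `0x12`, which recursive descent cannot reach, but also the phantom `jmp 0x06` at `0x03` that decodes from the operand byte of the `mov`. That over-approximation is the price of shingling, and it is what a later function-detection pass has to filter out.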
