Merge pull request #5 from chkp-eyalit/development

Bug fix for issue CheckPointSW#41 in upstream repository
chkp-eyalit · May 27, 2020 · 2fe4160 · 2fe4160
2 parents 3e94c05 + 0e3ab0e
commit 2fe4160
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 8 deletions.
diff --git a/setup.py b/setup.py
@@ -16,7 +16,7 @@
       url='https://github.com/CheckPointSW/Karta',
       license='MIT',
       packages=find_packages(),
-      install_requires=['elementals', 'sark==2.0', 'pydocstyle', 'flake8', 'click', 'scikit-learn'],
+      install_requires=['elementals', 'sark', 'pydocstyle', 'flake8', 'click', 'scikit-learn'],
       classifiers=[
                     "Programming Language :: Python :: 3",
                     "License :: OSI Approved :: MIT License (MIT License)",

diff --git a/src/thumbs_up/analyzer_utils.py b/src/thumbs_up/analyzer_utils.py
@@ -153,8 +153,10 @@ def functionScan(analyzer, scs):
             if search_func or analyzer.switch_identifier.isSwitchCase(line.start_ea):
                 line = line.next
                 continue
+            original_code_type = analyzer.codeType(line.start_ea)
             # If this is code, check that it matches the start of a function, and make it a function
-            if line.is_code and analyzer.func_classifier.predictFunctionStartMixed(line.start_ea):
+            if line.is_code and analyzer.supportedCodeType(original_code_type) and \
+                        analyzer.func_classifier.predictFunctionStartMixed(line.start_ea):
                 if not ida_funcs.add_func(line.start_ea):
                     line = line.next
                 else:
@@ -168,7 +170,6 @@ def functionScan(analyzer, scs):
             # If unknown, check if a function and don't try to keep the same code type
             if line.is_unknown:
                 guess_code_type = analyzer.func_classifier.predictFunctionStartType(line.start_ea)
-                original_code_type = analyzer.codeType(line.start_ea)
                 if analyzer.func_classifier.predictFunctionStart(line.start_ea, guess_code_type):
                     if original_code_type != guess_code_type:
                         analyzer.setCodeType(line.start_ea, line.start_ea + 1, guess_code_type)

diff --git a/src/thumbs_up/analyzers/analyzer.py b/src/thumbs_up/analyzers/analyzer.py
@@ -247,7 +247,7 @@ def isValidCodePtr(self, ptr_ea):
             True iff the code pointer is valid
         """
         ptr_type = self.ptrCodeType(ptr_ea)
-        return self.isCodeAligned(self.cleanPtr(ptr_ea), ptr_type) and ptr_type in self.activeCodeTypes()
+        return self.isCodeAligned(self.cleanPtr(ptr_ea), ptr_type) and self.supportedCodeType(ptr_type)
 
     def hasCodeTypes(self):
         """Check if the given CPU has multiple code types.
@@ -289,9 +289,20 @@ def disableCodeType(self, code_type):
         Args:
             code_type (int): code type to be disabled
         """
-        if code_type in self._active_code_types:
+        if self.supportedCodeType(code_type):
             self._active_code_types.remove(code_type)
 
+    def supportedCodeType(self, code_type):
+        """Check if a given code_type is actively supported.
+
+        Args:
+            code_type (int): code type to be checked
+
+        Return Value:
+            The code type of the annotated pointer
+        """
+        return code_type in self._active_code_types
+
     def ptrCodeType(self, ptr_ea):
         """Extract the code type of the annotated pointer.
 

diff --git a/src/thumbs_up/utils/fptr.py b/src/thumbs_up/utils/fptr.py
@@ -200,7 +200,7 @@ def locateDataPtrs(self, scs, sds):
                     continue
                 # check for a function ptr
                 value = self._analyzer.parseAdderss(cur_ea)
-                # make sure it is valid
+                # make sure it is valid (enforces that the code_type is active)
                 if self.isValidCodePtr(value, scs):
                     func_value = self._analyzer.cleanPtr(value)
                     code_type  = self._analyzer.ptrCodeType(value)

diff --git a/src/thumbs_up/utils/function.py b/src/thumbs_up/utils/function.py
@@ -65,7 +65,7 @@ def __init__(self, analyzer, feature_size, inner_offset, classifiers_start_offse
         self._mixed_classifiers = {}
         self._type_classifier   = None
         # seed the random generator
-        numpy.random.seed(seed=struct.unpack("L", ida_nalt.retrieve_input_file_md5()[:4])[0])
+        numpy.random.seed(seed=struct.unpack("!I", ida_nalt.retrieve_input_file_md5()[:4])[0])
 
     def isFuncStart(self, ea):
         """Check if the given effective address is the start of a known function.

diff --git a/src/thumbs_up/utils/pattern_observer.py b/src/thumbs_up/utils/pattern_observer.py
@@ -82,7 +82,7 @@ def decide(self):
         # Now check for a basic alignment rule
         seen_eas = list(map(lambda x: x[0], self._records))
         # Deterministic results per binary, but still random
-        random.seed(struct.unpack("L", ida_nalt.retrieve_input_file_md5()[:4])[0])
+        random.seed(struct.unpack("!I", ida_nalt.retrieve_input_file_md5()[:4])[0])
         while True:
             # Check against two random candidates, and always make sure the representative isn't rare
             measure_candidate = seen_eas[random.randint(0, len(seen_eas) - 1)]