Trouble with Constant Propagation in LLIL for x86 Binary Analysis

[psifertex]

Discussed in #6305

^{Originally posted by twinklestar03 January 7, 2025}
Hi, I'm currently working with LLIL and stumped on some problem of constant propagation. Target binary is x86.

Here's the LLIL I'm working with:

  17 @ 000011c7  ecx = 0x10
  18 @ 000011cc  edx = 0
  19 @ 000011d1  temp2.d = ecx
  20 @ 000011d1  temp0.d = divu.dp.d(edx:eax, temp2.d)
  21 @ 000011d1  temp1.d = modu.dp.d(edx:eax, temp2.d)
  22 @ 000011d1  eax = temp0.d
  23 @ 000011d1  edx = temp1.d

After evaluating temp2.d at line 19, I expect temp2.d to be 0x10 from evaluating the get_reg_value_after. However, it displays as "UndeterminedValue" on binary view.

>>> instr
<LowLevelILSetReg: temp2.d = ecx>
>>> instr.get_reg_value('ecx')
<const 0x10>
>>> instr.dest
<ILRegister: temp2>
>>> instr.get_reg_value_after(instr.dest)
<const 0x10>

Below is a screenshot showing the issue:

Additionally, the value at line 20 is not resolved correctly. Given constants, divu.dp.d should calculate correct result (0x1f // 0x10 == 1), instead it is showing "UndeterminedValue":

>>> instr_20
<LowLevelILSetReg: temp0.d = divu.dp.d(edx:eax, temp2.d)>
>>> instr_20.get_reg_value('edx')
<const 0x0>
>>> instr_20.get_reg_value('eax')
<const 0x1f>
>>> instr_20.get_reg_value(instr_20.src.operands[1].src)
<const 0x10>
>>> instr_20.get_reg_value_after(instr_20.dest)
<undetermined>

Expected Behavior

Given the context and operations performed, static analysis should be able to determine correct values for both temp2.d and division.

Question

Where might I be going wrong in my approach? Could there be an issue with the way I’m interpreting the LLIL? Any help would be greatly appreciated.

[psifertex]

This should be resolved with the internal PR: https://github.com/Vector35/binaryninja/pull/1201

[psifertex]

Actually, this is a duplicate of #6625 follow that to track that issue