How to search a sequence of instructions in Ghidra?

Question

I'd like to identify in Ghidra a specific sequence of instructions, which I get from MSVC Debug in Visual Studio compiling my own function:

What I'm looking for so is (for the same DLL, decompiled in Ghidra) to intercept the sequence movss/movss/movss/movss/lea/lea/lea, in the hoping to intercept the C++ Clamp function I've defined:

template <typename T>
T Clamp(const T& min, const T& max, const T& value)
{
    if (value < min)
    {
        return min;
    }
    else if (value > max)
    {
        return max;
    }
    return value;
}

What's the correct way to do this in Ghidra?

If I try Instruction Pattern Search feature in Ghidra, inserting the first 4 movss of the sequence (selecting the instructions show in the VS Debugger, after enabling Show Code Bytes; i.e. in order f3 0f 10/f3 0f 11/f3 0f 10/f3 0f 11):

it doesn't return any hit.

So, is this a mismatch from VS Code disassembly and the Listing elaborated by Ghidra, or am I searching in a wrong way?

Comments have been moved to chat; please do not continue the discussion here. Before posting a comment below this one, please review the purposes of comments. Comments that do not request clarification or suggest improvements usually belong as an answer, on Reverse Engineering Meta, or in Reverse Engineering Chat. Comments continuing discussion may be removed. — 0xC0000022L, Commented Dec 17, 2023 at 21:28

ynwarcs · Accepted Answer · 2023-12-22 11:24:35Z

I'll post an answer here with the conclusions we came to in the chat, in case anyone finds it useful in the future.

There seems to be a limitation of the Instruction Pattern Search tool in that the patterns must contain a fixed amount of bytes. In the screenshot posted in the original post, the second and fourth pattern are looking for movss [addr], xmm instructions (operands encoded in 5 bytes, first operand is 00...101), while the instructions that need to be found are movss [reg+offs], xmm (operands encoded in 3 bytes, first operand is 01...100). To correct the patterns, one needs to find an appropriate instruction in code or insert the bytes manually into the tool and then unmask the operands (as far as Ghidra allows).

Alternatively, one can also use the memory search ('S' hotkey or Search -> Memory) and insert a pattern matching the instruction bytes. For this specific question, the pattern would be:

f3 0f 10 ?? ?? ?? ?? ?? f3 0f 11 ?? ?? ?? f3 0f 10 ?? ?? ?? ?? ?? f3 0f 11 ?? ?? ??

Ghidra also allows searching in a more dynamic manner via regular expressions. This would allow one to craft a regex pattern that matches against four consecutive movss instructions, regardless of their operands, but may make it more difficult to guard against false positives.

Nice, thanks. For this specific case, can you give an example of regex? Or do you need a new question maybe? — markzzz, Commented Dec 23, 2023 at 7:29
@markzzz, there's two regexes for both instruction types in the chat. Use [DLT\\dlt].. to match the 3-byte operands exactly (the ?? ?? ??), or [\x05\x0D\x15\x1D\x25\x2D\x35].... for the longer ones (the ?? ?? ?? ?? ??), or if you don't care about the variations for the SIB byte at all, the pattern given by @ynwarcs could just be \xF3\x0F\x10.....\xF3\x0F\x11...\xF3\x0F\x10.....\xF3\x0F\x11.... (The '.' character in a regular expression matches any byte). — Ali Rizvi-Santiago, Commented Dec 30, 2023 at 16:36

Stack Exchange Network

How to search a sequence of instructions in Ghidra?

1 Answer 1

Not the answer you're looking for? Browse other questions tagged
c++
ghidra
msvc
or ask your own question.

Hot Network Questions

How to search a sequence of instructions in Ghidra?

1 Answer 1

Not the answer you're looking for? Browse other questions tagged c++ghidramsvc or ask your own question.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
c++
ghidra
msvc
or ask your own question.