RTTI object locator included in vftable size?

[sei-eschwartz]

[eschwartz@pd4 analysis]$ cat -n ../code/testcases/legoavengers/unknown.exe.results.log | fgrep 'VFTableSizeGTE' | fgrep '0x6c).'                                                                                                                                                                                                                     
17563784        reasonVFTableSizeGTE_A(0x192389c, 0x6c).
17563869        reasonVFTableSizeGTE_A(0x194d444, 0x6c).
17564339        Concluding factVFTableSizeGTE(0x194d444, 0x6c).
17564930        Concluding factVFTableSizeGTE(0x192389c, 0x6c).
18251192        Fail-Retracting factVFTableSizeGTE(0x194d444, 0x6c)...
18251277        Fail-Retracting factVFTableSizeGTE(0x192389c, 0x6c)...
18338065        reasonVFTableSizeGTE_A(0x194d444, 0x6c).
18338099        Concluding factVFTableSizeGTE(0x194d444, 0x6c).
18380125        Fail-Retracting factVFTableSizeGTE(0x194d444, 0x6c)...
18382623        reasonVFTableSizeGTE_A(0x194d444, 0x6c).
18382642        Concluding factVFTableSizeGTE(0x194d444, 0x6c).
18740005        reasonVFTableSizeGTE_A(0x19bed24, 0x6c).
18740027        Concluding factVFTableSizeGTE(0x19bed24, 0x6c).
18831387        reasonVFTableSizeGTE_A(0x192389c, 0x6c).
18831797        Concluding factVFTableSizeGTE(0x192389c, 0x6c).
19223024        reasonVFTableSizeGTE_A(0x19fb9f8, 0x6c).
19223063        Concluding factVFTableSizeGTE(0x19fb9f8, 0x6c).
19340871        reasonVFTableSizeGTE_B(0x19fc2bc, 0x19fc2bc, 0, 0x19fb9f8, 0x19fb9f8, 0x19fc2bc, 0x6c).
19340872        Concluding factVFTableSizeGTE(0x19fc2bc, 0x6c).
19421129        Fail-Retracting factVFTableSizeGTE(0x19fc2bc, 0x6c)...
19438746        reasonVFTableSizeGTE_B(0x19fc2bc, 0x19fc2bc, 0, 0x19fb9f8, 0x19fb9f8, 0x19fc2bc, 0x6c).
19438747        Concluding factVFTableSizeGTE(0x19fc2bc, 0x6c).
19439307        Fail-Retracting factVFTableSizeGTE(0x19fc2bc, 0x6c)...
19439547        reasonVFTableSizeGTE_B(0x19fc2bc, 0x19fc2bc, 0, 0x19fb9f8, 0x19fb9f8, 0x19fc2bc, 0x6c).
19439548        Concluding factVFTableSizeGTE(0x19fc2bc, 0x6c).
19439776        Fail-Retracting factVFTableSizeGTE(0x19fc2bc, 0x6c)...
19439906        reasonVFTableSizeGTE_B(0x19fc2bc, 0x19fc2bc, 0, 0x19fb9f8, 0x19fb9f8, 0x19fc2bc, 0x6c).
19439907        Concluding factVFTableSizeGTE(0x19fc2bc, 0x6c).
19440035        Fail-Retracting factVFTableSizeGTE(0x19fc2bc, 0x6c)...
19440109        reasonVFTableSizeGTE_B(0x19fc2bc, 0x19fc2bc, 0, 0x19fb9f8, 0x19fb9f8, 0x19fc2bc, 0x6c).
19440110        Concluding factVFTableSizeGTE(0x19fc2bc, 0x6c).
19440168        Fail-Retracting factVFTableSizeGTE(0x19fc2bc, 0x6c)...
19440216        reasonVFTableSizeGTE_B(0x19fc2bc, 0x19fc2bc, 0, 0x19fb9f8, 0x19fb9f8, 0x19fc2bc, 0x6c).
19440217        Concluding factVFTableSizeGTE(0x19fc2bc, 0x6c).
19440250        Fail-Retracting factVFTableSizeGTE(0x19fc2bc, 0x6c)...
19440289        reasonVFTableSizeGTE_B(0x19fc2bc, 0x19fc2bc, 0, 0x19fb9f8, 0x19fb9f8, 0x19fc2bc, 0x6c).
19440290        Concluding factVFTableSizeGTE(0x19fc2bc, 0x6c).
19440316        Fail-Retracting factVFTableSizeGTE(0x19fc2bc, 0x6c)...

0x192389c looks like it is 0x5c to me, but there appears to be RTTI after the vftable. OOAnalyzer might be getting that confused? I don't think that is the root problem of this issue but it is concerning.

0x194d444 looks only to be 0x18 large. So that is probably the root of the problem. According to IDA, there is another vftable at 0194D460.

But OOAnalyzer does not think so:

[eschwartz@pd4 analysis]$ cat -n ../code/testcases/legoavengers/unknown.exe.facts | fgrep -e 194d444 -e 194d460                                                                                                                                                                                                                                     
170233  possibleVFTableWrite(0xcc9512, 0xcc94f0, 0, 0x194d444).
223726  initialMemory(0x194d444, 0xce19a0).
223733  initialMemory(0x194d460, 0xce19a0).

VFTable 0x194d460 is installed at 0x8c8984.

I just looked at the facts file I generated, which just completed overnight, and:

[eschwartz@pd4 analysis]$ cat -n ../code/testcases/legoavengers/LEGOMARVELAvengers.exe.facts | fgrep -e 194d444 -e 194d460                                               
379858  possibleVFTableWrite(0xcc9512, 0xcc94f0, 0, 0x194d444).
379859  possibleVFTableWrite(0xcc9584, 0xcc9540, 0, 0x194d460).
533810  initialMemory(0x194d444, 0xce19a0).
533817  initialMemory(0x194d460, 0xce19a0).

And looking at your new facts file:

/tmp $ cat ooprog-facts.pl | fgrep -e 194d444 -e 194d460
possibleVFTableWrite(0xcc9512, 0xcc94f0, 0, 0x194d444).
initialMemory(0x194d444, 0xce19a0).
initialMemory(0x194d460, 0xce19a0).

So for some reason, you are not finding the vftable install of 0x194d460. This may not be a prolog problem after all.

Originally posted by @sei-eschwartz in #175 (comment)

[sei-ccohen]

It's expected that OOAnalyzer would export initialMemory facts that aren't actually part of the table. There's a fairly complex algorithm involving allowing some "invalid" addresses in the VFTable, to help account for other problems where we failed to detect a function correctly during disassembly. The table should be terminated after more than one entry in a row that we can't confirm in Prolog points to an actual OO method. So the real question is what are all of the exported initialMemory facts in that region of memory, and do any of those addresses, unfortunately, happen to be valid RTTI data structures?

We could probably add a rule in Prolog that says that VFTables are not allowed to overlap with RTTI data structures. I don't think we have that rule just because we've never encountered it before.