Question about the PC address reported by mythril
ShangzhiXu opened this issue · 2 comments
Description
So to sum up, I found that the PC address reported does not match the disassemble code generated by solc. I don't know if I made any mistake in usage or if I apprehend the meaning of PC addresswrongly.
Thanks for your help!!
Tests
Let's use the example in README:
root@i10940x:/home/usr/mythril# myth analyze solidity_examples/killbilly.sol -t 3
==== Unprotected Selfdestruct ====
SWC ID: 106
Severity: High
Contract: KillBilly
Function name: commencekilling()
PC address: 354
Code: selfdestruct(msg.sender)
Estimated Gas Usage: 974 - 1399
Any sender can cause the contract to self-destruct.
Any sender can trigger execution of the SELFDESTRUCT instruction to destroy this contract account and withdraw its balance to an arbitrary address. Review the transaction trace generated for this issue and make sure that appropriate security controls are in place to prevent unrestricted access.
--------------------
In file: solidity_examples/killbilly.sol:22
selfdestruct(msg.sender)
--------------------
Initial State:
Account: [CREATOR], balance: 0x0, nonce:0, storage:{}
Account: [ATTACKER], balance: 0x0, nonce:0, storage:{}
Transaction Sequence:
Caller: [CREATOR], calldata: , decoded_data: , value: 0x0
Caller: [ATTACKER], function: killerize(address), txdata: 0x9fa299ccadadadadadadadadadadadaddeadbeefdeadbeefdeadbeefdeadbeefdeadbeef, value: 0x0
Caller: [ATTACKER], function: activatekillability(), txdata: 0x84057065, value: 0x0
Caller: [ATTACKER], function: commencekilling(), txdata: 0x7c11da20, value: 0x0
There is an item in the report PC address: 354. I considered it as the offset of the opcode in bytecode. Like here, I think at PC address: 354, the opcode should be CALL, but when I try to check this out by reading the disassemble code generated by solc, I found they are different. The disassemble code looks like this at 354 (equal to 0x162)
0162 50 POP
0163 50 POP
0164 60 PUSH1 0x40
0166 51 MLOAD
0167 80 DUP1
0168 91 SWAP2
0169 03 SUB
016A 90 SWAP1
016B F3 *RETURN
016C 5B JUMPDEST
016D 60 PUSH1 0x00
016F 80 DUP1
which is a pop.
Same thing happen when handling integer overflow, the PC address does not match the disassemble code generated by solc. For example, mythril reports PC address : 100, but the opcode in the disassemble code at offset 100 may not be MUL, ADD or other opcodes that might lead to overflow, instead, opcode at offset 100 might be POP CALL or other things.
Thanks for your help!!
Hi @ShangzhiXu are you checking runtime disassembly or creation disassembly? In this case, you'd have to check runtime disassembly.
Thanks!I'll check it out