fuzzinglabs / thoth Goto Github PK

The decompiler does not support hints for now :

Code :

add a dockerfile for people that prefer

In some cases, we can have indirect calls

It's not supported yet.

on the current codebase we need to add:

• proper disassembly print i.e. call abs [fp + 4], call rel [fp + 4]
• add indirect call info inside the callgraph (dashed circle?)

when one function (a) is calling multiple times the same function (b), we want to have an arrow with the number of count on it.
e.g.

Direct CALL inside the same function call rel 123 are possible (recursive function), it needs to be considered as a jump.

Same idea with relative JUMP e.g. jump rel 7

For the moment we ignore them

In cairo_return.json.

We should have

For the builtins decompilation, we have:

We don't have the disassembling of the objects (struct) and their attributes (members):

while we have:

APUpdate should be shown only after an ASSERT_EQ.
Bug is fixed on the decompiler, need to fix it also in the disassembler.

we need to have the same color feature than the disassembler but for the decompiler output

indirect_recursion.cairo:

We don't have the decorators disassembling.
For those codes (decorators1.cairo decorators2.cairo decorators3.cairo and constructor.cairo, l1_default.cairo):

And those bytecodes:

(decorators1.json)
storage_var:

view:

external:

or

(decorators2.json)
raw_input and raw_output:

(decorators3.json)
event:

(constructor.json)
constructor:

or

(l1_default.json)
l1_handler:

In this example, v_6 can actually be either v_5 or v_2 depending on the if/else.
It's a case of phi node in SSA.

by default the output is pdf, user should be able to choose the format in CLI
e.g. -format=png

interesting format: png, pdf, SVG
https://graphviz.readthedocs.io/en/stable/manual.html#formats

Also, we should change the output file name with the name of the input file
e.g. ... -f test.json -c => test_callgraph.gv.png
e.g. ... -f test.json -g => test_cfg.gv.png

we need to find a way to print the CFG like the disassembly output

ideally something like radare2 will be nice

add github action to run tests

in this example

We assign :

[AP] = 0

And we update ap.
So in the if statement, the AP used is not the same as the assigned before.
What should we do in this case ?

CAIRO SOURCE CODE :

https://github.com/starkware-libs/cairo-lang/blob/167b28bcd940fd25ea3816204fa882a0b0a49603/src/starkware/cairo/lang/tracer/tracer_data.py#L261-L273

add a flag to print disassembly with color :
builtins/struct
function name
call and return
jump

In this example

We have
[AP-2] = [AP] + [AP-1]
We should have :
[AP] = [AP-2]-[AP-1]
Because [AP] is not assigned yet.

The information that a function is an event can be found inside the abi section
for file: starknet_decorators3.json

we need to extract it, print it in the disassembler and the callgraph

We don't have the disassembling of functions implicit arguments;
For this code: cairo_implicit_parameters.cairo

And this bytecode: cairo_implicit_parameters.json

We have:

need a refacto on instruction print

the only place we need to import from cairo-lang library is for the decode_instruction

Could be interesting to copy decode_instruction and the Instruction directly in this program to prevent cairo-lang dependency and potential issue if people are not using venv

we should run tests and linters before each merge (in PR)

For this example:

We have:

python3 __main__.py -file tests/json_files/starknet_imports_with_parentheses.json

Traceback (most recent call last):
File "main.py", line 69, in
main()
File "main.py", line 50, in main
disassembler = Disassembler(args.file)
File "/home/fuzz/cairo_disassembler/disassembler.py", line 24, in init
self.analyze()
File "/home/fuzz/cairo_disassembler/disassembler.py", line 31, in analyze
self.json = parseToJson(self.file)
File "/home/fuzz/cairo_disassembler/jsonParser.py", line 126, in parseToJson
data, func_offset, func_identifiers = extractData(path)
File "/home/fuzz/cairo_disassembler/jsonParser.py", line 82, in extractData
json_data = json.load(f)
File "/usr/lib/python3.8/json/init.py", line 293, in load
return loads(fp.read(),
File "/usr/lib/python3.8/json/init.py", line 357, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.8/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.8/json/decoder.py", line 353, in raw_decode
obj, end = self.scan_once(s, idx)
json.decoder.JSONDecodeError: Invalid control character at: line 84067 column 109 (char 4194304)

We can take a look at existing similar projects:

• https://github.com/crytic/ethersplay
• https://github.com/adelapie/ghidra-evm

We have this error:
thoth -f ../base64.json -color

When we try to use Thoth on the bytecode of this code:
base64.cairo

base64.zip

Allow user to provide the function name of the function they want to see in details in the CFG

add documentation and clean function comments

we can find all label by looking at relative jump offset (JUMP_REL 9) and relative CALL (CALL rel 3145)

once done we should have an output like:

offset 2458:  ADD            AP, 1          
offset 2459:  ASSERT_EQ      [AP], [FP]     
offset 2459:  ADD            AP, 1          
offset 2460:  CALL           rel 4870       
offset 2460:  ADD            AP, 2          

label_2462:

offset 2462:  ASSERT_EQ      [AP], [FP-4] + [FP]
offset 2462:  ADD            AP, 1          
offset 2463:  ASSERT_EQ      [FP-3], [[AP-1]]
offset 2464:  ASSERT_EQ      [AP], [FP] + 1 
offset 2464:  ADD            AP, 1          
offset 2466:  ASSERT_EQ      [AP], [FP] + 1 
offset 2466:  ADD            AP, 1          
offset 2468:  ASSERT_EQ      [AP], [AP-4]   
offset 2468:  ADD            AP, 1          

Disassembler does not make a difference between CALL ABS and CALL REL

I fixed the bug for the decompiler, just need to do the same for the disassembler

Create unit test to check if every feature/API call works well
https://github.com/FuzzingLabs/octopus/blob/master/octopus/tests/BTC/test_disassembler.py

We can not detect the start/end of a function

Create a json that dumps multiple data
Use the json for the unit test

In this case python3 __main__.py -f tests/json_files/starknet_decorators1.json:

it will better to have:

CALL        76       # func __main__.get_balance

How strings/data work ? where should we dumps it ?

Show decorator information in the callgraph

e.g. view, external, l1_handler, etc.

better to change the color or shape?

Some identifiers (with type = "reference") actually contains value that we can print as comment during disassembly

(warning: I'm not speaking about the "reference manager" section)

use a python formater to have clean files.

based on current disassembly:

we should be able to associate args to ASSERT_EQ opcode:

The project should be allow the user to install it as a python package

We have:
python3 __main__.py -file tests/json_files/cairo_implicit_parameters.json

But the format of the implicit argument is using brackets { } and the classic arguments are using ( ):
cairo_implicit_parameters.cairo

create the requirements.txt file

in this test: tests/json_files/starknet_contract_interface.json

there is no bytecode because it's a contract interface.
For the moment we just quit and inform the user but we should do something else ;)

When we try to get the callflowgraph of the cairo_direct_recursion.json we don't have the direct recursion.
Command:
python3 __main__.py -file tests/json_files/cairo_direct_recursion.json -call

Result:

we already have the offset and some code that are interesting to add as a comment

we are missing a test with something like CALL rel [AP-5]