How do I get branch addresses of LLIL_IF expressions?

[portersan]

When inspecting the operands of an LLIL_IF instruction, the 3rd and 4th operand values are single byte labels(?). How do I map that to the branch virtual addresses?

Thanks, --Mark

[portersan]

Actually, to be more precise, the 3rd and 4th arguments are longs, but seem to contain small index values/labels, not addresses.

[MartijnB]

It are indices in the vector of LLIL instructions of the corresponding basic block for the IF instruction. If you lookup the target LLIL instructions based on their index, you can find them the corresponding addresses.

[portersan]

Thanks for the quick response. First question: I've been surfing the API docs and associated source code, but is there other LLIL documentation I should use?

Your answer makes sense, but I'm still struggling to find the way to access the instruction list. From the LowLevelInstruction object, I see that il_basic_block will give me the enclosing basic block. However, looking at the LowLevelILBasicBlock documentation, I don't see a method or field to get a list of instructions (maybe I'm missing it). Does getitem access instructions (I see that in the source)?

From LowLevelILFunction, I see the "instructions" generator can be used to get a list of all LLIL instructions in the function, so would the IF index match this larger list position?

Many thanks, --Mark

[portersan]

Actually, disregard my last post. I just remembered that I walked the instructions in the basic blocks using "for il in block". I should be set....thanks

[portersan]

OK, given MartijnB's insight, I was able to access il_instr.il_basic_block.il_function[index].address and get the info. Thanks