-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wrong parameter recognition #26
Comments
You're right 😀. |
hum, good question 😉 As a human I would think somehow like that: Btw: Do you know why there is no black line on the left? |
If only "push"es are allowed, the plugin is gonna fails on the mov scenarios and visceversa, so, until a workaround or a better algorithm to filter out/predict the "correct argument instructions" for both cases is found, the plugin is gonna be buggy regarding this feature. That's what I meant in my previous comment, it's not a trivial task. The arguments line should be drawn correctly, are you using the last version of both, the plugin and x64dbg? If you are, could you upload that sample to give it a look? |
Thank you for the insight! In my case it was/is an x86 executable - therefore the problem is somehow
But yes, I understand, that's not so easy to implement, because you would have to predict/trace. Anyhow! Something that turns
into
I uploaded the file you are asked for, but beware - it is ransomware! (pasword: malware). |
OK I think you got something there to somehow workaround the mov issue at least for now If(n / 4 <= function_argument_count) In your code that "mov [ebp + 24]" would be out of the picture since the function only has 6 parameters and that +24 would be way off that. So yeah I think I can come up with some code by using this approach. I'll keep this issue updated once is done. Regarding the arguments widget yeah, I'm all for implementing this in xAnalyzer, we just gotta work on some plugin interface on x64dbg to allow plugins to handle that info, I just haven't had time to implement it myself, anyways , if you're interested we could work that out. |
Nice! No hurry ;)
Jap! I already talked to mrexodia about this some days before, he said it would be a "minor time investment" and shouldn't be difficult. I'm relatively busy at the moment, too. Let's do that in some weeks - we should open an independent enhancement-issue in the meantime. |
Ok, now we have an issue here. Even when we can predict [ESP*] instructions, there's no way that I can find to choose the correct argument instructions using [EBP*]. High stack addresses correspond to the stack base pointer [EBP+n] and those refer to the actual function parameters. On the other hand [EBP-n] or low stack addresses correspond to local vars, which are most likely to be used as parameters for function calls inside the actual function. The thing is that anything from [EBP-n] to [EBP+n] could be used as a function parameter and there's no reliable way (at least that I can find) to statically predict which of all is gona be used as an actual parameter in a function call. I could just ban every [EBP*] instruction...I'm out of ideas. |
Hum, tell me if I am wrong, but... When a function is called, normally a new stack frame is created at the adress where ESP is pointing to at the moment. After the call, But... why should I Can you maybe show me an example, you have lost me somewhere. |
Sorry I didn't read your entire message before writing mine so I deleted my prev message. |
perfect - I think now we are in tune ;) Thanks! |
I am not totally sure, but i guess that
MOV ...
is not one of the parameters - right? :Dhttps://i.imgur.com/5duxcci.png
The text was updated successfully, but these errors were encountered: