You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
can't detect it very easily since the loop isn't tight, like you said. we could write a rule with function scope matching and(non zero xor, has loop) but this doesn't seem very specific at all.
for this specific function we could also limit the number of basic blocks and/or #callers and/or #callees. that might be reasonably robust but doesn't generalize the technique very well.
capa doesn't detect null-preserving XOR because the XOR is not in a tight loop. Can we detect it?
![Screenshot 2023-11-06 at 15 20 47](https://private-user-images.githubusercontent.com/16052290/280838224-66b3875b-f3e8-43d1-ae5f-ca54c4105e3b.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTg1MzQwNzAsIm5iZiI6MTcxODUzMzc3MCwicGF0aCI6Ii8xNjA1MjI5MC8yODA4MzgyMjQtNjZiMzg3NWItZjNlOC00M2QxLWFlNWYtY2E1NGM0MTA1ZTNiLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA2MTYlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNjE2VDEwMjkzMFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWQyMmQ0YThlODU3NjlkMzZkYzlkNDc4ZjI3MDY1ZTA5YjM4MTI1YmM3ZDIzOTJjZjZjNDU5ZTdhY2VhNjA2NTcmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.kb8AJV-NPQzKb9wq-2pw9t4cm5oGQtP7rY6XNMFlUe0)
Tested with capa 6.1.0 using sample 4ce210df92602f9cf4990357eb63f1f05cb5e89d03426a98a77ef98d6ff967bc
The text was updated successfully, but these errors were encountered: