Fix semanticidentifier.py line 354 - Wrapper function
Issue #1
resolved
if self.ida_proxy.GetMnem(i_ea) == 'call':
The above code only checks for the 'call' string. The function could contain a jmp to sub_func, for example:
.text:00423BBA CryptDestroyKey_0 proc near ; CODE XREF: sub_42E673+A3↓p
.text:00423BBA ; sub_42E673+AE↓p
.text:00423BBA
.text:00423BBA hKey = dword ptr 4
.text:00423BBA
.text:00423BBA push esi
.text:00423BBB mov esi, ecx
.text:00423BBD cmp dword ptr [esi+0Ch], 0
.text:00423BC1 jz short loc_423BCC
.text:00423BC3 push dword ptr [esi+0Ch] ; hKey
.text:00423BC6 call ds:CryptDestroyKey
.text:00423BCC
.text:00423BCC loc_423BCC: ; CODE XREF: CryptDestroyKey_0+7↑j
.text:00423BCC mov ecx, esi
.text:00423BCE pop esi
.text:00423BCF jmp sub_41479E <- not a call
.text:00423BCF CryptDestroyKey_0 endp
FIX - check for instructions that contain jmp and validate the jmp address is in the function block.
Adding the following to line 362 fixed it.
if self.ida_proxy.GetMnem(i_ea) == 'jmp' and (func_ea > self.ida_proxy.GetOperandValue(i_ea,0) or func_end < self.ida_proxy.GetOperandValue(i_ea,0)):
    nr_calls = nr_calls + 2
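The check described above, modelled offline as an added example (not IDAscope's code and not the reporter's patch). Instructions are constructed tuples based on the listing; `FUNC_END` and the import address are assumed values, the function end is treated as exclusive, and "wrapper" is assumed to mean exactly one call and no jmp that leaves the function.

```python
from collections import namedtuple

# ea: address, mnem: mnemonic, target: value of operand 0 (None if unused)
Insn = namedtuple("Insn", "ea mnem target")

# Constructed from the listing in the issue. The import address and FUNC_END
# are assumed values (FUNC_END assumes a 5-byte jmp at 0x423BCF).
IAT_CRYPTDESTROYKEY = 0x4A0000              # placeholder, not from the binary
FUNC_START, FUNC_END = 0x423BBA, 0x423BD4   # end is exclusive
LISTING = [
    Insn(0x423BBA, "push", None), Insn(0x423BBB, "mov", None),
    Insn(0x423BBD, "cmp", None), Insn(0x423BC1, "jz", 0x423BCC),
    Insn(0x423BC3, "push", None), Insn(0x423BC6, "call", IAT_CRYPTDESTROYKEY),
    Insn(0x423BCC, "mov", None), Insn(0x423BCE, "pop", None),
    Insn(0x423BCF, "jmp", 0x41479E),        # tail jump into another function
]
# Constructed counter-case: one call plus a jmp that stays inside the function.
THIN_START, THIN_END = 0x401000, 0x401010
THIN = [
    Insn(0x401000, "push", None), Insn(0x401001, "call", IAT_CRYPTDESTROYKEY),
    Insn(0x401007, "jmp", 0x40100E), Insn(0x40100E, "retn", None),
]

def leaves_function(target, start, end):
    """True if a resolved branch target lies outside [start, end)."""
    return target is not None and not (start <= target < end)

def count_transfers(insns, start, end):
    """Return (calls, tail_jumps); only an unconditional jmp can be a tail jump."""
    calls = sum(1 for i in insns if i.mnem == "call")
    tail_jumps = sum(1 for i in insns
                     if i.mnem == "jmp" and leaves_function(i.target, start, end))
    return calls, tail_jumps

def is_wrapper_call_only(insns):
    """Counts 'call' mnemonics only, like the quoted line (one-call rule assumed)."""
    return sum(1 for i in insns if i.mnem == "call") == 1

def is_wrapper(insns, start, end):
    """Assumed rule: exactly one call and no jmp that leaves the function."""
    calls, tail_jumps = count_transfers(insns, start, end)
    return calls == 1 and tail_jumps == 0

if __name__ == "__main__":
    print("call-only check :", is_wrapper_call_only(LISTING))
    print("with tail jumps :", is_wrapper(LISTING, FUNC_START, FUNC_END))
    print("thin wrapper    :", is_wrapper(THIN, THIN_START, THIN_END))
```

A jmp whose target equals the exclusive end address is counted as leaving the function, which a strict `func_end < target` comparison would not catch if `func_end` is exclusive.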
Comments (4)
reporter -
reporter - edited description
reporter - edited description
repo owner - changed status to resolved
fixed Issue #1 → <<cset 9fac49595a01>>
Sorry, line 362 is the one that needs to be changed, not 354.
if self.ida_proxy.GetMnem(i_ea) == 'call':