1. Daniel Plohmann
  2. simpliFiRE.IDAscope
  3. Issues
Issue #1 resolved

Fix semanticidentifier.py line 354 - Wrapper function

Alexander Hanel
created an issue

if self.ida_proxy.GetMnem(i_ea) == 'call'

The above code only checks for the 'call' string. The function could contain a jmp to sub_func example

.text:00423BBA CryptDestroyKey_0 proc near             ; CODE XREF: sub_42E673+A3p
.text:00423BBA                                         ; sub_42E673+AEp
.text:00423BBA hKey            = dword ptr  4
.text:00423BBA                 push    esi
.text:00423BBB                 mov     esi, ecx
.text:00423BBD                 cmp     dword ptr [esi+0Ch], 0
.text:00423BC1                 jz      short loc_423BCC
.text:00423BC3                 push    dword ptr [esi+0Ch] ; hKey
.text:00423BC6                 call    ds:CryptDestroyKey
.text:00423BCC loc_423BCC:                             ; CODE XREF: CryptDestroyKey_0+7j
.text:00423BCC                 mov     ecx, esi
.text:00423BCE                 pop     esi
.text:00423BCF                 jmp     sub_41479E   <- not a call 
.text:00423BCF CryptDestroyKey_0 endp

FIX - check for instructions that contain jmp and validate the jmp address is in the function block.

adding the following to line 362 fixed it.

                            if self.ida_proxy.GetMnem(i_ea) == 'jmp' and (func_ea > self.ida_proxy.GetOperandValue(i_ea,0) or func_end < self.ida_proxy.GetOperandValue(i_ea,0)):
                                   nr_calls = nr_calls + 2   

Comments (4)

  1. Log in to comment