Open psifertex opened 1 year ago
I also experienced a couple of cases where this particular signature file was being over aggressive.
Also happens frequently with msvcrt_windows-x86_64.sig
. https://dogbolt.org/?id=1701d225-02d4-4210-8f99-9d230c9e0418#Hex-Rays=185&BinaryNinja=54
In this case because of the similarities between c++ vfuncs and constructors they often will match against each other.
Found at least one eggregious function signature in
msvcrt_windows-x86.sig
that will cause it to match any 32bit x86 function with:Here's a screenshot of assembly from a simple hello world app that matches:
Here's the relevant section of the signature library:
We likely need to increase the minimum size function that signatures are attempted to match against and re-generate the libraries. (Because this particular signature contains an epilogue it's likely possible to simply increase the minimum match size but this may have other effects)