Open xusheng6 opened 1 day ago
Another relevant sample: 3b13b6f1d7cd14dc4a097a12e2e505c0a4cff495262261e2bfc991df238b9b04.dll_.zip
The push+ret pattern at 0x10009ce9 causes some issue, but the analysis is eventually able to finish on it (instead of bailing out on a limit), so it should be fine. Also, the analysis took 206 seconds to run, which is not too bad.
Same with this binary: 9b7ccaa2ae6a5b96e3110ebcbc4311f6.dll_.zip
While analyzing 94d3c854aadbcfde46b2f82801015c31.exe_.zip, I observe we bail out on a lot of functions relying on analysis.limits.maxFunctionUpdateCount. A closer look at the code reveals the following pattern at the end of almost all functions:
We actually handle such a case when it occurs on individual functions. However, since every function has it, the analysis falters and does not handle it gracefully. If I force the analysis of the function, the analysis will get into an infinite loop.