keystone-engine / keypatch

Multi-architecture assembler for IDA Pro. Powered by Keystone Engine.
http://www.keystone-engine.org/keypatch
GNU General Public License v2.0

Add SEARCH button to Assembler Form to search for instructions #19

Closed stefanesser closed 7 years ago

stefanesser commented 7 years ago

Adds a SEARCH button with a simple chooser form to search for instructions.

Can be of course beautified and made more IDA search like, but good enough for my purpose at the moment.

aquynh commented 7 years ago

Usually you can just search for an assembly instruction as a string (thus you do not need this plugin). But I understand that you want to find binary code that is either in a non-code segment, or code that lies between consecutive instructions (for example, connecting the previous and next instruction). In which scenario do you want to do this?

stefanesser commented 7 years ago

IDA does not allow you to search for multiple instructions at once like: MOV X0, X1; RET. This search function allows you to search for it.

Also binaries without symbols are not necessarily cleaned up, yet. That means IDA does not necessarily know that some large piece of the binary is code. So it is not possible to search for it. Best example: the iOS kernel with all the kernel extensions at its end. Unless you clean up your IDA database very nicely, a lot of code is not recognized as code.
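The search described in this comment, as an added sketch that is not part of the thread and is not Keypatch's own code: assemble the whole sequence once, then scan raw bytes, so regions IDA never marked as code are covered too. It assumes the Keystone Python bindings and falls back to a hard-coded AArch64 encoding when they are missing; the sample blob, base address and function names are constructed for illustration.

```python
try:
    from keystone import Ks, KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN
except ImportError:  # Keystone bindings not installed
    Ks = None

# Little-endian AArch64 encoding of the sequence, used only as a fallback.
FALLBACK = {"mov x0, x1; ret": bytes.fromhex("e00301aa" "c0035fd6")}


def assemble(asm):
    """Assemble a ';'-separated AArch64 instruction sequence to raw bytes."""
    if Ks is not None:
        encoding, _count = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN).asm(asm)
        return bytes(encoding)
    return FALLBACK[asm.lower()]


def search(blob, pattern, base=0, align=4):
    """Return the address of every occurrence of pattern in blob.

    AArch64 instructions are 4-byte aligned, so unaligned matches are
    coincidental data and are dropped unless align=1 is requested.
    """
    hits, pos = [], blob.find(pattern)
    while pos != -1:
        if (base + pos) % align == 0:
            hits.append(base + pos)
        pos = blob.find(pattern, pos + 1)
    return hits


# Constructed sample: no segment or code/data typing, just bytes.
NOP = bytes.fromhex("1f2003d5")
SEQ = bytes.fromhex("e00301aac0035fd6")
SAMPLE = (
    b"cstring\x00"              # 0x00: data
    + NOP * 2                   # 0x08: code
    + SEQ                       # 0x10: aligned match
    + b"\xff" + SEQ + b"\x00" * 3   # 0x18: same bytes, unaligned (0x19)
    + SEQ                       # 0x24: aligned match
)

if __name__ == "__main__":
    pattern = assemble("mov x0, x1; ret")
    for addr in search(SAMPLE, pattern, base=0x1000):
        print(hex(addr))
```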

aquynh commented 7 years ago

I see, but in this case it is better to have a new dedicated form for this Search button, rather than put it in the same form as the Patch function. Can you make this change?

stefanesser commented 7 years ago

The Search button was added to the "Assembler" Form not the Patch Form. Or what do you mean?

aquynh commented 7 years ago

Right, sorry for the confusion. The Assembler form allows changing the architecture, so it is for a different purpose. That is why I feel that this Search function needs another dedicated form. Thoughts?

aquynh commented 7 years ago

Hmm or we take another approach: renaming this form from "Assembler" to "Search", then done. The function of "Assembler" is just a "side effect" of "Search" form, which can have more usage. Thoughts?

aquynh commented 7 years ago

@redragonvn, what do you think about my comment above on renaming the "Assembler" form?

aquynh commented 7 years ago

Merged with some minor fixes into the new branch "search" at https://github.com/keystone-engine/keypatch/tree/search. Let me know if you have any comments.

aquynh commented 7 years ago

Note that in the "search" branch, I renamed the form "Assembler" to "Search", and also renamed all menus about "Assembler" to "Search".

aquynh commented 7 years ago

I just merged the "search" branch into the "master" branch. Thank you, Stefan: https://github.com/keystone-engine/keypatch/commit/15d3911d90af5569f93e815cef1a144715c27e0e