keystone-engine / keypatch

Multi-architecture assembler for IDA Pro. Powered by Keystone Engine.
http://www.keystone-engine.org/keypatch
GNU General Public License v2.0

Excessive IDA analysis #34

Open n-o-o-n opened 6 years ago

n-o-o-n commented 6 years ago

Function patch() takes a lot of time to analyze code in cases where a function has chunks at addresses lower than its start. I'm talking about this:

        # ask IDA to re-analyze the patched area
        if orig_func_end == idc.BADADDR:
            # only analyze patched bytes, otherwise it would take a lot of time to re-analyze the whole binary
            idaapi.analyze_area(address, address + patched_len + 1)
        else:
            idaapi.analyze_area(address, orig_func_end)
            # try to fix IDA function re-analyze issue after patching
            idaapi.func_setend(address, orig_func_end)

In IDA v7.0 it is apparently enough to do only idaapi.analyze_area(address, address + patched_len + 1).

aquynh commented 6 years ago

Does your technique work for pre-v7?

n-o-o-n commented 6 years ago

I didn't try with pre-v7 versions, sorry.