mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0

ghidra: instruction: nzxor security cookie check is incorrect #2071

Open mike-hunhoff opened 2 months ago

mike-hunhoff commented 2 months ago

https://github.com/mandiant/capa/blob/4b1a5003df926eb790eb14e9a70e68bf93ca1f2a/capa/features/extractors/ghidra/insn.py#L428-L438

This incorrectly checks if the instruction's parent function consists of a single basic block. The intention is to check if the XOR operation is within the first or last basic block of the parent function plus or minus the delta, respectively. See vivisect for example.
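To make the positional rule concrete, here is an added Python model of the check (example code written for this page; it is not capa's Ghidra or vivisect extractor code, and its data classes, the hypothetical function `is_security_cookie_single_block`, the constructed three-block function and the `SECURITY_COOKIE_BYTES_DELTA` window value are all assumptions). It contrasts a decision that depends only on the number of basic blocks with one that looks at where the XOR sits: within the delta of the start of the entry block, or within the delta of the end of a block that returns.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Window, in bytes, measured from the start of the entry block (cookie init)
# and from the end of a returning block (cookie check). The value is an
# assumption of this example, not a constant read from the project.
SECURITY_COOKIE_BYTES_DELTA = 0x40

# a cookie XOR mixes the cookie with the stack or frame pointer
STACK_REGS = {"esp", "ebp", "rsp", "rbp"}


@dataclass
class Insn:
    va: int
    mnemonic: str
    operands: Tuple[str, ...]


@dataclass
class BasicBlock:
    va: int
    size: int
    insns: List[Insn]
    ends_with_ret: bool  # last instruction of the block is a return


@dataclass
class Function:
    va: int                   # entry address
    blocks: List[BasicBlock]  # address order; blocks[0] is the entry block


def is_security_cookie_single_block(f: Function, bb: BasicBlock, insn: Insn) -> bool:
    """Hypothetical stand-in for the behaviour the issue reports: the answer
    depends only on whether the parent function has one basic block, never on
    where the XOR actually sits."""
    return len(f.blocks) == 1


def is_security_cookie(f: Function, bb: BasicBlock, insn: Insn) -> bool:
    """Positional check: a XOR against the stack/frame pointer counts as cookie
    handling only if it is within DELTA bytes of the start of the entry block
    (init, e.g. xor eax, ebp) or within DELTA bytes of the end of a block that
    returns (check before ret)."""
    if insn.mnemonic != "xor":
        return False
    if not any(op in STACK_REGS for op in insn.operands):
        return False
    if bb.va == f.va and insn.va < f.va + SECURITY_COOKIE_BYTES_DELTA:
        return True
    if bb.ends_with_ret and insn.va > bb.va + bb.size - SECURITY_COOKIE_BYTES_DELTA:
        return True
    return False


def nzxor_vas(f: Function, cookie_check=is_security_cookie) -> List[int]:
    """Addresses of XORs that should become an nzxor feature: not the zeroing
    idiom (xor reg, reg) and not security cookie handling."""
    found = []
    for bb in f.blocks:
        for insn in bb.insns:
            if insn.mnemonic != "xor":
                continue
            if len(insn.operands) == 2 and insn.operands[0] == insn.operands[1]:
                continue
            if cookie_check(f, bb, insn):
                continue
            found.append(insn.va)
    return found


def build_sample_function() -> Function:
    """Constructed three-block x86 function (not taken from any real binary):
    prologue with cookie init, a decode loop with a genuine data XOR, and an
    epilogue that re-checks the cookie before returning."""
    entry = BasicBlock(0x401000, 0x20, [
        Insn(0x401000, "push", ("ebp",)),
        Insn(0x401001, "mov", ("ebp", "esp")),
        Insn(0x401003, "mov", ("eax", "[__security_cookie]")),
        Insn(0x401008, "xor", ("eax", "ebp")),       # cookie init
        Insn(0x40100A, "mov", ("[ebp-4]", "eax")),
        Insn(0x40100D, "xor", ("ecx", "ecx")),       # zeroing idiom, never nzxor
        Insn(0x40100F, "jmp", ("0x401020",)),
    ], ends_with_ret=False)
    loop = BasicBlock(0x401020, 0x10, [
        Insn(0x401020, "mov", ("al", "[esi]")),
        Insn(0x401022, "xor", ("al", "0x5a")),       # real data XOR
        Insn(0x401024, "mov", ("[esi]", "al")),
        Insn(0x401026, "inc", ("esi",)),
        Insn(0x401027, "loop", ("0x401020",)),
    ], ends_with_ret=False)
    epilogue = BasicBlock(0x401030, 0x20, [
        Insn(0x401030, "mov", ("ecx", "[ebp-4]")),
        Insn(0x401033, "xor", ("ecx", "ebp")),       # cookie check
        Insn(0x401035, "call", ("__security_check_cookie",)),
        Insn(0x40103A, "mov", ("esp", "ebp")),
        Insn(0x40103C, "pop", ("ebp",)),
        Insn(0x40103D, "ret", ()),
    ], ends_with_ret=True)
    return Function(0x401000, [entry, loop, epilogue])


if __name__ == "__main__":
    f = build_sample_function()
    print("single-block check:", [hex(v) for v in nzxor_vas(f, is_security_cookie_single_block)])
    print("positional check:  ", [hex(v) for v in nzxor_vas(f)])
```

On the constructed function the single-block test never fires (the function has three blocks), so both cookie XORs leak through as nzxor features; the positional test suppresses the init XOR in the entry block and the check XOR in the returning epilogue, and keeps only the data XOR in the loop.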

MYusufY commented 2 months ago

Hi :) I did give it a try, but I'm not sure whether this will work. I will test it soon. Here is my fork if you want to test it :) If it's good, I will PR it :)

mike-hunhoff commented 2 months ago

Hi :) I did give it a try, but I'm not sure whether this will work. I will test it soon. Here is my fork if you want to test it :) If it's good, I will PR it :)

Thanks for reaching out @MYusufY . The changes pushed to your fork do not address the bug I've described above. Please take another look at my initial context, specifically the reference to Vivisect's implementation.