Failed decoding due to max. instruction limit being set too low

Open mr-tz opened this issue 8 years ago • 1 comments

Related to #98. For example 4894...ad9a, VA 0x100114A1 decodes no strings with an instruction limit of 2000, but about 200 strings with a limit of 30000. This sample is decoding a large configuration block containing all those strings. Options are:

  • increase default instruction limit
    • could short circuit decoding candidate if there are no strings found for n (e.g. 5) invocations
  • add --hardcode-scan option to increase instruction size limit
  • provide limit as command line argument --instruction-max or something similar (not very user-friendly)

mr-tz, Apr 30 '16 20:04

> increase default instruction limit

I'm not sure this is the way to go, since some specific sample will always require a higher limit.

> could short circuit decoding candidate if there are no strings found for n (e.g. 5) invocations

this is interesting. might lead to subtle bugs on specific samples due to chance, but could improve performance across everything else.

alternatively, if no strings are found with n=5000, could retry with n += 5000 for a few rounds.

> provide limit as command line argument --instruction-max or something similar (not very user-friendly)

agree that it's not user-friendly, but maybe something good to have for testing/advanced users. would not expect average analysts to use this feature

> add --hardcode-scan option to increase instruction size limit

I like this idea. hardcore-scan is a term that should make sense to lots of people, even if they don't know how the knobs are being tweaked. it also gives us the chance to perhaps increase the function list size, and make other changes.

williballenthin, May 02 '16 16:05
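
The retry idea from the comment above (start at n=5000, add 5000 per round while no strings are found), as an added sketch that is not FLOSS code. The emulator is a toy model: it assumes 4 instructions per decoded byte and that output is only visible when the routine finishes within its budget; all function names and the sample block are constructed for illustration.

```python
import re

KEY = 0x5A
# Constructed sample: 200 NUL-separated config strings, XOR-encoded with KEY.
PLAIN = b"".join(b"opt%03d=value\x00" % i for i in range(200))
SAMPLE = bytes(b ^ KEY for b in PLAIN)


class BudgetExceeded(Exception):
    """Raised when the toy emulator hits its instruction limit."""


def emulate_decoder(blob, key, max_instructions):
    # Toy model (assumption): load, xor, store, branch = 4 instructions per
    # byte; nothing is returned unless the routine completes within budget.
    executed = 0
    out = bytearray()
    for b in blob:
        executed += 4
        if executed > max_instructions:
            raise BudgetExceeded(executed)
        out.append(b ^ key)
    return bytes(out)


def decode_once(blob, key, max_instructions):
    """One decoding attempt with a fixed limit; [] if the limit was hit."""
    try:
        buf = emulate_decoder(blob, key, max_instructions)
    except BudgetExceeded:
        return []
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", buf)]


def decode_with_escalation(blob, key, start=5000, step=5000, rounds=6):
    """Retry with a growing limit; returns (limit used, budget spent, strings)."""
    limit, spent = start, 0
    for _ in range(rounds):
        strings = decode_once(blob, key, limit)
        spent += limit  # worst-case instructions budgeted so far
        if strings:
            return limit, spent, strings
        limit += step
    return None, spent, []


if __name__ == "__main__":
    print(len(decode_once(SAMPLE, KEY, 2000)), len(decode_once(SAMPLE, KEY, 30000)))
    limit, spent, strings = decode_with_escalation(SAMPLE, KEY)
    print(limit, spent, len(strings))
```

In this model the block needs 10400 instructions, so escalation succeeds on the third round at a limit of 15000, having budgeted the same 30000 instructions as a single high-limit run, while candidates that decode within the first limit pay only the first round.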