mandiant / flare-ida

IDA Pro utilities from FLARE team
Apache License 2.0

Possible problem with 64 bit code (find_ref_loc function)? #87

Open govcert-ch opened 4 years ago

govcert-ch commented 4 years ago

I'd also like to create FLIRT libraries for Go code (64 bit) - however, in first tests, only around 30% matched. I'm not sure where the problem exactly is, but it could be here:

    ...
    if isCode(getFlags(ea)):
        for i in zrange(ea, max(ea, 1 + get_item_end(ea) - config.pointer_size)):
            if get_long(i) == ref:
                return i

That code should find outgoing data or code references so they can be excluded from CRC32 checksums and signature, and assumes these to be 32- or 64-bit values depending on architecture, not really sure about it... but it seems to fail with 64-bit instructions like

48 8B 05 F6 FF A3 00                    mov     rax, cs:main_something

as this is a 32-bit relative offset (0xa3fff6) in 64 bit code. Actually I think all references in 64 bit code are 32 bit relative... In these cases, nothing is put into variable_bytes and the offset is added to crc32, which it probably should not - if I understand the code correctly.

Another small thing I find odd is

    # this will be either " :%04d %s" or " :%08d %s"
    public_format = " :%%0%dX %%s" % (config.pointer_size)

Shouldn't this be config.pointer_size*2 as each character only covers one nibble, so each byte requires 2 characters? Or is this a specific feature of Ida that these values only cover half the bitsize?
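To make the failure mode in the first point concrete, here is an added stand-alone example (not code from flare-ida, and it does not use the IDA API): it mirrors the absolute pointer-sized scan quoted above against the `mov rax, cs:main_something` instruction, then adds a RIP-relative check that treats a signed 32-bit displacement relative to the next instruction as the reference, and masks only those 4 bytes in the .pat-style byte string. The address `EA` and the helper names are constructed for the example.

```python
import struct

# Constructed example: the 7-byte instruction from the issue placed at a
# hypothetical address EA. The displacement is RIP-relative, so the target
# is computed from the address of the *next* instruction (EA + 7).
EA = 0x401000
INSN = bytes.fromhex("488B05F6FFA300")  # mov rax, cs:main_something
REF = EA + len(INSN) + 0x00A3FFF6       # address of main_something


def find_ref_loc_absolute(ea, insn, ref, pointer_size):
    """Mirror of the scan quoted in the issue: look for an absolute,
    pointer-sized value equal to ref inside the instruction bytes."""
    end = ea + len(insn)
    fmt = "<Q" if pointer_size == 8 else "<I"
    for i in range(ea, max(ea, 1 + end - pointer_size)):
        off = i - ea
        if struct.unpack(fmt, insn[off:off + pointer_size])[0] == ref:
            return i
    return None  # not found: nothing would be marked as variable


def find_ref_loc_rip_relative(ea, insn, ref):
    """Extra check for x86-64: a signed 32-bit displacement that, added to
    the address of the next instruction, yields ref."""
    end = ea + len(insn)
    for i in range(ea, max(ea, 1 + end - 4)):
        off = i - ea
        disp = struct.unpack("<i", insn[off:off + 4])[0]
        if end + disp == ref:
            return i
    return None


def pattern_bytes(insn, var_off, var_len):
    """Render the instruction as a .pat-style hex string, masking var_len
    bytes starting at var_off with '..' (the variable-byte marker)."""
    return "".join(
        ".." if var_off <= idx < var_off + var_len else "%02X" % b
        for idx, b in enumerate(insn)
    )


if __name__ == "__main__":
    print("absolute scan (8-byte):", find_ref_loc_absolute(EA, INSN, REF, 8))
    loc = find_ref_loc_rip_relative(EA, INSN, REF)
    print("rip-relative scan:", hex(loc) if loc else None)
    print("masked pattern:", pattern_bytes(INSN, loc - EA, 4))
```

With an 8-byte pointer size the absolute scan never even enters the loop on a 7-byte instruction, so the displacement bytes end up in the CRC; the RIP-relative check finds them at offset 3 and the pattern becomes `488B05........`.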