funcap
IDA Pro script to add some useful runtime info to static analysis
d.hookSeg() will not finish, and the running Python script window won't go away until pressing cancel. IDA Pro 7.7
Can funcap be run in macOS? I tried to use funcap in macOS; I tried to use IDA to reverse an iOS app, but something went wrong. Below is the info: ``` /Applications/IDA...
It would be very cool to have also the comment of the trace in the decompiled pseudocode.
Now to support `thiscall` conventions (ECX register) you should modify the configuration:

```python
self.CMT_CALL_CTX = [re.compile('^arg'), re.compile('^ECX')]
self.CMT_RET_CTX = [re.compile('^EAX')]
self.CMT_RET_SAVED_CTX = [re.compile('^arg'), re.compile('^ECX')]
```

But then it's shown...
Some database interface for collected data + UI plugin in IDA, so that right-clicking on a function call in IDA will show the table with links to different...
Re-implementation of funcap as a pintool. This poses some challenges, but I think it is worth the effort, especially for things like obfuscated code where standard debugger breakpoints mess up...
AMD64 stack-based arguments are not always well captured. To reproduce: try the 64-bit version of java.exe v1.6.0; we get a too-large stack frame.
Better call and ret association: build a call tree for each thread instead of the current stack-pointer-based hashing (this turns out not to be reliable).
Single-step and continue requests are sometimes lost (tried on 32-bit java.exe v1.6.0; confirmed and logged with Hex-Rays), and sometimes, on the other hand, we get a lot of...
Instead of the simple arg frame size calculation (get_num_args_stack()) and argument primitive type guessing (only string and int), we could read function prototypes guessed by IDA, or even the Hex-Rays decompiler...