binaryninja-ebpf

Stack spill heuristic

Open riptl opened this issue 3 years ago • 0 comments

When function arg count exceeds 5, then r5 becomes some weird call args pointer to the stack. If callee does indirect addressing on r5, there's a decent chance that these are function args.

riptl, Aug 26 '22 18:08
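
A minimal sketch of the heuristic this issue describes, added here as an example (it is not code from binaryninja-ebpf): it decodes raw eBPF instructions and reports the loads a callee makes through r5 before r5 is overwritten. The function names, the choice to scan only the entry basic block, and the sample bytes are assumptions made for illustration.

```python
import struct

SIZES = {0x00: 4, 0x08: 2, 0x10: 1, 0x18: 8}  # BPF_W, BPF_H, BPF_B, BPF_DW

def ins(opcode, dst=0, src=0, off=0, imm=0):
    """Encode one 8-byte eBPF instruction slot (little-endian)."""
    return struct.pack("<BBhi", opcode, (src << 4) | dst, off, imm)

def decode(code):
    """Yield (opcode, dst, src, off) for each instruction in raw eBPF bytes."""
    pc = 0
    while pc + 8 <= len(code):
        opcode, regs, off, _imm = struct.unpack_from("<BBhi", code, pc)
        yield opcode, regs & 0x0F, regs >> 4, off
        pc += 16 if opcode == 0x18 else 8  # lddw occupies two slots

def r5_stack_arg_candidates(code):
    """Hypothetical heuristic: memory loads through r5 while it still holds
    the value passed in by the caller. Returns sorted [(offset, size)]."""
    found = set()
    for opcode, dst, src, off in decode(code):
        cls = opcode & 0x07
        if cls in (0x05, 0x06):
            break  # JMP/JMP32: a branch, call or exit ends the entry block
        if cls == 0x01 and (opcode & 0xE0) == 0x60 and src == 5:
            found.add((off, SIZES[opcode & 0x18]))  # LDX MEM via r5
        if cls in (0x00, 0x01, 0x04, 0x07) and dst == 5:
            break  # LD/LDX/ALU/ALU64 wrote r5: no longer the incoming pointer
    return sorted(found)

# Constructed sample callee (not taken from a real program):
SAMPLE = b"".join([
    ins(0x79, dst=6, src=5, off=-8),    # ldxdw r6, [r5-8]
    ins(0x61, dst=7, src=5, off=-16),   # ldxw  r7, [r5-16]
    ins(0xB7, dst=5, imm=0),            # mov64 r5, 0   (r5 redefined)
    ins(0x79, dst=8, src=5, off=-24),   # ldxdw r8, [r5-24]  (ignored)
    ins(0x95),                          # exit
])

if __name__ == "__main__":
    for off, size in r5_stack_arg_candidates(SAMPLE):
        print(f"candidate stack arg: [r5{off:+d}] size {size}")
```

Each reported offset is only a candidate extra argument; a callee that never dereferences r5 yields an empty list.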