Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent irreversible effects when recognizing structures #22

Open
4 tasks
Albeoris opened this issue Sep 28, 2018 · 2 comments
Open
4 tasks

Prevent irreversible effects when recognizing structures #22

Albeoris opened this issue Sep 28, 2018 · 2 comments
Labels
enhancement help wanted

Comments

@Albeoris
Copy link

  • Validate changes
    When resolving the fields, some of them may be disabled. As a result of such actions, an appeal to gaps will be formed. This should not be. It is necessary to warn about incorrect struct.

  • Preview and select changes
    The finalization of the structure applies it to all known dependencies, which can lead to problems in case of incorrect recognition or incorrect selection of a variable. It is necessary to display a list of changes, and to allow the user to uncheck a part of them if he wants to limit the changes to one area.

  • Continuation of the analysis of the existing structure.
    Often the analysis of the structure is incomplete. Even a deep scan cannot detect all fields. When this happens, it is necessary to continue the analysis, modify the existing fields or update a new one.

  • Undo changes
    If everything went wrong, it must be able to undo maden changes by pressing Ctrl+Z.

I hope some of these ideas seem interesting to you. While recognition of structures is not easy to use, but argument's name inference is already worth a lot. Thank you!
@igogo-x86
Copy link
Owner

  1. Not sure I've understood problem. Could you specify?
  2. Agreed. I considered making special window with list of scanned functions and variables. With options to remove or disable some scans.
  3. I think Create New Field feature is a cheap way to do same. When you see gaps you can create new fields very fast and they will be included in field cross-references. Anyways i don't see why you proposal shouldn't be implemented (with enough amount of time)
  4. Tell that to authors of IDA )) I'm not sure if it's possible to restore something after applying new type, so usually make snapshots of database more often when recover very big structures.

@Albeoris
Copy link
Author

About 1/3, I have three unrelated functions. Each of them uses the same structure.

  • But the first function uses fields 0x00 Int32 and 0x02 Int16.
  • The second uses fields 0x00 Int16 and 0x04 Int32.
  • The third uses fields 0x08 Int32 and 0x0C char[128];

The current functionality doesn't allow to recognize all the fields of the structure, since each analyze does not expand, but replaces the structure.

If I try to do this, the already recognized fields will be changed, and the code that used them will now refer to the gaps. It's very easily to lost information about structures.

@igogo-x86 igogo-x86 mentioned this issue Jul 14, 2019
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Albeoris @igogo-x86