Hello,
I'm curious if you'd be interested in making your tooling compatible with Ghidra's built-in instruction pattern search syntax, i.e.:
[01001...] 89 5c [..100100] 08 [01001...] 89 6c [..100100] 18 [01001...] 89 74 [..100100] 20 57 [01000...] 54 [01000...] 55 [01000...] 56 [01000...] 57 [01001...] 83 ec 70 [01001...] 8b [11......] [01000...] 32 [11......] [01001...] 8b [00...101] [........] [........] [........] [........] [01001...] 85 [11......] 74 [........] [01000...] 8b [10......] [........] [........] [........] [........]
with full bytes in hex, binary bits within [ and ], and . as single-bit wildcards... I'm not entirely sure why, but Ghidra seems to love to mask a lot of the instructions to a 5-bit wildcarded byte.
The original unmasked byte sequence for this was:
48 89 5c 24 08 48 89 6c 24 18 48 89 74 24 20 57 41 54 41 55 41 56 41 57 48 83 ec 70 48 8b e9 45 32 e4 48 8b 15 cf 11 f2 01 48 85 d2 74 2d 44 8b 89 a8 00 00 00
I was thinking about trying to add this in myself, but the newer C++ syntax is a bit out of my skill level at this point. Ghidra's instruction pattern search editor makes it very easy to find a good signature that matches well IMO.
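
The syntax described in the post (full bytes in hex, bracketed 8-bit strings, `.` as a single-bit wildcard) reduces to one value/mask pair per byte. The following is an added example, not code from the post or from the project; the names `MaskedByte`, `parse_token`, `parse_pattern` and `find_pattern` are hypothetical.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// One pattern position: a byte b matches when (b & mask) == value.
struct MaskedByte { uint8_t value; uint8_t mask; };

// Parse "5c" (full hex byte) or "[01001...]" (8 bits, '.' = wildcard bit).
std::optional<MaskedByte> parse_token(const std::string& t) {
    if (t.size() == 10 && t.front() == '[' && t.back() == ']') {
        unsigned value = 0, mask = 0;
        for (size_t i = 1; i <= 8; ++i) {
            if (t[i] != '0' && t[i] != '1' && t[i] != '.') return std::nullopt;
            value = (value << 1) | (t[i] == '1');  // wildcard bits stay 0 in value
            mask = (mask << 1) | (t[i] != '.');    // fixed bits are 1 in mask
        }
        return MaskedByte{uint8_t(value), uint8_t(mask)};
    }
    if (t.size() != 2 || !std::isxdigit((unsigned char)t[0]) ||
        !std::isxdigit((unsigned char)t[1])) return std::nullopt;
    return MaskedByte{uint8_t(std::stoul(t, nullptr, 16)), 0xFF};
}

// Split on whitespace; reject the whole pattern if any token is malformed.
std::optional<std::vector<MaskedByte>> parse_pattern(const std::string& text) {
    std::vector<MaskedByte> out;
    std::istringstream in(text);
    for (std::string tok; in >> tok;) {
        auto m = parse_token(tok);
        if (!m) return std::nullopt;
        out.push_back(*m);
    }
    if (out.empty()) return std::nullopt;
    return out;
}

// Offset of the first match of pat in data, or nullopt when there is none.
std::optional<size_t> find_pattern(const std::vector<uint8_t>& data,
                                   const std::vector<MaskedByte>& pat) {
    for (size_t off = 0; !pat.empty() && off + pat.size() <= data.size(); ++off) {
        size_t i = 0;
        while (i < pat.size() && (data[off + i] & pat[i].mask) == pat[i].value) ++i;
        if (i == pat.size()) return off;
    }
    return std::nullopt;
}
```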