- Joined
- Jan 8, 2019
- Messages
- 56,608
- Solutions
- 2
- Reputation
- 32
- Reaction score
- 100,454
- Points
- 2,313
- Credits
- 32,600
6 Years of Service
76%
FindFunc is an IDA PRO plugin to find code functions that contain a certain assembly or byte pattern, reference a certain name or string, or conform to various other constraints. This is not a competitor to tools like Diaphora or BinNavi, but it is ideal to find a known function in a new binary for cases where classical bindiffing fails.
Filtering with Rules
The main functionality of FindFunc is letting the user specify a set of “Rules” or constraints that a code function in IDA PRO has to satisfy. FF will then find and list all functions that satisfy ALL rules (so currently all Rules are in an AND-conjunction). Exception: Rules can be “inverted” to be negative matches. Such rules thus conform to “AND NOT”.
FF will schedule the rules in a smart order to minimize processing time. Feature overview:
Currently, 6 Rules are available, see below
Code matching respects Addressing-Size-Prefix and Operand-Size-Prefix
Aware of function chunks
Smart scheduling of rules for performance
Saving/Loading rules from/to file in simple ascii format
Several independent Tabs for experimentation
Copying rules between Tabs via clipboard (same format as a file format)
Advanced copying of instruction bytes (all, opcodes only, all except immediate)
Button “Search Functions” clears existing results and starts a fresh search, “Refine Results” considers only results of the previous search.
Advanced Binary Copying
A secondary feature of FF is the option to copy binary representation of instructions with the following options:
copy all -> copy all bytes to the clipboard
copy without immediate -> blank out (AA ?? BB) any immediate values in the instruction bytes
opcode only -> will blank out everything except the actual opcode(s) of the instruction (and prefixes)