cutter/docs/source/user-docs/preferences/analysis.rst

100 lines
3.9 KiB
ReStructuredText

Analysis Options
================
Cutter will use the underlying Rizin analysis options to analyze a binary. These options are usually
configured when the binary is first loaded. However, they can be later changed using the Analysis
dialog, and a new analysis that takes these options into account can then be performed.
Analysis Dialog
---------------
.. image:: ../../images/analysis_dialog.png
:alt: Analysis dialog
**Description:** The Analysis dialog allows setting some Rizin's analysis options. The supported options are described
below.
Clicking on the "Analyze Program" button will trigger an analysis of the current binary with Rizin's ``aaa``
command, taking into account the configured values of the analysis options.
**Steps to open:** ``Edit -> Preferences -> Analysis``
Search boundaries for analysis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Select the boundaries in which the analyis will be performed. The different options are:
- All executable maps (``io.maps.x``)
- All maps (``io.maps``)
- Current map (``io.map``)
- Raw (``raw``)
- Current mapped section (``bin.section``)
- All mapped sections (``bin.sections``)
**Configuration variable:** ``analysis.in``
Speculatively set a name for the functions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Try to name functions without symbols by using artifacts in the functions such as API calls and strings.
**Configuration variable:** ``analysis.autoname``
Search for new functions following already defined functions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cutter will check if there is a candidate for a new function following an already defined one, as the compiler usually
state them together. This option is taking the advantages of both Recursive Analysis and Linear Sweep into some kind of a hybrid mode. For each discovered function, the analysis will try to check for a function-prologue, usually following a gap of null bytes or ``cc`` bytes. This will help with discovering functions which are not referenced in the program. As such, it will make the analysis slower and prone to false-positives.
**Configuration variable:** ``analysis.hasnext``
Create references for unconditional jumps
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When encountering unconditional jumps during the analysis, Cutter will add a code-reference even if it is not guaranteed
that the jump will take place.
**Configuration variable:** ``analysis.jmp.ref``
Analyze jump tables in switch statements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When encountering switch statements during analysis, continue and analyze the target blocks of the jump tables.
**Configuration variable:** ``analysis.jmp.tbl``
Analyze ``push`` + ``ret`` as ``jmp``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When performing analysis of a function, treat the sequence of ``push`` followed by ``ret`` instruction as a ``jmp``.
This can help Cutter to continue the analysis to target of the ``jmp``.
**Configuration variable:** ``analysis.pushret``
Show verbose information when performing analysis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When enabled, Cutter will print warnings it encountered while preforming analysis. These warnings can help the user
understand if anything went wrong in the analysis. This function is not only helpful when trying to perform a full
analysis of the program, but also when trying to analyze and define new functions.
**Configuration variable:** ``analysis.verbose``
Verbose output from type analysis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Print warnings encountered while preforming type analysis. These warnings can help the user understand if anything went
wrong in the analysis.
**Configuration variable:** ``analysis.types.verbose``
Pointer depth
~~~~~~~~~~~~~
The maximum number of nested pointers to follow in analysis.
**Configuration variable:** ``analysis.ptrdepth``
Functions prelude
~~~~~~~
Hex value that represents certain opcodes that will be used to identify functions.
**Configuration variable:** ``analysis.prelude``