Snowman should use a more sophisticated disassembly technique than linear about snowman HOT 9 OPEN

I agree. I would try something like:

1. Scan through the executable section, try to disassemble N instructions in a row (you can also use various hints, e.g., symbols and the executable's entry point, for the starting points).
2. If disassembly succeeds, run recursive traversal from the address of the first instruction.

The traversal I have already implemented once, although never got to actually using it: 7f1e836. The traversal constructs control-flow graph on the fly and uses DataflowAnalyzer to perform abstract interpretation, so, it should be able to tell you the jump destinations, in particular, switches from/to THUMB mode.

One can take the above code as a starting point and do some experiments with it.

from snowman.

IDA already knows the ranges of addresses belonging to a function. Not sure, although, if it includes data into these ranges. If it does not, the IDA plug-in should not have problems with interpreting data as code. If it does, maybe we need to find where the instructions exactly are (IDA has getFlags() function for this), and update IdaFrontend::functionAddresses() to report only ranges of addresses containing executable code.

But this does not dismiss the need in a better discovery of the code.

from snowman.

Well couldnt this already piggyback on IDA? However a purely free ARM decompiler is welcomed.

from snowman.

seems to suffer quite a bit from confusing code

Can you provide an example?

from snowman.

are you speaking about stuff like ROP gadget ?

from snowman.

Related: #14 (comment)

from snowman.

Related: #51

from snowman.

Moreover #59 is an actual way to achieve this.

from snowman.

No, it's not.

from snowman.