Skip to main content

Overview

While xAnalyzer is a powerful analysis tool, there are some known limitations due to the complexity of static code analysis and x86/x64 instruction patterns. This page documents these limitations to help you understand the plugin’s behavior.

Function Analysis Limitations

First Undefined Call in Functions

The first undefined call with generic arguments in a function will not be processed unless it’s preceded by a jump.
There’s no reliable way to determine how many arguments an undefined function uses without illegally analyzing the function prolog instructions. As a result:
  • Documented calls at the beginning of a function will be processed correctly
  • Undefined functions preceded by a jump will be processed
  • First undefined call at function start (without preceding jump) will be skipped
Example: 
; This undefined call at function start won't be analyzed
func_start:
  call unknown_function  ; SKIPPED
  
; But this one after a jump will be
jump_target:
  call unknown_function  ; PROCESSED
```asm

### Function Boundary Detection

<Note>
  Loop detection only works within function boundaries, defined by function prologs and RET instructions.
</Note>

If a function contains a RET instruction in the middle of its code:
- It will be detected as a function end
- The loops stack is cleared at that point
- Analysis may be incomplete for code after the mid-function RET

## Instruction Pattern Limitations

### Arguments Among Jumps

Some uncommon functions have arguments distributed across jump instructions. According to xAnalyzer's design:

- **Jump instructions clear the argument stack**
- Functions with arguments split by jumps won't be processed correctly
- This is by design to maintain analysis accuracy

**Example:**
```asm
push arg1
jnz skip_label      ; Jump clears the stack tracking
push arg2          ; This argument won't be associated
skip_label:
call some_function  ; May have incomplete argument detection
```asm

## Nested Call Constraints

<Warning>
  Nested function calls have specific requirements to work correctly.
</Warning>

Nested calls will only work correctly when:

1. **Inner call is defined** in API definition files, OR
2. **Inner undefined call** takes no more stack arguments than the arguments needed by the outer call

Otherwise, argument tracking may become inaccurate.

**Example:**
```asm
; This works - inner call is defined
push arg1
push arg2
push [result of: call DefinedFunction]  ; Inner call
call OuterFunction

; This may fail - inner undefined call with unknown args
push arg1
push [result of: call UnknownFunction]  ; Unpredictable
call OuterFunction
```asm

## Loop Detection Issues

### Non-Conditional Jumps

<Note>
  Incorrect loop detection may occur for code sections with non-conditional jumps inside them.
</Note>

For more details, see [GitHub Issue #7](https://github.com/ThunderCls/xAnalyzer/issues/7).

## File Name Restrictions

### Multiple Dots in Executable Name

Analysis could fail if the executable being debugged has multiple dots in its name.

**Examples:**
- `myapp.v2.0.exe` - May cause issues
- `my.program.debug.exe` - May cause issues  
- `myapp.exe` - Works correctly
- `myapp_v2_0.exe` - Works correctly

**Workaround**: Rename executables to use underscores or remove extra dots before the file extension.

## x64dbg Integration Limitations

### Nested Argument Display

<Note>
  xAnalyzer has support for nested arguments, but x64dbg currently doesn't display them properly.
</Note>

This is a limitation of the x64dbg interface, not xAnalyzer itself. Nested argument information is generated but may not render as expected in the disassembly view.

## Extended Analysis Considerations

<Warning>
  Extended Analysis mode can consume significant system resources.
</Warning>

When Extended Analysis is enabled:

- **Analysis time**: May take considerably longer to complete
- **Memory usage**: Large amounts of RAM may be consumed by x64dbg
- **Impact factors**: Depends on code section size and the amount of data being analyzed

**Recommendation**: Only enable Extended Analysis when necessary, and ensure your system has adequate resources.

## API Definition Coverage

While xAnalyzer includes definitions for over 13,000 API functions from nearly 200 DLLs:

- Some APIs may still be missing
- New APIs in recent Windows versions may not be defined
- Custom or third-party DLL functions won't be defined

**Solution**: You can extend the API definition files yourself. See [API Definition Files](/api-definitions/overview) for details.

## Working Within Limitations

Understanding these limitations helps you:

<CardGroup cols={2}>
  <Card title="Set Expectations" icon="bullseye">
    Know when analysis might be incomplete
  </Card>
  
  <Card title="Choose Right Tools" icon="toolbox">
    Select appropriate analysis modes for your needs
  </Card>
  
  <Card title="Interpret Results" icon="magnifying-glass-chart">
    Better understand the analysis output
  </Card>
  
  <Card title="Contribute Fixes" icon="code-pull-request">
    Help improve xAnalyzer by addressing these issues
  </Card>
</CardGroup>

## Future Improvements

Some limitations may be addressed in future versions. Check the [GitHub repository](https://github.com/ThunderCls/xAnalyzer) for ongoing development and planned features.

Build docs developers (and LLMs) love

Get started for freeTalk to us