Description
What is the feature you'd like to have?
In shellcode, a position independent base address is stored in a global register using a call to the next instruction address and then the next instruction being a pop to the global register. This is handled very well by Binary Ninja now. Here is an exampe of that:
Here is the feature request: in a similarly artful handling of that pattern, this sneaky call which in effect pushes the next "instruction" address to the stack whereas that next instruction is really a null terminated string. The distance in the call instruction is really the length of the string with trailing null byte. The result is the pointer to the string is now on the stack and becomes an input parameter for a subsequent call. Here is an example of this technique:
The area highlighted in red is really NTDLL. And the ff at 027a0152 is the start of the opcode for the call to GetProcAddress.
Is your feature request related to a problem?
The call at 027a0148 could be handled in the same way as the pattern that sets the global register above with the name of the "function" being $+11 in this case. The string would then, at least in the linear view be shown as a data symbol. Then everything looks much better.
Are any alternative solutions acceptable?
As @psifertex pointed out to me in Slack, the first call can be replaced with a jump, and it all falls in place. But this changes the bytes from their original.
Additional Information:
Here is another example of this where it makes the disassembly borken:
The call at 027a0179 should be $+20, the string NtQueryVirtualMemory should be a data symbol char string. Also, in this screenshot, there is the start of a trampoline function at 027a019c that is being misinterpreted as being part of the earlier function.