Flag: Tornado! Hurricane!

Blogs >> RolfRolles's Blog

Created: Thursday, June 7 2007 19:59.35 CDT  
Printer Friendly ...
IDA's .IDS Files Part II
Author: RolfRolles # Views: 9062

While reverse engineering a SymbianOS worm last February, I noticed that IDA wouldn't convert some by-ordinal imports from SymbianOS DLLs into their real names:


.idata:00405678 ;
.idata:00405678 ; Imports from PBKENG[101f4cce].DLL
.idata:00405678 ;
.idata:00405678   IMPORT __imp_PBKENG_18  ; DATA XREF: .text:off_404568
.idata:0040567C   IMPORT __imp_PBKENG_21  ; DATA XREF: .text:off_4045A8
.idata:00405680   IMPORT __imp_PBKENG_43  ; DATA XREF: .text:off_404518
.idata:00405684   IMPORT __imp_PBKENG_72  ; DATA XREF: .text:off_404588
.idata:00405688   IMPORT __imp_PBKENG_73  ; DATA XREF: .text:off_404578
.idata:0040568C   IMPORT __imp_PBKENG_101 ; DATA XREF: .text:off_404528
.idata:00405690   IMPORT __imp_PBKENG_110 ; DATA XREF: .text:off_404538
.idata:00405694   IMPORT __imp_PBKENG_173 ; DATA XREF: .text:off_404508
.idata:00405698   IMPORT __imp_PBKENG_180 ; DATA XREF: .text:off_404548
.idata:0040569C   IMPORT __imp_PBKENG_185 ; DATA XREF: .text:off_404558
.idata:004056A0   IMPORT __imp_PBKENG_254 ; DATA XREF: .text:off_404598


I installed the SymbianOS SDK and then came up with a convoluted series of scripts wrapped around the GNU tool suite that would extract the function names and their ordinals from the relevant .LIB, and then create an IDC script that would rename any import-by-ordinal to its real name.  A friend chuckled at this Rube Goldberg-esque contraption and suggested that I use the IDSUTIL package instead.

It couldn't be easier:  just type "ar2idt pbkeng.lib && zipids pbkeng.idt" to produce an .IDS file for the pbkeng.lib static library.  Now inside of IDA, go to File->Load File->IDS File, and select the .IDS file that was created.  Alternatively, you can put this in the %IDA%\ids\epoc6\arm directory to have IDA load it automatically (after a restart).  Here are the results of applying it:


.idata:00405678 ;
.idata:00405678 ; Imports from PBKENG[101f4cce].DLL
.idata:00405678 ;
.idata:00405678 ; CPbkContactItem::CardFields(void)const
.idata:00405678   IMPORT CardFields__C15CPbkContactItem
.idata:00405678                           ; DATA XREF: .text:off_404568
.idata:0040567C ; CPbkContactEngine::CloseContactL(long)
.idata:0040567C   IMPORT CloseContactL__17CPbkContactEnginel
.idata:0040567C                           ; DATA XREF: .text:off_4045A8
.idata:00405680 ; CPbkContactEngine::CreateContactIteratorLC(int)
.idata:00405680   IMPORT CreateContactIteratorLC__17CPbkContactEnginei
.idata:00405680                           ; DATA XREF: .text:off_404518
.idata:00405684 ; CPbkFieldInfo::FieldId(void)const
.idata:00405684   IMPORT FieldId__C13CPbkFieldInfo
.idata:00405684                           ; DATA XREF: .text:off_404588


To address the specific problem that's been coming up lately, let's see how to convert the MFC .DEF file into an .IDS file.  First, here's a snippet from the .DEF file:


; This is a part of the Microsoft Foundation Classes C++ library.
; Copyright (C) 1992-1998 Microsoft Corporation
; All rights reserved.

LIBRARY MFC42

EXPORTS
DllGetClassObject @ 1 PRIVATE
DllCanUnloadNow @ 2 PRIVATE
DllRegisterServer @ 3 PRIVATE
DllUnregisterServer @ 4 PRIVATE
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B @ 5 DATA
?classCDataPathProperty@CDataPathProperty@@2UCRuntimeClass@@B @ 6 DATA
; MFC 4.2(final release)
??0_AFX_CHECKLIST_STATE@@QAE@XZ @ 256 NONAME


We can see that lines starting with a ";" are comments, any line containing the string " @ " is an actual export declaration, and everything else is part of the DEF file structure.  We only want the export declarations.  Let's run a quick sed/awk script on the .DEF file:

sed -e '/^ *;/d' MFC42.def | sed -n -e '/ @ /p' | gawk '{ print $3 " Name="$1 }' > MFC42.idt && zipids MFC42.idt

The first part of that command erases any comment-lines (those that begin with any number of spaces and then a semi-colon); the second part accepts any line that contains the string " @ "; and the third part converts the results into the .IDT file format.

To complete the job, we need to manually add a line that says "0 Name=MFC42.dll" to the top of the file.  Also, be sure to name the .IDT file the same as the DLL/LIB base name, e.g. mfc42.idt.  As before, we then run zipids on it to produce an .IDS file, which can be loaded into IDA and/or put into the %IDA%\ids directory to have it loaded automatically when appropriate.

Before applying the .IDS file:

.idata:4BB710DC   extrn __imp_MFC42_6467:dword ; DATA XREF: MFC42_6467

Afterwards:

.idata:4BB710DC ; public: __thiscall AFX_MAINTAIN_STATE2::AFX_MAINTAIN_STATE2(class AFX_MODULE_STATE *)
.idata:4BB710DC   extrn ??0AFX_MAINTAIN_STATE2@@QAE@PAVAFX_MODULE_STATE@@@Z:dword


Blog Comments
dennis Posted: Friday, June 8 2007 06:48.58 CDT
Rolf, as I know how ugly Symbian reversing is, with all its events and OOP @@##!!# code, I thought I'd share the following article with you ;-)

http://arteam.accessroot.com/tutorials.html?fid=194

RolfRolles Posted: Friday, June 8 2007 13:17.04 CDT
Dennis,

That's a nice and thorough article.  It could have saved me a lot of time if it had been written back when I started Symbian reversing.  It lacks information about C++ reversing though; my target (which I was tasked with decompiling into source) made heavy use of multiple inheritance, mixins, etc. which were mostly undocumented from a reversing perspective.

SuperIrishDonkey Posted: Wednesday, July 18 2007 01:47.05 CDT
Hello, Rolf, When I want to create ids file with "ar2idt ***.lib && zipids ***.idt", It always said that ***.idt cannot be found, could you tell me what happend?

RolfRolles Posted: Tuesday, July 24 2007 18:04.52 CDT
The "&&" tells the command-line interpreter to execute the commands sequentially.  So if ar2idt fails to produce an .IDT file for whatever reason, the whole command will fail.  You can verify this by running the commands separately, e.g. 'ar2idt blah.lib' followed by 'zipids blah.idt' -- does ar2idt produce an error message?

If ar2idt can't handle your .lib file for whatever reason (unsupported library format perhaps?), give Ilfak's efd utility a try.



Add New Comment
Comment:









There are 31,021 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit