Topic created on: August 25, 2012 16:06 CDT by pdrimel .

Hi All,

I have a pretty dummy question. I would like to update IDA DB change for instance a call eax to a deobfuscated library function that are dynamically loaded through LoadLibrary/GetProcAddress.

Example:
.text:10021C18                 push    0
.text:10021C1A                 push    0
.text:10021C1C                 push    0
.text:10021C1E                 push    2
.text:10021C20                 push    0
.text:10021C22                 push    ebp
.text:10021C23                 push    offset aDsfbufgjmfnbqq ; CreateFileMappingA
.text:10021C28                 call    f_deobfuscate
.text:10021C2D                 add     esp, 4
.text:10021C30                 call    eax <- This is the one to replace

I would like to replace the call eax with the relevant CreateFileMappingA, then IDA would automatically (since it has FLIRT related to CreateFileMappingA) comments related to the function parameters.

I googled about it, read about FLIRT and did not find a solution even though I thought would be common to people doing it however I'm not sure if that is possible.

Any suggestions?

TIA.

Pedro.