Flag: Tornado! Hurricane!

 Forums >>  IDA Pro  >>  Update DB with deobfuscated library function

Topic created on: August 25, 2012 16:06 CDT by pdrimel .

Hi All,

I have a pretty dummy question. I would like to update IDA DB change for instance a call eax to a deobfuscated library function that are dynamically loaded through LoadLibrary/GetProcAddress.

Example:
.text:10021C18                 push    0
.text:10021C1A                 push    0
.text:10021C1C                 push    0
.text:10021C1E                 push    2
.text:10021C20                 push    0
.text:10021C22                 push    ebp
.text:10021C23                 push    offset aDsfbufgjmfnbqq ; CreateFileMappingA
.text:10021C28                 call    f_deobfuscate
.text:10021C2D                 add     esp, 4
.text:10021C30                 call    eax <- This is the one to replace

I would like to replace the call eax with the relevant CreateFileMappingA, then IDA would automatically (since it has FLIRT related to CreateFileMappingA) comments related to the function parameters.

I googled about it, read about FLIRT and did not find a solution even though I thought would be common to people doing it however I'm not sure if that is possible.

Any suggestions?

TIA.

Pedro.

  julyDragon919     September 3, 2012 12:01.23 CDT
I am a newbie, either. But i will tell you as much as I know!
Probably you noticed that you can see your idb file in Hex-dump mode.
So view your file in hex-dump mode and go to 10021C30, the address where you want to give a change to that call function.
I dont remember the exact opcode of call function.
But when you go to that address, you will see both opcodes of call function and eax register. Now what you must do is to change the opcode of eax to the function you want.
That function must be placed somewhere in your idata section.
In my opinion, you can solve the problem if you replace that opcode of eax to the function address.
That is all i can say. As i said first, i am a NEWBIE!
So ...........
Anyway i wish that my answer to be of help to you even a
little!

  RolfRolles     September 11, 2012 19:56.07 CDT
JulyDragon919 is correct in that you can position your cursor over the 'call eax' and press alt-F11, then enter the address of the called function (assuming that the function is imported by the program and hence has an IAT entry; if this is not the case, you could manually add the imports by adding the relevant IMAGE_IMPORT_DESCRIPTOR structures).  But I think that in this scenario, once again assuming that all functions called through such obfuscated stubs are properly imported, a better strategy might be to NOP out

call f_deobfuscate
add esp, 4
call eax

And replace it with a direct call to the import, e.g., FF 15 [import address] 90 90 90 90.  This way the disassembly listing is less polluted, and if you happen to have Hex-Rays, the decompilation will be much nicer.

Note: Registration is required to post to the forums.

There are 31,040 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit