📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

IDA Pro forum: IDA Datas, hit me baby one more time.

Topic created on: September 7, 2006 09:30 CDT by Piotr.

Hi all,

Consider the following disassembly:

.text:01002108 off_1002108     dd offset loc_1001EA8   ; DATA XREF: wnd_Proc+3A8r
.text:01002108                 dd offset loc_1001F05   ; jump table for switch statement
.text:01002108                 dd offset loc_1001F0D

And the following plugin code:

#include <ida.hpp>
#include <idp.hpp>
#include <bytes.hpp>
#include <kernwin.hpp>

/* let's say I'm trying to reach the next dword value, 4 bytes past off_1002108 */
static void dump_entry_flags(void)
{
  flags_t flags = getFlags(0x1002108 + 4);

  msg("\nFLAGS ARE: %.08x\n", flags);
  msg("AFTER D_TYPE: %.08x\n", (flags & DT_TYPE));

  if (isUnknown(flags))
    msg("IS UNKNOWN\n");
  if (hasRef(flags))
    msg("HAS REF\n");
  if (hasValue(flags))
    msg("HAS VALUE\n");
  if (isHead(flags))
    msg("IS HEAD\n");
  if (isOff0(flags))
    msg("IS OFF\n");
}

And here's my output:

- FLAGS ARE: 00400305
- AFTER D_TYPE: 00000000
- HAS VALUE

Well, shortly, it's not what I need. I thought it should mark the following value as: is offset (OFF), HEAD, and in fact hasRef would also be nice.

Is there any way to check if the dword value is an offset to a subroutine? And I don't mean here any "tricks" like getbytes and then using IsCode bla bla. I want to keep the code very clear and documented; that should help to protect from getting false positives.

thanks!

  PSUJobu     September 10, 2006 22:36.43 CDT
> Piotr:
> (snip...)
> Well, shortly, it's not what I need. I thought it should mark the following value as: is offset (OFF), HEAD, and in fact hasRef would also be nice.

The jump table is an array, so the first word is the place to look for HEAD and OFF.  You can pull the array size (to get the case count) and offset info from that address and apply it to the other words.  Because the entire jump table is an array with common parameters, only the first address is a HEAD.  All other elements are tail bytes, which means that internally they have no netnodes (and therefore no flags, cross-refs, etc.).  Each case target would be:

target = get_long(tableBase + (n * 4)) + caseOffset;


> Is there any way to check if the dword value is an offset to a subroutine? And I don't mean here any "tricks" like getbytes and then using IsCode bla bla. I want to keep the code very clear and documented; that should help to protect from getting false positives.

Given my recent experience with enhancing a processor module so it creates switch statements (and predecessor IDC scripts that found and "fixed" switch statements to make a good graph view), I can give you this hint:  I believe (not confirmed) that the jump / branch instruction of the switch (the last instruction of that basic block) has code cross-refs to all of the cases.  That is probably what you're looking for, based on your question...

  Piotr     September 11, 2006 07:08.02 CDT
Hi,

the target = get_long(tableBase + (n * 4)) + caseOffset; thing is almost the same as the getbytes method, if not the same.

I've implemented this method (get_long()); the XREFS method you mention also seems nice, but I believe there are cases when this method can fail, so I have added a range checker (if the *(DWORD*) from the switch statement points somewhere inside the mapped area, I consider this area as "good"). It seems that it works OK.

Anyway, much thanks for replying :)

best regards,
pb

  PSUJobu     September 11, 2006 09:10.02 CDT
> Piotr: Hi,
>
> the target = get_long(tableBase + (n * 4)) + caseOffset; thing is almost the same as the getbytes method, if not the same.

Absolutely.  I was just clarifying my statement about the first offset having all the useful info.

> I've implemented this method (get_long()); the XREFS method you mention also seems nice, but I believe there are cases when this method can fail, so I have added a range checker (if the *(DWORD*) from the switch statement points somewhere inside the mapped area, I consider this area as "good"). It seems that it works OK.

For the record, the range-checking is also something I used for a plugin that added an is_switch() function to one of IDA's closed source processor modules.  Before this, I used an IDC script to add cross-refs from the branch / jump instruction to each of the cases.  The graph view displays two branches as red/green and three or more branches as a switch statement.  That is why I believed that the cross-refs approach would work.  So far I have only tried to 'fix' switch statements, though, not the reverse.

> Anyway, much thanks for replying :)

No problem.
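Added example, not code from the thread or from the IDA SDK: a self-contained model of why Piotr's query at off_1002108+4 returned a tail byte (PSUJobu's point that only the first dword of the array is a head and carries the OFF type, size and xref), together with the range check Piotr added in his reply. The flag bit values (MS_CLS, FF_TAIL, FF_IVL, FF_REF, MS_0TYPE, FF_0OFF, DT_TYPE, FF_DWRD) follow the pre-7.0 bytes.hpp layout as I recall it, which is an assumption; the 0x00400000 bit visible in Piotr's output is not modelled. getFlags, get_item_head, get_item_size, get_long and the predicates are small re-implementations named after the SDK functions of that era, operating on a constructed 12-byte image of the three jump-table entries, so it runs without IDA.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstddef>

typedef uint32_t flags_t;
typedef uint32_t ea_t;

// Flag bits (pre-7.0 bytes.hpp layout; assumed values)
const flags_t MS_VAL   = 0x000000FF; // the byte value itself
const flags_t FF_IVL   = 0x00000100; // byte has a value
const flags_t MS_CLS   = 0x00000600; // item class mask
const flags_t FF_CODE  = 0x00000600; // head of an instruction
const flags_t FF_DATA  = 0x00000400; // head of a data item
const flags_t FF_TAIL  = 0x00000200; // continuation byte of an item
const flags_t FF_REF   = 0x00001000; // something references this byte
const flags_t MS_0TYPE = 0x00F00000; // representation of the first operand
const flags_t FF_0OFF  = 0x00500000; //   ... shown as an offset
const flags_t DT_TYPE  = 0xF0000000; // data type of a data head
const flags_t FF_DWRD  = 0x20000000; //   ... dword

// Constructed image of the table from the disassembly: three little-endian dwords
const ea_t TABLE_BASE = 0x1002108;
const size_t TABLE_BYTES = 12;
const uint8_t image[TABLE_BYTES] = {
  0xA8, 0x1E, 0x00, 0x01,   // loc_1001EA8
  0x05, 0x1F, 0x00, 0x01,   // loc_1001F05
  0x0D, 0x1F, 0x00, 0x01 }; // loc_1001F0D

// Model of the kernel's per-byte flags: the class, type, operand representation
// and xref bits live on the head byte only; every later byte of the array item
// is FF_TAIL and carries nothing but its value.
flags_t getFlags(ea_t ea)
{
  if (ea < TABLE_BASE || ea >= TABLE_BASE + TABLE_BYTES)
    return 0;                                   // outside the modelled region
  size_t i = ea - TABLE_BASE;
  flags_t f = FF_IVL | image[i];
  if (i == 0)
    f |= FF_DATA | FF_DWRD | FF_0OFF | FF_REF;  // the head, off_1002108
  else
    f |= FF_TAIL;
  return f;
}

// Predicates with the old SDK names used in the thread
bool isData(flags_t f)   { return (f & MS_CLS) == FF_DATA; }
bool isTail(flags_t f)   { return (f & MS_CLS) == FF_TAIL; }
bool isHead(flags_t f)   { return (f & MS_CLS) == FF_CODE || isData(f); }
bool hasRef(flags_t f)   { return (f & FF_REF) != 0; }
bool hasValue(flags_t f) { return (f & FF_IVL) != 0; }
bool isOff0(flags_t f)   { return (f & MS_0TYPE) == FF_0OFF; }

// Walk back over tail bytes to the head that owns ea
ea_t get_item_head(ea_t ea)
{
  while (isTail(getFlags(ea)))
    ea--;
  return ea;
}

// Size in bytes of the item starting at head (head byte plus its tails)
size_t get_item_size(ea_t head)
{
  size_t n = 1;
  while (isTail(getFlags(head + n)))
    n++;
  return n;
}

// Little-endian dword assembled from the value bits of four consecutive bytes
uint32_t get_long(ea_t ea)
{
  uint32_t v = 0;
  for (int i = 3; i >= 0; i--)
    v = (v << 8) | (getFlags(ea + i) & MS_VAL);
  return v;
}

// Piotr's question: is the dword at ea an element of a dword offset array whose
// target lies inside [lo, hi)? The type lives on the head, so check it there,
// then apply the range check to the element's own value.
bool isSubroutineOffsetEntry(ea_t ea, ea_t lo, ea_t hi)
{
  ea_t head = get_item_head(ea);
  flags_t hf = getFlags(head);
  if (!isData(hf) || (hf & DT_TYPE) != FF_DWRD || !isOff0(hf))
    return false;                               // not a dword offset array
  if ((ea - head) % 4 != 0 || ea + 4 > head + get_item_size(head))
    return false;                               // not on an element boundary
  uint32_t target = get_long(ea);
  return target >= lo && target < hi;           // the mapped-area check
}

// Case count of the table, taken from the head's size as PSUJobu suggests
size_t caseCount(ea_t ea)
{
  return get_item_size(get_item_head(ea)) / 4;
}

int main()
{
  ea_t ea = TABLE_BASE + 4;                     // the address Piotr queried
  flags_t f = getFlags(ea);
  printf("FLAGS ARE: %.08x  (DT_TYPE -> %.08x)\n", f, f & DT_TYPE);
  printf("tail=%d head=%d ref=%d value=%d off=%d\n",
         isTail(f), isHead(f), hasRef(f), hasValue(f), isOff0(f));
  printf("item head %08x, %u cases, entry -> %08x, in range: %d\n",
         get_item_head(ea), (unsigned)caseCount(ea), get_long(ea),
         isSubroutineOffsetEntry(ea, 0x1001000, 0x1003000));
  return 0;
}
```

Querying the tail at +4 reproduces the thread's observation (DT_TYPE masks to zero, HAS VALUE is the only predicate that fires); the same checks against the head returned by get_item_head give OFF, HEAD and REF, and the element count falls out of the head's item size. In a real plugin the same shape applies with the SDK's own getFlags, get_item_head, get_item_size and get_long, and the [lo, hi) bounds would come from the segment table rather than constants.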
