OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

IDA Pro forum: IDA Final Pass Fixers? Need to Make One?

Topic created on: June 16, 2007 16:28 CDT by Sirmabus.

If you use IDA a lot you must know that while it is fantastic, it still misses or incorrectly parses some code after its final pass.  It can be much worse on some executables than others.

I normally do a fix manually (for 32-bit flat mode Windows executables).

If you don't know, you can start at the top of the ".text" segments and text search down for every " dd ".
You will hit most of the badly resolved sections.
Here you can press 'C', 'P' and sometimes 'D'.
If you want to be more complete, you can start over again searching for " db ".  That should catch any remaining stray code spots.

Normally it's quick work, maybe 30 minutes or so.
But try it on a 10 MB (100 MB+ IDA DB) executable with around 50k functions, a big percentage disconnected in vtables and callbacks, and it gets a bit overwhelming (literally takes 3 or 4 hours to fix!).

Anyone know of some helper scripts or a plug-in to do some of this?
If not, I'll start a little OpenRCE project for it here. Hopefully these tasks could be at least partially automated. A lot of the mixed-up/bad code sections have patterns to them, like the NOP or INT3 alignment padding bytes. And/or there are a lot of patterns to the stack frames.
Maybe examining the distance from one function to the next in code space...

  TQN     June 18, 2007 06:49.55 CDT
http://www.sharemation.com/servil/idaplugs/.
A lot of great plugins, written by Servil.

  Sirmabus     June 18, 2007 17:43.45 CDT
Thanks, I'll check it out.

So far I've made a little plug-in. It just finds functions that haven't been "function'ised" by IDA. It's working great. It found 10K missing functions in a huge 10 MB Win32 EXE.  But it's just a first step: a percentage of the functions are broken-up switch statement code, and it doesn't try to fix the messed-up data blocks. But off to a good start..

  dennis     June 19, 2007 02:06.22 CDT
Hi Sirmabus,

in case you need any code to wait for IDA's analysis to finish:


#include <ida.hpp>
#include <idp.hpp>
#include <loader.hpp>
#include <kernwin.hpp>

// UI notification hook. Every UI event passes through here; the only one
// of interest is ui_setstate, which reports kernel state transitions.
// (term(), run() and the plugin_t PLUGIN descriptor are not shown here.)
static int idaapi ui_callback(void *, int event_id, va_list va)
{
    // ui_msg events (including the msg() call below) never match
    // ui_setstate, so the hook cannot recurse on its own output.
    if ( event_id == ui_setstate )
    {
        idastate_t state = va_argi(va, int);
        if ( state == st_Ready )        // autoanalysis queue is empty
        {
            unhook_from_notification_point( HT_UI, ui_callback, NULL );
            msg("autoanalysis finished.\n");
        }
    }
    return 0;
}

int idaapi init(void)
{
    if ( ph.id != PLFM_386 )            // x86 databases only
        return PLUGIN_SKIP;

    // Register the hook; the callback unhooks itself once the kernel is idle.
    hook_to_notification_point(HT_UI, ui_callback, NULL);
    return PLUGIN_KEEP;
}


I recently had to use similar code, maybe you could make use of it as well.

  Sirmabus     June 19, 2007 02:46.33 CDT
What about "autoWait()"? Does it do something different?

  Sirmabus     June 19, 2007 03:13.28 CDT
Here's an odd one...

When I find a block of data that looks like code I first make the whole block undefined/unknown via "do_unknown_range()" (same as marking something and pressing 'U' manually).

Then I can analyze the bytes in my own code, etc.
All working as expected so far..

Now when I go to make all or part of the undefined bytes back to code, I get different results depending on the SDK function. I've been back and forth through the SDK and tried the most obvious support for it.

If I do it manually by pressing 'C' it works the best!

analyze_area() -- Usually reverts back to the same mixed-up data. This makes sense because it's on "auto".
auto_mark_range(,,AU_CODE); -- Sort of works, but not as good as pressing 'C'.
ua_code() -- Like analyze_area()

None are working as well as pressing 'C' manually.

Also while "add_func(CodeStartEA, BADADDR)" works pretty well, it appears the 'P' key behavior is also different.

What is the right way from the SDK to convert undefined bytes to code?

  dennis     June 19, 2007 03:14.01 CDT
Yes, I guess autoWait() should work too. The reason I used callbacks was that I needed to call my plugin from the command line. Don't know the behavior of autoWait() if used from the command line, but honestly, I totally forgot about the existence of autoWait().

  dennis     June 19, 2007 03:36.37 CDT
> Sirmabus: Here's an odd one...
> If I do it manually by pressing 'C' it works the best!
>
> analyze_area() -- Usually reverts back to the same mixed-up data. This makes sense because it's on "auto".
> auto_mark_range(,,AU_CODE); -- Sort of works, but not as good as pressing 'C'.
> ua_code() -- Like analyze_area()

Have you tried auto_make_code() etc. from auto.hpp? Maybe you need to delete flags for specific bytes (which might have been previously set by IDA's auto analysis) before declaring the sequence of bytes as code?
Better ask for support on the Datarescue board.

  Sirmabus     August 1, 2007 01:34.51 CDT
Here's my 2nd attempt at it:
EDIT: See below

Goes through and tries to make code of all the odd DWORD and BYTES it can find.  Simple but working pretty well..

  dianaming     September 10, 2007 21:26.02 CDT
I have the same question as you.
I want to turn data to code in the result of IDA 5.0. This is the way I use it in my plugin:
ea=0x705310c4; (just used for example, this address holds data)
auto_make_code(ea);
It just does not work, but if I press "c" at 0x705310c4, it works well.
Have you solved this problem? How do I use this function?
Thank you!
PS: Can I get the source code of your plugin IDA_ExtraPass_PlugIn.plw? Is it developed under IDA 5.0?

  fileoffset     September 11, 2007 22:23.25 CDT
I know it's really stupid but for that to work, you need to make the bytes unknown first, otherwise if it's already defined as another type it will fail.

This is a stupid way to do things but AFAIK it's necessary (there should really be a flag passed to each 'make'/'do' function that specifies whether it overwrites).

The function names are (I think) do_unknown() and do_unknown_range or something like that; check bytes.hpp.

  Sirmabus     September 13, 2007 04:05.46 CDT
That's right, you need to make it "unknown" first.

I think I did release the source in the old version, but to make a long story short, I had a release and an R&D version.
I need to update the "release", cleaned up from the R&D version, again.

Here is what I currently do:

autoWait();                                            // let any pending autoanalysis finish first
do_unknown(uStartAddress, FALSE);                      // same as marking the start and pressing 'U'
auto_mark_range(uStartAddress, uEndAddress, AU_UNK);   // queue the whole range to be re-analyzed as unknown


then follow that with:


autoWait();                // wait until the AU_UNK pass above has been processed
ua_code(uStartAddress);    // then ask the kernel to decode instructions from the start address


To try to make it code.

Note the autoWait()'s in there to keep things synchronous. I'm sure it slows the processing down, but there are problems without it.

There are still some problems and oddness.
Pressing 'C' from IDA seems to do a better job.
I even played around sending IDA 'C' key presses for a while..

Some odd things (that is quite understandable) like trying to convert exception frames into code. They have no stack frame, and return, etc., so IDA often gets confused by them apparently.
You can mark this section unknown and try converting it to code, but often only part of it will.  You can see this if you try these manually, some times it takes a few steps to make clean code.

Again not knocking IDA. These problems are understandable.

My thoughts: maybe they will add something to IDA's already excellent analyzer. I think along the lines of some type of pattern matcher, using a neural net or some other trainable mechanism, so that when there is a doubt about some bytes it could get a better idea if it's either code or data.
I was thinking of adding this to my tool. Like if you see what appear to be stack frame bytes, followed by a "retn", etc., it's safer to assume it's code.

Some other ideas for more clean up:
1. I just noticed Hard Wisdom's old "NOP" to "align" script.
   Maybe I'll add a NOP fixer as another pass.

2. There is some problem propagating from one function to the next if you change/fix some in between. To get around this I could do a pass populating a table first. Then I could bring missing function fixer back.
Anyone know a way to "reset" an IDA DB to fix these kinds of issues without reloading it?

P.S. This plug-in can cause havoc on compiled Delphi code. The compiler mixes a lot of code and data.
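The two heuristics Sirmabus describes in this post (NOP/INT3 padding that should become align directives, and a stack frame followed by a retn being a safe sign of code) prototyped as a standalone scan over a constructed x86-32 .text blob. This is an added example, not code from the thread or from the ExtraPass plug-in; it works on raw bytes rather than through the IDA SDK, and PAD_BYTES, PROLOGUES, ALIGN, the two functions and the sample bytes are all assumptions of the example.

```python
"""Byte-pattern heuristics for an IDA 'extra pass': find alignment padding and
likely function starts in a raw 32-bit x86 .text blob (MSVC-style layout)."""

PAD_BYTES = {0x90, 0xCC}                  # NOP / INT3 filler IDA tends to leave as db
PROLOGUES = (b"\x8b\xff\x55\x8b\xec",     # mov edi,edi; push ebp; mov ebp,esp (hotpatch)
             b"\x55\x8b\xec")             # push ebp; mov ebp,esp
ALIGN = 16                                # compilers pad function starts to 16 bytes


def find_align_runs(blob: bytes, base: int, min_len: int = 2):
    """Return ("align", ea, length) for each NOP/INT3 run ending on an ALIGN boundary."""
    out, i = [], 0
    while i < len(blob):
        if blob[i] not in PAD_BYTES:
            i += 1
            continue
        j = i
        while j < len(blob) and blob[j] in PAD_BYTES:
            j += 1
        if j - i >= min_len and (base + j) % ALIGN == 0:
            out.append(("align", base + i, j - i))
        i = j
    return out


def find_function_candidates(blob: bytes, base: int, window: int = 64):
    """Return ("func", ea, length) where a prologue sits on a boundary (blob start,
    after padding, or ALIGN-aligned) and a retn follows within `window` bytes: the
    thread's rule of thumb for bytes that are safe to make code. Byte-wise, so heuristic."""
    out, off = [], 0
    while off < len(blob):
        on_boundary = off == 0 or blob[off - 1] in PAD_BYTES or (base + off) % ALIGN == 0
        if not on_boundary or not any(blob.startswith(p, off) for p in PROLOGUES):
            off += 1
            continue
        tail = blob[off:off + window]
        ret = next(((k, 1 if b == 0xC3 else 3) for k, b in enumerate(tail)
                    if b in (0xC3, 0xC2)), None)   # retn is 1 byte, retn imm16 is 3
        if ret is None:
            off += 1
            continue
        out.append(("func", base + off, ret[0] + ret[1]))
        off += ret[0] + ret[1]    # skip the body so an inner prologue is not re-matched
    return out


# Constructed sample: two tiny functions, each padded to 16 bytes, then two data pointers.
SAMPLE = (b"\x55\x8b\xec\x8b\x45\x08\x03\x45\x0c\x5d\xc3" + b"\xcc" * 5
          + b"\x8b\xff\x55\x8b\xec\x33\xc0\x5d\xc2\x08\x00" + b"\x90" * 5
          + b"\x00\x10\x40\x00\x10\x10\x40\x00")
BASE = 0x401000
```

On the sample, the two padding runs land at 0x40100B and 0x40101B and the two function candidates at 0x401000 and 0x401010, while the trailing pointer data is left alone; the inner `push ebp; mov ebp, esp` of the hotpatch prologue is not reported twice.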

  Sirmabus     November 26, 2007 03:34.06 CST
I updated my "ExtraPass" plugin for IDA Pro.
Now it finds align blocks, missing functions, plus it has a UI to control its operation.
And source included again.

My blog entry for it

