📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.








IDA Pro forum: Convert Address to Code from Plugin

Topic created on: October 30, 2007 11:10 CDT by bodzcount .

Hi,

How can I do that? I found plugin functions for checking the flag but none for setting it :(

  bodzcount     October 30, 2007 11:15.32 CDT
The function in IDC script is MakeCode(ea); can I call this from a plugin too somehow?

I can find only the getFlags(ea_t ea) function...

  PSUJobu     October 30, 2007 11:38.08 CDT
I believe the equivalent function from a plugin is ua_code() - see ua.hpp. IIRC, you may need to call autoWait() afterwards if you need to wait for the resultant automated analysis.

  bodzcount     October 30, 2007 12:06.50 CDT
Thanks, that works!

  bodzcount     October 30, 2007 12:39.56 CDT
There is still one problem. When there is already an instruction at, e.g., eip+1, the plugin doesn't convert the bytes at eip to code (if the new instruction size is bigger than 1). Does anybody know how to fix this?

A workaround would be to set everything at eip + instruction size to data and then eip back to code. But I think this is a little bit gay (and slow during tracing).

  cseagle     October 30, 2007 17:05.57 CDT
> bodzcount: There is still one problem. When there is already an instruction at, e.g., eip+1, the plugin doesn't convert the bytes at eip to code (if the new instruction size is bigger than 1). Does anybody know how to fix this?
>
> A workaround would be to set everything at eip + instruction size to data and then eip back to code. But I think this is a little bit gay (and slow during tracing).

I currently use auto_make_code in x86emu. Generally IDA won't undefine things automatically, which is why you have a problem if the thing at eip+1 is already code and the thing at eip is a multi-byte instruction.

Your workaround would be something like:
int len = ua_ana0(eip);                                    // analyse only: returns the instruction length, changes no flags
do_unknown_range(eip, len, DOUNK_EXPAND | DOUNK_DELNAMES); // undefine those bytes and any items overlapping them
ua_code(eip);                                              // the bytes are now free to become an instruction

Chris

  bodzcount     October 31, 2007 08:12.10 CDT
I don't know what you mean by "auto_make_code", maybe I have an old version of x86emu???

I have this function now, which gets executed every time after executeInstruction():

#include <ida.hpp>
#include <idp.hpp>
#include <bytes.hpp>     // getFlags, isCode, isHead, do_unknown_range
#include <ua.hpp>        // ua_ana0, ua_code
#include <kernwin.hpp>   // msg

// cpu, convertToCode and checkInstructionOverwrite are x86emu globals.
void checkIdaAssemblyWindowForCode(void)
{
    flags_t flags = getFlags(cpu.eip);
    if (convertToCode && !isCode(flags))
    {
        msg("Converting address %08x to code\n", cpu.eip);
        // Analyse only (no flags are changed) to learn the instruction length.
        // Must not be static: the length has to be recomputed for every address.
        int len = ua_ana0(cpu.eip);

        if (checkInstructionOverwrite)
        {
            // Report any existing item whose head lies inside the new instruction;
            // do_unknown_range() below will destroy it.
            for (int n = 1; n < len; n++)
            {
                flags = getFlags(cpu.eip + n);
                if (isHead(flags))
                {
                    msg("Overwriting item at %08x\n", cpu.eip + n);
                    break;
                }
            }
        }
        // Undefine the bytes (and whole items overlapping them), then make code.
        do_unknown_range(cpu.eip, len, DOUNK_EXPAND | DOUNK_DELNAMES);
        ua_code(cpu.eip);
    }
}

Is it possible to synchronize our x86emu code somehow? (I don't want to merge my code into every new x86emu update)

regards!

  bodzcount     October 31, 2007 17:21.25 CDT
Ah sorry, I have found your codeCheck routine. I missed it because you don't execute it for every instruction while running. Do you have a reason for that?
I am not sure if your routine works that way, because if you have an unknown byte at eip and, e.g., data at eip+1, auto_make_code will fail to convert eip to code.

  cseagle     November 1, 2007 22:10.29 CDT
At the moment I only check when control returns to the user because I did not want to slow things down to a crawl by checking at the beginning of every instruction. It could be an on/off option. The only check I make at the moment is whether the item at eip is already defined or not, and if it is I undefine it.
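To make the failure mode discussed above concrete, here is a small Python model of IDA's per-byte head/tail item flags. It is added here as an illustration and is a constructed simulation, not the IDA SDK or x86emu code: make_code mimics ua_code()'s refusal to overwrite already-defined bytes, undefine_range mimics do_unknown_range() with DOUNK_EXPAND (whole overlapping items are removed), and convert_to_code is Chris's measure, undefine, then make-code sequence, which also reports the items it destroys (the check bodzcount's loop performs). The opcode-length table and sample bytes are constructed.

```python
# Constructed model of IDA's per-byte item flags; not the IDA SDK or x86emu code.
UNKNOWN, CODE_HEAD, DATA_HEAD, TAIL = "unknown", "code_head", "data_head", "tail"
# Assumed instruction lengths by first opcode byte (a tiny fixed-size x86 subset).
OPCODE_LEN = {0x90: 1, 0xCC: 1, 0xC3: 1, 0x33: 2, 0xB8: 5, 0xE8: 5}

class Segment:
    def __init__(self, base, data):
        self.base, self.data = base, bytes(data)
        self.flags = [UNKNOWN] * len(data)      # one flag per byte, like flags_t
        self.sizes = {}                         # item head ea -> item size

    def get_flag(self, ea):                     # stands in for getFlags(ea)
        return self.flags[ea - self.base]

    def insn_len(self, ea):                     # stands in for ua_ana0(): length only
        return OPCODE_LEN.get(self.data[ea - self.base], 0)

    def head_of(self, ea):                      # walk back over tail bytes to the item head
        while self.get_flag(ea) == TAIL:
            ea -= 1
        return ea

    def _define(self, ea, size, head_flag):
        i = ea - self.base
        self.flags[i:i + size] = [head_flag] + [TAIL] * (size - 1)
        self.sizes[ea] = size

    def make_data(self, ea, size=1):            # e.g. an earlier analysis pass made a byte here
        self._define(ea, size, DATA_HEAD)

    def make_code(self, ea):                    # ua_code(): refuses if any byte is already defined
        n, i = self.insn_len(ea), ea - self.base
        if n == 0 or any(f != UNKNOWN for f in self.flags[i:i + n]):
            return 0
        self._define(ea, n, CODE_HEAD)
        return n

    def undefine_range(self, ea, size):         # do_unknown_range with DOUNK_EXPAND: whole items go
        for a in range(ea, ea + size):
            if self.get_flag(a) != UNKNOWN:
                h = self.head_of(a)
                sz = self.sizes.pop(h)
                self.flags[h - self.base:h - self.base + sz] = [UNKNOWN] * sz

def convert_to_code(seg, ea):
    """Chris's workaround: measure, undefine exactly that range, then make code.
    Returns (new length, heads of the items that were destroyed)."""
    n = seg.insn_len(ea)
    victims = {seg.head_of(a) for a in range(ea, ea + n) if seg.get_flag(a) != UNKNOWN}
    seg.undefine_range(ea, n)
    return seg.make_code(ea), sorted(victims - {ea})
```

The first scenario is bodzcount's case (a defined byte at eip+1 blocks a 5-byte instruction at eip); the second shows DOUNK_EXPAND removing a whole earlier instruction whose tail byte is now being made a head.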
