📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









 Forums >>  IDA Pro  >>  2 Questions

Topic created on: January 10, 2008 07:17 CST by luckiejacky.

Q1: *(DWORD *) dword1234+v10
Is this an array like dword1234[v10];
or
Is this an offset of a structure like
struct dword1234
{
   ...
   DWORD v10;
};

Q2: If I only have partial source code in a project, how do I just add that limited source code to IDA?
Thanks
Jack

  RolfRolles     January 10, 2008 07:21.48 CST
#1:  It could be either an array, or a structure that begins with an array.  Look for more context, but apply Occam's razor:  if you can't find evidence that it's a structure, assume it's an array.

EDIT:  Looks like I read the question too quickly.  v10 is not the name of one of the structure members; it's (presumably) an integer that describes how far to displace into that global variable (which as mentioned above could be either an array or a structure).

#2:  I don't believe you can "add" source code at all to IDA, apart from its C header parsing functionality which can automatically create structures and enumerations for you.  That functionality is accessible via File->Load File->Parse C Header File.  If anybody knows differently, please do speak up.
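
The ambiguity discussed in answer #1, as an added C example that is not part of the original thread: the same displaced DWORD read returns the same value whether the global is a plain array or a structure that begins with an array. All names and data values here (as_array, as_struct, member_at and so on) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t DWORD;

/* Constructed sample data. Reading A: the global is a plain DWORD array. */
static const DWORD as_array[8] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Reading B: the global is a structure that begins with an array. */
struct as_struct {
    DWORD slots[4];  /* a variable index lands here while v10 < 4 */
    DWORD flags;     /* reached when v10 == 4 */
    DWORD limit;     /* reached when v10 == 5 */
    DWORD spare[2];
};
static const struct as_struct as_struct_g = {{10, 11, 12, 13}, 14, 15, {16, 17}};

/* Decompiler form *((DWORD *)base + v10): v10 counts DWORDs, so the
   byte displacement is v10 * sizeof(DWORD). memcpy keeps the read
   well defined in C whichever type the bytes really have. */
DWORD read_scaled(const void *base, size_t v10) {
    DWORD out;
    memcpy(&out, (const unsigned char *)base + v10 * sizeof(DWORD), sizeof out);
    return out;
}

/* Decompiler form *(DWORD *)((char *)base + v10): v10 counts bytes. */
DWORD read_bytes(const void *base, size_t v10) {
    DWORD out;
    memcpy(&out, (const unsigned char *)base + v10, sizeof out);
    return out;
}

/* Map a byte displacement onto reading B, as you would when checking
   whether constant offsets seen elsewhere line up with named members. */
const char *member_at(size_t off) {
    if (off < offsetof(struct as_struct, flags)) return "slots[]";
    if (off < offsetof(struct as_struct, limit)) return "flags";
    if (off < offsetof(struct as_struct, spare)) return "limit";
    return off < sizeof(struct as_struct) ? "spare[]" : "(outside)";
}
```

Both readings give identical results for every index, which is why the surrounding code (constant offsets that hit named members, loop bounds on v10) is the evidence that decides between them.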

  aeppert     January 10, 2008 08:14.22 CST
Rolf did a great job of addressing #1.  But to take it one step further Occam's razor pretty much applies to everything in RE :)

As for #2, you cannot in any way do this unless you add it in via comments to the assembly code.  Your best bet is to utilize the source code you do have to label functions, arguments, and perhaps globals appropriately.  Basically, it will give you some structure to understand what is going on, but you will have to do battle with the compiler's optimization engine a bit as, you should know, source to assembly is absolutely not 1:1.

  PSUJobu     January 11, 2008 07:28.51 CST
FWIW, it is often interesting to match source to source with Hex-Rays (e.g., finding customizations to the Linux kernel given the bzImage and the stock kernel from kernel.org). Hex-Rays does a heck of a job!  Can't wait to see PPC and ARM support.  ;-)

  x0rr0x   May 8, 2008 03:18.29 CDT
Does anyone have a set of header files for the Windows SDK that actually works for IDA (5.2)?
I tried the official one but there are too many things IDA can't handle and the one from devcpp is without names, only arg types...

Thanks in advance!

  memo5     May 8, 2008 17:47.07 CDT
I think that I know what you are talking about x0rr0x, IDA header import functionality is too simple, so you have to do some manual job to make it work.
1) IDA can't ignore the inline functions, function implementation, nor macros that use inline code, so you must comment all of this stuff.
2) IDA can't deal with forward declarations of data type so you must find a way to move some data type declarations before others if it is possible.
3) If the header file includes other header file(s) IDA can't parse those files unless you manage to move them to the same DIR of your target database file.
4) Sometimes you need to make a header file and include it in every header file, in this file you must add some declarations to emulate some preprocessor and compiler directives.

  cseagle     May 9, 2008 00:22.57 CDT
> memo5:
> 3) If the header file includes other header file(s) IDA can't parse those files unless you manage to move them to the same DIR of your target database file.

Please see the Options>Compiler dialog and the associated "Include directories" setting, it may help.

> 4) Sometimes you need to make a header file and include it in every header file, in this file you must add some declarations to emulate some preprocessor and compiler directives.

Please see the Options>Compiler dialog and the associated "Predefined macros" setting, it may help.

Chris

  memo5     May 9, 2008 10:51.04 CDT
OK Chris, forgive my ignorance.
And thank you for the corrections.
