
Topic created on: April 20, 2008 06:20 CDT by tagetora .

Okay, let's say we have an exe with a large .text section (0x00400000 to 0x00750000), and it has a lot of unicode strings.

I noticed that using the default options in IDA Pro, the IDA kernel tends to interpret the unicode strings as offsets to code. I mean, if we have the "hello" unicode little endian string (68 00 65 00 6c 00 6c 00 6f 00), the kernel will see it as an offset to 0x00650068, then another offset to 0x006c006c, and so... of course all offsets pointed to code at .text so I understand why the IDA kernel is doing this way. The question is, is there any way to tell the kernel that unicode strings have priority over offsets?

The exe I was analyzing had about 80% of the unicode strings as offsets (wow). I was in a hurry so I solved it using a semi-intelligent buggy-script, but now I'm curious about what would be the right way ;D
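
The ambiguity described above can be reproduced outside IDA. The following is an added example, not code from this thread or from IDA: plain Python (no IDAPython) that first mimics the kernel heuristic the poster describes (any dword whose value lands inside the .text range is a candidate offset) and then gives UTF-16LE strings priority, so a candidate offset whose bytes belong to a recognised string run is discarded. The sample bytes, the .text range 0x00400000-0x00750000, the dword-aligned scan and the ASCII-only string detector are all simplifications assumed for the example.

```python
import struct

# Constructed sample: the UTF-16LE string "hello" with its NUL terminator,
# followed by one genuine pointer into .text. Not taken from the thread's binary.
TEXT_START = 0x00400000
TEXT_END = 0x00750000
SAMPLE = "hello".encode("utf-16-le") + b"\x00\x00" + struct.pack("<I", 0x00401000)


def dwords_in_range(data, lo, hi):
    """Mimic the kernel heuristic the thread describes: every aligned dword
    whose value lands inside [lo, hi) is reported as a candidate offset."""
    hits = []
    for off in range(0, len(data) - 3, 4):
        val = struct.unpack_from("<I", data, off)[0]
        if lo <= val < hi:
            hits.append((off, val))
    return hits


def find_utf16le_strings(data, min_chars=4):
    """Find runs of printable ASCII encoded as UTF-16LE (byte, 0x00) pairs.
    Returns (start, end, text) tuples; runs shorter than min_chars are skipped
    so that a stray pair inside real code is not promoted to a string."""
    results = []
    i, n = 0, len(data)
    while i + 1 < n:
        if 0x20 <= data[i] < 0x7F and data[i + 1] == 0x00:
            start = i
            while i + 1 < n and 0x20 <= data[i] < 0x7F and data[i + 1] == 0x00:
                i += 2
            if (i - start) // 2 >= min_chars:
                results.append((start, i, data[start:i].decode("utf-16-le")))
        else:
            i += 1  # strings need not be dword aligned, so advance one byte
    return results


def classify(data, lo, hi, min_chars=4):
    """Give UTF-16LE strings priority over offsets: any candidate offset whose
    bytes fall inside a recognised string run is dropped; the rest survive."""
    strings = find_utf16le_strings(data, min_chars)
    covered = set()
    for start, end, _ in strings:
        covered.update(range(start, end))
    offsets = [(off, val) for off, val in dwords_in_range(data, lo, hi)
               if off not in covered]
    return strings, offsets


if __name__ == "__main__":
    naive = dwords_in_range(SAMPLE, TEXT_START, TEXT_END)
    print("naive offsets:", [(o, hex(v)) for o, v in naive])
    strings, offsets = classify(SAMPLE, TEXT_START, TEXT_END)
    print("strings:", strings)
    print("surviving offsets:", [(o, hex(v)) for o, v in offsets])
```

On the sample, the naive scan reports three offsets (0x00650068 and 0x006C006C from the two character pairs of "hello", plus the real 0x00401000); the string-first pass keeps only the real pointer. The same idea can be applied to an exported IDA segment before deciding which ranges to undefine and re-mark as strings.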

  abuse007     April 21, 2008 01:48.55 CDT
Hi Tagetora,

I believe distinguishing code and data is a very difficult problem to solve in static analysis, which will lead to these types of problems occurring.

I'm not an RE expert, but I'll hazard a guess that writing custom-tailored scripts for a particular target is probably one of the best methods to solve the problem. It will be interesting to hear what the RE gurus suggest.

I find an IDC script written by itsme very useful. It can convert a highlighted area into strings (ASCII and Unicode, with alignment) using a MakeTable function. I use it via a hotkey to manually tweak data/code, along with custom scripts like you did.

  nezumi     April 22, 2008 22:36.53 CDT
There is a simple solution. Follow this: load the file into IDA Pro, press "Analysis options", press "Kernel analyser options 1" and uncheck "Create offset if data xref to seg32 exists". Of course, you can do this after loading via options; however, in this case you have to reanalyze the file or just undefine the strings. (This is for IDA Pro 4.7, console edition; names on the menu might be different on another one, however this strategy should work everywhere.)

  tagetora   April 23, 2008 05:11.15 CDT
Hi there,

@abuse007:
The script you are talking about is Format Data, isn't it? It's a nice script but I needed something more specific and automated. Actually, I found that after browsing the binary a bit and finding how the strings and vTables are stored, a custom script does a very good job, but it can be a bit tricky.

@nezumi:
Damn! I've been looking at the kernel options without seeing it. That's what I was looking for. Using this option I only need to take care of the vTables, which is easier than my semi-intelligent-buggy-script xD

Thanks!

  nezumi     April 23, 2008 05:53.16 CDT
Well, I'm not an IDA guru; however, I've published a couple of books about it, so I know the internals, and you're always welcome like all other people.

To automate the vTable offsets: after IDA has finished its work, go to the options and set the flag up. Now select the vTables and reanalyze the selected area. Or, well, select all but your Unicode strings and run the analyze script (it comes with IDA). Everything will be fine, I promise :)

  abuse007     April 23, 2008 20:08.14 CDT
@tagetora
Yes, that's the one I was talking about. I remembered the author, but I was too lazy to find the script's name for the post.

@nezumi
I have not read your books yet, but I plan to. From your posts I've read here on OpenRCE you seem like an IDA guru to me... :)

  nezumi     April 24, 2008 03:03.42 CDT
@abuse007:
Check it out here: ftp://nezumi.org.ru:27
For some reason I use a non-standard FTP port, 27; please keep it in mind.
