Topic created on: May 13, 2008 01:59 CDT by sensille  .
Is there a way to tell IDA that this register/local variable points to a structure of specific type?
I can right-click on e.g. [esi+010h] and change the '010h' to a structure offset, but this will not be propagated. I'd like to get the information "ESI is a pointer to struct _foo" to be propagated as far as possible, even down function calls and into local variables.
This would make analysis of especially C++ much easier.
Thanks for any hints.
to apply a structure to all reg references, you have to write x86 emulator, tracing actual value of reg. for example:
mov eax, [esi+0x8]
sub esi, 0x4
mov ebx, [esi+0xC]
as far as you see: [esi+0x8] and [esi+0xC] point to the same field of the structure, however, to find this out, you have to trace the esi value. if you're sure that your register isn't changed, a simple IDC-script helps you. just select the area, get the operand of all instructions and convert the operand to a structure member if the register matches
um? selection-T applies a structure to all registers with appropriate operands, while sensille asks for a certain register, so we need to write a simple IDC-script to enumerate commands, get operands as text, and look for our register.
In the GUI version, selection-T works on a single-register granularity. See the "register" drop box in the top/left corner of the dialog.
I've seen IDA tracing register values when the address of an imported function gets loaded into a register and being called indirectly later on. IDA will then put a comment on the call pointing to the function loaded earlier.
So I thought IDA might have built-in register tracing capabilities and I just missed the 'assume register points to struct' switch.
I found the 'idastruct' plugin by rjohnson and the description looks promising, it might be what I'm searching for. As soon as I'm able to get it to work I'll check it out. Otherwise I'll dig into how to write plugins and try my luck.
The main idea is to get a large C++ binary annotated quickly so that you can see how far the objects/structures spread, so you could start reading in the middle of it without the need to painfully trace every single call up to that point just to find out which structures the registers point to.
Also it would be possible to search where a certain structure component gets modified. One might even add xrefs to the structure members, though I don't know if that is possible with the current IDC/plugin command set.
RolfRolles
in my 4.7 (console) there is nothing like that (my employer gave me 5.2, but I don't use it quite often due to compatible issues with my old scripts/plugins).
hm, IDA 4.7 gui has this feature with register. I missed it, coz I use only console version and keep gui-version just to take screen-shots for my papers.
sensille
yes, IDA tracks register values, see:
\IDA\SDK\include\ua.hpp and \IDA\SDK\module\...\emp.cpp
hm, value tracking is not type tracking, but I could just assign a magic value representing a specific struct to a register and let IDA track the value. In a later pass I could use this info to convert the structure offsets.
I see, I have to dive deeper into this...
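The two ideas above (nezumi's "trace the register, then convert [reg+disp] operands into structure members" and sensille's "tag the register with a value standing for a structure and let the tracker carry it") can be modelled in a few lines. The following is an added, stand-alone Python example written for this thread; it is not code from the original posts, from the idastruct plugin or from the IDA SDK, and it does not call the IDA API. The listing (whose first three lines follow nezumi's example), the struct _foo layout and all function names are constructed for the example; inside IDA the same loop would read operands through IDC/IDAPython instead of parsing text.

```python
import re

# Constructed layout for a hypothetical struct _foo (offset -> member name).
FOO_LAYOUT = {0x0: "vtable", 0x4: "refcount", 0x8: "next", 0xC: "name"}

# Constructed listing; the first three lines follow nezumi's example.
SAMPLE_LISTING = [
    "mov eax, [esi+0x8]",   # member at +8
    "sub esi, 0x4",         # esi now points 4 bytes before the struct
    "mov ebx, [esi+0xC]",   # still the member at +8
    "add esi, 0x4",         # back to the struct base
    "mov ecx, [esi+0x4]",   # member at +4
    "mov esi, [esi]",       # reads +0, then overwrites esi: tracking ends
    "mov edx, [esi+0x8]",   # esi unknown here, no annotation
]

MEM_RE = re.compile(r"\[(?P<reg>e[a-z]{2})(?:\s*\+\s*(?P<disp>0x[0-9a-fA-F]+|\d+))?\]")
# Mnemonics whose first operand is overwritten (short, constructed list).
WRITES_DST = {"mov", "lea", "pop", "xor", "and", "or", "imul", "shl", "shr"}


def split_insn(insn):
    """'mov eax, [esi+0x8]' -> ('mov', ['eax', '[esi+0x8]'])."""
    parts = insn.strip().split(None, 1)
    mnem = parts[0].lower()
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return mnem, ops


def annotate(listing, reg, layout, struct_name="_foo"):
    """Walk the listing assuming `reg` points at offset 0 of struct_name on entry.

    Returns [(instruction, comment)]. The comment names the member behind each
    [reg+disp] operand, adjusted for add/sub applied to reg on the way, and is
    None once the register's value is no longer known.
    """
    delta = 0        # reg == &struct + delta while tracked (sensille's "magic value")
    tracked = True
    result = []
    for insn in listing:
        mnem, ops = split_insn(insn)
        comment = None
        # 1. Memory operand through the tracked register: resolve the member.
        m = MEM_RE.search(insn)
        if tracked and m and m.group("reg").lower() == reg:
            disp = int(m.group("disp"), 0) if m.group("disp") else 0
            off = delta + disp
            member = layout.get(off)
            comment = (f"{struct_name}.{member}" if member
                       else f"{struct_name}+{off:#x} (no member here)")
        # 2. add/sub on the register keeps it tracked with a shifted delta.
        if tracked and mnem in ("add", "sub") and ops and ops[0].lower() == reg:
            imm = int(ops[1], 0)
            delta += imm if mnem == "add" else -imm
            comment = f"{reg} = {struct_name}{delta:+#x}"
        # 3. Any other write to the register: its value is unknown from here on.
        elif mnem in WRITES_DST and ops and ops[0].lower() == reg:
            tracked = False
        result.append((insn, comment))
    return result


if __name__ == "__main__":
    for insn, cmt in annotate(SAMPLE_LISTING, "esi", FOO_LAYOUT):
        print(f"{insn:<24}; {cmt or ''}")
```

The point of the walk is visible in lines 1 and 3 of the listing: both resolve to the same member, which a plain "replace every [esi+disp]" pass would miss, and the annotation stops as soon as esi is overwritten rather than guessing.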
you got the point. using IDA-Pro emulators you can trace reg. changing, even more! if two different registers match and point to the same memory location - their values have to be converted into structures as well.
but remember: IDA Pro emulates just a few instructions and quite often gives you wrong results. however, you may improve the x86 emulator, since there is a well-known open source plug-in designed for emulation debugging, and it emulates almost all frequently used instructions.
my point is: IDA-Pro is an interactive disassembler, so, don't try to automate everything, turning her into Sourcer-like stuff. use your own hand and brain, man!
> nezumi: IDA Pro emulates just a few instructions and quite often gives you wrong result. however, you may improve x86 emulator, since there is well-know open source plug-in designed for emulation debugging, and emulates almost all frequently used instructions.
I currently look into bochs to see if I can use the CPU module for accurate emulation.
> nezumi: my point is: IDA-Pro is an interactive disassembler, so, don't try to automate everything, turning her into Sourcer-like stuff. use your own hand and brain, man!
I can't fully agree. What can be automated should be automated. Imagine an IDA Pro without xrefs, or without function recognition!
"Sourcer" is a good cue: I misread it as 'sorcerer', which is how I feel with my current project: I'm stuck, the amount of code is overwhelming, I have to go back into seclusion and work a mightier spell.
My point is: there will still be enough work left for my hands and brain ;-)