The Greatness of PyDbg
Author: drew
Created: Tuesday, February 6 2007 01:14.20 CST. Modified: Tuesday, February 6 2007 18:06.06 CST.

For the past few years I've been using a debugger I wrote in C#.  Recently I gave Pedram's PyDbg, a part of PaiMei, a spin.  PyDbg did exactly what I wanted!  Even though I'm not particularly fond of Python, it looks like I'll have to use PyDbg more and probably learn a bit of Python along the way.  You can download PyDbg as a part of PaiMei from our download section.

One function that I stole from Igor Skochinsky's QTFairUse is find_pid.  It takes in a process name and returns the process id.  Simple enough, but useful. :)  Here's a dump of the code:

from pydbg import *
import sys

def find_pid(dbg, name):
    # case-insensitive match on the image name; returns the first matching
    # pid, or -1 when no process with that name is running
    namel = name.lower()
    for (pid, proc_name) in dbg.enumerate_processes():
        if proc_name.lower() == namel:
            return pid
    return -1


# and a simple use example:

dbg = pydbg()

pid = find_pid(dbg, "notepad.exe")
if pid != -1:
    print("Attaching to %d" % pid)
    dbg.attach(pid)
else:
    sys.exit("process not found.")

Introduction to File Format RE
Author: drew
Created: Friday, December 22 2006 21:20.06 CST.

Igor pasted a link to a blog with a good introduction to file format reverse engineering. The author, Edward Keyes, is involved with translating third-party games into different languages, such as English, Japanese, etc. So far he has a good introduction to file format RE:

Part II: The Hex Editor
Part III: Code Prototyping
Part IV: Compression Formats

In future installments he'll discuss typical image formats.  For non-beginners, the compression format post has some useful information.

Here's a quick IDA IDC function to return the next empty Mark slot
Author: drew
Created: Tuesday, June 13 2006 19:41.48 CDT. Modified: Friday, June 16 2006 14:21.15 CDT.

http://www.openrce.org/repositories/users/drew/GetMarkedNext.idc

Here's a quick IDA IDC function to return the next empty Mark slot for use with MarkPosition.

// return the next empty Mark slot for use with MarkPosition
// IDA 5.0 accepts slots 1..1023; returns -1 when every slot is already taken
static GetMarkedNext()
{
        auto slot;
        slot = 1;
        // loop until we find an empty slot (GetMarkedPos returns -1 for an empty slot)
        while ( -1 != GetMarkedPos(slot) )
        {
                slot++;
                if ( slot > 1023 )
                        return -1;
        }

        return slot;
}


Note:
IDA 5.0's valid range for mark slots is 1..1023.  However, MAX_MARK_SLOT does not seem to be available to IDC.  MAX_MARK_SLOT on IDA 5.0 is actually set to 1024. This means that Ilfak's findcrypt.cpp plugin has a slight bug in it:

for ( i=1; i <= MAX_MARK_SLOT; i++ )

The comparison should actually be i < MAX_MARK_SLOT.  But I can't blame him because the comments in sdk\include\moves.hpp say that 1..MAX_MARK_SLOT are valid slots. ;)

Earlier versions of IDA, such as 4.6sp1, have a mark slot limit somewhere near 32.

IDACompare pre-compiled for IDA 4.6sp1
Author: drew
Created: Friday, May 19 2006 19:47.29 CDT. Modified: Tuesday, June 13 2006 19:42.46 CDT.

http://www.openrce.org/repositories/users/drew/IDA_Compare.plw

Above is a link to a pre-compiled IDACompare plugin for IDA 4.6sp1.  The only change required for the compile was removing the last arg from generate_disasm_line in idacompare.cpp line 285.  It was compiled from the 12.16.05 release from http://labs.idefense.com/labs-software.php?show=16

I'm posting this so that it'll make it into google.  User repositories don't appear to be browsable unless you're logged in.

How to add custom symbolic constants in IDA
Author: drew
Created: Friday, May 19 2006 19:22.26 CDT. Modified: Friday, May 19 2006 19:29.11 CDT.

Quick Answer: use an Enum

Explanation and long answer:

Let's say that you're using IDA, run across a numerical constant, and want to replace it with a symbolic constant. IDA has a great pre-built database of common symbolic constants. To access it, right-click on the constant in question and select Symbolic constant, then Use standard symbolic constant. However, if you want to add your own custom symbolic constant, you'll want to add an enum. The process isn't advanced, but I've run into a couple of IDA users that weren't familiar with it.

Let's use the following code from notepad.exe as an example:

push    20019h          ; samDesired
xor     esi, esi
push    esi             ; ulOptions
push    offset aClsidAdb880a6D ; lpSubKey
push    80000000h       ; hKey
call    ds:RegOpenKeyExA


In order to add a custom symbolic constant, open the Enumerations subview (shift+F10).  Press the Insert key to add a new enumeration type.  Ignore all the settings for now and just hit Ok.  Now that you have a new enumeration type, press N to create a new symbolic constant.  Put your new name, for example mySAM, as the name, and the value for the constant, for example 0x20019.  Please note that you'll have to precede hex values with "0x".  Now go back to your disassembly subview, right click on the numeric constant, select Symbolic constant, and your newly created symbolic constant should appear just like the following:



Side note: Some readers might notice that the correct symbolic constant for this 20019h is already included in IDA's standard symbolic constant list.
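The same steps scripted rather than clicked through, as an added example that is not from drew's post: it assumes the IDA 5.x-era IDC functions GetEnum, AddEnum, AddConstEx and OpEnumEx, and that the cursor sits on the push 20019h instruction when main() runs.

```idc
// Added example (not part of the original post): create an enum, add a
// member to it, and apply that member to operand n of the instruction at ea.
// Assumes IDA 5.x-era IDC names: GetEnum, AddEnum, AddConstEx, OpEnumEx.
static AddSymbolicConstant(ea, n, enum_name, const_name, value)
{
        auto id;

        // reuse the enumeration if a previous run already created it
        id = GetEnum(enum_name);
        if ( id == -1 )
                id = AddEnum(-1, enum_name, 0);   // -1: append at end, 0: default flags
        if ( id == -1 )
        {
                Message("could not create enum %s\n", enum_name);
                return 0;
        }

        // bmask -1 means a plain (non-bitfield) constant; AddConstEx returns 0 on success.
        // A non-zero result usually means the name or value already exists in this enum,
        // which is harmless here because OpEnumEx matches members by value.
        if ( AddConstEx(id, const_name, value, -1) != 0 )
                Message("note: %s (0x%X) not added, it may already exist\n", const_name, value);

        // display operand n at ea as the enum member whose value matches the operand
        return OpEnumEx(ea, n, id, 0);
}

static main()
{
        // apply to the "push 20019h ; samDesired" instruction under the cursor
        if ( AddSymbolicConstant(ScreenEA(), 0, "mySAM", "mySAM", 0x20019) )
                Message("operand at %08X now shows mySAM\n", ScreenEA());
        else
                Message("operand at %08X was not changed\n", ScreenEA());
}
```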

