OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Topic created on: October 20, 2010 20:32 CDT by monarch .

New to IDA, please keep that in mind.

This is with regard to a .so on linux, being loaded into IDA on windows.

When viewing the strings and trying to get a chart of the xrefs to those strings none of the strings are found to have xrefs. The strings are in the .rodata section.

Example:
.rodata:00162CBC __STRING_21 db 'foo',0

It would be really nice to see what functions use the string above..

Is there a way to use the search functions of IDA to find xrefs? Or is something just plain wrong with the way I am trying this?

cseagle		October 21, 2010 13:22.07 CDT
You are not really telling us enough about the binary in question. Perhaps there are no direct references to the strings. Perhaps the code computes the addresses of the strings at run time. Are they part of a larger table? Embedded within a struct? Perhaps the code is obfuscated in some way and Ida is not seeing the code that references the strings. What is the earliest data item preceding the string of interest that does have a cross reference? The bottom line is that Ida sees no direct reference to this string and no search function is going to make one appear. You need to determine the underlying reason that Ida is seeing no cross reference and move forward from there.

monarch		October 22, 2010 07:50.03 CDT
Thanks cseagle, glad to know it should work. I think with .so since address rebasing could occur direct references to the strings would be impossible. Correct? So perhaps I will need to review some string functions and see how the args are pushed to see how the .rodata is being accessed. Sorry for the vague question, I thought someone who had worked on linux shared libs would know from experience.

cseagle		October 22, 2010 09:57.54 CDT
Yes with .so, frequently the address of the .got section is computed at runtime often into ebx, then the address of data is taken as a fixed offset from ebx. Ida often handles these references quite well however.

oxident		December 6, 2010 13:33.48 CST
I'm also quite new in ida and facing a similiar problem. In my case, the target is a huge (>50 MB) ELF executable with tons of strings in the .rodata section. Roughly half of the code consists of strings to which ida finds no reference. Is there any advice on how to approach this easily?

tosanjay		December 16, 2010 06:15.17 CST
The IDApro book says that data xrefs are application to only locations that have virtual address i.e. stack variables are not covered for data xrefs. So, may be you have no data xrefs because of this limitations. As a matter of fact, I am too digging a lot to find data xref across the binary to trace data as it flows from some entry function (e.g. getInput()) to some sink (e.g. strcpy()'s argument) with many in-between assignments to other variables. And I shall appreciate any suggestions in this direction.

Note: Registration is required to post to the forums.

There are 31,322 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit