OpenRCE: Blog

The Greatness of PyDbg

Tue, 06 Feb 2007 01:14:20 -0600

For the past few years I've been using a debugger I wrote in C#. Recently I gave Pedram's PyDbg, a part of PaiMei, a spin. PyDbg did exactly what I wanted! Even though I'm not particularly fond of Python, it looks like I'll have to use PyDbg more and probably learn a bit of Python along the way. You can download PyDbg as a part of PaiMei from our download section.

One function that I stole from Igor Skochinsky's QTFairUse is find_pid. It takes in a process name and returns the process id. Simple enough, but useful. :) Here's a dump of the code:



def find_pid(dbg, name):

    namel = name.lower()

    found_target = False

    for (pid, proc_name) in dbg.enumerate_processes():

        if proc_name.lower() == namel:

            return pid

    return -1





#and a simple use example:



dbg = pydbg()



pid = find_pid(dbg, "notepad.exe")

if pid!=-1:

    print ("Attaching to %d") % (pid)

    dbg.attach(pid)

else:

    error("process not found.")

Introduction to File Format RE

Fri, 22 Dec 2006 21:20:06 -0600

Igor pasted a link to a blog with a good introduction to file format reverse engineering. The author, Edward Keyes, is involved with translating 3rd party games in to different languages, such as English, Japanese, etc. So far he has a good introduction to file format RE:

Part II: The Hex Editor
Part III: Code Prototyping
Part IV: Compression Formats

In future installments he'll discuss typical image formats. For non-beginners, the compression format post has some useful information.

Here's a quick IDA IDC function to return the next empty Mark slot

Tue, 13 Jun 2006 19:41:48 -0500

http://www.openrce.org/repositories/users/drew/GetMarkedNext.idc

Here's a quick IDA IDC function to return the next empty Mark slot for use with MarkPosition.



// return the next empty Mark slot for use with MarkPosition

static GetMarkedNext()

{

        auto slot;

        slot = 1;

        //loop until we find an empty slot

        while( -1 != GetMarkedPos(slot) )

           {slot++;}



        return slot;

}

Note:
IDA 5.0's valid range for mark slots is 1..1023. However, MAX_MARK_SLOT does not seem to be available to IDC. MAX_MARK_SLOT on IDA 5.0 is actually set to 1024. This means that Ilfak's findcrypt.cpp plugin has a slight bug in it:

for ( i=1; i <= MAX_MARK_SLOT; i++ )

The comparison should actually be i < MAX_MARK_SLOT. But I can't blame him because the comments in sdk\include\moves.hpp say that 1..MAX_MARK_SLOT are valid slots. ;)

Earlier versions of IDA, such as 4.6sp1, have a mark slot limit somewhere near 32.

IDACompare pre-compiled for IDA 4.6sp1

Fri, 19 May 2006 19:47:29 -0500

http://www.openrce.org/repositories/users/drew/IDA_Compare.plw

Above is a link to a pre-compiled IDACompare plugin for IDA 4.6sp1. The only change required for the compile was removing the last arg from generate_disasm_line in idacompare.cpp line 285. It was compiled from the 12.16.05 release from http://labs.idefense.com/labs-software.php?show=16

I'm posting this so that it'll make it into google. User repositories don't appear to be browsable unless you're logged in.

How to add custom symbolic constants in IDA

Fri, 19 May 2006 19:22:26 -0500

Quick Answer: use an Enum

Explanation and long answer:

Let's say that you're using IDA, run across a numerical constant, and want to replace the numerical constant with a symbolic constant. IDA has a great pre-built database of common symbolic constants. To access this, right-click on the constant in question, select Symbolic Constant, Use standard symbolic constant. However if you want to add your own custom symbolic constant, you'll want to add an enum. The process isn't advanced, but I've run into a couple IDA users that weren't familiar with it.

Let's use the following code from notepad.exe as an example:

push    20019h          ; samDesired

xor     esi, esi

push    esi             ; ulOptions

push    offset aClsidAdb880a6D ; lpSubKey

push    80000000h       ; hKey

call    ds:RegOpenKeyExA

In order to add a custom symbolic constant, open the Enumerations subview (shift+F10). Press the Insert key to add a new enumeration type. Ignore all the settings for now and just hit Ok. Now that you have a new enumeration type, press N to create a new symbolic constant. Put your new name, for example mySAM, as the name, and the value for the constant, for example 0x20019. Please note that you'll have to precede hex values with "0x". Now go back to your disassembly subview, right click on the numeric constant, select Symbolic constant, and your newly created symbolic constant should appear just like the following:

Side note: Some readers might notice that the correct symbolic constant for this 20019h is already included in IDA's standard symbolic constant list.