CastleCops, Internet Crime Fighters
Need help about IDA plugin writing

 
guest

Guest
IP: 222.211.*.*

Posted: Sun Jan 08, 2006 3:13 am    Post subject: Need help about IDA plugin writing

I'm a newbie at writing IDA plugins. I'm reading a packer's code; there is
so much junk code that I decided to write a plugin to clear it.

For example:

Code:
011D320D 87 F5         xchg    esi, ebp
011D320F F7 D6         not     esi
011D3211 87 F5         xchg    esi, ebp
011D3213 F7 D5         not     ebp

Obviously they can be replaced by 8 nops. The problem is, they might be separated
by some more "basic" junk code such as "lea ebp,[ebp]" or "jmp", like this:

Code:
            xchg   esi,ebp
            not    esi
            jmp    xxxxxxxx
xxxxxxxx:
            xchg   esi,ebp
            not    ebp


So I wrote some code like this (a simplified version).


Code:
StripAtomicGarbage(nVAFrom,nVATo);   // This one replaces things like "lea ebp,[ebp]" with nops
StripDiscreteGarbage(nVAFrom,nVATo);

typedef struct _INSTRUCTION_INFO
{
   ea_t   address;   // start address of the instruction
   int    size;      // length of the instruction in bytes
}INSTRUCTION_INFO, *PINSTRUCTION_INFO;

static int nNumOfDiscreteJunk = 0;   // counts the sequences cleared so far (incremented by Garbage_Xchg)

void StripDiscreteGarbage(ea_t nVAFrom,ea_t nVATo)
{
   DWORD   dwCurrAddr = 0;
   BYTE    opcode     = 0;
   DWORD   dwSkip     = 0;

   dwCurrAddr = nVAFrom;
   while(dwCurrAddr < nVATo)
   {
      dwSkip = 0;

      // At first I called isCode, but many junk codes
      // were skipped.

      opcode = get_byte(dwCurrAddr);

      switch(opcode)
      {
      case 0x87:   // xchg reg32,reg32
         dwSkip = Garbage_Xchg(dwCurrAddr);
         break;

      ......

      default:
         break;
      }

      if(dwSkip)
      {
         dwCurrAddr += dwSkip;   // step over the bytes the handler consumed
      }
      else
      {
         dwCurrAddr ++;          // no match: try the next byte
      }
   }
}

DWORD Garbage_Xchg(ea_t lpCurrOpcode)
{
   BYTE               data[8];
   INSTRUCTION_INFO   InstrInfo[4];        // room for 4 instructions; Intelli_GetManyBytes is not told this limit
   DWORD              dwNumOfItem      = 0;
   DWORD              dwSkip           = 0;
   DWORD              dwBytesBeforeJmp = 0;

   if(Intelli_GetManyBytes(lpCurrOpcode,data,8,InstrInfo,dwNumOfItem,dwBytesBeforeJmp))
   {
      // pattern matched? (only the opcode bytes are compared here)
      if((0xF7 == data[2]) && (0x87 == data[4]) && (0xF7 == data[6]))
      {
         Intelli_Nop(InstrInfo,dwNumOfItem);
         dwSkip = dwBytesBeforeJmp;
         nNumOfDiscreteJunk++;
      }
   }

   return dwSkip;
}

bool Intelli_GetManyBytes(ea_t lpStartAddr,                  // start address
                          PBYTE lpBuff,                      // result
                          int nSize,                         // bytes to get
                          PINSTRUCTION_INFO lpInstrInfo,     // result, saves instruction info
                          DWORD & dwNumOfItem,               // number of items in lpInstrInfo
                          DWORD & dwSkip)                    // bytes occupied (not including ones after jmp)
{
   // read the bytes specified at lpStartAddr, skipping nops & jmp

   bool        bRet          = FALSE;
   bool        bJmpPresent   = FALSE;
   int         nCounter      = 0;
   ea_t        lpCurrOpcode  = 0;
   int         nInstrLen     = 0;
   xde_instr   instruction;
   BYTE        tmp[0x10];                 // must be as large as the 0x10 bytes read below

   dwNumOfItem = 0;
   dwSkip = 0;
   lpCurrOpcode = lpStartAddr;

   while(TRUE)
   {
      get_many_bytes(lpCurrOpcode,tmp,0x10);      // read 16 bytes each time

      // sorry, I'm not familiar with the IDA SDK so I used XDE instead.

      nInstrLen = xde_disasm(tmp,&instruction);

      if(0 == nInstrLen)
      {
         msg("Failed to analyse the code at %08X\n",lpCurrOpcode);
         break;
      }

      if((1 == nInstrLen) && (0x90 == instruction.opcode))   // skip nops
      {
         lpCurrOpcode ++;

         if(!bJmpPresent)
         {
            dwSkip ++;
         }

         continue;
      }

      if((5 == nInstrLen) && (0xE9 == instruction.opcode))   // if jmp, continue at the destination
      {
         lpCurrOpcode = lpCurrOpcode + 5 + instruction.data_d[0];

         if(!bJmpPresent)
         {
            dwSkip += 5;
            bJmpPresent = TRUE;
         }

         continue;
      }

      if(nInstrLen <= (nSize - nCounter))
      {
         memcpy(lpBuff + nCounter,tmp,nInstrLen);

         lpInstrInfo->address = lpCurrOpcode;    // one entry per real instruction
         lpInstrInfo->size = nInstrLen;
         lpInstrInfo ++;
         dwNumOfItem ++;

         lpCurrOpcode += nInstrLen;
         nCounter += nInstrLen;

         if(!bJmpPresent)
         {
            dwSkip += nInstrLen;
         }

         continue;
      }
      else
      {
         if((nSize - nCounter) > 0)
         {
            memcpy(lpBuff + nCounter,tmp,nSize - nCounter);   // copy the partial tail
         }

         bRet = TRUE;
         break;
      }
   }

   return bRet;
}

and a similar function named Intelli_Nop to clear the junk code. All I want is to nop all
junk code even if it is separated by "lea ebp,[ebp]" or "jmp".

But when I run the plugin, I always get an exception like
"Access violation at address 011D2348, Read of address 011D2348." and the plugin
can't continue any more (it has already found and cleared several junk codes).

When I exit IDA, the database is corrupted. It seemed to be caused by
the call to get_many_bytes in Intelli_GetManyBytes; if I use a try-catch block
I catch nothing. I wrote it with VC6.

So what's my problem? Thanks in advance, and forgive my poor English.

Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351


Posted: Sun Jan 08, 2006 4:13 am

I'll ping Ilfak on this since IDA is his baby.


Paul Laudanski - http://www.laudanski.com
ilfak

Hexblog Host


Joined: Jan 03, 2006
Posts: 21
Location: Belgium

Posted: Sun Jan 08, 2006 10:00 pm

It is quite difficult to say anything right now. One has to get the full source code, compile it and run it under the debugger to understand why it crashes or behaves incorrectly. If you are a DataRescue customer, you may post your question to the support forum and get help there.

softworm

Guest
IP: 218.89.*.*






Posted: Mon Jan 09, 2006 12:45 am    Post subject: thank you!

I found the reason this morning; it was caused by my own stupid mistake.

I declared an array of type INSTRUCTION_INFO of size 4 to save the instruction information, so when the function Intelli_GetManyBytes reads the specified number of bytes (8 bytes here), they can include more than 4 instructions and overrun the array.

I'm very sorry to disturb you; thank you Paul and Ilfak.

Best regards.
softworm from China

Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351


Posted: Mon Jan 09, 2006 12:46 am

Thanks for getting back with the solution. Smile

