
IDA - Analyzing offset-independent malware


lowkick
November 20th, 2008, 16:42
During analysis you may frequently encounter a scenario such as:
Code:
call _delta
pop ebp

Later on, ebp is used as a base offset for computing relative addresses, etc.
I ran across this method:
http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2006/03/17/11.aspx
but I got stuck at the last step. I can't get IDA to interpret a register (edi in that case) as a structure offset. Any ideas will be appreciated.

Maximus
November 20th, 2008, 19:38
You don't transform the register into a structure, but the offsets applied to it into structure offsets.
Check your right-click menu and you will find it there.
(I forgot, but I am sure you missed it: click the offset part!)

reverser
November 20th, 2008, 20:17
On an expression which uses ebp, press Ctrl-R and enter the ebp value (the address of pop ebp instruction) into Base Address field. Optionally, check "Treat base as plain number", this will keep down the number of unnecessary xrefs.
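The same step as a script, as an added example that is not part of the thread and not reverser's or IDA's own code. It finds the `call $+5 / pop reg` pair, takes the register's real value to be the address of the pop instruction (the return address the call pushed), and turns every `[reg+disp]` operand into an offset from that base. The analysis part works on a constructed instruction list so it runs outside IDA; apply_in_ida() is the IDAPython part and assumes the 7.x-style names `idautils.FuncItems`, `idc.print_operand`, `ida_bytes.op_offset`, `idc.REF_OFF32` and `ida_nalt.REFINFO_NOBASE` (the latter is what the "Treat base as plain number" checkbox sets). The sample addresses are made up.

```python
"""Added example: automate the Ctrl-R "Offset (user-defined)" step for the
call/pop delta trick. Pure-Python analysis plus an optional IDAPython apply."""
import re
from collections import namedtuple

try:  # IDAPython modules exist only inside IDA; assumed 7.x+ API names
    import idautils, idc, ida_bytes, ida_nalt
    IN_IDA = True
except ImportError:
    IN_IDA = False

Insn = namedtuple("Insn", "ea size mnem ops")  # ops: tuple of operand strings

# Constructed sample modelled on the pattern in the first post (addresses made up).
SAMPLE = [
    Insn(0x401000, 5, "call", ("0x401005",)),        # call _delta  ($+5)
    Insn(0x401005, 1, "pop",  ("ebp",)),             # _delta: pop ebp -> ebp = 0x401005
    Insn(0x401006, 6, "lea",  ("eax", "[ebp+0x2A]")),  # really 0x40102F
    Insn(0x40100C, 3, "mov",  ("edx", "[ebp-0x5]")),   # really 0x401000
    Insn(0x40100F, 2, "mov",  ("ecx", "[esp+4]")),     # esp is not a delta base
]

# [reg+disp] / [reg-disp] with disp as 0x2A, 2Ah (IDA style) or decimal
MEM_RE = re.compile(r"^\[(\w+)([+-])(0x[0-9a-fA-F]+|[0-9a-fA-F]+h|\d+)\]$")


def parse_imm(text):
    """Accept 0x2A, 2Ah (IDA's listing style) or plain decimal."""
    t = text.lower()
    return int(t[:-1], 16) if t.endswith("h") else int(t, 0)


def find_delta_registers(insns):
    """Return {register: base} for every `call next_insn; pop reg` pair."""
    by_ea = {i.ea: i for i in insns}
    bases = {}
    for insn in insns:
        if insn.mnem != "call":
            continue
        target = parse_imm(insn.ops[0])
        if target != insn.ea + insn.size:      # only a call to the very next byte
            continue
        nxt = by_ea.get(target)
        if nxt is not None and nxt.mnem == "pop":
            bases[nxt.ops[0]] = nxt.ea          # reg == address of the pop itself
    return bases


def resolve(operand, bases):
    """Absolute address for `[reg+disp]` when reg holds a delta base, else None."""
    m = MEM_RE.match(operand.replace(" ", ""))
    if not m or m.group(1) not in bases:
        return None
    disp = parse_imm(m.group(3))
    return bases[m.group(1)] + (disp if m.group(2) == "+" else -disp)


def resolve_all(insns):
    """Map (insn_ea, operand_index) -> absolute address for every rebased operand."""
    bases = find_delta_registers(insns)
    out = {}
    for insn in insns:
        for n, op in enumerate(insn.ops):
            ea = resolve(op, bases)
            if ea is not None:
                out[(insn.ea, n)] = ea
    return out


def apply_in_ida(func_ea):
    """Inside IDA only: apply the user-defined offset with the pop address as base."""
    if not IN_IDA:
        raise RuntimeError("run this from IDA's script console")
    insns = []
    for ea in idautils.FuncItems(func_ea):
        mnem = idc.print_insn_mnem(ea)
        if mnem == "call":  # symbolic call target -> numeric so find_delta_registers can compare
            ops = ("0x%X" % idc.get_operand_value(ea, 0),)
        else:
            ops = tuple(idc.print_operand(ea, n) for n in range(2)
                        if idc.get_operand_type(ea, n) != idc.o_void)
        insns.append(Insn(ea, idc.get_item_size(ea), mnem, ops))
    bases = find_delta_registers(insns)
    for insn in insns:
        for n, op in enumerate(insn.ops):
            m = MEM_RE.match(op.replace(" ", ""))
            if m and m.group(1) in bases:
                # REFINFO_NOBASE == "Treat base as plain number" in the Ctrl-R dialog
                ida_bytes.op_offset(insn.ea, n, idc.REF_OFF32 | ida_nalt.REFINFO_NOBASE,
                                    idc.BADADDR, bases[m.group(1)], 0)


if __name__ == "__main__":
    for (ea, n), target in sorted(resolve_all(SAMPLE).items()):
        print("%08X op%d -> %08X" % (ea, n, target))
```

Run it in IDA as `apply_in_ida(here())` from inside the function that does the `call _delta / pop ebp`; outside IDA the module only exercises the pure-Python part. The base value is the address of the `pop`, not of the `call`, because the call pushes the address of the instruction after itself.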

dELTA
November 23rd, 2008, 11:52
Hey, stop calling me in the middle of the night like that!

lowkick
November 23rd, 2008, 14:35
Thanks for the replies, 66% of them were helpful

deroko
November 23rd, 2008, 15:34
Quote (originally posted by dELTA):
Hey, stop calling me in the middle of the night like that!


rofl

evaluator
November 24th, 2008, 09:33
>>Thanks for the replies, 66% of them were helpful
dELTA, I unpacked: so yours is the 3rd reply, so your post is that 33%, so .... ya ya ;-D

PS. hsit! & this was my 1000th post ((:

naides
November 24th, 2008, 18:07
Lowkick gets an A in diplomacy

reverser
November 25th, 2008, 16:59
Quote (originally posted by dELTA):
Hey, stop calling me in the middle of the night like that!

That's what you get for being overly case-insensitive.