IDA Pickle


Eibon
January 18th, 2011, 06:40
Hello
I just registered on this forum, so I guess a little introductory background is in order.

I've been reversing on and off for the last 10 years, on an amateurish hobby level; this includes programming more or less only in assembler.
Recently, within the last couple of years, I've been picking up a few higher-level languages in Delphi (Pascal) and a tiny bit of C (kinda hard not to, with all the "minor" languages using similar syntax etc.), and getting into the Win32 environment. I've grown familiar with some of the more common tools like OllyDbg, and my current project is learning IDA, which leads me to my problem.

The pickle:
As mentioned, I'm currently goofing around in IDA, with the sole reason being to learn its capabilities. My plan is/was to totally dissect a simple little application, hence also forcing me to get familiar with a lot of different APIs and structures etc.
It all went well so far; I was commenting and renaming everything for easier comprehension, up until I was digging around for a resource reference I couldn't find, and got the bright idea to dump the entire process. I read somewhere that the "Memory Snapshot" could be used to dump a process, so I did. To make everything better I included "All Segments", ending up with a database file (.idb) of ½GB.... *sigh*
Well, to try and fix this little mess, I started to remove some of the extra segments, and resaved my database (including garbage).....
My database file is still around ½GB, and now my BPs ain't working (in static analysis the BPs are referencing all right, but at runtime they aren't) - IDA isn't doing any rebasing when the program is run.
The easiest way would be to reanalyze the program, but I'd hate to lose all my comments, names and BPs.

I wasn't able to locate much similar info anywhere (in general, info on the .idb file format seems rather sparse).

So my questions are:

- Any tips on fixing my problem? (e.g. reducing the database size, getting the BPs/any reference to properly work again)
- Is there some way of generally removing "garbage" from .idb files?

- On the tricky subject: I was looking for a resource not visible in a PE resource inspector (more precisely, an Accelerator Table), and it wasn't generated at runtime. Any tips on where this table could be stored?


Regards
Eibon

Ps.
Sorry about any spelling/sentence errors, English ain't my native language.

dELTA
January 18th, 2011, 10:17
Is the process packed/protected somehow? In some cases protectors define large unused sections in memory as a "protective measure" against dumping, in order to cause just the problems you are talking about for people who attempt to dump the process.

The mentioned resource reference not being found in the static exe also suggests some kind of packing.

Also, I'm not sure if this "dump all segments" includes the heap? Any dynamically allocated memory (heap) may be located at different addresses between different executions of the process anyway, so any breakpoints placed in those areas will thus most likely not work between different runs.

Eibon
January 18th, 2011, 11:48
Thanks for the reply.

The program doesn't seem to be packed at all (it's part of any Windows 7 installation) and it didn't seem to have any protective measures, but just IDA dumping all the DebugXXX segments as well.

Regarding the heap, it could be included, I really don't know.
About the BPs, what I don't get is that they are referring to the proper code section during static analysis, but at runtime they seem illegal.

Maximus
January 18th, 2011, 13:32
Are you using Vista/7 with ASLR, at least when you loaded/dumped the project the first time? That sounds 99% likely to be the root cause...
(btw projekt is in deutsch :P )

Eibon
January 18th, 2011, 13:55
Yes, I'm using Windows 7, and you might be onto something regarding the ASLR "disqualifying" the current BPs, but it should be possible to "persuade" IDA to remap them again, to whatever memory area the process is being loaded into - I mean, they have worked before.
I don't believe the project is in deutsch.

JMI
January 18th, 2011, 17:24
Eibon:

I believe Maximus was simply saying that the word "projekt" appeared to be the German spelling of the English word "project".

http://translation.babylon.com/english/to-german/

v. projizieren; schleudern; abfeuern; abschießen (Rakete); werfen (Lichtschein)

n. Plan; Projekt

Regards,

Eibon
January 18th, 2011, 18:07
Thanks for the clarification, I really didn't get what was meant by that sentence.

BanMe
January 18th, 2011, 18:46
Quote:
[Originally Posted by Eibon]
"persuade" ida to remap them again


lol, relocatable breakpoints.. good idea.
kayaker:
Amazing some of the stuff you know, and the quickness to see an outcome.

Kayaker
January 18th, 2011, 19:18
Interesting conundrum. I did a brief search for "ASLR + saved breakpoints" to see if the problem was brought up before. It has, even on the MSDN blogs, but with no viable solution.

However, you would think a plugin solution might work. I don't know about the Windbg/IDA format, but in Olly breakpoints are saved between sessions in the .udd files.

(from plugin.h)
// Record tags in .udd files.
#define MI_INT3BREAK 0x7470420AL // Record with breakpoint data
#define MI_INT3BRKC 0x6370420AL // Record with checked breakpoint data

A simple F2 breakpoint is recorded with the MI_INT3BRKC tag. Searching with a hex editor for 2 such breakpoints on the start of notepad:

Code:

01006420 > $ 55 PUSH EBP
01006421 . 8BEC MOV EBP,ESP


gives what looks like 0x11-byte recorded sequences:

Code:

00013D4B 0A 42 70 63 09 00 00 00 20 64 00 00 80 0B 00 00 .Bpc.... d......
00013D5B 55

00013D5C 0A 42 70 63 09 00 00 00 21 64 00 00 00 03 00 00 .Bpc....!d......
00013D6C 8B


Parsing this, it appears to be something like:

0x6370420AL (tag)
0x00000009 (length of bytes to follow)
0x0000xxxx (rva, no base address)
unknown dword
0xxx (first byte of instruction)


I haven't tried Olly in an ASLR system, but if it calculates where breakpoints are to be reset using the dynamic base address, shouldn't they still be valid?

Dunno, just a quick observation.

Kayaker
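As an added example (not code from Kayaker's post, nor OllyDbg's own), here is a small Python parser that scans a buffer for the MI_INT3BRKC records laid out above and resolves their stored RVAs against a module base, which is the rebasing Kayaker asks about. The sample bytes are the two records from the hex dump; the record layout, the field names and the 0x01000000 notepad base are assumptions taken from his observation.

```python
import struct

# Record tags from OllyDbg's plugin.h, as quoted in the post above.
MI_INT3BREAK = 0x7470420A
MI_INT3BRKC = 0x6370420A

# Constructed sample: the two records from the hex dump above, with a few
# unrelated filler bytes in front so the scanner has to locate the tags.
SAMPLE_UDD = bytes.fromhex(
    "00 11 22 33"
    "0A 42 70 63 09 00 00 00 20 64 00 00 80 0B 00 00 55"
    "0A 42 70 63 09 00 00 00 21 64 00 00 00 03 00 00 8B"
)

def parse_int3_records(data):
    """Scan a .udd-style buffer for INT3 breakpoint records.

    Layout as observed in the post (an assumption, not documented by Olly):
    DWORD tag, DWORD payload length (9), then DWORD rva, DWORD unknown,
    BYTE first opcode byte. All fields are little-endian.
    """
    records = []
    pos = 0
    while pos + 8 <= len(data):
        tag, length = struct.unpack_from("<II", data, pos)
        if tag in (MI_INT3BREAK, MI_INT3BRKC) and length == 9 \
                and pos + 8 + length <= len(data):
            rva, unknown, first = struct.unpack_from("<IIB", data, pos + 8)
            records.append({"tag": tag, "rva": rva,
                            "unknown": unknown, "first_byte": first})
            pos += 8 + length
        else:
            pos += 1  # no record header here; keep scanning byte by byte
    return records

def rebase(records, image_base):
    """Resolve stored RVAs against the module base of the current run.

    Because the record keeps an RVA rather than an absolute address, the same
    saved breakpoint maps to the right instruction whatever base ASLR picks.
    """
    return [image_base + r["rva"] for r in records]

if __name__ == "__main__":
    recs = parse_int3_records(SAMPLE_UDD)
    # notepad's preferred base 0x01000000 (assumed from the listing above)
    for r, va in zip(recs, rebase(recs, 0x01000000)):
        print(f"{va:08X}  first byte {r['first_byte']:02X}")
```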

Sab
January 19th, 2011, 01:08
I generally like to disable the dynamic base bit in the PE header when debugging a particular DLL or EXE... makes life easier. I would suggest debugging on XP, but since it's a Win7 binary, the former will work... dongs

Eibon
January 19th, 2011, 10:26
Thanks for the replies.

I dug a bit more around the database file(s), searching for some more info.
I wasn't able to find a lot of help on the file formats on the net, and the format appears to vary between each version of IDA.
It seems to be no problem saving your names & BPs, as you can export them into an IDC script containing most of the important info (including segments), but importing them into a newly analyzed file would bug up big time as the new segments would be "replaced".
I tried to manually edit the segment locations, but that didn't seem to work either.

My next step is to try and replace the old segments, with some new, then rebase them back to the old locations.

I didn't find any proper way to remove "garbage", as the valid segments and the garbage seem to be stored/packed in a big "mess" in the .id1 file. No visible identifiers.

This is getting a bit over my head, and farther away from my original intention with this, so if my last plan with the rebasing doesn't work, I might as well just start over from scratch.

Regards
Eibon

Eibon
January 20th, 2011, 08:25
Right, I found what could be classified as a solution (though with the time spent, one could argue the opposite).
My main goal was to remove garbage from my IDA database, while retaining my BPs, Names and Comments.

IDA is able to export some of the database to an IDC script, containing information about segments, analyzed data etc. including Names and Comments (not BPs, as previously mistaken by me).
There are a couple of problems with this though:
1. There's no simple distinction between user-defined Comments/Names and auto-generated info (this is less important, because auto-generated info should be the same anyway, even in a new analysis).
2. All references are saved with a static segment base address+offset, hence they can't just be imported into an identical app unless the segments have exactly the same location (they rarely do with ASLR).

The plan was now to re-analyze the app, make a custom script with info from the old analysis (old.idc), and fit it to the new app (new.idc).
From the old.idc I extracted the following info:
- All the MakeName records ( format is: MakeName(address, "Name"); e.g. MakeName(0xA04E6C, "About"); )
- All the MakeNameEx records ( MakeNameEx(0xA0F6B4, "VK_DOWN_Process", SN_LOCAL); )
- All the MakeComm records ( MakeComm(0xA04FC8, "comment"); )
I then replaced all the addresses with a base address fitting the segments in the new analysis (search & replace).

Loading the new.idc in the newly analyzed app worked perfectly, restoring all the names and comments.
I still miss the BPs and any user-defined data types, but it shouldn't be a problem putting the few BPs back manually now.
I now have a .IDB of a few MBs, and all my Names and Comments back, so I guess this is a partial success.

This ain't exactly rocket science, but I learned a bit, and noticed a couple of things I need to be aware of in the future.

Regards
Eibon

*Edit* : I can really recommend removing the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag as mentioned by Sab.

Maximus
January 20th, 2011, 12:57
Way simpler:
Calculate the offset of your bpx from the DLL base, and save it with your DLL name/DLL segment name (whatever you feel better with).
Whenever you load your app for debugging, you can easily re-apply such breakpoints in the same way (base+offs).
It is probably much easier to do with a small IDA plugin, where you only need to save breakpoints and reload/reapply them.
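Pulling together Eibon's search-and-replace on the exported .idc records and Maximus's base+offset scheme, as an added example that is neither poster's code nor IDA's own API: rebase_idc moves only the addresses that fall inside the old image, so records pointing into other modules are not mangled, and the two breakpoint helpers store breakpoints as (module, offset) and reapply them against a new session's bases. The sample records come from Eibon's post; the image bases, sizes and module names are constructed for the example.

```python
import re

# Constructed sample of the records Eibon pulled out of old.idc, plus one
# record pointing into another module. Old image base 0xA00000 is assumed.
OLD_IDC = """\
MakeName(0xA04E6C, "About");
MakeNameEx(0xA0F6B4, "VK_DOWN_Process", SN_LOCAL);
MakeComm(0xA04FC8, "comment");
MakeName(0x77A01234, "SomeImportThunk");
"""

RECORD_RE = re.compile(r'^(MakeName|MakeNameEx|MakeComm)\((0x[0-9A-Fa-f]+)(.*)$')

def rebase_idc(script, old_base, old_size, new_base):
    """Rewrite the address argument of MakeName/MakeNameEx/MakeComm lines.

    Only addresses inside [old_base, old_base + old_size) move to the new base;
    a blind search & replace on the high bytes would also mangle addresses
    that happen to share a prefix but belong to other modules.
    """
    out = []
    for line in script.splitlines():
        m = RECORD_RE.match(line)
        if m:
            func, addr_text, rest = m.groups()
            addr = int(addr_text, 16)
            if old_base <= addr < old_base + old_size:
                addr = new_base + (addr - old_base)  # keep offset, swap base
            line = f"{func}(0x{addr:X}{rest}"
        out.append(line)
    return "\n".join(out) + "\n"

def bps_to_offsets(bp_addrs, modules):
    """Store each breakpoint as (module, offset); modules maps name -> (base, size)."""
    saved = []
    for addr in bp_addrs:
        for name, (base, size) in modules.items():
            if base <= addr < base + size:
                saved.append((name, addr - base))
                break
        else:
            raise ValueError(f"breakpoint {addr:#x} lies in no known module")
    return saved

def offsets_to_bps(saved, modules):
    """Reapply saved (module, offset) pairs against this session's bases;
    pairs for modules that are not loaded (yet) are skipped, not errors."""
    return [modules[name][0] + off for name, off in saved if name in modules]
```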