
IDA auto param recognition on OLDER versions with VALUES!!


Aimless
November 2nd, 2001, 10:29
Just for your information, thought I should share this knowledge with you, though I am sure MANY would have already thought of it...


IDA 4.xx version starts giving you the parameters for your disassembly. A very helpful feature this. But what happens to users who are using 4.04, or worse, 3.80 ??

Moreover, I know the parameters (like hwnd, lpCmdLine) etc. But I do not know the VALUES that these contain...decoded like MB_OK|MB_EXCLAMATION and so on...

Would it not be great to have that in IDA? And in versions as old as 3.80 ???

Well, here I have found out a way. Humble and simple, but workable...


* Download ollydbg. (yup!)
* Open your program through it and it will AUTOMATICALLY show you the parameters of around 1500 APIs (with facility to add your own!)
* Run the program
* Select all and save the disassembly to file (warning, it can be QUITE big)
* Use ultraedit and strip off everything, except the addresses and the comments (parameters, with values!!)
* Create an IDC script which says MakeComm(address, "comment");
* Load your proggy in IDA
* F2, apply the IDC..

VOILA !!! Instant param recognition, with character graphics AND values of parameters.

Enjoy.

...Have Phun (Maybe I should write an essay for the uninitiated ??)
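The "strip the dump down to addresses and comments, then emit MakeComm() calls" step is the part people tend to do by hand in an editor. The converter below is an added example, not code from this thread and not Polaris's program; it assumes the OllyDbg dump lines look like the constructed SAMPLE_DUMP (address, analysis marker, opcode bytes, instruction, then an optional "; comment"), which is an assumption about the OllyDbg 1.x copy-to-file layout. It keeps only lines that actually carry a comment, which also keeps the resulting IDC script small, and it escapes backslashes and double quotes so OllyDbg's bracket characters and quoted string arguments do not break the IDC string literal.

```python
"""Convert an OllyDbg disassembly dump into an IDC script of MakeComm() calls.

Added example for the procedure described above; it is not the original
poster's code and not Polaris's converter.
"""
import re
import sys

# Constructed sample of the assumed OllyDbg copy-to-file layout: address, analysis
# marker, opcode bytes, instruction, then an optional "; comment" column.
SAMPLE_DUMP = """\
00401000  $  6A 31          PUSH 31                                  ; /Style = MB_OKCANCEL|MB_ICONEXCLAMATION
00401002  .  68 30304000    PUSH 00403030                            ; |Title = "This is a Great Idea"
00401007  .  68 38304000    PUSH 00403038                            ; |Text = "Sure Is"
0040100C  .  6A 00          PUSH 0                                   ; |hOwner = NULL
0040100E  .  E8 1D000000    CALL <JMP.&USER32.MessageBoxA>           ; \\MessageBoxA
00401013  .  33C0           XOR EAX,EAX
00401015  .  C3             RETN
"""

# Group 1: 8 hex digit address; group 2: everything up to the first ';';
# group 3: the comment text (None when the line has no comment column).
LINE_RE = re.compile(r'^([0-9A-Fa-f]{8})\s+(.*?)(?:;\s*(.*))?$')


def parse_dump(text):
    """Return a sorted list of (address, comment) for every dump line with a comment."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) is None:
            continue
        comment = m.group(3).rstrip()
        if comment:
            entries[int(m.group(1), 16)] = comment  # a later duplicate address wins
    return sorted(entries.items())


def idc_escape(s):
    """Escape a comment for use inside an IDC double-quoted string literal."""
    return s.replace('\\', '\\\\').replace('"', '\\"')


def to_idc(entries):
    """Emit an IDC script whose main() applies one MakeComm() per commented address."""
    lines = ['#include <idc.idc>', '', 'static main()', '{']
    for addr, comment in entries:
        lines.append('    MakeComm(0x%08X, "%s");' % (addr, idc_escape(comment)))
    lines.append('}')
    return '\n'.join(lines) + '\n'


def convert(text):
    """Full pipeline: OllyDbg dump text in, IDC script text out."""
    return to_idc(parse_dump(text))


if __name__ == "__main__":
    # Usage: python olly2idc.py dump.txt > comments.idc  (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            sys.stdout.write(convert(f.read()))
    else:
        sys.stdout.write(convert(SAMPLE_DUMP))
```

Only the commented lines become MakeComm() calls, so a dump of a whole module shrinks to the API call sites OllyDbg annotated; the IDC file is then loaded in IDA with File/IDC file (F2) exactly as the steps above describe.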

Polaris
November 4th, 2001, 14:37
Aimless, you have pointed out a great possibility.

I have written a proggie that converts the ollydbg-dump to an autocommenting IDC script.

How can I upload it?

(Just ask and I'll email it ...)

Polaris - The Master Of Nebulah Frost

Polaris
November 4th, 2001, 14:48
Sorry!
Here is the file...

Carpathia
November 4th, 2001, 16:05
Autoparam recognition for older versions of IDA has been around since late last year, courtesy of Spath.

http://frogsprint.cjb.net

Aimless
November 5th, 2001, 01:14
With values for each params...?

...Have Phun Carp.

Unregistered
November 10th, 2001, 20:40
Quote:
Originally posted by Carpathia
Autoparam recognition for older versions of IDA has been around since late last year, courtesy of Spath.

http://frogsprint.cjb.net

Um, the autoparam recognition that Carpathia speaks of is not complete. If I name arguments in a function by hand, IDA will not reflect this in the calling routines. API calls are usually the simplest to figure out what push corresponds with what argument. It is calls within the program itself where it would be more useful. Maybe an IDC script can be made to do this?!?

Snatch

Anticode
November 12th, 2001, 06:24
What do you exactly mean by "with values for each params"?!?

Aimless
November 14th, 2001, 03:58
Instead of showing:

push xxx ;uType
push yyy
push zzz
push aaa
call MessageBoxA

It will show:

push xxx ; uType: MB_OKCANCEL | MB_ICONEXCLAMATION
push yyy ; lpCaption: "This is a Great Idea"
push zzz ; lpText: "Sure Is"
push aaa ; hWnd
call MessageBoxA

...Have Phun
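The "values" in the uType comment above come from decoding the pushed immediate against the MB_* constants: the low nibble is the button set, the next nibble the icon, then default button and modality, each an exclusive field, with independent single-bit flags above them. The decoder below is an added example (not from this thread and not OllyDbg's code) that reproduces that decoding for MessageBox and is written generically so the same routine can be reused for any API parameter that mixes exclusive fields with independent bits. The MB_* values are the documented Win32 constants; the parse_immediate helper and its accepted syntaxes (bare hex as OllyDbg prints it, "0x" prefix, IDA-style trailing "h") are assumptions for illustration.

```python
"""Decode a MessageBoxA uType immediate into MB_* names.

Added example, not code from the thread or from OllyDbg; MB_* values are
the documented Win32 constants, everything else is an illustrative assumption.
"""

# Exclusive fields: (mask, {field value: name}). A field value of 0 is the
# default (MB_OK, MB_DEFBUTTON1, MB_APPLMODAL) and is left implicit.
MB_GROUPS = [
    (0x0000000F, {1: "MB_OKCANCEL", 2: "MB_ABORTRETRYIGNORE", 3: "MB_YESNOCANCEL",
                  4: "MB_YESNO", 5: "MB_RETRYCANCEL", 6: "MB_CANCELTRYCONTINUE"}),
    (0x000000F0, {0x10: "MB_ICONERROR", 0x20: "MB_ICONQUESTION",
                  0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONINFORMATION"}),
    (0x00000F00, {0x100: "MB_DEFBUTTON2", 0x200: "MB_DEFBUTTON3", 0x300: "MB_DEFBUTTON4"}),
    (0x00003000, {0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL"}),
]

# Independent single-bit flags.
MB_FLAGS = [
    (0x00004000, "MB_HELP"), (0x00008000, "MB_NOFOCUS"),
    (0x00010000, "MB_SETFOREGROUND"), (0x00020000, "MB_DEFAULT_DESKTOP_ONLY"),
    (0x00040000, "MB_TOPMOST"), (0x00080000, "MB_RIGHT"),
    (0x00100000, "MB_RTLREADING"), (0x00200000, "MB_SERVICE_NOTIFICATION"),
]


def decode_flags(value, groups, flags, default="0"):
    """Generic decoder: exclusive fields first, then single bits, then leftovers in hex."""
    names = []
    covered = 0
    for mask, members in groups:
        covered |= mask
        field = value & mask
        if field:  # zero-valued field = default, omitted like OllyDbg's short form
            names.append(members.get(field, "0x%X" % field))
    for bit, name in flags:
        covered |= bit
        if value & bit:
            names.append(name)
    leftover = value & ~covered
    if leftover:  # bits no known constant accounts for: show them rather than drop them
        names.append("0x%X" % leftover)
    return "|".join(names) if names else default


def decode_mb_type(value):
    """MessageBox uType specialisation of decode_flags()."""
    return decode_flags(value, MB_GROUPS, MB_FLAGS, default="MB_OK")


def parse_immediate(text):
    """Assumed immediate syntaxes: '31' (OllyDbg bare hex), '0x31', '31h' (IDA)."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if t.endswith("h"):
        return int(t[:-1], 16)
    return int(t, 16)


def utype_comment(operand_text):
    """Build the comment text for a 'push <imm>' that feeds MessageBox's uType."""
    return "uType: " + decode_mb_type(parse_immediate(operand_text))


if __name__ == "__main__":
    for imm in ("31", "0", "0x1040", "40120h"):
        print("push %-8s ; %s" % (imm, utype_comment(imm)))
```

Handling the leftover bits explicitly matters when annotating unfamiliar code: an immediate that decodes to nothing but a hex remainder is a hint that the push does not feed the parameter you assumed, or that the call is not the API the label suggests.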

Lord_Soth
November 15th, 2001, 12:59
So either an IDC script or some other way around it needs to be found. Any suggestions??

LS

Polaris
November 17th, 2001, 08:13
Please use my proggie, it's available for download in an earlier post...
Please note that using an IDC script to load into IDA comments generated by OllyDbg is not a good idea, as the dump file is most of the time really big...
More than this, IDC is really slow when it comes to I/O operations, so...