Saving names in IDA


barthen
August 6th, 2006, 14:56
Hi all. I have a question regarding an executable that I unpacked and dumped. This executable stores in memory several addresses of API functions.

At runtime (while debugging) it is shown like this:
Code:
seg023:006DDC18 off_6DDC18 dd offset IMM32_ImmSetCompositionWindow
seg023:006DDC18 ; DATA XREF: sub_613767+CCr
seg023:006DDC1C off_6DDC1C dd offset IMM32_ImmGetContext ; DATA XREF: sub_613767+96r
seg023:006DDC1C ; sub_613767+19Br ...
seg023:006DDC20 off_6DDC20 dd offset IMM32_ImmNotifyIME ; DATA XREF: sub_613AC8+A2r
seg023:006DDC20 ; sub_614012+23r


But when I stop the debugger, IDA shows that memory region as:
Code:
seg003:006DDC18 off_6DDC18 dd 76344DF6h ; DATA XREF: sub_613767+CCr
seg003:006DDC1C off_6DDC1C dd 763422B3h ; DATA XREF: sub_613767+96r
seg003:006DDC1C ; sub_613767+19Br ...
seg003:006DDC20 off_6DDC20 dd 76346FF8h ; DATA XREF: sub_613AC8+A2r
seg003:006DDC20 ; sub_614012+23r


And the function calls look like this one:
Code:
seg020:00613831 push eax
seg020:00613832 push edi
seg020:00613833 call ds:off_6DDC18


So, here is my question. How can I save this symbolic information while debugging to make it available when the debugger is stopped?

Thanks in advance!

Kayaker
August 7th, 2006, 20:51
Hi

Figured it out yet? I assume it has something to do with the way you dumped it, or maybe because of the way the API's were referenced in the packed file in the first place. Just for fun I dumped Mspaint (which uses Imm32) from Olly with ollydump. Even with a rebuilt IT, IDA still recognizes the imports normally as:

.idata:01001180 ; BOOL __stdcall __imp_ImmSetCompositionWindow(HIMC,LPCOMPOSITIONFORM)
.idata:01001180 extrn __imp_ImmSetCompositionWindow:dword

In any case, you'll probably have to write a plugin or fix things manually.

Kayaker

upb
August 8th, 2006, 03:17
try to set the names as 'public', you could write an IDC to do this automatically for all names

barthen
August 8th, 2006, 13:35
Hi again, and thanks for your replies. I dumped with Ollydump and reconstructed the IAT with ImpRec. The problem was that the executable sometimes calls the API using the IAT address and other times using the address stored in the array of addresses (and I didn't get info about the parameters of the call).

What I did to solve my problem was:

1. Delete all the names from the IAT section.

2. I used the following script to correctly name the addresses in the array (which gives me the parameter info I need):

Code:
auto ea, name;
/* ArrayStart / ArrayEnd: first and one-past-last address of the pointer array */
for (ea = ArrayStart; ea < ArrayEnd; ea = ea + 4)
{
    name = Name(Dword(ea));                          /* name of the address pointed to, e.g. IMM32_ImmGetContext */
    name = substr(name, strstr(name, "_") + 1, -1);  /* drop the module prefix */
    if (strstr(name, "_") != -1) {                   /* check for a second "_" like in ws2_32_send */
        name = substr(name, strstr(name, "_") + 1, -1);
    }
    MakeName(ea, name);
}


3. I used the following to rename the addresses (keeps parameter info):

Code:
auto ea, name;
for (ea = ArrayStart; ea < ArrayEnd; ea = ea + 4)
{
    name = Name(ea);          /* get the current name */
    name = name + "_ind";     /* append "_ind" to the name, meaning "indirect" */
    MakeName(ea, name);
}


4. I used the reanalyze code feature to get the names in the IAT back again.

Now my code is shown as:
Code:
call ds:NameOfAPIFunction
or
call ds:NameOfAPIFunction_ind


and the parameter info is shown for both kinds of calls.
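The naming logic of the two IDC scripts in the post above, combined into one pure Python function as an added example (not code from the thread) so the prefix stripping and the "_ind" renaming can be checked outside IDA. The module list, the read_dword/get_name callables and the extra ws2_32 slot address are assumptions; the IMM32 addresses and names come from the listing in the thread.

```python
# Constructed example: derive IDA names for an array of API pointers the way the
# two IDC scripts above do, as a pure function that runs outside IDA.
# While debugging, IDA names resolved imports "<MODULE>_<export>", e.g.
# "IMM32_ImmGetContext"; "ws2_32_send" shows why one split on "_" is not enough.

KNOWN_MODULES = ("imm32", "ws2_32", "kernel32", "user32", "msvcrt")  # assumed list

def strip_module_prefix(name):
    """Return the export name without its module prefix."""
    lower = name.lower()
    for mod in KNOWN_MODULES:            # exact module match keeps the leading "_"
        if lower.startswith(mod + "_"):  # of CRT names such as msvcrt__wcsicmp
            return name[len(mod) + 1:]
    # Fallback: the post's heuristic. Drop everything up to the first "_",
    # and once more if an "_" remains (ws2_32_send -> 32_send -> send).
    rest = name.split("_", 1)[1] if "_" in name else name
    if "_" in rest:
        rest = rest.split("_", 1)[1]
    return rest

def name_pointer_array(start, end, read_dword, get_name, suffix="_ind"):
    """Return {slot_ea: new_name} for every 4-byte slot in [start, end).
    read_dword(ea) -> int and get_name(ea) -> str stand in for IDA's
    idc.get_wide_dword / idc.get_name; in IDA, apply with idc.set_name."""
    result, used = {}, set()
    for ea in range(start, end, 4):
        target = get_name(read_dword(ea))
        if not target:                   # slot points at an unnamed address
            continue
        base = strip_module_prefix(target) + suffix
        new, n = base, 2
        while new in used:               # IDA names must be unique
            new = "%s_%d" % (base, n)
            n += 1
        used.add(new)
        result[ea] = new
    return result

# Constructed sample mirroring the listing in the thread, plus one ws2_32 slot.
SAMPLE_SLOTS = {0x6DDC18: 0x76344DF6, 0x6DDC1C: 0x763422B3,
                0x6DDC20: 0x76346FF8, 0x6DDC24: 0x71A12345}
SAMPLE_NAMES = {0x76344DF6: "IMM32_ImmSetCompositionWindow",
                0x763422B3: "IMM32_ImmGetContext",
                0x76346FF8: "IMM32_ImmNotifyIME", 0x71A12345: "ws2_32_send"}

if __name__ == "__main__":
    names = name_pointer_array(0x6DDC18, 0x6DDC28,
                               SAMPLE_SLOTS.__getitem__, SAMPLE_NAMES.get)
    for ea, name in sorted(names.items()):
        print("%08X %s" % (ea, name))
```

Slots that point at an unnamed address are skipped rather than given a bogus name, and a second slot pointing at an already-used API gets a numeric suffix instead of failing the rename.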