a1ext / labeless

Labeless is a multipurpose IDA Pro plugin system for labels/comments synchronization with a debugger backend, with complex memory dumping and interactive Python scripting capabilities.


Dynamic dump, some functions IDA are not recognized

taodaqiao opened this issue · comments

commented

Dynamic dump, some functions IDA are not recognized
OD1.10 And IDA 7.0

commented

That's IDA's auto-analysis failing. When we are dumping memory from a debugger, we don't know where the code is and where the data is, and OllyDBG doesn't help with this. Do you have any ideas how to determine that?

commented

My idea is to fix IDA's result within IDA according to the assembly code identified in OD. This function is very useful, but I don't know how to write these plugins.

@a1ext @taodaqiao
I also meet this problem; there are three types of errors:

  1. IDA confuses code with data: it recognizes code as data, or recognizes data as code.
  2. Wrong instruction length recognized. For example, the first instruction consists of 4 bytes, but IDA recognizes it as 2 bytes; as a result all subsequent instructions are recognized wrongly as well.
  3. Stack pointer (sp) error, which leads to failure to convert the code to C pseudocode.

I compare my debugger's recognition result with IDA's. For the wrongly recognized part, most of the time the debugger is correct.

A possible solution would be figuring out how the debugger and IDA distinguish code from data, and how the debugger separates code correctly. Their algorithm may be based on the following hints:

  1. push and ret, and the corresponding esp change, to recognize a function.
  2. If the segment is executable, prefer to recognize it as code. But that isn't 100 percent guaranteed, for there is data in code segments, and some programs unpack code to a non-executable segment and change it to executable when it needs to execute (just my guess, is it possible?).

Also, could Labeless be enhanced (maybe I could fork it and improve it) to import the disassembly result from the debugger into IDA, since the debugger has more information to do correct code analysis?

Thanks a lot.

By the way, dumping code with Labeless causes more analysis errors compared to directly analysing the static file in IDA (of course that's hard for a self-unpacking program); I guess some information that IDA relies on to analyse correctly is lost during dumping.

It seems that debuggers, using the CPU's single step, could take advantage of the CPU itself to get the division of each instruction.
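The idea raised in this thread, importing the debugger's view of the code into IDA, can be prototyped from a single-step trace. The following is an added example and is not part of Labeless or of any comment above: it parses a constructed trace format (address, opcode bytes, mnemonic, separated by two or more spaces), derives exact instruction boundaries from the bytes the CPU actually executed, reports addresses where the trace contradicts itself, compares the trace against a caller-supplied map of IDA's current item sizes so that a single wrong length shows up as the cascade described in point 2, and emits an IDAPython script that undefines the covered ranges and recreates instructions there. The IDAPython names in the generated text (ida_bytes.del_items, ida_bytes.DELIT_EXPAND, ida_ua.create_insn, ida_funcs.add_func) are the IDA 7.x API as I know it; the trace layout, the sample addresses and the sample IDA item map are assumptions made for the example.

```python
"""Rebuild IDA instruction boundaries from a debugger single-step trace.

Added example for this discussion; not part of Labeless. The trace format
(address, opcode bytes, mnemonic separated by two or more spaces) is an
assumption, as are the sample addresses. The IDAPython calls in the generated
script are the IDA 7.x names as I know them; nothing from IDA is imported
here, so this file runs offline and only produces text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample trace. The final line re-records 0x401003 with a
# different encoding to show how a conflicting length (as seen with
# self-modifying code) is reported instead of silently applied.
SAMPLE_TRACE = """\
00401000  55              push ebp
00401001  8BEC            mov ebp, esp
00401003  83EC08          sub esp, 8
00401006  E8F5FFFFFF      call 00401000
0040100B  C9              leave
0040100C  C3              ret
00401020  B8 01 00 00 00  mov eax, 1
00401025  C3              ret
00401003  90              nop
"""


@dataclass(frozen=True)
class Insn:
    ea: int
    size: int
    text: str


def parse_trace(text: str) -> Tuple[Dict[int, Insn], List[Tuple[int, int, int]]]:
    """Map each executed address to its instruction; also return (ea, first_size, other_size) conflicts."""
    insns: Dict[int, Insn] = {}
    conflicts: List[Tuple[int, int, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Columns are separated by two or more spaces; the byte column may use single spaces.
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) < 2:
            raise ValueError(f"malformed trace line: {raw!r}")
        ea = int(parts[0], 16)
        size = len(bytes.fromhex(parts[1].replace(" ", "")))
        mnemonic = parts[2] if len(parts) > 2 else ""
        seen = insns.get(ea)
        if seen is not None and seen.size != size:
            conflicts.append((ea, seen.size, size))  # keep the first observation
            continue
        insns[ea] = Insn(ea, size, mnemonic)
    return insns, conflicts


def contiguous_runs(insns: Dict[int, Insn]) -> List[Tuple[int, int]]:
    """Merge adjacent instructions into [start, end) ranges that IDA can undefine in one go."""
    runs: List[List[int]] = []
    for ea in sorted(insns):
        end = ea + insns[ea].size
        if runs and runs[-1][1] == ea:
            runs[-1][1] = end
        else:
            runs.append([ea, end])
    return [(s, e) for s, e in runs]


def disagreements(insns: Dict[int, Insn], ida_items: Dict[int, int]) -> List[int]:
    """Trace addresses whose size differs from IDA's item map ({ea: size}, supplied by the caller).

    One wrong length early in a run shows up as a cascade of mismatches after it.
    """
    return sorted(ea for ea, insn in insns.items() if ida_items.get(ea) != insn.size)


def emit_idapython(insns: Dict[int, Insn], runs: List[Tuple[int, int]]) -> str:
    """Produce an IDAPython script that forces the trace's instruction boundaries."""
    out = ["import ida_bytes, ida_ua, ida_funcs",
           "# Generated from a debugger trace: undefine each executed range, then recreate",
           "# one instruction at every address the CPU actually executed."]
    for start, end in runs:
        out.append(f"ida_bytes.del_items(0x{start:X}, ida_bytes.DELIT_EXPAND, 0x{end - start:X})")
    for ea in sorted(insns):
        out.append(f"ida_ua.create_insn(0x{ea:X})  # {insns[ea].text}")
    for start, _ in runs:
        # The start of an executed run is only a candidate function entry; add_func
        # returns False if IDA disagrees, so the result is worth checking in the log.
        out.append(f"print('add_func 0x{start:X}:', ida_funcs.add_func(0x{start:X}))")
    return "\n".join(out) + "\n"


def build_script(trace_text: str) -> Tuple[str, List[Tuple[int, int, int]]]:
    """Convenience wrapper: trace text in, (IDAPython script, conflicts) out."""
    insns, conflicts = parse_trace(trace_text)
    return emit_idapython(insns, contiguous_runs(insns)), conflicts


if __name__ == "__main__":
    script, bad = build_script(SAMPLE_TRACE)
    print(script)
    for ea, first, other in bad:
        print(f"# conflict at 0x{ea:X}: trace saw lengths {first} and {other}; review before applying")
```

Run it offline against a real trace export (after adapting `parse_trace` to that debugger's column layout), save the printed script, and execute it from IDA's script window on the dumped database. Any reported conflict means the same address executed with two different encodings, which is what self-modifying or re-unpacked code looks like in a trace; those addresses should be inspected rather than forced, since whichever boundary you pick will be wrong for one of the two versions of the code.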