
Dynamic dump, some functions IDA are not recognized #48

Open
taodaqiao opened this issue Nov 23, 2018 · 5 comments

Comments

@taodaqiao

Dynamic dump, some functions IDA are not recognized
OD 1.10 and IDA 7.0
[two screenshots attached: qq 20181123175623, qq 20181123175646]

@a1ext
Owner

a1ext commented Nov 23, 2018

That's IDA's auto-analysis failing. When we are dumping memory from a debugger, we don't know where the code is and where the data is, and OllyDBG doesn't help with this. Do you have any ideas how to determine that?

@taodaqiao
Author

My idea is to fix the IDA within IDA according to the assembly code identified in OD. This function would be very useful, but I don't know how to write these plugins.

@anaivebird

anaivebird commented Feb 4, 2021

@a1ext @taodaqiao
I also met this problem; there are three types of errors:

  1. IDA confuses code with data, recognizing code as data or data as code.
  2. Wrong instruction length recognized. For example, the first instruction consists of 4 bytes, but IDA recognizes it as 2 bytes; as a result all subsequent instructions are recognized wrongly as well.
  3. Stack sp error, which leads to failure in converting the code to C pseudocode.

I compared my debugger's recognition result with IDA's. For the wrongly recognized part, most of the time the debugger is correct.

A possible solution would be figuring out how the debugger and IDA distinguish code from data, and how it separates code correctly. Their algorithm may be based on the following hints:

  1. push and ret, and the corresponding esp change, to recognize a function.
  2. If the segment is executable, prefer to recognize it as code. But that isn't 100 percent guaranteed, for there is data in code segments, or some programs unpack code to a non-executable segment and change it to executable when it needs to execute (just my guess, is it possible?).

Also, could labeless be enhanced (maybe I could fork it and improve it) to import the disassembly result from the debugger into IDA, since the debugger has more information to do correct code analysis?

Thanks a lot.
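One way to carry the debugger's instruction split into IDA, as an added example for this thread (it is not labeless code and not something the maintainer proposed): the script parses a constructed OllyDbg-style listing, checks that the listed instructions tile the range without gaps or overlaps, derives function starts from the push/ret heuristic mentioned above, and, when run as an IDAPython script, undefines the range and recreates the instructions and functions at the debugger's boundaries. The listing text is made up, and the IDA calls (`idc.del_items`, `idc.create_insn`, `ida_bytes.get_bytes`, `ida_funcs.add_func`) are IDA 7 APIs used as an assumption about the environment; outside IDA only the parsing and planning part runs.

```python
"""Apply a debugger's instruction boundaries to an IDA database.

Added example for the labeless issue thread, not labeless code. The
listing format is modelled on an OllyDbg CPU-window copy:
    address  raw bytes  mnemonic operands
"""
import re
from dataclasses import dataclass

# Constructed sample listing (not a real dump): two small functions.
SAMPLE_LISTING = """
00401000  55                PUSH EBP
00401001  8BEC              MOV EBP,ESP
00401003  B8 01000000       MOV EAX,1
00401008  5D                POP EBP
00401009  C3                RETN
0040100A  55                PUSH EBP
0040100B  8BEC              MOV EBP,ESP
0040100D  33C0              XOR EAX,EAX
0040100F  E8 ECFFFFFF       CALL 00401000
00401014  5D                POP EBP
00401015  C3                RETN
"""

# address, then the byte field (may contain single spaces, as OllyDbg
# prints opcode and immediate separately), then 2+ spaces, then text.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(.+?)\s{2,}(\S.*)$")
RET_MNEMONICS = {"RET", "RETN", "RETF"}


@dataclass(frozen=True)
class Insn:
    ea: int
    raw: bytes
    text: str


def parse_listing(text):
    """Turn listing lines into Insn records; lines that do not match are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = bytes.fromhex(m.group(2).replace(" ", ""))
        insns.append(Insn(int(m.group(1), 16), raw, m.group(3).strip()))
    return insns


def check_contiguous(insns):
    """Addresses of instructions that are not immediately followed by the next
    listed one. The debugger's split is only trustworthy where the listing
    tiles the range exactly (a gap usually means data or a missed page)."""
    return [a.ea for a, b in zip(insns, insns[1:]) if a.ea + len(a.raw) != b.ea]


def function_starts(insns):
    """Heuristic from the thread: the first instruction and the instruction
    after every RET begin a function; a PUSH EBP / MOV EBP,ESP prologue
    also counts as a start."""
    starts = []
    expect_start = True
    for i, insn in enumerate(insns):
        mnem = insn.text.split()[0].upper()
        nxt = insns[i + 1].text.upper().replace(" ", "") if i + 1 < len(insns) else ""
        prologue = mnem == "PUSH" and insn.text.upper().endswith("EBP") and nxt == "MOVEBP,ESP"
        if (expect_start or prologue) and (not starts or starts[-1] != insn.ea):
            starts.append(insn.ea)
        expect_start = mnem in RET_MNEMONICS
    return starts


def plan_from_listing(text):
    """Everything needed before touching the database, as plain data."""
    insns = parse_listing(text)
    return {
        "count": len(insns),
        "gaps": check_contiguous(insns),
        "starts": function_starts(insns),
        "end": insns[-1].ea + len(insns[-1].raw) if insns else None,
    }


def apply_to_ida(insns, starts, verify_bytes=True):
    """Inside IDA: undefine the covered range, recreate each instruction at the
    debugger's boundary, then create functions. Returns the number of
    instructions created, or None when not running under IDAPython."""
    try:
        import idc, ida_bytes, ida_funcs  # only importable inside IDA (assumption: IDA 7 API)
    except ImportError:
        return None
    lo, hi = insns[0].ea, insns[-1].ea + len(insns[-1].raw)
    idc.del_items(lo, idc.DELIT_SIMPLE, hi - lo)
    made = 0
    for insn in insns:
        # If the dumped bytes differ from what the debugger saw (e.g. the
        # program unpacked more code later), do not force the old split.
        if verify_bytes and ida_bytes.get_bytes(insn.ea, len(insn.raw)) != insn.raw:
            continue
        if idc.create_insn(insn.ea):
            made += 1
    for ea in starts:
        ida_funcs.add_func(ea)
    return made


if __name__ == "__main__":
    plan = plan_from_listing(SAMPLE_LISTING)
    print("instructions:", plan["count"], "gaps:", plan["gaps"],
          "function starts:", [hex(s) for s in plan["starts"]])
    if not plan["gaps"]:
        insns = parse_listing(SAMPLE_LISTING)
        print("applied to IDA:", apply_to_ida(insns, plan["starts"]))
```

Run it from IDA's script dialog (File > Script file) after loading the dump, with `SAMPLE_LISTING` replaced by text copied from the debugger; the byte check is the safeguard against the unpacking case raised above, where the bytes in the dump no longer match what the debugger executed.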

@anaivebird

By the way, code dumped by labeless causes more analysis errors compared to directly analyzing the static file in IDA (of course that's hard for a self-unpacking program). I guess some information that IDA relies on to analyze correctly is lost during dumping.

@anaivebird

It seems that debuggers, using the CPU's single step, could take advantage of the CPU itself to get the division of each instruction.
