
Dynamic dump, some functions IDA are not recognized

Open taodaqiao opened this issue 6 years ago • 5 comments

Dynamic dump, some functions IDA are not recognized. OD 1.10 and IDA 7.0. [screenshots: qq 20181123175623, qq 20181123175646]

taodaqiao avatar Nov 23 '18 09:11 taodaqiao

That's IDA's auto-analysis failing. When we are dumping memory from a debugger, we don't know where the code is and where the data is, and OllyDbg doesn't help with this. Do you have any ideas how to determine that?

a1ext avatar Nov 23 '18 15:11 a1ext

My idea is to fix the IDA analysis from within IDA according to the assembly code identified in OD. This function is very useful, but I don't know how to write such plugins.

taodaqiao avatar Jul 04 '19 08:07 taodaqiao

@a1ext @taodaqiao I also meet this problem; there are three types of errors:

  1. IDA confuses code with data, recognizing code as data or data as code.
  2. Wrong instruction length recognized. For example, the first instruction consists of 4 bytes, but IDA recognizes it as 2 bytes; as a result all subsequent instructions are recognized wrongly as well.
  3. Stack sp error, which leads to failure in converting the code to C pseudocode.

I compare my debugger's recognition result with IDA's. For the wrongly recognized part, most of the time the debugger is correct.

A possible solution would be figuring out how the debugger and IDA distinguish code from data, and how the debugger separates code correctly. Their algorithm may be based on the following hints:

  1. push and ret, and the corresponding esp change, to recognize a function.
  2. If a segment is executable, prefer to recognize it as code. But that isn't 100 percent guaranteed, for there is data in code segments, or some programs unpack code into a non-executable segment and change it to executable when it needs to execute (just my guess, is it possible?).

Also, could labeless be enhanced (maybe I could fork it and improve it) to import the disassembly result from the debugger into IDA, since the debugger has more information to do correct code analysis?

Thanks a lot.

anaivebird avatar Feb 04 '21 00:02 anaivebird

By the way, dumping code with labeless causes more analysis errors compared to directly analyzing the static file in IDA (of course that's hard for self-unpacking programs); I guess some information that IDA relies on to analyze correctly is lost during dumping.

anaivebird avatar Feb 04 '21 00:02 anaivebird

It seems that debuggers, using the CPU's single step, could take advantage of the CPU itself to get the division of each instruction.

anaivebird avatar Feb 06 '21 00:02 anaivebird
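The two ideas raised above (importing the debugger's view of the code into IDA, and letting the CPU's single step decide instruction boundaries) fit together: a single-step trace records exactly which bytes the CPU decoded as an instruction and how long each one was, which settles error types 1 and 2 from the list above. The script below is an added example, not part of Labeless, that turns such a trace into IDA code ranges and function starts and emits an IDC script to apply them. The trace format (`address length mnemonic`, one executed instruction per line) and the sample trace are constructed for the example; the IDC function names (`del_items`, `create_insn`, `add_func`, `DELIT_SIMPLE`) are the IDA 7.x names as I know them and should be checked against your IDA version.

```python
"""Convert a debugger single-step trace into IDA code ranges (added example).

Assumed trace format (constructed, one executed instruction per line):
    <address hex> <length decimal> <mnemonic>
A debugger that single-steps knows each instruction's start and length
from the CPU itself, so those values are treated as authoritative.
"""
from dataclasses import dataclass

# Constructed sample: a caller that calls a small function and returns.
SAMPLE_TRACE = """\
00401000 1 push
00401001 2 mov
00401003 5 call
00401020 1 push
00401021 2 mov
00401023 1 pop
00401024 1 ret
00401008 2 xor
0040100A 1 pop
0040100B 1 ret
"""


@dataclass(frozen=True)
class Step:
    ea: int
    size: int
    mnem: str


def parse_trace(text):
    """Parse the constructed trace format into Step records, in execution order."""
    steps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ea, size, mnem = line.split(None, 2)
        steps.append(Step(int(ea, 16), int(size), mnem.lower()))
    return steps


def instruction_map(steps):
    """Map each executed address to its instruction length.

    If the same address was executed with two different lengths the bytes
    changed between executions (self-modifying or unpacking code); those
    addresses are reported so the analyst can decide which snapshot to use.
    """
    insns, conflicts = {}, set()
    for s in steps:
        if s.ea in insns and insns[s.ea] != s.size:
            conflicts.add(s.ea)
        insns[s.ea] = s.size
    return insns, conflicts


def code_ranges(insns):
    """Merge adjacent executed instructions into [start, end) byte ranges."""
    ranges = []
    for ea in sorted(insns):
        end = ea + insns[ea]
        if ranges and ranges[-1][1] == ea:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((ea, end))
    return ranges


def function_starts(steps, entry=None):
    """Function entry points: the optional known entry plus every address
    that executed immediately after a `call` (i.e. the call's target)."""
    starts = set()
    if entry is not None:
        starts.add(entry)
    for prev, cur in zip(steps, steps[1:]):
        if prev.mnem == "call":
            starts.add(cur.ea)
    return sorted(starts)


def to_idc(insns, ranges, starts):
    """Emit an IDC script that undefines each traced range, re-creates every
    instruction at the CPU-observed start, then declares the functions.
    IDC names are the IDA 7.x ones as assumed in the lead-in."""
    lines = ["static main() {"]
    for start, end in ranges:
        lines.append(f"  del_items(0x{start:08X}, DELIT_SIMPLE, 0x{end - start:X});")
    for ea in sorted(insns):
        lines.append(f"  create_insn(0x{ea:08X});")
    for ea in starts:
        lines.append(f"  add_func(0x{ea:08X});")
    lines.append("}")
    return "\n".join(lines)


def build_idc(trace_text, entry=None):
    """Full pipeline: trace text -> (IDC script, conflicting addresses)."""
    steps = parse_trace(trace_text)
    insns, conflicts = instruction_map(steps)
    return to_idc(insns, code_ranges(insns), function_starts(steps, entry)), conflicts


if __name__ == "__main__":
    script, bad = build_idc(SAMPLE_TRACE, entry=0x401000)
    print(script)
    if bad:
        print("// addresses executed with differing lengths:", [hex(e) for e in bad])
```

Running the script prints an IDC file that, loaded into the dumped database, re-marks the traced bytes as code and creates functions at the call targets; only bytes the CPU actually executed are touched, so untraced regions keep IDA's own guess.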