
Tuesday, November 20, 2012

iOS Kernel analysis tips

1. Using the newest IDA Pro is much more helpful;
2. If you want to improve the automatic analysis result, you need to set the CPU type correctly (the processor type and its options), so that the auto-analysis decodes the right instruction set;
3. Basic info: if you need to convert data to code, you can ignore
DCB 0
DCB 0xBF
These two bytes are the little-endian encoding of the Thumb NOP (0xBF00), emitted as padding between functions, so this is equivalent to
ALIGN 4
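To make tip 3 concrete, here is an added example (not code from the original post) that scans a Thumb code region for the DCB 0 / DCB 0xBF pairs, keeps only the runs that end on a 4-byte boundary, and reports where code resumes after them. The Thumb NOP encoding 0xBF00 is a fact of the architecture; the sample bytes, the base address 0x80001000 and the IDA 7+ IDAPython names used in the IDA-only helper (get_bytes, del_items, create_align, create_insn) are assumptions.

```python
"""Find the Thumb NOP pairs (DCB 0 / DCB 0xBF) that are only alignment padding.

Added example, not code from the original post. The 0xBF00 encoding of the
Thumb NOP is an architectural fact; the byte buffer and base address below
are constructed for illustration. The IDA glue at the bottom assumes the
IDA 7+ IDAPython API and does nothing outside IDA.
"""

THUMB_NOP = b"\x00\xbf"   # little-endian halfword 0xBF00 == Thumb NOP


def find_thumb_align_padding(blob, base_ea, align=4):
    """Return [(ea, length)] for every run of Thumb NOPs that ends on an
    `align` boundary, i.e. the runs a disassembler would show as ALIGN 4.

    blob is the raw bytes of a Thumb code region loaded at base_ea. A NOP
    run that does not end on the boundary is a real in-function NOP and is
    left alone. This is a heuristic: a mid-function NOP that happens to end
    on a boundary is reported too, so check the result before converting.
    """
    runs = []
    off = 0
    limit = len(blob) - len(blob) % 2      # walk whole halfwords only
    while off < limit:
        if blob[off:off + 2] != THUMB_NOP:
            off += 2
            continue
        start = off
        while off < limit and blob[off:off + 2] == THUMB_NOP:
            off += 2
        if (base_ea + off) % align == 0:
            runs.append((base_ea + start, off - start))
    return runs


def next_code_ea(blob, base_ea, data_ea, align=4):
    """Given the address of a 'DCB 0' that IDA left as data, return where code
    is expected to resume: the boundary after the padding run, or data_ea
    itself when those bytes are not padding."""
    for ea, length in find_thumb_align_padding(blob, base_ea, align):
        if ea <= data_ea < ea + length:
            return ea + length
    return data_ea


try:
    import idc                 # only importable inside IDA
except ImportError:
    idc = None


def mark_padding_in_ida(start_ea, size, align=4):
    """Inside IDA: turn each padding run into an ALIGN item and make code at
    the address that follows it. Returns False when not running in IDA."""
    if idc is None:
        return False
    blob = idc.get_bytes(start_ea, size)
    for ea, length in find_thumb_align_padding(blob, start_ea, align):
        idc.del_items(ea, idc.DELIT_SIMPLE, length)
        idc.create_align(ea, length, align.bit_length() - 1)   # 4 -> 2**2
        idc.create_insn(ea + length)
    return True


# Constructed sample: bx lr | nop (pad) | push {r4,lr} | bx lr | nop (real) |
# bx lr | nop nop (pad) | push {r4,lr}
SAMPLE_BLOB = bytes.fromhex("7047 00bf 10b5 7047 00bf 7047 00bf 00bf 10b5")
SAMPLE_BASE = 0x80001000

if __name__ == "__main__":
    for ea, length in find_thumb_align_padding(SAMPLE_BLOB, SAMPLE_BASE):
        print("ALIGN padding at %#x, %d bytes -> code resumes at %#x"
              % (ea, length, ea + length))
```

In the sample, the single NOP after the first bx lr pads to 0x80001004, the NOP at 0x80001008 is a real instruction (the run ends at 0x8000100A), and the two NOPs at 0x8000100C pad to 0x80001010.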

Wednesday, September 12, 2012

The Rename of Dynamic Function

Recently I reversed a program related to Apple. This software has lots of dynamically resolved functions that call the official functions, such as below:
......
aaa = (int (__cdecl *)(_DWORD))GetProcAddress(hModule, "aaa");
if ( aaa )
{
    bbb = (int)GetProcAddress(hModule,"bbb");
    if ( bbb )
......

But by default in IDA, aaa or bbb may show as dword_xxxxxxx. It's more difficult to identify all of them. So I decided to write a script to help rename dword_xxxxxxxx to aaa/bbb.
Just like below:
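The script itself is not on the page. As an added example (not the author's script), here is how such a rename can be planned: walk back from each call to GetProcAddress to the push of the name string, walk forward to the mov that stores eax into a dword_ slot, and rename that slot after the string. The instruction model, the sample addresses (code at 0x401000, IAT slot 0x40C0A4, strings at 0x40A000 and 0x40A004, slots at 0x40F000 and 0x40F004) and the IDA 7+ IDAPython calls in the IDA-only part are assumptions.

```python
"""Rename the dword_XXXXXXXX slots that receive GetProcAddress results.
Added example, not the script from the original post: plan_renames works on a
small instruction model so it runs anywhere, the IDA glue assumes the IDA 7+
IDAPython API and does nothing outside IDA, and every sample address and
string below is constructed."""
import re

# Instruction model: (ea, mnemonic, ((kind, value), ...)); kind is "reg", "imm",
# "mem" or "other", and "imm"/"mem" values are addresses.
MAX_BACK, MAX_FWD = 8, 6   # lookback for the pushes / lookahead for the store

def _proc_name(insns, call_idx, strings):
    """Backwards from the call: 1st push is hModule, 2nd is lpProcName."""
    pushes = []
    for _, mnem, ops in reversed(insns[max(0, call_idx - MAX_BACK):call_idx]):
        if mnem in ("call", "ret", "jmp") or len(pushes) == 2:
            break                       # argument setup never crosses these
        if mnem == "push" and ops:
            pushes.append(ops[0])
    if len(pushes) == 2 and pushes[1][0] == "imm":
        return strings.get(pushes[1][1])   # None for ordinals / unknown
    return None

def _store_slot(insns, call_idx):
    """Forwards from the call: 'mov dword_X, eax' before eax is clobbered."""
    for _, mnem, ops in insns[call_idx + 1:call_idx + 1 + MAX_FWD]:
        if mnem == "mov" and ops and ops[0][0] == "mem" and ops[1:] == (("reg", "eax"),):
            return ops[0][1]
        if mnem == "call" or (ops and ops[0] == ("reg", "eax") and mnem not in ("test", "cmp")):
            return None                 # eax overwritten before it was saved
    return None

def plan_renames(insns, strings, getproc_slots):
    """Return {slot_ea: new_name} for every GetProcAddress call that can be resolved."""
    plan, used = {}, {}
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem != "call" or not ops or ops[0][1] not in getproc_slots:
            continue
        name, slot = _proc_name(insns, i, strings), _store_slot(insns, i)
        if name is None or slot is None:
            continue
        name = re.sub(r"^(?=\d)|[^A-Za-z0-9_]", "_", name)   # valid IDA name
        if used.get(name, slot) != slot:                     # same string, two slots
            name = "%s_%X" % (name, slot)
        used[name] = slot
        plan[slot] = name
    return plan

try:
    import idc, idautils            # only importable inside IDA
except ImportError:
    idc = idautils = None

def _insn_from_ida(ea, strings):
    mnem, ops = idc.print_insn_mnem(ea), []
    for n in range(2):
        t = idc.get_operand_type(ea, n)
        if t == idc.o_void:
            break
        kind = {idc.o_reg: "reg", idc.o_imm: "imm", idc.o_mem: "mem"}.get(t, "other")
        val = idc.get_operand_value(ea, n) if kind in ("imm", "mem") else idc.print_operand(ea, n)
        if mnem == "push" and kind == "imm":
            s = idc.get_strlit_contents(val)          # string pushed as lpProcName?
            if s:
                strings[val] = s.decode("latin-1")
        ops.append((kind, val))
    return (ea, mnem, tuple(ops))

def rename_in_ida():
    """Inside IDA: model the code around each xref to GetProcAddress, apply the plan."""
    if idc is None:
        return False
    getproc = idc.get_name_ea_simple("GetProcAddress")
    for xref in idautils.XrefsTo(getproc):
        eas = [xref.frm]
        for _ in range(MAX_BACK):
            eas.insert(0, idc.prev_head(eas[0]))
        for _ in range(MAX_FWD):
            eas.append(idc.next_head(eas[-1]))
        strings = {}
        insns = [_insn_from_ida(ea, strings) for ea in eas]
        for slot, name in plan_renames(insns, strings, {getproc}).items():
            idc.set_name(slot, name, idc.SN_CHECK)
    return True

# Constructed sample mirroring the decompiled snippet above.
STRINGS = {0x40A000: "aaa", 0x40A004: "bbb"}
GETPROC = {0x40C0A4}                                  # IAT slot of GetProcAddress
SAMPLE = [
    (0x401000, "push", (("imm", 0x40A000),)),           # push offset aAaa
    (0x401005, "push", (("other", "[ebp+hModule]"),)),  # push hModule
    (0x401008, "call", (("mem", 0x40C0A4),)),           # call ds:GetProcAddress
    (0x40100E, "mov", (("mem", 0x40F000), ("reg", "eax"))),  # mov dword_40F000, eax
    (0x401013, "test", (("reg", "eax"), ("reg", "eax"))),
    (0x401017, "push", (("imm", 0x40A004),)),           # push offset aBbb
    (0x40101C, "push", (("other", "[ebp+hModule]"),)),
    (0x40101F, "call", (("mem", 0x40C0A4),)),
    (0x401025, "mov", (("mem", 0x40F004), ("reg", "eax"))),
]
```

Two checks matter in practice: the forward walk gives up if eax is overwritten or another call happens before the store, so a wrong slot is never renamed, and two different slots that receive the same string get distinct names instead of a set_name failure. Calls that pass an ordinal (push 7) rather than a string are left alone.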

Monday, September 3, 2012

WinDbg and IDA for Improved Code Flow Analysis


First of all, let me copy some pieces of another person's blog post:

IDA is hands down the best tool for static analysis. Its debugger on the other hand, when compared to the power of WinDbg is certainly lacking, IMHO. As such, I find myself wasting too much time switching between windows and manually highlighting and commenting instructions in IDA as I trace through them in WinDbg. Fortunately, the power of IDApython can be unleashed to reduce this tedium.
I was reading an older TippingPoint MindshaRE article from Cody Pierce entitled “Hit Tracing in WinDbg” and was inspired by his ideas to implement my own IDApython script to better integrate WinDbg with IDA. While, I may be recreating many of his efforts, my primary intent was to get better at scripting in IDApython while improving upon my static/dynamic analysis workflow.
The purpose of my script is to parse WinDbg log files for module base addresses, instruction addresses, references to register values, and pointer dereferences. Then, for every instruction you hit in your debug session, the corresponding instructions will be colored and commented accordingly and in a module base address-agnostic fashion.
Yes, I had the same thought. But when I tested the IDC file, I found a problem: this IDC script cannot support randomized addresses. Then I found Matthew Graeber's script. That script is good, but it isn't suitable for some programs for which we don't have symbols. So I rewrote the script; hope it can give you some help XD.
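As an added example (neither the rewritten script nor the quoted one), here is the parsing and rebasing step the quoted paragraph describes: pull ModLoad lines and traced instruction lines out of a WinDbg log, subtract the run-time module base and add the IDB image base so that the hits land on the right instructions whatever address ASLR chose, and carry the dereferenced pointer values along as comments. It keys on module base addresses rather than symbols, so no PDB is needed. The log excerpt is constructed in WinDbg's usual output layout, and the IDA 7+ IDAPython names used at the bottom (set_color, set_cmt, get_root_filename, ida_nalt.get_imagebase) are assumptions.

```python
"""Carry WinDbg trace hits into IDA as comments and colours, independent of
where ASLR placed the module at run time. Added example, not the script from
the original post or the quoted blog: the log excerpt is constructed in
WinDbg's usual output layout, and the IDA glue at the bottom assumes the
IDA 7+ IDAPython API and does nothing outside IDA."""
import os
import re

MODLOAD_RE = re.compile(r"^ModLoad:\s+([0-9A-Fa-f`]+)\s+([0-9A-Fa-f`]+)\s+(.+?)\s*$")
# "<address> <opcode bytes> <mnemonic> <operands>" as printed by p / t / u
INSN_RE = re.compile(r"^([0-9A-Fa-f`]{8,17})\s+([0-9A-Fa-f]+)\s+([a-z]\w*)\s*(.*?)\s*$")
# trailing pointer dereference such as "ss:0023:0012ff40=00000005"
DEREF_RE = re.compile(r"\s+([a-z]{2}:[0-9A-Fa-f]{4}:[0-9A-Fa-f`]+=[0-9A-Fa-f`]+)$")

def _hexval(text):
    return int(text.replace("`", ""), 16)      # x64 WinDbg prints 00007ff6`12340000

def parse_windbg_log(text):
    """Return (modules, hits): modules = [(base, end, path)],
    hits = [(ea, mnemonic, operands, deref_or_None)] in log order."""
    modules, hits = [], []
    for line in text.splitlines():
        m = MODLOAD_RE.match(line)
        if m:
            modules.append((_hexval(m.group(1)), _hexval(m.group(2)), m.group(3)))
            continue
        m = INSN_RE.match(line)
        if not m:
            continue                    # prompts, register dumps, symbol lines
        operands, deref = m.group(4), None
        d = DEREF_RE.search(operands)
        if d:
            operands, deref = operands[:d.start()], d.group(1)
        hits.append((_hexval(m.group(1)), m.group(3), operands, deref))
    return modules, hits

def rebase_hits(hits, modules, idb_bases):
    """Map run-time hit addresses into the IDB: ea - runtime base + IDB base.
    idb_bases = {module file name (lower case): image base in the IDB}; hits in
    modules without an entry, or outside every module, are dropped."""
    out = []
    for ea, mnem, operands, deref in hits:
        for base, end, path in modules:
            if base <= ea < end:
                fname = os.path.basename(path.replace("\\", "/")).lower()
                if fname in idb_bases:
                    cmt = "WinDbg hit: %s %s" % (mnem, operands)
                    if deref:
                        cmt += "  [%s]" % deref
                    out.append((ea - base + idb_bases[fname], cmt))
                break
    return out

try:
    import idc, ida_nalt                # only importable inside IDA
except ImportError:
    idc = ida_nalt = None

HIT_COLOUR = 0xA0FFA0                   # IDA wants 0xBBGGRR; pale green

def apply_log_in_ida(log_path):
    """Inside IDA: colour and comment every hit that falls in the open IDB."""
    if idc is None:
        return False
    with open(log_path) as f:
        modules, hits = parse_windbg_log(f.read())
    mine = {idc.get_root_filename().lower(): ida_nalt.get_imagebase()}
    for ea, cmt in rebase_hits(hits, modules, mine):
        idc.set_color(ea, idc.CIC_ITEM, HIT_COLOUR)
        idc.set_cmt(ea, cmt, 0)
    return True

# Constructed log: ASLR put app.exe at 0x00AE0000; the IDB uses its preferred
# base 0x00400000. The msvcrt hit is dropped because no IDB base is known.
SAMPLE_LOG = """\
ModLoad: 00ae0000 00b30000   C:\\target\\app.exe
ModLoad: 77c10000 77c68000   C:\\Windows\\System32\\msvcrt.dll
0:000> p
eax=00000005 ebx=7ffd6000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00ae101e esp=0012ff30 ebp=0012ff44 iopl=0         nv up ei pl nz na po nc
app!main+0x12:
00ae101e 8b45fc          mov     eax,dword ptr [ebp-4] ss:0023:0012ff40=00000005
0:000> p
00ae1021 50              push    eax
0:000> p
00ae1022 e8d9ffffff      call    app!helper (00ae1000)
0:000> t
77c12b3c 8bff            mov     edi,edi
"""

if __name__ == "__main__":
    modules, hits = parse_windbg_log(SAMPLE_LOG)
    for ea, cmt in rebase_hits(hits, modules, {"app.exe": 0x400000}):
        print("%08x  %s" % (ea, cmt))
```

The instruction regex accepts any line shaped like "address bytes mnemonic", so a dd dump whose second column happens to start with a letter would be taken for a hit; keep the log to ModLoad output and p/t/u stepping, or filter on the module ranges first, if that bites.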

Friday, August 31, 2012

Cool ImmDbg Script: BlackManta

I found a Python script for ImmDbg whose name is BlackManta. You can find it here: http://tuts4you.com/download.php?view.2939

Although it is not new technology, it can still be of some help in analyzing some programs. You know there is another script called apitrace. It's also very useful.

How to use it and some examples can be found in the package.

I will give some tips to improve RCE progress. Hope it can help you :P