3

I've dumped a DLL from memory using LordPE; so far so good, but there are some functions that IDA shows just like this:

call    off_11CAE08

At memory address 11CAE08 (.data section) we have 01058530 (.text section), so I'd like IDA to be able to show call sub_01058530. Is there any way or script that's able to change and fix all lines with this problem?

dragon
  • 31
  • 3
  • Since the data section is mutable, whatever address is stored at 11CAE08 can change, can't it? So what you propose is an incorrect program transformation *in general* (transforming an indirect call to a direct one). I suppose you may be able to rig a script to do it for one session, but I don't know one off the top of my head. – Fizz Jan 21 '15 at 07:15

2 Answers

0

It's a relative call; you need to resolve that address. You can do this statically by looking at the library, or you can do it dynamically by using a tool called Ablation. You can learn how to use it by listening to the author's talk at Black Hat. In order to do that you need to run the process/DLL with Ablation.

Erik
  • 493
  • 1
  • 7
  • 18
0

Assuming you have 1-dref functions like this one, here is a script using sark:

import struct
import sark
from idc import GetManyBytes, MakeName   # IDA 6.x names; on IDA 7+ use idc.get_bytes / idc.set_name

# Bounds of the dumped module's sections (fill in from the segment list)
text_start = xxx
text_end = xxxx
data_start = xxx
data_end = xxx

for line in sark.lines(text_start, text_end):
    # Walk the references leaving each instruction, not the ones pointing at it
    for ref in line.xrefs_from:
        if not ref.type.is_call:
            continue
        # A call whose operand is a pointer slot in .data, e.g. call off_11CAE08
        if data_start <= ref.to < data_end:
            raw = GetManyBytes(ref.to, 4)
            if raw is None:
                continue            # slot is uninitialised in the dump
            (addr,) = struct.unpack("<I", raw)   # unpack returns a 1-tuple
            # Name the slot after the function it currently points to, so the
            # listing reads call func_ptr_01058530 instead of call off_11CAE08
            MakeName(ref.to, "func_ptr_%08X" % addr)

P.S. I'm writing from my phone, so the syntax may not be exact.

789
  • 718
  • 1
  • 10
  • 30
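The same resolution can be done outside IDA on the raw dump, which is useful for checking what the sark script above would rename before running it against the database. The following is an added example, not code from the question or either answer: it scans a constructed 32-bit image (section addresses mirror the question, the bytes are made up) for FF 15 disp32, i.e. call dword ptr [disp32], reads the pointer slot out of .data, and renders the listing line with the resolved sub_XXXXXXXX target. It also shows the E8 rel32 + NOP rewrite that turns the indirect call into a direct one, together with the check that the slot actually points back into .text; per the comment on the question, that rewrite is only sound when the slot is never written at run time, so it is kept as a separate, opt-in step.

```python
import struct

# Constructed 32-bit module dump, mirroring the question's layout: a call in
# .text goes through a pointer slot at 0x011CAE08 in .data, and that slot holds
# 0x01058530, an address back inside .text. Nothing here comes from a real DLL.
TEXT_VA = 0x01058000
DATA_VA = 0x011CA000


def _le32(value):
    return struct.pack("<I", value & 0xFFFFFFFF)


def build_sections():
    """Return {name: (load_va, bytes)} for the constructed image."""
    text = bytearray(b"\x90" * 0x600)
    caller = (
        b"\xff\x15" + _le32(0x011CAE08)          # call dword ptr [0x011CAE08]
        + b"\xff\x15" + _le32(0x011CAE0C)        # call dword ptr [0x011CAE0C]
        + b"\xe8" + _le32(0x530 - (0x0C + 5))    # call 0x01058530 (already direct)
        + b"\xc3"                                # ret
    )
    text[0:len(caller)] = caller
    text[0x530:0x533] = b"\x31\xc0\xc3"          # target: xor eax, eax ; ret
    data = bytearray(0x1000)
    data[0xE08:0xE0C] = _le32(0x01058530)        # slot -> function inside .text
    data[0xE0C:0xE10] = _le32(0x7C801234)        # slot -> outside the dump (e.g. an import)
    return {".text": (TEXT_VA, bytes(text)), ".data": (DATA_VA, bytes(data))}


def section_of(sections, va, size=1):
    """Name of the section fully containing [va, va + size), or None."""
    for name, (base, blob) in sections.items():
        if base <= va and va + size <= base + len(blob):
            return name
    return None


def read_u32(sections, va):
    name = section_of(sections, va, 4)
    if name is None:
        return None
    base, blob = sections[name]
    return struct.unpack_from("<I", blob, va - base)[0]


def find_indirect_calls(sections):
    """Scan .text for FF 15 disp32 (call dword ptr [disp32]) and resolve each slot.

    A linear byte scan is a heuristic: FF 15 can also appear inside an immediate
    or displacement of another instruction. Inside IDA, walking call xrefs as the
    sark script does avoids those false positives.
    """
    base, blob = sections[".text"]
    found = []
    i = 0
    while i + 6 <= len(blob):
        if blob[i] == 0xFF and blob[i + 1] == 0x15:
            slot = struct.unpack_from("<I", blob, i + 2)[0]
            target = read_u32(sections, slot)
            found.append({
                "ea": base + i,
                "slot": slot,
                "slot_section": section_of(sections, slot, 4),
                "target": target,
                "target_section": None if target is None else section_of(sections, target),
            })
            i += 6
        else:
            i += 1
    return found


def render(call):
    """IDA-style listing line with the resolved target appended as a comment."""
    line = "%08X  call off_%08X" % (call["ea"], call["slot"])
    if call["target_section"] == ".text":
        return line + "  ; -> sub_%08X" % call["target"]
    if call["target"] is None:
        return line + "  ; slot not in dump"
    return line + "  ; -> %08X (outside .text, not rewritten)" % call["target"]


def rewrite_to_direct(sections, call):
    """Return a copy of .text with this call patched to E8 rel32 followed by a NOP.

    Only sound if the slot is never rewritten at run time (an import table entry
    or a hook table would be), which is the caveat raised in the comments.
    """
    if call["target_section"] != ".text":
        raise ValueError("target 0x%08X is not in .text" % (call["target"] or 0))
    base, blob = sections[".text"]
    off = call["ea"] - base
    rel32 = call["target"] - (call["ea"] + 5)    # relative to the end of the 5-byte call
    patched = bytearray(blob)
    patched[off:off + 6] = b"\xe8" + _le32(rel32) + b"\x90"
    return bytes(patched)


if __name__ == "__main__":
    secs = build_sections()
    for c in find_indirect_calls(secs):
        print(render(c))
```

For a real dump, replace build_sections with a PE section parser (e.g. pefile) that yields the same {name: (va, bytes)} map, and treat any slot whose target lies outside .text as an import or hook table entry rather than something to rewrite.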