I'm using IDA Pro to reverse a trojan with a packer, and I saw that the trojan unpacks some files (two files, actually) by unpacking my trojan with WinRAR. Now I would like to see what's really going on and was trying to use IDA Pro to disassemble it, but when analyzing it with strings, I don't find the names of the unpacked files, which is why I presume that they are pushed onto the stack. I'm wondering how to set a condition in IDA Pro that would trigger if a register contains a string, for example if %eax = string (whatever string).

Thanks for your help

Xint0
xabe
  • I would be highly surprised if this would be possible, I mean, it's all a bunch of bits in some funny random pattern. I really can't imagine how one could identify a string in it. – JustSid Mar 12 '11 at 15:36
  • I saw that there is a "general register" window, sometimes the registers are equal to strings, and it's noticed there, so maybe it could be possible. – xabe Mar 12 '11 at 15:43

1 Answer

You can set up conditional breakpoints from their properties window (right-click on the breakpoint address -> Edit Breakpoint). Look up the IDC command table for more info on the supported functions.

shadeMe
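The condition asked about in the question, written as an added example that is not part of the original answer: it treats a register value as a pointer and reports whether it points to a printable string containing a given name. It goes beyond the question by also checking UTF-16 strings, since Windows file APIs often take wide paths. Assumptions: IDA 7.x with IDAPython (`idc.get_reg_value`, `idc.read_dbg_memory`) rather than the IDC language the answer mentions; `bpt_condition`, `reg_points_to`, `read_c_string` and the name `dropped.dll` are hypothetical.

```python
# Added example: pure-Python core plus a thin IDAPython wrapper (assumes IDA 7.x).
MAX_LEN = 260  # assumed cap on characters to scan (Windows MAX_PATH)

def read_c_string(read_mem, addr, wide=False):
    """Read a NUL-terminated string at addr via read_mem(addr, size) -> bytes or None.

    Returns the decoded text, or None if the memory is unreadable or the
    bytes are not a printable ASCII / UTF-16LE string.
    """
    width = 2 if wide else 1
    out = bytearray()
    for i in range(MAX_LEN):
        # Read one character at a time so a string ending at a page
        # boundary does not fail the whole read.
        unit = read_mem(addr + i * width, width)
        if not unit or len(unit) < width:
            return None  # unmapped memory: the register is not a pointer
        if unit == b"\x00" * width:
            break
        out += unit
    try:
        text = out.decode("utf-16-le" if wide else "ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None

def reg_points_to(read_mem, addr, needle):
    """True if addr points to an ANSI or UTF-16 string containing needle."""
    for wide in (False, True):
        text = read_c_string(read_mem, addr, wide)
        if text and needle.lower() in text.lower():
            return True
    return False

def bpt_condition(reg="EAX", needle="dropped.dll"):
    """Breakpoint condition for use inside IDA; needle is a placeholder name."""
    import idc  # only importable inside IDA, so imported lazily
    return reg_points_to(idc.read_dbg_memory, idc.get_reg_value(reg), needle)
```

Inside IDA, load the definitions with File > Script file, then set the breakpoint's condition language to Python and enter `bpt_condition("EAX", "dropped.dll")` with the name you are looking for.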