How to reformat a c structure in ida pro

Question

I'm trying to disassemble a arm64 based binary I want to know how can I reformat structure as it was before I mean not strings but the values at least placed that they were before in code? Take example

static struct mystruct cmn = {
      { 0xFF, 0x03, {0x98, 0x81, 0x03} },
      { 0x01, 0x01, {0x00} },
      { 0x02, 0x01, {0x00} },
      { 0x03, 0x01, {0x53} },
};

But in binary it's actually hard to remember and I sometimes make mistakes while reversing. So, it possible to get a exactly same arranged chars in ida pro 7.2 or radare 2?

https://del.dog/raw/fomukovata

Answer 1

ENVIRONMENT

• radare2: radare2 4.2.0-git 23519 @ linux-x86-64 git.4.1.1-84-g0c46c3e1e commit: 0c46c3e1e30bb272a5a05fc367d874af32b41fe4 build: 2020-01-08__09:49:0
• system: Ubuntu 18.04.3 LTS

SOLUTION

• As @David Hoelzer mentioned you must first derive the format of the data in memory.
• If you know the structure of the data we can use two commands in radare2 to structure that area of memory.
  • Command 1: pf.name [0|cnt]fmt # Define a new named format
  • Command 2: Cf[?][-] [sz] [0|cnt][fmt] [a0 a1...] [@addr] # format memory (see pf?)

EXAMPLE

Following the structure close to what you provided.

user@host:~$ r2 /bin/ls
[0x1000011e8]> pf.mystruct [5]c[3]c[3]c[3]c
[0x1000011e8]> Cf 14 ? (mystruct)example
[0x1000011e8]> pd 1
            ;-- rip:
            0x1000011e8 format ? (mystruct)example {
 example :
                struct<mystruct>
0x1000011e8 = [ 'U', 'H', '.', '.', 'A' ]
0x1000011ed = [ 'W', 'A', 'V' ]
0x1000011f0 = [ 'A', 'U', 'A' ]
0x1000011f3 = [ 'T', 'S', 'H' ]
} 14
[0x1000011e8]> q
user@host:~$