- QSTRING STARTSWITH IDA HOW TO
- QSTRING STARTSWITH IDA INSTALL
- QSTRING STARTSWITH IDA PATCH
- QSTRING STARTSWITH IDA PRO
Running a script can be done from File > IDC Command. Then the following loop might end up being part of your IDC script: // *EXAMPLE*Īuto addr = 0x00401000 // The address of your string Let's say your deobfuscation routine simply XOR'd each successive byte with 0x1F until the null byte was decoded. I'm writing it in IDC in case you're using IDA Free. Giving an overview of scripting IDA would be beyond the scope of this answer, but here's an example to get you started.
QSTRING STARTSWITH IDA INSTALL
I'm not sure if you can install IDAPython on IDA Free 5.0, but it should be bundled with all vaguely recent versions of IDA Pro. I highly recommend using IDAPython, as it is much easier to use, and a much more powerful language. Your options for scripting IDA are IDC (IDA's original built-in scripting language) and IDAPython. Anything you do to the database will have no effect on the actual binary, and anything you do to the binary will have no effect on the database) (As a point of clarification, the IDA database is entirely separate from the binary itself. This will allow you to replace the obfuscated strings with the deobfuscated strings in the IDA database. If the routine isn't too complicated - and they usually aren't - you should be able to write a script to emulate the debofuscation routine.
QSTRING STARTSWITH IDA PRO
If you can't run the binary, or if the dynamic approach isn't deobfuscating all the strings for you, then you can deobfuscate them yourself.Ĭhances are good that if you view the cross-references to any of the obfuscated strings in IDA Pro (view them with the x key), you should be taken to the deobfuscation routine.
QSTRING STARTSWITH IDA HOW TO
How to deobfuscate the strings (static approach): The IDA Pro Book contains a great reference for this.
QSTRING STARTSWITH IDA PATCH
Once you have a list of deobfuscated strings, you can either patch them directly into the IDA database (discussed below), or you can leave repeatable comments (use the ' key) at the addresses of each of the strings in the database, such that the deobfuscated string will display as a comment on every instruction that references it.įor small binaries, you can get away with doing the annotations by hand, but it would be worthwhile to read into scripting IDA so that you can automate this process. If the deobfuscation always happens from a common routine, you can place a breakpoint near the end of that routine and possibly script your debugger to print the debofuscated string each time execution passes through that routine. If the breakpoint trips, step through the instructions to allow the rest of the string to be deobfuscated. If the previous method does not work for you, try setting a hardware write breakpoint on the first byte of an obfuscated string, then running the binary. (This will not necessarily deobfuscate all of the strings for you you'll only get the strings that were deobfuscated along the path of the binary's execution) If the strings are still debofuscated, you can do a memory dump of the appropriate section to save the deobfuscated strings. Several binaries that obfuscate their strings never re-obfuscate them after their use, so one interesting shortcut you might want to try first is to run the binary in a debugger and break execution right before it exits.
All you need to do is run the binary in a debugger and analyze the memory after it has been deobfuscated.
If you are able to run the binary, you can let it take care of the deobfuscation for you. How to deobfuscate the strings (dynamic approach):
The rest of this answer makes the assumption that this is true of your binary. This is a common technique used to prevent static analysis tools (such as the GNU "strings" utility or IDA Pro) from properly analyzing the binary. Chances are, before each of the strings is used in the program, a deobfuscation routine is run to convert the string in memory back into something meaningful.
0 kommentar(er)
