#158951 - yellowstar - Mon Jun 23, 2008 3:34 am
Could somebody explain this?
IDA Pro Free disassembly of an exported function in my Wmb Asm module:
Code:
public _Z17pcap_open_offlinePKcPc
.text:10001360 _Z17pcap_open_offlinePKcPc proc near
.text:10001360
.text:10001360 var_28 = dword ptr -28h
.text:10001360 var_24 = dword ptr -24h
.text:10001360 var_20 = dword ptr -20h
.text:10001360 var_1C = dword ptr -1Ch
.text:10001360 arg_0 = dword ptr 8
.text:10001360
.text:10001360 push ebp ; 1C number is size of capture header structure
.text:10001361 mov ebp, esp
.text:10001363 push edi
.text:10001364 push esi
.text:10001365 push ebx
.text:10001366 sub esp, 1Ch ; void *
.text:10001369 mov [esp+28h+var_28], 19h
.text:10001370 call malloc
.text:10001375 mov ds:lvarpcaplibpcap_open_offline_cap, eax
...
mov esi, ds:lvarpcaplibpcap_open_offline_cap
.text:10001438 mov [esp+28h+var_28], esi
.text:1000143B
.text:1000143B loc_1000143B: ; CODE XREF: _Z17pcap_open_offlinePKcPc+22Fj
.text:1000143B call free
.text:10001440 xor ecx, ecx
.text:10001442
.text:10001442 loc_10001442: ; CODE XREF: _Z17pcap_open_offlinePKcPc+20j
.text:10001442 ; _Z17pcap_open_offlinePKcPc+8Fj
...
.text:10001442 add esp, 1Ch
.text:10001445 mov eax, ecx
.text:10001447 pop ebx
.text:10001448 pop esi
.text:10001449 pop edi
.text:1000144A pop ebp
.text:1000144B retn ; void *
This would most likely be very similar in ARM assembly, instead of x86 (register names aside). Anyway: I know the esp register points to the stack. I know with x86/Intel CPUs, the stack grows backwards. So the sub mnemonic would make the stack grow, while add will make the stack shrink. The size it's changing the stack by with these mnemonics is 0x1C, the size of the capture header. Then after the add mnemonic, it does a mov, putting 0x19 in the stack, where esp points. How does malloc know how much to allocate? 0x19 is 3 bytes smaller than 0x1C. Does malloc word-align the value passed to it via the stack? (parameter, I think)
Does it use the values subtracted from esp? So would it subtract esp from ebp to get the amount to allocate? I tried to look at the disassembly for malloc, but I couldn't - only got something similar to a header. )-:
I'd much rather RE/disassemble NDS/ARM code, but with IDA Pro Free, the only processors it supports are x86 processors on PC. And the only loaders available are PC only. The commercial version has these things, but that's $500. It seems to be possible to add these processors myself with the Free version and the IDA Pro SDK, but on the web site they only have the SDK for IDA 5.2. And the free version is 4.9. I need SDK version 4.9, for the commercial version. (The SDK is free.)
Unfortunately, the SDK can't be used with the free IDA Pro without patching. I have that patch, just not the SDK. Does anybody know where I can download it? Unfortunately, loaders/processor modules have to be made specifically for the free version with that patch. Plugins that aren't built for that, and aren't made with SDK version 4.9 too, probably, won't work with the free version. (But there seems to be a tool to patch plugins so they work with the free version.)
Quote:
    Processor modules are blocked by the free version.
)-: But I heard that the processor modules, and even the loaders, are encrypted. But that might be only in the commercial version, that they would be encrypted. Encrypting modules in the commercial version would make a lot of sense. There's this private key unique to each copy of IDA Pro. The modules are encrypted with this key. (However, there might be more things done for this, I don't remember. I read this in a tutorial about this.)
EDIT:
I guess there is no encryption in IDA Pro Free. I checked one processor module in a hex editor, and the strings weren't incomplete or anything. That tutorial said if they're incomplete/scrambled/and such, the file is encrypted.
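Added example (not from the post, and not the Wmb Asm module's own code): a small Python model of the x86-32 stack that steps through the prologue, the malloc call, and the epilogue from the listing above. It shows that malloc reads its size argument (0x19 = 25 bytes) from the dword the function stores at [esp], not from the 0x1C subtracted from esp, and that IDA writes that slot as [esp+28h+var_28] because ebp minus esp is 0x28 at that point. All register contents and addresses are constructed stand-ins.

```python
import struct

class Stack32:
    """Sparse, byte-addressed model of the x86-32 stack plus a few registers."""
    def __init__(self, esp):
        # register contents are constructed stand-ins, chosen to be easy to recognise
        self.regs = {"esp": esp, "ebp": 0xBFFFFF40, "ebx": 0xB, "esi": 0x5, "edi": 0xD, "eax": 0}
        self.mem = {}
        self.seen = []                        # (callee, first argument it found at [esp+4])

    def store32(self, addr, value):
        for i, b in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
            self.mem[addr + i] = b

    def load32(self, addr):
        return struct.unpack("<I", bytes(self.mem.get(addr + i, 0) for i in range(4)))[0]

    def push(self, value):
        self.regs["esp"] -= 4                 # the stack grows toward lower addresses
        self.store32(self.regs["esp"], value)

    def pop(self):
        value = self.load32(self.regs["esp"])
        self.regs["esp"] += 4
        return value

    def call(self, callee, return_addr):
        self.push(return_addr)                # CALL pushes the return address, so the cdecl
        self.seen.append((callee, self.load32(self.regs["esp"] + 4)))  # callee sees arg0 at [esp+4]
        self.regs["eax"] = 0xC0DE0000         # constructed stand-in for malloc's return value
        self.pop()                            # the callee's RETN

def trace_pcap_open_offline(caller_esp=0xBFFFFF00):
    s = Stack32(caller_esp)
    s.push(0x12345678)                        # the caller's CALL (constructed return address)
    s.push(s.regs["ebp"])                     # push ebp
    s.regs["ebp"] = s.regs["esp"]             # mov ebp, esp
    for r in ("edi", "esi", "ebx"):           # push edi / push esi / push ebx
        s.push(s.regs[r])
    s.regs["esp"] -= 0x1C                     # sub esp, 1Ch: locals + outgoing-argument slots
    ebp_minus_esp = s.regs["ebp"] - s.regs["esp"]   # 0x28, hence IDA's [esp+28h+var_28]
    frame_depth = caller_esp - s.regs["esp"]        # everything this call put on the stack
    s.store32(s.regs["esp"], 0x19)            # mov [esp+28h+var_28], 19h  ->  dword [esp] = 0x19
    s.call("malloc", 0x10001375)              # call malloc
    s.regs["esp"] += 0x1C                     # add esp, 1Ch
    for r in ("ebx", "esi", "edi", "ebp"):    # pop ebx / pop esi / pop edi / pop ebp
        s.regs[r] = s.pop()
    s.pop()                                   # retn
    return {"malloc_size": s.seen[0][1], "ebp_minus_esp": ebp_minus_esp,
            "frame_depth": frame_depth, "esp_restored": s.regs["esp"] == caller_esp}
```

The 48-byte depth (return address, saved ebp, three saved registers and the 0x1C block) is a multiple of 16, which is consistent with GCC keeping esp 16-byte aligned at call sites; the 0x19 that malloc sees does not depend on that 0x1C at all.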