IDA: create and apply structs


deepzero
July 30th, 2013, 05:06
Hi,

i am struggling with structs in IDA. Basically, i want to do 3 things

1) add a custom struct to IDA
2) apply a struct to a fixed VA
3) apply a struct to a register (?)

1)
opening the struct subview, i get this:

00000000 ; Ins/Del : create/delete structure
00000000 ; D/A/* : create structure member (data/ascii/array)
00000000 ; N : rename structure or structure member
00000000 ; U : delete structure member
00000000 ; ---------------------------------------------------------------------------
00000000

i was able to create a new struct, and insert a member by pressing D. However, i cannot insert a second member: pressing D will only change the type of the first member.
how do i insert a new member?


2) ok, that seems to work fine by selecting the address and edit->struct var

3)
I know that at a given location in the program, EAX will point to a certain struct.
the struct members are accessed, resulting in code like

mov esi, [eax + 254]

Now it would be helpful if we could somehow let IDA know that eax points to that struct, so it would "decode" that command to

mov esi, [eax + membername]


How can i do that?



hope someone can help me out!

Kayaker
July 30th, 2013, 20:28
Hi

If your structure is recognized I think all you need to do is right click on the register pointer and choose the member under the Structure Offset menu. If you've got too many structs defined that have similar offsets, yours may get lost in the noise or possibly not even included in the drop down list.

I find it easier to create a struct in a separate header file and import it with File/Load file/Parse C header file, rather than the agonizing steps needed to do it within IDA. After doing that you add the struct with Structures/Insert/Add Standard Structure. The new header file struct should be at the bottom of the list. The format recognized is:

struct MYSTRUCT
{
    int dummy1;
    int dummy2;
};

deepzero
July 31st, 2013, 00:51
Thanks! That seems to do the trick!

But going over the code and labeling every [eax+x] myself is a little tiresome... can't i tell IDA somehow "here eax points to a struct, as long as eax is not modified, mark all [eax+x] appropriately."

Kayaker
July 31st, 2013, 01:42
An idc script should be able to do that. You can't just do a blanket coverage of all eax's say, but you could use a selection or range of addresses as a way of delineating an area to work on, or use a hotkey to at least simplify having to right click all the time. There are several commands you'll probably have to make use of. Take a look at the idc script Zairon used in this thread to accomplish something similar as an example.

http://www.woodmann.com/forum/showthread.php?15078-Girls-just-want-to-have-fun-RE-challenge&p=94458#post94458
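
The range-based labeling discussed above ("as long as eax is not modified"), as an added example that is not part of the thread and not an IDC script: it works on constructed disassembly text outside IDA to show the offset lookup and the point where labeling has to stop. The struct members after dummy2, the sample listing and the names parse_struct and annotate are assumptions.

```python
import re

# Constructed inputs: header in the format shown above (members after dummy2
# are made up) and a listing where eax holds the struct pointer until line 4.
HEADER = """struct MYSTRUCT
{
    int dummy1;
    int dummy2;
    short flags;
    char tag[6];
    int handle;
};"""
SAMPLE = ["mov esi, [eax+4]", "cmp eax, 0", "mov ecx, [eax+10h]",
          "mov eax, [eax+8]", "mov edx, [eax+4]"]

SIZES = {"char": 1, "short": 2, "int": 4}  # assumed 32-bit, natural alignment
NO_WRITE = {"cmp", "test", "push"}         # first operand is only read
CALL_CLOBBERS = {"eax", "ecx", "edx"}      # caller-saved under cdecl/stdcall

def parse_struct(header):
    """Return (name, {offset: member}) for a header in the format above."""
    name = re.search(r"struct\s+(\w+)", header).group(1)
    layout, off = {}, 0
    for ctype, member, count in re.findall(r"(\w+)\s+(\w+)(?:\[(\d+)\])?\s*;", header):
        size = SIZES[ctype]
        off = (off + size - 1) // size * size   # align to the member's own size
        layout[off] = member
        off += size * int(count or 1)
    return name, layout

def annotate(lines, reg, header):
    """Rewrite [reg+N] as [reg+STRUCT.member] until reg is overwritten."""
    name, layout = parse_struct(header)
    # IDA prints hex with an 'h' suffix (10h, 0FEh); bare digits are decimal.
    pat = re.compile(r"\[%s\s*\+\s*(\d+|\d[0-9A-Fa-f]*h)\]" % reg)
    def label(m):
        text = m.group(1)
        off = int(text[:-1], 16) if text.endswith("h") else int(text)
        return "[%s+%s.%s]" % (reg, name, layout[off]) if off in layout else m.group(0)
    out, live = [], True
    for line in lines:
        mnem, _, ops = line.partition(" ")
        operands = [o.strip() for o in ops.split(",")]
        if live:                                # operands are read before the write
            line = pat.sub(label, line)
        if ((mnem == "call" and reg in CALL_CLOBBERS) or (mnem == "xchg" and reg in operands)
                or (operands[0] == reg and mnem not in NO_WRITE)):
            live = False                        # reg no longer points at the struct
        out.append(line)
    return out
```

Offsets that do not start a member are left untouched, and a call ends the labeled region for eax because the return value overwrites it.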

ZaiRoN
July 31st, 2013, 03:12
[QUOTE]i was able to create a new struct, and insert a member by pressing D. However, i cannot insert a second member: pressing D will only change the type of the first member.
how do i insert a new member?[/QUOTE]
Click on the last line of the defined structure ("struc_1 ends") and then add a member using 'D', 'A' or '*'; you should be able to see a new member!