Results 1 to 11 of 11

Thread: Edit strings with IDA Pro 5.2

  1. #1
    nekkro-kvlt
    Guest

    Edit strings with IDA Pro 5.2

    Hi, I have disassembled an ELF file, and I want to edit a particular string.
    I searched the forum and found this:
    http://www.woodmann.com/forum/showthread.php?t=5119&highlight=ida+edit

    But didn't work.

    I select the string near the db instruction, and type backspace or try the edit menu, but nothing happen... Do I make something wrong ?

    I'm new to reverse engineering so please excuse me if the problem has alreary been solved, but can't find it...
    thanks.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Please do not double post. You already posted in that 6 year old Thread, and just posting in this one, with a reference to the previous post, as you made here, would be sufficient.



    Regards,
    JMI

  3. #3
    If it's an unencrypted string, just use another tool like "Hex Workshop" to edit it.

  4. #4
    nekkro-kvlt
    Guest
    Hi, the fact is that I need to replace the string with a bigger one (2 chars longer). As far as I know (not very far however), If I replace with a longer string, the new executable won't work as it will change the intern structure, right ?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    right.
    but if you have phantasy.. then.. at other place..

  6. #6
    nekkro-kvlt
    Guest
    Sorry, but I don't understand what you're saying
    I think editing strings in an executable should be quite simple for someone who know how to do that, but I have no clues at all
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Hello.

    Text files. They don't work on the basis of addresses. Meaning, a word or sentence on the fifth page, does not refer to a word or sentence on the second page. Therefore, you add, delete, insert text at whatever position you want. You can also replace the word AIM with AIMLESS and nothing is wrong.

    Executable files. They work on the basis of offsets. Simply put, they work on the basis of ADDRESSES inside the file itself. So if the word AIM REVERSES has AIM beginning at address 00000001 and REVERSES begins at address 00000004, then if you change it to AIMLESS REVERSES then the word REVERSES is pushed back to address 00000008. Now, if the executable wants to display the term REVERSES in a messagebox, it will say: DISPLAY STRING AT ADDRESS 00000004. After all, when it was compiled, the word REVERSES was on 00000004. But because you changed it, it will now show LESS. This becomes worse when instead of the word REVERSES there is an instruction, such as CALL 00003434. Now if you add something before this, when this gets called later on somewhere in the program, it will be somewhere in the middle of the instruction.

    Complicated?

    Of course. They are not called BINARIES for nothing.

    Have Phun
    Blame Microsoft, get l337 !!

  8. #8
    As far as I know, it's not possible to edit the disassembled file from IDA in any way. Also, you've already seen that it won't be possible to replace the string in-place by a longer one. What you will have to do is find an empty, unused spot in the ELF file (a "cave"), use a hex editor to place your new string there, and update all references to the old string in the ELF's code so they point to this new string instead.

  9. #9
    nekkro-kvlt
    Guest
    OK, thanks for your explications, I understand now, but, doesn't it possible to modify the asm code source, imagine that I modify the string at address X, and I add 2 octets. In the ASM code source, If it increment with 2 all references to address > X, and then I recompile the asm code source?

    Thanks, I'll try to find nop or null hole in the file
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    Quote Originally Posted by nekkro-kvlt View Post
    Hi, the fact is that I need to replace the string with a bigger one (2 chars longer). As far as I know (not very far however), If I replace with a longer string, the new executable won't work as it will change the intern structure, right ?
    It really depends! If the string is in a place with nothing around it, you can just make it longer, as long as you terminate it with a NULL (00 byte).

    So, really, make a copy of the executable, fix the string, and test it! My philosophy is "What's it gonna do? Not work?"

  11. #11
    nekkro-kvlt
    Guest
    Good Idea, after my string I got some useless strings, maybe I can overwrite them !
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Edit PE Optional header
    By mint77 in forum Tools of Our Trade (TOT) Messageboard
    Replies: 9
    Last Post: December 18th, 2012, 14:00
  2. IDA>Edit>Patch Program
    By replica in forum Tools of Our Trade (TOT) Messageboard
    Replies: 2
    Last Post: June 8th, 2009, 08:42
  3. Cool Edit Pro Demo?? or Cool Edit???
    By crUsAdEr in forum Malware Analysis and Unpacking Forum
    Replies: 3
    Last Post: February 14th, 2002, 16:57
  4. Help with Ultra Edit ver 7.20a
    By xOptiMus in forum Advanced Reversing and Programming
    Replies: 3
    Last Post: December 15th, 2000, 12:23
  5. Help with Ultra Edit ver 7.20a
    By xOptiMus in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: December 14th, 2000, 18:43

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •