
Thread: Custom data types and formats

  1. #1
    Imported blog (Hex-Rays)
    Join Date
    Nov 2007
    Posts
    105

    Custom data types and formats

    Another new feature that will be available in the upcoming version of IDA Pro is the ability to create and render custom data types and formats.


    (Embedded instructions disassembled and rendered alongside x86 code)

    What are custom types and formats

    • Custom data type: A custom type is basically just a way to tag some bytes for later display with a custom format, when the built-in IDA types (dt_byte, dt_word, etc.) are not enough. For example: an XMM vector, a Pascal string, a half-precision (16 bits) floating-point number, a 16:32 far pointer (fword), a uleb128 number and so on. To define a custom type, you need to provide to IDA its name, size (fixed or dynamically calculated), keyword for disassembly and a few other attributes.
    • Custom data format: The custom data format allows you to display a custom or built-in data type in any way you like. You can register several formats for each type and switch the representation. For example, you might want to switch the display of the same 16-byte XMM vector between four floats or two doubles. A format definition includes callbacks for printing (to display) and scanning (used during debugging to change the register values).
    For example, here is a custom MAKE_DWORD format applied to the built-in dword type:


    Its implementation is very simple:



    Next we illustrate some possible usages of custom types and formats. Other uses are possible too; it is up to your imagination.

    Decoding embedded bytecodes

    Imagine you are debugging an x86 program that implements its own VM and embeds them in the program.
    The classical solution for this problem can be:
    • Write a dedicated processor module and then load the extracted bytecodes separately
    • Or define the bytecodes as bytes and then use comments to describe the real meaning of those bytecodes.
    With this new addition, one can just write a custom data type to handle the situation:



    And if you happen to have a situation where the bytecodes are operands to instructions (as a means of obfuscation), you can still apply the custom format on those operands:



    The previous blog entry showed how to write processor modules using Python. What if one simply uses the "import" statement to import a full-blown processor module script and use it in the custom data types/formats?

    Displaying resource strings

    When reversing MS Windows applications, one can encounter string IDs, but then how to easily and nicely go fetch the data and display it in the disassembly listing?
    Normally, one would have to use a resource editor to extract the string value corresponding to the string id, then to create an enum in IDA for each string ID with a repeatable comment:



    That works, but what about writing your own custom format instead:



    And then applying it directly without having to use a resource editor to extract the string value; have the custom format do that programmatically for you:



    This is what a resource string custom format handler can look like:



    To take a closer look at it, you can download the custom data type handler script along with the source code of the simplevm assembler/disassembler and the C program that was used in this article.
    <!-- Thank you, you know who you are. -->

    http://hexblog.com/2010/02/custom_data_types_and_formats_1.html
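
Added example, not part of the imported blog post or Hex-Rays' scripts: a standalone Python model of the size-calculation, print and scan callbacks the post describes, using the uleb128 type it mentions. All function names and the sample bytes are assumptions made for illustration and do not use the IDA SDK or IDAPython API.

```python
# Standalone model of a variable-size custom type (uleb128) and one format.
# Names are hypothetical; none of this is the IDA SDK or IDAPython API.

def calc_item_size(buf, offset, maxsize):
    """Return the byte length of the uleb128 item at offset, or 0 if invalid.

    Models a dynamically calculated size: scan until a byte with the
    continuation bit (0x80) clear, never reading past maxsize bytes.
    """
    end = min(len(buf), offset + maxsize)
    for i in range(offset, end):
        if buf[i] & 0x80 == 0:
            return i - offset + 1
    return 0  # truncated or longer than maxsize: refuse to define the item


def print_uleb128(item):
    """Print callback: render the tagged bytes as a hex number."""
    value = 0
    for shift, byte in enumerate(item):
        value |= (byte & 0x7F) << (7 * shift)
    return "uleb128 0x%X" % value


def scan_uleb128(text):
    """Scan callback: parse user text back into the item's bytes."""
    value = int(text.replace("uleb128", "").strip(), 0)
    if value < 0:
        raise ValueError("uleb128 is unsigned")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)  # more groups follow
        else:
            out.append(byte)         # last group, continuation bit clear
            return bytes(out)


# Constructed sample: 0x98765 encoded as E5 8E 26, followed by unrelated bytes.
SAMPLE = bytes([0xE5, 0x8E, 0x26, 0x90, 0x90])

if __name__ == "__main__":
    size = calc_item_size(SAMPLE, 0, 16)
    print(size, print_uleb128(SAMPLE[:size]))
```

The size callback returns 0 when the continuation bit never clears within the limit, so a truncated or runaway sequence is left undefined instead of swallowing the bytes that follow it.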

  2. #2
    <!-- Thank you, you know who you are. -->
    Interesting feature of the blog import tool

    (I don't know who it is, so it's not me)

  3. #3
    Kayaker (Teach, Not Flame)
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Bwwahaha...I hadn't realized until now that some html comments come through the rss feed. I could fix the import script, but I think it could be more entertaining to leave it the way it is
