Results 1 to 5 of 5

Thread: IDA: create and apply structs

  1. #1

    IDA: create and apply structs

    Hi,

    i am struggling with structs in IDA. Basically, i want to do 3 things

    1) add a custom struct to IDA
    2) apply a struct to a fixed VA
    3) apply a struct to a register (?)

    1)
    opening the struct subview, i get this:

    00000000 ; Ins/Del : create/delete structure
    00000000 ; D/A/* : create structure member (data/ascii/array)
    00000000 ; N : rename structure or structure member
    00000000 ; U : delete structure member
    00000000 ; ---------------------------------------------------------------------------
    00000000

    i was able to create a new struct, and insert a member by pressind D. However, i cannot insert a second member: pressing D will only change the type of the first member.
    how do i insert a new member?


    2) ok, that seems to work fine by selecting the address and edit->struct var

    3)
    I know that at a given location in the program, EAX will point to a certain struct.
    the struct members are accessed resutlingg in code like

    mov esi, [eax + 254]

    Now it would be helpful if we could some let IDA know that eax points to that struct, so it would "decode" that command to

    mov es, [eax + membername]


    How can i do that?



    hope someone can help me out!

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,146
    Blog Entries
    5
    Hi

    If your structure is recognized I think all you need to do is right click on the register pointer and choose the member under the Structure Offset menu. If you've got too many structs defined that have similar offsets, yours may get lost in the noise or possibly not even included in the drop down list.

    I find it easier to create a struct in a separate header file and import it with File/Load file/Parse C header file, rather than the agonizing steps needed to do it within IDA. After doing that you add the struct with Structures/Insert/Add Standard Structure. The new header file struct should be at the bottom of the list. The format recognized is:

    struct MYSTRUCT
    {
    int dummy1;
    int dummy2;
    };

  3. #3
    Thanks! That seems to do the trick!

    But going over the code and labeling every [eax+x] myself is a little tiresome...cant i tell ida somehow "here eax points to a struct, as long as eax is not modified, mark all [eax+x] appropriately."

  4. #4
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,146
    Blog Entries
    5
    An idc script should be able to do that. You can't just do a blanket coverage of all eax's say, but you could use a selection or range of addresses as a way of delineating an area to work on, or use a hotkey to at least simplify having to right click all the time. There are several commands you'll probably have to make use of. Take a look at the idc script Zairon used in this thread to accomplish something similar as an example.

    http://www.woodmann.com/forum/showthread.php?15078-Girls-just-want-to-have-fun-RE-challenge&p=94458#post94458

  5. #5
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    [quote]i was able to create a new struct, and insert a member by pressind D. However, i cannot insert a second member: pressing D will only change the type of the first member.
    how do i insert a new member?[quote]
    Click on the last line of the defined structure (" struc_1 ends") and then add a member using 'D', 'A' or '*', you should be able to see a new member!
    A mind is like a parachute. It doesnt work if it's not open.

Similar Threads

  1. How to create .sig file from .cpp?
    By 5aLIVE in forum Tools of Our Trade (TOT) Messageboard
    Replies: 4
    Last Post: April 26th, 2005, 04:09
  2. Replies: 7
    Last Post: April 27th, 2004, 03:32
  3. Auto apply the patches
    By ldril in forum OllyDbg Support Forums
    Replies: 1
    Last Post: March 3rd, 2004, 10:21
  4. How to create a patcher and..
    By RevoQer in forum Malware Analysis and Unpacking Forum
    Replies: 3
    Last Post: November 26th, 2001, 00:32
  5. Attempt to apply ReVirgin on Pc Guard protection on app Iris
    By BlackB in forum Advanced Reversing and Programming
    Replies: 17
    Last Post: March 4th, 2001, 09:07

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •