Is it possible to locate a write/printf call in IDA - reverse-engineering

Total noob here, hope this is OK.
I'm using IDA to try to reverse engineer a little program I have. Currently the only thing I know about it is that it prints a string when started. I tried looking in the strings section for that string but couldn't find it (guessing the string was generated mid-run).
So, I figured that if I could find a call to a function that prints data, I would be able to lock on to that part of the program. Is that possible? And if so, how?
If not, what should I do in order to find what happens after that string is printed? (The program awaits input, and upon bad input, exits...)

Try searching for some classic Windows API such as "printf" in IDA, i.e. you can search by the keyword "printf".

Look at ltrace, it intercepts calls to dynamically linked libraries.
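Putting the first answer into practice: the following IDAPython script is an added example (not code from either answer) that walks the database's named locations, keeps those that look like output routines, and lists every code or data reference to them, i.e. the candidate call sites to "lock on to". It assumes IDA 7.x with `idautils` and `idc` available when run inside IDA; the set of routine names and the decoration-stripping rule are my assumptions, and those pure-Python helpers can be checked outside IDA.

```python
"""List every call site of a known output routine (printf, puts, write, WriteFile, ...)
in the current IDA database. Added example; run it inside IDA via File > Script file.
The API name list and the decoration rule below are assumptions; extend as needed."""
import re

# Canonical (undecorated) names of routines that emit output. Assumption: this list
# covers the CRT printf/puts family, POSIX write and the Win32 console/file writers.
OUTPUT_APIS = {
    "printf", "vprintf", "fprintf", "vfprintf", "wprintf", "fwprintf",
    "puts", "fputs", "putchar", "putws", "fwrite", "write", "cprintf",
    "WriteFile", "WriteFileEx", "WriteConsole", "WriteConsoleA", "WriteConsoleW",
}

# Imports and CRT symbols show up decorated in IDA: __imp_printf (IAT slot),
# _printf (cdecl), j_printf (jump thunk), printf_0 (duplicate name). Strip that.
_DECORATION = re.compile(r"^(?:__imp_|j_|_+)?(?P<base>[A-Za-z][A-Za-z0-9]*?)(?:_\d+)?$")


def canonical_name(name):
    """__imp_printf, _printf, j_printf, printf_0 -> printf (unknown shapes unchanged)."""
    m = _DECORATION.match(name)
    return m.group("base") if m else name


def is_output_api(name):
    return canonical_name(name) in OUTPUT_APIS


def group_call_sites(named_refs):
    """named_refs: iterable of (symbol_name, [referencing_ea, ...]).
    Returns {canonical_api: sorted unique referencing eas} for output APIs only,
    so __imp_printf and _printf end up in the same bucket."""
    hits = {}
    for name, refs in named_refs:
        if not is_output_api(name):
            continue
        hits.setdefault(canonical_name(name), set()).update(refs)
    return {api: sorted(eas) for api, eas in hits.items()}


def find_output_calls():
    """Run inside IDA: collect code refs (direct calls) and data refs (calls through
    the IAT are recorded against the __imp_ slot) to every output routine."""
    import idautils  # only available inside IDA
    named_refs = []
    for ea, name in idautils.Names():
        if not is_output_api(name):
            continue
        refs = list(idautils.CodeRefsTo(ea, 0)) + list(idautils.DataRefsTo(ea))
        named_refs.append((name, refs))
    return group_call_sites(named_refs)


if __name__ == "__main__":
    import idc
    for api, sites in sorted(find_output_calls().items()):
        for ea in sites:
            caller = idc.get_func_name(ea) or "<no function>"
            print("%-14s referenced from %s at 0x%X" % (api, caller, ea))
```

Each printed address is a place to set a breakpoint or to read backwards from: the format string or buffer argument is set up just before the reference, which is where a string built at run time becomes visible even though it never appears in the Strings window.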

IDA Hex Rays can't decompile function in automation

When I reverse the binary with the IDA GUI, all the functions get decompiled without a problem.
But when I run an automatic script on IDA without the GUI, there is always the same function that refuses to be decompiled. (When I open the same IDB that the automation script worked on, the function gets decompiled without a problem.)
I am using bip, and using BipFunc.can_decompile to check if a function can get decompiled.
EDIT:
According to an answer below, I have tried adding the following:
    if not func.can_decompile:
        print(f"can't decompile function 0x{func.ea:04x}, trying again")
        decomp_all()
    if not func.can_decompile:
        print(f"can't decompile function 0x{func.ea:04x}, trying again")
        decomp_all_twice_cacheclear()
    if not func.can_decompile:
        print(f"can't decompile function 0x{func.ea:04x}, skipping...")
        return
Sadly it did not work; I get all 3 prints every time, even on different binaries.
It seems to be fixed in IDA Pro 7.6.
There are several reasons you can get an error on decompilation from IDA. If it works in some cases and not in others, it is probably because of the call analysis. When decompiling a function, IDA will try to gather information on the functions called by this one, and in some cases it fails to get that information, which makes the decompilation fail. But once the called function has been decompiled, the information fetched by IDA will be updated, and so the decompilation of the caller function might now work. So basically it means you have to decompile the functions in an order, which is a pain; the simplest way to fix that is to just decompile everything twice, but it can take quite some time if you do it on "big" binaries.
I thought I had put that in the Bip repository somewhere but I can't find it, so here is a small plugin/code which should allow you to do that:
from bip import *

class DecompileAll(BipPlugin):
    """
    Plugin for decompiling all the functions in the binary.
    """

    @menu("Bip/DecompileAll/", "Invalidate hexrays caches")
    def clear_hxcCache(self):
        # drop every cached decompilation so the next pass starts from scratch
        HxCFunc.invalidate_all_caches()

    @menu("Bip/DecompileAll/", "Decompile all func")
    def decomp_all(self):
        # iterating HxCFunc.iter_all() decompiles each function in turn
        count = 0
        for f in HxCFunc.iter_all():
            count += 1
        print("0x{:X} functions decompiled".format(count))

    @menu("Bip/DecompileAll/", "Decompile twice with cache clear")
    def decomp_all_twice_cacheclear(self):
        # two passes: the second one picks up callers whose callees were
        # only analysed during the first
        HxCFunc.invalidate_all_caches()
        self.decomp_all()
        self.decomp_all()
Just for information, the basic reason for a decompilation error is that it is not able to make a correct translation of some piece of code because it does not understand the assembly. This is typically true if there is a problem during the analysis and the code is not correctly detected (it also happens a lot if you are dealing with obfuscation). You can typically spot this case by an error telling you "failed analysis at ADDR" in the IDAPython console, and then look at the problem. Probably not your case but it might still help.
Glad to hear you are using bip. So, about the BipFunc.can_decompile function: as indicated in the documentation (https://synacktiv.github.io/bip/build/html/base/func.html#bip.base.BipFunction.can_decompile) it will just try to decompile the function and see if an error occurs. The code is pretty straightforward (https://github.com/synacktiv/bip/blob/master/bip/base/func.py#L372); this is mostly written for use in one-liners, and it's the same thing as catching the exception when trying to decompile.
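The ordering problem the first answer describes, worked through as an added example (not bip's code and not from either poster): instead of decompiling everything twice, decompile callees before their callers, then give whatever still fails one more pass after the Hex-Rays cache is cleared. The scheduling logic is plain Python so it can be exercised with a fake decompiler; `build_call_graph()` and `decompile_database()` are the IDA driver and assume the IDAPython 7.x modules `idautils`, `idc` and `ida_hexrays`.

```python
"""Decompile all functions callee-first, retrying failures after a cache clear.
Added example (not bip code). The IDA driver at the bottom assumes IDAPython 7.x."""


def callee_first_order(callees):
    """callees: {func_ea: set(callee_ea)}. Returns the keys ordered so that every
    callee comes before its callers (iterative post-order DFS, so deep call chains
    do not hit the recursion limit). Recursion cycles are simply cut; the retry
    pass in decompile_all() covers whatever that leaves unresolved."""
    order, done, on_stack = [], set(), set()
    for root in sorted(callees):
        if root in done:
            continue
        stack = [(root, iter(sorted(callees.get(root, ()))))]
        on_stack.add(root)
        while stack:
            ea, children = stack[-1]
            for child in children:
                if child in done or child in on_stack:   # finished, or a cycle
                    continue
                on_stack.add(child)
                stack.append((child, iter(sorted(callees.get(child, ())))))
                break
            else:                                        # all callees emitted
                stack.pop()
                on_stack.discard(ea)
                done.add(ea)
                if ea in callees:                        # skip eas that are not functions we own
                    order.append(ea)
    return order


def decompile_all(callees, decompile, clear_cache, max_passes=2):
    """decompile(ea) -> bool, clear_cache() -> None. Decompiles in callee-first
    order, then re-runs only the failures (after clearing the cache, so a cached
    failure cannot mask the now-available callee information), up to max_passes.
    Returns (decompiled, still_failing) as sorted lists."""
    pending = callee_first_order(callees)
    done = []
    for attempt in range(max_passes):
        if attempt:
            clear_cache()
        failed = []
        for ea in pending:
            (done if decompile(ea) else failed).append(ea)
        pending = failed
        if not pending:
            break
    return sorted(done), sorted(pending)


def build_call_graph():
    """Inside IDA: {func_start: set(callee_start)} over every function in the database."""
    import idautils
    import idc
    funcs = set(idautils.Functions())
    graph = {}
    for f in funcs:
        targets = set()
        for insn in idautils.FuncItems(f):
            for ref in idautils.CodeRefsFrom(insn, 0):
                start = idc.get_func_attr(ref, idc.FUNCATTR_START)
                if start in funcs and start != f:
                    targets.add(start)
        graph[f] = targets
    return graph


def decompile_database():
    """Inside IDA: drive decompile_all() with the real Hex-Rays calls."""
    import ida_hexrays
    if not ida_hexrays.init_hexrays_plugin():
        raise RuntimeError("Hex-Rays decompiler not available")

    def decompile(ea):
        try:
            return ida_hexrays.decompile(ea) is not None
        except ida_hexrays.DecompilationFailure:
            return False

    return decompile_all(build_call_graph(), decompile, ida_hexrays.clear_cached_cfuncs)


if __name__ == "__main__":
    done, failed = decompile_database()
    print("%d decompiled, %d still failing: %s"
          % (len(done), len(failed), ", ".join("0x%X" % ea for ea in failed)))
```

With a callee-first order the common case needs a single pass over the binary; the second pass only touches the functions that failed, which is what makes it cheap on large databases compared with a blind second full run.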

How to use JSON Utility to Import Data from Browser to Unity?

I am just getting started programming and I couldn’t wrap my head around the following problem I currently have:
I have a PHP Script which retrieves the CPU Temperature of a Raspberry Pi and shows it on a local Network in my browser. The output in my browser is just a blank page with the value e.g. 56.7 only and no more.
What I would like to know now is, if it’s possible with JSON Utility to take this value and import it into Unity -> to be more specific, into an Augmented Reality Environment using Vuforia, even if it’s on a local Network and the only output is just the temperature value.
Is there anyone who could answer these (probably trivial) questions and eventually could show me what the code could look like?
And is it correct to assume, that the value within Unity would change as soon as the value in my browser changes?
I would like to thank everyone in advance for any help at all and even though these questions seem obvious for experienced programmers, I wasn’t able to find a correct answer by now.
Best regards!
Use UnityWebRequest to contact your Raspberry Pi.
Parse the DownloadHandler.text any way you like. JSON Utility is one option for parsing the result, but it might be overkill if this is a hobby project that just gets one sensor value.
https://docs.unity3d.com/Manual/UnityWebRequest-RetrievingTextBinaryData.html
To parse the JSON with JsonUtility, you would make a class to hold the data, making sure to mark it with the Serializable attribute.
[System.Serializable]
public class MyData
{
    public float temperature;
}
And then parse it like this, in the RetrievingTextBinaryData example:
MyData myData = JsonUtility.FromJson<MyData>(www.downloadHandler.text);
Assuming your JSON looks like this:
{ "temperature": 30.7 }
Note: to make it continuously poll your Raspberry Pi for updates, you would need to download the temperature in the Update() method instead of Start() like in the example code.

found invokx in this source code

I'm very new to MASM.
I was trying to read this source code I found online and I came across invokx,
which is not invoke. I can't find anything on it anywhere, which is strange. Can anybody explain? Could it just be a typo?
code snippet here
    invoke Install
    invoke EnumProcs
    invokx _ExitProcess, 0
and another snippet too in some other part of the code
#nomore:
    ;; Destroy handle
    invokx _CloseHandle[ebx], hSnapshot
any help will be much appreciated , thanks
Judging by your code snippets, it's probably the macro defined here.
As the code is from the Tinba banking trojan, there's this article that talks about it:
"'GetBaseDelta' and 'invokx' are macros predefined in the code. As its name suggests, the first one calculates the delta offset and puts the result in the 'ebx' register [...] The second macro calls an API function based on the contents of the 'ebx' register (i.e. by taking into account the same delta offset)."
It seems that invokx can also work like the standard invoke.

Why do I get a slew of question marks when I parse a string with SuperObject?

I'm trying to parse this string using SuperObject in Delphi 7.
procedure TForm1.btn1Click(Sender: TObject);
var
  obj: ISuperObject;
  fw: string;
begin
  fw := '{"type":"normal","info":{"Name":"frank","Number":"01","Age":"21","registered":"Yes","Support":"Expired"}}';
  obj := TSuperObject.ParseString(PWideChar(fw), false);
  mmo1.lines.Add(obj.AsJSon(true, false));
end;
But result in the memo is like this:
"????????????????????????????????????????????????????}"
What am I doing wrong?
fw is a string, which in Delphi 7 is 8-bit ANSI encoded. The cast to PWideChar is thus incorrect: it will treat the 8-bit text as if it were UTF-16 encoded.
If the function you are calling really does receive PWideChar then you need to convert to UTF-16 first. For example like this:
PWideChar(WideString(fw))
You also report a separate problem that arises in the super object code. Specifically this line of code:
h := h*129 + ord(k[i]) + $9e370001;
raises an overflow error.
That happens because your project has the overflow checking option enabled (good practice to do so), but the super object code has been written under the assumption that the option is disabled. This is really a flaw in the super object code. You can solve it by disabling overflow checking in the super object code by adding {$OVERFLOWCHECKS OFF}. Ideally this would be disabled very locally for just the code that intentionally overflows. However, unless you fully understand the code it may just be easier to stuff {$OVERFLOWCHECKS OFF} at the top of the unit and move on.
Now, I'm looking at the very latest super object code and right at the top of the unit is {$OVERFLOWCHECKS OFF}. So I wonder if you are perhaps using an out of date version of the code. Pull the latest version from the repo.
I had the same problem using SuperObject 1.2.4 in Delphi 7. As many people have said, the solution is to get the latest version. So, to get the latest SuperObject version from the repository, do:
1. Install git (http://git-scm.com/)
2. Right click in some Folder, choose 'Git bash' and paste the following
git clone https://code.google.com/r/steve-superobject/
Done!
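Both points of the first answer, reproduced as an added example in Python (it is not SuperObject code and not from either poster): feeding the ANSI bytes of the question's literal to something that reads them as UTF-16 pairs them up into code points no ANSI control can display, and the hash line only behaves when its 32-bit arithmetic is allowed to wrap. Assumptions: a Western (cp1252) locale for the ANSI side, and a hash accumulator that is an unsigned 32-bit value starting at 0.

```python
"""Why PWideChar(fw) on an ANSI string shows question marks, and why the SuperObject
hash needs overflow checking off. Added Python example reproducing the Delphi 7
behaviour described in the answer; assumptions are marked inline."""

# The literal from the question, as Delphi 7 stores it: one byte per character (ANSI).
FW = b'{"type":"normal","info":{"Name":"frank","Number":"01","Age":"21","registered":"Yes","Support":"Expired"}}'


def misread_as_utf16(ansi_bytes):
    """What PWideChar(fw) hands to the callee: the same bytes, consumed two at a time as
    little-endian UTF-16 code units up to the first 16-bit NUL. A Delphi string carries a
    trailing #0, so an odd-length buffer ends with '<last byte> 00', i.e. the last ASCII
    character survives (which is why the memo output ends in '}')."""
    buf = ansi_bytes + b"\x00"
    if len(buf) % 2:
        buf += b"\x00"                      # keep the terminator a whole code unit
    text = buf.decode("utf-16-le", errors="surrogatepass")
    return text.split("\x00", 1)[0]


def show_in_ansi_control(text, codepage="cp1252"):
    """An ANSI TMemo converts UTF-16 text back to the system code page and renders
    code points outside it as '?'. Assumption: a Western (cp1252) locale."""
    return text.encode(codepage, errors="replace").decode(codepage)


def widen_properly(ansi_bytes, codepage="cp1252"):
    """The fix from the answer, PWideChar(WideString(fw)): decode the ANSI bytes first so
    every character becomes one UTF-16 code unit instead of half of one."""
    return ansi_bytes.decode(codepage)


MASK32 = 0xFFFFFFFF


def superobject_hash(key, wrap=True):
    """h := h*129 + ord(k[i]) + $9e370001 from the answer, folded over a key.
    Assumption: h is a 32-bit unsigned (Cardinal) starting at 0. wrap=True is modulo
    2**32 arithmetic, what the {$OVERFLOWCHECKS OFF} code relies on; wrap=False lets
    the value grow past 32 bits, the overflow a range-checked build reports as an error."""
    h = 0
    for ch in key:
        h = h * 129 + ord(ch) + 0x9E370001
        if wrap:
            h &= MASK32
    return h


if __name__ == "__main__":
    garbage = misread_as_utf16(FW)
    print(repr(garbage[:8]))                 # '{"' became U+227B, and so on
    print(show_in_ansi_control(garbage))     # 52 question marks then the surviving '}'
    print(widen_properly(FW) == FW.decode("ascii"))
    print(hex(superobject_hash("Name")), superobject_hash("Name", wrap=False) > MASK32)
```

The 105-byte literal yields 52 two-byte code units plus the final `}` paired with the terminator, matching the shape of the memo output in the question; the same reasoning tells you when such a cast will silently "work" (an even-length string whose byte pairs happen to form displayable characters) and when it will not.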

JTree Node Names / Group names are not visible

I've written a JTree with a couple of nodes. When I launch the program, I only see the node icons like folder or file and not the names associated with them. I can expand and collapse the nodes. When I debug, I see that the nodes are set with the proper data that I used while building the model. In this program, I've written wrappers for JTree, TreeModel, DefaultMutableTreeNode. What could be the problem? Any pointers would be of great help.
-Paul
Sorry for not posting more details/code. Anyway, I've found the problem with my code. The problem was that I had overridden the toString() method in the class that I use as the user object for the tree node, but it was returning null. As the method was returning null, nothing was displayed. I made it return the string to be displayed. It is working fine now.
Thanks guys..!