I'm very new to masm.
Was trying to read this source code I found online and I came about invokx,
which is not invoke. Can't find anything on it around, strange, can anybody explain? can it be just a typo?
code snippet here
invoke Install
invoke EnumProcs
invokx _ExitProcess, 0
and another snippet too in some other part of the code
#nomore:
;; Dedstroy handle
invokx _CloseHandle[ebx], hSnapshot
any help will be much appreciated , thanks
Judging by your code snippets, it's probably the macro defined here.
As the code is from the Tinba banking trojan, there's this article that talks about it:
‘GetBaseDelta’ and ‘invokx’ are macros predefined in the code. As its
name suggests, the first one calculates the delta offset and puts the
result in ‘ebx’ register [...] The second macro calls an API function
based on the contents of ‘ebx’ register (i.e. by taking into account
the same delta offset).
It seems that invokx can also work like the standard invoke.
Related
when I reverse the binary with IDA gui, all the functions get decompiled without a problem.
but when I am running an automatic script on ida without gui, there is always the same function, that refuses to be decompiled. (when I am openning the same IDB that the automation script worked on, the function get decompiled without a problem)
I am using bip. and using BipFunc.can_decompile to check if a function can get decompiled.
EDIT:
according to an answer bellow, I have tried to add the following:
if not func.can_decompile:
print(f"can't decompile function 0x{func.ea:04x}, trying again")
decomp_all()
if not func.can_decompile:
print(f"can't decompile function 0x{func.ea:04x}, trying again")
decomp_all_twice_cacheclear()
if not func.can_decompile:
print(f"can't decompile function 0x{func.ea:04x}, skipping...")
return
sadly it did not work, I get all 3 prints every time, even on different binaries
it seems to be fixed on IDA Pro 7.6
There is several reason you can get an error on the decompilation from IDA. If it works on some case and other it does not it is probably because of the call analysis. When decompiling a function IDA will try to gather information on the function called by this one and in some case fail to get those information which will make the decompilation fail. But once that function has been decompiled, the information fetched by IDA will be updated, and so the decompilation of the caller function might now work. So basically it means you have to decompile the function in an order, which is a pain, for fixing that the simplest way is to just decompile everything twice, but it can take quite some time if you do it on "big" binaries.
I though I put that in the Bip repository somewhere but I can't find it, so here is a small plugin/code which should allows to do that:
from bip import *
class DecompileAll(BipPlugin):
"""
Plugin for decompiling all the function in the binary.
"""
#menu("Bip/DecompileAll/", "Invalidate hexrays caches")
def clear_hxcCache(self):
HxCFunc.invalidate_all_caches()
#menu("Bip/DecompileAll/", "Decompile all func")
def decomp_all(self):
count = 0
for f in HxCFunc.iter_all():
count += 1
print("0x{:X} functions decompiled".format(count))
#menu("Bip/DecompileAll/", "Decompile twice with cache clear")
def decomp_all_twice_cacheclear(self):
HxCFunc.invalidate_all_caches()
self.decomp_all()
self.decomp_all()
Just for information the basic reason for decompilation error, is that it is not able to make a correct translation of some piece of code because it does not understand the assembly, this is typically true if there is a problem during the analysis and the code is not correctly detected (also happens a lot if you are dealing with obfuscation). You can typically view this case by an error telling you "failed analysis at ADDR" in the IDAPython console, and then look at the problem. Probably not your case but might still help.
Glad to hear you are using bip. So about the BipFunc.can_decompile function: like indicated in the documentation (https://synacktiv.github.io/bip/build/html/base/func.html#bip.base.BipFunction.can_decompile) it will just try to decompile the function and see if an error occurs. The code is pretty straight forward (https://github.com/synacktiv/bip/blob/master/bip/base/func.py#L372), this is mostly written for being done while using one-liner, its the same thing as catching the exception when trying to decompile.
In my Coded UI Test project, I need to check if few Labels or Messages are consistent with the context. But those checks are not critical if not consistent and I need to output them only as warnings.
Note that I'm using nested ordered tests to use only one global ordered test with vstest.console.exe and get in one shot the overall test coverage report.
Till now I was creating assertions to check those consistencies, but an assertion failure leads to Test failure, then to ordered test failure and then to playback stop.
I tried to change Playback.PlaybackSettings.ContinueOnError value before and after the assertion: this works as I expect as the assertion is well reported as a warning in the html report file. But whatever, it causes the ordered test to stop and then my global ordered test chaining to fail...
I tried to use TestContext.WriteLine too instead of creating assert, but it seems that this is not output in the html report.
So my question is:
is there any way to create an assertion only as a Warning that will be output in the html report file and that doesn't lead to a test failure?
Thanks a lot for any answer and help on this ;)
So I got my solution with developping my own Warning Engine to integrate Warnings in test report, 'cause I found no existing solution for that with the current Coded UI Test Assertion engine.
I'll try to take some time to post generic parts of the code structure with comments translated in english (we're french so default comments are french for now...), but here are the main step lines :
Create a template based on the UITestActionLog.html original file
report structure of Coded UI Test engine, with only the start
bloc and the javascript functions and CSS declarations in it.
Create an assertion class with a main function to manage insertion
of Warning html bloc in the html report first created from the template.
Then create custom assert functions to call the main function
whereever on runtime, and custom Stopwatch to inject elapsed time in
the report ('cause I could'nt found a way to get back the elapsed
time directly from the Coded UI Test engine).
That's it.
Just a proposition as a way to do it, maybe not the best one but it worked for me. I'll try to take time to put blocl codes to be clearer on it.
total noob here, hope this is OK
I'm using IDA trying to reverse engineer a little program I have. Currently the only thing I know about it is that it prints a string when started. I tried looking in the string section for that string but couldn't find it (guessing the string was generated mid-run).
So, I figured that if I could find a call to a function that prints data, I would be able to lock-on that part in the program. Is that possible? and if so, how?
If not, what should I do in order to find what happens after that string is printed? (the program awaits input, and upon bad input, exits...)
Try to search some classical windows API such as "printf" in IDA, i.e. you can search by key word "printf"
Look at ltrace, it intercepts calls to dynamically linked libraries.
I Have a aps MVC razor project, where the razor pages, show a error in the razor helpers than use a lambda expression,
for example:
#model Person
#Html.TextBoxFor(c=>c.Name)
is marked with red underline, and c.Name does no have intelisense.
But if i use
#Html.TextBox("hello")
is not marked with the red underline.
This does let me compile, and execute, but it's annoying, because of the lack of intelisense in the lambda expressions.
the error that gives is:
the type arguments for method cannot be inferred from the usage
Some things I have tried
to change a little the structure of the call:
#(Html.TextBoxFor(c=>c.Name))
Then only the lambda expression is in red and the error says:
cannot convert lambda expression to type because it is not a delegate type
I have the
<compilation debug="true" targetFramework="4.0">
with the targetFramework of my project, and all the other helpers that not uses lambda don't give this error.
What can it be?
I had this problem just now, and I know that it might not be help at all for you since this reply comes 2 years later, but searching in google this was the first result and I worked out a solution.
Turns out that there was a problem (I don't know why) with the "System.Core" reference. I tried to remove and add that reference again but I got an error when adding it. So I searched a bit more and discover that Microsoft made that reference even if it is not visible on your project so to add it again you need to edit the "*.csproj" yourself. I opened it with VS Code (you can even use Notepad) and then added:
<Reference Include="System.Core" />
I did it alphabetically like every other reference but I don't think that's important, in my case that was after "System.ComponentModel.Composition". Hope that this can help you if it happens to you again and maybe help anyone else that finds this question.
I wanted to move from one point to other on a spherical earth, and when I looked up, I found there is a function named reckon in matlab that does exactly what I need. But when I call it, it says Undefined function 'reckon' for input arguments of type 'double. Which means that maybe the function is not in my library. So I found the m-file from the internet and tried, but then it leads to same error with a different function, which I found the function reckon depends on. So I included that in my folder too, and then again there is a new function missing... and so on.
I have Matlab R2011b.
These functions seem to be in-built matlab functions as they show up in help, but as I'm new to matlab, maybe I'm wrong. What can be done?
As i just wanted to use the functions of the Mapping Toolbox,after some looking up, i found them all in a single package on a website. If any body else wants them too, and don't have the mapping toolbox, you can get all the functions here.
http://mooring.ucsd.edu/software/matlab/doc/toolbox/geo/index.html