In this blog post I am going to discuss how you can interact with basic blocks in IDAPython. Before we jump into the technical details, I want to provide some context and show why I became interested in exploring this feature of IDA Pro.

The other day I reverse engineered a backdoor that was heavily armored with two classic anti-disassembly techniques. The first technique substitutes jmp instructions with sequences of push and retn instructions. Figure 1 shows how this hinders the program's control flow analysis. First, IDA Pro interprets the retn instruction to mark a function's end.

[Figure 1: IDA Pro listing beginning at `.text:00564A90 sub_564A90 proc near ; CODE XREF: _tmainCRTStartup+10Dp`, showing the push/retn sequence]

Figure 2 shows the same disassembly after I changed the push operand type to offset.

[Figure 2: the same listing, `.text:00564A90 sub_564A90 proc near ; CODE XREF: _tmainCRTStartup+10Dp`, with the push operand displayed as an offset]

Second, IDA Pro is not able to identify the target addresses as code and hence does not disassemble them. The region surrounding the push/retn target is shown in Figure 3. You can see that a different code cross reference led IDA Pro to identify code starting at address 0x564C6D.
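The push/retn substitution described above can be recognised outside of IDA as well. The following Python script is an added example, not code from the original post: it scans a constructed 32-bit code blob for `push imm32 ; retn` pairs, reports the pushed value as the real control-flow target (the address a disassembler should treat as code rather than as the end of a function), and rewrites each pair into the equivalent `jmp rel32 ; nop` so that a plain linear disassembler follows the flow. The sample bytes, the filler instructions and the second target 0x564C80 are constructed for the example; 0x564A90 and 0x564C6D are the addresses from the post.

```python
import struct
from typing import List, Tuple

# Constructed sample (not from the post): a 32-bit code blob assumed to be
# loaded at BASE, the start of sub_564A90 in the post's listing.
BASE = 0x00564A90
SAMPLE = bytes.fromhex(
    "686D4C5600C3"  # push 0x564C6D ; retn  -> a jmp 0x564C6D in disguise
    "90909090"      # nop x4, filler
    "6800000000"    # push 0 with no retn behind it: an ordinary push
    "CC"            # int3, filler
    "68804C5600C3"  # push 0x564C80 ; retn  -> second disguised jmp (constructed target)
)

PUSH_IMM32 = 0x68  # opcode of "push imm32"
RETN = 0xC3        # opcode of "retn" (no stack adjustment)
JMP_REL32 = 0xE9   # opcode of "jmp rel32"
NOP = 0x90


def find_push_retn(code: bytes, base: int) -> List[Tuple[int, int]]:
    """Return (site, target) pairs for every 'push imm32 ; retn' sequence.

    `site` is the virtual address of the push, `target` the pushed immediate,
    i.e. the address that the retn will transfer control to. This is a naive
    byte scan: it can misfire on an 0x68 byte that belongs to another
    instruction, so inside IDA you would walk decoded instructions instead.
    """
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == PUSH_IMM32 and code[i + 5] == RETN:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, target))
            i += 6
        else:
            i += 1
    return hits


def code_targets(code: bytes, base: int) -> List[int]:
    """Addresses that should be marked as code because a disguised jmp lands there."""
    return sorted({target for _, target in find_push_retn(code, base)})


def deobfuscate(code: bytes, base: int) -> bytes:
    """Patch every 'push imm32 ; retn' (6 bytes) into 'jmp rel32 ; nop' (5 + 1 bytes).

    rel32 is relative to the end of the jmp instruction, so the patched blob
    keeps the same size and the same control flow, but the disassembler now
    sees an explicit branch instead of a function-ending retn.
    """
    patched = bytearray(code)
    for site, target in find_push_retn(code, base):
        off = site - base
        rel = target - (site + 5)                 # displacement from next instruction
        patched[off] = JMP_REL32
        struct.pack_into("<i", patched, off + 1, rel)
        patched[off + 5] = NOP
    return bytes(patched)


if __name__ == "__main__":
    for site, target in find_push_retn(SAMPLE, BASE):
        print(f"{site:08X}: push {target:#x} ; retn  ->  treat as jmp {target:#x}")
    print("code targets:", [hex(t) for t in code_targets(SAMPLE, BASE)])
    print("patched bytes:", deobfuscate(SAMPLE, BASE).hex())
```

Running the script lists 0x564A90 and 0x564AA0 as push/retn sites with targets 0x564C6D and 0x564C80, and the patched blob starts with `E9 D8 01 00 00 90`, a jmp to 0x564C6D followed by a nop. The lone `push 0` without a retn is left untouched, which is the distinction an analyst has to make by hand when IDA stops at the retn.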