  #1  
Old 05-27-2003, 21:14
kade
IDA Question about "db ? ; unexplored"

Hi,

I have a target (safedisc v2.8.11) which I am fully reversing to improve my skills. At the moment I am looking at secdrv.sys which is created from the main exe. I already found the decryption routine, but when I disassemble the main exe, the region of interest that contains the encrypted data is displayed as "db ? ; unexplored". How can I tell IDA that it needs to display those bytes? I need this because I want to write an IDC script to emulate the decryption routine. Some of you might say that there are easier ways to get hold of secdrv.sys and I know, and I have done that. But for me it is only to practice my IDA and reversing skills. I already fully reversed the appended section to the main app, ~e5d141.tmp, and the anti-debugging part of ~df394b.tmp. That only leaves me secdrv.sys, drvmgt.dll, ~defd6a.tmp and ~efe2.tmp. I have a long way to go, but as long as I have fun doing it ... I will do it.

Here is an illustration of my problem:

Hexviewer

EBFDA 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
EBFEC 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
EBFFE 11 11 00 00 00 00 13 CD 25 19 04 00 00 00 00 00 07 00

in IDA :

.data:004EBFFC db 11h ;
.data:004EBFFD db 11h ;
.data:004EBFFE db 11h ;
.data:004EBFFF db 11h ;
.data:004EC000 db ? ; unexplored
.data:004EC001 db ? ; unexplored

Kade

Last edited by kade; 05-27-2003 at 22:27.
  #2  
Old 05-29-2003, 22:27
kade
I solved my problem.

My problem had nothing to do with IDA, but with the .data section header. Apparently safedisc sets its virtual size to 8D458 and its raw size to 1B000. This explained my problem; setting the raw size also to 8D458 did the trick. IDA read the file like I wanted it to. One lesson I learned is that IDA only displays the first rawsize bytes and after that all the bytes become "db ? ; unexplored" or 0FFh if you like.

Here is the end result:

.data:004EBFFB db 11h ;
.data:004EBFFC db 11h ;
.data:004EBFFD db 11h ;
.data:004EBFFE db 11h ;
.data:004EBFFF db 11h ;
.data:004EC000 db 0 ;
.data:004EC001 db 0 ;
.data:004EC002 db 0 ;
.data:004EC003 db 0 ;
.data:004EC004 db 13h ;
.data:004EC005 db 0CDh ; -
.data:004EC006 db 25h ; %

But now I have a few related questions regarding Windows, not IDA:

When do the sections get loaded into memory? Do they get loaded according to the virtualsize or the rawsize? Does Windows take care of this, or does your program have to do it itself?

I ask this because when I set a breakpoint in SoftICE on the entrypoint, I cannot use the command dd to view data within the segments, except for the segment where the entrypoint is. All SoftICE shows is "?? ?? ?? ??".

The sections are as follows with their flags:

.text 60000020
.rdata 40000040
.data C0000040
.rsrc 40000040
stxt774 E0000020
stxt371 E0000020

stxt371 contains the entrypoint and is loaded into memory when SoftICE pops up at "bpx entrypoint". All the other sections are not loaded into memory yet. Why does that happen? The flags do not show that the sections would not be loaded into memory.

Last edited by kade; 05-30-2003 at 01:00.
  #3  
Old 05-30-2003, 04:28
loman
Have you got some tuts on sd2? Or are you working on your own? I would like to improve my skills too; I'm looking for some tuts but not able to find any. Thanks man!
  #4  
Old 05-30-2003, 05:00
kade
I have a tut on sd2 v2.70 but it is not quite the same as v2.80. After the weekend I can give it to you. You can search the Woodmann RCE board; just search for "sd2", "safedisc" or "c-dilla".
  #5  
Old 06-02-2003, 08:31
Lunar_Dust
Windows won't load a section of a program at all, until it needs to be used. In other words, it pages in the program 0x1000 bytes at a time, only if the pages are necessary. So your data sections won't exist in memory until the program accesses them.

-Lunar
  #6  
Old 06-02-2003, 20:59
kade
You are right, I didn't think of that.

Now I am again struggling a bit with the fact that the virtualsize is greater than the rawsize. Let's have a very simple imaginary example:

first section : Virtualsize = 010h
Size of Raw data = 08h
second section : Virtualsize = 08h
Size of Raw data = 08h

The raw file looks like this:

00 : 53 --> start first section
01 : 0A
02 : F5
03 : D6
04 : F4
05 : E4
06 : 16
07 : 39
08 : C8 --> start second section
09 : D2
0A : F6
0B : E5
0C : D7
0D : A6
0E : 05
0F : 0C

Normally the first 8 bytes will be loaded into memory because the sizeofrawdata is 8. But what happens with the other 8 bytes?

Does this get loaded into memory as follows?

00 : 53 --> start first section in memory
01 : 0A
02 : F5
03 : D6
04 : F4
05 : E4
06 : 16
07 : 39
08 : C8 or ??
09 : D2 or ??
0A : F6 or ??
0B : E5 or ??
0C : D7 or ??
0D : A6 or ??
0E : 05 or ??
0F : 0C or ??
10 : C8 --> start second section in memory
11 : D2
12 : F6
13 : E5
14 : D7
15 : A6
16 : 05
17 : 0C

Which one of the two is the right one?
  #7  
Old 06-02-2003, 21:11
kade
I was too quick to ask this question, because in the PE specification it says that when the virtualsize is greater than the size of raw data, it is padded with 0's. So now I have to look for the function where they load some data in this 0 area.
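The two findings of this thread, put into one runnable illustration (added here; this is not code from any of the posters, from IDA or from the PE loader): post #2's lesson that only the first SizeOfRawData bytes of a section come from the file, and post #7's point that the PE specification zero-pads the rest up to VirtualSize. The script builds a constructed two-section mini PE laid out like the imaginary example in post #6 (the alignments 0x8/0x10 are deliberately tiny and would not pass a real loader), parses its section table with struct, maps it the way a loader lays an image out, and lists the RVA ranges that have no bytes behind them in the file. The names parse_pe, file_backed_len, zero_filled_ranges, map_image and build_toy_pe are chosen for this example; the mapping rule (copy SizeOfRawData bytes, zero-fill to the aligned VirtualSize, treat VirtualSize 0 as "use the raw size") follows the specification's description rather than every loader quirk.

```python
"""Toy PE mapper: which section bytes come from the file and which are zero-filled.
Constructed example for this thread; not code from any poster, IDA or Windows."""
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_pe(data):
    """Return (SectionAlignment, SizeOfHeaders, SizeOfImage, [section dicts])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                    # optional header start
    section_alignment = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsections):
        f = SECTION_HDR.unpack_from(data, opt + opt_size + i * SECTION_HDR.size)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii"),
                         "VirtualSize": f[1], "VirtualAddress": f[2],
                         "SizeOfRawData": f[3], "PointerToRawData": f[4],
                         "Characteristics": f[9]})
    return section_alignment, size_of_headers, size_of_image, sections


def file_backed_len(section, section_alignment):
    """Bytes of this section copied from the file; everything after them, up to
    the aligned section size, comes from fresh zero pages (the area kade saw as
    'db ? ; unexplored' while the header still said SizeOfRawData = 1B000)."""
    vsize = section["VirtualSize"] or section["SizeOfRawData"]   # 0 means "use raw size"
    return min(section["SizeOfRawData"], align_up(vsize, section_alignment))


def zero_filled_ranges(sections, section_alignment):
    """(name, start RVA, end RVA) for every region that exists in memory but has no file bytes."""
    ranges = []
    for s in sections:
        backed = file_backed_len(s, section_alignment)
        vsize = s["VirtualSize"] or s["SizeOfRawData"]
        end = align_up(max(vsize, s["SizeOfRawData"]), section_alignment)
        if end > backed:
            ranges.append((s["name"], s["VirtualAddress"] + backed, s["VirtualAddress"] + end))
    return ranges


def map_image(data):
    """Build the in-memory image (RVA 0 = ImageBase) the way a loader lays it out."""
    section_alignment, size_of_headers, size_of_image, sections = parse_pe(data)
    image = bytearray(size_of_image)                   # fresh pages read as zero
    image[:size_of_headers] = data[:size_of_headers]   # headers are mapped at RVA 0
    for s in sections:
        n = file_backed_len(s, section_alignment)
        src = data[s["PointerToRawData"]:s["PointerToRawData"] + n]
        image[s["VirtualAddress"]:s["VirtualAddress"] + len(src)] = src
    return image, sections


def build_toy_pe():
    """Constructed two-section mini PE mirroring post #6's imaginary example.
    Alignments are deliberately tiny (0x8/0x10); real files need 0x200/0x1000."""
    file_align, sect_align = 0x8, 0x10
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    headers_len = 0x40 + 4 + 20 + 0xE0 + 2 * SECTION_HDR.size       # 0x188
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    struct.pack_into("<I", opt, 32, sect_align)                     # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)                     # FileAlignment
    struct.pack_into("<I", opt, 56, 0x1B0)                          # SizeOfImage
    struct.pack_into("<I", opt, 60, headers_len)                    # SizeOfHeaders
    raw1 = bytes.fromhex("530AF5D6F4E41639")   # post #6's first section bytes
    raw2 = bytes.fromhex("C8D2F6E5D7A6050C")   # post #6's second section bytes
    # first section: VirtualSize 0x10 but only 8 raw bytes -> 8 bytes zero-filled
    sec1 = SECTION_HDR.pack(b".data", 0x10, 0x190, 0x8, headers_len, 0, 0, 0, 0, 0xC0000040)
    # second section: VirtualSize == SizeOfRawData == 8, starts one alignment unit later
    sec2 = SECTION_HDR.pack(b"stxt", 0x8, 0x1A0, 0x8, headers_len + 8, 0, 0, 0, 0, 0xE0000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec1 + sec2 + raw1 + raw2


if __name__ == "__main__":
    pe = build_toy_pe()
    salign, _, _, sections = parse_pe(pe)
    image, _ = map_image(pe)
    for s in sections:
        print(f"{s['name']:6} VirtualSize={s['VirtualSize']:#x} SizeOfRawData={s['SizeOfRawData']:#x} "
              f"file-backed={file_backed_len(s, salign):#x}")
    for name, start, end in zero_filled_ranges(sections, salign):
        print(f"{name}: RVA {start:#x}-{end:#x} is zero-filled (no file bytes)")
    print("memory at RVA 0x190:", image[0x190:0x1B0].hex(" "))
```

Run stand-alone, the memory dump at RVA 0x190 shows the 8 raw bytes of the first section, 8 zero bytes, and then the second section's 8 bytes at 0x1A0, i.e. the second of the two layouts kade drew in post #6. Pointing parse_pe at a real file and feeding the result to zero_filled_ranges is the quick way to spot a section whose VirtualSize is far larger than its SizeOfRawData, which is the header shape that made the encrypted blob invisible in IDA in post #1.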