我做了很多工作来重命名和修复 lvar 类型以更好地理解代码 我在将一些转换unk_dword为数组时犯了一个错误我错过了它没有设置为 db 而是 dd 并且它覆盖了很多东西我丢失了很多我自己的东西,我知道我不会回来,但我可以忍受,但我似乎无法像以前那样用正确的名称来评估导入。
我试图Load->FLIRT signature file与Microsoft VisualC 2-10/net runtime这似乎是正确的,什么也没做。
在输出窗口我得到
004DB200: Already data or code (hint: make 'unexplored')
我想我需要让它无人探索?我该怎么做?我尝试取消定义导入,但U Key它不起作用。
这是一些屏幕截图
之前看起来像这样
之后看起来像这样
它的真正样子
这是以前的字节和现在的样子(8 个额外字节)
此修复程序不会保存到数据库或在加载 IDB 数据库时被覆盖它总是恢复到混乱状态!(我想我错过了一些改变)
不是正确的方法..但我设法解决了这个问题 IDC Scripts
打开一个新的 IDA PRO 让它分析然后去 File -> Produce File -> Dump Database to IDC File.
idc在记事本中打开转储文件并搜索导入注释的开头,例如因为; Imports from GDI32.dll那是第一次导入开始的地方。
现在只需从idc文件中复制+粘贴到括号前的函数末尾即可。
备份您搞砸的project.idb文件,因为如果您不小心,这可能会使它变得更糟!。
现在转到File->IDC Command...并粘贴我在本文末尾发布的内容。
IDC 命令文本框有限制,您不能粘贴太多,因此您需要按块拆分,我建议确保您的块以开头MakeDword不要以那个结尾。
这是我第一次从idc文件中导入它在下面生成的内容。
(This will only work for my application only obviously, just showing you what you need to look for.)
auto x;
#define id x
MakeArray (0X4DA0EC, 0XF14);
ExtLinA (0X4DB200, 0, "; ");
ExtLinA (0X4DB200, 1, "; Imports from GDI32.dll");
ExtLinA (0X4DB200, 2, "; ");
ExtLinA (0X4DB200, 3, "; Section 4. (virtual address 000DB000)");
ExtLinA (0X4DB200, 4, "; Virtual size : 0000090E ( 2318.)");
ExtLinA (0X4DB200, 5, "; Section size in file : 00000A00 ( 2560.)");
ExtLinA (0X4DB200, 6, "; Offset to raw data for section: 0002FC00");
ExtLinA (0X4DB200, 7, "; Flags C0000040: Data Readable Writable");
ExtLinA (0X4DB200, 8, "; Alignment : default");
MakeDword (x=0X4DB200);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB200, "GetObjectA");
MakeDword (x=0X4DB204);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB204, "DeleteObject");
MakeByte (0X4DB208);
MakeArray (0X4DB208, 0X4);
ExtLinA (0X4DB20C, 0, "; ");
ExtLinA (0X4DB20C, 1, "; Imports from KERNEL32.dll");
ExtLinA (0X4DB20C, 2, "; ");
MakeDword (x=0X4DB20C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB20C, "GetModuleFileNameA");
MakeDword (x=0X4DB210);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB210, "WritePrivateProfileStringA");
MakeDword (x=0X4DB214);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB214, "GetTickCount");
MakeDword (x=0X4DB218);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB218, "CloseHandle");
MakeDword (x=0X4DB21C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB21C, "GetFileTime");
MakeDword (x=0X4DB220);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB220, "CreateFileA");
MakeDword (x=0X4DB224);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB224, "GetPrivateProfileIntA");
MakeDword (x=0X4DB228);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB228, "GetPrivateProfileStringA");
MakeDword (x=0X4DB22C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB22C, "VirtualAlloc");
MakeDword (x=0X4DB230);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB230, "VirtualFree");
MakeDword (x=0X4DB234);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB234, "TerminateProcess");
MakeDword (x=0X4DB238);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB238, "GetExitCodeProcess");
MakeDword (x=0X4DB23C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB23C, "CreateProcessA");
MakeDword (x=0X4DB240);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB240, "GetCommandLineA");
MakeDword (x=0X4DB244);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB244, "SetConsoleTitleA");
MakeDword (x=0X4DB248);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB248, "Sleep");
MakeDword (x=0X4DB24C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB24C, "SetEndOfFile");
MakeDword (x=0X4DB250);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB250, "SetStdHandle");
MakeDword (x=0X4DB254);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB254, "GetFileType");
MakeDword (x=0X4DB258);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB258, "ExitProcess");
MakeDword (x=0X4DB25C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB25C, "GetNumberOfConsoleInputEvents");
MakeDword (x=0X4DB260);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB260, "PeekConsoleInputA");
MakeDword (x=0X4DB264);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB264, "GetConsoleMode");
MakeDword (x=0X4DB268);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB268, "SetConsoleMode");
MakeDword (x=0X4DB26C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB26C, "ReadConsoleInputA");
MakeDword (x=0X4DB270);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB270, "SetEnvironmentVariableA");
MakeDword (x=0X4DB274);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB274, "CompareStringW");
MakeDword (x=0X4DB278);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB278, "CompareStringA");
MakeDword (x=0X4DB27C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB27C, "LoadLibraryA");
MakeDword (x=0X4DB280);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB280, "WaitForSingleObject");
MakeDword (x=0X4DB284);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB284, "GetStringTypeW");
MakeDword (x=0X4DB288);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB288, "GetStringTypeA");
MakeDword (x=0X4DB28C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB28C, "IsBadCodePtr");
MakeDword (x=0X4DB290);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB290, "IsBadWritePtr");
MakeDword (x=0X4DB294);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB294, "IsBadReadPtr");
MakeDword (x=0X4DB298);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB298, "GetOEMCP");
MakeDword (x=0X4DB29C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB29C, "GetACP");
MakeDword (x=0X4DB2A0);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2A0, "GetCPInfo");
MakeDword (x=0X4DB2A4);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2A4, "GetEnvironmentStringsW");
MakeDword (x=0X4DB2A8);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2A8, "GetTimeZoneInformation");
MakeDword (x=0X4DB2AC);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2AC, "GetSystemTime");
MakeDword (x=0X4DB2B0);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2B0, "GetLocalTime");
MakeDword (x=0X4DB2B4);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2B4, "__imp_RtlUnwind");
MakeDword (x=0X4DB2B8);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2B8, "GetLastError");
MakeDword (x=0X4DB2BC);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2BC, "GetEnvironmentStrings");
MakeDword (x=0X4DB2C0);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2C0, "FreeEnvironmentStringsW");
MakeDword (x=0X4DB2C4);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2C4, "GetCurrentProcess");
MakeDword (x=0X4DB2C8);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2C8, "HeapAlloc");
MakeDword (x=0X4DB2CC);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2CC, "HeapReAlloc");
MakeDword (x=0X4DB2D0);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2D0, "HeapFree");
MakeDword (x=0X4DB2D4);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2D4, "RaiseException");
MakeDword (x=0X4DB2D8);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2D8, "GetVersion");
MakeDword (x=0X4DB2DC);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2DC, "ReadFile");
MakeDword (x=0X4DB2E0);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2E0, "WriteFile");
MakeDword (x=0X4DB2E4);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2E4, "SetFilePointer");
MakeDword (x=0X4DB2E8);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2E8, "HeapDestroy");
MakeDword (x=0X4DB2EC);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2EC, "LCMapStringW");
MakeDword (x=0X4DB2F0);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2F0, "SetHandleCount");
MakeDword (x=0X4DB2F4);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2F4, "GetStdHandle");
MakeDword (x=0X4DB2F8);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2F8, "GetStartupInfoA");
MakeDword (x=0X4DB2FC);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB2FC, "MultiByteToWideChar");
MakeDword (x=0X4DB300);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB300, "WideCharToMultiByte");
MakeDword (x=0X4DB304);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB304, "LCMapStringA");
MakeDword (x=0X4DB308);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB308, "UnhandledExceptionFilter");
MakeDword (x=0X4DB30C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB30C, "FreeEnvironmentStringsA");
MakeDword (x=0X4DB310);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB310, "HeapCreate");
MakeDword (x=0X4DB314);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB314, "SetUnhandledExceptionFilter");
MakeDword (x=0X4DB318);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB318, "GetFileAttributesA");
MakeDword (x=0X4DB31C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB31C, "FlushFileBuffers");
MakeDword (x=0X4DB320);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB320, "GetProcAddress");
MakeDword (x=0X4DB324);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB324, "GetModuleHandleA");
MakeByte (0X4DB328);
MakeArray (0X4DB328, 0X4);
ExtLinA (0X4DB32C, 0, "; ");
ExtLinA (0X4DB32C, 1, "; Imports from USER32.dll");
ExtLinA (0X4DB32C, 2, "; ");
MakeDword (x=0X4DB32C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB32C, "MessageBoxA");
MakeDword (x=0X4DB330);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB330, "LoadImageA");
MakeByte (0X4DB334);
MakeArray (0X4DB334, 0X4);
ExtLinA (0X4DB338, 0, "; ");
ExtLinA (0X4DB338, 1, "; Imports from WSOCK32.dll");
ExtLinA (0X4DB338, 2, "; ");
MakeDword (x=0X4DB338);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB338, "__imp_ioctlsocket");
MakeDword (x=0X4DB33C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB33C, "__imp_inet_ntoa");
MakeDword (x=0X4DB340);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB340, "__imp_WSACleanup");
MakeDword (x=0X4DB344);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB344, "__imp_WSAStartup");
MakeDword (x=0X4DB348);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB348, "__imp_recvfrom");
MakeDword (x=0X4DB34C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB34C, "__imp_sendto");
MakeDword (x=0X4DB350);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB350, "__imp_recv");
MakeDword (x=0X4DB354);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB354, "__imp_closesocket");
MakeDword (x=0X4DB358);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB358, "__imp_socket");
MakeDword (x=0X4DB35C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB35C, "__imp_inet_addr");
MakeDword (x=0X4DB360);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB360, "__imp_setsockopt");
MakeDword (x=0X4DB364);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB364, "__imp_htons");
MakeDword (x=0X4DB368);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB368, "__imp_htonl");
MakeDword (x=0X4DB36C);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB36C, "__imp_bind");
MakeDword (x=0X4DB370);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB370, "__imp_gethostbyname");
MakeDword (x=0X4DB374);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB374, "__imp_connect");
MakeDword (x=0X4DB378);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB378, "__imp_send");
MakeByte (0X4DB37C);
MakeArray (0X4DB37C, 0X4);
ExtLinA (0X4DB380, 0, "; ");
ExtLinA (0X4DB380, 1, "; Imports from zlib.dll");
ExtLinA (0X4DB380, 2, "; ");
MakeDword (x=0X4DB380);
OpOff (x, 0, 0);
OpOff (x, 128, 0);
MakeName (0X4DB380, "__imp_compress");
MakeByte (0X4DB384);
MakeArray (0X4DB384, 0X4);