In this blog post I am going to discuss how you can interact with basic blocks in IDAPython. Before we jump into the technical details, I want to provide some context and show why I became interested in exploring this feature of IDA Pro.
Background and Motivation
The other day I reverse engineered a backdoor that was heavily armored with two classic anti-disassembly techniques. The first technique substitutes
jmp instructions with sequences of
retn instructions. Figure 1 shows how this hinders the program’s control flow analysis. First, IDA Pro interprets the
retn instruction to mark a function’s end. Second, IDA Pro is not able to identify the target addresses as code and hence does not disassemble them.
.text:00564A90 sub_564A90 proc near ; CODE XREF: ___tmainCRTStartup+10Dp .text:00564A90 push 564C87h .text:00564A95 retn .text:00564A95 sub_564A90 endpFigure 1
Figure 2 shows the same disassembly after I changed the push operand type to offset.
.text:00564A90 sub_564A90 proc near ; CODE XREF: ___tmainCRTStartup+10Dp .text:00564A90 push (offset loc_564C83+4) .text:00564A95 retn .text:00564A95 sub_564A90 endpFigure 2
Continue reading “IDA Pro Anti-Disassembly, Basic Blocks, and IDAPython”