Finding instructions

Searching for instructions and opcodes is a basic necessity for security researchers, therefore to address this issue IDA Pro provides many search facilities, among them we list:

  • Text search: Used to search the listing for text patterns (regular expressions are allowed). One can write a regular expression to find any assignment to the eax register (with the mov instruction)


  • Binary search: Allows you to search for binary patterns with wildcard support. It is also possible to search for strings alongside with the binary patterns.


  • Immediate search: Very useful to find constants and magic numbers used in the program.
  • Please refer to the search menu for other search facilities

None of the existing search facilities allow us to readily search for instructions and opcodes. In order to do that, one has to assemble the instruction in question then use the Binary Search to find the pattern.


Each processor module in IDA can implement the assemble notification callback:

assemble,               // Assemble an instruction
                        // (display a warning if an error is found)
                        // args:
                        //  ea_t ea -  linear address of instruction
                        //  ea_t cs -  cs of instruction
                        //  ea_t ip -  ip of instruction
                        //  bool use32 - is 32bit segment?
                        //  const char *line - line to assemble
                        //  uchar *bin - pointer to output opcode buffer
                        // returns size of the instruction in bytes

Once this callback is implemented by the processor module one can then assemble instructions by calling the ph.notify() with the assemble notification code (please check this forum discussion here).

Currently, only the pc processor module implements this callback and provides a very basic assembler.

We wrote a script that allows you to search for opcodes and assembly statements, so for example to find the “33 c0″ (xor eax, eax), followed by “pop ebp” and followed by “ret” we could search like this:

find("33 c0;pop ebp;ret")



That’s the script operation in brief:

  1. Do some input initial validation
  2. Split the patterns
  3. Loop:
    1. Determine if the pattern is an assembly instruction or opcode list (using a simple regular expression)
    2. If pattern is an instruction then assemble it
    3. Accumulate the assembled (or converted opcodes) into a single buffer
  4. Now that we have one single binary buffer we can search for it with FindBinary()
  5. Display the result




The script uses the Assemble() function (available in IdaPython r233 and above). Comments and suggestions are welcome.

An attempt to reconstruct the call stack

Walking the stack and trying to reconstruct the call stack is a challenge (especially if no or little symbolic information is present) and there are many questions to be answered in order to have a correct call stack:

  • Determining return address
  • Determining the boundary of the caller function
  • Distinguishing between pointers to callbacks and return addresses
  • Determining stack frames

In this post, we are going to implement the method entitled “Manually Walking a Stack” described in the MSDN.
While this approach does not always give accurate results, it is still possible to get a fairly correct call stack.

Continue reading An attempt to reconstruct the call stack