We can use IDA to examine assembly code and translate the disassembly into some pseudo C code by hand. However, no matter how good the pseudocode is, it is still pseudocode. The chances of errors and ambiguities grow with the amount of pseudocode, and eventually we can get lost.

I thought about another method of reverse engineering. We will still use IDA to inspect the disassembly, but we will translate the disassembly into real C code on a per-function basis and force the inspected program to use our code instead. We will accumulate our code in a separate DLL, just like IDA's database for the inspected executable. This way we will have the solid ground of C (type system, clear names, function prototypes). We can write something that actually builds, and we can run the program to see if we got it right. As we advance through the reverse engineering process, we can translate more functions and rename struct fields, functions and variables in our C code as their purpose becomes clear. If we made errors, the program will probably crash. We can also make changes to IDA's database to keep things in sync.

I think this increases our chances of achieving our reverse engineering goals, especially for large programs that contain thousands of functions. I think it is preferable to run the program as usual, without any tricks like CreateProcess with the suspended flag, DLL injection, etc. The idea is to create a dlc DLL for each image (EXE, DLL) we are interested in. This dlc DLL will be loaded together with the image (right after it), and will replace the original functions with jumps to our own functions (inside the dlc DLL).
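To make the redirection step concrete, here is an added example (not code from the original post) of what the dlc DLL's redirect table and the "replace with a jump" step can look like. It works on a constructed byte buffer standing in for the mapped image, so it runs anywhere; the struct layout, the `expect` prologue check and the addresses are assumptions for illustration. The prologue check is the safeguard the post hints at: if the bytes at the function are not the ones recorded from IDA (wrong build, wrong version), the patch is refused instead of producing the crash described above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* One entry of the redirect table a dlc DLL would carry (assumed layout): where the
 * original function sits in the image, the prologue bytes recorded from IDA, and
 * the address of the C replacement inside the dlc DLL. */
typedef struct {
    uint32_t rva;          /* offset of the original function in the image */
    uint8_t  expect[5];    /* first five bytes as seen in IDA */
    uint64_t replacement;  /* address of our function in the dlc DLL */
} redirect_t;

/* Encode "jmp rel32" (E9 xx xx xx xx) from 'from' to 'to'. Returns 0 when the
 * displacement does not fit a signed 32-bit field (a 64-bit image mapped far from
 * the dlc DLL), so a truncated jump is never written. */
int build_jmp(uint8_t out[5], uint64_t from, uint64_t to) {
    int64_t rel = (int64_t)to - (int64_t)(from + 5);
    if (rel < INT32_MIN || rel > INT32_MAX) return 0;
    uint32_t d = (uint32_t)(int32_t)rel;
    out[0] = 0xE9;                       /* little-endian displacement follows */
    out[1] = d & 0xFF; out[2] = (d >> 8) & 0xFF;
    out[3] = (d >> 16) & 0xFF; out[4] = (d >> 24) & 0xFF;
    return 1;
}

/* Patch one function in 'image' (a byte buffer standing in for the mapped image at
 * 'image_base'). Refuses when the prologue is not the one IDA showed. */
int redirect_function(uint8_t *image, uint64_t image_base, const redirect_t *r) {
    uint8_t *site = image + r->rva;
    uint8_t patch[5];
    if (memcmp(site, r->expect, 5) != 0) return 0;  /* code differs: do not patch */
    if (!build_jmp(patch, image_base + r->rva, r->replacement)) return 0;
    memcpy(site, patch, 5);
    return 1;
}

/* Constructed demo: a 64-byte "image" with one function at RVA 0x10 whose
 * prologue is push ebp / mov ebp,esp / sub esp,10h (55 8B EC 83 EC 10). */
int demo(uint8_t image[64]) {
    static const uint8_t prologue[6] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
    redirect_t r = {0x10, {0x55, 0x8B, 0xEC, 0x83, 0xEC}, 0x10001000ULL};
    memset(image, 0xCC, 64);
    memcpy(image + 0x10, prologue, sizeof prologue);
    return redirect_function(image, 0x00400000ULL, &r);  /* expect 1 */
}

int main(void) {
    uint8_t image[64];
    int ok = demo(image);
    printf("patched=%d, first byte at RVA 0x10 = %02X\n", ok, image[0x10]);
    return ok ? 0 : 1;
}
```

In a real dlc DLL the write would go through VirtualProtect on the live image rather than into a local buffer; the displacement arithmetic and the prologue check are the same.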