API tools faq
paste
Advertisement
waliedassar

CodeView Parsing Code

waliedassar
Jun 21st, 2012
322
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 4.04 KB | None | 0 0
raw download clone embed print report
  1. http://www.twitter.com/waleedassar
  2. //The following is only for educational purposes demonstrating a bug found in IDA Pro.
  3. //For more info:
  4. //http://waleedassar.blogspot.com/2012/06/ida-pro-and-codeview-debug-info-bug.html
  5.  
  6. //global variables.
  7.  
  8. unsigned long cv_version;
  9. unsigned long shitty;
  10. unsigned long shitty2;
  11.  
  12. //The following structure is used with PDB v2.00
  13. struct CV_INFO_PDB20
  14. {
  15.      unsigned long Signature; //e.g. NB10
  16.      unsigned long Reserved;  //Usually zero
  17.      unsigned long TimeDateStamp; //Seconds elapsed since 01/01/1970
  18.      unsigned long Age;//This field is incremented with each time CV info is embedded e.g. relinking
  19.      unsigned char PdbFileName[1]; //Null-terminated string.
  20. };
  21.  
  22. struct CV_INFO_PDB20
  23. {
  24.      unsigned long Signature; //e.g. RSDS
  25.      GUID          Guid;
  26.      unsigned long Age; //This field is incremented with each time CV info is embedded e.g. relinking
  27.      unsigned char PdbFileName[1]; //Null-terminated string.
  28. };
  29.  
  30. struct CV_INFO2
  31. {
  32.          unsigned short ID;
  33.          unsigned short Pad;
  34.          unsigned long  Offset;
  35. };
  36. struct CV_INFO
  37. {
  38.        unsigned short Sign; //always 0x10
  39.        unsigned short Incrementer;
  40.        unsigned long NumberOfXX;
  41.        unsigned long unk1;
  42.        unsigned long unk2;
  43.        CV_INFO2 info;
  44. };
  45.  
  46. bool IsSupported_CodeView(void* pCodeView)
  47. {
  48.         if(!strncmp((char*)pCodeView,"NB02",0x4)
  49.         ||  !strncmp((char*)pCodeView,"NB05",0x4)
  50.         ||  !strncmp((char*)pCodeView,"NB08",0x4)
  51.         ||  !strncmp((char*)pCodeView,"NB09",0x4)
  52.         ||  !strncmp((char*)pCodeView,"NB11",0x4) ) return true;
  53.         return false;
  54. }
  55.  
  56. void CodeView_function(void* pCodeView, unsigned long size_codeview)
  57. {
  58.     //Test for PDB v2.00 and PDB v7.00
  59.     if(       *(unsigned long*)pCodeView=='01BN'  /* PDB v2.00 */ ||
  60.               *(unsigned long*)pCodeView=='SDSR'  /* PDB v7.00 */   )
  61.     {
  62.              run_plugin(load_plugin("pdb"),0x1);
  63.              return;
  64.     }
  65.     call_CallUi("Loading CODEVIEW debug information...\n");
  66.     if(!IsSupported_CodeView(pCodeView))
  67.     {
  68.             call_CallUi("Unknown codeview information format: %4.4s",pCodeView);
  69.             return;
  70.     }
  71.     unsigned long c1=*((unsigned char*)pCodeView+2);  //NB02 --> '0'
  72.     unsigned long c2=*((unsigned char*)pCodeView+3);  //NB02 --> '2'
  73.     cv_version=c2+(c1*10)-0x210;  //evaluate to 0x2 ('02' to 0x2)
  74.     unsigned long block_size=*((unsigned long*)pCodeView+1);  //header size
  75.     if(block_size==-1)
  76.     {
  77.           call_CallUi("Borland debug information is ignored\n";
  78.           return;
  79.     }
  80.     if( (block_size<size) && ( ((CV_INFO*)((unsigned long)pCodeView+block_size))->Sign==0x10))
  81.     {
  82.           unsigned long i=0;
  83.           shitty=i;
  84.  
  85.           unsigned long* pNumberOfXX=&(((CV_INFO*)((unsigned long)pCodeView+block_size))->NumberOfXX);
  86.           shitty2=i;
  87.  
  88.           CV_INFO2* pInfo=&(((CV_INFO*)((unsigned long)pCodeView+block_size))->info);   //esp+0x10
  89.          
  90.           if(*pNumberOfXX>0)
  91.           {
  92.                  unsigned long* pIncrementer=((CV_INFO*)((unsigned long)pCodeView+block_size))->Incrementer;  //esp+0x14
  93.                  do
  94.                  {
  95.                           unsigned long id=pInfo->ID;
  96.                           unsigned long Ptr=(unsigned long)pCodeView+(pInfo->Offset);
  97.                           //eeexx+=pCodeView;
  98.                           if(id==0x12E)
  99.                           {
  100.                                    //
  101.                           }
  102.                           else if(id==0x12D)
  103.                           {
  104.                                   unsigned short xxx=*(unsigned short*)Ptr;
  105.                                   Ptr++;
  106.                                   gID=id;
  107.                                   shitty1=Ptr;
  108.                           }
  109.                           i++;
  110.                           pInfo=(unsigned long)pInfo+(*pIncrementer);
  111.                  }while(i<*pNumberOfXX);
  112.           }    
  113.     }
  114.     call_CallUi("Invalid Codeview debug information");
  115.     return;            
  116. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!