
IDA .asm file >> PE file with MASM causing errors - how to do it right?

Topic created on: November 7, 2008 15:59 CST by dmitry32.

I am looking for a way to create a PE file from an IDA Pro disassembly. I figured out that IDA is able to create a .asm dump of the current database, but all my attempts to assemble and link this file have failed. I tried with MASM 6, the current MASM, TASM and some other, less-known assemblers, but all seem to have trouble with the syntax of the file. The following are the first few lines of MASM 9's litany of errors which it produces when given IDA's asm dump.

C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin>ml.exe t6.asm
Microsoft (R) Macro Assembler Version 9.00.30729.01
Copyright (C) Microsoft Corporation.  All rights reserved.

Assembling: t6.asm
inc.inc(21) : error A2179:structure improperly initialized
inc.inc(21) : error A2008:syntax error : in structure
t6.asm(161) : error A2001:immediate operand not allowed
t6.asm(1298) : error A2189:invalid combination with segment alignment : 512
t6.asm(2696) : error A2005:symbol redefinition : hInstance
t6.asm(2716) : error A2005:symbol redefinition : hWnd
t6.asm(2717) : error A2189:invalid combination with segment alignment : 256

These are the first few lines of my IDA dump with IDA's comments removed; t2.inc is an include file containing all symbolic constants, also created by IDA.

.686p
.mmx
.model flat
include t2.inc
_text segment para public 'CODE' use32
assume cs:_text
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

public start
start proc near
push 0 ; lpModuleName
call GetModuleHandleA
mov hInstance, eax
call GetCommandLineA
mov hInstance_0, eax
push 0Ah ; int
push hInstance_0 ; int
push 0 ; int
push hInstance ; hInstance
call main
push eax ; uExitCode
call ExitProcess
start endp

main proc near
hWnd= dword ptr -50h
Msg= tagMSG ptr -4Ch
var_30= WNDCLASSEXA ptr -30h
hInstance= dword ptr  8

push ebp


While I did try to manually make the file compatible with MASM (basically by removing ALIGN directives, including EXTRN statements and renaming variables), this is not a practicable solution given the size of the executable.

Do you have any suggestions on how to get an IDA output file assembled correctly with little or no manual editing?

[Btw... I literally spent hours looking this up on Google with nothing useful turning up. What do the more experienced reverse code engineers do when, for example, solving a crackme which needs more than simple instruction-wise patching?]

Thanks in advance
Dmitry

EDIT: Forgot to add: I know that the PE file I would get if I could assemble IDA's dump would be lacking all resource data. This, however, is irrelevant for my work; I only care about code.

  igorsk     November 7, 2008 18:54.29 CST
IDA's output is not really intended for reassembly. Depending on your goal, it's usually better to just patch the exe or cut out small chunks of code and assemble them separately. An IDC script or something like Code Snippet Creator might help with the latter.

  cseagle     November 8, 2008 02:10.18 CST
You might look into the PE utility scripts available here: http://www.hex-rays.com/idapro/freefiles/pe_scripts.zip, especially the pe_write.idc script.

If you are patching the binary in IDA and then trying to dump the changes to a new executable, why don't you just generate an IDA dif file and use the dif file to patch the original binary (see http://www.idabook.com/examples/chapter_14/ida_patcher.c for example)

  dmitry32   November 12, 2008 17:24.50 CST
Thanks a lot for your replies... the PE scripts are what I am currently using, but they offer extremely limited possibilities (that's why I tried the MASM approach). An IDA diff file would be another option, but I do not want to edit the binary in IDA. IDA is a great disassembler, but a lousy tool for patching. My preferred workflow would be like
PE File ==> IDA (for unpacking, finding code/data etc...) ==> asm IDE for applying patches / adding new functionality ==> Assembler ==> New PE File

Let us assume that I have a networked application using a proprietary, stateful protocol which I want to test for remotely exploitable security holes. With the patching approach, I am limited to either doing trivial patches in the original application, which makes the whole task extremely difficult, or reverse engineering the whole network subsystem manually and writing a compatible client. The ideal solution would be to have the original asm code accessible through an asm dump file, where I can call the network subsystem's high level functions at will without having to recreate it from scratch. Since this is not possible, could you give me any advice how to tackle this specific problem? [And before you ask, no I am not trying to do anything illegal here.]

Thank you for your time and willingness to help, I appreciate it =)
Dmitry

  anoirel   November 14, 2008 04:01.03 CST
You can compile IDA asm output without any major problems.
However you need to know how your specific asm compiler works.

I believe IDA uses a TASM-like syntax.
Hence the need to fix some declarations so that your specific assembler could understand the code.

Here is an IDA generated source code that I have corrected/adapted to work with MASM.
I left some of the IDA syntax so you could see the difference. (My comments are those starting with ;*********)

-%<-- Cut here:



;
; +-------------------------------------------------------------------------+
; |   This file has been generated by The Interactive Disassembler (IDA)    |
; |    Copyright (c) 2008 by Hex-Rays, <[email protected]>     |
; | License info: 50-3990-8370-2C     |
; |    Anoirel Issa,     |
; +-------------------------------------------------------------------------+
;
;
;******Header:
;******      .686p
;******      .mmx
;******      .model flat

;********* To be replaced by:
.386
.model flat,stdcall
option casemap:none

include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
;****** _text segment para public 'CODE' use32
;******      assume cs:_text
;******      ;org 401000h
;******      assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================

.CODE

;public start   fixed for masm32 syntax:
    start:
_start proc near ;*** I have renamed the 'start' -> '_start' because masm needs 'start' as the beginning of the Code (EP)
      push 0 ; uType
      push offset Caption ; "IDA generated asm"
      push offset Text ; "this file is 2500 bytes"
      push 0 ; hWnd
      call MessageBoxA
      push 0
      call $+5
      jmp ds:ExitProcess
_start endp

; [00000006 BYTES: COLLAPSED FUNCTION MessageBoxA. PRESS KEYPAD "+" TO EXPAND]
;********** Alignment not necessary
;      align 200h
;********** _text ends not for our compiler

; Section 2. (virtual address 00002000)
; Virtual size : 00000092 ( 146.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000600
; Flags 40000040: Data Readable
; Alignment : default
;
; Imports from kernel32.dll
;
; ===========================================================================

;********** [These import declarations are not needed as we have declared them in the include section at the beginning of the program:]
; Segment type: Externs
; _idata
;********** extrn ExitProcess:dword ; DATA XREF: start+1Ar

;
; ********  Imports from user32.dll
;
;*********   extrn __imp_MessageBoxA:dword ; DATA XREF: MessageBoxAr

; ===========================================================================

; Segment type: Pure data
; Segment permissions: Read
;**********_rdata segment para public 'DATA' use32
;********** assume cs:_rdata
;**********all data here
;**********_rdata ends

; Section 3. (virtual address 00003000)
; Virtual size : 0000002E ( 46.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000800
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================

;**********_data segment para public 'DATA' use32
;**********      assume cs:_data
.data
Caption db 'Ida generated asm file',0    ; DATA XREF: start+2o
; char Text[]
Text  db 'this file is 2500 bytes',0    ; DATA XREF: start+7o

;********** align 200h
;**********_data ends

end start

-%<-- Cut here



If you want to see it more clearly, just remove all commented lines.
In short, you need to fix:

- the assembler directives in the header
- the imports (with MASM there is no need to declare every imported function like in TASM)
- the section declarations (.CODE, .DATA ...)
- some other minor differences that you might find while compiling.

IDA asm output can save a lot of time, especially when dealing with huge code.


Hope this helps.

  dmitry32   November 15, 2008 16:40.17 CST
=== PROBLEM SOLVED! ===

Thanks a lot anoirel, you gave me exactly what I was looking for. I successfully managed to re-assemble IDA's output. I had to do some additional fixups in IDA (undefine all structs, undefine all fields in the start: function, undefine all enums, rename some global variables having reserved names (hInstance and hWnd in my case)).
When I have time, I will write a script which automates these fixups and post it here.
Thanks again, you helped me save a lot of time!

Cheers, dmitry
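An added example, not dmitry32's promised script (which does not appear in this thread) and not code from anoirel's post, that automates the fixups listed above in Python: it replaces IDA's .686p/.mmx/.model header with anoirel's MASM32 header, drops the assume/align/extrn/ends lines, maps the segment declarations to .CODE/.DATA, turns 'start' into a start: label plus a _start proc, and renames the clashing hInstance/hWnd globals. The g_ prefix, the masm32 include paths and the sample dump are assumptions of this example.

```python
import re

# MASM32-style header that replaces IDA's .686p/.mmx/.model flat block (anoirel's post above).
MASM_HEADER = [".386", ".model flat,stdcall", "option casemap:none",
               r"include \masm32\include\kernel32.inc", r"include \masm32\include\user32.inc",
               r"includelib \masm32\lib\kernel32.lib", r"includelib \masm32\lib\user32.lib"]
# Globals whose IDA names collide with symbols from the masm32 includes (dmitry32's case);
# the g_ prefix is this example's own choice, not something the thread prescribes.
RESERVED = {"hInstance": "g_hInstance", "hWnd": "g_hWnd"}

def ida_to_masm(src: str) -> str:  # returns the rewritten source for ml.exe
    out = list(MASM_HEADER)
    for line in src.splitlines():
        code, sep, comment = line.partition(";")  # assumption: no ';' inside string literals
        s = code.strip()
        if s.lower() in (".686p", ".mmx", ".model flat") or s.lower().startswith("assume "):
            continue  # covered by MASM_HEADER
        if re.match(r"(align\s+\w+|extrn\s.*|public\s+start|\w+\s+ends)$", s, re.I):
            continue  # section alignment, per-import extrn lines and 'xxx ends' are not needed
        m = re.match(r"\w+\s+segment\s.*'(\w+)'", s, re.I)
        if m:  # "_text segment ... 'CODE' use32" -> .CODE, any data segment -> .DATA
            out.append(".CODE" if m.group(1).upper() == "CODE" else ".DATA")
            continue
        if re.match(r"start\s+proc\b", s, re.I):
            out.extend(["start:", "_start proc near"])  # MASM wants 'start' as the entry label
            continue
        if re.match(r"start\s+endp$", s, re.I):
            out.append("_start endp")
            continue
        for old, new in RESERVED.items():  # rename clashing globals, whole words only
            code = re.sub(r"\b%s\b" % old, new, code)
        out.append(code + sep + comment)  # keep IDA's trailing comment untouched
    return "\n".join(out) + "\n"

# Constructed sample in the shape of dmitry32's dump above (not a real IDA export).
SAMPLE = """.686p
_text segment para public 'CODE' use32
assume cs:_text
start proc near
push 0 ; lpModuleName
mov hInstance, eax
start endp
align 200h
_text ends
_data segment para public 'DATA' use32
hInstance dd ?
_data ends
end start"""
```

Running `ida_to_masm(SAMPLE)` yields a file with the MASM32 header, a `.CODE` block starting at `start:` / `_start proc near`, and a `.DATA` block holding `g_hInstance dd ?`.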

  Locker   November 8, 2011 22:51.51 CST
Was this script ever posted anywhere?
