tags:

views:

145

answers:

1
Q: 

Patching an EXE using IDA

Say there is a buggy program that contains a sprintf() and i want to change it to a snprintf so it doesn't have a buffer overflow.. how do I do that in IDA??

+2  A: 

You really don't want to make that kind of change using information from IDA pro.

Although IDA's disassembly is relatively high quality, it's not high quality enough to support executable rewriting. Converting a call to sprintf to a call to snprintf requires pushing a new argument on to the stack. That requires the introduction of a new instruction, which impacts the EA of everything that follows it in the executable image. Updating those effective addresses requires extremely high quality disassembly. In particular, you need to be able to:

  1. Identify which addresses in the executable are data, and which ones are code
  2. Identify which instruction operands are symbolic (address references) and which instruction operands are numeric.

Ida can't (reliably) give you that information. Also, if the executable is statically linked against the crt, it may not contain snpritnf, which would make performing the rewriting by hand VERY difficult.

There are a few potential workarounds. If there is sufficient padding available in (or after) the function making the call, you might be able to get away with only rewriting a single function. Alternatively, if you have access to object files, and those object files were compiled with the /GY switch (assuming you are using Visual Studio) then you may be able to edit the object file. However, editing the object file may still require substantial fix ups.

Presumably, however, if you have access to the object files you probably also have access to the source. Changing the source is probably your best bet.

Scott Wisniewski  2010-07-01 23:08:08
There doesn't need to be space available anywhere near the function in question, really -- as long as you can find (or make) some space somewhere in the appropriate section, you could replace something in the original function with a JMP to your new instruction sequence there. But, honestly, it's easier to figure out how to do this with OllyDbg.
SamB  2010-07-15 19:30:04
You are right.. you don't necessarily need to have room near the function. However I wouldn't advocate doing it frequently, as it could adversely impact performance (it will have poor locality). For one call to sprintf, it would be ok. If you have MANY calls to sprintf, though, then you don't want to introduce a bunch of crazy jumps all over the place.
Scott Wisniewski  2010-07-16 02:23:51

related questions

Displaying information from MATLAB without a line feed
Rounding doubles - .5 - sprintf
c++ what happens if you print more characters with sprintf, than the char pointer has allocated?
Using floats with sprintf() in embedded C
Calling swprint from a separate lib fails
Only show decimal point if floating point component is not .00 sprintf/printf
How can I sprintf a big number in Perl?
sprintf outcome problem
C: using sprintf and strncpy inserting data into an array of pointers
Customizable implementation of sprintf()
Javascript printf/string.format
How do display functions like sprintf convert numbers to strings?
In Perl, how can I limit the number of places after the decimal point but have no trailing zeroes?
Is there any way to determine how many characters will be written by sprintf?
create a my_printf that sends data to both a sprintf and the normal printf?
Silly sprintf() question
sprintf() without trailing null space in C
sprintf access violation
sprintf in C#?
sprintf() and WriteFile() affecting string Buffer
How can I improve/replace sprintf, which I've measured to be a performance hotspot?
The origin of sprintf-style string formatting
How do I emulate Python's named printf parameters in Ruby?
how to use "%f" to populate a double value into a string with the right precision
Looking for algorithm that reverses the sprintf() function output