
Say there is a buggy program that contains a sprintf() and I want to change it to a snprintf so it doesn't have a buffer overflow. How do I do that in IDA?

+2  A: 

You really don't want to make that kind of change using information from IDA pro.

Although IDA's disassembly is relatively high quality, it's not high quality enough to support executable rewriting. Converting a call to sprintf to a call to snprintf requires pushing a new argument onto the stack. That requires the introduction of a new instruction, which impacts the EA (effective address) of everything that follows it in the executable image. Updating those effective addresses requires extremely high quality disassembly. In particular, you need to be able to:

  1. Identify which addresses in the executable are data, and which ones are code
  2. Identify which instruction operands are symbolic (address references) and which instruction operands are numeric.

IDA can't (reliably) give you that information. Also, if the executable is statically linked against the CRT, it may not contain snprintf, which would make performing the rewriting by hand VERY difficult.

There are a few potential workarounds. If there is sufficient padding available in (or after) the function making the call, you might be able to get away with only rewriting a single function. Alternatively, if you have access to object files, and those object files were compiled with the /GY switch (assuming you are using Visual Studio), then you may be able to edit the object file. However, editing the object file may still require substantial fix-ups.

Presumably, however, if you have access to the object files you probably also have access to the source. Changing the source is probably your best bet.

Scott Wisniewski
There doesn't need to be space available anywhere near the function in question, really: as long as you can find (or make) some space somewhere in the appropriate section, you could replace something in the original function with a JMP to your new instruction sequence there. But, honestly, it's easier to figure out how to do this with OllyDbg.
SamB
You are right; you don't necessarily need to have room near the function. However, I wouldn't advocate doing it frequently, as it could adversely impact performance (it will have poor locality). For one call to sprintf, it would be OK. If you have MANY calls to sprintf, though, then you don't want to introduce a bunch of crazy jumps all over the place.
Scott Wisniewski
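As an added example (not code from the question, the answer or the comments above), the C below shows the three shapes the thread is talking about: the sprintf call as the question describes it, the snprintf form that needs the extra size argument the answer says has no slot at the call site, and a drop-in wrapper with sprintf's own signature. The wrapper is the reason the JMP/detour approach in the comments works without shifting any addresses: the call site keeps its argument list and only the call target changes, with the bound baked into the wrapper. BUF_SIZE, the "id=%s" format and the function names are assumptions for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the caller's fixed buffer; in a real patch this comes from
 * the stack-frame or global allocation you found in the disassembly. */
#define BUF_SIZE 16

/* "Before": the buggy shape from the question. Any `user` longer than
 * BUF_SIZE-1-3 bytes runs off the end of buf. Kept as written to show the
 * bug; it is never called on untrusted input here. */
void format_unsafe(char *buf, const char *user)
{
    sprintf(buf, "id=%s", user);
}

/* "After" at source level: snprintf takes one more argument (the size).
 * At the binary level that extra argument is the new push/mov instruction
 * the answer says you cannot insert without relocating everything after it.
 * Returns snprintf's result: the length it wanted to write, so a value
 * >= size means the output was truncated (buf is still NUL-terminated). */
int format_safe(char *buf, size_t size, const char *user)
{
    return snprintf(buf, size, "id=%s", user);
}

/* Drop-in replacement with exactly sprintf's signature and return value.
 * Because the argument list is unchanged, a patch only has to retarget the
 * existing call (or detour it with a JMP to this body placed in free space)
 * instead of inserting an instruction. The bound is a constant chosen at
 * patch time and must match the real buffer the caller passes. */
int sprintf_bounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, BUF_SIZE, fmt, ap);
    va_end(ap);
    return n;
}

/* Decides, without writing anything, whether the original sprintf call
 * would have overflowed a BUF_SIZE buffer for this input. snprintf with a
 * NULL buffer and size 0 is the C99 way to measure the formatted length. */
int would_overflow(const char *user)
{
    int needed = snprintf(NULL, 0, "id=%s", user);
    return needed >= BUF_SIZE;
}

int main(void)
{
    char buf[BUF_SIZE];
    const char *inputs[] = { "alice", "0123456789abcdefghij" }; /* constructed */

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = sprintf_bounded(buf, "id=%s", inputs[i]);
        printf("input=%-22s sprintf would overflow: %d  bounded wrote \"%s\" (wanted %d bytes)\n",
               inputs[i], would_overflow(inputs[i]), buf, n);
    }
    return 0;
}
```

Note that the wrapper silently truncates, which is what the question asked for; if the rest of the program relies on the full string being present, the caller should compare the return value against BUF_SIZE and handle the truncated case, which a call-site-only patch cannot add.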