This is my personal method when FLIRT can't do anything:
Idea: use the MIRACL debug information (its table of routine names).
Find it in the file (hex editing):
00000BE8 5DC3 796F 7572 2070 726F 6772 616D 0069 6E6E 756D 006F 746E ].your program.innum.otn
00000C00 756D 006A 6163 6B00 6E6F 726D 616C 6973 6500 6D75 6C74 6970 um.jack.normalise.multip
00000C18 6C79 0064 6976 6964 6500 696E 6372 0064 6563 7200 7072 656D ly.divide.incr.decr.prem
00000C30 756C 7400 7375 6264 6976 0066 6473 697A 6500 6567 6364 0063 ult.subdiv.fdsize.egcd.c
00000C48 6261 7365 0063 696E 6E75 6D00 636F 746E 756D 006E 726F 6F74 base.cinnum.cotnum.nroot
00000C60 0070 6F77 6572 0070 6F77 6D6F 6400 6269 6764 6967 0062 6967 .power.powmod.bigdig.big
00000C78 7261 6E64 006E 7870 7269 6D65 0069 7370 7269 6D65 006D 6972 rand.nxprime.isprime.mir
00000C90 7661 7200 6D61 6400 6D75 6C74 695F 696E 7665 7273 6500 7075 var.mad.multi_inverse.pu
00000CA8 7464 6967 0061 6464 0073 7562 7472 6163 7400 6D69 7273 7973 tdig.add.subtract.mirsys
Here is how they appear in IDA:
seg000:004019EA 79 6F 75 72 20 70+ dword_4019EA dd 72756F79h, 6F727020h, 6D617267h, 6E6E6900h, 6F006D75h, 6D756E74h
seg000:004019EA 72 6F 67 72 61 6D+ ; DATA XREF: seg000:00414044o
seg000:004019EA 00 69 6E 6E 75 6D+ dd 63616A00h, 6F6E006Bh, 6C616D72h, 657369h, 746C756Dh, 796C7069h
seg000:004019EA 00 6F 74 6E 75 6D+ dd 76696400h, 656469h, 72636E69h, 63656400h, 72700072h, 6C756D65h
seg000:004019EA 00 6A 61 63 6B 00+ dd 75730074h, 76696462h, 73646600h, 657A69h, 64636765h, 61626300h
seg000:004019EA 6E 6F 72 6D 61 6C+ dd 63006573h, 756E6E69h, 6F63006Dh, 6D756E74h, 6F726E00h, 7000746Fh
seg000:004019EA 69 73 65 00 6D 75+ dd 7265776Fh, 776F7000h, 646F6Dh, 64676962h, 62006769h, 61726769h
seg000:004019EA 6C 74 69 70 6C 79+ dd 6E00646Eh, 69727078h, 6900656Dh, 69727073h, 6D00656Dh, 61767269h
seg000:004019EA 00 64 69 76 69 64+ dd 616D0072h, 756D0064h, 5F69746Ch, 65766E69h, 657372h, 64747570h
The little bastard has converted them into dwords!
(Actually you can see them in the "Strings window" during analysis, just before they disappear.)
So click on "dword_4019EA" and press 'U'; it will undefine them like this:
seg000:004019EA 79 db 79h ; y
seg000:004019EB 6F db 6Fh ; o
seg000:004019EC 75 db 75h ; u
seg000:004019ED 72 db 72h ; r
seg000:004019EE 20 db 20h ;
seg000:004019EF 70 db 70h ; p
seg000:004019F0 72 db 72h ; r
seg000:004019F1 6F db 6Fh ; o
seg000:004019F2 67 db 67h ; g
seg000:004019F3 72 db 72h ; r
seg000:004019F4 61 db 61h ; a
Now run "Reanalyze program".
Where IDA screwed up, help it with 'U' (undefine) and 'A' (make string), e.g. for "your program".
You should end up with something like this:
seg000:004019EA 79 6F 75 72 20 70+ aYourProgram db 'your program',0
seg000:004019F7 69 6E 6E 75 6D 00 aInnum db 'innum',0 ; DATA XREF: seg000:00414044o
seg000:004019FD 6F 74 6E 75 6D 00 aOtnum db 'otnum',0 ; DATA XREF: seg000:00414048o
seg000:00401A03 6A 61 63 6B 00 aJack db 'jack',0 ; DATA XREF: seg000:0041404Co
seg000:00401A08 6E 6F 72 6D 61 6C+ aNormalise db 'normalise',0 ; DATA XREF: seg000:00414050o
seg000:00401A12 6D 75 6C 74 69 70+ aMultiply db 'multiply',0 ; DATA XREF: seg000:00414054o
seg000:00401A1B 64 69 76 69 64 65+ aDivide db 'divide',0 ; DATA XREF: seg000:00414058o
seg000:00401A22 69 6E 63 72 00 aIncr db 'incr',0 ; DATA XREF: seg000:0041405Co
seg000:00401A27 64 65 63 72 00 aDecr db 'decr',0 ; DATA XREF: seg000:00414060o
seg000:00401A2C 70 72 65 6D 75 6C+ aPremult db 'premult',0 ; DATA XREF: seg000:00414064o
seg000:00401A34 73 75 62 64 69 76+ aSubdiv db 'subdiv',0 ; DATA XREF: seg000:00414068o
seg000:00401A3B 66 64 73 69 7A 65+ aFdsize db 'fdsize',0 ; DATA XREF: seg000:0041406Co
seg000:00401A42 65 67 63 64 00 aEgcd db 'egcd',0 ; DATA XREF: seg000:00414070o
seg000:00401A47 63 62 61 73 65 00 aCbase db 'cbase',0 ; DATA XREF: seg000:00414074o
seg000:00401A4D 63 69 6E 6E 75 6D+ aCinnum db 'cinnum',0 ; DATA XREF: seg000:00414078o
Do you see all the DATA XREFs? Go to them.
OK, IDA did a good job at first, then screwed up: it thought the pointer table was instructions.
Press 'U' everywhere it went wrong,
and press 'O' on the first dword to turn it into an offset (&"your program").
Now click on "aYourProgram" and press '*' to make an array, and in the dialog set:
- number of elements: the maximal possible size = 144
- items on a line: 1
- element width: -1
- check "display indexes"
And OK!
You should have something like this:
seg000:00414040 EA 19 40 00 F7 19+ off_414040 dd offset aYourProgram ; 0
seg000:00414040 40 00 FD 19 40 00+ ; DATA XREF: sub_40242C+54r
seg000:00414040 03 1A 40 00 08 1A+ ; sub_40242C+C0r
seg000:00414040 40 00 12 1A 40 00+ ; sub_4027AC+65r
seg000:00414040 1B 1A 40 00 22 1A+ dd offset aInnum ; 1 ; "your program"
seg000:00414040 40 00 27 1A 40 00+ dd offset aOtnum ; 2
seg000:00414040 2C 1A 40 00 34 1A+ dd offset aJack ; 3
seg000:00414040 40 00 3B 1A 40 00+ dd offset aNormalise ; 4
seg000:00414040 42 1A 40 00 47 1A+ dd offset aMultiply ; 5
seg000:00414040 40 00 4D 1A 40 00+ dd offset aDivide ; 6
seg000:00414040 54 1A 40 00 5B 1A+ dd offset aIncr ; 7
seg000:00414040 40 00 61 1A 40 00+ dd offset aDecr ; 8
seg000:00414040 67 1A 40 00 6E 1A+ dd offset aPremult ; 9
seg000:00414040 40 00 75 1A 40 00+ dd offset aSubdiv ; 10
seg000:00414040 7D 1A 40 00 85 1A+ dd offset aFdsize ; 11
seg000:00414040 40 00 8D 1A 40 00+ dd offset aEgcd ; 12
seg000:00414040 94 1A 40 00 98 1A+ dd offset aCbase ; 13
seg000:00414040 40 00 A6 1A 40 00+ dd offset aCinnum ; 14
Note that the indexes are decimal (not hex).
So now we've got our table built.
Press 'Alt+M' on it to mark the location.
Let's see how to use it:
Example: go to sub_402E6C.
A few lines in you see (press 'H' on the number to display it in decimal):
mov dword ptr [edx+eax*4+20h], 23
Actually it will always be: mov dword ptr [REG+REG*4+20h], index
Click on "23" to highlight it, press 'Ctrl+M' to jump to our table and look at the highlighted index :D
This way you can look up all the MIRACL calls.
But there is an exception, sub_40711C: we've got
mov dword ptr [edx+eax*4+20h], 105
and it's not trial_division!
OK... grab the MIRACL sources.
Search for "MR_IN(105)" in all the MIRACL sources:
it's found in epoint_comp() and trial_division().
We got it.
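The same two steps done by script instead of by hand, as an added example (this is not code from the post or from MIRACL): first the name table is located in a file image and read as NUL-terminated strings, then the pointer array IDA showed as "dd offset aXxx" is recomputed from the string addresses, and finally the immediate in a "mov dword ptr [REG+REG*4+20h], n" line is looked up as an index into that table. The file image is constructed from the 30 names visible in the post's hex dump, so indexes beyond 29 fall off the end here; the post's binary has 144 entries, and what index 23 resolves to in that binary is not shown on the page. The base address 0x4019EA is the one from the post's listing.

```python
import re
import struct
from typing import List, Optional

# Constructed sample "file image": the two bytes that precede the table in the
# post's hex dump (5D C3), then the NUL-terminated MIRACL routine names in the
# order the dump shows them, then a few unrelated bytes.  Only the 30 names
# visible in the post are included; a real MIRACL build carries a longer table.
NAME_BLOB = (
    b"your program\0innum\0otnum\0jack\0normalise\0multiply\0divide\0incr\0"
    b"decr\0premult\0subdiv\0fdsize\0egcd\0cbase\0cinnum\0cotnum\0nroot\0"
    b"power\0powmod\0bigdig\0bigrand\0nxprime\0isprime\0mirvar\0mad\0"
    b"multi_inverse\0putdig\0add\0subtract\0mirsys\0"
)
FILE_IMAGE = b"\x5d\xc3" + NAME_BLOB + b"\x00\x00\x90\x90"

TABLE_MARKER = b"your program\0"   # first entry of the MIRACL debug-name table


def locate_name_table(image: bytes, count: int) -> List[str]:
    """Find the name table by its first entry and read `count` NUL-terminated names.

    `count` is the element count you would also give IDA's array dialog
    (144 in the post's binary; 30 for the constructed image here).
    """
    start = image.find(TABLE_MARKER)
    if start < 0:
        raise ValueError("MIRACL name table marker not found")
    names, pos = [], start
    for _ in range(count):
        end = image.index(b"\0", pos)        # raises if the table is truncated
        names.append(image[pos:end].decode("ascii"))
        pos = end + 1
    return names


def build_offset_table(names: List[str], base: int) -> List[int]:
    """Address of each name when they are laid out back to back from `base`.

    This is the pointer array IDA showed as `off_414040 dd offset aYourProgram`,
    `dd offset aInnum`, ...: entry i points at name i.
    """
    offsets, pos = [], base
    for name in names:
        offsets.append(pos)
        pos += len(name) + 1                 # +1 for the NUL terminator
    return offsets


def pack_offset_table(offsets: List[int]) -> bytes:
    """Little-endian dword array: the raw bytes of the `dd offset` table."""
    return b"".join(struct.pack("<I", off) for off in offsets)


# The MR_IN(n) store shows up as: mov dword ptr [REG+REG*4+20h], n
# (n is decimal once you have pressed 'H' on it in IDA).
MR_IN_RE = re.compile(
    r"mov\s+dword\s+ptr\s+\[\w+\+\w+\*4\+20h\]\s*,\s*(\d+)", re.IGNORECASE
)


def mr_in_index(asm_line: str) -> Optional[int]:
    """Extract n from an MR_IN store, or None if the line is not that pattern."""
    m = MR_IN_RE.search(asm_line)
    return int(m.group(1)) if m else None


def resolve_routine(asm_line: str, names: List[str]) -> Optional[str]:
    """Map an MR_IN store to the routine name at that index in the table.

    Returns None when the line is not an MR_IN store, and a bracketed marker
    when the index is past the end of the table; in that case (or when the
    name does not fit the code, like the post's index 105) fall back to
    grepping MR_IN(n) in the MIRACL sources.
    """
    idx = mr_in_index(asm_line)
    if idx is None:
        return None
    if idx >= len(names):
        return f"<index {idx} not in {len(names)}-entry table>"
    return names[idx]


if __name__ == "__main__":
    table = locate_name_table(FILE_IMAGE, 30)
    for i, addr in enumerate(build_offset_table(table, 0x4019EA)):
        print(f"{i:3d}  {addr:08X}  {table[i]}")
    for line in ("mov dword ptr [edx+eax*4+20h], 23",
                 "mov dword ptr [ecx+edx*4+20h], 105",
                 "mov eax, [ebp+8]"):
        print(line, "->", resolve_routine(line, table))
```

The recomputed addresses reproduce the ones in the post's listing (innum at 4019F7, jack at 401A03, cinnum at 401A4D), which is a cheap check that the table was read at the right place and with the right count before you trust any index lookup.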
Greetz,
TaGaDaPaF
01/09/04