
How can I clean up/simplify strings that are built at runtime?

I've seen this a couple of times and figured that there has to be something easier. I've been manually converting the characters to try and interpret what strings are being formed.

.text:0040166E C6 45 F0 5C   mov     [ebp+pszSubKey+2Ch], '\'
.text:00401672 C6 45 F1 57   mov     [ebp+pszSubKey+2Dh], 'W'
.text:00401676 C6 45 F2 69   mov     [ebp+pszSubKey+2Eh], 'i'
.text:0040167A C6 45 F3 6E   mov     [ebp+pszSubKey+2Fh], 'n'
.text:0040167E C6 45 F4 6C   mov     [ebp+pszSubKey+30h], 'l'
.text:00401682 C6 45 F5 6F   mov     [ebp+pszSubKey+31h], 6Fh
.text:00401686 C6 45 F6 67   mov     [ebp+pszSubKey+32h], 67h
.text:0040168A C6 45 F7 6F   mov     [ebp+pszSubKey+33h], 6Fh
.text:0040168E C6 45 F8 6E   mov     [ebp+pszSubKey+34h], 6Eh
.text:00401692 C6 45 F9 5C   mov     [ebp+pszSubKey+35h], 5Ch
phoenix89
  • 83
  • 3

3 Answers


Finding Byte Strings using IDAPython

ASERT MindshaRE solves this right. No need to actually run the code, which isn't always possible.

Effectively this script will go through instruction by instruction to find moves of ASCII characters into a memory location. It gets fancy and uses Qt to create an interactive table; however, you can gut out that part and just have it place a comment at the instruction that gets used.

jbh
  • Script looks neat, but it fails on x64 apparently. Will try to patch :) – Konrads Feb 16 '15 at 16:46
    Yeah, the one thing I noticed about the script is it relied heavily on strings being equivalent. (it is looking for "mov" and "[e") So it will definitely only work on x86. I reimplemented it for different architectures but have misplaced it. – jbh Feb 17 '15 at 03:59
  • I started patching it - making it work with x64 was a matter of changing [e to [(e|r) however it then makes an assumption that the 1st mov will be mov [rsp],'x' whereas in my case it is mov [rsp+138h+var_118], 'x'. Back to patching... – Konrads Feb 17 '15 at 17:11
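The approach this answer describes, walking the listing instruction by instruction and collecting byte moves of ASCII immediates into stack slots, can be reproduced outside IDA on a saved listing. The script below is an added example; it is not the ASERT MindshaRE script or the FLARE plugin, and it is not IDAPython. It parses the memory operand structurally instead of matching the literal text "[e", so it accepts the x86 form from the question as well as the x64 `[rsp+138h+var_118]` form raised in the comments (IDA's `var_XXX` names are treated as negative stack offsets and `arg_XXX` as positive ones), sorts the stores by offset so the first `mov` need not be the lowest slot, expands word and dword immediates little-endian, and terminates a run at a gap or a NUL. The sample input is the question's own ten lines plus a constructed x64 fragment whose addresses and opcode bytes are made up for illustration.

```python
"""Recover stack-built strings from an IDA-style disassembly listing.

Added example: a stand-alone re-implementation of the idea in the
answer (not the ASERT or FLARE code).  It keys on the structure of the
memory operand rather than on the text "[e", so it works on x86 and x64
listings alike.
"""
import re

# One "mov [dest], imm" with an optional size prefix.  Hex immediates in
# IDA always start with a digit (0Ah), which keeps registers like "ah" out.
MOV_RE = re.compile(
    r"mov\s+(?:(?P<size>byte|word|dword|qword)\s+ptr\s+)?"
    r"\[(?P<dest>[^\]]+)\]\s*,\s*(?P<imm>'[^']'|[0-9][0-9A-Fa-f]*h\b|\d+)"
)
TOKEN_RE = re.compile(r"([+-]?)\s*([A-Za-z_]\w*|[0-9][0-9A-Fa-f]*h|\d+)")
WIDTH = {"byte": 1, "word": 2, "dword": 4, "qword": 8}


def parse_operand(dest):
    """Split 'rsp+138h+var_118' into a grouping key and a byte offset.

    Hex (138h) and decimal constants add to the offset; IDA's var_XXX is a
    negative stack offset and arg_XXX a positive one; anything else (the
    base register, a user-named slot such as pszSubKey) stays symbolic and
    becomes part of the key, so slots relative to the same base group together.
    """
    offset, symbolic = 0, []
    for sign, tok in TOKEN_RE.findall(dest):
        m = re.fullmatch(r"(var|arg)_([0-9A-Fa-f]+)", tok)
        if m:
            value = int(m.group(2), 16) * (-1 if m.group(1) == "var" else 1)
        elif re.fullmatch(r"[0-9][0-9A-Fa-f]*h", tok):
            value = int(tok[:-1], 16)
        elif tok.isdigit():
            value = int(tok)
        else:
            symbolic.append(tok)
            continue
        offset += -value if sign == "-" else value
    return "+".join(symbolic), offset


def parse_immediate(imm, size):
    """Return the immediate as the little-endian bytes the store writes."""
    if imm.startswith("'"):
        return imm[1:-1].encode("latin-1")
    value = int(imm[:-1], 16) if imm[-1] in "hH" else int(imm)
    width = WIDTH.get(size) or max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(width, "little")


def recover_stack_strings(listing, min_len=2):
    """Bucket immediate stores by destination and rebuild contiguous runs.

    Returns (operand text of the run's first byte, string) tuples.  A run
    ends at a gap in the offsets or at a non-printable byte such as NUL.
    """
    stores, first_dest = {}, {}
    for line in listing.splitlines():
        m = MOV_RE.search(line)
        if not m:
            continue
        key, base = parse_operand(m.group("dest"))
        for i, b in enumerate(parse_immediate(m.group("imm"), m.group("size"))):
            stores.setdefault(key, {})[base + i] = b
            first_dest.setdefault((key, base + i), m.group("dest"))

    results = []
    for key, slots in stores.items():
        run, start = [], None
        for off in sorted(slots):
            b = slots[off]
            printable = 0x20 <= b < 0x7F
            contiguous = bool(run) and off == start + len(run)
            if not contiguous or not printable:
                if len(run) >= min_len:
                    results.append((first_dest[(key, start)], bytes(run).decode("ascii")))
                run, start = [], None
            if printable:
                start = off if not run else start
                run.append(b)
        if len(run) >= min_len:
            results.append((first_dest[(key, start)], bytes(run).decode("ascii")))
    return results


# The question's listing, followed by a constructed x64 fragment (addresses and
# opcode bytes invented) whose stores are deliberately out of order.
SAMPLE = r"""
.text:0040166E C6 45 F0 5C   mov     [ebp+pszSubKey+2Ch], '\'
.text:00401672 C6 45 F1 57   mov     [ebp+pszSubKey+2Dh], 'W'
.text:00401676 C6 45 F2 69   mov     [ebp+pszSubKey+2Eh], 'i'
.text:0040167A C6 45 F3 6E   mov     [ebp+pszSubKey+2Fh], 'n'
.text:0040167E C6 45 F4 6C   mov     [ebp+pszSubKey+30h], 'l'
.text:00401682 C6 45 F5 6F   mov     [ebp+pszSubKey+31h], 6Fh
.text:00401686 C6 45 F6 67   mov     [ebp+pszSubKey+32h], 67h
.text:0040168A C6 45 F7 6F   mov     [ebp+pszSubKey+33h], 6Fh
.text:0040168E C6 45 F8 6E   mov     [ebp+pszSubKey+34h], 6Eh
.text:00401692 C6 45 F9 5C   mov     [ebp+pszSubKey+35h], 5Ch
.text:0000000140001000 C6 44 24 22 6E         mov     byte ptr [rsp+138h+var_116], 'n'
.text:0000000140001005 66 C7 44 24 20 52 75   mov     word ptr [rsp+138h+var_118], 7552h
.text:000000014000100C C6 44 24 23 00         mov     byte ptr [rsp+138h+var_115], 0
"""

if __name__ == "__main__":
    for where, text in recover_stack_strings(SAMPLE):
        print(f"[{where}] -> {text!r}")
```

On the sample this yields `\Winlogon\` for the question's `ebp+pszSubKey` slots and `Run` for the constructed `rsp` slots. To use it on a real case, save the function's listing from IDA (or any disassembler that prints operands this way) to a file and feed its contents in place of `SAMPLE`; inside IDA the same grouping logic can be driven by IDAPython's instruction iteration instead of the regex front end.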

The one that worked for me eventually was the "stackstrings" plugin from FireEye/Mandiant FLARE (based on this module).

Konrads

You could use ida-x86emu to emulate the dynamic construction of the string.

But if you want something more automated then you'd need to write an IDA script or plugin.

Jason Geffner