And now I'm catching up on all the things that have happened during that time. So, here's a short writeup regarding a publicly known IDA bug and how it will (not) affect reversers. It was supposed to be a long post showing how to use PatchDiff to locate patched code and then backport it. But, as you'll see later, that's not necessary at all.

When checking my RSS feed, I stumbled upon the article by Palo Alto researchers called "The Dukes R&D Finds a New Anti-Analysis Technique".

Using the exported functions by ordinal meant the exported function name was unnecessary, which allowed the developer of this DLL to leave the names for the exported functions blank. The less obvious reason is that it takes advantage of a bug in the popular IDA disassembler that was recently fixed in the latest version of IDA.

Bug in IDA?! How nice, I want to test this!

Testing the bug

The Palo Alto report contained most of the information to reproduce the issue. But the IDA 6.95 changelog was even more detailed about what was fixed:

BUGFIX: PE: IDA would not detect DLL exports with empty names
BUGFIX: PE: IDA would show no exports if the export directory's DLL name was an empty string

Armed with the detailed description, I used the MASM32 package and their Examples to build a DLL file.

Empty DLL name

First, I took a hex editor and changed the DLL name in the export directory. Now the exported DLL name is a 0-length string.

I started with IDA 6.95 Demo you can download from the official site. As already demonstrated by Palo Alto, it's buggy.

Naturally, I wanted to see how old this bug is. So, it looks like this bug was introduced in IDA 6.90.

Empty export name

For completeness' sake, I repeated the experiment with an empty exported API name. The results were identical: the bug is only present in IDA 6.90.

If you're using IDA Free, the latest version is 6.95. If you're using legit IDA, you have received the updated version 6.95.
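As an added example (not code from the original post, Palo Alto, or IDA), here is a Python check that parses a PE export directory and reports the two conditions the 6.95 changelog names, so a sample can be flagged before it is loaded into an affected disassembler. The names `check_exports` and `build_sample` are hypothetical, and the sample image is constructed: a header-only PE32 with one export section, not a real DLL.

```python
import struct

def check_exports(data):
    """Flag the two export-table conditions named in the IDA 6.95 changelog."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 0 is exports.
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    exp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96))[0]
    if exp_rva == 0:
        return []
    secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]  # (vsize, vaddr, rawsize, rawptr)
    def off(rva):  # RVA -> file offset
        for vsize, vaddr, rsize, rptr in secs:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rptr + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(rva):  # NUL-terminated string at RVA
        start = off(rva)
        return data[start:data.index(b"\0", start)]
    name, base, _, nnames, _, names, ords = struct.unpack_from(
        "<12x7I", data, off(exp_rva))
    findings = []
    if cstr(name) == b"":
        findings.append("empty DLL name in export directory")
    for i in range(nnames):
        if cstr(struct.unpack_from("<I", data, off(names) + 4 * i)[0]) == b"":
            ordinal = base + struct.unpack_from("<H", data, off(ords) + 2 * i)[0]
            findings.append(f"empty export name (ordinal {ordinal})")
    return findings

def build_sample(dll_name, names):
    """Constructed minimal PE32 (headers plus one export section), not a real DLL."""
    n, rva, blob, ptrs = len(names), 0x1000, b"", []
    for s in [dll_name, *names]:  # string table follows the three arrays
        ptrs.append(rva + 40 + 10 * n + len(blob))
        blob += s + b"\0"
    exp = struct.pack(f"<12x7I{n}I{n}I{n}H", ptrs[0], 1, n, n, rva + 40,
                      rva + 40 + 4 * n, rva + 40 + 8 * n,
                      *[0x2000] * n, *ptrs[1:], *range(n)) + blob
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack(
        "<I4sHH12xHH", 0x40, b"PE\0\0", 0x14C, 1, 224, 0x2102)
    hdr += struct.pack("<H94x2I", 0x10B, rva, len(exp)).ljust(224, b"\0")
    hdr += struct.pack("<8s4I16x", b".edata", len(exp), rva, len(exp), 0x200)
    return hdr.ljust(0x200, b"\0") + exp
```

To check a file on disk, pass its bytes to `check_exports`; an empty list means neither condition is present.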