Monday, October 28, 2019

Execute Specific Function in Debugged Program in IDA - Appcall

IDA has a very useful feature called Appcall that lets you call a specific function inside the program you are debugging. It comes in handy when you need to run a batch of inputs through one function of the debuggee, for example when a malware sample decrypts its strings with a dedicated routine and you want to recover them without re-implementing the algorithm.

For the purpose of exploring the Appcall feature, let's consider a trivial example.

#include <iostream>

// Keep the optimizer off so that add() survives as a real, callable function
// instead of being inlined into main().
#pragma optimize( "", off )
int add(int a, int b)
{
 return a + b;
}

#pragma optimize( "", off )
int main()
{
 int c;
 std::cout << "About to call the function add\n";
 c = add(1, 2);
 std::cout << "This is the output: " << c << "\n";
 return 0;
}

In the above code there is a function called add which takes two parameters, adds them and returns the sum. Using Appcall we will call add during our debugging session, pass it inputs of our choosing and print the result.

After compiling and loading the executable in IDA we can spot the add function.


The add function is located at 0x5A1000 and IDA has auto-named it sub_5A1000. Now we can debug the program and try to invoke this function using Appcall.



I've put a breakpoint just before the add function gets invoked. Once the debugger is suspended there, open the Script Command window (File > Script command) to invoke the add function using Appcall. Appcall takes the following arguments:

  1. The Address to the function
  2. The function declaration
  3. Arguments to the function
To get the address of the function we can use the LocByName function. The function declaration can be obtained by decompiling the function (or from the prototype IDA shows in the disassembly view).

Using the above details we can form a two-line IDC script that executes the function and prints its return value using Appcall.

auto ret = Appcall(LocByName("sub_5A1000"), "int sub_5A1000(int a, int b);", 5, 5);
Message("The output is: %d\n", ret);



Clicking Run should print the result (10) in IDA's Output window. Note that Appcall only works while the debugger is active and the process is suspended; it executes the function on the debuggee's own thread and then restores the original register state.
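The two-liner above calls the function once. The batch use case mentioned at the top of the post (running many inputs through one routine) fits Appcall just as well, so here is an added IDC example, not part of the original post, that loops over a set of inputs, calls sub_5A1000 for each pair and checks every answer against a locally computed expected value. It assumes the same binary is loaded, the debugger is suspended at the breakpoint described above, and IDC is selected as the language in the Script Command window. The helper name call_add is my own.

```idc
// Added example (not from the original post): drive sub_5A1000 through a
// range of inputs with Appcall and verify each result.
// Assumes the debugger is paused inside the debuggee from the post.

static call_add(ea, a, b)
{
    // Prototype taken from the decompiler output, exactly as in the post.
    return Appcall(ea, "int sub_5A1000(int a, int b);", a, b);
}

static main()
{
    auto ea, a, b, ret, calls, failures;

    ea = LocByName("sub_5A1000");
    if (ea == BADADDR)
    {
        Message("sub_5A1000 not found; is the right database open?\n");
        return;
    }

    calls = 0;
    failures = 0;
    // Small grid of inputs, including negative values, to exercise the function.
    for (a = -2; a <= 2; a++)
    {
        for (b = 0; b <= 3; b++)
        {
            ret = call_add(ea, a, b);
            calls++;
            // Compare the debuggee's answer with the value computed locally.
            if (ret != a + b)
            {
                Message("mismatch: add(%d, %d) returned %d, expected %d\n", a, b, ret, a + b);
                failures++;
            }
        }
    }
    Message("%d calls made, %d mismatches\n", calls, failures);
}
```

For a real target such as a string-decryption routine, the same loop shape applies: swap the prototype for the decryptor's, iterate over the encrypted blobs (for example, the addresses of the xrefs to that routine), and print what the debuggee returns instead of comparing it to a locally known value.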





References:
https://hex-rays.com/products/ida/support/tutorials/debugging_appcall.pdf
