Fravia's TOOLS OF OUR TRADE Messageboard ~ Moderated
Re: IDA
Monday, 11-Jan-99 18:26:46
this happened to me a lot as well. Basically, when IDA anaylzes your file, it uses the default string type you put in IDA.CFG. This is usually set to "C-style" when you get it, and Windoze types tend to flip it to Unicode because it;s more irritating having those lined-up characters when they are separated by 00's :)
Delphi uses a Pascal-format string (C is \0 -terminated, or 0A0Dh actually; Pascal is not terminated but is prefized w/# of chars in the string) and thus Fravia noticed these pascal strings in his Delphi program.
Unfortunately, when you change the default string type, IDA does not re-analyze the program and find stings of the new type. Instead, you have to highlight the first byte of that string [remember what I said about Pascal above] and type "a", which willturn those undefined bytes into an ascii string of the default type.
This is tedious; I have written two different IDC scripts to automate this --I think they are in that primer on Fravia's, if not then check my page-- but they work funny.
The first works on an entire segment, the second works on a mouse-selected area. The scripts scan each byte, looking for one in the alphanumeric range. When a byte is found, it is defined as a string [even if it is just a single character, I thought of rewriting it but thought 'aw, hell, it works fine.'], and then the script starts searchign for the next byte after then end of the string. Thus, you will define all of the strings in the specified area...but a lot mroe as well :(
However, if you know C the scripts are not toohard to improve or mimic.
_m
mammon_