
An IDA plugin to graph all paths between two functions


idapathfinder

a plugin to find all code paths between two functions. This can significantly narrow down the number of paths that require investigation

插件地址:https://code.google.com/p/idapathfinder
原文链接:http://www.devttys0.com/2013/04/finding-all-paths-between-two-functions-in-ida/


Hex-Rays Decompiler plugin (v1.5.0.110408) and patch for IDA Pro6.5


F5

If anyone wants to use the old version of hexrays you can just use this patch. I haven’t run into any problems with it yet. (Make a backup first)

 – License check message removed
 – Fixed null pointer crash in ida.wll

Link:http://pan.baidu.com/s/1bBMTw

Ida LInk:http://www.h4ck.org.cn/2014/08/hex-rays-ida-pro-v6-5-read-nfo-dvt%e3%80%8e%e8%bd%ac%e8%bd%bd%e3%80%8f/

Refer:http://forum.exetools.com/showpost.php?p=93702&postcount=61

SmardDec v0.0.3 Plugin for IDA Pro


smartdec

The main goal of the project is to implement a retargetable and highly modular native code to C/C++ decompiler using the latest research results in the field of decompilation.

On this website you can download a beta version of the decompiler or just check out some examples of its application. If you are interested in using SmartDec, please contact us.

原汇编代码:

; SmartDec disassembly dump of sub_554748 (32-bit x86, Intel operand order,
; segment prefixes not shown). The ":32" / ":0" suffixes are SmartDec's
; operand-size annotations, not assembler syntax. 8-bit displacements and
; immediates are printed unsigned: [ebp + 0xf8] is [ebp-8], [ebp + 0xfc] is
; [ebp-4], and "add esp, 0xfffffff8" is "sub esp, 8".
; Register-passed arguments (per the Hex-Rays signature further down):
;   eax = a1 (object pointer, kept in ebx), edx = a2 (requested position,
;   kept in edi), ecx = a3 (spilled to [ebp-4], "nMinPos"). The 4th
;   argument nMaxPos is the single stack argument at [ebp+8]; "ret 0x4"
;   at the end releases it.
; Object fields touched: +0x294 (660) current position, +0x298 (664) range
;   minimum, +0x29c (668) range maximum, +0x2a0 (672) lower bound that
;   nMaxPos is checked against.
554748:	push	ebp	; frame pointer
554749:	mov	ebp, esp
55474b:	add	esp, 0xfffffff8	; sub esp, 8: two dword locals at [ebp-8] and [ebp-4]
55474e:	push	ebx	; save callee-saved registers
55474f:	push	esi
554750:	push	edi
554751:	xor	ebx, ebx
554753:	mov	[ebp + 0xf8]:32, ebx	; [ebp-8] = 0 (Hex-Rays: v26 = 0)
554756:	mov	[ebp + 0xfc]:32, ecx	; [ebp-4] = a3 (nMinPos)
554759:	mov	edi, edx	; edi = a2, requested position
55475b:	mov	ebx, eax	; ebx = a1, the object
55475d:	mov	esi, [ebp + 0x8]:32	; esi = nMaxPos (stack argument)
554760:	xor	eax, eax
554762:	push	ebp	; build an exception-registration frame on the stack:
554763:	push	0x5548f6	;   handler address (see 5548f6 below)
554768:	push	[eax]:32	;   previous fs:[0] ("[eax]" with eax = 0 is fs:[0]; Hex-Rays: __readfsdword(0))
55476b:	mov	[eax]:32, esp	;   fs:[0] = this frame (Hex-Rays: __writefsdword(0, &v23))
55476e:	cmp	esi, [ebp + 0xfc]:32	; range check: error path if nMaxPos < nMinPos ...
554771:	jl	0x55477b
554773:	cmp	esi, [ebx + 0x2a0]:32	; ... or nMaxPos < obj->+0x2a0
554779:	jge	0x55479c
55477b:	lea	edx, [ebp + 0xf8]:0	; error path: edx = &[ebp-8], eax = global at 0x7d9a60
55477e:	mov	eax, [0x7d9a60]:32
554783:	call	0x40d6c4
554788:	mov	ecx, [ebp + 0xf8]:32
55478b:	mov	dl, 0x1
55478d:	mov	eax, [0x48dc40]:32
554792:	call	0x428b3c	; builds an object from [ebp-8] (Hex-Rays: unknown_libname_167)
554797:	call	0x408cb0	; passes that object on (Hex-Rays: sub_408CB0(v7)); callee not resolved in this listing
55479c:	cmp	edi, [ebp + 0xfc]:32	; clamp edi into [nMinPos, nMaxPos]
55479f:	jge	0x5547a4
5547a1:	mov	edi, [ebp + 0xfc]:32	; edi = nMinPos
5547a4:	cmp	esi, edi
5547a6:	jge	0x5547aa
5547a8:	mov	edi, esi	; edi = nMaxPos
5547aa:	mov	eax, [ebx + 0x298]:32	; skip the range update when min and max are unchanged
5547b0:	cmp	eax, [ebp + 0xfc]:32
5547b3:	jnz	0x5547bd
5547b5:	cmp	esi, [ebx + 0x29c]:32
5547bb:	jz	0x5547f9
5547bd:	mov	eax, [ebp + 0xfc]:32
5547c0:	mov	[ebx + 0x298]:32, eax	; obj->min = nMinPos
5547c6:	mov	[ebx + 0x29c]:32, esi	; obj->max = nMaxPos
5547cc:	mov	eax, ebx
5547ce:	call	0x53bd64	; al = boolean query on the object (Hex-Rays: sub_53BD64(v5))
5547d3:	test	al, al
5547d5:	jz	0x5547f9
5547d7:	cmp	edi, [ebx + 0x294]:32	; eax = (edi == obj->pos) ? -1 : 0 via setz/neg/sbb
5547dd:	setz	al
5547e0:	neg	al
5547e2:	sbb	eax, eax
5547e4:	push	eax	; bRedraw
5547e5:	push	esi	; nMaxPos
5547e6:	mov	eax, [ebp + 0xfc]:32
5547e9:	push	eax	; nMinPos
5547ea:	push	0x2	; nBar
5547ec:	mov	eax, ebx
5547ee:	call	0x53b98c	; eax = the object's window handle (Hex-Rays: HWND)
5547f3:	push	eax
5547f4:	call	0x412cdc	; SetScrollRange(hwnd, 2, nMinPos, nMaxPos, bRedraw)
5547f9:	cmp	edi, [ebx + 0x294]:32	; nothing more to do if the position is unchanged
5547ff:	jz	0x5548e0
554805:	mov	[ebx + 0x294]:32, edi	; obj->pos = clamped edi
55480b:	mov	eax, ebx
55480d:	call	0x53bd64
554812:	test	al, al
554814:	jz	0x5548c9
55481a:	call	0x5b0b48	; no arguments are pushed for this call
55481f:	mov	edx, [eax]:32
554821:	call	[edx + 0x118]:32	; virtual call, vtable slot +0x118 (280)
554827:	test	al, 0x1	; bit 0 selects bRedraw = 0 + RedrawWindow (below) vs. bRedraw = 0xff (554886)
554829:	jz	0x554886
55482b:	mov	eax, ebx
55482d:	call	0x5546ec	; al = boolean query (Hex-Rays: sub_5546EC(v5)): report pos, or max - pos
554832:	test	al, al
554834:	jz	0x554850
554836:	push	0x0	; bRedraw = 0
554838:	mov	eax, [ebx + 0x294]:32	; nPos = obj->pos
55483e:	push	eax
55483f:	push	0x2
554841:	mov	eax, ebx
554843:	call	0x53b98c
554848:	push	eax
554849:	call	0x412cd4	; SetScrollPos(hwnd, 2, pos, 0)
55484e:	jmp	0x55486e
554850:	push	0x0
554852:	mov	eax, [ebx + 0x29c]:32	; nPos = obj->max - obj->pos
554858:	sub	eax, [ebx + 0x294]:32
55485e:	push	eax
55485f:	push	0x2
554861:	mov	eax, ebx
554863:	call	0x53b98c
554868:	push	eax
554869:	call	0x412cd4	; SetScrollPos(hwnd, 2, max - pos, 0)
55486e:	push	0x101	; flags
554873:	push	0x0
554875:	push	0x0
554877:	mov	eax, ebx
554879:	call	0x53b98c
55487e:	push	eax
55487f:	call	0x412bcc	; RedrawWindow(hwnd, 0, 0, 0x101)
554884:	jmp	0x5548c9
554886:	mov	eax, ebx	; same two SetScrollPos variants, but with bRedraw = 0xff and no RedrawWindow
554888:	call	0x5546ec
55488d:	test	al, al
55488f:	jz	0x5548ab
554891:	push	0xff
554893:	mov	eax, [ebx + 0x294]:32
554899:	push	eax
55489a:	push	0x2
55489c:	mov	eax, ebx
55489e:	call	0x53b98c
5548a3:	push	eax
5548a4:	call	0x412cd4	; SetScrollPos(hwnd, 2, pos, 0xff)
5548a9:	jmp	0x5548c9
5548ab:	push	0xff
5548ad:	mov	eax, [ebx + 0x29c]:32
5548b3:	sub	eax, [ebx + 0x294]:32
5548b9:	push	eax
5548ba:	push	0x2
5548bc:	mov	eax, ebx
5548be:	call	0x53b98c
5548c3:	push	eax
5548c4:	call	0x412cd4	; SetScrollPos(hwnd, 2, max - pos, 0xff)
5548c9:	mov	dl, 0x1	; virtual call on the object itself: vtable slot +0x80 (128), dl = 1
5548cb:	mov	eax, ebx
5548cd:	mov	ecx, [eax]:32
5548cf:	call	[ecx + 0x80]:32
5548d5:	mov	eax, ebx
5548d7:	mov	si, 0xffad	; 16-bit write to si; neither decompiler recovers its role -- confirm against 0x407bc8
5548db:	call	0x407bc8
5548e0:	xor	eax, eax	; unlink the exception frame: fs:[0] = saved previous value
5548e2:	pop	edx
5548e3:	pop	ecx	; discard handler address and saved ebp
5548e4:	pop	ecx
5548e5:	mov	[eax]:32, edx
5548e8:	push	0x5548fd	; continuation address consumed by the "ret" below
5548ed:	lea	eax, [ebp + 0xf8]:0	; finalize the local at [ebp-8] (Hex-Rays: sub_4095E4(&v26))
5548f0:	call	0x4095e4
5548f5:	ret	; pops 0x5548fd: continues at the epilogue, not at the caller
5548f6:	jmp	0x408b0c	; handler address registered at 554763; tail jump out of the function
5548fb:	jmp	0x5548ed	; re-enters the finalization sequence
5548fd:	pop	edi	; epilogue: restore callee-saved registers
5548fe:	pop	esi
5548ff:	pop	ebx
554900:	pop	ecx	; drop the two dword locals
554901:	pop	ecx
554902:	pop	ebp
554903:	ret	0x4	; release the single stack argument (nMaxPos)

Hexrays F5:

// Hex-Rays output for sub_554748 (compare with the disassembly above and
// the SmartDec listing below). Register arguments: a1 = object (eax),
// a2 = requested position (edx), a3 = new minimum (ecx, spilled to the
// local "nMinPos"); nMaxPos is the single stack argument. The decimal field
// offsets correspond to the disassembly as 660 = +0x294 (current position),
// 664 = +0x298 (min), 668 = +0x29c (max), 672 = +0x2a0 (lower bound that
// nMaxPos is checked against).
int __fastcall sub_554748(int a1, int a2, int a3, int nMaxPos)
{
  int v4; // edi@1
  int v5; // ebx@1
  int v6; // edx@3
  int v7; // eax@3
  BOOL v8; // ST10_4@11
  int v9; // ST08_4@11
  HWND v10; // eax@11
  int v11; // edx@13
  int v12; // eax@14
  int v13; // ST0C_4@16
  HWND v14; // eax@16
  int v15; // ST0C_4@17
  HWND v16; // eax@17
  HWND v17; // eax@18
  int v18; // ST0C_4@20
  HWND v19; // eax@20
  int v20; // ST0C_4@21
  HWND v21; // eax@21
  unsigned int v23; // [sp-Ch] [bp-20h]@1
  _UNKNOWN *v24; // [sp-8h] [bp-1Ch]@1
  int *v25; // [sp-4h] [bp-18h]@1
  int v26; // [sp+Ch] [bp-8h]@1
  int nMinPos; // [sp+10h] [bp-4h]@1
  int v28; // [sp+14h] [bp+0h]@1
 
  v26 = 0;
  nMinPos = a3;
  v4 = a2;
  v5 = a1;
  // v23..v25 are the three words pushed at 554762..554768: saved ebp,
  // handler address (loc_5548F6) and the previous fs:[0]. fs:[0] is the
  // thread's exception-handler chain head; the frame is linked here and
  // unlinked by the __writefsdword near the end.
  v25 = &v28;
  v24 = &loc_5548F6;
  v23 = __readfsdword(0);
  __writefsdword(0, (unsigned int)&v23);
  // Range check: nMaxPos must not be below the new minimum nor below the
  // object's lower bound. Otherwise an object is built from v26 and handed
  // to sub_408CB0; none of these three callees is resolved in this listing.
  if ( nMaxPos < a3 || nMaxPos < *(_DWORD *)(a1 + 672) )
  {
    sub_40D6C4(off_7D9A60[0], &v26);
    LOBYTE(v6) = 1;
    v7 = unknown_libname_167(off_48DC40, v6, v26);
    sub_408CB0(v7);
  }
  // Clamp the requested position into [nMinPos, nMaxPos].
  if ( v4 < nMinPos )
    v4 = nMinPos;
  if ( nMaxPos < v4 )
    v4 = nMaxPos;
  // Store the new range and, if sub_53BD64 says so, push it to the scrollbar.
  if ( *(_DWORD *)(v5 + 664) != nMinPos || nMaxPos != *(_DWORD *)(v5 + 668) )
  {
    *(_DWORD *)(v5 + 664) = nMinPos;
    *(_DWORD *)(v5 + 668) = nMaxPos;
    if ( (unsigned __int8)sub_53BD64(v5) )
    {
      v8 = -(v4 == *(_DWORD *)(v5 + 660)); // setz/neg/sbb in the asm: 0 or -1 (all-ones TRUE) for bRedraw
      v9 = nMinPos;
      v10 = (HWND)sub_53B98C(v5);
      SetScrollRange(v10, 2, v9, nMaxPos, v8);
    }
  }
  if ( v4 != *(_DWORD *)(v5 + 660) ) // position changed
  {
    *(_DWORD *)(v5 + 660) = v4;
    if ( (unsigned __int8)sub_53BD64(v5) )
    {
      // The disassembly pushes nothing for this call; v23..v25 are the
      // exception-frame words still on the stack, not real arguments.
      v12 = sub_5B0B48(v23, v24, v25);
      // Virtual call through vtable slot +280 (0x118) of the returned object.
      // Bit 0 selects the bRedraw = 0 + RedrawWindow branch over the
      // bRedraw = -1 branch. In both, sub_5546EC picks what is reported:
      // the position itself, or (max - position).
      if ( (*(int (**)(void))(*(_DWORD *)v12 + 280))() & 1 )
      {
        if ( (unsigned __int8)sub_5546EC(v5) )
        {
          v13 = *(_DWORD *)(v5 + 660);
          v14 = (HWND)sub_53B98C(v5);
          SetScrollPos(v14, 2, v13, 0);
        }
        else
        {
          v15 = *(_DWORD *)(v5 + 668) - *(_DWORD *)(v5 + 660);
          v16 = (HWND)sub_53B98C(v5);
          SetScrollPos(v16, 2, v15, 0);
        }
        v17 = (HWND)sub_53B98C(v5);
        RedrawWindow(v17, 0, 0, 0x101u);
      }
      else
      {
        if ( (unsigned __int8)sub_5546EC(v5) )
        {
          v18 = *(_DWORD *)(v5 + 660);
          v19 = (HWND)sub_53B98C(v5);
          SetScrollPos(v19, 2, v18, -1);
        }
        else
        {
          v20 = *(_DWORD *)(v5 + 668) - *(_DWORD *)(v5 + 660);
          v21 = (HWND)sub_53B98C(v5);
          SetScrollPos(v21, 2, v20, -1);
        }
      }
    }
    LOBYTE(v11) = 1;
    // Virtual call through slot +128 (0x80) of a1's own vtable, dl = 1.
    (*(void (__fastcall **)(int, int))(*(_DWORD *)v5 + 128))(v5, v11);
    sub_407BC8(v5); // the asm also sets si = 0xffad before this call; its role is not recovered
  }
  __writefsdword(0, v23); // unlink the exception frame
  // Not a plain return: the finalizer runs on v26 and the following "ret"
  // transfers to loc_5548FD (the register-restoring epilogue) through the
  // address pushed at 5548e8.
  v25 = (int *)&loc_5548FD;
  return sub_4095E4(&v26);
}

SmartDec F4:

 
// SmartDec's partial recovery of the vtable pointed to by s0::f0. Only the
// slot the function calls through, at +128 (0x80), is materialized as f128;
// "signed char[128]" is SmartDec's C-like notation, not valid C.
struct s1 {
    signed char[128] pad128;
    int32_t f128;
};
 
// Partial layout of the object passed in eax (ebx in the disassembly).
//   f0   : vtable (struct s1)
//   f660 : current scroll position            (+0x294, fed to SetScrollPos)
//   f664 : range minimum                      (+0x298)
//   f668 : range maximum                      (+0x29c)
//   f672 : lower bound the max argument is checked against (+0x2a0)
struct s0 {
    struct s1* f0;
    signed char[656] pad660;
    int32_t f660;
    int32_t f664;
    int32_t f668;
    int32_t f672;
};
 
// SmartDec's stand-in for fs:[0], the exception-frame head written at
// 55476b and restored at 5548e5 in the disassembly.
void** g0;
 
// Error-path helpers (55477b..554797); SmartDec could not type their
// register/stack arguments, so they appear as argument-less.
void sub_40D6C4();
 
void unknown_libname_167();
 
void sub_408CB0();
 
// Boolean query on the object; gates the SetScrollRange/SetScrollPos calls.
signed char sub_53BD64();
 
// Returns the object's window handle (Hex-Rays types it HWND).
int32_t sub_53B98C();
 
// The real call pushes five arguments (hwnd, nBar, nMin, nMax, bRedraw);
// SmartDec recovered only the first two.
void SetScrollRange(int32_t a1, signed char a2);
 
// Vtable of the object returned by sub_5B0B48; only the slot called
// through, at +280 (0x118), is materialized as f280.
struct s2 {
    signed char[280] pad280;
    int32_t f280;
};
 
// Returns the object whose vtable slot +0x118 is called right afterwards.
struct s2** sub_5B0B48();
 
// Boolean query choosing what SetScrollPos reports: the position itself,
// or (max - position).
signed char sub_5546EC();
 
// The real call pushes four arguments (hwnd, nBar, nPos, bRedraw);
// SmartDec recovered only the first two.
void SetScrollPos(int32_t a1, signed char a2);
 
// The real call pushes four arguments; the 0x101 flags word ended up typed
// as int16_t here.
void RedrawWindow(int32_t a1, int16_t a2);
 
void sub_407BC8();
 
// Finalizer run on the [ebp-8] local just before the epilogue.
void sub_4095E4();
 
// SmartDec output for the same function. Unlike Hex-Rays, SmartDec did not
// recover the register calling convention: ecx3/edx5/eax7 below are read
// before any assignment and stand for the incoming ecx/edx/eax (a3, a2, a1
// in the Hex-Rays signature). The Win32 API calls show only the arguments
// SmartDec managed to type.
void sub_554748(int32_t a1) {
    int32_t v2;
    int32_t ecx3;
    int32_t edi4;
    int32_t edx5;
    struct s0* ebx6;
    struct s0* eax7;
    int32_t esi8;
    signed char al9;
    int32_t eax10;
    signed char al11;
    struct s2** eax12;
    unsigned char al13;
    signed char al14;
    int32_t eax15;
    int32_t eax16;
    signed char al17;
    int32_t eax18;
    int32_t eax19;
    int32_t eax20;
    void** v21;
 
    v2 = ecx3;   // incoming ecx: new minimum (Hex-Rays: nMinPos)
    edi4 = edx5; // incoming edx: requested position
    ebx6 = eax7; // incoming eax: the object
    esi8 = a1;   // the single stack argument (Hex-Rays: nMaxPos)
    // Models "mov fs:[0], esp" after the pushes: "intrinsic"() stands for
    // the esp read and the subtractions for the preceding pushes/sub esp.
    g0 = (void**)((int32_t)"intrinsic"() - 4 + -8 - 4 - 4 - 4 - 4 - 4 - 4);
    // Range check (cmp/jl and cmp/jge at 55476e..554779); the error-path
    // calls lost their arguments.
    if (esi8 < v2 || ebx6->f672 > esi8) {
        sub_40D6C4();
        unknown_libname_167();
        sub_408CB0();
    }
    // Clamp the requested position into [v2, esi8].
    if (v2 > edi4) {
        edi4 = v2;
    }
    if (edi4 > esi8) {
        edi4 = esi8;
    }
    // Store the new range if it changed; the comma expression then asks
    // sub_53BD64 whether to push it to the scrollbar (min, max and bRedraw
    // are pushed in the asm but not shown here).
    if ((ebx6->f664 != v2 || esi8 != ebx6->f668) && (ebx6->f664 = v2, ebx6->f668 = esi8, al9 = sub_53BD64(), al9 != 0)) {
        eax10 = sub_53B98C();
        SetScrollRange(eax10, 2);
    }
    if (edi4 != ebx6->f660) {
        ebx6->f660 = edi4;
        al11 = sub_53BD64();
        if (al11 != 0) {
            eax12 = sub_5B0B48();
            al13 = (unsigned char)(*eax12)->f280(); // virtual call, slot +0x118
            if ((al13 & 1) == 0) {
                // bRedraw = 0xff variants (asm 554886..5548c4); the dropped
                // arguments are (pos, 0xff) and (max - pos, 0xff).
                al14 = sub_5546EC();
                if (al14 == 0) {
                    eax15 = sub_53B98C();
                    SetScrollPos(eax15, 2);
                } else {
                    eax16 = sub_53B98C();
                    SetScrollPos(eax16, 2);
                }
            } else {
                // bRedraw = 0 variants followed by RedrawWindow(hwnd, 0, 0, 0x101).
                al17 = sub_5546EC();
                if (al17 == 0) {
                    eax18 = sub_53B98C();
                    SetScrollPos(eax18, 2);
                } else {
                    eax19 = sub_53B98C();
                    SetScrollPos(eax19, 2);
                }
                eax20 = sub_53B98C();
                RedrawWindow(eax20, 0);
            }
        }
        ebx6->f0->f128(); // virtual call on the object itself, slot +0x80 (dl = 1 in the asm)
        sub_407BC8();
    }
    g0 = v21; // restore fs:[0] from the popped saved value (v21 is never assigned here)
    sub_4095E4(); // finalizer on the [ebp-8] local
    return;
}
 
// SmartDec's rendering of the address pushed as exception handler at
// 554763. The code there is a single "jmp 0x408b0c", which SmartDec
// dropped, leaving an empty body.
void func_5548f6() {
}
 
// Re-enters the finalization sequence at 5548ed (lea / call 0x4095e4 /
// ret). SmartDec emits the raw address because the target lies inside
// sub_554748; this is not valid C.
void func_5548fb() {
    goto 0x5548ed;
}
 
// The register-restoring epilogue of sub_554748 (pop edi/esi/ebx, two
// discarded pops, pop ebp, ret 4), reached through the address pushed at
// 5548e8. The six parameters appear to be SmartDec's reading of the six
// pops as stack reads rather than real arguments -- treat as an artifact.
void func_5548fd(int32_t a1, int32_t a2, int32_t a3, int32_t a4, int32_t a5, int32_t a6) {
    return;
}

IDA64 Fatal error before kernel init


fatal

 

第一次看到这个错误还以为是修改文件导致的,但是觉得又不大像,因为在Win7底下是完全正常的。搜索了一下才发现是由于插件导致的:

NOTE3: You get a “Fatal error before kernel init” when trying to use BinDiff with IDA in 64-bit; this is a bug that also occurs with a real license (use 32-bit instead).

简单的办法。直接把zynamics_binexport_8.p64删除或者改名禁用就OK了。另外新版的IDA如果出现python.plw无法加载的错误,一般是由于python的路径问题或者版本问题导致的,6.5的ida只能使用2.7版的python,如果是2.6就升级吧。

Link:http://arenabg.ch/torrents/zynamics-bindiff-v4-1-incl-keyfilemaker-embrace-434469/

 

IDA Pro Plugin wizard for vs2013


screenshot

 感谢zadow提供的升级版的向导: https://forum.tuts4you.com/topic/34511-ida-pro-plugin-wizard-for-vs2013/

本向导在此基础上进行了更新:

1.完善了IDAsdk版本,并且默认的选项修改为6.5
2.修正向导程序在部分机器上最下方的按钮无法正常显示
3.删除掉部分无用的文件
代码链接:http://code.h4ck.org.cn/ida-pro-plugin-wizard-for-vs2013

IDA Unicode字符串自动解析注释插件2.0 (支持MachO ,PE等)


macho

更新了一下Unicode字符串识别插件,去掉了非PE格式下不能加载插件的限制。上图为MachO文件格式。

下图为PE格式:

pe

猛击此处下载插件!猛击此处下载测试程序,和阅读相关说明!

【原创】IDA Unicode字符串自动解析注释插件3.0


直接上图,废话就不多说了,目前只有32位的插件,64位的插件编译存在一点点问题,希望能很快解决。 更新64位插件,但是没有合适的二进制文件,未测试!
快捷键为Ctrl+U,该插件只解析未知的并且存在交叉引用的数据格式(数据前缀为unk,如果不是将不会处理),如果是中文已经识别为英文字符串请去掉原来的定义,这样才能重新识别,可以结合2.0版本的进行手工修复。
MachO文件:

macho

PE文件:

pe

 iTools解析效果:

pe

猛击此处下载插件!

测试环境:Windows 7 64bit/Windows 8 64bit + IDA Pro 6.5

Mac IDA Pro 插件编写指南 v1.0


Windows版的插件编写可以参考的文档比较多,并且也有专门的向导可以来做这件事情,相对来说比较简单。但是针对Mac下的插件编写虽然也有一些参考文档但是都比较老旧。有参考价值但是意义不大,形同鸡肋。Windows下的插件编写可以参考下面两篇文章中的向导:IDA Pro Plugin wizard for vs2013 以及 Ida Plugin Wizard For VS2010

现在开始正题,测试环境为:

Mac OS 10.9.4

Xcode 5.1.1

IDA Pro For Mac 6.5+sdk65

如果环境不一样可能存在些许的差异,下面开始说插件的创建方法。

  1. 运行Xcode选择新建项目,从OSX中选的Framework & Library类,然后选择STL C++ Library(注意不要选择C/C++ Library,选择该项会在编译的时候出现非常多的诡异的错误,即使能够解决也相当的麻烦。)

1

  1. 点击next进入下一步,输入Product Name,这个选项可以随意,只是自己便于识别就可以了,注意Type要选择Dynamic。

2

  1. 继续Next,此时项目就已经创建好了,剩下的就是进行项目的一些配置了,打开编译选项找到Linking项目,在Other Linker flags中新建项目输入-lida

3

  1. 修改Header Search Paths,新建项目添加IDA SDK目录。

4

  1. 修改Library Search Paths添加dylib所在目录,如果路径存在空格需要加引号进行处理,否则在编译的时候这个字段会按照空格分隔为多个。

5

  1. 修改Packaging项目下的Executable Extension为pmc,如果需要可以修改Executable Prefix值。

6

  1. 修改项目的Architectures项目,如果不修改该项在Destination中只有My Mac 64bit编译选项,如果这个值没有候选值那么直接输入 i386 x86_64 保存之后就看到32bit的目标选项了。

7

  1. 将目标修改为32bit

8

  1. 添加项目源代码,测试代码为:
#define __MAC__
#include <ida.hpp>
#include <idp.hpp>
#include <loader.hpp>
 
int IDAP_init(void)
{
	// Called once when IDA loads the plug-in. Returning PLUGIN_KEEP keeps it
	// resident; a plug-in that does not apply to the loaded database would
	// return PLUGIN_SKIP instead. This sample accepts every database.
	return PLUGIN_KEEP;
}
 
void IDAP_term(void)
{
	// Called when IDA unloads the plug-in. This sample allocates nothing in
	// IDAP_init or IDAP_run, so there is nothing to release here.
}
 
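// Entry point invoked when the user triggers the plug-in (hot-key or
// Edit->Plugins menu). `arg` is the integer configured in plugins.cfg,
// which lets one plug-in behave differently per hot-key or menu entry;
// this sample ignores it.
void IDAP_run(int arg)
{
	(void)arg; // unused in this sample; keeps -Wunused-parameter quiet

	// Fix: the original literals ended in "\n!", so the '!' was printed at
	// the start of the *next* Output-window line and the final line was left
	// unterminated. Put the newline last.
	msg("===============================\n");
	msg("Hello world for Ida Mac from obaby!\n");
	msg("===============================\n");
}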
 
// Descriptive strings referenced by the PLUGIN object below. IDA reads
// them; the plug-in itself never uses them.
char IDAP_comment[] 	= "This is my test plug-in";	// shown as the plug-in's comment
char IDAP_help[] 		= "My plugin";	// help text
 
// The name of the plug-in displayed in the Edit->Plugins menu. It can
// be overridden in the user's plugins.cfg file.
char IDAP_name[] 		= "My plugin";
 
// The default hot-key that runs the plug-in (also overridable in plugins.cfg).
char IDAP_hotkey[] 	= "Alt-X";
 
// The exported PLUGIN object: the one symbol IDA looks up in the loaded
// module. Field order follows plugin_t in the IDA 6.5 SDK.
plugin_t PLUGIN =
{
  IDP_INTERFACE_VERSION,	// SDK interface version the plug-in was built against; IDA refuses mismatches
  0,					// Flags: none set
  IDAP_init,			// Called on load; returns PLUGIN_KEEP / PLUGIN_SKIP
  IDAP_term,			// Called on unload
  IDAP_run,				// Called when the hot-key or menu item fires
  IDAP_comment,			// Comment (informational only)
  IDAP_help,			// Help text (informational only)
  IDAP_name,			// Name shown in the Edit->Plugins menu
  IDAP_hotkey			// Default hot-key
};

     注意文件头定义的宏#define __MAC__,如果没有这个宏也会出现比较多的诡异错误!

此时直接编译会提示下面的错误:

/Users/obaby/codes/idasdk65/include/loader.hpp:779:38: ‘get_idp_descs’ has C-linkage specified, but returns user-defined type ‘const idp_descs_t &’ (aka ‘const qvector<idp_desc_t> &’) which is incompatible with C

打开Build Phases 找到Compile Sources 添加编译标签-Wno-return-type (或者-Wno-return-type-c-linkage)

9

  1. 现在就可以正常编译了,将编译好的pmc文件拷贝到IDA的plugin目录下,启动ida随便加载个文件,然后执行插件就可以看到输出效果了。

10

到这里32位插件的编译就结束了,64位插件的编译将会在后面进行整理。

 

参考文献:

http://reverse.put.as/2011/10/31/how-to-create-ida-cc-plugins-with-xcode/

http://www.binarypool.com/idapluginwriting/

猛击此处下载pdf版本!


Snowman IDA Plugin(F4)


snowman2

  • Enjoys all executable file formats supported by the disassembler.

  • Benefits from IDA’s signature search, parsers of debug information, and demanglers.

  • Decompiles a chosen function or the whole program by push of a button.

  • Allows easy jumping between the disassembler and the decompiled code.

  • Fully integrated into IDA’s GUI.

  • Link:http://derevenets.com/index.html

snowman

 

Download:

原创文章,转载请注明: 转载自 火星信息安全研究院

本文标题: 《Snowman IDA Plugin(F4)》

本文链接地址: http://www.h4ck.org.cn/2014/10/snowman-ida-pluginf4/

IDA Patcher 1.2 by Peter Kacherginsky


idapatch

 

IDA Patcher is a plugin for Hex-Ray’s IDA Pro disassembler designed to enhance IDA’s ability to patch binary files and memory. The plugin is useful for tasks related to malware analysis, exploit development as well as bug patching. IDA Patcher blends into the standard IDA user interface through the addition of a subview and several menu items
Simply copy idapatcher.py into IDA’s plugins folder. The plugin will be automatically loaded the next time you start IDA Pro.
The plugin uses pure IDA Python API, so it should be compatible with all versions of IDA on different platforms. However, it was only extensively tested on IDA Pro 6.5 for Windows with x86, x86-64 and ARM binaries.

Link:http://pan.baidu.com/s/1bnpPvGF

BinDiff now available for free


BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. It is used by security researchers and engineers across the globe to identify and isolate fixes for vulnerabilities in vendor-supplied patches and to analyze multiple versions of the same binary. Another common use case is to transfer analysis results from one binary to another, helping to prevent duplicate analyses of, for example, malware binaries. This also helps to retain knowledge across teams of binary analysts where the individual workflows might vary from analyst to analyst.

More specifically, BinDiff can be used to:

  • Compare binary files for x86, MIPS, ARM/AArch64, PowerPC, and other architectures.
  • Identify identical and similar functions in different binaries.
  • Port function names, comments and local variable names from one disassembly to another.
  • Detect and highlight changes between two variants of the same function.
 
Here is a screenshot demonstrating what using BinDiff to display per-function differences looks like:
 
 
At Google, the BinDiff core engine powers a large-scale malware processing pipeline helping to protect both internal and external users. BinDiff provides the underlying comparison results needed to cluster the world’s malware into related families with billions of comparisons performed so far.
 

 
Ever since zynamics joined Google in 2011, we have been committed to keeping our most valuable tools available to the security research community. We first lowered the price, and today we are taking the next logical step by making it available free of charge.
 
 
You can download BinDiff from the zynamics web site. It’s the current version, BinDiff 4.2 for both Linux and Windows. To use it, you also need the commercial Hex-Rays IDA Pro disassembler, 6.8 or later.
 
 
Happy BinDiff-ing!
下载链接:http://pan.baidu.com/s/1i3RPPNB pass: mu55

hexrays_tools&CrowdDetox Rebuild for IDA 6.x


structures_graph

Milan’s useful functions for Hex-Rays decompiler
================================================

New hexrays features:

Assist in creation of new structure definitions / virtual calls detection
===========================================================================

1) use “Reset pointer type” on all variables that you want to scan.

2) Select one of these variables and choose “Scan variable (S)”
Plugin deals with simple assignments “v1 = this;” automatically.

3) Again right click on such variable and choose open structure builder.
Adjust the structure to your liking.

In Structure builder you can open a list of functions you scanned so far and
functions that were added from virtual function tables.

Open some of the functions and scan other variables that are of the same
type. Be careful: there is no undo yet.

As you gather more evidence structure builder will show you guessed substructure sizes
and guessed types.

Colliding types have yellow background. Use delete to solve the ambiguity.

The current master offset into the structure being created is marked in red.

Use “*” to change master offset. But you should not need this too often,
because basic situations are detected automatically.

下载地址
https://www.hex-rays.com/contests/2013/hexrays_tools.zip
演示
https://www.hex-rays.com/contests/2013/milan_videos.7z

重建版链接:

http://pan.baidu.com/share/link?shareid=2736195585&uk=3188888025

CrowdStrike CrowdDetox Plugin for Hex-Rays

CrowdDetox version 1.0.2 Beta
by Jason Geffner (jason@crowdstrike.com)

The CrowdDetox plugin for Hex-Rays automatically removes junk code and variables from Hex-Rays function decompilations.

下载地址
https://www.hex-rays.com/contests/2013/CrowdDetox.zip

原文链接
https://www.hex-rays.com/contests/2013/index.shtml

重建版链接:

http://pan.baidu.com/share/link?shareid=2746706555&uk=3188888025

An IDA plugin to graph all paths between two functions


idapathfinder

a plugin to find all code paths between two functions. This can significantly narrow down the number of paths that require investigation

插件地址:https://code.google.com/p/idapathfinder
原文链接:http://www.devttys0.com/2013/04/finding-all-paths-between-two-functions-in-ida/

IDA Patcher 1.2 by Peter Kacherginsky


idapatch

 

IDA Patcher is a plugin for Hex-Ray’s IDA Pro disassembler designed to enhance IDA’s ability to patch binary files and memory. The plugin is useful for tasks related to malware analysis, exploit development as well as bug patching. IDA Patcher blends into the standard IDA user interface through the addition of a subview and several menu items
Simply copy idapatcher.py into IDA’s plugins folder. The plugin will be automatically loaded the next time you start IDA Pro.
The plugin uses pure IDA Python API, so it should be compatible with all versions of IDA on different platforms. However, it was only extensively tested on IDA Pro 6.5 for Windows with x86, x86-64 and ARM binaries.

Link:http://pan.baidu.com/s/1bnpPvGF

原创文章,转载请注明: 转载自 obaby@mars

本文标题: 《IDA Patcher 1.2 by Peter Kacherginsky》

本文链接地址: http://www.h4ck.org.cn/2014/12/ida-patcher-1-2-by-peter-kacherginsky/

IDA PRO 7.5 KEYGEN


========================= IDA-Pro Key Generator ========================

Use this program to make your IDA-Pro copy look legit or to increase the
number of seats for your license.

I used to support IDA a long time ago but they have exponentially increased
the prices of their products and insisted on a yearly subscription based
payment. Without an active plan one can’t even access the IDA forum.

So I’ve continued to use IDA-Pro and for the last 20 years I had every
single version either leaked or “borrowed” from friends with my own
generated licenses.

IDA uses RSA-1024 for its key signatures and without the private key you
cannot make valid keys. So what I did was to generate a new pair of
public/private keys with a modulus close to the original. The two RSA
modulus differ by just one byte. This was important because IDA checks the
validity of the modulus and private key but it only compares the first and
last bytes. This allows one to patch just one byte in the IDA library and
have complete control of the license. This works for all OS versions: Mac,
Linux and Windows. I’m sure that after this keygen is published (last IDA
version is now 7.3) better checks will be incorporated and the binaries
will have to be patched more extensively.

If you’re in a hurry to get the latest IDA version, buy the cheapest
available license and then increase the number of seats to cover and
entire organisation.

========================= How To Use ===================================

The C sources are included but I’ve precompiled Linux and Windows
versions for convenience.

To generate a new key first edit the template with an editor and then
run ‘ida_key -s ida-tmplv6v7.key > ida.key’
The ‘ida_key’ program can also be used to decode existing keys.
Then move ‘patch_ida’ in the install directory and run it. This will
toggle between to original and new modulus at every run.

=================== Reuse your old databases ===========================

With the new key, previously saved IDA databases will refuse to load so
you need to patch those as well before you switch to the new modulus. When
you generate a new key, a header file, anon_idb.h is also created. This is
used when you compile the ‘anon_idb’ program which lets you patch an idb
file with a new signature. You should recompile it if you want the
databases to include the credentials of your newly generated key.
‘anon_idb’ doesn’t work on compressed idb files, so before attempting to
patch them you need to load them in IDA and then save them after
unchecking the ‘deflate’ option. Obviously you need to do this operation
with the original modulus so just run ‘patch_ida’ to toggle it back.

============== Repack your Windows version of IDA-Pro ==================

IDA is delivered as an encrypted setup executable with the password sent
via email. IDA uses a free setup packager called innosetup. You can
extract all the files from the setup executable with the ‘7z’ unpacker and
providing the right password. Then use the included ‘innounp’ to also
extract the .iss script. You need to edit this script with the changes
outlined in the ‘install_script.iss_dif’. That’s not a proper diff file so
the changes need to be done by hand. The changes remove the license and
welcome page and include some code for the python installation.

Finally install a version of the packer (like ‘innosetup-5.6.1’) and repack
IDA after you’ve generated a new key and patched the modulus in the library.

If you distribute your own purchased IDA copy be aware that the binaries
are watermarked and can be traced back to you. I couldn’t check this because
I never had two copies of the same version.

Happy disassembly,
CZC.

下载:

https://obaby.lanzous.com/i2PVhjub5id

提示,请使用原版ida进行修改。

The post IDA PRO 7.5 KEYGEN first appeared on obaby@mars.


RetDec IDA plugin


idaplugin

RetDec plugin for IDA (Interactive Disassembler).

The plugin is compatible with the IDA 7.5+ versions. The plugin does NOT work with IDA 6.x, IDA 7.0-7.4, or freeware version of IDA 7.0. The plugin comes at both 32-bit and 64-bit address space variants (both are 64-bit binaries). I.e. it works in both ida and ida64. At the moment, it can decompile the following architectures:

  • 32-bit: x86, arm, mips, and powerpc.
  • 64-bit: x86-64, arm64.

Installation and Use

Currently, we officially support only Windows and Linux. It may be possible to build macOS version from the sources, but since we do not own a macOS version of IDA, we cannot create a pre-built package, or continually make sure the macOS build is not broken.

  1. Either download and unpack a pre-built package from the latest release, or build and install the RetDec IDA plugin by yourself (the process is described below).
  2. Follow the user guide (user_guide.pdf) that is part of the downloaded package, or use the current version from this repository.

Build and Installation

Requirements

Note: These are requirements to build the RetDec IDA plugin, not to run it. See our User Guide for information on plugin installation, configuration, and use.

  • A compiler supporting C++17
    • On Windows, only Microsoft Visual C++ is supported (version >= Visual Studio 2017).
  • CMake (version >= 3.6)
  • IDA SDK (version == 7.5)

Process

  • Clone the repository:
    • git clone https://github.com/avast/retdec-idaplugin.git
  • Linux:
    • cd retdec-idaplugin
    • mkdir build && cd build
    • cmake .. -DIDA_SDK_DIR=<path>
    • make
    • make install (if IDA_DIR was set, see below)
  • Windows:
    • Open a command prompt (e.g. C:\msys64\msys2_shell.cmd from MSYS2)
    • cd retdec-idaplugin
    • mkdir build && cd build
    • cmake .. -DIDA_SDK_DIR=<path> -G<generator>
    • cmake --build . --config Release -- -m
    • cmake --build . --config Release --target install (if IDA_DIR was set, see below)
    • Alternatively, you can open retdec-idaplugin.sln generated by cmake in Visual Studio IDE.

You must pass the following parameters to cmake:

  • -DIDA_SDK_DIR=</path/to/idasdk> to tell cmake where the IDA SDK directory is located.
  • (Windows only) -G<generator> is -G"Visual Studio 15 2017 Win64" for 64-bit build using Visual Studio 2017. Later versions of Visual Studio may be used. Only 64-bit build is supported.

You can pass the following additional parameters to cmake:

  • -DIDA_DIR=</path/to/ida> to tell cmake where to install the plugin. If specified, installation will copy plugin binaries into IDA_DIR/plugins, and content of scripts/idc directory into IDA_DIR/idc. If not set, installation step does nothing.
  • -DRETDEC_IDAPLUGIN_DOC=ON to enable the user-guide target which generates the user guide document (disabled by default, the target needs to be explicitly invoked).

User Guide

The User Guide in a PDF form is located in doc/user_guide/user_guide.pdf.

You can build your own guide by enabling and invoking the user-guide target:

  • cmake .. -DRETDEC_IDAPLUGIN_DOC=ON
  • Linux: make user-guide
  • Windows: cmake --build . --config Release --target user-guide
  • Requires LaTeX, LaTeX packages, and related tools.
  • The resulting PDF will overwrite the original user_guide.pdf in doc/user_guide.

The post RetDec IDA plugin first appeared on obaby@mars.

IDABeautify


An IDA plugin for making pseudocode better.

It was only tested on IDA 7.7, other versions are not guaranteed.

Specify register value in a specific address

  • It helps ida internal optimizer to work better.

All changes stored in idb database!

Requirements

pip3 install ida-netnode


https://github.com/P4nda0s/IDABeautify

The post IDABeautify first appeared on obaby@mars.

Ida Pro 8.3 (x86, x86_64)


IDA is an interactive disassembler, which means that the user takes active participation in the disassembly process. IDA is not an automatic analyzer of programs. IDA will give you hints about suspicious instructions, unsolved problems etc. It is your job to inform IDA how to proceed.

下载链接:

温馨提示: 此处隐藏内容需要发表评论,并且审核通过后才能查看。
(发表评论请勾选 在此浏览器中保存我的显示名称、邮箱地址和网站地址,以便下次评论时使用。
(请仔细检查自己的昵称和评论内容,以免被识别为垃圾评论而导致无法正常审核。)

The post Ida Pro 8.3 (x86, x86_64) first appeared on obaby@mars.
