Artificial Intelligence / Reverse Engineering / Internet of Things / Full Stack Developer
a plugin to find all code paths between two functions. This can significantly narrow down the number of paths that require investigation
插件地址:https://code.google.com/p/idapathfinder
原文链接:http://www.devttys0.com/2013/04/finding-all-paths-between-two-functions-in-ida/
Milan’s useful functions for Hex-Rays decompiler
================================================
New hexrays features:
Assist in creation of new structure definitions / virtual calls detection
===========================================================================
至于开源的东西,其实自己也蛮想做的。但是苦于技术水平不够,所以一直也没什么东西公布。刚开始的时候代码都是托管在Googlecode, 后来迁移到了github,但是苦于github不能创建私有项目,于是最后选择了bitbucket上,另外一个好处是可以绑定域名。于是以后有代码公布的话,可以访问这个网址访问http://code.h4ck.org.cn。
准备写一本关于IDA的书,然后这个帖子的两个目的:
1. 大家对于这种书籍有没有兴趣,肯定不会和《IDA PRO权威指南》中的内容重叠。
2. 寻求一个好的出版商,如果有意请联系我!
DeDe is Excellent Delphi program analyzing tool, but I still prefer IDA for
navigation & documentation.Exe-2-Dpr is another very useful utility (and also work with old 16-bit Delphi
programs).I always look for way to grab as many info from this great program’s output as
possible. So, I wrote a few stupid progs just to _reformate_ Exe2dpr & DeDe
output and import into IDA by simple IDC script.That’s all.
How to use:
———–
EDM:
> -*- EDM 1.4 * Copyright (c) Aleph 2001-2003 -*-
> Exe-2-Dpr output files reformatter
> Usage: edm.com [> ProjectName.DDM]
Apply exe2dpr.exe to analyzed proggy. Place all exe2dpr output in some
directory. Now, run edm.com in this directory and redirect edm output to some
file. edm will be scan all *.pas files in the directory and create output file
in *.ddm format. Use deida.idc script for import the *.ddm file to IDA database.
This is an attempt to improve the original fixobjc.idc script by Willem Jan Hengeveld.
For now it’s only compatible with Mach-O 32bits binaries for Mac OS X.
My goal is to make it compatible with all Mac OS X and iOS binaries.
fG!
IDA对Unicode的处理不能说很烂,但是有的时候却比较蛋疼。例如神马中文之类的,但是除此之外,对于英文的字符串处理在部分地方也是有问题的,例如上面的内容。
同样在idb刚创建的时候对于unicode字符串的解析也存在问题,例如下面的内容:
真正的字符串内容应该是ReadFromRegistry。但是ida很蛋疼的把第一个R当作dw给处理掉了,于是剩下了一个眉头的身子。
在创建string之后默认是采用的当前idb数据库的字符串格式,如果想要创建正确的字符串需要用到SetAsciiStyle(http://www.hex-rays.com/products/ida/support/idadoc/613.shtml)。
/*
*
* IDA Pro 6.3 (crash due an internal error)
* ELF anti-debugging/reversing patcher
*
* Published @ IOActive Labs Research blog:
* http://blog.ioactive.com/2012/12/striking-back-gdb-and-ida-debuggers.html
*
* - nitr0us [ http://twitter.com/nitr0usmx ]
*
* Tested under:
* IDA Pro Starter License 6.3.120531 (Mac OS X)
* IDA Pro Demo 6.3.120730 (Ubuntu Linux 9.04)
* IDA Pro Demo 6.3.120730 (Mac OS X 10.7.3)
* IDA Pro Demo 6.3.120730 (Windows Vista Home Premium SP2)
*
* Bug found using Frixyon fuzzer (my ELF file format fuzzer still in development)
*
* Timeline:
* 21/11/2012 The bug was found on IDA Demo 6.3
* 22/11/2012 The bug was tested on IDA Pro Starter License 6.3.120531 (32-bit)
* 22/11/2012 The bug was reported through the official Hex-Rays contact emails
* 23/11/2012 Hex-Rays replied and agreed that the bug leads to an unrecoverable
* state and it will be fixed on the next release
*
**************** TECHNICAL DETAILS ***********************
nitr0us@burial:~$ gdb -q idaq
(gdb) r a.out
(no debugging symbols found)
Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 0xb6860760 (LWP 3638)]
0xb55f7694 in default_notification_handler (reader=@0xbfbffae0,
notif=reader_t::err_shstrndx) at reader.cpp:33
33 reader.cpp: No such file or directory.
in reader.cpp
Current language: auto; currently c++
(gdb)