About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
IDA Plugins
: IDA Extra Pass
File Information
Category
Open Source
# Downloads
Version
IDA Plugins
Yes
12,365
2.0
Download from OpenRCE
MD5 Sum: 958DA563099FBC248599E4B82F1059DF
Last updated on Nov 26, 2007.
Author Information
Username
Name
E-Mail
URL
Sirmabus
Jim Lacy
jimlacy2003
yahoo
com
http://
Description
IDA Pro is amazing, IMHO the best disassembler of it's class. But it's nice to have perfect disassemblies. Certain targets just don't disassemble very well. In particular heavy C++ OOP created programs, ones with embedded script systems (with a zillion little bind stubs), etc. You could be miss something important in your reversing work.
If you didn't know, you can manually clean/fix an IDA Pro database by hand. Start at the top of the code sections (I.E. ".text") and text search down for each " dd ", then " db ", make them "unknown" then fix code and data where needed. You'll find blocks of missed code, messed up arrays/tables that are actually code, not data, etc. Normally this will work easy enough, but try this on a huge 10mb EXE (that could be a 100mb+ database!) and watch the tedious hours roll by. After doing this a few times, some times taking over eight hours; There had to be a better way..
This is where this plug-in comes in. It simply duplicates the manual steps above (and a few more) automatically. It's not perfect, you'll still probably need to do at least some manual fixing, but it can cut off hours of work.
It does essentially four passes:
1. Convert all stray data to "unknown" (for the following passes).
2. Fixes "align xx" blocks.
These are internally runs of CCh (int 3), or 90h ('nop') bytes.
3. Scans for missing code. Basically tells IDA to convert stray data bytes to code.
Finds new blocks of codes, or reverts back to data (unfortunately such as in return'less
exception blocks, or unfortunately some times messes up data/index tables.
4. Finds missing/undefined functions. It does this by finding gaps from the end of one
function to the next.
The plug-in will error on the side of code that can potentially mess up data/index tables (kind used with C/C++ "switch()" statements), but the sacrifice is for the better IMHO. The assumption most will want to find and examine code first, data second. It's better to run this plug-in just after initial IDA analyze, after the first save and before you actually start your major work on it.
It's intended for typical Win32 binary executables, so it may, or may not work
on other targets, the odd complied code, etc. In particular Delphi programs, or any other that tend to mix data and code a lot in the same section. In the end you might end up with less functions then when you started. To catch this problem, again be sure to save first, then after the plug-in has run, look in the IDA log window for a negative found function count.
Install
Copy the plug-in to your IDA Pro 5.xx "plugins" directory.
Edit your "plugins.cfg' with a hotkey to run it, etc., as you would install any other
plug-in. See the IDA docs for more help on this.
How to run it
1. Make a backup of your IDA Pro DB. If there are adverse effects, you can
restore to your backup.
2. Run the plug-in. Here you have a choice of which passes to run.
Normally you want them all checked, but if say you are working on a Delphi
exe you might just want to use the last two options to fix alignment blocks,
and find missing functions.
Currently the plug-in will process just the first CODE segment it finds.
Usually this will be the ".text" segment.
3. If you touch your screen, if you click off the IDA window, IDA will look like
it locked up. Appears to be a message pump thread starvation issue.
Don't know if this can be fixed as it appears other plug-ins have the same problem.
Some times you can fix it by minimizing then restoring the IDA window.
If all else fails and you are not sure what is going on, hold down the "Pause/Break"
key and the plug-in should abort.
4. Let it run and do it's passes..
It might take a while. On my Core2 Duo 3Ghz, it took about 12 minutes
to do all passes on a large 11mb (50mb IDA DB) exe.
When it's done and all goes well there should be a plus number of "Found- functions:" (a before and after function count), and a lot less gray spots on your IDA's navigator scale bar!
For best results, run the plug-in at least two times.
On a particular bad 11mb exe I tested, it recovered ~13,000 missing functions on the first, ~1000 on 2nd, and ~900 on 3rd runs! To make the DB real clean I still had to go through it manually, but the time spent is much shorter then the laborious hours..
There are
31,321
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit