How far has IDA Pro come since the freeware version?

Topic created on: April 19, 2006 20:04 CDT by Extrarius2.

I'm thinking about buying it, but only if the latest version makes things far easier with extra features (otherwise, what's the point?), so I'm wondering if it supports a few things that the freeware version doesn't (or how difficult it would be to add such things with plugins etc). If there is a more appropriate forum for such questions, I'd appreciate pointers to it (the IDA Pro forum is only for customers, so that wasn't an option).

I would test the demo version, but the programs I need to use it on take so long to analyse that it times out shortly after it allows user interaction (allowing maybe 5 minutes at most, not nearly enough time to test it).

I'm having a difficult time keeping track of functions that were (probably) only in a single compilation unit, such that they freely use whatever registers they want as input. Does IDA Pro 5.0 allow marking registers as arguments to a function, such that each call to the function will mark the line setting that register with the parameter name and/or type?

Is there some way to have the analyzer treat a 'call' as if the function called was actually in place of the call? Several functions that were probably used only in a single compilation unit end up using the stack frame of the one or two functions that call them, and that messed up analysis such that I have to figure out all the offsets myself, which is quite tedious.

How well does its stack analysis work? Several times in IDA freeware, the program apparently misses a push or pop and throws off the use of arguments in a function so that every single one is called incorrectly. This could perhaps be caused by its signatures having the wrong calling convention, but it happens quite rarely so it seems more likely to simply be a bug of some sort.

How well does it recognize basic structures such as 'switch' statements? In OllyDbg, most are recognized in the project I'm currently working on and it helps tremendously, but IDA Freeware doesn't seem to recognize any at all.

Are there any plugins that attempt to detect where a function is inlined and somehow mark that as an xref to the function itself? If not, how difficult would it be to make something like that? Inline functions give me a headache since I have to go comment each instance after figuring out the non-inlined version and it can take quite a while.

Another thing that bothers me is the IDA website - it has some oddities, such as the menu along the bottom not being updated to match the top menu (the bottom one takes you to an outdated news page, for example). Does such negligence reflect on a larger issue, or is it just that a bunch of programmers are trying to make a website?

Any other comments or suggestions would be greatly appreciated.

  MohammadHosein     April 19, 2006 21:38.56 CDT
The first suggestion is: just forget about the freeware version if you've got anything serious to do. Recent versions of IDA, especially 4.9 and 5, present great functions. You should first have a look at http://www.datarescue.com/idabase/ida50news.pdf and Ilfak's blog (the main IDA developer, who is a member of OpenRCE too) www.hexblog.com, and I agree with you about the website.

  aeppert     April 19, 2006 21:45.26 CDT
Given the freeware version is several generations old -- comparisons are lengthy and difficult.  A bit of an apples to oranges comparison, save the most rudimentary portions of the IDA kernel itself.

IDA Pro 5.0 recognizes pretty much every conceivable aspect of a file format that has a corresponding loader, e.g. PE, ELF, COFF, etc.  IDA cannot magically understand nor discern text versus data in a raw binary file, so at that point freeware versus commercial is not possible.

If you are talking plugin development, search around; if you find what you want, it answers your question.  Otherwise the SDK exists and the limits of your abilities are the limits of the SDK for the most part.  I have not yet found something I could not do via the SDK if IDA did not allow me the functionality to begin with.

As for the website -- That is absolutely NOT Datarescue's focus, nor have they claimed such.  Once/if you become a customer Datarescue is extremely responsive to such inputs, but I dare say don't bother them if you're not a customer.

Having paid for a licensed copy of IDA Pro for 6 years now, I admit I am very biased, but rightly so.  I have only been treated with the utmost of respect and rapid response to any bugs or feature inquiries.  No other company I have ever dealt with (personal, business, computer, non-computer, etc.) has ever been this responsive.

  Extrarius2   April 20, 2006 01:33.55 CDT
MohammadHosein: Thank you for attempting to help, but I had already found that pdf and it does not explain the abilities of the program. Rather, it says "5.0 is better" which doesn't answer any of my questions.

aeppert: I understand the freeware versions are old, and I haven't asked for a comparison, exactly. I asked about several quite specific features, and I just want to know whether they are present or not, and if not I'd appreciate any guesses about how difficult such things might be to implement.

I understand that IDA deals with a wide variety of processors and file formats, but all I need is for it to work well with executables. I'm having some problems with the freeware version, thus my questions. If the full version doesn't address the issues I mention, it wouldn't be much more useful to me, and I'd essentially be paying an enormous sum for an SDK so I can program it myself, and even then it might take an exceedingly long period of time for me to hack in the functionality I want.

The fact that the standard version doesn't work with 64-bit binaries is another point against it - the only two machines I'll ever use it for (for the next many years, at least) would be x86 and amd64, but for that I'd have to spend double the amount, which is insane. If they had an inexpensive version that only supported executable formats used by Windows XP and XP64, I'd probably have bought it already. Since I'm not yet working with 64 bit binaries, the freeware version is doing pretty good for its price, but it does have serious limitations (thus this inquiry).

I know enough about disassembly to know the theory, and I understand magic is not possible, but I do know that at least some of my requests are possible because they are already implemented elsewhere (as with switch detection) or the implementation is obvious (as with treating a function as inline for the purpose of analysis).

As far as the website, I can understand it's not top priority, but they really should have one that a developer can visit to find what is provided, or a demo with some other kind of limitation so it can be tested under the conditions that the full product must perform. I guess that there are few enough disassemblers that they get enough business without doing so, but that doesn't make me want to buy their product.

I already found out the hard way that I shouldn't contact them as a possible-customer-to-be, and that gave me quite a negative impression of the company, but that's not really relevant.

Neither one of you answered any of my questions =-/

  Extrarius2   April 20, 2006 01:36.27 CDT
Seems I left out a few words (and don't see any type of edit)
"but all I need is for it to work well with executables"
should say "modern PE executables for Windows"

  igorsk     April 20, 2006 04:08.28 CDT
> Does IDA Pro 5.0 allow marking registers as arguments to a function, such that each call to the function will mark the line setting that register with the parameter name and/or type?
AFAIK, IDA5 doesn't have support for custom calling conventions. However, it does support the standard __fastcall conventions for Borland and Microsoft compilers, which use registers for some parameters.

> Is there some way to have the analyzer treat a 'call' as if the function called was actually in place of the call? Several functions that were probably used only in a single compilation unit end up using the stack frame of the one or two functions that call them, and that messed up analysis such that I have to figure out all the offsets myself, which is quite tedious.
This is not very clear, so I'll try to guess. There are two common scenarios that fit your description:
1) Chunked functions. They usually occur in MS system binaries and are basically functions with some parts split off from the main function's body, linked by jumps. They've been supported by IDA for a while. For the freeware version you can use ParseFragFunc.idc by Dmitry Friesen, though you'll have to sync stack variable names manually.
2) Delphi's local functions. These get the parent function's stack pointer as a parameter and use that to access the parent's frame. IDA doesn't have any special support for them.

> How well does it recognize basic structures such as 'switch' statements? In OllyDbg, most are recognized in the project I'm currently working on and it helps tremendously, but IDA Freeware doesn't seem to recognize any at all.
I don't think switch recognition improved much. It recognizes standard jumptable switches pretty well (which it does in freeware too), but not two-stage switches like this:

add     eax, 7789FF7Eh          ; bias the switch value so the valid range starts at 0
cmp     eax, 64h                ; biased values 0..64h are in range
ja      loc_402C64              ; anything else (unsigned) -> default
xor     ecx, ecx
mov     cl, ds:byte_402C88[eax] ; first table: biased value -> handler index (one byte)
jmp     ds:off_402C6C[ecx*4]    ; second table: handler index -> handler address


> Are there any plugins that attempt to detect where a function is inlined and somehow mark that as an xref to the function itself?
Nothing ready to use, though I did see some people talking about solving this problem.

In short, I don't think it's worth buying if you just need those features. You'll probably be better off writing some IDC scripts. However, there can be some other features making work easier for you. E.g. I was sold on the new graph view. I was also hitting IDC limitations for a while, and being able to write plugins should help a lot.
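
The following is an added example, not code from the thread: it emulates the two-stage switch in igorsk's listing and inverts both tables to recover which original case values reach each handler, which is exactly the information a 'case N' comment at each handler needs. The bias, limit and label names are taken from his six instructions; the contents of the two tables and the handler addresses are constructed here.

```python
# Added example (not from the thread): emulate and invert the two-stage switch
# that igorsk's listing dispatches through. BIAS, LIMIT and the label names
# come from his six instructions; the table contents are constructed here.
BIAS = 0x7789FF7E    # add  eax, 7789FF7Eh
LIMIT = 0x64         # cmp  eax, 64h ; ja loc_402C64 -> indices 0..0x64 are in range
DEFAULT = 0x402C64   # loc_402C64, the out-of-range target
MASK32 = 0xFFFFFFFF

# byte_402C88: biased value -> handler number (one byte each, LIMIT + 1 entries).
# Constructed so that most values share handler 0 and a few hit other handlers.
INDEX_TABLE = bytearray(LIMIT + 1)
for i in (0, 7, 0x64):
    INDEX_TABLE[i] = 1
INDEX_TABLE[3] = 2
INDEX_TABLE[10] = 3

# off_402C6C: handler number -> code address (constructed addresses).
TARGET_TABLE = [0x402D00, 0x402D40, 0x402D80, 0x402DC0]


def to_signed32(x):
    """Interpret a 32-bit pattern as a signed int, as the C source would have."""
    x &= MASK32
    return x - 0x100000000 if x & 0x80000000 else x


def dispatch(value):
    """Run the six instructions on one input and return the address jumped to."""
    eax = (value + BIAS) & MASK32          # add  eax, 7789FF7Eh
    if eax > LIMIT:                        # cmp eax, 64h / ja loc_402C64 (unsigned)
        return DEFAULT
    ecx = INDEX_TABLE[eax]                 # xor ecx, ecx / mov cl, byte_402C88[eax]
    return TARGET_TABLE[ecx]               # jmp off_402C6C[ecx*4]


def enumerate_cases():
    """Invert both tables: handler address -> sorted original case values.
    This is what a 'case N' comment at each handler needs, and what IDA did
    not derive for this shape of switch."""
    cases = {}
    for idx in range(LIMIT + 1):
        original = to_signed32(idx - BIAS)  # undo the add
        cases.setdefault(TARGET_TABLE[INDEX_TABLE[idx]], []).append(original)
    return cases
```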

  aeppert     April 20, 2006 08:23.01 CDT
Actually, I did answer your question.  Part of the problem is you have to be able to find the answers to your own question by searching on your own.  For instance, Datarescue now has an anonymous forum open for those that are not licensed users or in your situation, someone wanting answers prior to buying.

I answered your plugin question by saying you need to do your own leg work, a very fair answer as I would have expected nothing but the same of myself.

I apologize for not directly answering your switch statement question, but it is inherent in the literature that this is a capability, short of the issue mentioned by igorsk above.



  BillyBoBob   April 20, 2006 09:52.53 CDT
> How well does it recognize basic structures such as 'switch' statements? In OllyDbg, most are recognized in the project I'm currently working on and it helps tremendously, but IDA Freeware doesn't seem to recognize any at all.


It has gotten much better, especially 4.8 or 4.9 onwards.

> How well does its stack analysis work?
The stack analysis is extremely good. However, there are numerous situations that it cannot solve (and never will be able to), most especially indirect calls such as virtual calls in C++, where IDA could not know what function is actually called. Your skill will still have to be applied.

> Another thing that bothers me is the IDA website ...
> Does such negligence reflect on a larger issue, ...


No. I have my thoughts about the company, but negligence with their product is certainly not one of them. Their web site sucks; it's not a big deal. Don't read too much into it, it is just a highly focused small company.

IDA Pro is, without question, the finest tool in its category. Furthermore, it is an absolutely outstanding aid to reverse engineering. I have done it by hand with just an assembly listing, and I thank the stars for IDA every time I use it. Combined with Olly, it is an extremely powerful tool.

However, RE is still very very hard work and takes huge amounts of patience, and often time. IDA Pro is much better than the freeware version, but won't suddenly solve all the problems in RE. If you have the patience to do RE, then I would highly recommend IDA. If you're thinking it won't speed up the process enough, I may suggest you are not ready to do RE.


  Extrarius2   April 20, 2006 14:51.34 CDT
@aeppert: I have no way to test plugins, and few have more than a sentence or two of description, which is not enough to know whether they fit my needs or not. Since the SDK documentation is not available (as far as I can tell), I really can't make any kind of decision about plugins.

I was hoping people would have similar needs to mine and would thus know about the presence or lack of such plugins. If that isn't the case, it means such plugins likely do not exist. I did not expect anybody to search out such information for me.

As far as the anonymous forum, I now see that it is possible to post messages to the "Free for all" forum, but the only reason I know that is because of your notice. As far as I can tell, the only notification that anonymous posting is allowed is on the 'post' form for that forum. The 'register' page should mention it, at the very least, since it made me think that it was not possible to post at all without already having an IDA license.

@igorsk: Unfortunately, the __fastcall calling convention is not what I need. Some of the functions are as you describe, simply functions split in pieces with jumps instead of calls. For such functions, the state of the stack should be known across that boundary, so references to [EBP+08h] are still recognized as arg_0 or the like. The freeware version does not do such a thing as far as I can tell.

Other functions are called normally using 'call', but do not follow a standard calling convention and will, for example, use the value of EBP plus a constant (representing the difference between the current stack position and the caller's stack frame) to address parameters without setting up a stack frame, which the freeware version of IDA does not properly 'understand'. This generally happens for functions declared as 'static' in C or in an unnamed namespace in C++, because the compiler has full control over all entry points to the function. In addition to using the "parent's" stack frame, such functions often take parameters in whichever arbitrary registers the function uses so it won't have to shuffle things around as much before or after processing.

About recognizing switches, I don't simply mean disassembling them correctly - IDA freeware does that well enough for me now (I'm guessing MSVC doesn't generate two-table switches). What OllyDbg does that IDA freeware doesn't is that it will recognize several consecutive conditional jumps that depend on a single variable and will comment the start location with a 'switch(A..B)' indicating the range, and then comments the jumps and/or the destinations as being 'case X' or 'case X..Y' to make it easily visible that a switch-type conditional is taking place, which values it accepts, and which code handles each value. For table-based jumps, the table makes it somewhat obvious generally, but for condition-tree switches, it can be difficult to figure out the values when several arithmetic operations take place between each conditional.
This could probably be made a plugin without too much trouble, but since I can't even see the SDK documentation without buying IDA, I can't know one way or the other. I'm not averse to having to write some things myself, but the amount of work it will take has to be balanced with the fact that it's not an inexpensive product.

@BillyBoBob: I understand that RE takes a lot of time, and luckily I'm a college student, so I have plenty of spare time. I've already spent quite a bit of time with the freeware version of IDA pro (in conjunction with OllyDbg), so I have at least some idea of what RE takes. Unfortunately, I'm a college student, so such a purchase is relatively a quite large one and thus not something to be taken as lightly as many seem to.

About not being able to recognize some situations, I think that it should be possible to recognize virtual function calls with help from the programmer - if a certain pointer is always a certain 'class', it should be possible to annotate it with information specifying which virtual table it refers to, which could be used to mark functions. It wouldn't be 100% accurate, but with virtual-heavy code, it would help quite a bit still. I'd hope such a thing wouldn't be too difficult to do in a plugin, but propagating the information might be difficult since a vtable might be loaded into a register long before it's used, etc. Still, it'd be nice to have proper xref info on virtual functions.
It'd also be nice to be able to declare a register to be of a certain structure type for some range of code, so that offsets would be translated into struct members.
That reminds me - is renaming a register only in a small part of the code possible? In the freeware version, it seems that the 'end' of the rename is always the end of the function, which is not as helpful as it could otherwise be (since registers change value often).
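
As an added example (not code from the thread or from OllyDbg), here is the annotation behaviour described above, done over a constructed listing of a condition-tree switch: it follows a chain of compares and equality jumps on EAX, tracks the arithmetic applied to EAX between the tests, and emits the 'switch(A..B)', 'case X' and 'default' comments. LISTING, its addresses and its labels are made up for the demonstration.

```python
# Added example (not from the thread): the OllyDbg-style switch annotation
# described above, run over a constructed listing. It follows a chain of
# compares and equality jumps on EAX, tracks the arithmetic applied to EAX in
# between, and emits 'switch(A..B)' / 'case X' / 'default' comments.
import re

LISTING = [                              # constructed; labels are made up
    (0x401000, "cmp     eax, 1"),
    (0x401003, "jz      loc_401020"),
    (0x401005, "cmp     eax, 2"),
    (0x401008, "jz      loc_401030"),
    (0x40100A, "sub     eax, 5"),        # eax now holds original - 5
    (0x40100D, "jz      loc_401040"),    # so this is case 5
    (0x40100F, "dec     eax"),           # original - 6
    (0x401010, "jz      loc_401050"),    # case 6
    (0x401012, "jmp     loc_401060"),    # no more tests: default
]
INSN = re.compile(r"^(\w+)\s*(.*)$")

def parse(text):
    """Split 'mnem  op1, op2' into (mnem, [op1, op2])."""
    m = INSN.match(text.strip())
    ops = [o.strip().lower() for o in m.group(2).split(",")] if m.group(2) else []
    return m.group(1).lower(), ops

def imm(s):
    """Immediate in IDA style (64h) or C style (0x64, 100)."""
    return int(s[:-1], 16) if s.endswith("h") else int(s, 0)

def recognise_switch(listing, reg="eax"):
    """Return {target label: original value of reg}. `delta` is how much has
    been subtracted from reg so far, so 'reg == 0' means 'original == delta'."""
    delta, pending, cases = 0, None, {}
    for _, text in listing:
        mnem, ops = parse(text)
        if mnem in ("jz", "je") and pending is not None:
            cases[ops[0]] = pending
        pending = None
        if mnem == "cmp" and ops[0] == reg:
            pending = imm(ops[1]) + delta
        elif mnem in ("sub", "add", "dec", "inc") and ops[0] == reg:
            step = imm(ops[1]) if len(ops) > 1 else 1
            delta += step if mnem in ("sub", "dec") else -step
            pending = delta
        elif mnem == "jmp" or (ops and ops[0] == reg):
            break                        # chain ended or reg overwritten
    return cases

def annotate(listing, reg="eax"):
    """Render the listing with the comments OllyDbg would add."""
    cases = recognise_switch(listing, reg)
    if not cases:
        return [f"{a:08X}  {t}" for a, t in listing]
    lo, hi = min(cases.values()), max(cases.values())
    out = []
    for i, (addr, text) in enumerate(listing):
        mnem, ops = parse(text)
        comment = f"switch({lo}..{hi})" if i == 0 else ""
        if mnem in ("jz", "je") and ops[0] in cases:
            comment = f"case {cases[ops[0]]}"
        elif mnem == "jmp":
            comment = "default"
        out.append(f"{addr:08X}  {text:<24}" + (f"; {comment}" if comment else ""))
    return out
```

Only equality tests are handled; range checks (ja/jb) and a register reload end the chain, so anything after them has to be inspected by hand.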

  MohammadHosein     April 20, 2006 16:43.30 CDT
@igorsk:
> 2) Delphi's local functions
It was a nice tip. I got confused with a binary made by Delphi a week ago and now this hint helped me a lot. Thanks :)

@Extrarius2:
> Other functions are called normally using 'call', but do not follow a standard calling convention
Excuse me, but are you doing some paper or even a crackme or something like that? Or malware analysis? No big deal, I'm just curious.

  Extrarius2   April 20, 2006 18:18.38 CDT
MohammadHosein: The following code compiled in a VS2003 console project set to the standard 'release' configuration will produce an instance of non-standard calling convention:
#include <stdio.h>

/* static: the compiler sees every call site, so it is free to ignore
   __cdecl and pass argc however it likes (here: in EAX). */
static void __cdecl TestFunc(int argc)
{
    printf("argc = %d\n", argc);
}

int main(int argc, char **argv)
{
    (void)argv;
    TestFunc(argc);
    return 0;
}
The argument is supposed to be passed on the stack (according to the calling convention), but is instead passed in EAX. I couldn't get a simple example to pass anything using EDI/ESI, but it does happen often enough that I'd definitely write a plugin to allow registers-as-parameters if needed.

  igorsk     April 20, 2006 20:12.52 CDT
You can consult IDA SDK reference here, and then there is an excellent tutorial by Steve Micallef. So some info is definitely available without buying.

  ryanlrussell     April 20, 2006 20:27.21 CDT
I think I'm hearing a couple of questions I can answer.

The free version is 4.3, right?

As of (I think) 4.8, IDA can do non-contiguous functions.  This means you can mark multiple chunks of code as being part of the same function, so the stack tracking works across all of them.

You can do register-arg style functions.  I think I first noticed this in 5.0, but Ilfak says it's been there for some time.

There's always empirical evidence.  If you have some binary and you want to see how IDA handles it, post it and one of us can give you a text cut-and-paste of the 5.0 output.

  BillyBoBob   April 21, 2006 10:20.50 CDT
> Unfortunately, I'm a college student, so such a purchase is relatively a quite large one and thus not something to be taken as lightly as many seem to.

For a college student, the purchase price will be brutal. This is quite unfortunate. Not to mention, you might actually find it hard to buy as a private individual even with the money (this is one of the things about the company which practically drives me insane). Unless you are fairly well off, I would stick to the freeware version or figure out how to get someone else (like the uni) to pay for it.

But, as to the actual price ... considering it is a pretty small market, a big, highly sophisticated app and by a large margin the best-in-class, it is actually quite cheap for organizations who need it. When you're on the clock, it pays for itself in very short order. For personal use, it is brutally expensive.

There are some things (including like what you mention) that could make indirect calls easier (and I wish C++ support in general was better, I have numerous ideas on this front), but nonetheless, it is still fantastic. I hope these things get more traction in the future.

One thing you might not know: If you put a symbol name in a comment, you can double click on it to jump. so..

call eax              ; calls MyFunction

You can double click MyFunction and jump to it if it is defined. I use this like crazy for a lot of situations. Not as pretty as one might like, but gets you by. At least, this should work in 4.3...

  xwxjncoxwx   August 22, 2006 03:35.21 CDT
switch statements
