OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Topic created on: April 28, 2012 02:52 CDT by DriEm .

Inspired by Angus Johnson's Resource Hacker and by Chris Eagle's "The IDA Pro Book", I developed a compact resource viewer to be used with IDA version 5.0 or higher.

The plugin is invoked by Alt+F5 hotkey or from Edit/Plugin sub-menu. It opens a subview and lists all resources contained in a Windows PE executable, provided that the executable has been loaded into IDA with the "Load resources" option checked. Double-click on a list record to display that resource.

Click below for a screenshot of the plugin listing the resources of NOTEPAD.EXE:

It is still rudimentary, and I plan to add more features in the future. Please leave your comments here.

--------------------------------

Name: IDA Resource Viewer plugin
Version: 0.6
Author: DriEm
Distribution: Binary only
Platform: IDA for Windows version 5.0 or higher
Price: Free for non-commercial use
Description: Resource viewer for IDA

Download: https://rapidshare.com/files/1648962871/idares.plw
MD5: f038506b867e06c017e69928f0aed0cb

Download version 0.3 for IDA Freeware Vesrion 5.0: https://rapidshare.com/files/3819039869/idaresfr.plw
MD5: 9f6d7bff1e03356007e9a6e74fda06dd

waleedassar		April 28, 2012 15:51.28 CDT
Nice plugin, but it is subject to "stack overflow" due to an infinite loop when processing a specially crafted resource directory. http://ollytlscatch.googlecode.com/files/antiResHacker.exe N.B. Resource Hacker is also subject to this bug.

DriEm		April 29, 2012 16:39.01 CDT
> waleedassar: Nice plugin, but it is subject to \"stack overflow\" due to an infinite loop when processing a specially crafted resource directory. > > http://ollytlscatch.googlecode.com/files/antiResHacker.exe > > N.B. Resource Hacker is also subject to this bug. Thanks for pointing this out. I've fixed it, click below for a screenshot of the plugin listing the resources of "antiResHacker.exe": I'll integrate the fix into the next release.

jduck		April 29, 2012 20:58.42 CDT
Are you planning to release the source??

DriEm		May 1, 2012 12:20.50 CDT
> jduck: Are you planning to release the source?? Nope. I plan to release an updated version within a few days.

DriEm		May 2, 2012 09:40.43 CDT
Version 0.2 released, head post updated accordingly. Changes: - "infinite loop" vulnerability (as pointed out by waleedassar) fixed - if the selected resource is a bitmap, it is displayed in a dialog box

waleedassar		May 2, 2012 11:38.04 CDT
Another infinite loop already exists. No stack overflow, just a typical infinite loop. Two demos have been included in the archive below. http://www.filefactory.com/file/5v4iva89en85/n/idares_loops_rar

DriEm		May 11, 2012 11:55.56 CDT
> waleedassar: Another infinite loop already exists. No stack overflow, just a typical infinite loop. > > Two demos have been included in the archive below. > > http://www.filefactory.com/file/5v4iva89en85/n/idares_loops_rar What do your example EXEs do? Do they use resources?

waleedassar		May 11, 2012 13:59.52 CDT
Yes, they embed resources. http://uploadpic.org/v.php?img=Lg3hb8YWjk http://uploadpic.org/v.php?img=b4R3yayQCI

DriEm		May 13, 2012 13:59.08 CDT
Version 0.3 released, head post updated accordingly. Changes: - another "infinite loop" vulnerability fixed (thanks again to waleedassar) - execution speed-up through minor changes - plugin compiled for IDA Freeware Version 5.0 (this is the currently distributed free IDA version)

DriEm		June 12, 2012 13:28.21 CDT
Version 0.6 released, head post updated accordingly. Changes: - displaying more resource types (bitmaps, icons, cursors, dialogs, strings, menus) - for MFC executables, the event handler for a dialog button and for a menu item is printed out to IDA's Output window (may be redundant) - for Delphi executables, all event handlers for a form's buttons are printed out to IDA's Output window (tested on Embarcadero Delphi 2010 executables)

r2x64		May 12, 2013 09:27.10 CDT
Hey, any new downloading link for this? It seems that the old links don't work anymore.

Note: Registration is required to post to the forums.

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

View Gallery (11) / Submit