
Created: Friday, August 18 2006 18:07.00 CDT Modified: Friday, August 18 2006 19:02.53 CDT
EXPLICATOR?
Author: Paolo

I have been receiving several emails regarding the Explicator IDA Pro plugin, which was briefly shown in one of my previous posts, so I thought I would provide some more information about it.

The Explicator IDA Pro plugin collects information from the IDA Pro database (the disassembly together with the names, comments, enumerations, structures and prototypes you have defined) and, based on this, attempts to rebuild a C-like representation of the current function.

Currently, it features:

* basic dataflow analysis (an improved version of the Desquirr code base)
* basic loop recognition
* graphing interface
* limited commenting abilities
* lots of bugs :(

So, let's see an example of Explicator in use. Let's take the following subroutine from some silly malware sample:



So, if we invoke the plugin, we obtain this:



This is nice, but if we go back to the disassembly, we see that Explicator has added repeatable comments for some (sic!) of the API functions called inside the function:



So, now we may want to improve the disassembly by adding enumerations, so we convert the first operand of the RegOpenKeyA call (the hKey argument, which under stdcall is the last value pushed before the call) into an enumeration member:

push 80000002h --> push HKEY_LOCAL_MACHINE


If we invoke Explicator again, we can see that the enumeration has been used in producing the output:



The same applies to structures.

Ok, now that we are satisfied with the result, we tell Explicator to add a repeatable comment to the current function, so that wherever that function is called we will also have the translated code next to the call:



and from the caller:



If we examine the argument that is passed to our function, we see that it is a pointer to a C-style string, so why don't we add a proper prototype to our function? Let's do it and invoke Explicator again for the final result:



Of course, such lovely output is not always the case: sometimes the function is too complex or too optimized, or something is still not supported in Explicator, so do not expect it to be a silver bullet.
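To make the steps above concrete (stack arguments recovered by simple dataflow, an enumeration substituted for an immediate, a string pointer and a prototype feeding the rebuilt C), here is a small Python model. It is an added example written for this page, not Explicator's code and not taken from the post: it walks an IDA-style x86 stdcall listing, tracks `lea`/`mov` register definitions and `push`es, matches the pushes against a prototype table and renders each call as C. `PROTOTYPES`, `ENUMS`, `SAMPLE` and the helper names are this example's own assumptions; the `HKEY_*` values are the winreg.h constants, and the listing is constructed rather than taken from the malware sample in the post.

```python
# Added example, not Explicator's code: a toy of the step the post describes,
# rebuilding C calls from IDA-style x86 stdcall disassembly and substituting
# enumeration members for immediates. PROTOTYPES, ENUMS and SAMPLE are assumed
# inputs (Win32 declarations, winreg.h HKEY_* values, a constructed listing).
import re

PROTOTYPES = {  # (type, name) per parameter; arity and type drive the output
    "RegOpenKeyA": [("HKEY", "hKey"), ("LPCSTR", "lpSubKey"), ("PHKEY", "phkResult")],
    "RegCloseKey": [("HKEY", "hKey")],
}
ENUMS = {  # what an IDA enumeration named HKEY would hold (winreg.h values)
    "HKEY": {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"},
}
# Constructed listing. stdcall pushes right to left, so the last push before
# the call is the first C argument (hKey here).
SAMPLE = r"""
lea     eax, [ebp+hKey]
push    eax                     ; phkResult
push    offset aSoftwareMicros  ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
push    80000002h               ; hKey
call    ds:RegOpenKeyA
test    eax, eax
jnz     short loc_fail
push    [ebp+hKey]              ; hKey
call    ds:RegCloseKey
"""
LINE_RE = re.compile(r"^\s*(\w+)\s*([^;]*?)\s*(?:;\s*(.*))?$")
STACKVAR_RE = re.compile(r"\[ebp\+(\w+)\]")

def parse_line(line):
    """(mnemonic, [operands], comment or None), or None for a blank line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mnem, ops, comment = m.groups()
    return mnem.lower(), [o.strip() for o in ops.split(",")] if ops else [], comment

def imm_value(tok):
    """IDA immediate ('80000002h', '0Ah', '0') to int, else None."""
    m = re.fullmatch(r"(\d[0-9A-Fa-f]*)h", tok)   # IDA prefixes 0 to hex starting with a letter
    return int(m.group(1), 16) if m else (int(tok) if tok.isdigit() else None)

def resolve(tok, regs, comment):
    """Operand -> ('imm', int) or ('expr', C text)."""
    v = imm_value(tok)
    if v is not None:
        return ("imm", v)
    if tok in regs:                          # register defined by an earlier lea/mov
        return regs[tok]
    if tok.startswith("offset "):            # address of a data item
        if comment and comment.startswith('"'):
            return ("expr", comment)         # IDA's auto-comment holds the string literal
        return ("expr", "&" + tok.split()[1])
    m = STACKVAR_RE.fullmatch(tok)
    return ("expr", m.group(1) if m else tok)   # stack variable by IDA name, else verbatim

def render(value, ptype, use_enums):
    """C text for one argument; an enum member if the parameter type has one."""
    kind, v = value
    if kind != "imm":
        return v
    if use_enums and v in ENUMS.get(ptype, {}):
        return ENUMS[ptype][v]
    return f"0x{v:X}" if v > 9 else str(v)

def rebuild(asm, use_enums=True):
    """One C statement per call in the listing."""
    regs, stack, out = {}, [], []
    for line in asm.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        mnem, ops, comment = parsed
        if mnem == "push":
            stack.append(resolve(ops[0], regs, comment))
        elif mnem == "lea":
            m = STACKVAR_RE.fullmatch(ops[1])
            regs[ops[0]] = ("expr", "&" + m.group(1) if m else ops[1])
        elif mnem == "mov":
            regs[ops[0]] = resolve(ops[1], regs, comment)
        elif mnem == "call":
            name = ops[0].split(":")[-1]     # 'ds:RegOpenKeyA' -> 'RegOpenKeyA'
            params = PROTOTYPES.get(name)
            if params is None:               # arity unknown: pending pushes cannot be assigned
                out.append(f"{name}(/* unknown prototype, {len(stack)} pushes pending */);")
                stack.clear()
            else:
                if len(stack) < len(params):
                    raise ValueError(f"{name}: {len(params)} parameters, {len(stack)} pushes")
                args = stack[-len(params):][::-1]     # last push is the first parameter
                del stack[-len(params):]
                rendered = [render(a, t, use_enums) for a, (t, _) in zip(args, params)]
                out.append(f"{name}({', '.join(rendered)});")
            regs.clear()                     # callee may clobber registers: drop tracked defs
    return out

if __name__ == "__main__":
    for stmt in rebuild(SAMPLE, use_enums=False) + ["// with the HKEY enumeration:"] + rebuild(SAMPLE):
        print(stmt)
```

Run directly, it prints the RegOpenKeyA call twice, first with the raw immediate 0x80000002 and then with HKEY_LOCAL_MACHINE substituted, which is the before/after the enumeration step above produces. A call whose prototype is not in the table is emitted with a comment rather than guessed arguments, since the push count alone does not say where one call's arguments end; that is the kind of case where a real tool's output degrades, as the paragraph above warns.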

If you are wondering when Explicator will be released, the answer is "I do not know". Basically, it will be released when I feel it is stable enough and useful enough.
But eventually it will be released for free on the OpenRCE website.

