OpenRCE: Blog

Updated plug-ins, blogging moved to..

Tue, 29 Mar 2011 05:11:13 -0500

I've updated many of my IDA Pro plug-ins and made a support section for them on my forum.
Download them here: Sirmabus PlugIns

Also moved my occasional blogging to here:
http://www.sirmabus.macromonkey.com

Class Informer IDA plug-in

Thu, 22 Jan 2009 03:42:28 -0600

My new IDA plug-in based on Igorsk's excellent article and IDC scripts.

[Download]

------------------------------------------------------------
Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them read
easier as an aid to reverse engineering.
Creates a list window with found vftables for browsing.

RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI

RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx
------------------------------------------------------------

Example vftable output list:

.
.
Example vftable info set by plug-in:

.
.

IDA2PAT Reloaded

Thu, 07 Aug 2008 13:43:19 -0500

Like many others I like to generate signitures of functions I've RE'ed in a target so I can apply them to an update.
There are a lot of issues with the process.

This is yet another IDB2Sig/IDB2PAT plug-in for IDA Pro with some improvements to help with some of the problems.

Instead of relying on broken function types/tags, this uses function name text patterns.
Easier to go from one IDA DB to the next for updated targets, easier to update function names, don't have to combine multiple .PAT files, etc.
And as fast as TQN's version with out the huge buffer.

While IMHO this is an improvement in the process, but it certainly dosn't solve all the problems.
I think a whole new project is in order, something that will replace ".sigs" for update processes..

See the help file for more info..

http://www.openrce.org/repositories/users/Sirmabus/IDA2PAT_Reloaded.zip

"Function String Associate" IDA Plug-in

Tue, 13 May 2008 03:15:32 -0500

"Function String Associate"  IDA Plug-in:

I thought of this idea the other day based on the observation of "assert()", development, debug text strings, etc., that software developers often leave in programs I want to reverse.
As I'm sure others do, I look at these comments to help me determine what a particular function is for (x86 binary targets that is).
I thought, wouldn't be nice to somehow data mine this stuff and automatically put some of it as a function comment?

Based on this, what this plug-in does is iterate through every function in IDA and auto-comments every function that has these strings (unless it already has a comment).  It applies a little logic to it, to try to put the most relevant strings first.

Sort of a proof of concept thing.  It's hard to say how useful it is yet.
So far it does seem to help as I browse around a DB. I'm putting together things a bit faster because of it.

Of course it's only works as well as your target uses such messages mixed in it's code.
So far on programs I've used it it on, the plug-in finds such strings on about 15% of all functions.

With source. If you expand on the idea, add helpful modifications, etc., share it here please.

http://www.openrce.org/repositories/users/Sirmabus/IDA_FunctionStringAssociate_PlugIn.zip

Updated ExtraPass plug-in 2.1, and APIScan

Fri, 08 Feb 2008 21:26:48 -0600

Proud to say that IMHO it's working well now.
Really can clean up discombobulated code.

See:
https://www.openrce.org/blog/view/839/An_%22extra_pass%22_for_IDA_Pro

Also updated my "APIScan":
http://www.openrce.org/forums/posts/456