March 10, 2010

Preview of the new cross-platform IDA Pro GUI

In order to provide our customers with the best user experience and in order to target many different platforms, the IDA Pro graphical user interface is currently being rewritten using the Qt technology.

Qt (pronounced "cute") is a cross-platform application and UI framework and the Win32 VCL-based IDA Pro interface is being ported to it. The goal is to provide all the features available in the current GUI while maintaining the maximum compatibility with plugins and other external modules.

Here is a screenshot of the current build of idaqt running on Ubuntu:

idaqt_preview_100310_thumb_1.jpg

You can click on the images to enlarge them.

Continue reading "Preview of the new cross-platform IDA Pro GUI " »

Posted by Daniel Pistelli at 12:33 PM | | Comments (5)

February 25, 2010

Custom data types and formats

Another new feature that will be available in the upcoming version of IDA Pro is the ability to create and render custom data types and formats.


(Embedded instructions disassembled and rendered along side with x86 code)

Continue reading "Custom data types and formats" »

Posted by Elias Bachaalany at 06:48 PM | | Comments (1)

February 16, 2010

Scriptable Processor modules

One of the new features we are preparing for the next version of IDA is the ability to write processor modules using your favorite scripting language.
After realizing how handy it is to write file loaders using scripting languages, we set out to making the same thing for processor modules. As an exercise for this new feature, we implemented a processor module for the EFI bytecode.


Continue reading "Scriptable Processor modules" »

Posted by Elias Bachaalany at 06:38 PM | | Comments (0)

February 05, 2010

New IDC improvement in IDA Pro 5.6

Scripting with IDA Pro has always been a very handy feature, not only when used in scripts but also in expressions, breakpoint conditions, form fields, etc...
In IDA Pro 5.6 we improved the IDC language and made it more convenient to use by adding objects, exceptions, support for strings with embedded zeroes, string slicing and references.

Continue reading "New IDC improvement in IDA Pro 5.6" »

Posted by Elias Bachaalany at 08:31 PM | | Comments (3)

January 20, 2010

Hex-Rays against Aurora

As everyone knows, Google and some other companies were under a targeted attack a few days ago. A vulnerability in the Internet Explorer was used to penetrate the computers.

An IDA user very kindly sent us the following link

http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/

Continue reading "Hex-Rays against Aurora" »

Posted by Ilfak Guilfanov at 01:30 PM | | Comments (2)

January 16, 2010

Practical Appcall examples

Last week we introduced the new Appcall feature in IDA Pro 5.6. Today we will talk a little about how it's implemented and describe some of the uses of Appcall in various scenarios.

How Appcall works

Given a function with a correct prototype, the Appcall mechanism works like this:
  1. Save the current thread context
  2. Serialize the parameters (we do not allocate memory for the parameters, we use the debuggee's stack)
  3. Modify the input registers in question
  4. Set the instruction pointer to the beginning of the function to be called
  5. Adjust the return address so it points to a special area where we have a breakpoint (we refer to it as control breakpoint)
  6. Resume the program and wait until we get an exception or the control breakpoint (inserted in the previous step)
  7. Deserialize back the input (only for parameters passed by reference) and save the return value
In the case of a manual Appcall, the debugger module will do all but the last two steps, thus giving you a chance to debug interactively the function in question.
When you encounter the control breakpoint:

you can issue the CleanupAppcall() IDC command to restore the previously saved thread context and resume your debugging session.

Continue reading "Practical Appcall examples" »

Posted by Elias Bachaalany at 05:00 PM |

January 12, 2010

Introducing the Appcall feature in IDA Pro 5.6

In this blog entry we are going to talk about the new Appcall feature that was introduced in IDA Pro 5.6. Briefly, Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function. If you've used GDB (call command), VS (Immediate window), or Borland C++ Builder then you're already familiar with such functionality.

(Screenshot showing how we called three functions (printf, MessageBoxA, GetDesktopWindow) using IDC syntax)

Before diving in, please keep in mind that this blog entry is a short version of the full Appcall reference found here.

Continue reading "Introducing the Appcall feature in IDA Pro 5.6" »

Posted by Elias Bachaalany at 05:04 PM |