IDA Pro 6.2 with database snapshots support

The most frequently asked question we get during the IDA Pro trainings, on the support forum or via support emails is: “When will IDA Pro support the undo feature?” or “How can I undo an operation in IDA Pro”.

Our answer has always been: “Sorry, it is not possible to undo in IDA Pro” or “This feature will eventually be implemented sometime in the future”.

In this blog post, we introduce the new database snapshots feature that will be present in IDA Pro 6.2:

snap_man

Continue reading IDA Pro 6.2 with database snapshots support

Unpacking mpress’ed PE+ DLLs with the Bochs plugin

In IDA Pro 6.1 we extended the Bochs debugger plugin to support debugging of 64bit code snippets. With IDA Pro 6.2 it will be possible to debug PE+ executables as well. Since the execution will be emulated inside Bochs, a 64bit operating system is not required and one could be equally running a 32 or 64bit Linux, Mac OS or Windows operating system and still be able to debug 64bit PE files from IDA Pro.

To illustrate this new feature, we are going to unpack and briefly analyze a PE+ trojan that is compressed with MPRESS from MATCODE Software.We will illustrate how to unpack the DLL, recover the import table and cleanup the database to get it ready for analysis.

bochs_options

Continue reading Unpacking mpress’ed PE+ DLLs with the Bochs plugin