I realized that it is quite easy to make FindCrypt work with big endian programs: we just need to know the size of each constant array element and byte-swap the elements if required. So here is the second version of FindCrypt. It introduces the following improvements:
- it works with both little and big endian programs
- it knows to reuse old slots in the bookmarks if run repeatedly
- it is fully automatic and scans each newly created database; a manual scan is still available
Possible future improvement: a tool which would extract constant arrays from the source code of any project. This tool could be written in Perl or Python and would be quite simple (we only have to handle constant array definitions in C). A more sophisticated tool could also take care of type definitions like “typedef long LONG”…
For your convenience, here are links to both versions: findcrypt.zip and findcrypt2.zip
Compare them to see the differences, there aren’t many!
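To illustrate the endianness point above, here is a small added example (my own code, not FindCrypt's): each signature carries its element size, the scanner serializes it in both byte orders and reports which one matched. The tables are constructed, abbreviated prefixes of well-known constants, not FindCrypt's own signature database.

```python
import struct

# Constructed sample signatures: (name, element size in bytes, elements).
# Only the first few constants of each well-known table are included;
# the real FindCrypt tables are far longer.
SIGNATURES = [
    ("demo_sbox8", 1, (0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5)),
    ("demo_k32", 4, (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5)),
    ("demo_k64", 8, (0x428A2F98D728AE22, 0x7137449123EF65CD)),
]

_FMT = {1: "B", 2: "H", 4: "I", 8: "Q"}


def pack_constants(elements, elem_size, big_endian):
    """Serialize a constant array in the requested byte order."""
    prefix = ">" if big_endian else "<"
    return struct.pack(prefix + _FMT[elem_size] * len(elements), *elements)


def find_constants(data, signatures=SIGNATURES):
    """Scan data for every signature in both byte orders.
    Returns a list of (name, offset, endianness) tuples."""
    hits = []
    for name, elem_size, elements in signatures:
        # Single-byte elements have no byte order, so scan them once.
        orders = ((False, "le"),)
        if elem_size > 1:
            orders = ((False, "le"), (True, "be"))
        for big, label in orders:
            needle = pack_constants(elements, elem_size, big)
            off = data.find(needle)
            while off != -1:
                hits.append((name, off, label))
                off = data.find(needle, off + 1)
    return hits


def _demo():
    # Constructed buffer: padding, then the 32-bit table in big-endian order.
    buf = b"\x00" * 16 + pack_constants(SIGNATURES[1][2], 4, True) + b"\xff" * 8
    return find_constants(buf)


if __name__ == "__main__":
    for hit in _demo():
        print(hit)
```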
While analyzing a program, quite often we want to know whether it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is a plugin which can help us answer these questions.
Continue reading FindCrypt
Suppose our goal is to dissect a new program. The ultimate method of analysis is single-stepping the program of interest. Each executed instruction must be single-stepped at least once so we won’t miss anything important.
Continue reading Tracing exception handlers
How do you spell “I love you” in Greek?…
Continue reading The unispector
Today I’ll present you a pretty small yet useful plugin.
Continue reading The highlighter
The method described last does not work if the application uses an “unsupported” anti-debugging trick. For example, if the application directly checks the PEB field instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use something else, something from the future…
Continue reading The ultimate stealth method
Quite often IDA users ask for a plugin or feature to hide the debugger from the application. In fact there are many anti-debugging tricks and each of them requires an appropriate reaction from the debugger. Let’s start with something simple: we will make the IsDebuggerPresent function call always return zero.
Continue reading Simple trick to hide IDA debugger
The final method of loading several files into a database.
Continue reading Several files in one IDB, part 4
I promised to tell you about the TLS callbacks.
Here is the discussion.
Continue reading TLS callbacks
The third method to create a database with several PE files.
Continue reading Several files in one IDB, part 3