I realized that it is quite easy to make FindCrypt work with big endian programs. For that we just need to know the size of each constant array element and swap them if required. So here is the second version of FindCrypt. It introduces the following improvements:

  1. it works with both little and big endian programs
  2. it knows to reuse old slots in the bookmarks if run repeatedly
  3. it is fully automatic and scans each new created database. manual scan is still available

Future possible improvement: a tool which would extract constant arrays from the source code of any project. This tool can be written on perl or python and will be quite simple (we only have to handle constant array definitions in C). More sophisticated tool could also take care of type definitions like “typedef long LONG”…
For your convenience, here are links to both versions: and
Compare them to see the differences, there aren’t many!

Simple trick to hide IDA debugger

Quite often IDA users ask for a plugin or feature to hide the debugger
from the application. In fact there are many anti-debugging tricks and
each of them requires an appropriate reaction from the debugger, let’s
start with something simple: we will make the IsDebuggerPresent
function call always return zero.

Continue reading Simple trick to hide IDA debugger