Recon 2012: Compiler Internals

This year I again was lucky to present at Recon in Montreal. There were many great talks as usual. I combined the topic of my last year’s talk on C++ reversing and my OpenRCE article on Visual C++ internals. New material was implementation of exceptions and RTTI in MSVC x64 and GCC (including Apple’s iOS).

The videos are not up yet but here are the slides of my presentation and a few demo scripts I made for it to parse GCC’s RTTI structures and exception tables. I also added my old scripts from OpenRCE which I amended slightly for the current IDA versions (mostly changed hotkeys).

Slides
Scripts

The trace replayer

One of the new features that will be available in the next version of IDA is a trace re-player. This pseudo-debugger allows to re-play execution traces of programs debugged in IDA. The replayer debugger allows replaying traces recorded with any of the currently supported debuggers, ranging from local Linux or win32 debuggers to remote GDB targets. Currently supported targets include x86, x86_64, ARM, MIPS and PPC.

When we are re-playing a recorded trace, we can step forward and backward, set breakpoints, inspect register values, change the instruction pointer to any recorded IP, etc…

Also, trace management capabilities have been added to IDA in order to allow saving and loading recorded execution traces. Let’s see an example.

Continue reading The trace replayer

Recon 2011: Practical C++ Decompilation

Last month I visited the Recon conference and had a great time again. I gave a talk on C++ decompilation and how to handle it in IDA and Hex-Rays decompiler. You can get the slides here, and download the recorded talk here.

Edit: for some reason the streaming version does not show anything after the intro, please download the Quicktime version until it’s fixed.

 

Challenging job for software developers

We should permanently and prominently publish this ad on our site 🙂

We are looking for strong software engineers to join our team and participate in the development of unique software security tools. The candidates must know low-level details of modern software as well as high-level data structures and algorithms.

Requirements:

  • strong knowledge of C/C++
  • knowledge of the x86 assembler and unwillingness to use it in development
  • cross platform development (Windows/Linux/Mac) is a plus
  • knowing the graph theory and how compilers work is a plus
  • ability and willingness to write secure yet fast code
  • good problem solving and communication skills

If you want a challenging job in a friendly environment, please apply by sending your resume to [email protected]
Thanks!

IDA Pro 5.5 and Hex-Rays 1.1 have been released!

IDA Pro 5.5

We are happy to announce a new version of IDA Pro! The major news is the
new docking user interface. There are many other improvements: processor modules,
file formats, analysis tweaks, well, the usual stuff. There is a new MS Windows
Crash Dump Loader and improved Bochs debugger. The complete list of new
features and bug fixes is available here

http://www.hex-rays.com/idapro/55/index.htm

Hex-Rays 1.1

We also release a new version of our decompiler: now with the floating point
support. It was a technically challenging task and required lots of testing, but
we are very happy with the end result. It can really handle floating point
computations and generates reliable output. All subtle nuances, like conversion
rules, fpu stack state, predefined compiler helper functions, are all taken care of.

The decompiler uses debug information if it is available: in this case, even local
variable names and types will be restored. If there is no debug information, the
decompiler will still generate correct and precise output. In fact, it is designed
to work without debug information, which means that virtually any
compiler-generated executable can be analyzed and turned into C output.

New pricing and support plans

With this release, we update the pricing of IDA Pro and Hex-Rays Decompiler.
While the initial purchase prices are increased, upgrade prices go down.
In order to streamline the upgrade process, we will use the same rules for
all our products: now a support plan is renewable any time while it is active
and also three months after its expiration. The new support period is counted from
the expiration date of the previous support period.

If you upgraded your IDA/Hex-Rays copy the last month with older prices,
do not worry. For you, we will add a month of support for the IDA license,
and three months of support for Hex-Rays Decompiler.

We will continue to accept old-style upgrade orders until 12 October 2009.

How to request the new versions

As usual, the new versions are free for users whose licenses are within active
support plan. Submit your ida.key to

https://www.hex-rays.com/updida.shtml

and expect a message from us within 5-10 minutes. Sometimes we do not have your
email in the database, so please specify it (otherwise we will have no means of
communicating with you).

To request the new version of the decompiler, please use Edit, Plugins, Hex-Rays,
Check for updates in IDA.

Is your key too old?

If your key is too old for a free update, you might still be
eligible for a discounted upgrade. Until 12 October 2009 we offer the upgrade
prices for all purchases made two years ago or less. The order forms can be
found here:

http://www.hex-rays.com/idapro/idaorder.htm

We will arrange an electronic delivery to existing customers.

That’s all folks! Enjoy the release.