It works! There are lots of limitations but it is alive, handles breakpoints, exceptions, and even some limited tracing is available. It is possible to launch processes and attach to them. Here is just one screenshot:

Expect many limitations in the first version (no hardware bpts, limited multithread support, etc). One of the most annoying shortcomings is that the memory layout is not determined automatically - we had to introduce 'manual memory regions' window to overcome this.

Since it is a new beast and many aspects need polishing, beta testers are welcome!

Posted by Ilfak Guilfanov at 07:02 PM | Permalink | Comments (2)

Things are quite easy with the Symbian TRK! Today I decided to write a small program to interact with it and everything worked extremely smoothly. My driver program can download a SIS file to the phone, automatically install and run it. It reacts to debugging events and gracefully closes the connection when the application terminates. Below are just a few pictures for the curious.

Continue reading "Symbian AppTRK" »

Posted by Ilfak Guilfanov at 02:06 AM | Permalink | Comments (3)

Yesterday I created my first Symbian program :) Sure enough, it was a "hello world" and to tell the truth I did not write it myself. But it still took me 3 (three) hours to get it running on Nokia E51. The good side is that I learned a lot about possible failures with Symbian applications (there are quite many of them, some of them with cryptic error messages like "install failed").

Continue reading "Hello Symbian!" »

Posted by Ilfak Guilfanov at 11:30 AM | Permalink | Comments (0)

A brilliant blog post by Ero Carrera: IDAPython in action:

http://blog.dkbza.org/2008/03/digging-up-system-call-ordinals.html

Just note how concise and powerful is the script!

Posted by Ilfak Guilfanov at 12:22 AM | Permalink | Comments (0)

Just a quick post to announce that we have published a small plugin to specify jump table information. When IDA misses them, the flow charts are virtually useless - they fall apart into several loosely connected components and the logic is completely hidden. This plugin is especially useful for rarely used processors with unusual switch idioms.

The plugin and its source code can be found on our forum.

Posted by Ilfak Guilfanov at 04:25 PM | Permalink | Comments (0)

For example, IDA might claim that EIP points to an address without a segment, or none of exported names of a loaded DLL are available.

Continue reading "Debugger and process memory" »

Posted by Ilfak Guilfanov at 05:02 PM | Permalink | Comments (0)

That's why we strive to add support for new jump tables to IDA, and since it can not be done for all of them, we focus on compiler generated jump tables for popular processors. Take ARM, for example. The ARM processor module have been improved a lot in v5.2, but yet we received a report with a bunch of new patterns. So expect even better support for ARM in the near future :)

If you are interested in improving the jump table handling for a rarely used processor, here are the explanations how to do it.

Continue reading "Jump tables" »

Posted by Ilfak Guilfanov at 11:21 AM | Permalink

If you ever used IDA to analyze embedded stuff, you would immediately notice its pc-centric nature. While any embedded SDK targets specific devices with real-world part numbers, IDA just provides you with a universal analysis framework. You are supposed to know how the device works, its idiosyncrasies, programming model, memory organization, and all other practical stuff. If there is an automatic way to determine the entry point or interrupt vectors, IDA will use it but in general you will have to find out the correct parameters yourself.

The following tutorial fills the gap for C166 (and explains many other things!):

http://andywhittaker.com/ECU/DisassemblingaBoschME755/tabid/96/Default.aspx

Thanks, Andy!

Posted by Ilfak Guilfanov at 02:52 PM | Permalink | Comments (3)

If I have an instruction like

     mov eax, [edi-0ch]

and I know that that's really the sum of an offset to a structure not at edi and the offset of a member within that structure, how do I get IDA to display it as such without using a manual operand?

Continue reading "Negated structure offsets" »

Posted by Ilfak Guilfanov at 05:53 PM | Permalink | Comments (0)

Continue reading "Very simple custom viewer" »

Posted by Ilfak Guilfanov at 01:42 AM | Permalink | Comments (0)

Continue reading "Dynamic coloring" »

Posted by Ilfak Guilfanov at 07:02 PM | Permalink | Comments (5)

Continue reading "On batch analysis" »

Posted by Ilfak Guilfanov at 09:52 PM | Permalink | Comments (6)

• Open xrefs window and press Ins
• Write an IDC script
• Write a plugin

See a demo below the cut.

Continue reading "Adding cross references" »

Posted by Ilfak Guilfanov at 08:42 AM | Permalink | Comments (6)

We all know that call invokes a function and ret returns to the caller. Alas, nothing is certain in the binary world. The ret instruction is quite often used for short jumps within a function. Among many other improvements in IDA v5.1 there will be a special logic to recognize and mark such pseudo-returns. I was surprised to see this graph and post it here for your amusement:

Continue reading "Does 'return' come back?" »

Posted by Ilfak Guilfanov at 07:27 PM | Permalink | Comments (12)

This results in that, from the disassembler point of view, one has to allow for those chunks and also for those chunks to be assigned to an arbitrary number of "owning" or parent functions.

Continue reading "Heads and tails" »

Posted by Ilfak Guilfanov at 04:02 PM | Permalink | Comments (1)

Continue reading "Loop colorizer" »

Posted by Ilfak Guilfanov at 07:40 PM | Permalink | Comments (12)

http://www.datarescue.com/ubb/ultimatebb.php?/topic/4/375.html

There were some nice tries but nobody guessed it right. It seems Datarescue will have to repeat the contest with another question :)

If you are curious to learn the correct answer, please read on.

Continue reading "Simplex method in IDA Pro" »

Posted by Ilfak Guilfanov at 02:09 AM | Permalink | Comments (11)

After spending several days with a naive approach to linear algebra I can tell you: it doesn't work. Will use a third party implementation because my implementation is way too slow. My very short and elegant implementation (only 500 lines) works well for smal problems but miseralby fails with anything of substantial size. The failure means that the soluion is obtained after a noticeable period of time (1-2 seconds) which is not acceptable for a pleasant interactive experience.

If you wonder why I would need such a beast in IDA, ask yourself how it can be used. There is a chance to win a contest:

http://www.datarescue.com/ubb/ultimatebb.php?/topic/4/375.html

Posted by Ilfak Guilfanov at 02:04 AM | Permalink | Comments (0)

http://nominis.cef.fr/contenus/saints_966.html

Today is her day.

IDA Pro started as a simple abbreviation but we quickly got used to the image of this nice lady (in fact the person depicted on the image is just a certain medieval lady, not a saint; not named Ida neither...).

Posted by Ilfak Guilfanov at 12:13 AM | Permalink | Comments (1)

The good news are that there are easy methods to improve the situation.

Continue reading "Improving IDA analysis" »

Posted by Ilfak Guilfanov at 02:57 AM | Permalink | Comments (2)

The new IDA Pro introduces the graph mode. The disassembly of the current function is displayed as a graph: each basic block is represented as a node and cross references are represented as edges. It is easy to zoom, move, and modify the graph using the mouse, I'm sure you will just use the new interface without much difficulty. However, there are some unexpected commands which may render your life easier.

For example, the keyboard arrows can be used to move around the graph. This is something expected. But if you hold the Ctrl arrow and press the Up or Down keys, IDA will display the list of all predecessors or successors of the current node.

Double clicking on an edge with the Ctrl key pressed will jump to its destination. Alt will jump to its source.

Pressing '5' on the keypad will center the current node. If you prefer to use the mouse, try to click with the mouse wheel on a node - the clicked node will be centered.

There are many tricks like this. All this is described in minute detail in the help. It won't take long to read the graph-related pages and you will become really fast and comfortable with the graph view. I urge you to spend some 10-15 minutes reading it and playing with graphs.

IDA has more graph layout algorithms than you might think. See some of them in Dennis' blog. You can create your own layouts too (and even your own graphs of absolutely anything). Just take a look at the sample plugin in the SDK.

Posted by Ilfak Guilfanov at 11:02 PM | Permalink | Comments (2)

Sometimes we want to perform the coverage analysis of the input file: to find areas of the program not exercised by a set of test cases. These test cases may come from a test suit or you could be trying to to find a vulnerability in the program by 'fuzzing' it. A nice feedback in the form of a list of 'not-yet-executed' instructions would be a nice addition to blind fuzzing.

Continue reading "Coverage analyzer" »

Posted by Ilfak Guilfanov at 01:28 AM | Permalink | Comments (1)

A nice dynamic graph: relation browser.

Something similar could be used in IDA Pro for inter-function navigation. The graph nodes would be functions and static data variables, the edges would represent function calls and data accesses...

Posted by Ilfak Guilfanov at 12:00 AM | Permalink | Comments (3)

I realized that it is quite easy to make FindCrypt work with big endian programs. For that we just need to know the size of each constant array element and swap them if required. So here is the second version of FindCrypt. It introduces the following improvements:

1. it works with both little and big endian programs
   
2. it knows to reuse old slots in the bookmarks if run repeatedly
3. it is fully automatic and scans each new created database. manual scan is still available

For your convenience, here are links to both versions: findcrypt.zip and findcrypt2.zip
Compare them to see the differences, there aren't many!

Posted by Ilfak Guilfanov at 02:27 AM | Permalink | Comments (1)

While analyzing a program quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is the plugin which can help us answer these questions.

Continue reading "FindCrypt" »

Posted by Ilfak Guilfanov at 12:38 AM | Permalink | Comments (14)

Suppose our goal is to dissect a new program. The ultimate method of analysis is single stepping the program of interest. Each executed instruction must be single stepped at least once so we won't miss anything important.

Continue reading "Tracing exception handlers" »

Posted by Ilfak Guilfanov at 11:28 PM | Permalink | Comments (6)

How do you spell "I love you" in Greek?...

Continue reading "The unispector" »

Posted by Ilfak Guilfanov at 01:54 PM | Permalink | Comments (9)

Today I'll present you a pretty small yet useful plugin.

Continue reading "The highlighter" »

Posted by Ilfak Guilfanov at 12:18 AM | Permalink | Comments (14)

The last described method does not work if the application uses an "unsupported" antidebugging trick. For example, if the application directly checks the PEB field instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use something else, something from the future...

Continue reading "The ultimate stealth method" »

Posted by Ilfak Guilfanov at 04:06 PM | Permalink | Comments (7)

Quite often IDA users ask for a plugin or feature to hide the debugger
from the application. In fact there are many anti-debugging tricks and
each of them requires an appropriate reaction from the debugger, let's
start with something simple: we will make the IsDebuggerPresent
function call always return zero.

Continue reading "Simple trick to hide IDA debugger" »

Posted by Ilfak Guilfanov at 04:51 PM | Permalink | Comments (9) | TrackBacks (1)

Final method of loading several files into a database

Continue reading "Several files in one IDB, part 4" »

Posted by Ilfak Guilfanov at 06:25 PM | Permalink

I promised to tell you about the TLS callbacks.
Here is the discussion.

Continue reading "TLS callbacks" »

Posted by Ilfak Guilfanov at 11:56 PM | Permalink | Comments (2)

The third method to create a database with several PE files.

Continue reading "Several files in one IDB, part 3" »

Posted by Ilfak Guilfanov at 10:35 PM | Permalink

The second method to create a database with several PE files.

Continue reading "Several files in one IDB, part 2" »

Posted by Ilfak Guilfanov at 08:38 PM | Permalink

IDA Pro can load one PE file into a database and analyze it. Some users assume this is the maximum. Let's take a closer look at the situation...

Continue reading "Several files in one IDB" »

Posted by Ilfak Guilfanov at 12:18 AM | Permalink | Comments (2) | TrackBacks (1)