<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Hex blog</title>
      <link>http://hexblog.com/</link>
      <description>About IDA Pro, decompilation, programming, binary program analysis, information security.</description>
      <language>en</language>
      <copyright>Copyright 2009</copyright>
      <lastBuildDate>Fri, 19 Jun 2009 21:02:48 +0100</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/?v=3.2</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <item>
         <title>Function call graph plugin sample</title>
         <description><![CDATA[<p>IDA Pro already has a function call graph facility, but it relies on WinGraph32.</p>]]></description>
         <link>http://hexblog.com/2009/06/function_call_graph_plugin_sam.html</link>
         <guid>http://hexblog.com/2009/06/function_call_graph_plugin_sam.html</guid>
         <category>IDA Pro</category>
         <pubDate>Fri, 19 Jun 2009 21:02:48 +0100</pubDate>
      </item>
            <item>
         <title>IDA Pro 5.5 and Hex-Rays 1.1 have been released!</title>
         <description><![CDATA[<h3>IDA Pro 5.5</h3>

We are happy to announce a new version of IDA Pro! The major news is the
new docking user interface. There are many other improvements: processor modules,
file formats, analysis tweaks, well, the usual stuff. There is a new MS Windows
Crash Dump Loader and improved Bochs debugger. The complete list of new
features and bug fixes is available here:
<p>
<a href="http://www.hex-rays.com/idapro/55/index.htm">http://www.hex-rays.com/idapro/55/index.htm</a>


<h3>Hex-Rays 1.1</h3>


We also release a new version of our decompiler, now with floating point
support. It was a technically challenging task and required lots of testing, but
we are very happy with the end result. It can really handle floating point
computations and generates reliable output. All the subtle nuances, like conversion
rules, FPU stack state and predefined compiler helper functions, are taken care of.
<p>
The decompiler uses debug information if it is available: in this case, even local
variable names and types will be restored. If there is no debug information, the
decompiler will still generate correct and precise output. In fact, it is designed
to work without debug information, which means that virtually any
compiler-generated executable can be analyzed and turned into C output.


<h3>New pricing and support plans</h3>

With this release, we update the pricing of IDA Pro and Hex-Rays Decompiler.
While the initial purchase prices are increased, upgrade prices go down.
In order to streamline the upgrade process, we will use the same rules for
all our products: now a support plan is renewable any time while it is active
and also three months after its expiration. The new support period is counted from
the expiration date of the previous support period.
<p>
If you upgraded your IDA/Hex-Rays copy during the last month at the old prices,
do not worry. For you, we will add a month of support for the IDA license,
and three months of support for the Hex-Rays Decompiler.
<p>
We will continue to accept old-style upgrade orders until 12 October 2009.


<h3>How to request the new versions</h3>

As usual, the new versions are free for users whose licenses are within an active
support plan. Submit your ida.key to
<p>
<a href="https://www.hex-rays.com/updida.shtml">https://www.hex-rays.com/updida.shtml</a>
<p>
and expect a message from us within 5-10 minutes. Sometimes we do not have your
email in the database, so please specify it (otherwise we will have no means of
communicating with you).
<p>
To request the new version of the decompiler, please use Edit, Plugins, Hex-Rays,
Check for updates in IDA.


<h3>Is your key too old?</h3>

If your key is too old for a free update, you might still be
eligible for a discounted upgrade. Until 12 October 2009 we offer the upgrade
prices for all purchases made two years ago or less. The order forms can be
found here:
<p>
<a href="http://www.hex-rays.com/idapro/idaorder.htm">http://www.hex-rays.com/idapro/idaorder.htm</a>
<p>
We will arrange an electronic delivery to existing customers.
<p>
That's all folks! Enjoy the release.

]]></description>
         <link>http://hexblog.com/2009/06/ida_pro_55_and_hexrays_11_have.html</link>
         <guid>http://hexblog.com/2009/06/ida_pro_55_and_hexrays_11_have.html</guid>
         <category></category>
         <pubDate>Mon, 15 Jun 2009 17:30:59 +0100</pubDate>
      </item>
            <item>
         <title>IDA Pro 5.5 goes alpha</title>
         <description>After many months of work, IDA Pro 5.5 is now in alpha stage and this week the beta will be out for testing.</description>
         <link>http://hexblog.com/2009/06/ida_pro_55_goes_alpha.html</link>
         <guid>http://hexblog.com/2009/06/ida_pro_55_goes_alpha.html</guid>
         <category>IDA Pro</category>
         <pubDate>Tue, 02 Jun 2009 15:12:44 +0100</pubDate>
      </item>
            <item>
         <title>Decompiling floating point</title>
         <description><![CDATA[It is a nice feeling when, after long debugging nights, your software
finally runs and produces meaningful results. Another milestone is when other users
start to use it and obtain useful results. Usually this period is very busy: lots
of new bugs are discovered and fixed, unforeseen corner cases are handled.
Then another period starts: users come back
for more copies, with more ideas, request more functionality, etc. This is what is happening
with the decompiler now and I feel it is time to update you with the latest news.
<p>
]]></description>
         <link>http://hexblog.com/2009/05/decompiling_floating_point.html</link>
         <guid>http://hexblog.com/2009/05/decompiling_floating_point.html</guid>
         <category>Decompilation</category>
         <pubDate>Tue, 05 May 2009 13:13:32 +0100</pubDate>
      </item>
            <item>
         <title>IDA v5.4 demo</title>
         <description><![CDATA[<p>Just a quick note for interested parties: we prepared the new demo version of IDA Pro. The new demo includes the bochs debugger. The debugger is fully functional with just one limitation: it will become inactive after a number of commands. I prefer to tell you this in advance rather than have it discovered in the middle of a heavy debugging session ;)</p>

<p>Here's the download link:</p>

<p><a href="http://www.hex-rays.com/idapro/idadowndemo.htm">http://www.hex-rays.com/idapro/idadowndemo.htm</a></p>

<p>Enjoy!</p>]]></description>
         <link>http://hexblog.com/2009/04/ida_v54_demo.html</link>
         <guid>http://hexblog.com/2009/04/ida_v54_demo.html</guid>
         <category>IDA Pro</category>
         <pubDate>Fri, 17 Apr 2009 17:01:55 +0100</pubDate>
      </item>
            <item>
         <title>Advanced Windows Kernel Debugging with VMWare and IDA&apos;s GDB debugger</title>
         <description><![CDATA[<P>We have already published a <a href="http://www.hex-rays.com/idapro/debugger/gdb_vmware_winkernel.pdf">short tutorial</a> on Windows kernel debugging
with IDA and VMWare on our site, but the debugging experience can
still be improved.</P>
<P>VMWare's GDB stub is very basic: it doesn't know anything about processes or
threads (for Windows guests), so for anything high-level we'll need
to do some extra work. We will show how to get the loaded module list
and load symbols for all of them using IDAPython.</P>
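<P>The module-list walk described above, as an added example that is not part of the original post or of IDA: pure Python over a constructed memory image, with the struct layout, sample addresses and module names all assumed for illustration. The <code>read</code> callback is the only piece that would change in a real IDAPython session (it would wrap the debugger's read-memory call, and the list head would come from the kernel's loaded-module list symbol); the point is that a linked list read out of a live or hostile guest must be bounded and validated, not trusted.</P>

```python
"""Enumerate a kernel-style loaded-module list over a raw memory reader.

Added example, not code from the original post. It runs on a constructed
guest-memory image: the entry layout imitates a LIST_ENTRY-linked table entry
with a UNICODE_STRING name but is NOT the real KLDR_DATA_TABLE_ENTRY (whose
offsets differ per Windows build and must come from the kernel PDB).
read(addr, size) stands in for the debugger's read-memory API.
"""
import struct

# Constructed 32-bit entry layout (byte offsets):
#   0x00 Flink   0x04 Blink       (LIST_ENTRY InLoadOrderLinks)
#   0x08 DllBase 0x0C SizeOfImage
#   0x10 BaseDllName: u16 Length, u16 MaximumLength, u32 Buffer
ENTRY_FMT = "<IIIIHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 0x18


class GuestImage:
    """Flat memory window; a read outside it fails like an unmapped access."""

    def __init__(self, base, size):
        self.base = base
        self.mem = bytearray(size)

    def _offset(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.mem):
            raise ValueError("unmapped guest read at %#x (%d bytes)" % (addr, size))
        return off

    def read(self, addr, size):
        off = self._offset(addr, size)
        return bytes(self.mem[off:off + size])

    def write(self, addr, data):
        off = self._offset(addr, len(data))
        self.mem[off:off + len(data)] = data


def walk_module_list(read, list_head, max_entries=4096):
    """Return [(base, size, name), ...] by following Flink from list_head.

    Guest memory is untrusted (paged out, mid-update or tampered with), so the
    walk is bounded and validated: a node seen twice, a Blink that does not
    point back at the previous node, an inconsistent UNICODE_STRING or more
    than max_entries nodes abort with ValueError instead of looping forever.
    """
    (flink,) = struct.unpack("<I", read(list_head, 4))
    seen, prev, modules = {list_head}, list_head, []
    while flink != list_head:
        if flink in seen:
            raise ValueError("cycle: entry %#x visited twice" % flink)
        if len(modules) >= max_entries:
            raise ValueError("more than %d entries" % max_entries)
        seen.add(flink)
        nxt, blink, base, size, nlen, nmax, nbuf = struct.unpack(
            ENTRY_FMT, read(flink, ENTRY_SIZE))
        if blink != prev:
            raise ValueError("Blink of %#x is %#x, expected %#x" % (flink, blink, prev))
        if nlen % 2 or nlen > nmax:
            raise ValueError("bad UNICODE_STRING in entry %#x" % flink)
        modules.append((base, size, read(nbuf, nlen).decode("utf-16-le")))
        prev, flink = flink, nxt
    return modules


def build_image(base, modules):
    """Construct a guest image holding a list head plus one entry per module."""
    img, head = GuestImage(base, 0x1000), base
    entries = [base + 0x100 * (i + 1) for i in range(len(modules))]
    names = [base + 0x800 + 0x80 * i for i in range(len(modules))]
    img.write(head, struct.pack("<II", entries[0] if entries else head,
                                entries[-1] if entries else head))
    for i, (mbase, msize, name) in enumerate(modules):
        flink = entries[i + 1] if i + 1 < len(entries) else head
        blink = entries[i - 1] if i > 0 else head
        enc = name.encode("utf-16-le")
        img.write(names[i], enc)
        img.write(entries[i], struct.pack(ENTRY_FMT, flink, blink, mbase, msize,
                                          len(enc), len(enc) + 2, names[i]))
    return img, head


def make_cyclic(img, head):
    """Corrupt the list: point the last entry's Flink back at the first entry."""
    first, last = struct.unpack("<II", img.read(head, 8))
    img.write(last, struct.pack("<I", first))


# Constructed sample; bases and sizes are illustrative, not real kernel addresses.
SAMPLE_MODULES = [
    (0x804D7000, 0x1F8000, "ntoskrnl.exe"),
    (0x806CF000, 0x20300, "hal.dll"),
    (0xF7A00000, 0x2B000, "ndis.sys"),
]

if __name__ == "__main__":
    img, head = build_image(0x80000000, SAMPLE_MODULES)
    for base, size, name in walk_module_list(img.read, head):
        print("%08x %08x %s" % (base, size, name))
    make_cyclic(img, head)
    try:
        walk_module_list(img.read, head)
    except ValueError as e:
        print("corrupted list rejected:", e)
```

<P>Run directly, it lists the three constructed modules and then rejects the same list once its last Flink has been bent into a cycle. Loading symbols for each module, the second half of the plan above, would take each (base, name) pair and fetch the matching PDB; this example stops at the validated list.</P>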
]]></description>
         <link>http://hexblog.com/2009/02/advanced_windows_kernel_debugg.html</link>
         <guid>http://hexblog.com/2009/02/advanced_windows_kernel_debugg.html</guid>
         <category>IDA Pro</category>
         <pubDate>Thu, 19 Feb 2009 14:21:04 +0100</pubDate>
      </item>
            <item>
         <title>IDA Pro has 9 debugger modules</title>
         <description><![CDATA[<p><a href="http://www.hex-rays.com/idapro/54/index.htm"><img src="http://www.hex-rays.com/idapro/debugger/debuggers_logo_small.gif" align=left border=0 /></a> Since the number of debugger modules in IDA surpassed <a href="http://en.wikipedia.org/wiki/The_Magical_Number_Seven,_Plus_or_Minus_Two">the magical number seven plus or minus two</a>, we created a small table describing what is available and what is not:</p>

<p><a href="http://www.hex-rays.com/idapro/debugger/index.htm">http://www.hex-rays.com/idapro/debugger/index.htm</a></p>

<p>Direct links to tutorials are available here:</p>

<p><a href="http://www.hex-rays.com/idapro/idasupport.htm">http://www.hex-rays.com/idapro/idasupport.htm</a></p>

<p>I know, I know - we need to add 64-bit support for all platforms, port the Bochs debugger module to Linux, and... any other suggestions? I personally would love to have source level debugging, yet it requires some substantial changes to the kernel. We probably will move in this direction, sooner or later...</p>]]></description>
         <link>http://hexblog.com/2009/02/ida_pro_has_9_debugger_modules.html</link>
         <guid>http://hexblog.com/2009/02/ida_pro_has_9_debugger_modules.html</guid>
         <category>IDA Pro</category>
         <pubDate>Thu, 05 Feb 2009 19:43:41 +0100</pubDate>
      </item>
            <item>
         <title>Kernel debugging with IDA</title>
         <description><![CDATA[<p>When IDA introduced debugging facilities years ago, the task of analyzing hostile code became much richer: no more looking only at static code and figuring out what it does; instead, just run the malware in a virtual machine and debug it remotely, or even debug just a small code snippet from the database (with the Bochs-based debugger plugin).</p>]]></description>
         <link>http://hexblog.com/2009/01/kernel_debugging_with_ida.html</link>
         <guid>http://hexblog.com/2009/01/kernel_debugging_with_ida.html</guid>
         <category>IDA Pro</category>
         <pubDate>Fri, 30 Jan 2009 14:02:18 +0100</pubDate>
      </item>
            <item>
         <title>IDA v5.4 release is not that far away</title>
         <description><![CDATA[<p>I'm happy to inform you that we are entering the beta stage of IDA v5.4!</p>

<p>In addition to numerous small and not that small improvements, the new version will have three debugger modules: <strong>bochs, gdb, and windbg</strong>, selectable on the fly (the active debugger session will be closed, though ;))</p>
<ul>
<li>With the bochs debugger, we offer three different worlds: the <strong>run-any-code-snippet</strong> facility, a <strong>windows-like-environment</strong> for PE files, and an <strong>any-bochs-image</strong> bare-bone machine emulation mode. You can read more about this module in our blog: <a href="http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html">http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html</a></li>
<li>With gdb, <strong>x86</strong> and <strong>arm</strong> targets are supported. Among other things, it is possible to connect IDA to <strong>QEMU</strong> or debug a virtual machine inside <strong>VMWare</strong>. We tried it on the <strong>iPhone</strong> as well. However, while it works in some circumstances, there were some problems on the gdbserver side.</li>
<li>With windbg, <strong>user</strong> and <strong>kernel</strong> mode debugging is available. The debugger engine from Microsoft, which is currently the only choice for driver and kernel mode debugging, can be used from IDA. It can automatically load the required <strong>PDB</strong> files and populate the listing with meaningful names, types, etc. Speaking of PDB files, IDA imports more information from them: local function variables and types are retrieved too, C++ base classes are handled, etc.</li>
</ul>

<p>The gdb and windbg debugger modules support local and remote debugging. We tried to make the debugger modules as open as possible: target-specific commands can be sent to all backend engines in a very easy and user-friendly way.</p>

<p>As usual, better analysis and many minor changes have been made. If you spend plenty of time analyzing gcc-generated binaries, you'll certainly appreciate that IDA now handles its peculiar way of preparing outgoing function arguments: instead of <strong>push</strong> instructions, gcc copies the arguments to the stack with <strong>mov</strong> statements, and IDA can now trace and find these copies.</p>
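<p>An added example of the argument-recovery idea in the paragraph above, not IDA's own implementation: a small Python pass over a constructed, IDA-style disassembly listing that tracks the stack slots written before each call, whether they were filled by <strong>push</strong> or by gcc's <strong>mov [esp+N]</strong> stores. The instruction strings, callee names and the optional prototype table are all invented for illustration.</p>

```python
"""Recover outgoing call arguments from push- and mov-based call sequences.

Added example, not IDA's code. It works on a constructed, already
disassembled listing (one IDA-syntax string per instruction), so matching
is textual; IDA's real analysis runs on its own instruction representation.
"""
import re

WORD = 4  # 32-bit stack slots
PUSH = re.compile(r"^push\s+(.+)$")
MOV_TO_ESP = re.compile(r"^mov\s+(?:dword ptr\s+)?\[esp(?:\+(\w+))?\],\s*(.+)$")
ESP_ADJ = re.compile(r"^(sub|add)\s+esp,\s*(\w+)$")
CALL = re.compile(r"^call\s+(\S+)$")


def parse_num(tok):
    """Parse an IDA-style immediate: 1Ch (hex suffix), 0x1c, or decimal 8."""
    tok = tok.strip()
    if tok.lower().startswith("0x"):
        return int(tok, 16)
    if tok[-1] in "hH":
        return int(tok[:-1], 16)
    return int(tok, 10)


def recover_call_args(listing, prototypes=None):
    """Return [(callee, [arg0, arg1, ...]), ...] for every call in listing.

    `slots` maps an offset from the current ESP to the operand last written
    there. push shifts every slot up by a word and writes slot 0; sub/add esp
    shift the slots too (add discards what falls below ESP); mov [esp+N]
    writes slot N directly. At a call, arguments are the contiguous word
    slots starting at [esp]; when the callee's argument count is known from
    `prototypes`, exactly that many are taken (None = slot never written).
    Slots are dropped after each call so stale stores left in gcc's reused
    outgoing-argument area are not misread as arguments of the next call.
    """
    prototypes = prototypes or {}
    slots, calls = {}, []
    for insn in listing:
        insn = insn.strip()
        m = PUSH.match(insn)
        if m:
            slots = {off + WORD: val for off, val in slots.items()}
            slots[0] = m.group(1).strip()
            continue
        m = ESP_ADJ.match(insn)
        if m:
            delta = parse_num(m.group(2)) * (1 if m.group(1) == "sub" else -1)
            slots = {off + delta: val for off, val in slots.items() if off + delta >= 0}
            continue
        m = MOV_TO_ESP.match(insn)
        if m:
            slots[parse_num(m.group(1)) if m.group(1) else 0] = m.group(2).strip()
            continue
        m = CALL.match(insn)
        if m:
            callee = m.group(1)
            if callee in prototypes:
                args = [slots.get(WORD * i) for i in range(prototypes[callee])]
            else:
                args = []
                while WORD * len(args) in slots:
                    args.append(slots[WORD * len(args)])
            calls.append((callee, args))
            slots = {}
    return calls


# Constructed listing in IDA syntax, not taken from a real binary: an
# MSVC-like push sequence followed by a gcc-like mov-to-stack sequence.
SAMPLE_LISTING = [
    "push    0Ah",
    "push    offset aFmt",
    "call    _printf",
    "add     esp, 8",
    "sub     esp, 1Ch",
    "mov     [esp+8], ebx",          # gcc fills the slots in any order...
    "mov     dword ptr [esp+4], 0Ah",
    "mov     eax, [ebp+8]",          # unrelated load, ignored
    "mov     [esp], eax",            # ...not necessarily [esp] first
    "call    _foo",
    "mov     [esp], offset aHello",  # area reused: [esp+4], [esp+8] are stale
    "call    _puts",
    "add     esp, 1Ch",
]

if __name__ == "__main__":
    for callee, args in recover_call_args(SAMPLE_LISTING):
        print("%-8s %s" % (callee, ", ".join(str(a) for a in args)))
```

<p>Note why the slots are discarded after each call: gcc reuses the same outgoing-argument area, so without that step the stale [esp+4] and [esp+8] from the <strong>_foo</strong> call would be counted as arguments of <strong>_puts</strong>. Without a callee prototype the pass takes the contiguous run of written slots; with one it takes exactly that many, reporting None where nothing was written. Register contents are reported by name, not resolved.</p>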

<p>The new IDA will support <strong>Python</strong> out of the box, thanks to Gergely Erdelyi, who kindly agreed to have the <a href="http://www.d-dome.net/idapython/">Python plugin</a> included in the official distribution. In fact, the main IDA window will have a command line to enter any python (or other language) expressions and immediately get a result in the message window.</p>

<p>We will prepare the detailed list of improvements later this week.</p>]]></description>
         <link>http://hexblog.com/2009/01/ida_v54_release_is_not_that_fa.html</link>
         <guid>http://hexblog.com/2009/01/ida_v54_release_is_not_that_fa.html</guid>
         <category>IDA Pro</category>
         <pubDate>Tue, 20 Jan 2009 01:29:01 +0100</pubDate>
      </item>
            <item>
         <title>IDA and MIPS</title>
         <description><![CDATA[<p>If you analyze MIPS binaries, you may find useful the following addition to IDA:</p>

<p><a href="http://www.binary-art.net/?p=1002">http://www.binary-art.net/?p=1002</a></p>

<p>This is a MIPS emulator for Linux. It can generate an IDC script after emulation, which can then be applied to the database to make it more readable.</p>]]></description>
         <link>http://hexblog.com/2008/11/ida_and_mips.html</link>
         <guid>http://hexblog.com/2008/11/ida_and_mips.html</guid>
         <category>IDA Pro</category>
         <pubDate>Fri, 21 Nov 2008 13:54:43 +0100</pubDate>
      </item>
            <item>
         <title>Bochs plugin goes alpha</title>
         <description><![CDATA[<p><a href="http://bochs.sourceforge.net/"><img valign="top" border="0" src="http://www.hexblog.com/ida_pro/pix/bochs.jpg" alt="Bochs emulator" align="left" style="padding-right:5px"/></a><br />
The Bochs debugger plugin is now in alpha stage; all three loaders mentioned in the <a href="http://hexblog.com/2008/10/bochs_emulator_and_ida.html#more">previous blog entry</a> are complete.</p>]]></description>
         <link>http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html</link>
         <guid>http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html</guid>
         <category>IDA Pro</category>
         <pubDate>Fri, 07 Nov 2008 12:51:41 +0100</pubDate>
      </item>
            <item>
         <title>From simple to complex</title>
         <description><![CDATA[Last week Elias ran a sample malware in the <a href="http://hexblog.com/2008/10/bochs_emulator_and_ida.html">Bochs emulator</a> and I was curious to see what exactly it does.

So I took the unpacked version of the malware and fed it into the decompiler. It turned out to be a pretty short downloader (different AV vendors give it different names: <em>Lighty</em>
after the compression method, or <em>FraudLoad</em>, or <em>FakeAlert</em>, etc). Such simple code is very easy to decompile. I renamed some functions and added some
comments to it. The final text looks like this:
]]></description>
         <link>http://hexblog.com/2008/10/from_simple_to_complex.html</link>
         <guid>http://hexblog.com/2008/10/from_simple_to_complex.html</guid>
         <category>Decompilation</category>
         <pubDate>Fri, 10 Oct 2008 18:22:30 +0100</pubDate>
      </item>
            <item>
         <title>Bochs Emulator and IDA?</title>
         <description><![CDATA[<p><a href="http://bochs.sourceforge.net/"><img valign="top" border="0" src="http://www.hexblog.com/ida_pro/pix/bochs.jpg" alt="Bochs emulator" align="left" style="padding-right:5px"/></a><br />
The next version of IDA will be released with a bochs debugger plugin, and what is nice about it is that you will be able to use it easily by just downloading the bochs executables and telling IDA where to find them.</p>]]></description>
         <link>http://hexblog.com/2008/10/bochs_emulator_and_ida.html</link>
         <guid>http://hexblog.com/2008/10/bochs_emulator_and_ida.html</guid>
         <category>IDA Pro</category>
         <pubDate>Fri, 03 Oct 2008 00:11:14 +0100</pubDate>
      </item>
            <item>
         <title>BITS used as a covert channel</title>
         <description><![CDATA[<div style=" background-image: url(/decompilation/pix/redcables.jpg);background-repeat: no-repeat">
The idea to use BITS to download files from the internet is not new. If you check the corresponding page on Wikipedia, you will find that

<p><a href="http://en.wikipedia.org/wiki/Background_Intelligent_Transfer_Service">Background Intelligent Transfer Service (BITS) is a component of modern Microsoft Windows operating systems that facilitates prioritized, throttled, and asynchronous transfer of files between machines using idle network bandwidth.</a></p>

<p>The web page ends with a list of third-party applications that use BITS. However, like any technical method, it can be used for evil purposes as well. Eric Landuyt analyzed a malware sample that uses it for exactly that:</p>

<p><a href="http://www.datarescue.com/laboratory/trojan2008/index.html">http://www.datarescue.com/laboratory/trojan2008/index.html</a></p>

<p>I liked the "proof of concept" WinDbg script that runs the malware in a controlled manner. Breakpoints with actions are very powerful, indeed.</p>

<p>Nice work, Eric! <img src="/decompilation/pix/thumbsup.gif" /></p>
</div>]]></description>
         <link>http://hexblog.com/2008/09/bits_used_as_a_covert_channel.html</link>
         <guid>http://hexblog.com/2008/09/bits_used_as_a_covert_channel.html</guid>
         <category>Decompilation</category>
         <pubDate>Thu, 25 Sep 2008 23:12:18 +0100</pubDate>
      </item>
            <item>
         <title>The IDA Pro book</title>
         <description><![CDATA[<center>
<a href="http://nostarch.com/idapro.htm">
<img src="http://www.hexblog.com/ida_pro/pix/idabook.jpg">
</a>
</center>
<p>
This is not the first book about IDA Pro. However, this is the first
book I recommend to anyone using IDA Pro because of the following points:
<ul>
<li><b>Comprehensive</b>: it describes all major IDA features
by starting at the beginning and going all the way to the end.
Experienced users may be tempted to skip the first few chapters; resist this
temptation and you will discover something new (I did :)

<li><b>Accurate</b>: it is very difficult to be detailed and precise when describing
such a complex product. Chris does it excellently well.

<li><b>Real</b>: handles real world malware, packers, and obfuscated code

<li><b>No fillers</b>: it is direct and concise

<li><b>Profound</b>: this is not just a collection of recipes or tricks, but will give
you a better understanding of the IDA architecture, thus saving you
from unnecessary frustration. Knowing the limitations of your tool is just as
important as knowing its capabilities.


</ul>
It comes with tons of code snippets, scripts, and sample modules. Programming for IDA Pro is covered
too: from simple plugins to processor modules.
<p>
If you want to use IDA efficiently, get your copy from <a href="http://nostarch.com/idapro.htm">No Starch Press</a>!
<p>
<small>
UPD for numerologists: the book has exactly 640 pages, no less, no more!
</small>]]></description>
         <link>http://hexblog.com/2008/08/the_ida_pro_book_1.html</link>
         <guid>http://hexblog.com/2008/08/the_ida_pro_book_1.html</guid>
         <category>IDA Pro</category>
         <pubDate>Tue, 26 Aug 2008 18:53:07 +0100</pubDate>
      </item>
      
   </channel>
</rss>
