Uncategorized

RET-Sync: multi-debugger tool for IDA Dissassembler

ret-sync stands for Reverse-Engineering Tools synchronization. It’s a set of plugins that help to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA disassembler. The underlying idea is simple: take the best from both worlds (static and dynamic analysis).

From debuggers and dynamic analysis we got:

    local view, with live dynamic context (registers, memory, etc.)
    built-in specialized features/API (ex: Windbg’s !peb, !drvobj, !address, etc.)

From IDA and static analysis we got:

    macro view over modules
    code analysis, signatures, types, etc.
    fancy graph view
    persistent storage of knowledge within IDBs

Keys features:

    Pass data (comment, command output) from debugger to disassembler (IDA)
    Multiple IDBs can be synced at the same time allowing to easily trace through multiple modules
    No need to deal with ALSR, addresses are rebased on-the-fly
    IDBs and debugger can be on different hosts

ret-sync is a fork of qb-sync that I developed and maintained during my stay at Quarkslab.

https://github.com/bootleg/ret-sync
https://github.com/quarkslab/qb-sync

Standard
Uncategorized

IDA 6.9 released

https://www.hex-rays.com/products/decompiler/news.shtml#151221
https://www.hex-rays.com/products/ida/6.9/index.shtml

It has AArch64 support!

There’s another comment on Twitter from The Rootless Monster, wondering about UEFI TE support in the latest release, unclear if TE support has changed in 6.9:

 

Standard
Uncategorized

Hex Rays contest results

We’ve had 7 contestants this year! All plugins were interesting, but we had to choose three. Here’s the final ranking:

*  First prize (1900 USD): Yaniv Balmas, Dynamic IDA Enrichment (DIE) framework
 * Second prize (950 USD): Steven H. H. Ding, Kam1n0
 * Third prize (450 USD): Alexander Matrosov, Eugene Rodionov, Rodrigo Branco & Gabriel Barbosa, HexRaysCodeXplorer

https://hex-rays.com/contests/2015/index.shtml

Note that one of the winners is from firmware security researchers! Congratulations!

https://hex-rays.com/contests/2015/codexplorer/CodeXplorer-Plugin_Contest_2015.zip

https://github.com/REhints/HexRaysCodeXplorer

Standard
Uncategorized

More IDA plugins for UEFI

The other day I posted a pointer to a new list of IDA plugins:

https://firmwaresecurity.com/2015/09/18/new-list-of-ida-plugins/

Here are a few more IDA plugins for UEFI, the new list only mentions Danse-Macbre’s IDA-EFItools project:

https://github.com/danse-macabre/ida-efitools

http://ho.ax/posts/2012/09/ida-pro-scripts-for-efi-reversing/
https://github.com/snare/ida-efiutils/

https://github.com/gdbinit/TELoader

http://www.hexblog.com/?p=116

http://bioshacking.blogspot.com/2012/06/ida-pro-support-for-efi-byte-code-ebc.html

Also see chapter 4 and 22 (at least) of this new book:
https://www.nostarch.com/rootkits

Does anyone know of any others? If so, please leave a Comment (see left) or send email (see upper right). Thanks.

Standard
Uncategorized

new list of IDA Plugins

There’s a new list of IDA Pro plugins:

Of the dozens on the list, besides the classics, I found a handful of interesting ones I’d never heard of, including these 3 ROM/firmware-related ones:

* Bootroom Analysis Library: IBAL is the IDA Pro Bootrom Analysis Library, which contains a number of useful functions for analyzing embedded ROMs.
* EFI Scripts: Some IDA scripts and tools to assist with reverse engineering EFI executables.
* Sega Genesis/Megadrive Tools: Special IDA Pro tools for the Sega Genesis/Megadrive romhackers. Tested work on v5.2, v6.6. Should work on other versions.

I’ve mentioned a few (3?) UEFI-centric IDA plugins in earlier blog posts, plugins I didn’t see on this list. I guess I need to track them down and help with this list.

https://github.com/onethawt/idaplugins-list/blob/master/README.md
https://github.com/onethawt/idaplugins-list/

Standard
Uncategorized

tool: TELoader, TE image loader for IDA

The EFI Monster (@osxreverser)  has just released a UEFI TE (Terse Executable) image loader for IDA. See the readme for a pointer to the 44con talk’s PDF, as well as the source:

https://github.com/gdbinit/TELoader

 

Standard
Uncategorized

Immunity: free Infiltrate tickets for improving BinNavi

Dave Aitel of Immunity has announced free tickets to Infiltrate for people who can improve the recently-opensourced BinNavi project:

INFILTRATE Contests: BINNAVI
Every year, from HackCup to various coding challenges, we like to think of unique ways you can join us at THE BEST SECURITY CONFERENCE here in Miami next April 7th and 8th. We are starting this year with two new contests now that BinNavi is Open Sourced: 1) If you and your friends add Capstone (or another disassembler/analyzer) to BinNavi, to remove the IDA requirement, then we will send you three free tickets to INFILTRATE 2016! 2) If you and your friends integrate a decompiler with BinNavi, then we will also send you three free tickets to INFILTRATE 2016! If you do both, you get six free tickets to INFILTRATE.

Details:
https://lists.immunityinc.com/pipermail/dailydave/2015-August/000987.html

Standard