Recently in Tools watch Category

IDA represents stack frame as a structure. So you need to convert frame offset to structure offset and call SetMemberName.

The following code snapshot demonstrates that.
# find next "mov xxx, eax" instruction
def get_next_eax_store(ea):
	temp_ea = ea
	max_steps = 10
	for step in range(0, max_steps):
		temp_ea = idc.NextHead(temp_ea) # get next instruction
		idaapi.decode_insn(temp_ea)     #decode it
		if idaapi.cmd.itype == idaapi.NN_mov and idaapi.cmd.Op2.type == idaapi.o_reg:
			return idaapi.cmd, temp_ea
			break
	return 0, temp_ea
...
cmd, addr = get_next_eax_store(ea)
if cmd != 0 and cmd.Op1.type == idaapi.o_phrase: # take only "mov [ebp-xxx],eax" instructions
	sid = idc.GetFrame(ea)
	if sid != None:
		offset = idc.GetFrameLvarSize(ea) - (~(int(cmd.Op1.addr) - 1) & 0xFFFFFFFF)
		idc.SetMemberName(sid, offset, "NewLocalName")

The salt is
offset = GetFrameLvarSize(ea) - (~(int(cmd.Op1.addr) - 1) & 0xFFFFFFFF)
The cmd.Op1.addr (from command "mov [ebp-0x14]") contains -0x14, or 0xFFFFFFEC. Minus 1, then invert converts complement code to true form, & 0xFFFFFFFF is python trick to get valid positive number. So it produces 0x14 for initial value -0x14. Then subtract it from size of local vars, and get a structure offset which can be use as SetMemberName argument.

Случайно наткнулся на утилиту SnD Reverser Tool. В частности, позволяет просканировать PE на константы криптоалгоритмов.

Сигнатуры MFC v8 для ARM: mfc8_arm.sig

Привет, реверсеры. Вышла IDA 6.0: http://www.hex-rays.com/idapro/idadown.htm

А консалтерам на заметку - еще вышел OSSEC 2.5: http://www.ossec.net/main/ossec-v25-released

Utility for entropy calculation of 32-bit executable and binary files is released. It can be useful for express searching of a file blocks with a high entropy - encrypted chunks, encryption keys, etc. Utility can be built as a IDA plugin and as a standalone program.
It allows to calculate entropy of a sections of the file by utility launch, calculate entropy of any block of the file, build entropy map of a specified section.

ida-ent-gen.PNG

Double-click on the row in ListView copies Address and Length to appropriate fields on the form. Calculate button shows entropy for a data block from StartAddress to StartAddress + Length. Draw button allows to build entropy map of the data block. ChunksSize specifies a length of chunks used for entropy calculation in this mode. And StepSize field is used as a indent between current and next chunks. Double-click on the map in IDA plugin mode allows to go to the specified location in IDA listing.

ida-ent-graph.PNG

Deep Analyze button performs a lot of calculations from StartAddress to StartAddress + Length with a varying block size from 1 to ChunkSize and with StepSize indent. If calculated entropy value is greater than MaxEntropy for the chunk, it will be added to result report. Double-click on the row in IDA plugin mode allows to go to the specified location in IDA listing.

ida-ent-table.PNG

Launch feature in IDA plugin mode is IDA listing selection check. I.e. utility fills StartAddress, Length and pushes to Calculate button. To start utility as IDA plugin simply copy in to ./IDA/plugins/ and press F11 (default hotkey) or choose Edit -> Plugins ->Entropy plugin.

In standalone mode utility shows GetOpenFileName dialog when started without command-line parameters. Command line format is "ida-ent.exe [-sw] filename", where switches are one of the following: --binary (-b), --pe (-p), --elf (-e). By default utility tries to determine file format (PE, ELF) by checking signature.

UPD: Overlay (non-empty data block in the rest of file) detection was added in standalone mode for PE (checked) and ELF (not checked). Problem with a window focus in plugin mode was fixed. Also utility was released under GNU GPL.

Sources (for MS Visual C++ 2008 EE) and precompiled standalone utility, IDA Pro 5.5 plugin, IDA Free 4.9 plugin are available in the archive.

PTF от vulnerabilityassessment.co.uk обновился до версии 0.57. На данный момент это единственный адекватный фреймворк, описывающий техническую часть проведения теста на проникновение. Аналогичный фреймворк есть от организации Open Information Systems Security Groups - ISSAF, но у них сайт на PHP, значит ничего хорошего ждать от них не приходится :)
ИдаПро 5.5 + ХексРейс 1.1 утекли, правда без SDK :(.

Линк на форуме: http://reng.ru/board/viewtopic.php?f=4&t=2638 (ссылки скоро сдохнут)
Чейнджлог: http://www.hex-rays.com/idapro/55/index.htm

About this Archive

This page is an archive of recent entries in the Tools watch category.

Thoughts is the previous category.

Find recent content on the main index or look in the archives to find all content.