Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - Administrator

Pages: [1]
IDA Pro / Re: IDA Class Informer
« on: June 01, 2017, 11:27:52 PM »
Mentioned in Chris Eagle's popular IDA Pro book:

qwerty9384 made a tutorial game hacking tutorial using Class Informer:

In this thread, someone has made a IDA 6.8 version and more (use at your own risk):

IDA Pro / StringMiner
« on: May 10, 2016, 11:01:39 PM »
Work in progress..

IDA Pro / Signature Matching Plugins
« on: May 09, 2015, 11:18:41 PM »
IDA Signsrch
IDA Pro plug-in conversion of Luigi Auriemma's signsrch signature matching


Example search output:

Update May 2015:
1) Added a 64bit version.
2) Updated to IDA SDK 6.8 version.

> Sourceforge IDA Signsrch <

IDA Pro / IDA ExtraPass PlugIn
« on: May 09, 2015, 02:35:36 PM »
DA ExtraPass plugin
An IDA Pro Win32 target clean up plug-in by Sirmabus.
Version 3.4

It does essentially four cleaning/fixing steps:
1. Convert stray code section values to "unknown".
2. Fix missing "align" blocks.
3. Fix missing code bytes.
4. Locate and fix missing/undefined functions.

It's intended for, and only tested on typical MSVC and Intel complied Windows 32bit binary executables
but it might still be helpful on Delphi/Borland and other complied targets.


Update [May 2017]:
Added 64bit version. Improved find/fix alignment pass.

Update [May 2015]:
Updated to IDA SDK 6.7

>> Sourceforge: ExtraPass plugin

IDA Pro / Informational comment plug-ins
« on: May 08, 2015, 11:20:22 PM »
I've updated my what I call "informational comment plug-ins".
They are three plugins meant to be applied together in sequence.
I usually run these after I run my "Extra Pass" (cleaner fixer) and "Class Informer" (if the target has C++ Run Time Type Info).

>> Sourceforge: Function String Associate
>> Sourceforge: Mark Reference Counts
>> Sourceforge: WhatAPIs

It's easier to express what they do in "before and after" images.

Here (the "before") you have a fairly common IDA Pro 32bit function example:

Pretty cool that IDA was able to derive the function arguments, but other then that
it probably won't look that significant to you.

Then looking at at a reference it looks even less significant out of the typical thousands of auto-named functions:

Now the three plug-ins ran in sequence:
1) Function String associate
2) Mark reference counts
3) WhatAPIs
(If you don't run them in this way the comment order will be messed up)

Now at a glance you see there is extra information about this function's contents:

Here's the break down:
First you see a '5'. This tells you there are 5 references to this function.
The count can give you some hints about the relevance of a function and some idea of it's hierarchy.
If it were just '1' count then you'ed know it's a child of your function; then say if it had 1000 references you could assume
that it might be some kind of common library function.
IDA function reference count to comment plug-in Blog Post

Then you see the tag "STR:" which indicates that what follows are strings found in function.
In this case there is a string contained in it "DEBUG WINDOW". We can use this as a hint as to what the function might
might be about (literally a "debug window").

Then finally you see the tag "<API*>".  This lists API functions (from the import table) that this function is using.
More hints.

From the string above and the fact we see windows UI creation functions, eureka! This function is probably
in fact one that creates a "debug window".   Not even looking at the function we can just glean this from these comments alone..

Then look at a reference (one of the five) to this very same function:

All that information is visible even as a reference!

The reference count comments are also placed for data items.
So now as you are looking through functions and see their data references, and, or, directly at variables in a data segment
you can get some idea of their significance.
If you see some constant or dynamic data element with only one or two references you can infer (a hint) that it's probably not
that significant.  But then on the other hand you see what looks to be a pointer value with 10,000 references then you can make
some assumptions that it's an important data item.

After while this extra info will feel natural, useful, and intuitive.
To me it's a world of difference. If I look at a plain IDB now with out this I feel sort of blind.

[The future]
Hopefully you will find these information comments useful.  However it does have some problems and is not the ideal setup.
For one thing it might be harder to pick out your own comments with these placed.
Then if you accidentally overwrite a comment set with your own you'll loose them. You can't just run the plugins again to replace them (it will cause a mess).

If you use BinDiff or the open source Diaphora to port over your comments from one IDB to the next then that can make a mess of these comments too.
And what if you want to add your own auto-generated comments?
If nothing else they are handy for a debugging or development feature; similar to how people set the background color for the same purposes.
Too many function and data comments will become visual noise.

What would be ideal here to use a custom view!
Then these comments could show up more natively like IDA's own on the fly cross reference (light green colored) comments.
With this type of setup this data can be globally switched on and off, the text could be custom colored, users could add there own per function and data item text (through another plug-in or via Python bindings, etc.) and can optionally be persistently stored inside the IDB.
This view will look pretty much the same as the IDA "Disassembly" view your already familiar with, it'll just show extra information above the function header, below any exiting comment(s).
Finally the data could be ported over from one IDB to another by using names or better, be added to the port tool functionality it's self.

[May 2015] Updated to IDA 6.7 and now there are 64bit versions as well.
Downloads and Source:
>> Sourceforge: Function String Associate
>> Sourceforge: Mark Reference Counts
>> Sourceforge: WhatAPIs

IDA Pro / Re: IDA2PAT Reloaded doesn't seem to log all signatures.
« on: May 03, 2015, 12:27:19 AM »
From a question PM'ed to me on

Originally Posted by BackDoorMan
Hello sir

I've just downloaded your IDA plugin for generating .pat files however it doesn't export sigs for all of the functions.
What could be the problem?


== IDA2PAT-Reloaded plug-in: v: 1.1 - Mar 28 2011, By Sirmabus ==

Support forum:

Functions to process: 14835

Working, <Press Pause/Break key to abort>...

Patterns created: 79

Process time: 11.41 seconds.


As you can see 79 patterns of 14835 functions.

I also used idb2pat python script which exports fine but it doesn't seem to mask pointers... ipso facto generated .sig file doesn't match all the functions.

IDA2PAT reloaded signature:

IDB2PAT.PY signature:

Thanks in advance!
Best regards.

Re: IDA2PAT Reloaded doesn't seem to log all signatures.

I'll add that to the list of the one I need to update and make a 64bit version of.
I've updated most locally and should have them up on my website soon.
Reminds me too there is an update to FLAIR that should add a little more integrity to sigs now that I could look into.

First one issue:
I made my version to only save user named functions.
To reject all the default ones like "sub_402230", etc.
The original tool tried to use flags to determine if functions were "auto-generated" or not but those flags are unreliable so I use a string filter.
Could be something messing up there.

The whole pattern matching thing is a loaded issue.
First of all IDA's FLAIR system is pretty ambiguous. That's why you'll see IDA placing bad signatures for it's run time set, etc.

I've done research in the area and made my own simple signature tool still in progress I haven't released.
The biggest problem with FLAIR and in general similar simple signature matching is they don't consider things like uniqueness, commonality, etc.

Imagine you are interested in a "std::string" constructor function. The problem is even though you name one of them there could be many of the same exact function.
To make matters worse it could be a small function with very little details (like immediate values, etc.) to discern it form any other number of similar functions.

Then sure your named one should end up in your .PAT file (from a IDA2PAT tool), but will fail in sigmake.exe if there is a conflict (because two or more have the same signature, etc).
If your resolve the conflict (by editing the result file) and the signature makes it to your .SIG file imagine now applying it to a new/updated target.
It's going to apply the name to the first match it finds. It's probably not going to be the one you wanted it to match too.
On top of that it will match a bunch more (all with serialized names).

See the problem?
FAIR is pretty dumb to the whole scene. It doesn't know about the degree of significance, about similarity, relative positions, etc.

Then another issue is knowing properly how to mask out the non-exclusive features in the PAT generation.
So when you have things like "mov dword_1B4B52C,eax" the tool should keep most of the details, maybe only masking out the "dword_1B4B52C" part and keeping the rest.
The address won't (probably not anyhow) translate over when applied as a signature so it needs to get masked.
But actually when you think about it, it is a significant detail. If nothing else there is a relative position hint in it somewhere.
Just that AFAIK no existing tool stores any meaningful context of it.

What is needed is a new type of tool that considers the whole picture.
And some things will just have to go. For functions that can't be tracked reliably it will say so and reject them, etc.

I'll update my variation to a newer IDA SDK as that might help.
But I think any more time spent on FLAIR (a broken system from my perspective) would be kind of a waste.

IDA Pro / Dump arguments scrip
« on: January 02, 2015, 03:24:00 PM »
Here is the Python version of a script I first did in IDC some years ago that I use a lot.
I use it to dump function arguments out; most useful for ones that have strings.

The typical case is when you find some sort of dump/log/assert functions that have many interesting strings.
If you see something of interest you click on the address to jump to the function for examination.

Example with this Lua script loader function (I labeled "LoadLuaScripFile_Func00") I can now see where these scripts are being loaded and some of their names/labels:

To use it:
1) Go to the function of interest and click on the name or inside of it so it's selected.
2) Run the script
3) It will ask you for an argument count (three in the example above).
4) It will dump out references to the output window (where you can click on the address to jump)

>Download ShowFuncArgs_IDA_Script.rar <

General Discussion / Bombarded by spam..
« on: January 01, 2015, 11:50:27 PM »
Not so surprising, my little forum here gets bombarded with spammer bot accounts despite using Google reCAPTCHA, etc.
Getting a half a dozen or so spam accounts every day.

Until I get better anti-spam measures had to set admin account approval for now..

Update: Apologies to those that tried to register in the last month or so.
Forgot to check and out of all that needed approval most were bots anyhow.

Macromonkey Script System / Download latest version
« on: December 31, 2014, 07:02:19 AM »
Version 2.2

As I'm putting my site back up would like to update it to the latest LuaJit and more, but for now the latest version here: > MacroMonkey 2.2 <

Macromonkey Script System / Introduction
« on: December 30, 2014, 11:17:03 PM »

MacroMonkey™ is a free, feature packed macro/botting scripting system for Windows. Intended to be a friendly scripting environment to make MMO macros and bots from the simple to the complex.
Aimed mostly towards MMO games, but can be used to automate almost any windows program.

You can send simulated key presses, mouse moves and clicks, read screen pixels, interact with windows and processes at a low level, talk between other MacroMonkey instances, and much more.

Uses the powerful, fast, lightweight, and easy to learn Lua scripting language, with addition of many extensions for automation needs.
In development for several years, coded in optimized C/C++. Built for high performance and low resource use to run well on anything from a Pentium III to the latest Windows machines.

Extensions include:
  • Direct Window and process, access and manipulation.
  • Timer support.
  • Simulated mouse and keyboard inputs.
  • Screen pixel and color space support.
  • Unique scriptable GUI system.
  • Custom network library for transmitting data between multiple instances over LAN, or Internet.
  • Support for communication with external processes.
  • Windows registry, "INI" and XML file support.
  • Audio support.
  • Text to speech system.

Getting started

The best way to start and see if MacroMonkey is the tool for you, is to try some of the examples in the "examples" directory.

A good visual example, the GUI (Graphical User Interface) sample:

Another visual example, a simple TUI (Text User Interface):

Server and client network communication example:
1) Open a server connection.
Examples\Network\Network Server.mms

2) Open one or more client connections.
Examples\Network\Network Client.mms

3) Press a key in any of the consoles to send a packet, and get one back.

Try the IPC (Inter-Process Communication) system:
Examples\IPC Test.mms
Creates an instance of Examples\Data\TestProcess.exe with DLL Examples\Data\TestInject.DLL injected.
1) Press '1' or '2' in the console window to send an IPC message to the process.
2) Press '1' or '2' in the process window to send an IPC message event to the script (console window).

And try the many more examples/samples/tests in the "examples" directory..
There are samples for most of not all of MM's libraries.


MacroMonkey uses the powerful, fast, lightweight, and easy to learn Lua scripting language.
Lua version: 5.1.4 as of September 2009.
See: About Lua
Wikipedia, Lua programming language
Learning Lua

Lua is a tried and true language used by many for industrial applications, video game logic, configuration, etc.
It's first release was fifteen years ago. Since then it has been banged on (tested) a lot and lot of bright minds have worked on it.

If you used any other programming language then Lua will probably come easy to you.
Sirmabus: I found it similar in syntax to the C language. And it's easy for me to switch between C/C++ and Lua.

Lua example:
Code: [Select]
-- Classic hello world
print("Hello World!")

Lua allows you to create your own object oriented language features through the use of meta-mechanisms instead of implementing these features directly in the language.
It's very flexible and allows you to create your own "class"/object concepts with inheritance, encapsulation, etc.
See: Object-oriented programming (OOP) and Lua Metatables - Classes.

Building C/C++ extensions/libraries is easy. Just include a single header and library file from the MM SDK folder.
And use the Lua C API (see "The Application Program Interface") or one of the many binding setups like "Binding Code To Lua" et al.

To communicate to a service DLL (a remote/injected DLL that provides "services") the MM IPC facility can be used. This way communication is done via raw data (with the help of the MM Pack library). No need to create a go-between extension DLL, nor even learn the Lua C API.


MM has the base Lua Standard library (with some improvements), in addition it has many libraries to facilitate automation use and added script utility.
MM with simplicity in mind, uses Lua tables, metatables, and metamethods to make it's libraries more object oriented and modular.


bit   Bitwise operators
console   MM console support.
win   Windows lib.
color   Color space support.
audio   Audio lib.
time   Time lib.
process   Processes support.
input   User Input, both actual and simulated.
ini   INI file support.
registry   Windows registry support.
hash   Data hash and checksum (MD5, etc.) lib.
lxp   LuaExpat XML lib.
xml   LuaXml XML file lib.
vector2, vector3   Vector math.
speech   Text to speech engine.
server, client, ClientConnection   Lan/Wan network communication system.
ipc   IPC (Inter-Process Communication) system.
gui   GUI lib.
gui.Window, gui.Menu, gui.TabControl, ...    GUI window system and controls.

Library gui example:

Code: [Select]
-- Show a simple GUI message box with "Yes", "No", and "Cancel" buttons.
gui.MessageBox("Test", "This is a message box", gui.MB_YESNOCANCEL)

IDA Pro / IDA Class Informer
« on: December 30, 2014, 02:58:41 PM »
An IDA Pro MSVC object RTTI vftable finder, fixer, and lister plug-in.
Lists found RTTI structures and C++ classes.

RTTI ("Run-time type information"): Wikipedia RTTI

Based off article and IDC scripts by Igor Skochinsky:
Recon 2012: Compiler Internals

> Sourceforge ClassInformer <


Example list output:

Sample RTTI vftables commented by plugin:

[May 2017]: Version 2.4
Will now scan all "DATA" type segments. Before would only scan the first ".rdata" and ".data" named segments.
Added a "segment select" to allow manually selecting the segments to scan.

[Jan 2016]: Version 2.2
Updated to IDA SDK 6.9 and now using MSVC 2015.

[May 2015]: Version 2.0, major update.
Added a fully functional 64bit version.
Different, more accurate scanning method.
Fancy "material design" inspired user interface.
Updated to IDA SDK 6.7

To build requires a minimal Qt 5.4.1 SDK install.
See: Qt 4.8.4 on Windows for IDA Pro C/C++ plug-in development – Part 1 of 3
Also requires my: IDA Support Library

> Sourceforge ClassInformer <

IDA Pro / My plugins update
« on: December 30, 2014, 11:49:07 AM »
Now that my site is back up I'm  in the process of updating my many plugins to at least IDA SDK version 6.5 since the non-Qt version is gone for good
and my UI customizations are broke, etc.
Hopefully I'll find a nice way using the latest Qt stuff to properly do my custom segment selector, etc., sans Windows API hacks.

In the process of updating to a new IDA SDK and making 64bit versions.

The latest versions of my public plugins for now:
IDA Signsrch
IDA2PAT Reloaded

To avoid conflicts I no longer compile my plug-ins with default hot keys.
You'll have to either edit your "plugins.cfg" and add them there or invoke from IDA's "Edit-Plugins" menu.

Also I'm usually compiling these with the latest IDA SDK (version 6.7, and about to update to 6.8 as of this writing).
For those using 6.6 or what ever you'll have to fix the differences and recompile with what ever SDK you have.
See pages to compare API updates.

General Discussion / Welcome to my new fourum
« on: December 17, 2014, 04:00:14 PM »
I don't currently plan on bringing back the old forum as I want to start fresh and it would frankly be a lot of
work since while I saved my SQL DB I didn't do ab "export" that would have made it much easier.

Still a bit under construction, figuring/deciding on a new layout, etc.

Pages: [1]