Difference between revisions of "IDA Pro"

From YobiWiki
Jump to navigation Jump to search
Line 16: Line 16:
 
ln -s libelf.so.0.8.13 libelf.so
  
ln -s libelf.so.0.8.13 libelf.so
 
popd
  
popd
mkdir pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin
 +
mkdir pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin65
cd pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin
 +
cd pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin65
 
wget https://www.hex-rays.com/products/ida/support/freefiles/idapin65.zip
  
wget https://www.hex-rays.com/products/ida/support/freefiles/idapin65.zip
 
7z x idapin65.zip
  
7z x idapin65.zip
 
make TARGET=ia32e
  
make TARGET=ia32e
 
make TARGET=ia32
  
make TARGET=ia32
  +
 
==Usage==
  
==Usage==
 
In IDA select "PIN Tracer" and configure it.
  
In IDA select "PIN Tracer" and configure it.

Revision as of 17:52, 5 June 2014

Intro

IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.

  • Official page
  • Windows, Linux, Mac OS X
  • x86-32, x86-64, ARM and many others
  • ELF, Java bytecode, Dalvik, ARM,...
  • disassembler, some debugger

PIN Tracer

Install

Adapted from https://www.hex-rays.com/products/ida/support/tutorials/pin/pin_tutorial.pdf 

apt-get install gcc-multilib g++-multilib
pushd pin-2.13-61206-gcc.4.4.7-linux/ia32/runtime
ln -s libelf.so.0.8.13 libelf.so
popd
pushd pin-2.13-61206-gcc.4.4.7-linux/intel64/runtime
ln -s libelf.so.0.8.13 libelf.so
popd
mkdir pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin65
cd pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin65
wget https://www.hex-rays.com/products/ida/support/freefiles/idapin65.zip
7z x idapin65.zip
make TARGET=ia32e
make TARGET=ia32

Usage

In IDA select "PIN Tracer" and configure it.

  • Path to PIN: pin-2.13-61206-gcc.4.4.7-linux/pin
  • Path to tool: pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin/

See PIN tutorial

Python

Install

Based on idapython (shipped with IDA Pro)
Some require PySide as well
To install it on Linux for IDA Pro, see Hexblog, but let's install it locally in idapython instead of /
Download PySide 2011/12/30 for IDAPython 1.5+, Python 2.7 (2.6) and Qt 4.8.4 (IDA 6.5), Linux version 

tar xvfz os_package_pyside_python27_package.tgz -C /path/to/ida

Patching

IDA Pro can natively patch code/data in its DB but not the original file, but you can do:

See also plugins Fentanyl and idapatcher here below

Extensions

ida-patcher

  • View->Open subviews->Patches

Fentanyl

Easy patching!
See also here 

File > Script file > Fentanyl/main.py

Alt-N      Convert instructions to nops
Alt-X      Nop all xrefs to this function
Alt-J      Invert conditional jump
Alt-P      Patch instruction
Alt-Z      Undo modification (Won't always work. Should still be careful editing.)
Alt-Y      Redo modification (Won't always work. Should still be careful editing.)
Alt-S      Save file
Alt-C      Find Code Caves
Ctrl-Alt-F Make jump unconditional
Ctrl-Alt-N Neuter the binary (remove calls to fork, setuid, setgid, getpwnam, set groups, and chdir)

Hex-Rays

The most expensivepowerful IDA Pro plugin is the Hex-Rays decompiler

  • x86 and ARM
  • decompiler

Limitations specific to ARM:

  • floating point instructions are not supported
  • VFP/SIMD/Neon/... instructions are not supported
  • functions having an argument that is passed partially on registers and partially on the stack are not supported (e.g. int64 passed in R3 and on the stack)

Addons

ida-decompiler

Decompile small functions in IDA

arm-thumb-decompiler

Mainly for Thumb right now

IDA Pro ARM debugger

Support ARM code debugging via JTAG or software emulators

Garts: Get all referenced text strings

aka A Better String Viewer 

File > Script file > garts.py

To sort

Retrieved from "https://wiki.yobi.be/index.php?title=IDA_Pro&oldid=8948"