From Collaborative RCE Tool Library


Tool Extensions


Tool name: Class Informer
Rating: 5.0 (1 vote)
Author: Sirmabus                        
Website: http://www.macromonkey.com/bb/viewforum.php?f=65
Current version: 1.02
Last updated: March 28, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: Scans an MSVC 32-bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them easier to read as an aid to reverse engineering.
Creates a list window with found vftables for browsing.

RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI

RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx
------------------------------------------------------------

See also screenshot example of vftable info set by plug-in below.
Also listed in: COM Tools, IDA Extensions



Tool name: Firebug
Rating: 5.0 (1 vote)
Author: Joe Hewitt                        
Website: http://getfirebug.com
Current version: 1.11.2
Last updated: February 23, 2013
Direct D/L link: http://addons.mozilla.org/firefox/downloads/latest/1843
License type: BSD / Open Source (JavaScript)
Description: Firebug integrates with Firefox, to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

Probably the most advanced web/JavaScript debugger in existence.
Also listed in: Firefox Extensions, Javascript Debuggers, Web Application Tools



Tool name: IDA Process Dumper
Rating: 5.0 (1 vote)
Author: thE Cur!ouZ                        
Website: N/A
Current version: 1.0
Last updated: July 9, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: IDA Process Dumper

Plugin to make a dump of the running process under IDA debugger.
Also listed in: IDA Extensions



Tool name: IDA Stealth
Rating: 5.0 (1 vote)
Author: Jan Newger                        
Website: http://newgre.net/idastealth
Current version: 1.3.3
Last updated: June 28, 2011
Direct D/L link: http://newgre.net/idastealth
License type: Free / Open Source
Description: IDAStealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll is actually responsible for implementing most of the stealth techniques either by hooking syscalls or by patching some flags in the remote process.
Also listed in: IDA Extensions, Tool Hiding Tools



Tool name: ImpREC Plugin Pack
Rating: 5.0 (1 vote)
Author: Multiple authors                        
Website: N/A
Current version: 080222
Last updated: February 22, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source (partly)
Description: A pack containing a big bunch of plugins for ImpREC.

It also contains source code for many of these plugins, for most common programming languages/compilers (VC++/Delphi/MASM/TASM). This source code is of course good for use as template code for new plugins.

It contains the following plugins WITH source:

ASProtect 1.2x
eXcalibur 1.x
Morphine 3.3
Perplex 1.01
PESpin 1.3.04
RLPack 0.7
tELock 0.92x
Yoda 1.02


It contains the following plugins WITHOUT source:

ACProtect #1.dll
ACProtect #2.dll
ACProtect #3.dll
Alex Protector.dll
Armadillo 2.6.dll
ASProtect 1.22.dll
ASProtect 1.23 rc4.dll
ASProtect 1.2x Emul API #1.dll
ASProtect 1.2x Emul API #2.dll
ASProtect 1.2x.dll
ASProtect 1.3.dll
ASProtect 2.xx.dll
CoolCrypt.dll
Cryptocrack's PE Protector.dll
Excalibur.dll
ExeCryptor.dll
EXEStealth275.dll
Expressor 1.5.x.dll
ExtOverlay.dll
GoatsPEMutilator16.dll
HowTo.txt
Krypton 0.4 - 0.5 #1.dll
Krypton 0.4 - 0.5 #2.dll
Krypton 0.5.dll
Morphine.dll
NTKrnl Protector 0.1.x.dll
Null.dll
Obsidium #1.dll
Obsidium #2.dll
Obsidium #3.dll
Obsidium 1.3.dll
Obsidium 1.3.dll.txt
PE123.dll
PECompact 2.7.x.dll
PELock 1.06 (regged).dll
PELock 1.06 (regged).dll.txt
PELock 1.0x.dll
Perplex101.dll
PESpin.dll
PESpinPlugin.dll
Plugin.txt
PrivateExeProtector 1.8.dll
PrivateExeProtector 1.8.txt
Privilege.dll
Protection Plus 4.x.dll
RLPack 0.7.dll
RLPack 0.7.x.dll
RLPack 0.x.dll
RLPack 1.16.dll
RLPack 1.18.dll
SDProtector 1.12.dll
SVK Protector #1.dll
SVK Protector #2.dll
tELock 0.71.dll
tELock 0.92.dll
tELock 0.98 #1.dll
tELock 0.98 #2.dll
tELock 0.98 #3.dll
tELock 0.98 #4.dll
tELock 0.98 #5.dll
tELock 0.99.dll
tELock 0.9x.dll
TPP.dll
VisualProtect.dll
Yoda Crypter 1.02.dll
Also listed in: ImpREC Extensions



Tool name: RE-SIGS
Rating: 5.0 (1 vote)
Author: dihux                        
Website: N/A
Current version: v0.14
Last updated: August 8, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: from readme.txt:

INFO
RE-SIGS is a signature file for IDA.

RE-SIGS does not support Delphi signatures anymore.
Maybe there will be a pure Delphi version in the future.

Help out with the project if you want :-)


INSTALL
Copy RESIGS*.sig into IDA\sig


ADDED SIGNATURES
MATH LIBS
- MIRACL v43 v54 v72 v85 v45 v510 v474 v542 v544
- BigLib v0.01e by roy
- ECC Bignums
- Borzoilib
- BigNumberQs
- MPI
- Freelip
- GiantInt
- Mixint v0.7
- Bignum library by drizz v1.0 RC2
- Bignum library v1.0 by _ged/TKM!
- Witeg's biglib
- Pegwit v8.7
- Pegwit modified version found in software
- Slavasoft FastCRC Library v1.51
- Slavasoft QuickCrypt Library v2.51
- Slavasoft QuickHash Library v3.02
- libtomcrypt v1.16
- libtommath v0.39
- Cryptohash by drizz all versions up to v1.0 RC4
- FGInt

+ many more


OTHER
- masm32v10lib
- fpuv10lib // from masm32 pack
- datetimev10lib // from masm32 pack
- mfmplayer v?
- minifmod v?
- pnglib v?
- many user identified procedures
- many known hashes/cipher implementations
- textscroller v? lib // requested
- rceapi // precompiled

+ many more


COUNT
6522 identified functions


OTHER INFO
Requests, incorrectly named functions, false hits, contributions,
tips etc. go to me on IRC EFNet.


HISTORY
v0.14 08.08.2011 PUBLIC
v0.13 10.01.2011 INTERNAL
v0.12 14.11.2010 INTERNAL
v0.11 05.10.2010 INTERNAL
v0.10 02.07.2010 INTERNAL
v0.09 24.06.2010 INTERNAL
v0.08 30.11.2009 INTERNAL
v0.07 24.09.2009 INTERNAL
mr. anon#3 contributed with:
- Pegwit v8.7 // compiled with VC9
- Pegwit modified version found in software
- Slavasoft FastCRC Library v1.51 // precompiled
- Slavasoft QuickCrypt Library v2.51 // precompiled
- Slavasoft QuickHash Library v3.02 // precompiled
- libtomcrypt v1.16 // compiled with vs6 and vs2008
- libtommath v0.39 // compiled with vs6 and vs2008

v0.06 19.09.2009 INTERNAL
mr. anon#2 requested:
- textscroller lib // precompiled

v0.05 06.09.2009 INTERNAL
v0.04 25.08.2009 INTERNAL
v0.03 24.08.2009 INTERNAL
mr. anon#1 requested:
- masm32v10lib // precompiled
- fpuv10lib // precompiled
- datetimev10lib // precompiled
- mfmplayer // precompiled
- minifmod // precompiled
- pnglib // precompiled

v0.02 25.07.2009 INTERNAL
v0.01 09.07.2009 INTERNAL
Also listed in: IDA FLIRT Signatures



Tool name: TurboDiff
Rating: 5.0 (1 vote)
Author: Nicolás Economou                        
Website: http://tinyurl.com/turbodiff
Current version: 1.01
Last updated: October 14, 2009
Direct D/L link: http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=turbodiff&file=turbodiff_v1.0.1.zip
License type: GPLv2
Description: Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.
Also listed in: Executable Diff Tools, IDA Extensions



Tool name: patchdiff2
Rating: 4.5 (2 votes)
Author: Nicolas Pouvesle                        
Website: http://code.google.com/p/patchdiff2/
Current version: 2.0.8
Last updated: June 10, 2010
Direct D/L link: http://patchdiff2.googlecode.com/files/patchdiff2_0_8.zip
License type: GNU General Public License v2
Description: PatchDiff2 is a plugin for the Windows version of the IDA disassembler that can analyze two IDB files and find the differences between them. PatchDiff2 is free and fully integrates with the latest version of IDA (5.6). The plugin can perform the following tasks:

- Display the list of identical functions
- Display the list of matched functions
- Display the list of unmatched functions (with the CRC)
- Display a flow graph for identical and matched functions

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs. Patchdiff2 supports all processors that IDA can handle and is available in two versions: 32-bit and 64-bit.
Also listed in: Diff Tools, Executable Diff Tools, IDA Extensions



Tool name: +HCU .gdbinit
Rating: 4.0 (1 vote)
Author: +HCU                        
Website: http://reverse.put.as
Current version: 7.3
Last updated: April 16, 2010
Direct D/L link: http://reverse.put.as/wp-content/uploads/2010/04/gdbinit73
License type: Free
Description: # Version 7.3 (16/04/2010)
# Support for 64bits targets. Default is 32bits, you should modify the variable or use the 32bits or 64bits to choose the mode.
# I couldn't find another way to recognize the type of binary… Testing the register doesn't work that well.
# TODO: fix objectivec messages and stepo for 64bits

# Version 7.2 (11/10/2009)
# Added the smallregisters function to create 16 and 8 bit versions from the registers EAX, EBX, ECX, EDX
# Revised and fixed all the dumpjump stuff, following Intel manuals. There were some errors (thx to rev who pointed the jle problem).
# Small fix to stepo command (missed a few call types)

NOTE: Save it as .gdbinit
Also listed in: GDB Extensions



Tool name: BinDiff
Rating: 4.0 (1 vote)
Author: zynamics GmbH                        
Website: http://www.zynamics.com/bindiff.html
Current version: 2.1
Last updated: 2009
Direct D/L link: N/A
License type: Commercial (IDA Pro plugin)
Description: A very powerful executable file diffing tool, in the form of an IDA Pro plugin.
Also listed in: Executable Diff Tools, IDA Extensions



Tool name: Fast IDB2Sig and LoadMap IDA plugins
Rating: 4.0 (2 votes)
Author: TQN                        
Website: N/A
Current version: 1.5
Last updated: September 14, 2004
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: It took me two weeks to write two IDA plugins, a renewed, fast IDB2Sig plugin and a new, very fast LoadMap plugin.
The IDB2SIG plugin I rewrote based on the original source code and idea of:
- Quine (quine@blacksun.res.cmu.edu)
- Darko
- IDB2PAT of J.C. Roberts <mercury@abac.com>
Thanks all of you very much. I think all of you will allow me to publish the new source code.
The LoadMap plugin I wrote based on the idea of Toshiyuki Tega. It supports loading and parsing VC++, Borland (Delphi/BC++/CBuilder) and DeDe map files.
And with the two plugins, I needed only two days to create two signature files for Delphi 6/7. Very fast and convenient. Hereafter, we can use the two above plugins to create signature files, load map symbols...

Source is included, and plugins are precompiled for IDA 4.5 and 5.2.

---- UPDATED by Swine
06.10.2011 Fixed behavior for 64-bit disassemblies
Also listed in: IDA Signature Creation Tools



Tool name: Regmon and Filemon Log Duplicate Remover
Rating: 4.0 (1 vote)
Author: Kayaker                        
Website: N/A
Current version: 1.0
Last updated: November 11, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Designed to remove duplicate entries (at a designated filtering level) in Regmon and Filemon logs so it becomes humanly possible to scan large multi-thousand line logs for unique occurrences of a registry or file path being accessed.

The application parses the "Path" string of each entry and cuts it off at a subdirectory (\) level set by the user (Filter Level). A CRC32 value is then calculated on the remaining string. Any further occurrences of the same CRC32 value are considered "duplicates" and are discarded.

The string the CRC32 value is calculated on is actually a combination of the Process, plus the filtered Path string, and optionally the Request (CreateKey, OpenKey, QueryValueEx, etc.). Entries with one or more CLSID {} values can be handled separately so unique values are preserved regardless of the Filter Level chosen.

Of course only the first occurrence is kept and is really only the "root" of the Path entry (unless you choose a Filter Level setting of 0), but by selecting a series of Filter Level settings you can choose the degree of detail you want to reveal.

Full MASM source is included.
Also listed in: Filemon Extensions, Regmon Extensions



Tool name: Ultimate Aspacker Unpacker
Rating: 4.0 (2 votes)
Author: Pnluck                        
Website: http://spin.quequero.org/Category:Pn
Current version:
Last updated: July 19, 2007
Direct D/L link: http://spin.quequero.org/uicwiki/images/Uau_rar.zip
License type: GNU GPL v2
Description: The Ultimate Aspacker Unpacker is an Aspack 2.12 offline unpacker extension for the CFF Explorer which supports any kind of PE file. Includes GPLv2 licensed source & binaries (DLL) for x86, x86_64 and Intel Itanium.

Authored by: Luciano Giuseppe 'Pnluck' and aCaB
Also listed in: CFF Explorer Extensions, Unpacking Tools



Tool name: Immunity Debugger
Rating: 3.0 (1 vote)
Author: Immunity Inc / Oleh Yuschuk                        
Website: http://debugger.immunityinc.com
Current version: 1.6
Last updated: March 27, 2008
Direct D/L link: N/A
License type: Free
Description: Immunity Debugger is based on OllyDbg.

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.

* A debugger with functionality designed specifically for the security industry
* Cuts exploit development time by 50%
* Simple, understandable interfaces
* Robust and powerful scripting language for automating intelligent debugging
* Lightweight and fast debugging to prevent corruption during complex analysis
* Connectivity to fuzzers and exploit development tools
Also listed in: OllyDbg Custom Versions, Ring 3 Debuggers



Tool name: IDACompare
Rating: 2.0 (1 vote)
Author: David Zimmer                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version: 5.4
Last updated: March 5, 2009
Direct D/L link: https://github.com/dzzie/IDACompare/raw/master/IDACompare.exe
License type: Free
Description: Update: This tool is no longer available for download through the iDefense website. A copy of the installer has been made available by the author.

IDACompare is a plugin designed to compare and match up equivalent functions across two IDA databases. IDACompare was primarily designed for analyzing changes across malcode variants, but it should also find good use when conducting patch analysis.

Once function matches have been made, names can be ported across disassemblies, or sequentially renamed in both.

Project also implements a signature scanner, letting you build your own listing of known functions.
Also listed in: Executable Diff Tools, IDA Extensions



Tool name: ASProtect 1.22 - 1.23 Beta 21 ImpREC Plugin
Rating: 0.0 (0 votes)
Author: schenker                        
Website: N/A
Current version: 0.0
Last updated:
Direct D/L link: Locally archived copy
License type:
Description: ImpREC plugin for fixing imports of ASProtect 1.22 - 1.23 Beta 21 targets; it uses the BeaEngine library.
Also listed in: ImpREC Extensions



Tool name: Adobe Flash disassembler
Rating: 0.0 (0 votes)
Author: Marian Radu                        
Website: http://www.hex-rays.com/contest2009
Current version:
Last updated: November 19, 2009
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Shockwave Flash is a very common and widely used file format that, unfortunately, has not been able to make its way into IDA's recognized file formats. The increasing numbers of grayware and malware SWF files require security researchers to disassemble and analyse such files, and IDA is again an ideal tool to use.

The 2 plugins present in this archive will enable IDA to parse SWF files, load all SWF tags as segments for fast search and retrieval, parse all tags that can potentially contain ActionScript2 code, discover all such code (a dedicated processor module has been written for it) and even name the event functions according to the event handled in them (e.g. OnInitialize).

There are two different modules: a file loader module and a processor module. Together, they make it possible to analyze Flash SWF files with IDA, as simple as that. It was very easy to install and run the plugin: just copy 2 files to the IDA subdirectories and it is ready.

Flash files can be loaded very easily into IDA, and you'll see a bytecode, as in the screenshot here below.
Also listed in: Flash Disassemblers, IDA Extensions



Tool name: Advanced obj and lib IDA signature ripper
Rating: 0.0 (0 votes)
Author: gerbay                        
Website: http://www.woodmann.com/forum/showthread.php?t=9931
Current version: 1.0
Last updated: May 23, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: It loads signatures from obj and lib (COFF format) files into the IDA database.

It identifies many more labels than FLAIR signatures do.

FLIRT signature creation is not possible in some situations (for example, try creating a FLIRT signature for the FlexLM libs), but this plugin works in such situations too!
Also listed in: IDA Signature Creation Tools



Tool name: AsProtect Signatures for IDA
Rating: 0.0 (0 votes)
Author: hnedka                        
Website: N/A
Current version: 0.1
Last updated: November 12, 2009
Direct D/L link: http://rapidshare.com/files/301642596/AsProtect.sig
License type: freeware
Description: Signature pack for IDA that contains many AsProtect functions (~500). Run it on a dumped AsProtect.dll.
Also listed in: IDA FLIRT Signatures



Tool name: ClassAndInterfaceToNames
Rating: 0.0 (0 votes)
Author: Frank Boldewin                        
Website: http://www.reconstructer.org
Current version:
Last updated: June 16, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: This small IDAPython script scans an idb file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, thus this little helper. It personally helped me a lot while reversing several malware samples using the COM interface, e.g. for browser or Outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA
Also listed in: IDA Extensions



Tool name: Code Snippet Creator
Rating: 0.0 (0 votes)
Author: servil                        
Website: https://code.google.com/p/idaplugs/downloads/list
Current version: 0.989 beta
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: -------------------------------------------------------------------------------
code snippet creator plugin for ida pro by servil
version 0.989 beta (Feb 2008)
supported ida versions: 4.9 and above till API change
(tested on 5.2 without backward compatibility enforcement)
-------------------------------------------------------------------------------

basic ida plugin to automate migration of one or more functions from host
program to custom assembly project (primarily masm targeted). some effort was
put to be generic and able to process any processor and format based on
function model using basic assembler data types (byte, word, dword...), however
focused and only properly tested on 32-bit borland and msvc code and is
expected to give best results for these compilers (generally the more actual
format is distant from pe-32 the less functionality you may expect), also all
runtime features only are available for pe-32 formats.

major features:

* static code and data flowgraph traversal
* static data formatting and bounds determining
* code and data integrity care
* integrated runtime evaluated addressing resolver (orig. executable required)
* integrated process data dumping with emulation of accessed virtual data and
stack variables (orig. executable required)
* iat address translation for dynamic runtimes build (pe-32 only)
* lexical compatibility adjustments, name conflicts resolving and basic
output garbage cleanup
* final flowgraph (kernel version 5.1 and newer)

plugin is designed to cover all possible address ranges the root function(s)
can access in real. the plugin is not click and go solution, only benefit csc
gives is reduction of boring uphill work - in most cases output will need
manual adjustments to pass compiler. plugin always builds reportlist highlighting
warnings, problems, unsure places, etc..., beside it doubtful lines are
commented in the sourcecode also.
code traversal is based on x-refs, not raw operand values, so that mutual
linkage of related ranges can be flexibly adjusted by user offsets or x-refs
manager (see below).

the plug got 4 components:

1. code ripper self
this is the main component: basic (optionally) recursive deadcode traversal
and creating output source file. additional options and adjustments are
available from startup dialog. most obvious enough, two run-time features
explained here:
* runtime evaluated addressing resolver is useful for discovering indirect
or runtime-evaluated jump/call targets (eg. call dword ptr [edx+08h], jmp
eax, etc.): while targets are evaluated and reached at run-time in host
application naturally, they are invisible at export time from deadcode,
thus they would not be exported at all. the resolver takes care of
tracing real targets and including targets to output - recommended for
images written by OOP language.
* process data dumper recognizes offsets to image range and to a known heap
block. currently these dynamic block types are recognized: msvc malloc,
delphi/cbuilder getmem, bcc malloc, gnu gcc malloc, virtualalloc, stack
variables. relaxing the rules for offset recognition may increase amount
of false offsets rapidly. runtime engines can process both standalone
executables and dlls on certain conditions (a loader directly executable
by createprocess is present, loads the dll at some time and executes
desired code there).
2. indirect flow resolver from external debugger (deprecated)
3. flirt names matching (a helper for code ripper)
comparing libnames recognized by flirt to real library names is helpful to
prevent later linking problems (unmatched names get library flag removed),
works in conjunction with code ripper's 'include library functions' option
turned off.
4. xrefs manager (plugin call parameter 3)
view/create/remove user links between any two places of disassembly. two
samples of usage: for code ripper to cover code or data ranges not referred
from any of collected static areas or to change anchor point of non-head
memory operands (o_mem).
Also listed in: IDA Extensions



Tool name: CodeDoctor
Rating: 0.0 (0 votes)
Author: hnedka                        
Website: N/A
Current version: 0.90
Last updated: November 12, 2009
Direct D/L link: see details
License type: freeware
Description: CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F


to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations where the program jumps here and there and here and there... When
it encounters some instruction that can't be followed, it stops and copies
all parsed instructions to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - ditto, but for Jccs
Deobfuscate - it will deobfuscate instructions when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B
Also listed in: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools



Tool name: Com helper
Rating: 0.0 (0 votes)
Author: servil                        
Website: https://code.google.com/p/idaplugs/downloads/list
Current version: 2
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: Improved version of DataRescue's com helper plugin.
Also listed in: IDA Extensions



Tool name: CoverIt
Rating: 0.0 (0 votes)
Author: Ilfak Guilfanov                        
Website: http://www.hexblog.com/2006/03/coverage_analyzer.html
Current version: 1.0
Last updated: March 27, 2006
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: A code coverage plugin for IDA Pro. It colors all executed instructions directly inside the IDA GUI, including any collapsed functions containing executed instructions.
Also listed in: IDA Extensions, Code Coverage Tools



Tool name: Delphi 6 Full IDA Signatures
Rating: 0.0 (0 votes)
Author: TQN                        
Website: N/A
Current version: 1.0
Last updated: September 14, 2004
Direct D/L link: Locally archived copy
License type: Free
Description: I am very glad to tell you: Wow, at last, I have finished creating the full IDA signatures for Delphi 6 (RTL/VCL/BDE/CLX...).
Also listed in: IDA FLIRT Signatures



Tool name: Delphi 7 Full IDA Signatures
Rating: 0.0 (0 votes)
Author: TQN                        
Website: N/A
Current version: 1.0
Last updated: September 14, 2004
Direct D/L link: Locally archived copy
License type: Free
Description: I am very glad to tell you: Wow, at last, I have finished creating the full IDA signatures for Delphi 7 (RTL/VCL/BDE/CLX...).
Also listed in: IDA FLIRT Signatures



Tool name: Desquirr - Decompiler Plugin for IDA Pro
Rating: 0.0 (0 votes)
Author: David Eriksson                        
Website: http://desquirr.sourceforge.net/desquirr/
Current version: 20070130 (desquirr-20070130-bin-ida_v5_0.zip)
Last updated: November 13, 2003
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Desquirr is a decompiler plugin for IDA Pro.

Desquirr currently consists of a little more than 5000 lines of C++ code, not counting empty lines or lines beginning with comments.

Read the master's thesis at http://desquirr.sourceforge.net/desquirr/desquirr_master_thesis.pdf
Also listed in: IDA Extensions, Decompilers



Tool name: Dump_all/load_all Set Of Tools For IDA 5.x
Rating: 0.0 (0 votes)
Author: deroko / ARTeam                        
Website: http://arteam.accessroot.com
Current version: 1.0
Last updated: September 23, 2008
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=46
License type: Free
Description: A set made of two programs (an IDA plugin and a dumper) useful to analyze dumped memory regions inside IDA. Useful for malware or VM analysis of dynamically allocated code sections (full sources included).

dump_all/load_all set of tools by deroko ARTeam

dump_all.exe is a program which will dump all regions of a certain executable into a specified folder. All dumps are stored as r00000000.dmp where 00000000 is the virtual address of a particular memory region.

The advice is to always create a new folder for these dumped regions, as load_all will load all of these regions into the IDA database. Just to keep everything organized, and to avoid loading wrong files, which could occur under some circumstances.

load_all.plw is an IDA plugin which will actually load all of these memory regions into the IDA database. The example plugin is compiled with the IDA 5.2 SDK, but you may compile it for other versions too.

The plugin will prompt you for a file, so you are free to select any of these .dmp files, and the plugin will load all of them into the database. This could be useful when analyzing malware or some protection with many buffers, for better analysis of a VM, or import protection. This will avoid the need to dump regions manually.
Also listed in: IDA Extensions



Tool name: Eventbug
Rating: 0.0 (0 votes)
Author: Jan Odvarko (Honza)                        
Website: http://getfirebug.com/releases/extensions.html#eventbug
Current version: 0.1b4
Last updated: March 19, 2010
Direct D/L link: http://getfirebug.com/releases/eventbug/1.5/eventbug-0.1b4.xpi
License type: Free / Open Source
Description: Eventbug is a plugin for Firebug, which adds an event panel that lets you dynamically see all currently assigned event handlers for any DOM object.
Also listed in: Firebug Extensions



Tool name: ExtraPass
Rating: 0.0 (0 votes)
Author: Sirmabus                        
Website: https://www.openrce.org/blog/view/839/An_%22extra_pass%22_for_IDA_Pro
Current version: 2.1
Last updated: February 8, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: I made this little IDA plug-in to help working with some Win32 targets that don't disassemble so well, in particular exe's that have a lot of C++ indirections and lots of embedded script stubs.

It basically does a few more passes over an IDA code section. Prefers code over data. It can find a lot of missing code, functions, and alignment blocks. Works particularly well on large EXE's where there is a lot of disconnected code from heavy C++ OOP, script binds, etc.

Intended for typical Win32, mainly Microsoft compiled binaries.
Won't work well (probably for the worse) with Delphi EXE's since those tend to have a lot of mixing of constant data in the ".text" section, but the align and missing function options might still be of use.

My 2nd attempt at it; it's simple but it works well. IMHO it's working well now.
Really can clean up discombobulated code.

[Feb 8, 2007] 2.1 A lot of improvement!
[Nov 26, 2007] 2.0 version. Now fixes align blocks, and finds missing functions, plus has a UI.
[Aug 28, 2007] New and improved.
Also listed in: IDA Extensions



Tool name: FireQuery
Rating: 0.0 (0 votes)
Author: Binary Age                        
Website: http://firequery.binaryage.com
Current version: 0.7
Last updated: February 27, 2010
Direct D/L link: N/A
License type: Free / Open Source
Description: FireQuery is a collection of Firebug enhancements for jQuery. Requires Firebug 1.3 or greater.

Features:
* jQuery expressions are intelligently presented in Firebug Console and DOM inspector
* attached jQuery data are first class citizens
* elements in jQuery collections are highlighted on hover
* jQuerify: enables you to inject jQuery into any page
Also listed in: Firebug Extensions



Tool name: flowinsp
Rating: 0.0 (0 votes)
Author: servil                        
Website: https://code.google.com/p/idaplugs/downloads/list
Current version: 0.977 beta
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Free
Description: ---------------------------------------------------------------------------
Runtime-evaluated addressing resolver plugin for Ida Pro by servil
version 0.977 beta
---------------------------------------------------------------------------

Flow Inspector reveals run-time evaluated call/jump targets (e.g. call dword ptr [ecx+1ch], jmp eax, etc.), especially suitable for binaries written in a high-level language using OOP. Resolving is done in application tracing mode (thus the debuggee is fully run during plugin activity). Flowinsp only runs for Win32-PE targets (due to the tracing layer API). It is optional how the caller -> callee pairs are described in the idabase (as comments, x-refs, or by renaming the o_mem address).
Also listed in: IDA Extensions



Tool name: Fubar
Rating: 0.0 (0 votes)
Author: servil                        
Website: https://code.google.com/p/idaplugs/downloads/list
Current version: 0.982 beta
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: ---------------------------------------------------------------------------
fubar plugin v0.982 eternal beta: post-analysis tasks for ida pro by servil
supported ida versions: 4.90 and above till API change
(tested on 5.2 without backward compatibility enforcement)
---------------------------------------------------------------------------

various additional idabase formatting and describing, main units:

* resource parser and dereferencer
* mfc message map parser
* vcl object templates parser
* more... see main dialog for available steps, most jobs obvious enough
Also listed in: IDA Extensions



Tool name: Function String Associate
Rating: 0.0 (0 votes)
Author: Sirmabus                        
Website: http://www.woodmann.com/forum/showthread.php?t=11748
Current version:
Last updated: May 13, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: I thought of this idea the other day based on the observation of "assert()", development, debug text strings, etc., that software developers often leave in programs I want to reverse.
As I'm sure others do, I look at these comments to help me determine what a particular function is for (x86 binary targets that is).
I thought, wouldn't it be nice to somehow data mine this stuff and automatically put some of it as a function comment?

Based on this, what this plug-in does is iterate through every function in IDA and auto-comment every function that has these strings (unless it already has a comment). It applies a little logic to it, to try to put the most relevant strings first.

Sort of a proof of concept thing. It's hard to say how useful it is yet.
So far it does seem to help as I browse around a DB. I'm putting together things a bit faster because of it.

Of course it only works as well as your target uses such messages mixed in its code.
So far on programs I've used it on, the plug-in finds such strings in about 15% of all functions.

With source. If you expand on the idea, add helpful modifications, etc., share them please.
Also listed in: IDA Extensions



Tool name: GUID-Finder
Rating: 0.0 (0 votes)
Author: Sirmabus                        
Website: http://www.openrce.org/repositories/users/Sirmabus
Current version: 1.0b
Last updated: January 17, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: A GUID/UUID finding/fixing IDA plug-in.

The COM side of RE'ing (at least with "dead listing") can be pretty elusive. With this you can at least partially glean what interfaces and classes a target is using.

This plug-in scans the IDB for class and interface GUIDs and creates the matching structure with label. IDA can find these on its own, but it often misses them, so this can fill in the gap.
Plus this plug-in allows you to easily add custom declarations, and is handy to do a general audit for such GUIDs.

This is based on Frank Boldewin's IDA Python script that you can find here:
http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames
or off his home page:
http://www.reconstructer.org/code/ClassAndInterfaceToNames.zip

It's a great utility, I found myself using it regularly. But I wanted one that wasn't dependent on IDA Python, and one that might be a bit faster. I've made some enhancements too (see below).

Some interesting reading:
http://en.wikipedia.org/wiki/Globally_Unique_Identifier
http://en.wikipedia.org/wiki/UUID

[How to run it]
Just invoke it using your selected IDA hot-key, or from "Edit->Plugins".
Normally you will want to keep the "Skip code segments for speed" check box checked, because it can make a big difference in the run time. When unchecked, code segments are also scanned. You'll want to scan the code too if the target is a Delphi, or others where data tends to be in the code/.text segment, or if you just want to be more thorough.

It might take some time to scan everything depending on the size of the IDB, your computer, etc.

When it's done, you should see a list of interfaces and classes in the IDA log window. If you want to go look at a particular entry to RE (to look at xrefs, etc.) just click on the line and IDA will jump to it.


[How it works]
1. Loads in GUID/UUID defs from the two text files "Interfaces.txt" and "Classes.txt".
A little enhancement here over Frank's format: you can have blank lines and have comments prefixed with '#' (first char, whole line only. Not a very forgiving parser).

In the source is "DumpLib", a utility I created to parse LIB files (like "uuid.lib") to gather more GUIDs. As of this build, it's a collection of Frank's original UUIDs plus all the ones to be found in VS2005 libraries along with DirectX 9.1.

There could be more explicitly created in header (.h/.hpp) files but I have yet to make a utility to parse them.

If you want to add custom GUID defines (from 3rd party software, etc.), just edit these text files manually.

2. After it loads in the defs, the plug-in iterates through all segments in your currently open IDB. By default it will skip code/".text" segments, and import/export segments for speed. Usually you find GUIDs in the ".rdata", and ".data" segments.

I originally intended to sort all the GUIDs by similarity and search with partial wild cards for speed. If you take a look at the GUID defs you will see that many GUIDs share common numbers that often differ only by the least significant digits ("Data4"). At least in theory, searching for groups with wild cards should make searching faster.
Maybe next version..


[Known problems/issues/limitations]
1. If a given GUID 16-byte def just so happens to match something that is not really a GUID, the plug-in will try to convert it to one regardless (another reason not to run it over code sections). So far I have not found this to be much of an issue, although it could be. Could add a confirm dialog for each to let the user decide.

2. Some GUID set operations will fail. This is usually because something is bad/wrong at the particular address; like a partial code def, or incorrect xref.
The plug-in will display most of these errors in the IDA log window for manual correction.

3. TODO: Other GUID types like "DIID", "LIBID", "CATID", useful?
Also listed in: COM Debugging Tools, IDA Extensions



Tool name: Guid Scanner
Rating: 0.0 (0 votes)
Author: ajron                        
Website: http://ajron.vtools.pl/en/guidscanner.html
Current version: build 101114
Last updated: November 14, 2010
Direct D/L link: http://vtools.pl/pliki/scan4g.rar
License type: Free
Description: This tool scans PE files (exe, dll, etc.) for Globally Unique IDentifiers (Classes and Interfaces) in 16-byte binary form. The results can be copied to the clipboard or saved as a script for the IDA disassembler and applied in the IDA database.

Usage:
scan4g.exe [path]
Also listed in: COM Debugging Tools, IDA Extensions



Tool name: HASP SRM 5.0 build 24 Sep 2010 IDA signatures
Rating: 0.0 (0 votes)
Author: souz                        
Website: N/A
Current version: 1.0
Last updated: September 24, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: Safenet HASP SRM 5.0 build 24-Sep-2010 IDA signature finder
Also listed in: Dongle IDA Signatures, Dongle Tools



Tool name: Header Pack Script
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://ntcore.com
Current version: 1.0.0.1
Last updated:
Direct D/L link: http://ntcore.com/Files/richsign/HeaderPack.cff
License type: Freeware/Open
Description: This neat little script does the following:

-- packs the dos header + PE header + section headers
-- removes useless things like the Rich Signature
-- removes linker references inside the PE header
-- strips the debug information (if any) from the PE
-- if it's a .NET file, removes the Strong Name Signature
-- updates checksum

The header produced by this script comes, as I said, without a DOS stub: I don't think it will be missed in 2008. The most efficient way to use this script is to execute it automatically after every linking. The PE header could be packed even more (for example one could reduce the data directory entries), but this goes beyond what I wanted to do: I just wanted my executables to be garbage clean.
Also listed in: CFF Explorer Extensions



Tool name: Hex-Rays
Rating: 5.0 (3 votes)
Author: Hex-Rays sprl (Ilfak Guilfanov)                        
Website: http://www.hex-rays.com
Current version: 1.0
Last updated: September 17, 2007
Direct D/L link: N/A
License type: Commercial (IDA Pro plugin)
Description: Hex-Rays is created by Ilfak Guilfanov, the famous author of IDA Pro. It is a commercial IDA Pro plugin, and aims to be the best decompiler ever created.
Also listed in: Decompilers, IDA Extensions



Tool name: Hexer Plugin - Calculating the entropy of a file
Rating: 0.0 (0 votes)
Author: Sebastian Porst                        
Website: http://www.the-interweb.com/serendipity/index.php?/archives/99-Sample-Hexer-Plugin-Calculating-the-entropy-of-a-file.html#extended
Current version: 1.4.0
Last updated: July 1, 2008
Direct D/L link: http://www.the-interweb.com/serendipity/exit.php?url_id=699&entry_id=107
License type: Free / Open Source
Description: I finally got around to writing an example plugin for my hex editor Hexer to show how simple it is to extend Hexer according to your own needs. The Java plugin I am going to present calculates the entropy of files according to the method presented on Ero Carrera's blog. The plugin adds a new tab containing a line chart and a button to the File Statistics dialog. When the user clicks the button, the entropy of the active file (that is the file in the last active hex window) is calculated and shown in the line chart. The screenshot below shows the entropy distribution of Notepad.exe.

You can download the source file of the plugin here. The archive contains the source file EntropyCalculator.java as well as two class files which were created by compiling the source file using Java 1.6. To install the plugin, simply copy the two class files to the plugins directory of your Hexer installation. Since the plugin uses the JFreeChart library to display the graph it is also necessary to get the files jcommon-1.0.12.jar and jfreechart-1.0.9.jar from the JFreeChart package. Copy those files into the jars directory of your Hexer installation.

At the beginning of the source file the methods getDescription(), getGuid(), getName(), and init() are implemented. These methods must be implemented by all classes that implement the Hexer plugin interface IPlugin. The first three methods return the name, the description, and the GUID of the plugin. These values are necessary for plugin management. The init() method is called once by Hexer when the plugin is loaded for the first time. Its parameter of type IPluginInterface can be used by the plugin to interact with Hexer.

Afterwards the necessary methods of the IStatsPlugin plugin are implemented. This interface must be implemented by all plugins that want to extend the File Statistics dialog. The method getStatsDescription() returns the description of the file statistic as displayed in the tab header of the File Statistics dialog ("Entropy" in this case). The method getStatsComponent() returns the component that is used to display the calculated file statistic in the File Statistics dialog. For the Entropy Calculator plugin we only need the line chart and the button.

That's all that is necessary to extend the Hexer File Statistics dialog. The remaining methods are used to calculate and display the entropy. They are basically a direct Python-to-Java conversion of the code from Ero Carrera's blog. The only difference is that I averaged the entropies of larger files to make sure that the dataset is small enough for the line chart component to handle.

If you do not want to extend the File Statistics dialog but prefer to have your own Entropy dialog you can simply modify the plugin. Just implement the interface IPlugin instead of IStatsPlugin, add a menu to the Hexer main menu in the init() method, and create the dialog when the menu is clicked.
Also listed in: Entropy Analyzers, Hexer Extensions



Tool name: Hotch
Rating: 0.0 (0 votes)
Author: sp                        
Website: http://www.the-interweb.com/serendipity/index.php?/archives/108-Hotch-1.0.0.html
Current version: 1.0.0
Last updated: July 10, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Hotch - named after everyone's favourite TV profiler - is an IDA plugin that can be used to profile binary files. It sets breakpoints on all basic blocks of a program, records breakpoint hits and tries to figure out statistics from these hits. Click here to see an example of a simple profiling session (starting Notepad and exiting Notepad again). Click here to see a huge 6.5 MB results file that shows a larger profiling session (loading a file in Notepad and playing around in it).

Random Notes:

* "This is really slow for larger files". Yeah, it is really slow in IDA up to 5.2 but Ilfak fixed some things in IDA 5.3 and it works acceptably fast now. So patience, young padawan.
* "The timing results don't really make sense". Yeah, I know. Since I execute a callback function after each breakpoint hit, tight loops take a disproportionate amount of time. For anything but tight loops the timing results should kinda work, at least relative to each other of course.
* Ignore the source file libida.hpp, it's an early version of my experimental-at-best C++ wrapper library for the IDA SDK.
* I take feature requests for Hotch.
Also listed in: Code Coverage Tools, IDA Extensions, Profiler Tools



Tool name: IDA 2 PAT
Rating: 0.0 (0 votes)
Author: J.C. Roberts                        
Website: N/A
Current version: 1.0
Last updated:
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: For the most part, this plugin is an exercise in futility. There are very few valid reasons why anyone should ever want to build signatures of the functions in an existing disassembly. There are better reasons, methods and tools for creating signatures for use with IDA. Most importantly, the right way to create signatures is from object files, object libraries or dynamically linked libraries, so please realize this plugin is nothing more than a kludge since we are asking FLAIR to do something it was not designed to do.

**********************************************************************
Option: Create patterns for Non-Auto Named Functions

If you find the rare situation where you want to make patterns from functions in an existing database, this option is probably your best bet. It will only create patterns for functions without auto generated names and it will exclude functions marked as libraries (e.g. they were already found and named through other FLAIR signatures). You may want to remove named functions like _main and WinMain from the resulting pattern file, since these will already exist in the disassembly where it's applied.

**********************************************************************
Option: Create Patterns for Library Functions Only

I did include the ability to build patterns for functions IDA has already marked as libraries. This is for people doing source code recovery/recreation since the pattern file can be further parsed to figure out which header files are needed. There are probably better ways to go about this as well but until I have time to write a specific plugin for figuring out which headers are included, this can give you a step in the right direction. Outside of gathering information on applied library signatures, this feature is pointless since you're building patterns for functions that were previously found with other signatures you already have.

**********************************************************************
Option: Create Patterns for Public Functions Only

This could be useful when dealing with a situation where functions were once stored in a DLL and are now statically linked in an executable. It may still be a better bet to build a signature from the DLL and then apply it to the statically linked executable.

**********************************************************************
Option: Create Patterns For Everything

You generally do NOT want to build patterns for every function in the disassembly. The only place where I can see a legitimate use for creating signatures of every function in the database is if your goal is to see how similar two executables are. Instead of using a hex editor and doing a re-synchronizing binary compare between the two executables, you could use IDA signatures to get a different/better way to visualize the similarities.

There are a lot of problems with trying to do this. The first and most obvious problem is reserved name prefixes (e.g. sub_) on auto generated function names. Another cascading problem is of course references to these names within other functions and whether or not to keep these references in the patterns in order to cut down the number of collisions. There are plenty of other problems with this approach that I won't mention but there are quite a few of them.

I've hacked together a simple work-around. When the user has selected everything mode, the plugin will prepend the auto generated function names with FAKE_ and references to these sub routines are kept to reduce collisions. This should (in theory) work, since every reference will also have its own public pattern in the resulting file. In other words, the named references will resolve to another (public) function pattern in the file. The problem with this approach is of course having erroneous address numbers in names of functions where the signature is applied (e.g. the name FAKE_sub_DEADBEEF could be applied to any address where a matching function is found). My guess why this will work is because a module in a library may have a by-name reference to another object in the library. The pattern file of a library would keep the references, since the names are defined in other pattern lines of the file. Of course I could be wrong but it's worth a shot. If need be comment out the "sub_" tests in part #7 (references) of make_pattern() to get rid of the refs.


**********************************************************************
Option: Create Pattern For User Selected Function

This allows the user to select a function from the list and create a pattern for it. It does not work on functions with auto generated names but probably could with a bit more work.

______________________________________________________________________
**********************************************************************
----------------------------------------------------------------------

LIMITATIONS:

* References and tail bytes are only used by sigmake to resolve collisions. Auto generated names with reserved prefixes "loc_" "byte_" "dword_" are not going to be repeatable in the binary where you would apply the resulting signature. If those references were kept and used to resolve a collision, you'd end up with a useless signature that would not be applied because those names do not exist in the executable where the resulting signature is being applied.

* Reference offsets that are greater than 0x8000 bytes from the function start may make this plugin explode or more likely, just make unusable patterns.

* All references are assumed to be 4 bytes long. This will cause some problems for situations (e.g. processors) where this is not true.


______________________________________________________________________
**********************************************************************
----------------------------------------------------------------------
TODO:
* Error checking for reference offsets > 0x8000
* Change reference length from being fixed at 4 bytes.
* Create "append" versus "overwrite" dialog.
* Deal with the user choosing a function with an auto generated name in the "Single Function" mode.


______________________________________________________________________
**********************************************************************
----------------------------------------------------------------------
DEVELOPMENT:

I did this in MSVC++ v6. There are two projects in the workspace. One is for the plugin and the other for IDAG.EXE so we can debug the plugin once IDA loads it, e.g. start the plugin and break at the choose file dialog. In the list of modules, you'll find "run()" and other functions from the plugin.

Depending on where you install IDA, you'll need to adjust where the plugin is written. I've got output set to "C:\IDA\PLUGINS\IDB2PAT.plw". The same is true for the location of the SDK and such.

When it's set to build the debug version, there will be a lot of warnings due to info truncation of debug symbols. It's not a big deal.
Also listed in: IDA Signature Creation Tools



Tool name: IDA Free 4.9 SDK Library Patch
Rating: 0.0 (0 votes)
Author: xtc                        
Website: http://www.woodmann.com/forum/showthread.php?t=10756
Current version: 0.1
Last updated: November 7, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: This package is for patching the Visual C++ libraries of the IDA 4.9 SDK to work with the free version.

The included patchlib program serves two purposes:
1) Remap the export ordinals to match the free version of ida.wll.
2) Ensure that names are not used when importing from the library.

To facilitate the remapping, patchlib needs two files, ida.wll.exports and ida.wll.names.
ida.wll.exports contains a list of remapped ordinals and undecorated symbol names.
ida.wll.names contains a list of decorated symbols.

With the patched library you can build loaders and plugins.
Processor modules are blocked by the free version.
Also listed in: IDA Extensions



Tool name: IDA Inject
Rating: 0.0 (0 votes)
Author: Jan Newger                        
Website: http://newgre.net/idainject
Current version: 1.0.3
Last updated: July 18, 2008
Direct D/L link: http://newgre.net/system/files/IDAInject.rar
License type: Free / Open Source
Description: This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process.
To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question.
In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path.
Also listed in: Code Injection Tools, IDA Extensions



Tool name: IDA Plugin Depack APlib And LZMA
Rating: 0.0 (0 votes)
Author: deroko / ARTeam                        
Website: http://arteam.accessroot.com
Current version: 1.0
Last updated: September 23, 2008
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=45
License type: Free
Description: A plugin for IDA 5.2 and following, to decompress aplib or lzma packed data in your target when analyzing with IDA.

The plugin supports aPlib which is quite common in malware, but there's also support for packman lzma compression, even if this one is very rare.

Run the plugin by pressing CTRL+9 and you will be prompted with a window for unpacking, or simply go to Edit->plugins->aplib depack.

Full C sources are included as well. See the readme.txt for further details and instructions.
Also listed in: IDA Extensions



Tool name: IDA Signature: Sentinel SuperPro VC++ library 64bit
Rating: 0.0 (0 votes)
Author: prt                        
Website: N/A
Current version: rev1
Last updated: September 2, 2013
Direct D/L link: Locally archived copy
License type: free
Description: IDA Signature: Sentinel SuperPro VC++ library 64bit
version: rev1

2013.09.02 rev1:
Add Sentinel SuperPro v7.1
Add Sentinel SuperPro v7.0
Add Sentinel SuperPro v6.6.0
Add Sentinel SuperPro v6.5.0
Also listed in: Dongle IDA Signatures



Tool name: IDA2PAT Reloaded
Rating: 0.0 (0 votes)
Author: Sirmabus                        
Website: http://www.woodmann.com/forum/showthread.php?t=11916
Current version: 1.0B
Last updated: July 19, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: An IDA Pro 5.xx plug-in to generate a pattern file.

You've probably seen one or more of the different variants of this plug-in:
"ida2sig", "ida2pat", etc.
We want to create a pattern (".pat") file to assemble a FLIRT signature file (".sig") using the FLAIR utility "sigmake.exe". This will allow one to apply these sigs to help port updates, etc.

I had preferred TQN's "ida2sig" version since it was the fastest (see below) I could find. But it had the same problems as the previous version. And I wanted to make a build I could update with the latest FLAIR lib, etc.

[How to run it]
1. Invoke it using your selected IDA hot-key or from "Edit->Plugins".
2. Select the destination ".pat" file.
3. After it is done, convert your pattern file into a signature file using "sigmake.exe".

[Design & Outstanding issues]
There are zero options; the assumption is you want to save only, and all, function names that are not autogenerated. That is, for the most part, all functions that are not "sub_69B470", "unknown_libname_228", etc.

There are unfortunately ambiguities and errors in using function name flags like "pFunc->flags & FUNC_LIB", "is_public_name()", "dummy_name_ea()", etc. to determine what is a library, public, etc., function.

Biggest hurdle, consider this: you go do your RE work, you rename some functions with a name that makes sense to you, or you just rename it specifically so you can come back to it later using a custom sig, etc.
Maybe all is well the first time because IDA will see it as a user function and thus traditional IDA2PAT will create a pattern for it. But next time, after an update, etc., you apply the sig. It is no longer a "user function"; IDA marks it as a library function, or worse as autogenerated. I don't like this. We want to be able to apply a sig, work on the DB, rename some functions with better fitting names as my understanding grows, etc., then create new patterns and not have name collisions, etc.

AFAIK there is no solid way to determine what is "autogenerated", "user-generated" or otherwise using the stock IDA SDK functions.

What "IDA2PAT Reloaded" does is solely rely on function name patterns instead. It simply rejects functions that start with "sub_..", "unknown_libname_..", or that start with the characters '$', '@', '?', '_', etc.

This will be a problem if you intentionally use something like "sub_MyFunction" or "unknown_libname_MyFunction", etc., as your naming convention. This design assumes IDA is set up to display autogenerated function names as "sub_xxxxxx", etc., per the defaults.

Speed:
TQN's version was definitely faster than the others; he replaced the file streaming "qfprintf()" with a very large buffer, then saved the buffer at the end. The real issue was a single "qflush()" call after each pattern creation in Quine's original code. FYI, a file "flush" causes the OS to flush its write cache, causing a file performance hit.

As a baseline, just iterating through around 100k functions (with zero processing) takes ~12 seconds on my machine on average. Thus, any processing on top of that is just additive. IDA2PAT-Reloaded only adds ~3 seconds to the baseline on a modern machine.
Also listed in: IDA Signature Creation Tools



Tool name: IDA2SICE
Rating: 0.0 (0 votes)
Author: Mostek                        
Website: http://mostek.subcultural.com
Current version: 4.09
Last updated: October 30, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: IDA to SoftIce is an IDA plugIn which loads IDA symbols into SoftIce. It can export them as an nms file too.
To get the latest version go to the News page.

I started the project in May 2000 and it took me almost 9 months to reverse everything needed to make the plugIn (well, around 4 months of real work).
The main reason for the plug was that at that time you could only see global procedures and variables.
And because there were no local variables in SIce, reversing was really a pain in the .... So this plugIn solves that. :)

Some info:
Currently PE and LE file types are supported.
Use the map2sice utility for all other types (included in the package).

One of the nicest features of the plug is that you can see structures in SIce.
ex.: In IDA you set a local/global structure and when in SIce you can use the command '? myStructure' or '? myStructure.element.element', .....
The plugIn supports structure(union) in structure(union).
Also listed in: IDA Extensions, SoftICE Extensions



Tool name: IDAAPIHelp
Rating: 0.0 (0 votes)
Author: Frank Boldewin                        
Website: http://www.reconstructer.org
Current version: 0.3
Last updated: October 17, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: IDAAPIHelp is a small IDAPython script that saves time when searching for API information while, e.g., analyzing malware with IDA Pro. It looks at the cursor position for a valid API call and, if one is found, tries to show you the relevant API info from the provided help file.
Also listed in: IDA Extensions



Tool name: IDAPerl
Rating: 0.0 (0 votes)
Author: Willem Jan Hengeveld                        
Website: http://www.xs4all.nl/~itsme/projects/idcperl
Current version: 0.3
Last updated: May 12, 2008
Direct D/L link: N/A
License type: Free / Open Source
Description: IDAPerl is a plugin for IDA Pro which adds Perl scripting support.
Also listed in: IDA Extensions



Tool name: JABi (Just Another Bin2inc)
Rating: 0.0 (0 votes)
Author: PsYcHoCoDe                        
Website: N/A
Current version: 0.0a
Last updated: April 20, 2012
Direct D/L link: Locally archived copy
License type: Freeware
Description: -> What's NEW in v.0.0a:
+ SYNTAX: the D programming language now supported :P
+ SYNTAX: Windows Registry Entry
+ Added: lil' bit better documented plugin sample and SDK...
+ Added: CRC32 internal function is now accessible for use in your plugins ;)
- Bugfix: tiny C syntax problem...
Enjoy! ;)

*** WHAT THE HELL iS THAT?!
-> JABi is a binary file to source include file generator. The 'syntaxes' are the supported output formats >:)

*** Why could i possibly need ANOTHER tool for this job?!
-> JABi is actually *REALLY FAST* and *TINY* (pure ASM code), totally commandline driven (to use it in your compilation scripts), has support for Pre/PostProcessing PLUGINS! and currently supports MASM/TASM/FASM, C, NASM, D language and Windows Registry Entry Syntaxes. I'm planning on expanding the 'supported syntax' list, depending on your feedback, of course, any suggestions are encouraged ;)

*** You said something about pre/postprocessing plugins -> now what the hell is that?!
-> These plugins are actually DLLs, so one could easily expand his JABi features :P Preprocessors receive control just before the actual dumping of the binary file to the memory, while postprocessors execute right after the dumping to memory! So basically, the coder has the full control over what is getting dumped and how it's gonna look in the end of the process >:) The only limit is the coder's imagination actually :P

*** That sounds nice, actually... So, how do I create a new *Processor?!
-> I've included a lil' SDK in the package. It's done in MASM32, but I'm ready to include user-contributed SDKs in the package; any ports of the SDK will be appreciated. I just code mostly asm.

*** Are combined plugins a supported option?! (PREPROCESSOR+POSTPROCESSOR=Single Plugin)
-> Yep, they sure ARE supported. However, if you specify such a combined plugin only as a POSTPROCESSOR on the command line, its PREPROCESSING phase WILL NOT BE executed, and vice versa. If one wants to use BOTH processor phases, he MUST supply the given plugin's name with BOTH the PRE and POST parameters at the command line. Actually the plugin example bundled with the SDK is such a combined processor ;)

*** I LiKE the tool! How could I assist in the further development?
-> You could send plugins you've developed, or send samples of other syntaxes that aren't currently supported by JABi, so I am able to further expand the list... I'm open to any kind of support and ideas on this tiny project.

PS: I believe there's need for a new category for this kind of tool (binary/source embedders maybe, just an idea), since they're a must-have for anyone who digs self-modifying code, be it a software protectionist, reverse engineer or whatever. The problem comes when one gets to need one of those, since there are plenty of 'solutions' in the field, but almost none of them is actually suitable for such a coder's needs... :/ That was actually why I coded this one... I hope you'll like it...
Also listed in: Assemblers, Code Snippet Creators, Installer Tools, Needs New Category, Patch Packaging Tools, Source Code Tools, Specific by Compiler



Tool name: Key-lok II C++ library IDA Signatures
Rating: 0.0 (0 votes)
Author: prt                        
Website: N/A
Current version: rev1
Last updated: July 5, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: IDA Signature: Key-lok II C++ library
version: rev1
Also listed in: Dongle IDA Signatures, KEYLOK Dongle Tools



Tool name: MFC42Ord2FuncNames
Rating: 0.0 (0 votes)
Author: Frank Boldewin                         
Website: http://www.reconstructer.org
Current version:
Last updated: June 03, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: MFC42Ord2FuncNames is a small IDAPython script which converts MFC42 functions into their real names. Normally IDA Pro should do this automatically, but in some cases the IDA auto-analysis fails. Watch the short Flash movie included in the package for details.
Also listed in: IDA Extensions



Tool name: mIDA
Rating: 0.0 (0 votes)
Author: Tenable Network Security                        
Website: http://cgi.tenablesecurity.com/tenable/mida.php
Current version: 1.0.10
Last updated: October 21, 2008
Direct D/L link: http://cgi.tenablesecurity.com/tenable/dl.php?p=mIDA-1.0.8.zip
License type: Free
Description: mIDA is a plugin for the IDA disassembler that can extract RPC interfaces from a binary file and recreate the associated IDL definition. mIDA is free and fully integrates with the latest version of IDA (5.0).
This plugin can be used to:

* Navigate to RPC functions in IDA
* Analyze RPC function arguments
* Understand RPC structures
* Reconstruct an IDL definition file

The IDL code generated by mIDA can, most of the time, be recompiled with the MIDL compiler from Microsoft (midl.exe).
Also listed in: IDA Extensions



Tool name: Mapgen
Rating: 0.0 (0 votes)
Author: servil                        
Website: https://code.google.com/p/idaplugs/downloads/list
Current version: 0.985 beta
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: ---------------------------------------------------------------------------
map file exporter plugin for ida pro by servil version 0.985 beta
---------------------------------------------------------------------------

the plugin extends map file generation to export better information into
ollydbg. exported files can be processed by the modified mapconv plugin included
in this archive.

features:
- imports comments as comments and labels as labels
- all segments
- relocated images (dlls) taken into account
- extended by exporting local variables, enums, struct offsets,
register variables and forced operands
Also listed in: IDA Extensions



Tool name: Matrix Dongle 2.6.0 IDA Signatures
Rating: 0.0 (0 votes)
Author: Sope                        
Website: N/A
Current version:
Last updated: September 13, 2008
Direct D/L link: Locally archived copy
License type:
Description: Recently, while reversing a target, I had to create an IDA signature file for Matrix Dongle ver 2.6.0, hence uploaded here. It will help you to identify many functions.
Also listed in: Dongle IDA Signatures, Matrix Dongle Tools



Tool name: Matrix Dongle C++ library IDA Signatures
Rating: 0.0 (0 votes)
Author: prt                        
Website: N/A
Current version: rev1
Last updated: August 5, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: IDA Signature: Matrix Dongle C++ library
version: rev1

2007.08.05 rev1:
Matrix SDK v2.60
Also listed in: Dongle IDA Signatures, Matrix Dongle Tools



Tool name: OllyDbg (OllyICE Modification)
Rating: 0.0 (0 votes)
Author: Hacnho                        
Website: N/A
Current version: 1.10.0
Last updated: August 27, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: This is the final OllyDbg release from Hacnho, his further enhanced OllyDbg Hacnho modification. It includes all the bug fixes from his original Hacnho. It is also compressed using the Themida 1.xx Ring-0 engine to help hide the debugger from detection. Be warned that it runs quite slowly because of this and it is not very compatible with certain operating systems (WinXP SP2) and applications like anti-virus tools. Blue Screens of Death (BSOD) are quite common with this Olly.
Also listed in: OllyDbg Custom Versions



Tool name: Ordinal imports/exports resolver
Rating: 0.0 (0 votes)
Author: servil                        
Website: https://code.google.com/p/idaplugs/downloads/list
Current version: 1
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: Ordinal imports resolver
Also listed in: IDA Extensions



Tool name: PDB
Rating: 0.0 (0 votes)
Author: servil                        
Website: https://code.google.com/p/idaplugs/downloads/list
Current version:  ?
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description: This is yet another extension built on DataRescue's original PDB plugin.

Main enhancements over the original plugin:
* Integrates the advantages of the Microsoft Debug Interface Access (DIA) SDK. The interface provided by DIA offers a more complete description of the executable than the DbgHelp (ImageHlp) API. If the DIA server is not installed, DbgHelp's engine is used (use the newest version possible to achieve the best results).
* Preserved name mangling on public symbols (IDA still shows the C prototype where full IDA typeinfo can't be successfully set).
* Replication of complex types (struct, enum) and typedefs from the PDB.
* Scoped UDT members handled (inherited members and nested typedefs, structs and enums).
* Exact format for static data symbols and static struct members, forced code at function start (extern symbol format preserved).
* Full IDA typeinfo for static symbols and struct members.
* Names, exact format and full IDA typeinfo for function arguments and local symbols stored in the frame, with recursive traversal of all nested sub-blocks of the function (with DIA only). Supports (both top and bottom) ebp- and esp-based frame models; support for register variables and params was removed during testing (see known problems and anomalies/#3).
* Source lines imported into the idabase where the source file is accessible (as anterior lines).
* Foreign program database support for importing data types only. Selective filtering of unwanted types is offered before storing them in your own database. For this feature call the plugin with argument 2 (use an IDC command or edit plugins.cfg for that).
* Lots of minor adjustments not worth mentioning.
* No UI (lazy): all features are always applied.

Source code included.
Also listed in: IDA Extensions



Tool name: PE Validator Script
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://ntcore.com/
Current version: 1.0.0.1
Last updated:
Direct D/L link: http://ntcore.com/Files/PEValidator.cff
License type: Freeware/Open
Description: A simple script for CFF Explorer which detects some of the most common PE integrity problems. Some of the things checked by this script:

-- check the CRC32 (useful for drivers)
-- check the number of RVAs and sizes
-- check the image size
-- check the sections
-- check that the EP is valid
-- check that the EP is in code
-- check that the EP section is executable
-- check the data directory RVAs
-- check whether the API IsDebuggerPresent is imported
Also listed in: CFF Explorer Extensions



Tool name: PESpin ImpREC Plugin
Rating: 0.0 (0 votes)
Author: tnagareshwar                        
Website: http://www.securityxploded.com/pespinplugin.php
Current version: 1.0
Last updated: June 17, 2006
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: ImpREC plugin for PESpin 1.3 & 1.304.

Including full source, AND tutorial on how to write your own ImpREC plugins!
Also listed in: ImpREC Extensions



Tool name: ProcessStalker GDL Viewer
Rating: 0.0 (0 votes)
Author: AmesianX                        
Website: https://www.openrce.org/forums/posts/707
Current version: 1.0
Last updated: January 28, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: A GUI plugin for bringing up the GDL graphs of ProcessStalker directly inside IDA Pro.
Also listed in: IDA Extensions



Tool name: QuickUnpack CFF Explorer Extension
Rating: 5.0 (1 vote)
Author: Shub-nigurrath                        
Website: http://arteam.accessroot.com/releases.html
Current version: 1.0
Last updated: January 24, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: Extension for CFF Explorer. This is an adaptation of the already released QuickUnpack DLL (http://www.woodmann.com/collaborative/tools/index.php/QuickUnpack_DLL), which is in turn based on the original QUnpack sources (by FEUERRADER of AHTeam).
Also listed in: CFF Explorer Extensions



Tool name: Resource Tweaker
Rating: 5.0 (1 vote)
Author: Daniel Pistelli                        
Website: http://ntcore.com/restweaker.php
Current version: 1.0.0.1
Last updated:
Direct D/L link: http://ntcore.com/Files/ResourceTweaker.zip
License type: Freeware
Description: Resource Tweaker is an extension for CFF Explorer which makes it possible for older resource editors such as Resource Hacker to edit PE64 files (you can edit all non-x86 PEs). Win32 resources haven't changed much (what changed are bitmaps, icons and cursors, which can be edited with CFF Explorer), although the PE format has. It doesn't make much sense to reinvent the wheel, since, through this extension, you can keep using your favourite resource editor. This extension works 100%.
Also listed in: CFF Explorer Extensions



Tool name: Reveal Imports
Rating: 0.0 (0 votes)
Author: ZaiRoN                        
Website: http://zairon.wordpress.com/2008/11/04/ida-plugin-reveal-imports/
Current version: 1.0
Last updated: November 4, 2008
Direct D/L link: http://www.box.net/shared/static/pbm0okvb86.zip
License type: Free
Description: The plugin reveals the imports of a dumped process. It will come in handy when you need to analyze a dump without rebuilding the file using an external tool.

Usage: put the plugin inside the IDA plugin directory; to run it, hit ALT+z.
Here is a screenshot. As you can see, the plugin creates a new window filled with the revealed imports.
Also listed in: IDA Extensions



Tool name: Rockey4 2.x Dongle C++ library IDA Signatures
Rating: 0.0 (0 votes)
Author: prt                        
Website: N/A
Current version: rev1
Last updated: July 5, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: IDA Signature: Rockey4 v2.x C++ library
version: rev1

2007.07.05 rev1:
Add Rockey4 v2.05
Add Rockey4 v2.06
Also listed in: Dongle IDA Signatures, Rockey Dongle Tools



Tool name: Rockey4ND 1.x Dongle C++ library IDA Signatures
Rating: 0.0 (0 votes)
Author: prt                        
Website: N/A
Current version: rev2
Last updated: October 11, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: IDA Signatures: Rockey4ND v1.x C++ library

2007.07.05 rev1:
Add Rockey4ND v1.20

2007.10.11 rev2:
Add Rockey4ND v1.15
Add Rockey4ND v1.16
Also listed in: Dongle IDA Signatures, Rockey Dongle Tools



Tool name: SSL Key/Cert Finder
Rating: 0.0 (0 votes)
Author: Tobias Klein                        
Website: http://www.trapkit.de/research/sslkeyfinder/
Current version: 1.0
Last updated: February 5, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: IDA plugin that finds and extracts SSL keys/certs from executables.
Also listed in: Crypto Tools, IDA Extensions



Tool name: Safenet Sentinel Hardware Keys 1.x C++ library IDA Signatures
Rating: 0.0 (0 votes)
Author: prt                        
Website: N/A
Current version: rev1
Last updated: November 15, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: New sentinel dongle:
http://www.safenet-inc.com/products/sentinel/hardware_keys.asp

IDA Signature: Safenet Sentinel Hardware Keys v1.x C++ library
version: rev1

2006.11.15 rev1:
Sentinel Hardware Keys v1.0.2
Also listed in: Dongle IDA Signatures, Sentinel Dongle Tools



Tool name: Scripts for Perl Decompiling
Rating: 0.0 (0 votes)
Author: Swine                        
Website: N/A
Current version: 1.0
Last updated: April 1, 2011
Direct D/L link: Locally archived copy
License type: Free/GPL
Description: Bash & IDA scripts for automated decompiling of Perl programs compiled by perlcc

REVISION HISTORY
Version Author Date
1.0 Swine ????????

perlcc parses a Perl script and produces C code (which is in turn compiled to an executable by the C compiler) that initializes the execution tree, which is later interpreted through the documented perl_run function. The execution tree can be decompiled by the documented Perl B::Decomp module (in the latest Perl releases this module has gone, along with perlcc). The trick is to inject the call to the decompiler into the target program.

See README inside the archive for further details
Also listed in: Decompilers, IDA IDC Scripts



Tool name: Sentinel SuperPro 6.x Dongle C/C++ library IDA Signatures
Rating: 0.0 (0 votes)
Author: prt                        
Website: N/A
Current version: rev7
Last updated: April 17, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: IDA Signature: Sentinel SuperPro v6.x C/C++ library
version: rev7

2007.04.11 rev7:
Fixed some Sentinel obfuscated functions. (Thanks to Meteo)

2007.03.01 rev6:
Fixed Sentinel obfuscated functions. (Thanks to Meteo)

2006.10.27 rev5:
Add Sentinel SuperPro v6.4.4
Add Sentinel SuperPro v6.4.3

2006.03.11 rev4:
Add Sentinel SuperPro v6.4.2
Add Sentinel SuperPro v6.4.1

2005.05.07 rev3:
Add Sentinel SuperPro v6.4

2004.12.31 rev2:
Add Sentinel SuperPro v6.3.1.9
Add Sentinel SuperPro v6.3.1.8
Add Sentinel SuperPro v6.3.1.2
Add Sentinel SuperPro v6.3.1.1

2004.12.09 rev1:
Add Sentinel SuperPro v6.3.1.10
Add Sentinel SuperPro v6.3.1.4
Add Sentinel SuperPro v6.3.1
Add Sentinel SuperPro v6.3
Add Sentinel SuperPro v6.2.1
Add Sentinel SuperPro v6.2
Add Sentinel SuperPro v6.1
Add Sentinel SuperPro v6.0
Also listed in: Dongle IDA Signatures, Sentinel Dongle Tools



Tool name: SentinelLM Dongle C/C++ library IDA Signatures
Rating: 0.0 (0 votes)
Author: prt                        
Website: N/A
Current version: rev2
Last updated: June 14, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: IDA Signature: SentinelLM C/C++ library
version: rev2

2007.06.14
Add SentinelLM v8.0
Add SentinelLM v8.0.2
Fixed some obfuscated functions.

2004.12.30 rev1:
include:
SentinelLM v7.0
SentinelLM v7.0 SP2
SentinelLM v7.1
SentinelLM v7.1.1
SentinelLM v7.1.2
SentinelLM v7.2
SentinelLM v7.2.0.1
SentinelLM v7.2.0.3
SentinelLM v7.2.0.4
SentinelLM v7.2.0.5
SentinelLM v7.2.0.6
SentinelLM v7.2.0.8
SentinelLM v7.2.0.9
SentinelLM v7.2.0.12
SentinelLM v7.2.0.18
SentinelLM v7.3.0
Also listed in: Dongle IDA Signatures, Sentinel Dongle Tools



Tool name: SiDAg
Rating: 0.0 (0 votes)
Author: Zool@nder                        
Website: N/A
Current version: 1.0
Last updated: August 31, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: This is a GUI tool that helps beginners make IDA signatures from OBJ files/libraries and PAT files.
Also listed in: IDA Signature Creation Tools



Tool name: VtablesStructuresFromPSDK2003R2
Rating: 0.0 (0 votes)
Author: Frank Boldewin                        
Website: http://www.reconstructer.org
Current version:
Last updated: July 16, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: This small IDAPython script includes all vtable structures that can be found in the files of the Microsoft PSDK 2003-R2. After running the script in IDA, it adds these vtable structures to the IDB file. This will save time while reconstructing COM code.
Also listed in: IDA Extensions



Tool name: Zaesars heap plugin
Rating: 0.0 (0 votes)
Author: Zaesar                        
Website: http://www.deneke.biz/obsidian
Current version:
Last updated: October 21, 2006
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Heap plugin for the Obsidian non-intrusive debugger, helpful if you are manipulating heap structures etc.

PS.
Don't mind the dirty way in which this module was put into a dll. It was received before the plugin interface was available, and "ported" making as few changes as possible when the plugin system was published.
Also listed in: Obsidian Extensions


There were too many (recursive) child objects of this category to display them all, please use the sub categories below to increase the detail of your search criteria!
Subcategories

There are 13 subcategories to this category.