From Collaborative RCE Tool Library
Tool Extensions
| Tool name: | CPU Initialization Patch |
|---|---|
| Author: | blurcode |
| Website: | http://www.woodmann.com/forum/showthread.php?t=11302 |
| Current version: | 1.0.0.1 |
| Last updated: | April 12, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | A plugin for OllyDbg 1.10 that hot-patches Olly's own code to fix OllyDbg consuming 100% CPU time as soon as the debugged process is running (i.e. after pressing F9 in OllyDbg). If nothing else, the problem drains the battery of any laptop you reverse on far faster than necessary and keeps its fan at maximum speed, so this plugin will come in handy for laptop reversers at least. For more info, see the following thread: http://www.woodmann.com/forum/showthread.php?t=11302 Changelog: 1.0.0.1 (April 12, 2008): keeps the last selected option after restart. 1.0.0.0 (February 11, 2008): initial release. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | IDAFicator |
|---|---|
| Author: | AT4RE |
| Website: | http://www.at4re.com |
| Current version: | 1.2.12 |
| Last updated: | May 6, 2008 |
| Direct D/L link: | http://www.at4re.com/tools/Releases/Zool@nder/IDAFicator/IDAFicator_1.2.12.zip |
| License type: | Free |
| Description: | This plugin tries to make the life of OllyDbg users easier by bringing them some fast and frequently used functions. Features: Version 1.2.8, what's new: optimized assembling abilities (ONE.SHOT.ASSEMBLER); new breakpoints menu; 3 new custom functions; new mouse actions and shortcuts in the disasm and dump windows. Version 1.2.0: 11 buttons added to the native toolbar: 1. go back/forward; 2. reach beginning/end of procedure; 3. search for all text strings; 4. hardware breakpoints dialog box opener (in a non-modal, non-child dialog); 5. multi-command assembler; 6. target directory opener; 7. customizable buttons. IDA-like mouse features in the disassembly window, the default dump window and the stack window. Dump and set a HWBP on [ESP]. 'Universal' stolen code restoring. Address informer. Direct address copier. And more. What's new: 1. Support for asm-like commands in the multi-command assembler. Commands added so far: 1.1) PUSHSTR, in two versions: 1.1.1) without argument (ex: pushstr 'kernel32.dll' -> PUSH 3D0000 ; ASCII "kernel32.dll"); 1.1.2) with one argument, the address where to assemble (ex: pushstr 'kernel32.dll', 401000 -> PUSH 00401000). 1.2) PUSHALL pushes several commands (ex: pushall 0402000, @GWL_EXSTYLE call GetWindowLongA is assembled to PUSH 00402000 CALL user32.GetWindowLongA); nearly all constants in windows.inc (thanks hutch and iczelion for this file) can be used with the prefix '@'. 1.3) INVOKE works like its asm counterpart, with an extra: 1.3.1) the strings are assembled at a 'random' address allocated in debuggee memory; 1.3.2) you can embed strings directly in the invoke macro (ex1: invoke MessageBoxA, 'Text1 from invoke macro', 'Text2 from invoke macro', @MB_OK -> PUSH 0 ; /Style = MB_OK\|MB_APPLMODAL PUSH 1D0030 ; \|Title = "Text2 from invoke macro" PUSH 1D0048 ; \|Text = "Text1 from invoke macro" PUSH 00402000 ; \|hOwner = 00402000 CALL DWORD PTR DS:[<&user32.MessageBoxA>] ; \MessageBoxA; ex2: invoke GetPrivateProfileIntA, 'Section Name', 'Key', 0, 'B:\bla\bla\bla\bla.ini' -> PUSH 1D0060 ; /IniFileName = "B:\bla\bla\bla\bla.ini" PUSH 0 ; \|Default = 0 PUSH 1D0077 ; \|Key = "Key" PUSH 1D007B ; \|Section = "Section Name" CALL DWORD PTR DS:[<&kernel32.GetPrivate> ; \GetPrivateProfileIntA). 1.4) Note that the constants are located in the 'BYTES.OEP' file provided with this version (version of 06/05/2008); you have to replace the old one, otherwise all constants will return 0 and be assembled as push 0. 2. Position saving for the most important and most used dialog boxes. Please consider using the pushstr macro instead of the invoke one if the length of the pushed text is > 40 chars. Privacy note: the last entered piece of text to assemble in MCasm is stored in the registry ("HKEY_CURRENT_USER\Software\IDAFicator Plugin"), just in case. 3. MuCAsm now remembers the last entered text even between two debugging sessions. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | PhantOm |
|---|---|
| Author: | Hellsp@wn & Archer |
| Website: | N/A |
| Current version: | 1.26 |
| Last updated: | April 5, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Plugin (with driver) for hiding OllyDbg from the following methods of detection. Driver (extremehide.sys): [+] NtQueryInformationProcess [+] SetUnhandledExceptionFilter [+] OpenProcess [+] Invalid Handle [+] NtSetInformationThread [+] RDTSC [+] NtYieldExecution [+] NtQueryObject [+] NtQuerySystemInformation [+] Windows hide [+] GetProcessTimes [+] NtSetContextThread. Plugin (PhantOm.dll): [+] PEB BeingDebugged [+] PEB NtGlobalFlag [+] GetStartupInfo [+] Process Heaps [+] GetTickCount [!] Protect DRx [!] Hide DRx [!] Fake Windows version [!] Custom Handler [+] BlockInput. What's new in 1.26: fixed bug with loading the driver; fixed bug with memory breakpoints (now, when the "custom handler exceptions" option is checked, memory breakpoints on access/write will work, but break-on-access won't work); fixed bug with updating the plugin (after previous version). What's new in 1.25: you can now manually set the names of the services (HIDENAME and RDTSCNAME); fixed some minor bugs; fixed bug with memory breakpoints. What's new in 1.20: added own exception handler (C0000005); added option to change the caption of the main OllyDbg window; added own exception handler (OUTPUT_DEBUG_STRING_EVENT); improved removal of the int 3 breakpoint at EP when pause is set to "system breakpoint"; added hook for BlockInput (Windows XP only); added own exception handler (C0000094); added hide from GetStartupInfo; fixed bug with plugin options; added protection from detecting the driver. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | Fast IDB2Sig and LoadMap IDA plugins |
|---|---|
| Author: | TQN |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | September 14, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | It took me two weeks to write two IDA plugins: a renewed, fast IDB2Sig plugin and a new, very fast LoadMap plugin. The IDB2SIG plugin I rewrote based on the original source code and ideas of: Quine (quine@blacksun.res.cmu.edu), Darko, and IDB2PAT by J.C. Roberts <mercury@abac.com>. Thanks all of you very much. I think all of you will allow me to publish the new source code. The LoadMap plugin I wrote based on the idea of Toshiyuki Tega. It supports loading and parsing VC++, Borland (Delphi/BC++/CBuilder) and DeDe map files. With the two plugins, I needed only two days to create two signature files for Delphi 6/7. Very fast and convenient. Hereafter, we can use the two plugins above to create signature files, load map symbols... Source is included, and plugins are precompiled for IDA 4.5 and 5.2. |
| Also listed in: | IDA Extensions |
| Tool name: | API Help |
|---|---|
| Author: | Phoenix |
| Website: | N/A |
| Current version: | |
| Last updated: | June 26, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Assists in finding API addresses and setting breakpoints; includes an auto-completion feature. Supports ~120 DLLs and ~14,000 APIs. For XP SP2 only! (Place aphlp.ahd in the main OllyDbg directory.) |
| Also listed in: | OllyDbg Extensions |
| Tool name: | Advanced obj and lib IDA signature ripper |
|---|---|
| Author: | gerbay |
| Website: | http://www.woodmann.com/forum/showthread.php?t=9931 |
| Current version: | 1.0 |
| Last updated: | May 23, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Loads function signatures from obj and lib files (COFF format) directly into the IDA database. It identifies many more labels than FLIRT signatures do. FLIRT signature creation is not possible in some situations (for example, try creating a FLIRT signature for the FLEXlm libs); this plugin works in such situations too! |
| Also listed in: | IDA Extensions |
| Tool name: | AnalyzeThis! |
|---|---|
| Author: | Joe Stewart |
| Website: | http://www.joestewart.org |
| Current version: | |
| Last updated: | October 26, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This plugin allows the OllyDbg analysis function to operate outside of the standard code segment as defined by the PE header. Particularly useful for packed files. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | Asm2Clipboard |
|---|---|
| Author: | fatmike |
| Website: | N/A |
| Current version: | |
| Last updated: | April 8, 2005 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Copies asm code to the clipboard. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | BinDiff |
|---|---|
| Author: | SABRE Security |
| Website: | http://www.sabre-security.com/products/bindiff.html |
| Current version: | 2.0 |
| Last updated: | October 2007 |
| Direct D/L link: | N/A |
| License type: | Commercial (IDA Pro plugin) |
| Description: | A very powerful executable file diffing tool, in the form of an IDA Pro plugin. |
| Also listed in: | Executable Diff Tools, IDA Extensions |
| Tool name: | CLBPlus! |
|---|---|
| Author: | Robert Ayrapetyan |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | October 1, 2005 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Extends the standard capabilities of conditional log breakpoints, using the OllyDbg feature that passes commands to plugins from the "Set conditional log breakpoint" window. This version only supports a DUMP command, but with the included source it is a good example for creating additional functions. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | Cleanup Ex |
|---|---|
| Author: | Gigapede |
| Website: | N/A |
| Current version: | 1.12 |
| Last updated: | March 11, 2003 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Deletes all .udd and .bak files. Supports the plugin and udd directories. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | Code Ripper |
|---|---|
| Author: | Ziggy |
| Website: | N/A |
| Current version: | |
| Last updated: | April 19, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Rips selected code from the OllyDbg disassembler window and formats it according to MASM, C/C++ (inline assembler) or Delphi (inline assembler). Customizable, supports labels, comments, detailed help. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | CommandBar |
|---|---|
| Author: | Gigapede |
| Website: | N/A |
| Current version: | 3.20.110 |
| Last updated: | April 18, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | SoftICE-style commands in a small bar at the bottom of the OllyDbg window. Macro function support. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | Conditional Branch Logger |
|---|---|
| Author: | Blabberer / dELTA / Kayaker |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | June 13, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and for finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system DLLs before the entry point of the target is reached. Numerous options are available for fine-tuning the logging ranges and manipulating breakpoints. |
| Also listed in: | Code Coverage Tools, OllyDbg Extensions, Profiler Tools, Tracers |
| Tool name: | CoverIt |
|---|---|
| Author: | Ilfak Guilfanov |
| Website: | http://www.hexblog.com/2006/03/coverage_analyzer.html |
| Current version: | 1.0 |
| Last updated: | March 27, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | A code coverage plugin for IDA Pro. It colors all executed instructions directly inside the IDA GUI, including any collapsed functions containing executed instructions. |
| Also listed in: | IDA Extensions, Code Coverage Tools |
| Tool name: | Data Ripper |
|---|---|
| Author: | Ziggy |
| Website: | N/A |
| Current version: | 1.2 |
| Last updated: | January 28, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Rips any kind of data from an app being debugged with OllyDbg. The ripped data can be formatted and "declared" in the syntax of MASM, C/C++ and Delphi. Data Ripper is useful whenever you need to rip data, tables, etc. out of an app so the data can be used in another compiled program. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | DeJunk |
|---|---|
| Author: | flyfancy |
| Website: | N/A |
| Current version: | |
| Last updated: | October 16, 2003 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Finds and removes junk code inserted by packers; customizable. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | DebugPlugin |
|---|---|
| Author: | TBD |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | November 28, 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Loads OllyDbg and breaks on the plugin-load routine. For OllyDbg 1.08b ONLY. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | Desquirr - Decompiler Plugin for IDA Pro |
|---|---|
| Author: | David Eriksson |
| Website: | http://desquirr.sourceforge.net/desquirr/ |
| Current version: | 20070130 (desquirr-20070130-bin-ida_v5_0.zip) |
| Last updated: | November 13, 2003 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Desquirr is a decompiler plugin for IDA Pro. It currently consists of a little more than 5000 lines of C++ code, not counting empty lines or lines beginning with comments. Read the master's thesis at http://desquirr.sourceforge.net/desquirr/desquirr_master_thesis.pdf |
| Also listed in: | IDA Extensions, Decompilers |
| Tool name: | Exception Counter |
|---|---|
| Author: | ZeetreX |
| Website: | N/A |
| Current version: | 0.1 |
| Last updated: | August 25, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | A plugin to automate the process of unpacking with exceptions: it counts the number of exceptions raised before the app runs, then passes exceptions n-1 times on the next restart. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | ExtraCopy |
|---|---|
| Author: | Regon |
| Website: | N/A |
| Current version: | 0.9 |
| Last updated: | July 1, 2003 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Copies portions of code inside OllyDbg and to the clipboard. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | ExtraPass |
|---|---|
| Author: | Sirmabus |
| Website: | https://www.openrce.org/blog/view/839/An_%22extra_pass%22_for_IDA_Pro |
| Current version: | 2.1 |
| Last updated: | February 8, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | I made this little IDA plug-in to help working with some Win32 targets that don't disassemble so well, in particular EXEs that have a lot of C++ indirections and lots of embedded script stubs. It basically does a few more passes over an IDA code section. Prefers code over data. It can find a lot of missing code, functions, and alignment blocks. Works particularly well on large EXEs where there is a lot of disconnected code from heavy C++ OOP, script binds, etc. Intended for typical Win32, mainly Microsoft-compiled binaries. Won't work well (probably for the worse) with Delphi EXEs since those tend to have a lot of mixing of constant data in the ".text" section, but the align and missing function options might be of use still. My 2nd attempt at it; it's simple but it works well. IMHO it's working well now. Really can clean up discombobulated code. [Feb 8, 2007] 2.1: A lot of improvement! [Nov 26, 2007] 2.0: Now fixes align blocks and finds missing functions, plus has a UI. [Aug 28, 2007] New and improved. |
| Also listed in: | IDA Extensions |
| Tool name: | Firebug |
|---|---|
| Author: | Joe Hewitt |
| Website: | http://www.getfirebug.com |
| Current version: | 1.03 |
| Last updated: | April 4, 2007 |
| Direct D/L link: | http://www.getfirebug.com/releases/firebug1.0-current.xpi |
| License type: | Free / Open Source |
| Description: | Firebug integrates with Firefox to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. Probably the most advanced web/JavaScript debugger in existence. |
| Also listed in: | Javascript Debuggers, Firefox Extensions, Web Application Tools |
| Tool name: | FullDisasm |
|---|---|
| Author: | BeatriX |
| Website: | N/A |
| Current version: | 1.7 |
| Last updated: | October 25, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This plugin replaces the default OllyDbg disassembly routine with an engine which supports MMX, FPU, SSE, SSE2, SSE3, SSSE3, SSE4.1 and SSE4.2 instructions. Displays processor support for these technologies. Allows disassembling globally or only on selected lines in MASM, NASM or GoAsm syntax. Available as a plugin for OllyDbg or Immunity Debugger. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | GUID-Finder |
|---|---|
| Author: | Sirmabus |
| Website: | http://www.openrce.org/repositories/users/Sirmabus |
| Current version: | 1.0b |
| Last updated: | January 17, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | A GUID/UUID finding/fixing IDA plug-in. The COM side of RE'ing (at least with "dead listing") can be pretty elusive. With this you can at least partially glean what interfaces and classes a target is using. This plug-in scans the IDB for class and interface GUIDs and creates the matching structure with label. IDA can find these on its own, but it often misses them, so this can fill in the gap. Plus this plug-in allows you to easily add custom declarations, and is handy to do a general audit for such GUIDs. This is based on Frank Boldewin's IDA Python script that you can find here: http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames or off his home page: http://www.reconstructer.org/code/ClassAndInterfaceToNames.zip It's a great utility; I found myself using it regularly. But I wanted one that wasn't dependent on IDA Python, and one that might be a bit faster. I've made some enhancements too (see below). Some interesting reading: http://en.wikipedia.org/wiki/Globally_Unique_Identifier http://en.wikipedia.org/wiki/UUID [How to run it] Just invoke it using your selected IDA hot-key, or from "Edit->Plugins". Normally you will want to keep the "Skip code segments for speed" check box checked, because it can make a big difference in the run time. With it unchecked, code segments are also scanned. You'll want to scan the code too if the target is Delphi, or others where data tends to be in the code/.text segment, or if you just want to be more thorough. It might take some time to scan everything depending on the size of the IDB, your computer, etc. When it's done, you should see a list of interfaces and classes in the IDA log window. If you want to go look at a particular entry to RE (to look at xrefs, etc.) just click on the line and IDA will jump to it. [How it works] 1. Loads in GUID/UUID defs from the two text files "Interfaces.txt" and "Classes.txt". A little enhancement here over Frank's format: you can have blank lines and comments prefixed with '#' (first char, whole line only; not a very forgiving parser). In the source is "DumpLib", a utility I created to parse LIB files (like "uuid.lib") to gather more GUIDs. As of this build, it's a collection of Frank's original UUIDs plus all the ones to be found in the VS2005 libraries along with DirectX 9.1. There could be more explicitly created in header (.h/.hpp) files but I have yet to make a utility to parse them. If you want to add custom GUID defines (from 3rd party software, etc.), just edit these text files manually. 2. After it loads in the defs, the plug-in iterates through all segments in your currently open IDB. By default it will skip code/".text" segments, and import/export segments for speed. Usually you find GUIDs in the ".rdata" and ".data" segments. I originally intended to sort all the GUIDs by similarity and search with partial wild cards for speed. If you take a look at the GUID defs you will see that many GUIDs share common numbers that often differ only by the least significant digits ("Data4"). At least in theory, searching for groups with wild cards should make searching faster. Maybe next version. [Known problems/issues/limitations] 1. If a given GUID 16-byte def just so happens to match something that is not really a GUID, the plug-in will try to convert it to one regardless (another reason not to run it over code sections). So far I have not found this to be much of an issue, although it could be. Could add a confirm dialog for each to let the user decide. 2. Some GUID set operations will fail. This is usually because something is bad/wrong at the particular address, like a partial code def or incorrect xref. The plug-in will display most of these errors in the IDA log window for manual correction. 3. TODO: Other GUID types like "DIID", "LIBID", "CATID"; useful? |
| Also listed in: | COM Debugging Tools, IDA Extensions |
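The lookup the GUID-Finder entry describes (load a definitions file that allows blank lines and '#' comment lines, turn each GUID's text form into its 16-byte in-memory layout, then scan the data segments for those byte strings) can be reproduced outside IDA. The following is an added example written for this page, not code from the plug-in or from Frank Boldewin's script. The two-entry definition list, the segment contents and their base addresses are constructed; the scan accepts a match at any byte offset, which is exactly how an unrelated 16-byte run in a code segment becomes the false positive the author warns about.

```python
import re
import struct

GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)

# Constructed definition list in the plug-in's Interfaces.txt style:
# blank lines are allowed and a '#' in the first column comments out the line.
INTERFACES_TXT = """
# COM core interfaces (constructed sample list, not the plug-in's file)
{00000000-0000-0000-C000-000000000046} IID_IUnknown

{00020400-0000-0000-C000-000000000046} IID_IDispatch
"""


def guid_bytes(text):
    """Registry text form -> 16-byte in-memory GUID: Data1 as a little-endian
    dword, Data2 and Data3 as little-endian words, Data4 as eight raw bytes."""
    m = GUID_RE.match(text.strip())
    if not m:
        raise ValueError("not a GUID: %r" % text)
    d1, d2, d3, d4a, d4b = m.groups()
    return struct.pack("<IHH", int(d1, 16), int(d2, 16), int(d3, 16)) + bytes.fromhex(d4a + d4b)


def load_defs(text):
    """Parse '<guid> <name>' lines into {16-byte layout: name}."""
    defs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or whole-line comment
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("line %d: expected '<guid> <name>'" % lineno)
        defs[guid_bytes(parts[0])] = parts[1]
    return defs


def scan_segment(data, defs, base):
    """Return (address, name) for every position whose next 16 bytes equal a
    known GUID layout. Any byte offset is accepted, so data that merely happens
    to match is reported as well (the plug-in's known false-positive case)."""
    hits = []
    for off in range(len(data) - 15):
        name = defs.get(data[off:off + 16])
        if name is not None:
            hits.append((base + off, name))
    return hits


def scan_segments(segments, defs, skip_code=True):
    """segments: iterable of (name, base, is_code, data). skip_code mirrors the
    plug-in's default 'Skip code segments for speed' option."""
    hits = []
    for _name, base, is_code, data in segments:
        if skip_code and is_code:
            continue
        hits.extend(scan_segment(data, defs, base))
    return hits


DEFS = load_defs(INTERFACES_TXT)

# Constructed segments: IID_IDispatch at .rdata+0x10, IID_IUnknown at
# .rdata+0x30, and a copy of IID_IUnknown embedded in .text as immediate data.
RDATA = (b"\x00" * 0x10 + guid_bytes("{00020400-0000-0000-C000-000000000046}")
         + b"\x00" * 0x10 + guid_bytes("{00000000-0000-0000-C000-000000000046}")
         + b"\x00" * 0x10)
TEXT = b"\x55\x8B\xEC" + guid_bytes("{00000000-0000-0000-C000-000000000046}") + b"\xC3"
SEGMENTS = [(".text", 0x00401000, True, TEXT), (".rdata", 0x00402000, False, RDATA)]

if __name__ == "__main__":
    for addr, name in scan_segments(SEGMENTS, DEFS):
        print("%08X %s" % (addr, name))
```

Run with `skip_code=False` to see the extra hit inside `.text`; whether that hit is a real GUID or coincidental bytes is exactly what the plug-in cannot decide for you, which is why it suggests skipping code segments unless the target keeps data there (Delphi).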
| Tool name: | GoDup |
|---|---|
| Author: | godfather+ |
| Website: | N/A |
| Current version: | 1.2 |
| Last updated: | August 9, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | IDA signature loader, map loader, resource viewer and process info. Views dialogs, version info and Delphi/Borland C++ forms. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | Header Pack Script |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://ntcore.com |
| Current version: | 1.0.0.1 |
| Last updated: | |
| Direct D/L link: | http://ntcore.com/Files/richsign/HeaderPack.cff |
| License type: | Freeware/Open |
| Description: | This neat little script does the following: packs the DOS header + PE header + section headers; removes useless things like the Rich Signature; removes linker references inside the PE header; strips the debug information (if any) from the PE; if it's a .NET file, removes the Strong Name Signature; updates the checksum. The header produced by this script comes, as I said, without DOS stub: I don't think it will be missed in 2008. The most efficient way to use this script is to execute it automatically after every linking. The PE header could be packed even more (for example one could reduce the data directory entries), but this goes beyond what I wanted to do: I just wanted my executables to be garbage clean. |
| Also listed in: | CFF Explorer Extensions |
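Two of the steps the script lists, removing the Rich signature and updating the checksum, as an added Python example for this page (the script itself is a CFF Explorer script and this is not its code, nor code by its author). The Rich block is found from its trailing "Rich" marker and XOR key and walked back to the dword that decodes to "DanS"; the checksum follows the imagehlp algorithm (32-bit end-around-carry sum over the file as dwords, with the CheckSum field excluded, folded to 16 bits, plus the file length). The PE image is constructed inside the code and is not loadable; its DOS stub bytes, XOR key and compid entry are made up.

```python
import struct

DANS = 0x536E6144       # "DanS" read as a little-endian dword: first dword of a Rich header
CHECKSUM_FIELD = 0x40   # offset of CheckSum inside the optional header (PE32 and PE32+)


def build_sample_pe():
    """Constructed, non-loadable image: DOS header, fake stub, fake Rich header
    (made-up XOR key and compid), PE signature, COFF header, PE32 optional
    header with a stale CheckSum, one section header and a little body."""
    e_lfanew = 0x80
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"\xCC" * 0x10
    key = 0x1234ABCD
    rich = struct.pack("<IIII", DANS ^ key, key, key, key)   # "DanS" + 3 padding dwords
    rich += struct.pack("<II", 0x00930F3E ^ key, 5 ^ key)   # one (compid, use count) entry
    rich += b"Rich" + struct.pack("<I", key)
    pad = b"\x00" * (e_lfanew - len(dos) - len(stub) - len(rich))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_FIELD, 0xDEADBEEF)  # stale checksum
    section = bytearray(40)
    section[0:5] = b".text"
    body = b"\x90" * 0x30 + b"\xC3" + b"\x00" * 0x0F
    return bytes(dos) + stub + rich + pad + b"PE\0\0" + coff + bytes(opt) + bytes(section) + body


def e_lfanew_of(pe):
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    return struct.unpack_from("<I", pe, 0x3C)[0]


def find_rich_header(pe):
    """(start, end) of the Rich header between the DOS header and the PE
    signature, or None. The block ends with 'Rich' + key; its first dword
    XORed with the key reads 'DanS'."""
    lfanew = e_lfanew_of(pe)
    rich = pe.find(b"Rich", 0x40, lfanew)
    if rich < 0 or rich + 8 > lfanew:
        return None
    key = struct.unpack_from("<I", pe, rich + 4)[0]
    off = rich - 4
    while off >= 0x40:
        if struct.unpack_from("<I", pe, off)[0] ^ key == DANS:
            return off, rich + 8
        off -= 4
    return None


def strip_rich_header(pe):
    """Overwrite the Rich block with zeros; sizes and e_lfanew stay valid."""
    span = find_rich_header(pe)
    if span is None:
        return pe
    start, end = span
    return pe[:start] + b"\x00" * (end - start) + pe[end:]


def checksum_offset(pe):
    return e_lfanew_of(pe) + 4 + 20 + CHECKSUM_FIELD


def pe_checksum(data, skip):
    """imagehlp-style checksum: end-around-carry sum of the file as little-
    endian dwords (zero-padded), skipping the dword at 'skip', folded to
    16 bits, plus the unpadded file length."""
    if skip % 4:
        raise ValueError("CheckSum field is expected to be dword aligned")
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def read_checksum(pe):
    return struct.unpack_from("<I", pe, checksum_offset(pe))[0]


def update_checksum(pe):
    out = bytearray(pe)
    struct.pack_into("<I", out, checksum_offset(pe), pe_checksum(pe, checksum_offset(pe)))
    return bytes(out)


def verify_checksum(pe):
    return read_checksum(pe) == pe_checksum(pe, checksum_offset(pe))


if __name__ == "__main__":
    cleaned = update_checksum(strip_rich_header(build_sample_pe()))
    print("rich header:", find_rich_header(cleaned), "checksum ok:", verify_checksum(cleaned))
```

Zeroing rather than cutting the block is the conservative choice: the script on this page also repacks the headers, which moves e_lfanew and every header offset, and that is the part worth doing only after each linking step as the author suggests.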
| Tool name: | Hex-Rays |
|---|---|
| Author: | Hex-Rays sprl (Ilfak Guilfanov) |
| Website: | http://www.hex-rays.com |
| Current version: | 1.0 |
| Last updated: | September 17, 2007 |
| Direct D/L link: | N/A |
| License type: | Commercial (IDA Pro plugin) |
| Description: | Hex-Rays is created by Ilfak Guilfanov, the author of IDA Pro. It is a commercial IDA Pro plugin and aims to be the best decompiler ever created. |
| Also listed in: | Decompilers, IDA Extensions |
| Tool name: | Hide Caption |
|---|---|
| Author: | Gigapede |
| Website: | N/A |
| Current version: | 1.00 |
| Last updated: | November 21, 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Hides the MDI window captions to get more screen space. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | Hide Debugger |
|---|---|
| Author: | Asterix |
| Website: | N/A |
| Current version: | 1.24 |
| Last updated: | April 19, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This plugin hides OllyDbg from many debugger detection tricks. |
| Also listed in: | OllyDbg Extensions |
| Tool name: | IDA 2 PAT |
| ||
|---|---|---|---|---|
| Author: | J.C. Roberts | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | ||||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | For the most part, this plugin is an exercise in futility. There are very few valid reasons why anyone should ever want to build signatures of the functions in an existing disassembly. There are better reasons, methods and tools for creating signatures for use with IDA. Most importantly, the right way to create signatures is from object files, object libraries or dynamically linked libraries, so please realize this plugin is nothing more than a kludge since we are asking FLAIR to do something it was not designed to do.
Option: Create Patterns for Non-Auto Named Functions. If you find the rare situation where you want to make patterns from functions in an existing database, this option is probably your best bet. It will only create patterns for functions without auto-generated names and it will exclude functions marked as libraries (e.g. they were already found and named through other FLAIR signatures). You may want to remove named functions like _main and WinMain from the resulting pattern file, since these will already exist in the disassembly where it's applied.
Option: Create Patterns for Library Functions Only. I did include the ability to build patterns for functions IDA has already marked as libraries. This is for people doing source code recovery/recreation, since the pattern file can be further parsed to figure out which header files are needed. There are probably better ways to go about this as well, but until I have time to write a specific plugin for figuring out which headers are included, this can give you a step in the right direction. Outside of gathering information on applied library signatures, this feature is pointless since you're building patterns for functions that were previously found with other signatures you already have.
Option: Create Patterns for Public Functions Only. This could be useful when dealing with a situation where functions were once stored in a DLL and are now statically linked in an executable. It may still be a better bet to build a signature from the DLL and then apply it to the statically linked executable.
Option: Create Patterns For Everything. You generally do NOT want to build patterns for every function in the disassembly. The only place where I can see a legitimate use for creating signatures of every function in the database is if your goal is to see how similar two executables are. Instead of using a hex editor and doing a re-synchronizing binary compare between the two executables, you could use IDA signatures to get a different/better way to visualize the similarities. There are a lot of problems with trying to do this. The first and most obvious problem is reserved name prefixes (e.g. sub_) on auto-generated function names. Another cascading problem is of course references to these names within other functions and whether or not to keep these references in the patterns in order to cut down the number of collisions. There are plenty of other problems with this approach that I won't mention, but there are quite a few of them. I've hacked together a simple work-around. When the user has selected everything mode, the plugin will prepend the auto-generated function names with FAKE_ and references to these subroutines are kept to reduce collisions. This should (in theory) work, since every reference will also have its own public pattern in the resulting file. In other words, the named references will resolve to another (public) function pattern in the file. The problem with this approach is of course having erroneous address numbers in names of functions where the signature is applied (e.g. the name FAKE_sub_DEADBEEF could be applied to any address where a matching function is found). My guess why this will work is because a module in a library may have a by-name reference to another object in the library. The pattern file of a library would keep the references, since the names are defined in other pattern lines of the file. Of course I could be wrong, but it's worth a shot. If need be, comment out the "sub_" tests in part #7 (references) of make_pattern() to get rid of the refs.
Option: Create Pattern For User Selected Function. This allows the user to select a function from the list and create a pattern for it. It does not work on functions with auto-generated names but probably could with a bit more work.
LIMITATIONS:
* References and tail bytes are only used by sigmake to resolve collisions. Auto-generated names with reserved prefixes "loc_", "byte_", "dword_" are not going to be repeatable in the binary where you would apply the resulting signature. If those references were kept and used to resolve a collision, you'd end up with a useless signature that would not be applied, because those names do not exist in the executable where the resulting signature is being applied.
* Reference offsets that are greater than 0x8000 bytes from the function start may make this plugin explode or, more likely, just make unusable patterns.
* All references are assumed to be 4 bytes long. This will cause some problems for situations (e.g. processors) where this is not true.
TODO:
* Error checking for reference offsets > 0x8000.
* Change reference length from being fixed at 4 bytes.
* Create "append" versus "overwrite" dialog.
* Deal with the user choosing a function with an auto-generated name in the "Single Function" mode.
DEVELOPMENT: I did this in MSVC++ v6. There are two projects in the workspace. One is for the plugin and the other for IDAG.EXE, so we can debug the plugin once IDA loads it, e.g. start the plugin and break at the choose-file dialog. In the list of modules, you'll find "run()" and other functions from the plugin. Depending on where you install IDA, you'll need to adjust where the plugin is written. I've got output set to "C:\IDA\PLUGINS\IDB2PAT.plw". The same is true for the location of the SDK and such. When it's set to build the debug version, there will be a lot of warnings due to info truncation of debug symbols. It's not a big deal. | |||
| Also listed in: | IDA Extensions | |||