From Collaborative RCE Tool Library

Code Snippet Creator

Tool name: Code Snippet Creator
Rating: 0.0 (0 votes)
Author: servil
Current version: 0.989 beta
Last updated: 2008
Direct D/L link: Locally archived copy
License type: Freeware
Description:
code snippet creator plugin for ida pro by servil
version 0.989 beta (Feb 2008)
supported ida versions: 4.9 and above till API change
(tested on 5.2 without backward compatibility enforcement)

basic ida plugin to automate migration of one or more functions from a host
program to a custom assembly project (primarily masm targeted). some effort was
put into being generic and able to process any processor and format based on
the function model using basic assembler data types (byte, word, dword...).
however, it is focused on and only properly tested with 32-bit borland and msvc
code and is expected to give the best results for these compilers (generally,
the more distant the actual format is from pe-32, the less functionality you
may expect). all runtime features are available only for pe-32 formats.

major features:

* static code and data flowgraph traversal
* static data formatting and bounds determining
* code and data integrity care
* integrated runtime evaluated addressing resolver (orig. executable required)
* integrated process data dumping with emulation of accessed virtual data and
stack variables (orig. executable required)
* iat address translation for dynamic runtimes build (pe-32 only)
* lexical compatibility adjustments, name conflicts resolving and basic
output garbage cleanup
* final flowgraph (kernel version 5.1 and newer)

the plugin is designed to cover all possible address ranges the root
function(s) can actually access. the plugin is not a click-and-go solution; the
only benefit csc gives is a reduction of boring uphill work - in most cases the
output will need manual adjustments to pass the compiler. the plugin always
builds a report list highlighting warnings, problems, unsure places, etc.; in
addition, doubtful lines are also commented in the source code.
code traversal is based on x-refs, not raw operand values, so the mutual
linkage of related ranges can be flexibly adjusted by user offsets or the
x-refs manager (see below).

the plugin has 4 components:

1. code ripper itself
   this is the main component: basic (optionally) recursive deadcode traversal
   and creation of the output source file. additional options and adjustments
   are available from the startup dialog. most are obvious enough; the two
   run-time features are explained here:
   * the runtime evaluated addressing resolver is useful for discovering
     indirect or runtime-evaluated jump/call targets (eg. call dword ptr
     [edx+08h], jmp eax, etc.): while the targets are naturally evaluated and
     reached at run-time in the host application, they are invisible from
     deadcode at export time, thus, as expected, they would not even be
     exported. the resolver takes care of tracing the real targets and
     including them in the output - recommended for images written in an OOP
     language.
   * the process data dumper recognizes offsets to the image range and to a
     known heap block. currently these dynamic block types are recognized: msvc
     malloc, delphi/cbuilder getmem, bcc malloc, gnu gcc malloc, virtualalloc,
     stack variables. relaxing the rules for offset recognition may rapidly
     increase the amount of false offsets. the runtime engines can process both
     standalone executables and dlls under certain conditions (a loader
     directly executable by createprocess is present, loads the dll at some
     time and executes the desired code there).
2. indirect flow resolver from external debugger (deprecated)
3. flirt names matching (a helper for code ripper)
   comparing libnames recognized by flirt to real library names is helpful to
   prevent later linking problems (unmatched names get the library flag
   removed). works in conjunction with the code ripper's 'include library
   functions' option turned off.
4. xrefs manager (plugin call parameter 3)
   view/create/remove user links between any two places of the disassembly. two
   samples of usage: for the code ripper to cover code or data ranges not
   referred to from any of the collected static areas, or to change the anchor
   point of non-head memory operands (o_mem).