
Thread: "Function String Associate" IDA Plug-in

  1. #1

    "Function String Associate" IDA Plug-in

    "Function String Associate" IDA Plug-in:

    I thought of this idea the other day based on the observation of "assert()", development, debug text strings, etc., that software developers often leave in programs I want to reverse.
    As I'm sure others do, I look at these comments to help me determine what a particular function is for (x86 binary targets that is).
    I thought, wouldn't it be nice to somehow data mine this stuff and automatically put some of it in as a function comment?

    Based on this, what this plug-in does is iterate through every function in IDA and auto-comments every function that has these strings (unless it already has a comment). It applies a little logic to it, to try to put the most relevant strings first.

    Sort of a proof of concept thing. It's hard to say how useful it is yet.
    So far it does seem to help as I browse around a DB. I'm putting together things a bit faster because of it.

    Of course it only works as well as your target uses such messages mixed in its code.
    So far on programs I've used it on, the plug-in finds such strings in about 15% of all functions.

    With source. If you expand on the idea, add helpful modifications, etc., share it here please.
    Last edited by Sirmabus; May 13th, 2008 at 03:31.

  2. #2
    dELTA (Administrator)
    Nice idea Sirmabus.

    CRCETL:
    http://www.woodmann.com/collaborative/tools/index.php/Function_String_Associate

    One idea:
    I think it would be really helpful for navigation to be able to display the strings also for the function called by the function in question, to a configurable depth, and presented indented in a tree-like fashion.

    Example:
    Function A calls function B and C.
    Function B also calls function D.

    The comment on function A (if call depth is configured to 2) would then look like:

    Code:
    "This is string found in function A"
    "This is another string found in function A"
        "This is string found in function B"
        "This is another string found in function B"
            "This is string found in function D"
            "This is another string found in function D"
        "This is string found in function C"
        "This is another string found in function C"
    This would make it much easier to navigate unknown code that is spread out over a few call depths, where a more-than-one-level-deep call would otherwise obscure anything below it, see what I mean?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
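The string-to-comment pass from post #1 and the configurable call-depth tree from post #2, as an added standalone Python model. This is not the plug-in's own source and not part of the thread; the function table, string references and call graph are constructed sample data standing in for what IDAPython's idautils.Functions(), idautils.Strings() with idautils.XrefsTo() and the code xrefs would supply, and the relevance ranking is an assumption, since the post does not say how the plug-in orders strings. The cycle guard and the pre-existing-comment check are the two edge cases worth seeing handled before wiring this into a real DB.

```python
"""Added example: a standalone model of the string -> function-comment idea.

FUNC_STRINGS and CALLS are constructed sample data; in IDAPython they would
come from idautils.Functions(), idautils.Strings() with idautils.XrefsTo(),
and the call graph from code xrefs. Nothing here imports IDA, so it runs anywhere.
"""

# Constructed: function -> (string address, text) pairs its code references.
FUNC_STRINGS = {
    "A": [(0x40A000, "config.c:412: assertion `cfg != NULL' failed"),
          (0x40A040, "loading config from %s")],
    "B": [(0x40A080, "parse error at line %d")],
    "C": [(0x40A0C0, "opening socket on port %d")],
    "D": [(0x40A100, "token: %s")],
    "E": [],                                   # no strings -> no auto comment
}

# Constructed: caller -> direct callees. Indirect calls (vtables, function
# pointers) are invisible here, which is the limitation post #3 points out.
CALLS = {
    "A": ["B", "C"],
    "B": ["D"],
    "C": ["A"],                                # back-edge: A -> C -> A
    "D": [],
    "E": ["A"],
}


def rank_strings(strs):
    """Put the strings most likely to name the function first.

    Assumed heuristic (the thread does not describe the plug-in's own logic):
    assert-style messages carrying a source file reference outrank everything,
    then longer messages outrank shorter ones, capped so huge blobs don't win."""
    def score(item):
        text = item[1]
        s = 100 if ("assert" in text.lower() or ".c:" in text or ".cpp:" in text) else 0
        return -(s + min(len(text), 60))
    return sorted(strs, key=score)


def tree_comment(func, depth=0, indent="    "):
    """Comment lines for `func`: its own strings, then each callee's strings
    indented one level per call, down to `depth` levels (depth=0 gives the
    flat comment from post #1; depth=2 reproduces dELTA's example)."""
    lines = []

    def walk(f, level, path):
        for _, text in rank_strings(FUNC_STRINGS.get(f, [])):
            lines.append(indent * level + '"%s"' % text)
        if level >= depth:
            return
        for callee in CALLS.get(f, []):
            if callee in path:                 # cut cycles; shared callees still
                continue                       # appear under each distinct parent
            walk(callee, level + 1, path | {callee})

    walk(func, 0, {func})
    return lines


def associate_all(depth=0, existing=None):
    """The plug-in's main loop: every function that references strings gets a
    repeatable comment unless it already has one. Returns func -> comment;
    under IDA each entry would go to idc.set_func_cmt(ea, cmt, True)."""
    comments = dict(existing or {})
    for f in FUNC_STRINGS:
        if f in comments:
            continue
        lines = tree_comment(f, depth)
        if lines:
            comments[f] = "\n".join(lines)
    return comments


def coverage(comments):
    """Share of functions carrying a comment, to compare with the ~15% figure."""
    return sum(1 for f in FUNC_STRINGS if f in comments) / len(FUNC_STRINGS)


if __name__ == "__main__":
    print("\n".join(tree_comment("A", depth=2)))
    cmts = associate_all(existing={"D": "manually named by analyst"})
    print("coverage: %.0f%%" % (100 * coverage(cmts)))
```

The `path` set holds only the ancestors of the current node, so a callee reached from two different parents is listed under both (as dELTA's layout wants) while a recursive or mutually recursive call chain terminates instead of looping; the depth cap also bounds the processing cost that post #3 worries about.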

  3. #3
    That would certainly complicate things more, and probably take a hell of a lot of processing :-P
    Also, many true function hierarchies might not be known until run time analysis due to indirections via vtables, etc.

    At least these comments are set as repeatable. So as you browse around in IDA you can see the comments nested inside of other functions.

  4. #4
    dELTA (Administrator)
    Yes, but remember, the more processing the computer has to do, the less you have to do yourself...

  5. #5
    abuse007 (Guest)

    Can Graph Functions be used instead?

    Hi Delta,

    I haven't used Sirmabus' "Function String Associate" IDA Plug-in yet, but if I understand your enhancement suggestion, I think you can get that information from IDA's Graph Functions. If the assert strings are in the function comment, when you graph the functions, with show comments enabled, that should give you a graph (which can be restricted in depth from/to the current function) that shows the comments.

    Does this give you the functionality you suggested?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    dELTA (Administrator)
    Ok, cool, that should provide a good overview of similar kinds, yes (depending on how the comments are displayed in this case).
