Results 1 to 9 of 9

Thread: IDA PRO Disassembly Window Manipulation

  1. #1

    IDA PRO Disassembly Window Manipulation

    Hello,

    Too long in this business. Gotten used to seeing and doing things my way.

    Most importantly, seeing code in ALL-CAPS. And with double spaced lines. Most of the time, that is.

    I'm trying to write a plugin for IDA (anywhere 6.1 or upwards), that will automatically convert all lines in the disassembly in CAPITALS. And, double space the lines.

    So, instead of:
    ------------
    .text:0100739D push 70h
    .text:0100739F push offset stru_1001898
    .text:010073A4 call __SEH_prolog
    .text:010073A9 xor ebx, ebx
    -------snip


    You get:
    ------------
    .TEXT:0100739D PUSH 70H

    .TEXT:0100739F PUSH OFFSET STRU_1001898

    .TEXT:010073A4 CALL __SEH_PROLOG

    .TEXT:010073A9 XOR EBX, EBX
    -----snip

    I don't mind wading though tons of documentation. But any kind soul willing to give me a pointer where exactly to begin? (No, not begin how to use the SDK, I mean, where to begin when you want to manipulate the display in the UI? And that too in the default disassembly window?). The IDA SDK documentation is not exactly...of a sterling quality.

    And it's not something I can ask Ilfak or the hex-rays board (you know how it is).

    Any suggestions please?

    And I really don't mind doing this in IDAPython too, if you think that's going to be better and a more elegant solution.

    Have Phun
    Blame Microsoft, get l337 !!

  2. #2

    Convert to upper case

    I found this. It's from PBrennick.

    Hope it helps.

    Code:
      mov edx, OFFSET String3      ; Point to the string
    A0: mov al, byte ptr [edx]       ; Get a character or next character
        cmp al, 0                    ; End of string?
        je Display_String            ; Go show it if yes
        cmp al, 'A'                  ; Check for lower boundary
        jb A1                        ; Jump if not a letter
        cmp al, 'Z'                  ; Uppercase?
        ja A3                        ; Go check for lower, if no
        or al, 20h                   ; Convert to lowercase
        mov byte ptr [edx], al       ; Store it
    A3: cmp al, 'w'                  ; Compare character for upper bounds, first check
        jg A2                        ; Jump if possible upper bounds error
        cmp al, 'a'                  ; Check for lowercase
        jb A1                        ; Jump if not a letter
        add al, 3                    ; Otherwise add 3 to al
        mov byte ptr [edx], al       ; Store it
        jmp A1                       ; Done with this character
    A2: cmp al, 'z'                  ; Compare character for upper bounds, second check
        ja, A1                       ; Jump if not a letter
        sub al, 23                   ; Otherwise do a wraparound
        mov byte ptr [edx], al       ; Store it
    A1: inc edx                      ; Point to next character
        jmp A0                       ; Go get it
    Display_String:                  ;

  3. #3
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,048
    Blog Entries
    5
    My first thought was to use a monospaced SMALL-CAPS font, but that wouldn't get you your empty lines and might look crappy and I couldn't find one to try anyway.

    I'd take a look at MakeLine() and MakeNull() in lines.hpp, and their use in any out.cpp file in the sdk/module directory. Not sure if that quite fits the bill but probably a place to start.

  4. #4
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    For capitalizing the mnemonics, you can patch \procs\pc.w32 - overwrite the lowercase mnemonics with their uppercase versions.

  5. #5
    Quote Originally Posted by disavowed View Post
    For capitalizing the mnemonics, you can patch \procs\pc.w32 - overwrite the lowercase mnemonics with their uppercase versions.
    Ugh!

    But that *does* seem like a good idea ATM.

    Strange that you can build instrumentation inside IDA using the SDK and Python, but can't do something as easy as this...

    Thanks Disa.

    Have Phun
    Blame Microsoft, get l337 !!

  6. #6
    Quote Originally Posted by Kayaker View Post
    My first thought was to use a monospaced SMALL-CAPS font, but that wouldn't get you your empty lines and might look crappy and I couldn't find one to try anyway.

    I'd take a look at MakeLine() and MakeNull() in lines.hpp, and their use in any out.cpp file in the sdk/module directory. Not sure if that quite fits the bill but probably a place to start.
    Yup. lines.hpp is definitely the way to go. Now, where the heck did I put that copy of Borland C++ .....


    Thanks K.

    Have Phun
    Blame Microsoft, get l337 !!

  7. #7
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,048
    Blog Entries
    5
    I was playing with this to gain some experience in plugin writing. I've been able to produce capitalized disassembly text, but not as a direct replacement for the original. Producing CAPS is straightforward enough and can be placed in several different notification callbacks, but that's where it gets tricky.

    I haven't been able to find, or if it's even possible, to directly manipulate the default disassembly text from one of the many notification callbacks without maybe instead using a custom processor module. I'm starting to think Disa's solution might be the most practical way to get the capitalization.

    A few notes from spelunking the header files, for general interest. Information about an instruction is kept in the insn_t structure defined in ua.hpp. It's fields can be accessed from the "cmd" variable, for example:

    msg("address:%a, opcode text:%s \n", cmd.ea, cmd.get_canon_mnem());

    cmd.get_canon_mnem() is a pointer to a function which retrieves the opcode text (i.e. "mov", not "MOV") from the .rdata section of pc.w32 processor module that disavowed pointed to. So that field in the insn_t/cmd structure cannot be directly modified.

    There are several notification callbacks one can use (enum hook_type_t in loader.hpp), each with dozens of events which can be hooked. The most practical here are probably from the processor module (HT_IDP - idp_notify events defined in idp.hpp) or the user interface (HT_UI - ui_notification_t events defined in kernwin.hpp).

    There are examples of using these notification callbacks in the SDK directory, or like the simple one here:
    http://www.hexblog.com/?p=54

    Also this is useful for plugin writing in general:
    http://www.binarypool.com/idapluginwriting/


    As for producing capitalized text, I just took the default void idaapi out(void) function found in most of the /module/out.cpp files and added a simple conversion before the final MakeLine() call:

    Code:
    ...
        // added code -----------------------------------------------------
    
        for(int i = 0; i < sizeof buf; i++)
        {
            buf[i] = toupper(buf[i]);
        }
        
        // end added code -------------------------------------------------    
        
        MakeLine(buf);                        // pass the generated line to the kernel
    }
    This was inserted into several different HT_IDP and HT_UI notification event callbacks and did produce the extra capitalized disassembly text, but as I said I couldn't find a way to have it *replace* the original. Also, it's a pretty crude brute force capitalization, text such as API names are also converted, so it would need to be made selective.

    Some of the idp_notify events such as custom_out, custom_mnem and others seems like they might be likely candidates, IF you can convince the kernel not to display its default disassembled instruction and use yours instead, but I still can't figure out if that's possible.

    It's been fun though, thanks for the ride

  8. #8
    Thanks Kayaker, I'm trying to get this done too...

    Somewhere it implies that the entire text of the disassembly has to be manipulated and redrawn.

    I think the only way to see this happen consistently is for Ilfak to put this as an option in IDA.

    I recall asking this in the IDA Forums, way before Ilfak and Pierre separated (back then it was Data rescue, and being a member of the board didn't require you to have a license) and Pierre gave me a page long description of how difficult it is. With his usual rambling of how IDA Sales are getting affected. This was IDA 3.92 I think...

    Well, let's hope Ilfak frequents these boards and sees this post.



    Have Phun
    Blame Microsoft, get l337 !!

  9. #9
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    I don't think hooking represents the best choice this time because when the installed callback (i.e. HT_IDP and HT_UI) starts to catch events the deadlist is already on the screen... everything should be done when the file is fully loaded.
    So, it seems like there are two ways and Kayaker described a possible way. Besides that I think you can try directly with the ui specific kernel services, there's a specific section inside kernwin.hpp. Take a look at it giving an eye to the "Custom viewer sample plugin" provided by Ilfak.
    A mind is like a parachute. It doesnt work if it's not open.

Similar Threads

  1. Static Disassembly - Best way forward
    By live_dont_exist in forum The Newbie Forum
    Replies: 20
    Last Post: March 30th, 2012, 00:10
  2. MIPS Decoding and Disassembly
    By peterg70 in forum Advanced Reversing and Programming
    Replies: 4
    Last Post: July 14th, 2007, 20:28
  3. Calc.exe Disassembly
    By 414B in forum OllyDbg Support Forums
    Replies: 7
    Last Post: May 14th, 2007, 16:42
  4. Art Of Disassembly
    By CuTedEvil in forum Advanced Reversing and Programming
    Replies: 20
    Last Post: November 26th, 2003, 14:59
  5. Manipulation of folder's content.
    By Bratsch in forum Advanced Reversing and Programming
    Replies: 3
    Last Post: December 29th, 2000, 16:14

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •