hexrays_tools by Milan Bohacek, Charles University in Prague
This plugin adds many new functions to the decompiler and IDA:
- interactive structure reconstruction using pointer variable accesses across multiple functions
- finding a structure that matches a given pattern of accesses to a pointer variable
- function prototype helpers: remove return type, remove argument, convert to __usercall
- quick propagation of a type from one side of an assignment to the other, or from a function call to the function pointer
- handling of C++ classes and virtual function tables, with support for navigating to virtual functions from the decompiler
- structure editor improvements
- showing a tree of related structures in a graph
- and several more minor features
Evaluation: This plugin is extremely useful when dealing with complex, object-oriented code. Structure reconstruction and C++ support are the main highlights, and even the smaller features help with many repetitive tasks.
Original:
hexrays_tools by Milan Bohacek, Charles University in Prague
This plugin adds dozens of new functions to the decompiler and IDA:
- interactive structure reconstruction using pointer variable accesses across multiple functions
- finding a structure which matches a given pattern of accesses to a pointer variable
- function prototype helpers: remove return type, remove argument, convert to __usercall
- quick propagation of type from one side of assignment to another, or from a function call to the function pointer
- handle C++ classes and virtual function tables, with support for navigation to virtual functions from the decompiler
- structure editor improvements
- show a tree of related structures in a graph
- and several more minor features
Our comments: Milan's plugin is invaluable when dealing with complex, object-oriented code. While structure reconstruction and C++ support are the main highlights, even the smaller features help with many repetitive tasks which are common when dealing with big code bases. It's a clear winner of this year's submissions.
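To make the first two hexrays_tools features concrete, here is an added example (not the plugin's code, and independent of IDA) that merges pointer accesses observed in several functions into one C struct layout and checks whether that access pattern fits a known structure; the access list, function names and 32-bit type mapping are constructed for illustration.

```python
# Constructed sample input: accesses through the same pointer variable, collected
# from three functions. Each entry is (function, byte offset, size, access kind).
ACCESSES = [
    ("init_conn", 0, 4, "dword"),
    ("init_conn", 4, 4, "ptr"),
    ("send_pkt", 4, 4, "ptr"),
    ("send_pkt", 8, 2, "word"),
    ("close_conn", 0, 4, "dword"),
    ("close_conn", 12, 4, "dword"),
]

# (access kind, size) -> C type used when emitting the struct; 32-bit target assumed.
CTYPE = {("dword", 4): "uint32_t", ("word", 2): "uint16_t",
         ("byte", 1): "uint8_t", ("ptr", 4): "void *"}


def merge_accesses(accesses):
    """Merge accesses from all functions into one layout: offset -> (size, kind, first function).
    The same offset with a different size/kind, or overlapping fields, is a conflict:
    the accesses do not describe one consistent structure."""
    layout = {}
    for func, off, size, kind in accesses:
        prev = layout.get(off)
        if prev is None:
            layout[off] = (size, kind, func)
        elif prev[:2] != (size, kind):
            raise ValueError(f"conflicting access at offset {off}: {prev[:2]} vs {(size, kind)} in {func}")
    ordered = dict(sorted(layout.items()))
    end = 0
    for off, (size, _, func) in ordered.items():
        if off < end:
            raise ValueError(f"field at offset {off} ({func}) overlaps the previous field")
        end = off + size
    return ordered


def render_struct(name, layout):
    """Emit C struct text; bytes never accessed become explicit gap arrays."""
    lines, cursor = [f"struct {name} {{"], 0
    for off, (size, kind, func) in layout.items():
        if off > cursor:
            lines.append(f"    uint8_t gap_{cursor:x}[{off - cursor}];")
        lines.append(f"    {CTYPE[(kind, size)]} field_{off:x};  // first seen in {func}")
        cursor = off + size
    lines.append("};")
    return "\n".join(lines)


def matches(layout, candidate):
    """True if every observed access lands on a field of the same size and kind in a
    known structure given as offset -> (size, kind); the candidate may have more fields."""
    return all(candidate.get(off) == (size, kind) for off, (size, kind, _) in layout.items())
```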
This IDAPython script uses IDA's debugging API to record a program's function calls together with their arguments (before and after).
This is very useful when dealing with packed software that uses helper functions to decrypt its strings, or with programs that make many indirect calls.
Evaluation: The plugin is well documented and offers some extra features. Augmenting static disassembly with information from dynamic execution can speed up the analysis of an unknown binary, so it will likely provide very useful information to many analysts!
Original:
funcap by Andrzej Dereszowski
This IDAPython script uses IDA's debugging API to record function calls in a program together with their arguments (before and after).
This is very useful when dealing with malware which uses helper functions to decrypt their strings, or programs which make many indirect calls.
Our comments: The plugin is well-documented and offers several extra features (such as the call graph). Augmenting static disassembly with info from dynamic execution can speed up investigation of an unknown binary, so it will likely be very useful for many analysts!
Original:
CrowdDetox by Jason Geffner
CrowdDetox is another decompiler plugin. It tries to solve the problem which can happen when dealing with obfuscated binaries: removal of junk code (useless code).
Our comments:
While the decompiler already does some dead code removal, it opts for a pessimistic approach and doesn't remove code unless it can prove its results are not used. Jason's plugin is useful in situations where you can make more assumptions and be more aggressive in code removal.
We thank Jason for contacting us before the contest and implementing our feedback (e.g. making the plugin optional and not always-on). The code is very well commented and has a supporting whitepaper which explains the approach used.