The highlighter
Today I'll present you a pretty small yet useful plugin.
If you have ever tried to trace obfuscated code in the debugger, you already know that it is quite difficult to follow. The code modifies itself, performs complex computations, and repeats itself, so that after a while you are lost and do not even remember whether the current instruction is something you saw before or a completely new thing. You could rename locations and add comments to make the code more recognizable, but this is an ungrateful and tedious task which distracts you from the main goal of following the logic of the application. Imagine finding a name for the 30th loop of the 23rd meaningless function!
It is much better in these cases to relax and let the application execute without trying to understand it. Quite often all this obfuscated code ends up doing something trivial. If you let the code execute to the end of a function or a logical chunk, the result becomes apparent by itself and you can move on by giving the function a nice name. The function is still obfuscated, but you do not care at all since you know its purpose and the outcome.
If you decide to let the code do its job without trying to understand how it is done, your task is much simpler. You just need to follow the execution flow till its end. No need to care about the register values, the meaning of loops, if-then-else or other constructs. Very simple trick: single-step the function until we return from it or jump out of it.
This simple trick is easier to state than to do, since the obfuscated code will not have precise function boundaries. More than that, there may be many useless jumps or repeated code whose only purpose is to confuse you.
The highlighter plugin solves this very problem: it makes visible the code which has already been single-stepped in the debugger. Here is how the disassembly listing looks with the plugin:

The little blue boxes denote instructions which have already been executed.
Since the plugin is very simple and light, it has no configuration parameters - just copy it to the plugins subdirectory and it is ready to use. As usual, it comes with the source code: highlighter.zip.
Happy code exploration!

Comments
Thanks Ilfak,
With each blog I learn more and more that I never knew I didn't know. ;-)
Most useful.
Posted by: Sentinel | November 27, 2005 01:08 AM
Thank you for kind words! :)
Posted by: ilfak | November 27, 2005 01:26 AM
Oh it is just another of those
weird coincidences. Some days ago I had the same idea, not only to work with obfuscation: change the color of already visited code. I was thinking about it and I wanted to write a plugin, but I planned to change the background color. Is it possible? Ah, and I have an idea about how to select colors... but I won't tell you, I will try to implement it :)
ah and can the color in the graphs be changed?
see you, nice blog!
Posted by: juano | November 27, 2005 04:19 PM
Alas, in the current version of IDA Pro the debugger colors override the item colors, so the modified background colors will not be visible.
Posted by: ilfak | November 27, 2005 10:18 PM
juano: Have you seen Process Stalker?:
http://www.openrce.org/downloads/details/171/Process%20Stalker
It will do exactly what you want with the graph background coloring. The work is based off of an IDA plug-in but does not use the IDA debugger (yet ;-) )
-pedram
Posted by: Pedram Amini | November 28, 2005 03:07 AM
Yes, I have seen Process Stalker, but my idea is to change the color depending on how many times or how much time you have traced the same line/function. Is it possible to disable the debugger colors override? And is it possible to change the color of the call to a colored function?
thanks :)
Posted by: juano | November 28, 2005 06:01 AM
Juano: take a look at the ps_view_recording_stats process stalker script. You could use that script as the basis for creating the kind of visualization you are looking for. If you do end up doing so please share the script.
It won't apply back to IDA obviously, but that just got me thinking. I should modify the ps_idc_gen script to also extract / apply the block colors. Then you could get the results you are looking for. Though the process is a tad convoluted through multiple steps.
Posted by: Pedram Amini | November 30, 2005 06:49 PM
nice plugin idea here
i am not a ida user but
i just would like to know
whether you have ever used
ollydbgs hittrace
usage procedure
after opening the binary
hit shift+end to select all code in disassembler window then
right click --> hit trace -->add selection
now if you start single stepping through the code
ollydbg will highlight the instructions traced
is your above code doing the same? or is it different? coz if it has some different functions or added functionalities i would like to transfer them to ollydbg through a plugin
hope you could answer (if you haven't used ollydbg's hittrace as i enumerated above, can you please check it out and see if that functionality exactly duplicates the behaviour of your plugin)
hope i get an answer
thanks and regards
Posted by: bluffer | December 5, 2005 07:02 PM
According to your description it looks more or less the same.
The details might be slightly different but since the highlighter is a plugin, it can be modified as desired.
BTW, the plugin could be improved in the future - better work with colors (the more times an instruction is executed, the more saturated the color), but this will require a new version of IDA which will allow the user to specify any color in the debugger.
Posted by: ilfak | December 5, 2005 08:02 PM
Ilfak
thanks for replying
anyway i wanted to link this image yesterday but the bmp was about 1 mb :)
Posted by: bluffer | December 6, 2005 07:43 PM
The image is still not visible - a direct link will work better...
Posted by: ilfak | December 6, 2005 08:25 PM
yeah i noticed yesterday it wasn't showing up
i embedded the link in
i don't know why your gif shows but not mine (i saw you have a /a at the end of your gif, maybe that's the problem)
whatever, here is the link
the grey marker shows all code has been selected
the red color marker shows the single stepped instruction (f7)
http://show.imagehosting.us/show/980503/0/nouser_980/T0_-1_980503.gif
Posted by: Anonymous | December 7, 2005 04:50 PM
This is pretty handy, however, the highlighting disappears once the debug session is terminated, or on reloading the database. I have tried to figure how to tweak the code to keep the highlighting permanently, but can't seem to be able to get it working. Any pointers?
Thanks!
Posted by: Anonymous | February 25, 2006 02:41 AM
There are several ways of doing it.
Method A.
To make the results persistent, you need to save the 'execset' into the database and reload it when the database is reopened.
Also make the user defined prefix permanent so it stay visible even when the debugger is off.
Method B.
In addition to displaying the color in the line prefix (line 35), change the item color using the 'set_item_color' function. In other words just add the
set_item_color(event->ea);
statement under the if. This will be enough.
Good luck!
Posted by: Ilfak Guilfanov | February 25, 2006 03:00 AM
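To make the idea concrete, here is a stand-alone model of what the post describes and of the two persistence methods from the last comment: a set of single-stepped addresses ("execset") with a hit counter per address, a line prefix that marks executed instructions, a save/load blob for storing the set in the database (Method A), and a colour that grows more saturated with the hit count (the improvement mentioned in the comments). This is an added example written for this page, not the highlighter plugin's own source; it uses no IDA SDK calls, `ea_t` is declared locally as a 64-bit integer, and the addresses in `demo_trace()` are invented.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

typedef uint64_t ea_t;   // effective address; assumption for this example: 64-bit

// The set of addresses the debugger has single-stepped through, with a hit
// count per address so the display can be scaled by how often code ran.
class ExecSet {
public:
    void record(ea_t ea) { ++hits_[ea]; }              // called on every single-step event
    bool executed(ea_t ea) const { return hits_.count(ea) != 0; }
    unsigned hits(ea_t ea) const {
        std::map<ea_t, unsigned>::const_iterator it = hits_.find(ea);
        return it == hits_.end() ? 0 : it->second;
    }
    size_t size() const { return hits_.size(); }

    // Line prefix shown in the listing: a marker only for executed instructions.
    std::string prefix(ea_t ea) const { return executed(ea) ? "[#] " : "    "; }

    // Persistence (Method A): serialise (ea, count) pairs into a flat blob that a
    // plugin would store in the database and reload when the database is reopened.
    std::vector<uint8_t> save() const {
        std::vector<uint8_t> out;
        for (std::map<ea_t, unsigned>::const_iterator it = hits_.begin(); it != hits_.end(); ++it) {
            put(out, it->first, 8);
            put(out, it->second, 4);
        }
        return out;
    }
    bool load(const std::vector<uint8_t>& blob) {
        if (blob.size() % 12 != 0) return false;         // reject a truncated or corrupt record
        hits_.clear();
        for (size_t i = 0; i < blob.size(); i += 12)
            hits_[get(blob, i, 8)] = (unsigned)get(blob, i + 8, 4);
        return true;
    }
private:
    static void put(std::vector<uint8_t>& out, uint64_t v, int n) {
        for (int i = 0; i < n; ++i) out.push_back((uint8_t)(v >> (8 * i)));   // little-endian
    }
    static uint64_t get(const std::vector<uint8_t>& in, size_t pos, int n) {
        uint64_t v = 0;
        for (int i = 0; i < n; ++i) v |= (uint64_t)in[pos + i] << (8 * i);
        return v;
    }
    std::map<ea_t, unsigned> hits_;
};

// Item background colour (Method B idea, with saturation by hit count):
// returns 0x00RRGGBB; never-executed code keeps the default white.
uint32_t hit_color(unsigned hits, unsigned max_hits) {
    if (hits == 0 || max_hits == 0) return 0xFFFFFF;
    if (hits > max_hits) hits = max_hits;
    unsigned other = 255 - (255 * hits) / max_hits;    // red and green fade as hits grow
    return (other << 16) | (other << 8) | 0xFF;
}

// Constructed trace: a loop at 0x401000..0x40100C stepped three times, then a
// jump out landing at 0x401020 and a return. The addresses are invented.
ExecSet demo_trace() {
    ExecSet es;
    const ea_t loop[] = { 0x401000, 0x401004, 0x401008, 0x40100C };
    for (int iter = 0; iter < 3; ++iter)
        for (size_t i = 0; i < 4; ++i) es.record(loop[i]);
    es.record(0x401020);
    es.record(0x401024);
    return es;
}

int main() {
    ExecSet es = demo_trace();
    std::vector<uint8_t> blob = es.save();   // what Method A would write to the database
    ExecSet reloaded;
    reloaded.load(blob);                     // what it would read back on reopen
    const ea_t listing[] = { 0x401000, 0x401004, 0x401008, 0x40100C, 0x401010, 0x401020, 0x401024 };
    for (size_t i = 0; i < 7; ++i)
        std::printf("%s%08llx  hits=%u  color=%06x\n", reloaded.prefix(listing[i]).c_str(),
                    (unsigned long long)listing[i], reloaded.hits(listing[i]),
                    hit_color(reloaded.hits(listing[i]), 3));
    return 0;
}
```

Note that 0x401010, which the trace never reached, gets a blank prefix and the default colour after the reload, while the loop body, hit three times, comes back fully saturated; the length check in `load()` is what keeps a truncated record from silently marking the wrong addresses.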