A binary analysis tool like a decompiler is incomplete without a programming interface. Sure, decompilers tremendously facilitate binary analysis. You can concentrate of the program logic expressed in a familiar way. Just add comments, rename variables and functions to get almost the original source code, almost perfect. However, quite often there is a small ugly detail and the output falls short of being satisfactory.

It can be because of an awkward expression

which could be represented more concisely:

It can also be an inline function

which could be collapsed:

It can be a while-loop

which could be converted into a for-loop:

All these transformations improve the readability but the decompiler can not perform them automatically: they change the meaning of the program. Only the user who knows that these transformations can be safely applied should activate them.

We could add extensive set of manual transformation commands to the decompiler (we might do it one day), but there are really too many of them. Besides, some transformations can be applied only in some particular circumstances proper to a particular version of a compiler used with particular command line options. In short, there is no way we can predict all possible transformations and implement them.

Hex-Rays SDK allows you to manipulate the decompilation result as you want. You can play with the output data structure (called ctree), modify it, rename variables, and change their types. Watch such a plugin in action:

This plugin introduces a new command to swap if branches. I personally prefer to have the shorter if branch first: shorter means simpler. Having simplest problems to be solved first is a good approach in programming, it frees one's mind for complex problems and makes the unsolved part of the problem shorter (thus hopefully simpler ;)

Other things you can do with the current SDK:

• Decompile any function
• Modify the pseudocode
• Change local variable names and types
• Introduce your own interactive commands
• Install callbacks to react to decompiler events

The above functionality it enough to implement the Inliner, Exporter, Transformer, and Vizier(partially) plugins mentioned here.

In the future we will add support for other plugin types. The decompiler will handle other target processors and data flow analysis functions will be exported. This will allow you to write more complex analysis and transformation rules.

What about writing your own vulnerability scanner based on Hex-Rays? ;)
It is quite difficult today but will be within reach very soon.

Posted by Ilfak Guilfanov at 10:08 PM | Permalink | Comments (3)

If you ever used IDA to analyze embedded stuff, you would immediately notice its pc-centric nature. While any embedded SDK targets specific devices with real-world part numbers, IDA just provides you with a universal analysis framework. You are supposed to know how the device works, its idiosyncrasies, programming model, memory organization, and all other practical stuff. If there is an automatic way to determine the entry point or interrupt vectors, IDA will use it but in general you will have to find out the correct parameters yourself.

The following tutorial fills the gap for C166 (and explains many other things!):

http://andywhittaker.com/ECU/DisassemblingaBoschME755/tabid/96/Default.aspx

Thanks, Andy!

Posted by Ilfak Guilfanov at 02:52 PM | Permalink | Comments (3)

If I have an instruction like

     mov eax, [edi-0ch]

and I know that that's really the sum of an offset to a structure not at edi and the offset of a member within that structure, how do I get IDA to display it as such without using a manual operand?

       _IMAGE_SECTION_HEADER:
       +0x000 Name                 : char[8]
       +0x008 Misc                 : __unnamed
       +0x00c VirtualAddress       : DWORD
       +0x010 SizeOfRawData        : DWORD
edi--> +0x014 PointerToRawData     : DWORD
       +0x018 PointerToRelocations : DWORD
       +0x01c PointerToLinenumbers : DWORD
       +0x020 NumberOfRelocations  : DWORD
       +0x022 NumberOfLinenumbers  : DWORD
       +0x024 Characteristics      : DWORD

Pressing T to convert the operand to a struct offset does not help. By default, this command assumes that the offsets are calculated from the beginning of the structure. We need a more powerful form of this command which would allow us to specify the offset deltas. We can do that by making a selection with the mouse before pressing T: in this case another, more powerful dialog form will appear.

We enter 0x14 as the delta value, select the desired structure type (IMAGE_SECTION_HEADER), and (since it is a union) the exact union field we want to see (say, VirtualSize). Here is the result:

  mov     eax, dword ptr 
     [edi-(IMAGE_SECTION_HEADER.NumberOfRelocations-14h)]

  mov     eax, [edi+(IMAGE_SECTION_HEADER.Misc.VirtualSize-14h)]

• invert the operand sign by pressing _ (underscore)
• select the instruction
• press T. delta is 0x14, select the desired structure and its field

Posted by Ilfak Guilfanov at 05:53 PM | Permalink | Comments (0)

What happened to OpenRCE, does anyone know? It would be a pity to lose such a nice resource.
This news is not a bright one neither but I hope that the explanation for openrce is purely technical.

Posted by Ilfak Guilfanov at 01:15 PM | Permalink | Comments (2)