climacros – IDA productivity tool

Introduction

A few weeks ago, I proposed an IDA features to improve the CLI and add macros support. After a few email exchanges with Arnaud from Hex-Rays, we could not agree on how to best do it and still accommodate to everyone’s needs. Finally, Arnaud kindly wrote a quick IDAPython script to show me how I can intercept the CLI text before it gets executed. Please see Hack of the day #2: Command-Line Interface helpers.

Unfortunately, the QT approach did not work for me due to many reasons:

  • I don’t want the text to be replaced on the fly.
  • I don’t want the expanded text (macros) to be part of the history. Instead the macros should remain un-expanded as they get stored in the history.

The biggest issue we were discussing is how to format numbers: 0xHEXNUM, HEXNUM, #HEXNUM, …?

How many hardcoded macros should we have and what should they do?

In all cases, since IDA is highly programmable and I have access to the awesome IDA support team (thank you guys!), the ball is now in my court and all I had to do is write a plugin.

Enter ‘climacros’

I woke up one day with the solution to this dilemma. I don’t have to hardcode anything, instead just let the users define their own macros backed by Python expressions. The only thing I hardcoded was how to embed an expression in the CLI text. I opted for something simple inspired by the PHP/ASP syntax, something like ${ expression }$ (anything between those special tags is evaluated in Python).

With this basic idea, I set about implementing all the default macros that I think are useful for my daily work with WinDbg’s CLI.

This is climacros in action:

No more copy/paste in order to get the current address from the disassembly view! 🙂

climacros is written in C++ and is opensource. You can also grab the Windows binaries from here.

Future work

If this plugin is well received, I think people will ask for features like:

  • Macros profiles: to have a set of macros that one can switch between them quickly
  • Import/Export macros: to be able to transfer macros with users
  • Macro expansion using a scripting language of your choice and not just Python

Let me know!

 

QScripts – IDA Scripting productivity tool

Just a quick post to introduce QScripts. QScripts is a productivity tool that helps IDA users speed up their scripts development. The idea for QScripts sprang from my autox script that I wrote for the Batchography book.

With QScripts, you will be able to develop your scripts in your favorite text editor, save the script and see the results in IDA. Therefore, it makes sense to resize IDA and the text editor to see things side by side.

Please grab your copy from here.

Daenerys: IDA Pro and Ghidra interoperability framework

Ghidra has only been released for a short while and the RCE community started adopting it (scripts, tutorials, articles, etc.) really quick. Since Ghidra is free and open-source (coming soon™), I expect a torrent of contributions in the form of tools, plugins and scripts.

I think it is important not to create a schism between IDA users and new Ghidra users because that will not benefit the RCE community. For that reason, I think it would be cool to have a simple way to seamlessly run scripts between the two SRE frameworks.

Today I introduce the Daenerys framework that lets you run IDA scripts in Ghidra and vice versa. Since I am a long term IDA user, it is easier for me to start writing the IDA-to-Ghidra adapters first. As time goes by, I will become more familiar with Ghidra’s APIs and will be able to write the adapters that let users run Ghidra scripts seamlessly in IDA as well.

If you have watched the Game of Thrones show, you are perhaps familiar with Daenerys Targaryen (aka “The mother of dragons”). I chose her name for this project because IDA’s logo is represented by a certain medieval lady and Ghidra by a dragon (some say from the GodZilla lore / King Ghidorah). Having the Daenerys framework’s logo as a lady and a dragon standing on equal footing represents a harmonious relationship between the two.

If you are a graphics designers, I would appreciate it if you can create a logo for the framework better than the one I found using Bing.com’s public domain image search.

The Daenerys framework is still in its infancy and your contributions/suggestions are welcome.

Finally, I hope the RCE community continues to strive and becomes more accessible to everyone interested in the field.

Ghidra: A quick overview for the curious

Ghidra, is a software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission. It was released recently and I became curious about it and wanted to check it out.

I have not researched to see if someone else did a similar overview article or not, however, I am writing this article for myself and those who don’t want to run Ghidra themselves and just want to learn a bit about it.

I know that it is unfair to compare Ghidra to IDA Pro, but I cannot help it: I am a long time user of IDA Pro and it is my only point of reference when it comes to reverse engineering tools.

This article is going to be long and will contain lots of screenshots. I just started playing with Ghidra and therefore, I might be wrong or might be presenting inaccurate or incomplete information so please excuse me ahead of time.

Table of contents

Continue reading

Using Z3 with IDA to simplify arithmetic operations in functions

I have been meaning to learn about SMT based program analysis for a long time and recently I started learning about the topic. There are so many frameworks, articles and tutorials out there that I shall explore as time goes by.

Since I am still learning, I do not claim that the following material is rocket science or advanced by any means, instead, it is very basic and should be approachable enough by absolute beginners to Z3 (a theorem prover from Microsoft Research). All I know so far comes from reading Dennis Yurichev‘s e-book “Quick introduction into SAT/SMT solvers and symbolic execution” in addition to the Z3Py introductory material by Eric (https://github.com/ericpony/z3py-tutorial).

In last week’s blog post, I illustrated how to write a basic emulator to evaluate a function’s return value without running it. In today’s blog post, I am going to show how to convert thousands of arithmetic operations from x86 assembly code into simplified Z3 expressions. Continue reading

Writing a simple x86 emulator with IDAPython

Often times, when I stumble upon IDAPython scripts, I notice that they are using inefficient / incorrect IDAPython APIs to disassemble or decode instructions (for instance using idc.GetMnem() or idc.GetDisasm()). Therefore, in this blog post, I am going to illustrate how to use IDA’s instruction decoding functions from IDAPython in order to write a very simple x86 emulator. The goal is to demonstrate the correct use of instruction decoding IDAPython APIs. By the end of this post, you should be able to solve similar problems using IDAPython. Continue reading

Blizzard CTF 2017 – The LichKing Reverse Engineering challenge walkthrough

The Lichking challenge

Challenge demo. Click on the picture to enlarge it.

I created this challenge for the Blizzard 2017 CTF competition that took place on 11/05/2017 in the eSports Arena in Santa Ana, Orange County, CA.
(https://ctftime.org/event/487). After the CTF event was over, I decided to release it to public and see who can crack it.

This challenge is inspired by the picture password login feature from Windows 8. When you run the challenge, you will be presented with a picture. Your goal is guess what are the 4 secret coordinates (hidden spots) in the picture that you should be clicking using the correct sequence. Once guessed correctly, a congratulatory message box is displayed. If you fail to guess the right 4 points coordinates, then you will see an error message.

This is a pure reverse engineering puzzle and therefore you won’t find any obfuscation or anti-debugging/reverse engineering tricks whatsoever. In the challenge, I left a bunch of hints to make it easy for others to solve the puzzle. Nonetheless, taking the brute-force approach leads to uncovering the hidden message, however this is not the proper solution I am expecting from participants. Continue reading

StarCraft: Emulating a buffer overflow for fun and profit – REcon Brussels, 2018

Today I present my talk at REcon Brussels. It was about a problem I had to solve at work.

Basically, the classic StarCraft 1.16.1 had a buffer overflow that was exploited to create impressive maps well beyond the original game programming.

In this talk, I explained how I tackled the problem and emulated the buffer overflow so that exploited maps work on the latest version of StarCraft.

By the way, “StarCraft: Remastered” is free (in low-resolution, the HD resolution must be purchased). Download it from Battle.net.

Here’s the full talk abstract:

StarCraft 1.16.1 and older had a buffer overflow bug in the map parsing code. The hackers in South Korea leveraged the buffer overflow to create mods for the game. The mods became so popular that if we fix the buffer overflows we kill all the mods.

This talk shares the technical difficulties faced while solving this problem and also illustrates the various reverse engineering techniques used along the way:

  • How I approached the problem and how the reverse engineering efforts helped solving them
  • How I developed the tracers and instrumentation tools needed for the job
  • How the emulator was designed

You can also download the slides from here:

Introducing Ganxo v0.1 Alpha – An open source API hooking framework

Hello,

Today I release the first Alpha version of Ganxo (pronounced as “Gun Show” or “Gan Chou”), an open source API hooking framework. In Catalan, Ganxo means “hook”, thus the framework’s name.

Writing an API hooking framework was always on my to do list. I started developing Ganxo back in April 2016 and after two weeks of development during my free time, I got busy with other things and abandoned my efforts.

My initial goals were to accomplish the following before going public with it:

  • Support x86 and x64 hooking
  • Write a more extensive test suite
  • Fully document it

This past weekend, I decided to release Ganxo even though I have not met all my goals. As of today, Ganxo works on MS Windows and supports x86 API hooking. The groundwork is laid down and it should be easy to add x64 bits hooking support on Windows or even just port it to other operating systems.

Feel free to clone the code from here and start using it today.

Stay tuned, I plan more features in the coming future!

While at it, check out my Batchography book!

Genesis

Hi there,

This is not the real genesis! This is a continuation from my WordPress hosted blog http://0xeb.wordpress.com/.

This blog will be dedicated to programming, reverse engineering and ranting about the IT industry.

Notable previous blog posts: