Class Informer By Sirmabus

walter

New member
I was hoping someone could help. I've been looking for class informer 2.1, and I haven't been able to find it ANYWHERE. Version 2.2 and 2.0 do not run on my configuration, but version 2.1 will likely run as it was compiled for IDA 6.8.

I wanted to build the plugin myself, but it relies on QT, which is a 20 GB download!
 

Storm Shadow

Administrator
Staff member
Developer
Ida Pro Expert
Elite Cracker
Version 2.1 I have not seen.
Anyway, just download http://sourceforge.net/projects/classinformer/

The 6.7 one works on 6.7 and 6.8, and @Sirmabus also made one for 6.9.

> I wanted to build the plugin myself, but relies on QT, which is a 20 GB download!

It's only a 1 GB download, and 4 GB recompiled with the Qt namespace. Also, in the IDA SDK there are prebuilt libs with the QT namespace.

@Sirmabus is a member here but also has his own forum, http://www.macromonkey.com/bb/index.php/topic,13.0.html.

What error are you getting when you start IDA, if you get an error?
 

walter

New member

Thank you for the reply.

There are no error messages. The 2.0 version of the plugin technically runs, but after performing the operations, fails to pop up the "class list" window as it did with version 1.0 of the plugin.
I used this on two modules. The first module did not seem to change anything at all. The second module created a *lot* of garbage and redundant structures. Way more than I know this module contains. The plugin doesn't show me a list of classes, with a link to the static vtable in the data segment, like version 1.0 of the plugin did. Instead it created (only for module 2) a lot of structures, which did not seem to help me at all.

These modules do not contain RTTI data, (I checked manually). Is that required for the plugin?

Here is the full output from module 1:

>> Class Informer: v: 2.0, built: May 5 2015, By Sirmabus
Working..


Processing C/C++ ctor & dtor tables.
0043886E I: "_initterm", 6 bytes.
0044C25C import: "__imp__initterm".

0043886E processInitterm: "_initterm"
004383A8 "_initterm" xref.
0043839E Two instruction pattern match #0
0045924C to 00459250 CTOR table.
004383F7 "_initterm" xref.
004383ED Two instruction pattern match #0
00459000 to 00459248 CTOR table.

0044C25C processInitterm: "__imp__initterm"

Processing time: 0.02 seconds.


Scanning for for RTTI Complete Object Locators.
N: ".rdata", A: 0044C5D4 - 00459000, S: 50.5 KB.
N: ".data", A: 00459000 - 00462000, S: 36 KB.
Total COL: 0


Scanning for vftables.
N: ".rdata", A: 0044C5D4-00459000, S: 50.5 KB.
N: ".data", A: 00459000-00462000, S: 36 KB.



=========== Stats ===========
RTTI vftables: 0
Functions fixed: 0
Processing time: 0.07 seconds
Done.



>> Class Informer: v: 2.0, built: May 5 2015, By Sirmabus
Working..


Processing C/C++ ctor & dtor tables.
0043886E I: "_initterm", 6 bytes.
0044C25C import: "__imp__initterm".

0043886E processInitterm: "_initterm"
004383A8 "_initterm" xref.
0043839E Two instruction pattern match #0
0045924C to 00459250 CTOR table.
004383F7 "_initterm" xref.
004383ED Two instruction pattern match #0
00459000 to 00459248 CTOR table.

0044C25C processInitterm: "__imp__initterm"

Processing time: 8.03 milliseconds.


Scanning for for RTTI Complete Object Locators.
N: ".rdata", A: 0044C5D4 - 00459000, S: 50.5 KB.
N: ".data", A: 00459000 - 00462000, S: 36 KB.
Total COL: 0


Scanning for vftables.
N: ".rdata", A: 0044C5D4-00459000, S: 50.5 KB.
N: ".data", A: 00459000-00462000, S: 36 KB.



=========== Stats ===========
RTTI vftables: 0
Functions fixed: 0
Processing time: 0.02 seconds
Done.

Module 2 output was similar to this but I can post if needed.

I would ultimately like to build this from source, because it appears to not function the way I want, to the point of me thinking that it is actually broken. I just had a hard time believing that version 2.0 would function so much more poorly for me than version 1, so assumed it was broken. Regarding the VS2015 source project: The project structure seems to be as badly handled as the operation of the plugin itself. There are broken file links (referencing the author's project file in an absolute path, for example) and namespace issues. Also a lack of documentation on simply how to build the project. I have gone over literally every single project setting and narrowed down the problem to one thing. I am getting linker errors due to the inclusion of QT_NAMESPACE=QT in the preprocessor definitions within the .vcxproj file. Removing this #define causes naming conflicts between the IDA SDK and the QT SDK.

If anyone out there is able to help, I would be extremely grateful. I've been banging my head on this problem for days.

I also messaged the author through sourceforge, some time ago, but no response.
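
An added example (not code from this thread or from Class Informer) of the check behind the "Scanning for RTTI Complete Object Locators" pass in the log above: it looks for MSVC type descriptor names, the Complete Object Locators that reference them, and the vftables that point at those locators. It assumes the 32-bit MSVC RTTI layout and 4-byte alignment; `find_rtti_vftables`, `build_sample` and the `Widget` class are hypothetical names, and the sample bytes are constructed.

```python
import re
import struct

# MSVC RTTI type descriptor names: ".?AV<name>@@" (class) or ".?AU<name>@@" (struct)
TD_NAME = re.compile(rb"\.\?A[VU][\x21-\x7e]+?@@\x00")

def find_rtti_vftables(data: bytes, base_va: int):
    """Return [(vftable_va, mangled_name)] for a 32-bit MSVC image region.

    data is the raw bytes of the scanned region (for example .rdata and .data)
    and base_va is the virtual address of data[0]. Hypothetical helper.
    """
    # 1. Type descriptors: layout is pVFTable, spare, name[], so the
    #    descriptor starts 8 bytes before its name string.
    tds = {}
    for m in TD_NAME.finditer(data):
        if m.start() >= 8:
            tds[base_va + m.start() - 8] = m.group()[:-1].decode("ascii")

    # 2. Complete Object Locators (x86 layout, five dwords):
    #    signature (0), offset, cdOffset, pTypeDescriptor, pClassDescriptor
    cols = {}
    for off in range(0, len(data) - 19, 4):
        sig, _, _, p_td, _ = struct.unpack_from("<5I", data, off)
        if sig == 0 and p_td in tds:
            cols[base_va + off] = tds[p_td]

    # 3. vftables: the dword just before a vftable points at its COL.
    found = []
    for off in range(0, len(data) - 7, 4):
        (ptr,) = struct.unpack_from("<I", data, off)
        if ptr in cols:
            found.append((base_va + off + 4, cols[ptr]))
    return found

def build_sample(base_va=0x00400000):
    # Constructed region: TypeDescriptor, COL, then a one-entry vftable.
    td = struct.pack("<II", 0, 0) + b".?AVWidget@@\x00"
    td += b"\x00" * (-len(td) % 4)            # pad to 4-byte alignment
    col_va = base_va + len(td)
    col = struct.pack("<5I", 0, 0, 0, base_va, 0)
    vft = struct.pack("<II", col_va, 0x00401000)  # COL pointer, first method
    return td + col + vft

if __name__ == "__main__":
    for va, name in find_rtti_vftables(build_sample(), 0x00400000):
        print(f"{va:08X} {name}")
```

An empty result corresponds to the "Total COL: 0" line in the log: the module carries no RTTI for a scanner to anchor class names on.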
 

Storm Shadow

Actually, the classinformer plugin window shows if you have a file with RTTI vftables
Code:
RTTI vftables: 1F
Functions fixed: 0
Processing time: 0.06 seconds
IDA updating, please wait..
Done.
 

walter

New member
2.2 is only accessible via SVN
Code:
svn checkout svn://svn.code.sf.net/p/classinformer/code/ classinformer-code

I'm making some progress though, I just found after a lot of searching, that you have to recompile Qt from source with the QT namespace in order to do any IDA plugin development. I did not know this, but seems to be common knowledge for plugin developers :(

Might be able to take it from here on my own.

Can you recommend any plugins which are designed to reconstruct data in a similar way, but without the RTTI information?

Really appreciate the help
 

walter

New member
Yes, the plugin also reports zero RTTI, but I had checked it manually after the fact to be sure.

The thing here is that version 1.0 reconstructed a fair amount of data without RTTI, so it seemed from a design perspective, that the plugin will do what it can to reconstruct data with or without whatever data is available. Newer versions seem to not really be helpful without the RTTI.

I either want to modify the plugin or find a new one that seems to be more suited for what I am trying to do.
 

Storm Shadow

I think I know why the one built for 6.7 doesn't find anything in 6.8.
Test build classinformer 2.0 https://github.com/nihilus/IDA_ClassInformer

Code:
else
	// IDA demangler for everything else
	{
		int result = demangle_name(outStr, (MAXSTR - 1), mangled, (MT_MSCOMP | MNG_NODEFINIT));
		if (result < 0)
		{
			//msg("** getPlainClassName:demangle_name() failed to unmangle! result: %d, input: \"%s\"\n", result, mangled);
			return(FALSE);
		}
 
		// No inhibit flags will drop this
		if (LPSTR ending = strstr(outStr, "::`vftable'"))
			*ending = 0;
	}
 
	return(TRUE);
}


It appears that demangle_name is deprecated from 6.8, so it won't find much.
name.hpp idasdk 6.8
Code:
#ifndef NO_OBSOLETE_FUNCS
idaman DEPRECATED char *ida_export validate_name(char *name); // use validate_name3()
idaman DEPRECATED char *ida_export validate_name2(char *name, size_t bufsize);
idaman DEPRECATED char *ida_export get_true_name(ea_t from, ea_t ea, char *buf, size_t bufsize);
idaman DEPRECATED char *ida_export get_name(ea_t from, ea_t ea, char *buf, size_t bufsize);
idaman DEPRECATED char *ida_export get_colored_name(ea_t from, ea_t ea, char *buf, size_t bufsize);
idaman DEPRECATED int32 ida_export demangle_name(char *buf, size_t bufsize, const char *name, uint32 disable_mask);


If you build the 2.2 version, it's gonna be a pain to do.

computerline

New member
Ida Pro Expert
You could test my build of v2.0 for IDA 6.8. As I compared version 2.0 vs 2.2, there is not much difference; it only modifies some things to support IDA 6.9, so you wouldn't need to rebuild.
 

Attachments

  • classinformer_plugins.zip
    433.8 KB · Views: 58

computerline

New member
Ida Pro Expert
> Yes, the plugin also reports zero RTTI, but I had checked it manually after the fact to be sure.
>
> The thing here is that version 1.0 reconstructed a fair amount of data without RTTI, so it seemed from a design perspective, that the plugin will do what it can to reconstruct data with or without whatever data is available. Newer versions seem to not really be helpful without the RTTI.
>
> I either want to modify the plugin or find a new one that seems to be more suited for what I am trying to do.

Could you give me a sample? I could test it.
 

Storm Shadow

> You could test my build of v2.0 for IDA 6.8. As I compared the version 2.0 vs 2.2, there not much difference, it only modify some to support IDA 6.9, so couldn't need to rebuild

The problem is the one mentioned in post #35:

demangle_name and get_long_name are deprecated from 6.8, so that is why it won't find much else than RTTI.




Code:
static UINT doInittermTable(func_t *func, ea_t start, ea_t end, LPCTSTR name)
{
	UINT found = FALSE;
 
	if ((start != BADADDR) && (end != BADADDR))
	{
		// Should be in the same segment
		if (getseg(start) == getseg(end))
		{
			if (start > end)
				swap_t(start, end);
 
			// Try to determine if we are in dtor or ctor section
			if (func)
			{
				char funcName[MAXSTR]; funcName[SIZESTR(funcName)] = 0;
				if (get_long_name(BADADDR, func->startEA, funcName, SIZESTR(funcName)))
				{
					_strlwr(funcName);
 
					// Start/ctor?
					if (strstr(funcName, "cinit") || strstr(funcName, "tmaincrtstartup") || strstr(funcName, "start"))
					{
						msg("	"EAFORMAT" to "EAFORMAT" CTOR table.\n", start, end);
						setIntializerTable(start, end, TRUE);
						found = TRUE;
					}
					else
					// Exit/dtor function?
					if (strstr(funcName, "exit"))
					{
						msg("	"EAFORMAT" to "EAFORMAT" DTOR table.\n", start, end);
						setTerminatorTable(start, end);
						found = TRUE;
					}
				}
			}
 
			if (!found)
			{
				// Fall back to generic assumption
				msg("	"EAFORMAT" to "EAFORMAT" CTOR/DTOR table.\n", start, end);
				setCtorDtorTable(start, end);
				found = TRUE;
			}
		}
		else
			msg("	** Miss matched segment table addresses "EAFORMAT", "EAFORMAT" for \"%s\" type **\n", start, end, name);
	}
	else
		msg("	** Bad input address range of "EAFORMAT", "EAFORMAT" for \"%s\" type **\n", start, end, name);
 
	return(found);
}




And for IDA 6.9, @Sirmabus has changed to QT5 in version 2.2

so
Code:
#include <QtGui/QDialogButtonBox> //Qt4
is changed to

Code:
#include <QtWidgets/QDialogButtonBox> //Qt5
 

sendersu

Member
Hi Sirmabus
Looks like I've found a bug in the classinformer plugin


While applying the plugin to one of the DLLs, I got this at the top of the found types (copy-pasted from the popup menu over the errored line):

Code:
1073F5E4 2  ??** MAXSTR overflow! Fn::Functor1<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::CalleeRef<std::map<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::allocator<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >,std::pair<std::_Tree_iterator<std::_Tree_val<std::_Tree_simple_types<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > >,bool> (__thiscall std::map<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<char,std

http://prntscr.com/bzsmbm
http://prntscr.com/bzsmm2

Looks like not enough room for the type name... any idea if it's possible to fix it?
Thanks
 