Want to Join Us ?

you'll be able to discuss, share and send private messages.

Class Informer By Sirmabus

Discussion in 'Plugins' started by storm shadow, Feb 8, 2013.

Share This Page

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    fixed :p
     
    Rip Cord and sendersu like this.
  2. sendersu

    Active Member

    looks fantastic

    1 more update:
    the 1st line of 1st post says "Class Informer 1.06 from macromonkey"
    but.... in reality one should read 2.0? :)
     
    storm shadow likes this.
  3. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    test
     
    sendersu likes this.
  4. Nihilus

    Well-Known Member Developer

    Darn it... Now I must sync my repo ;-)
     
    storm shadow likes this.
  5. Nihilus

    Well-Known Member Developer

    Does anyone have 1.06 at hand?
     
  6. sendersu

    Active Member

  7. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

  8. walter

    New Member

    I was hoping someone could help. I've been looking for class informer 2.1, and I haven't been able to find it ANYWHERE. Version 2.2 and 2.0 do not run on my configuration, but version 2.1 will likely run as it was compiled for IDA 6.8.

    I wanted to build the plugin myself, but relies on QT, which is a 20 GB download!
     
  9. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    version 2.1 i have not seen.
    Anyway Just download http://sourceforge.net/projects/classinformer/

    the 6.7 one works on 6.7 and 6.8 , and @Sirmabus made one also for 6.9 also.

    its only 1 gb dl , and 4 gb recompiled with Qt Namespace . Also in ida sdk there are prebuild libs with QT namespace.


    @Sirmabus is a member here but also have he own forum, http://www.macromonkey.com/bb/index.php/topic,13.0.html.

    what error are you getting when you start ida ? if you get a error.
     
  10. walter

    New Member

    Thank you for the reply.

    There are no error messages. The 2.0 version of the plugin technically runs, but after performing the operations, fails to pop up the "class list" window as it did with version 1.0 of the plugin.
    I used this on two modules. The first module did not seem to change anything at all. The second module created a *lot* of garbage and redundant structures. Way more than I know this module contains. The plugin doesn't show me a list of classes, with a link to the static vtable in the data segment, like version 1.0 of the plugin did. Instead it created (only for module 2) a lot of structures, which did not seem to help me at all.

    These modules do not contain RTTI data, (I checked manually). Is that required for the plugin?

    Here is the full output from module 1:


    Module 2 output was similar to this but I can post if needed.

    I would ultimately like to build this from source, because it appears to not function the way I want, to the point of me thinking that it is actually broken. I just had a hard time believing that version 2.0 would function so much more poorly for me than version 1, so assumed it was broken. Regarding the VS2015 source project: The project structure seems to be as badly handled as the operation of the plugin itself. There are broken file links (referencing the author's project file in an absolute path, for example) and namespace issues. Also a lack of documentation on simply how to build the project. I have gone over literally every single project setting and narrowed down the problem to one thing. I am getting linker errors due to the inclusion of QT_NAMESPACE=QT in the preprocessor definitions within the .vcxproj file. Removing this #define causes naming conflicts between the IDA SDK and the QT SDK.

    If anyone out there is able to help, I would be extremely grateful. I've been banging my head on this problem for days.

    I also messaged the author through sourceforge, some time ago, but no response.
     
  11. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    do you have the project files, i cant seem to find them
     
  12. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    actuelly the classinformer plugin window show if you have a file with RTTI vftables
    Code (Text):
    RTTI vftables: 1F
    unctions fixed: 0
    Processing time: 0.06 seconds
    IDA updating, please wait..
    Done.
     
  13. walter

    New Member

    2.2 is only accessible via SVN
    Code (Text):
    svn checkout svn://svn.code.sf.net/p/classinformer/code/ classinformer-code
    I'm making some progress though, I just found after a lot of searching, that you have to recompile Qt from source with the QT namespace in order to do any IDA plugin development. I did not know this, but seems to be common knowledge for plugin developers :(

    Might be able to take it from here on my own.

    Can you recommend any plugins which are designed to reconstruct data in a similar way, but without the RTTI information?

    Really appreciate the help
     
  14. walter

    New Member

    Yes, the plugin also reports zero RTTI, but I had checked it manually after the fact to be sure.

    The thing here is that version 1.0 reconstructed a fair amount of data without RTTI, so it seemed from a design perspective, that the plugin will do what it can to reconstruct data with or without whatever data is available. Newer versions seem to not really be helpful without the RTTI.

    I either want to modify the plugin or find a new one that seems to be more suited for what I am trying to do.
     
  15. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    i think i know why the one build for 6.7 dont find anything in 6.8
    test build classinformer 2.0 https://github.com/nihilus/IDA_ClassInformer

    Code (C):
    else
        // IDA demangler for everything else
        {
            int result = demangle_name(outStr, (MAXSTR - 1), mangled, (MT_MSCOMP | MNG_NODEFINIT));
            if (result < 0)
            {
                //msg("** getPlainClassName:demangle_name() failed to unmangle! result: %d, input: \"%s\"\n", result, mangled);
                return(FALSE);
            }
     
            // No inhibit flags will drop this
            if (LPSTR ending = strstr(outStr, "::`vftable'"))
                *ending = 0;
        }
     
        return(TRUE);
    }

    it appears that demangle_name is Depreciated from 6.8 so it wont find much
    name.hpp idasdk 6.8
    Code (C):
    #ifndef NO_OBSOLETE_FUNCS
    idaman DEPRECATED char *ida_export validate_name(char *name); // use validate_name3()
    idaman DEPRECATED char *ida_export validate_name2(char *name, size_t bufsize);
    idaman DEPRECATED char *ida_export get_true_name(ea_t from, ea_t ea, char *buf, size_t bufsize);
    idaman DEPRECATED char *ida_export get_name(ea_t from, ea_t ea, char *buf, size_t bufsize);
    idaman DEPRECATED char *ida_export get_colored_name(ea_t from, ea_t ea, char *buf, size_t bufsize);
    idaman DEPRECATED int32 ida_export demangle_name(char *buf, size_t bufsize, const char *name, uint32 disable_mask);

    if you build the 2.2 version its gonna be a pain to do
     
    Last edited: Jul 10, 2016
  16. computerline

    Well-Known Member Ida Pro Expert

    You could test my build of v2.0 for IDA 6.8. As I compared the version 2.0 vs 2.2, there not much difference, it only modify some to support IDA 6.9, so couldn't need to rebuild
     

    Attached Files:

  17. computerline

    Well-Known Member Ida Pro Expert

    Could you give me some sample, I could test
     
  18. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    problem is that mentioned in post #35

    that demangle_name and Get_long_name is depritiated from 6.8 so that is why it wont find much else than RTTI , demangle_name and Get_long_name




    Code (C):
    static UINT doInittermTable(func_t *func, ea_t start, ea_t end, LPCTSTR name)
    {
        UINT found = FALSE;
     
        if ((start != BADADDR) && (end != BADADDR))
        {
            // Should be in the same segment
            if (getseg(start) == getseg(end))
            {
                if (start > end)
                    swap_t(start, end);
     
                // Try to determine if we are in dtor or ctor section
                if (func)
                {
                    char funcName[MAXSTR]; funcName[SIZESTR(funcName)] = 0;
                    if (get_long_name(BADADDR, func->startEA, funcName, SIZESTR(funcName)))
                    {
                        _strlwr(funcName);
     
                        // Start/ctor?
                        if (strstr(funcName, "cinit") || strstr(funcName, "tmaincrtstartup") || strstr(funcName, "start"))
                        {
                            msg("   "EAFORMAT" to "EAFORMAT" CTOR table.\n", start, end);
                            setIntializerTable(start, end, TRUE);
                            found = TRUE;
                        }
                        else
                        // Exit/dtor function?
                        if (strstr(funcName, "exit"))
                        {
                            msg("   "EAFORMAT" to "EAFORMAT" DTOR table.\n", start, end);
                            setTerminatorTable(start, end);
                            found = TRUE;
                        }
                    }
                }
     
                if (!found)
                {
                    // Fall back to generic assumption
                    msg("   "EAFORMAT" to "EAFORMAT" CTOR/DTOR table.\n", start, end);
                    setCtorDtorTable(start, end);
                    found = TRUE;
                }
            }
            else
                msg("   ** Miss matched segment table addresses "EAFORMAT", "EAFORMAT" for \"%s\" type **\n", start, end, name);
        }
        else
            msg("   ** Bad input address range of "EAFORMAT", "EAFORMAT" for \"%s\" type **\n", start, end, name);
     
        return(found);
    }



    and ida 6.9 @sinabus have changed to QT5 in version 2.2

    so
    Code (Text):
    #include <QtGui/QDialogButtonBox> //Qt4
     
    is changed to

    Code (Text):
    #include <QtWidgets/QDialogButtonBox> //Qt5
     
    Last edited: Jul 11, 2016
  19. sendersu

    Active Member

    Hi Sirmabus
    Looks like I've found a bug in the classinformer plugin


    during appyling the plugin to one of the dlls I've got this @ the top of found types: (did copy paste from popup menu over the errored line)

    Code (Text):
    1073F5E4 2  ??** MAXSTR overflow! Fn::Functor1<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::CalleeRef<std::map<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::allocator<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >,std::pair<std::_Tree_iterator<std::_Tree_val<std::_Tree_simple_types<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > >,bool> (__thiscall std::map<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<char,std
    http://prntscr.com/bzsmbm
    http://prntscr.com/bzsmm2

    Looks like not enough room for the type name... any idea if it's possible to fix it?
    Thanks
     
  20. sendersu

    Active Member

Top