ida pro plugin labeless, sync IDA with OllyDbg by a1ext

Discussion in 'Plugins' started by storm shadow, Oct 7, 2015.

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Contributed By Check Point Software Technologies LTD.
    Description

    Labeless is a plugin system for dynamic, seamless and real-time synchronization between an IDA database and Olly. It consists of two parts: an IDA plugin and an OllyDbg plugin.
    Labeless significantly reduces the time a researcher spends on transferring already reversed/documented code information from IDA (static) to the debugger (dynamic). It saves time by preventing you from doing the same job twice. Also, you can document and add data to the IDB on the fly and your changes will be automatically propagated to Olly, even if you restart the virtual machine or the instance of Olly crashes. So, you will never lose your research.
    This solution is highly upgradable. You can implement any helper scripts in Python on the OllyDbg side and then just call them from IDA with one line of code, parsing the results and automatically propagating changes to the IDB.
    It features:
    • Seamless synchronization of labels, function names, comments and global variables, with demangling
    • Synchronization modes
      • On demand
      • On rename (update on-the-fly)
    • Supports image base-independent synchronization
    Also, we provide dynamic dumping of debugged process memory regions. It can be useful in the following cases:
    • When the debugged process has an extracted/temporary/injected module which doesn't appear in the modules list
    • When it doesn't have a valid PE header
    • When it has a corrupted import table, etc.
    We can take that memory region and put it in the IDB, fixing imports 'on-the-fly' using OllyDbg functionality. There is no more need for ImpRec or BinScylla, searching for the regions in memory that contain the real IAT, because we get that information dynamically from the debugged process itself.
    As a result we have a lot of memory regions that may represent even different modules (if the unpacking process is multistage) with valid references between them, which gives us the possibility to build a full control flow graph of the executable. Basically, we will end up with one big IDB containing all the info on the specific case.
    Installation

    Dependencies

    • Python 2.7
    • protobuf 2.6.1
    • Visual Studio 2010 + Qt 4.8.4 (built with "QT" namespace) - required by the IDA-side plugin (to properly use IDA's Qt). You can configure Qt yourself with the following command:
      configure -platform win32-msvc2010 -shared -release -no-webkit -opensource -no-qt3support -no-phonon -no-phonon-backend -opengl desktop -nomake demos -nomake examples -nomake tools -no-script -no-scripttools -no-declarative -qtnamespace QT
    • Visual Studio 2012 (or newer) to build Olly-side plugin
    IDA part:

    • Copy IDA plugin IDA\plugins\labeless_ida.plw to IDA's plugins directory, for example c:\IDA68\plugins
    Olly part:

    • Copy both Olly\get-pip.py and Olly\setup_protobuf.bat files to guest machine, then run setup_protobuf.bat and wait for the successful installation
    • Copy Olly\Plugins\labeless_olly.dll to OllyDbg plugins directory. If you want to use Labeless with Olly FOFF mod (aka DeFixed edition), please use the plugin from the following path: Olly\Plugins\labeless_olly_foff.dll
    • Copy the whole directory Olly\python to OllyDbg home directory
    Checking if everything works

    • Start Olly and check for Labeless item presence in Plugins menu. If there is any problem, then check Olly's log window for details.
    • Start working with existing IDA database or use 'Labeless -> Load stub database...' from the menu
    • Open the Labeless settings dialog using the menu 'Edit -> Plugins -> Labeless'. You can also use the main menu 'Labeless -> Settings...' or the hotkey Alt+Shift+E
    • Enter IP address and port of the guest machine. Click on 'Test connection' button.
    • If IDA displays the message 'Successfully connected!', then configuration is done correctly.
    How to use

    • If you want to sync labels (names) from IDA to Olly you should check 'Enable labels & comments sync' in Labeless settings dialog in IDA. There is one required field called 'Remote module base', which should be set to the current module base of the analyzed application. You can find out that information in the debugger (Olly).
    • Select needed features, like Demangle name, Local labels, Non-code names
    • If you want to sync labels right now, press the 'Sync now' button. Labeless will sync all found names in your IDB with Olly. The settings dialog will be closed automatically, saving all settings
    • If you want to customize settings for IDADump engine, do it in the 'IDADump' tab.
    • Click on 'Save & Close'
    Things automatically performed in the background

    • If you enabled 'Enable labels & comments sync' option, then Labeless will automatically synchronize all the data on any rename operation in IDA


    Download


    https://github.com/a1ext/labeless/releases/download/v_1_0_0_7/Labeless.v.1.0.0.7.zip
    source

    https://github.com/a1ext/labeless
    added link:
    https://github.com/a1ext/labeless/r...0_0_7/Labeless.v.1.0.0.7_with_IDA66_build.zip
    Slides pdf
    https://www.virusbtn.com/pdf/conference_slides/2015/ChailytkoTrafimchuk-VB2015.pdf

    Last edited: Nov 8, 2015
    Rip Cord likes this.
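    The two points from the description above, image base-independent synchronization and the 'on demand' / 'on rename' sync modes, sketched in Python as an added example. This is not Labeless code and uses none of its IDA or Olly APIs; the NameSync class, the dummy-name filter and all addresses, names and bases are constructed for illustration only.

```python
# Added example, not Labeless project code: a small model of two ideas from the
# plugin description, image base-independent name storage (names are kept as
# RVAs, so the 'Remote module base' can differ from the IDB's image base and can
# change after the debugger restarts) and the two sync modes ('on demand' vs
# 'on rename'). Every address, name and base below is constructed.

# Prefixes of IDA's auto-generated dummy names. Assumption: these are normally
# not worth pushing to the debugger, so they are filtered unless asked for.
DUMMY_PREFIXES = ("sub_", "loc_", "off_", "byte_", "word_", "dword_", "unk_")


def is_dummy_name(name):
    """True for auto-generated names such as sub_401000 or loc_40123C."""
    return name.startswith(DUMMY_PREFIXES)


class NameSync(object):
    """Keeps IDA-side names as RVAs and pushes them to a (modelled) debugger."""

    def __init__(self, ida_image_base, remote_module_base, sync_dummy_names=False):
        self.ida_base = ida_image_base
        self.remote_base = remote_module_base      # 'Remote module base' setting
        self.sync_dummy_names = sync_dummy_names
        self.on_rename_mode = False                # False: on demand; True: on rename
        self._names = {}                           # rva -> name (base-independent store)
        self._pending = {}                         # rva -> name not yet pushed
        self.sent = []                             # log of (remote_va, name) pushed so far

    def rename(self, ida_va, name):
        """Hook for every rename in IDA; ida_va is an IDB virtual address."""
        rva = ida_va - self.ida_base
        if rva < 0:
            raise ValueError("0x%x lies below the IDB image base" % ida_va)
        self._names[rva] = name
        if self.sync_dummy_names or not is_dummy_name(name):
            self._pending[rva] = name
        if self.on_rename_mode:
            self.sync_now()

    def sync_now(self):
        """'On demand' push: resolve pending RVAs against the current remote base."""
        batch = [(self.remote_base + rva, name)
                 for rva, name in sorted(self._pending.items())]
        self._pending = {}
        self.sent.extend(batch)
        return batch

    def remote_restarted(self, new_remote_base):
        """Debugger or VM restarted with a different module base: resend all.
        Nothing is lost because the store holds RVAs, not absolute addresses."""
        self.remote_base = new_remote_base
        self._pending = dict((rva, n) for rva, n in self._names.items()
                             if self.sync_dummy_names or not is_dummy_name(n))
        return self.sync_now()


def demo():
    """Walk through both sync modes and a remote base change; returns the results."""
    sync = NameSync(ida_image_base=0x400000, remote_module_base=0x10000000)
    sync.rename(0x401000, "decrypt_config")       # constructed sample names
    sync.rename(0x401234, "g_c2_key")
    sync.rename(0x401400, "sub_401400")           # dummy name, filtered out
    first = sync.sync_now()                       # on demand: two names pushed
    sync.on_rename_mode = True
    sync.rename(0x401000, "decrypt_config_v2")    # pushed immediately
    after_restart = sync.remote_restarted(0x20000000)
    return first, after_restart, list(sync.sent)


if __name__ == "__main__":
    for va, name in demo()[2]:
        print("%#x %s" % (va, name))
```

    The store keys names by RVA for the same reason the settings dialog asks for a 'Remote module base': the IDB's image base and the base the module actually got in the debugged process rarely match, and a store of absolute addresses would have to be rebuilt after every restart.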
  2. computerline

    Well-Known Member Ida Pro Expert

    Only support for Olly 1.10 :(
     
  3. m4n0w4r

    Well-Known Member

    I copied labeless_ida.plw to IDA's plugins directory (I'm using IDA 6.6). I got the error notification when starting IDA:

     
  4. computerline

    Well-Known Member Ida Pro Expert

    Because the file is built with the IDA 6.8 SDK, it will not work with IDA 6.6; it must be rebuilt, but even after rebuilding, it has a weird error with the IDA 6.6 GUI and makes IDA crash at any time :( I'm trying to fix it.
     
    m4n0w4r, Rip Cord and storm shadow like this.
  5. computerline

    Well-Known Member Ida Pro Expert

    m4n0w4r, Rip Cord and storm shadow like this.
  6. m4n0w4r

    Well-Known Member

    storm shadow likes this.
  7. a1ext

    Well-Known Member Ida Pro Expert Developer

    Rip Cord, m4n0w4r and storm shadow like this.
  8. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    thx m8, I'll upload it here also.
     

    Rip Cord, m4n0w4r and a1ext like this.
  9. a1ext

    Well-Known Member Ida Pro Expert Developer

    thanks
     
    Rip Cord likes this.
  10. a1ext

    Well-Known Member Ida Pro Expert Developer

  11. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

  12. a1ext

    Well-Known Member Ida Pro Expert Developer

    Rip Cord likes this.
  13. Rip Cord

    Administrator Staff Member Admin Developer

    thanks, link added to storm shadow's post
     
    storm shadow likes this.
  14. a1ext

    Well-Known Member Ida Pro Expert Developer

    Does somebody want to test Labeless for OllyDbg 2.01?
     
    m4n0w4r likes this.
  15. m4n0w4r

    Well-Known Member

    Can you share plugin for Ollydbg 2.01?
     
  16. a1ext

    Well-Known Member Ida Pro Expert Developer

    Yes, I can.
    There is a test environment; you may find labeless_olly2.dll in the "plugins" directory.
    Let me know if you get some strange behavior or find a bug.

    P.S. I want to do some refactoring in order to minimize duplicated python code between different backends.
    Edited: sorry for my English
     
    Last edited: Nov 15, 2015
  17. computerline

    Well-Known Member Ida Pro Expert

    Everything works fine! Need some code examples & documentation to use the OllyDbg2 Python binding :)
     
    Rip Cord likes this.
  18. a1ext

    Well-Known Member Ida Pro Expert Developer

    0vercl0k's samples should work, but I've not tested them. I've partially used his code (SWIG wrapper, wrappers for olly2 APIs) and he allowed me to do that.

    P.S. There is one difference, use
        ollyapi2
    instead of
        ollyapi
     
    Rip Cord and computerline like this.
  19. a1ext

    Well-Known Member Ida Pro Expert Developer

    Also, I made Python scripts outside the common module; you should replace
        from ollyapi import *
    with
        from ollyapi2 import *
        from breakpoints import *
        from utils import *
        from threads import *
        from sym import *
        from memory import *
    I know, that should be refactored.
     
  20. computerline

    Well-Known Member Ida Pro Expert

    Thank you! That's awesome work! :)
     