NEW IDA Pro ExtraPass plugin v3.4 by Sirmabus

Discussion in 'Plugins' started by storm shadow, May 10, 2015.

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    An IDA Pro Win32 target clean up plug-in by Sirmabus.
    Version 3.4
    It does essentially four cleaning/fixing steps:
    1. Convert stray code section values to "unknown".
    2. Fix missing "align" blocks.
    3. Fix missing code bytes.
    4. Locate and fix missing/undefined functions.
    It's intended for, and only tested on, typical MSVC and Intel compiled Windows 32-bit binary executables,
    but it might still be helpful on Delphi/Borland and other compiled targets.
    Update [May 2015]:
    Updated to IDA SDK 6.7, no 64bit version yet.

    http://sourceforge.net/projects/idaextrapassplugin/?source=typ_redirect

    source
    http://www.macromonkey.com/bb/index.php/topic,21.0.html
     

    Rip Cord likes this.
  2. sendersu

    Active Member

    I've one idea/proposal
    after your great plugin ExtraPass 3.4 has been run on some target in IDA
    it says a couple of times about some issues, e.g.:
    ......
    0049A2DF "sub_49A2D4" problem? <click me>
    ......

    and here is the sub itself:
    http://prntscr.com/7cqac1


    so, ideally that block should be align xx
    but for some reason plugin decided to create the subroutine
    Question:
    are there any ways to deduce this case and add extra logic inside?
    thanks
     
    Last edited: Jul 12, 2015
    storm shadow likes this.
  3. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    I will email @Sirmabus the dev to see if he can help out with this one.
     
    Rip Cord likes this.
  4. Sirmabus

    Member Ida Pro Expert

    That error happens in "TryFunction()" when it encounters something unexpected when it thinks it's looking at what should probably
    be a function in the specified address range.

    Like IDA itself makes mistakes or the wrong assumption, or why there even has to be this plug-in like this in the first place - it's not an exact science.
    In other words it's based on assumptions of patterns and what is the best usual case(s).
    It's not perfect, but doesn't mean it can't be made better.
    Better solutions these days use some kind of statistical, so called "learning" approach.

    As a matter of fact I read a research white paper recently where there is a better method of finding function boundaries than what IDA can do.
    I'd like to incorporate it into my tool in the future.

    The bottom line is you will get errors like this from time to time, maybe something is odd about the function, or maybe it's
    not really a function at all. Maybe half a function that IDA got confused on, etc.
    I'm going for trying to fix most of the common cases, but not for 100% accuracy.
    To fix/better it, it takes time and energy to test and account for each bad case.
    The code is there, anyone is welcome to work on it too..

    --------------------------------------------------------------------------------------------------------

    I haven't seen this case much. Maybe something broke or something to do with a specific situation that causes this.
    Where it's at is line #584 "if (!IsAlignByte(StartValue, NULL))"
    Either the code broke out (didn't look like an alignment) or the IDA SDK doAlign() failed (happens with IDA).

    The check for alignment sections pass is before the fix code and functions pass.

    I don't have your IDB so I can't walk through it.
    If you run a debug build of the plug-in and make a test thing like
    Code (Text):
    if(s_eaCurrentAddress == 0x49A2D4)
    {
         int breakhere= 0;
    }
    Put a break point on the "breakhere", or put an "_asm int 3;" in there instead.
    Easier than trying to make a conditional breakpoint.
    You can trace through and see if the code calls a doAlign().

    Also see the comments line #742, and you can uncomment the "msg("%08X %d ** align fail **\n", eaStartAddress, uAlignByteCount);"

    Unfortunately there are problems like that in IDA where some API calls fail for unknown reasons (the API doesn't return detailed error codes).

    Hmm, maybe I need to keep some kind of list that checks if an area is already marked as alignment then don't try to fix its code or try to put a function there.
    It would cover the cases where doAlign() might fail at least.
    Next time I update the plug-in I'll try this.
     
    Last edited: Jun 7, 2015
    sendersu and Rip Cord like this.
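
The bookkeeping proposed at the end of the post above (remember which ranges the alignment pass classified as padding, and skip them in the function pass even when doAlign() failed), as an added stand-alone C++ example. It is not code from ExtraPass or its author and makes no IDA SDK calls. Assumptions: padding bytes are 0xCC or 0x90, functions are 16-byte aligned, every name here is hypothetical, and the sample bytes are constructed around the address from the report rather than taken from the poster's binary.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

typedef uint32_t ea_t;  // stand-in for the SDK address type on a 32-bit target
// Assumption: inter-function padding is 0xCC (int3) or 0x90 (nop).
static bool isPadByte(uint8_t b) { return b == 0xCC || b == 0x90; }

// Half-open [start, end) ranges the alignment pass has classified as padding.
class AlignRanges {
    std::map<ea_t, ea_t> ranges_;  // start -> end
public:
    void add(ea_t start, ea_t end) { if (start < end) ranges_[start] = end; }
    bool contains(ea_t ea) const {
        auto it = ranges_.upper_bound(ea);       // first range starting after ea
        if (it == ranges_.begin()) return false;
        return ea < (--it)->second;              // inside the preceding range?
    }
};

// Alignment pass: record each run of one repeated pad byte that ends on an
// aligned boundary, independent of whether marking it in the database works.
size_t recordAlignRuns(const std::vector<uint8_t>& code, ea_t base,
                       ea_t alignment, AlignRanges& out) {
    size_t found = 0;
    for (size_t i = 0; i < code.size();) {
        if (!isPadByte(code[i])) { ++i; continue; }
        size_t j = i;
        while (j < code.size() && code[j] == code[i]) ++j;
        if ((base + j) % alignment == 0) { out.add(base + ea_t(i), base + ea_t(j)); ++found; }
        i = j;
    }
    return found;
}
// Function pass guard: never try to create a function inside recorded padding.
bool shouldTryFunction(const AlignRanges& a, ea_t ea) { return !a.contains(ea); }
// Constructed sample loaded at 0x49A2C0: body, 12 pad bytes, next function.
std::vector<uint8_t> sampleSection() {
    std::vector<uint8_t> s(20, uint8_t(0x40));          // "inc eax" filler as a function body
    s.insert(s.end(), 12, uint8_t(0xCC));               // padding 0x49A2D4..0x49A2DF
    s.insert(s.end(), {0x55, 0x8B, 0xEC, 0x5D, 0xC3});  // next function at 0x49A2E0
    return s;
}
int main() {
    AlignRanges aligns;
    recordAlignRuns(sampleSection(), 0x49A2C0, 16, aligns);
    std::printf("try function at 0049A2D4: %d\n", shouldTryFunction(aligns, 0x49A2D4));
}
```

A byte scan like this can mistake 0xCC or 0x90 inside an instruction for padding, so in a real pass it would only be applied to bytes not already owned by a decoded instruction.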
  5. sendersu

    Active Member

    Hi, thanks for such a wide and full explanation!
    unfortunately I lost that IDA db, so I'll try to debug next time......

    meanwhile, what I've learned might be very important for any ExtraPass plugin user:

    once you run the plugin, you might encounter a condition, when all the strings (ASCIIZ in my case) become...... bytes....... so in IDA/HR you'll see the refs to ukn_xxx instead of pure string itself......

    that was very annoying (as I've tried to fix it by hand - pressing 'A' shortcut (for making string) really dozens of times).....
    then, I've tried to run the default IDA's feature: //Reanalyze


    and then the magic comes back to life - all my strings became strings once again :)
    I can't tell the feeling in that moment :)
     
    Rip Cord and storm shadow like this.