For collaborative reverse-engineering work on top of IDA I have not yet found anything that works well, whereas for traditional source-code development IDEs there are plenty of options. Analysing a large project or code base single-handedly is genuinely hard, and there is simply too much material to go through. That is the reason this plugin was written.
Open source is an attitude
I have no particularly deep understanding of open source; this is just what the events of the last couple of days got me thinking about, stated briefly. The first thing to be clear about is that open source does not mean free, nor does it mean you hold full rights to dispose of the code. I do not want to go through every right involved here, nor discuss the question of rights at all; I only want to look at it from the point of view of the life cycle of open-source code.
Since I started dealing with all sorts of IDA plugins last year I have come across many very good ones, but a lot of them are stuck at the IDA 5.0-5.5 stage, and many ship without source code. A plugin like that can only be left to die. Others that do release their source can be rebuilt to support IDA Pro 6.x and later with a few SDK adjustments and some simple fixes. That gives the code a much longer life and lets more people use it, so the code quietly becomes longer-lived. And because hosting code was not very convenient years ago, much of it was never put on a third-party open-source hosting service; all you can get is a downloadable archive.
OllyDbg v1.10 And Wow64
IDA SYNC For IDA 6.x
IDA Sync was written to allow multiple analysts to synchronize their reverse engineering efforts with IDA Pro in real time. Users connect to a central server through the ida_sync plugin. Once connected, all comments and name changes made with the registered hot keys are immediately transmitted to all other users working on the same project. The central server stores a copy of all changes as well, allowing new analysts to jump on the project and immediately receive up to date information.
generate_disasm_line and generate_disassembly
The meaning of these two functions is easy enough to grasp from their names, but in actual use the result is not what you would expect.
```cpp
idaman int ida_export generate_disassembly(
                // Generate disassembly (many lines)
                // and put them into a buffer
                // Returns number of generated lines
        ea_t ea,          // address to generate disassembly for
        char *lines[],    // buffer to hold pointer to generated lines
        int bufsize,      // size of buffer
        int *lnnum,       // number of "the most interesting" line
                          // may be NULL
        bool as_stack);   // Display undefined items as 2/4/8 bytes

idaman bool ida_export generate_disasm_line(
                // Generate one line of disassembly
                // This function discards all "non-interesting" lines
                // It is designed to generate one-line descriptions
                // of addresses for lists, etc.
        ea_t ea,          // address to generate disassembly for
        char *buf,        // pointer to the output buffer
        size_t bufsize,   // size of the output buffer
        int flags=0);

#define GENDSM_FORCE_CODE 1 // generate a disassembly line as if
                            // there is an instruction at 'ea'
#define GENDSM_MULTI_LINE 2 // if the instruction consists of several lines,
                            // produce all of them (useful for parallel instructions)
```
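One reason the text returned by these two functions does not look like what the IDA view shows is that SDK line buffers carry inline color tags (the SDK strips them with tag_remove). The following is an added example, not code from the page or from the IDA SDK: a stand-alone Python re-implementation of that stripping, so the tag format can be examined outside IDA. The tag bytes COLOR_ON/COLOR_OFF/COLOR_ESC/COLOR_INV, the COLOR_ADDR code value and the 8-hex-digit address width are taken from my reading of lines.hpp for a 32-bit database and should be treated as assumptions; the sample line is constructed.

```python
# Added example (not from the page or the IDA SDK): parse an IDA colored
# disassembly line, strip its color tags and recover embedded address tags.

COLOR_ON = "\x01"    # next byte is a color code: colour switched on
COLOR_OFF = "\x02"   # next byte is a color code: colour switched off
COLOR_ESC = "\x03"   # next byte is a literal character (escaped)
COLOR_INV = "\x04"   # invert colours; single byte, no code follows
COLOR_ADDR = "\x28"  # assumed: color code that is followed by an address in hex
ADDR_SIZE_32 = 8     # assumed: hex digits after COLOR_ADDR in a 32-bit database


def parse_colored_line(line: str, addr_size: int = ADDR_SIZE_32):
    """Return (plain_text, addresses) for one colored line.

    plain_text is the line with every tag removed (what tag_remove() gives);
    addresses are the integers carried by COLOR_ADDR tags, in order.
    """
    out = []
    addrs = []
    i = 0
    n = len(line)
    while i < n:
        c = line[i]
        if c == COLOR_ON or c == COLOR_OFF:
            # consume the tag byte and its colour code
            i += 1
            if i < n:
                code = line[i]
                i += 1
                if c == COLOR_ON and code == COLOR_ADDR:
                    # address tag: the next addr_size chars are the hex address
                    hexpart = line[i:i + addr_size]
                    try:
                        addrs.append(int(hexpart, 16))
                    except ValueError:
                        pass  # malformed tag: drop it rather than fail
                    i += addr_size
            continue
        if c == COLOR_ESC:
            # escaped byte: emit the following character literally
            i += 1
            if i < n:
                out.append(line[i])
                i += 1
            continue
        if c == COLOR_INV:
            i += 1
            continue
        out.append(c)
        i += 1
    return "".join(out), addrs


def tag_remove(line: str, addr_size: int = ADDR_SIZE_32) -> str:
    """Equivalent of the SDK's tag_remove(): plain text only."""
    return parse_colored_line(line, addr_size)[0]


# Constructed sample: "mov     eax, dword_401000" with arbitrary colour codes
# and one address tag pointing at 0x401000 (the colour code values are made up).
SAMPLE = ("\x01\x05mov\x02\x05     \x01\x0aeax\x02\x0a, "
          "\x01\x2800401000\x01\x0cdword_401000\x02\x0c")

if __name__ == "__main__":
    text, addrs = parse_colored_line(SAMPLE)
    print(repr(text), [hex(a) for a in addrs])
```

Inside IDA itself the same job is done by idaapi.tag_remove() (IDAPython) or tag_remove() in the C SDK; this re-implementation exists only to make the buffer format visible.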
Driver debugging with Visual Studio and a virtual machine
Obfuscated C code
Something I stumbled across by chance; the contest has apparently been running for a long time. Looking at the code, it really is something else.
```c
/*
+
+
+
+
[ >i>n[t
*/ #include<stdio.h>
/*2w0,1m2,]_r>i>=>(['0n1'0)1;
*/int/**/main(int/**/n,char**m){FILE*p,*q;int A,k,a,r,i/*
#uinndcelfu_dseti/_*/;char*d="P%" "d\n%d\40%d"/**/
"\n%d\n\00wb+",b[1024],y[]="yuriyurarararayuruyuri*daijiken**akkari~n**"
"/y*u*k/riinrarararayuruy9uriyu3riyurar_aBrMaPrOaWy^?"
"*]/f]`;hvroai+b+i>++b++>l[rb";int/**/u;for(i=0;i<101;i++)y[i*2]^="~hktrvg~dmG*eoa+%squ#l2"
":(wn\"1l))v?wM353{/Y;lgcGp`vedllwudvOK`cct~[|ju {stkjalor(stwvne\"gt\"yogYURUYURI"[
i]^y[i*2+1]^4;/*!*/p=(n>1&&(m[1][0]-'-'||m[1][1] !='\0'))?fopen(m[1],y+298):stdin;
/*y/riynrt~(^w^)],]c+h+a+r+*+*[n>)+{>f+oy++>u>>+r >+u+++y>--u---r>++i+++" < )< ;[>-m-.>a-.-i.++n.>[(w)*/!q/**/)
return+printf("Can " "not\x20open\40%s\40" "" "for\40%sing\n",m[!p?1:2],!p?/*
o=82]5< <+(+3+1+&.(+ m +-+1.)<)<|<|.6>4>-+(> m- &-1.9-2-)-|-|.28>-w-?-m.:>([28+
*/"read":"writ");for ( a=k=u= 0;y[u]; u=2 +u){y[k++ ]=y[u];}if((a=fread(b,1,1024/*
,mY/R*Y"R*/,p/*U*/)/* R*/ )>/*U{ */ 2&& b/*Y*/[0]/*U*/=='P' &&4==/*"y*r/y)r\}
*/sscanf(b,d,&k,& A,& i, &r)&& ! (k-6&&k -5)&&r==255){u=A;if(n>3){/*
]&<1<6< ?3> +:+ .1>3+++ . -m-) -;.u+=++.1<0< <; f>1,i>>1,r);u = k-5?8:4;k=3;}else
/*]>*/{(u)=/*{ p> >u >t>-]s >++(.yryr*/+( n+14>17)?8/4:8*5/
4;}for(r=i=0 ; ;){u*=6;u+= (n>3?1:0);if (y[u]&01)fputc(/*
h.a r -(-).)8+<1. >;+i.(< )< <)+{+i.f>([180*/1*
(r),q);if(y[u ]&16)k=A;if (y[u]&2)k--;if(i/*
("^w^NAMORI; { I*/==a/*" )*/){/**/i=a=(u)*11
&255;if(1&&0>= (a= fread(b,1,1024,p))&&
")]i>(w)-;} { /i-f-(-m--M1-0.)< {"
[ 8]==59/* */ )break;i=0;}r=b[i++]
;u+=(/**>> *..*&*^&%%$^**/+8&*
(y+u))?(10- r?4:2):(y[u] &4)?(k?2:4):2;u=y[u/*
49;7i\(w)/;} y}ru\=*ri[ ,mc]o;n}trientuu ren (
*/]-(int)'`';} fclose( p);k= +fclose( q);
/*] < *.na/m*o{ri{ d;^w^;} }^_^}}
" */ return k- -1+ /*\' '-`*/
( -/*}/ */0x01 ); {;{ }}
; /*^w^*/ ;}
```