
"Function String Associate" IDA Plug-in


Sirmabus
May 13th, 2008, 03:25
"Function String Associate" IDA Plug-in:

I thought of this idea the other day based on the observation of "assert()", development and debug text strings, etc., that software developers often leave in programs I want to reverse.
As I'm sure others do, I look at these strings to help me determine what a particular function is for (x86 binary targets, that is).
I thought, wouldn't it be nice to somehow data mine this stuff and automatically put some of it in as a function comment?

Based on this, what this plug-in does is iterate through every function in IDA and auto-comments every function that has these strings (unless it already has a comment). It applies a little logic to it, to try to put the most relevant strings first.

Sort of a proof of concept thing. It's hard to say how useful it is yet.
So far it does seem to help as I browse around a DB. I'm putting together things a bit faster because of it.

Of course it only works as well as your target uses such messages mixed in with its code.
So far on the programs I've used it on, the plug-in finds such strings in about 15% of all functions.

With source. If you expand on the idea, add helpful modifications, etc., share it here please.

dELTA
May 13th, 2008, 04:10
Nice idea Sirmabus.

CRCETL:
http://www.woodmann.com/collaborative/tools/Function_String_Associate

One idea:
I think it would be really helpful for navigation to be able to display the strings also for the function called by the function in question, to a configurable depth, and presented indented in a tree-like fashion.

Example:
Function A calls function B and C.
Function B also calls function D.

The comment on function A (if call depth is configured to 2) would then look like:

Code:
"This is string found in function A"
"This is another string found in function A"
"This is string found in function B"
"This is another string found in function B"
"This is string found in function D"
"This is another string found in function D"
"This is string found in function C"
"This is another string found in function C"


This would make it much easier to navigate unknown code that is spread out over a few call depths, where a more-than-one-level-deep call would otherwise obscure anything below it, see what I mean?
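Below is an added example, not Sirmabus' plug-in source or anything dELTA posted: a stand-alone Python model of the two ideas in this thread, the per-function string harvest with "most relevant first" ordering from the first post, and the depth-limited, indented callee tree suggested above. The database (functions, string literals, data xrefs, direct-call graph) is constructed inline so it runs outside IDA; the scoring rule in score() is my own assumption, not the plug-in's; and run_in_ida() is a hypothetical IDAPython wiring (assumed IDA 7.x API names) that is never called here.

```python
"""Function-string-associate model: own strings first, then callees' strings
indented to a configurable depth.  Constructed sample data, not a real DB."""
import re

# Constructed sample database.  Function start -> (start, end) address range.
FUNCS = {
    0x401000: (0x401000, 0x401100),   # "A"
    0x401100: (0x401100, 0x401200),   # "B"
    0x401200: (0x401200, 0x401300),   # "C"
    0x401300: (0x401300, 0x401400),   # "D"
}
# String literal address -> content (constructed).
STRINGS = {
    0x500000: "bufsize > 0",                  # assert() expression text
    0x500010: "src/net/socket.cpp",           # __FILE__ from the same assert
    0x500030: "%s",                           # bare format string, says nothing
    0x500040: "Connection refused by %s:%d",
    0x500060: "cache miss for key %s",
    0x500070: "Parser::parse_header",         # __FUNCTION__ style literal
    0x500080: "OK",
}
# Data xrefs: string address -> code addresses referencing it (constructed).
STR_XREFS = {
    0x500000: [0x401010], 0x500010: [0x401014], 0x500030: [0x401020, 0x401210],
    0x500040: [0x401120], 0x500060: [0x401220], 0x500070: [0x401310],
    0x500080: [0x401320],
}
# Direct-call graph only (A->B, A->C, B->D).  Calls through vtables or
# function pointers are absent, exactly as they would be in a static xref pass.
CALLS = {0x401000: [0x401100, 0x401200], 0x401100: [0x401300],
         0x401200: [], 0x401300: []}

# Matches strings made only of printf specifiers, whitespace and punctuation.
FMT_ONLY = re.compile(r'^(%[-+ #0]*\d*(\.\d+)?[a-zA-Z]|[\s\W])*$')

def func_containing(ea, funcs):
    """Start address of the function whose range holds `ea`, else None."""
    for start, (lo, hi) in funcs.items():
        if lo <= ea < hi:
            return start
    return None

def score(text):
    """Relevance heuristic (assumption, not the plug-in's rule): drop format-only
    and very short strings, favour letters, identifiers and source paths."""
    if len(text) < 4 or FMT_ONLY.match(text):
        return -1
    pts = sum(c.isalpha() for c in text)
    if "::" in text or re.search(r'\w+\(', text):
        pts += 20                      # looks like a function name / assert expr
    if re.search(r'\.(c|cpp|cc|h)$', text):
        pts += 10                      # __FILE__ literal
    return pts

def collect_strings(funcs, strings, xrefs):
    """Map each function start -> list of string literals its code references."""
    out = {start: [] for start in funcs}
    for sea, text in strings.items():
        for ref in xrefs.get(sea, ()):
            f = func_containing(ref, funcs)
            if f is not None and text not in out[f]:
                out[f].append(text)
    return out

def rank(texts, limit=8):
    """Most relevant first; strings scoring below zero are dropped."""
    scored = sorted(((score(t), t) for t in texts), key=lambda p: -p[0])
    return [t for s, t in scored if s >= 0][:limit]

def comment_tree(start, per_func, calls, depth, indent=0, seen=None):
    """Own strings, then each direct callee's strings indented one level, down
    to `depth` callee levels.  `seen` breaks cycles and shows a shared callee
    only once; depth=0 is the first post's behaviour (no callees)."""
    seen = set() if seen is None else seen
    seen.add(start)
    lines = ["  " * indent + '"%s"' % t for t in rank(per_func.get(start, []))]
    if depth > 0:
        for callee in calls.get(start, []):
            if callee not in seen:
                lines += comment_tree(callee, per_func, calls, depth - 1, indent + 1, seen)
    return lines

def build_comment(start, per_func, calls, depth=0):
    return "\n".join(comment_tree(start, per_func, calls, depth))

def run_in_ida(depth=0):
    """Hypothetical IDAPython wiring (assumed IDA 7.x names); not run here."""
    import idautils, idc, ida_funcs            # only importable inside IDA
    funcs = {}
    for ea in idautils.Functions():
        f = ida_funcs.get_func(ea)
        funcs[f.start_ea] = (f.start_ea, f.end_ea)
    strings = {s.ea: str(s) for s in idautils.Strings()}
    xrefs = {sea: [x.frm for x in idautils.XrefsTo(sea)] for sea in strings}
    calls = {start: [] for start in funcs}
    for start in funcs:
        for head in idautils.FuncItems(start):
            for tgt in idautils.CodeRefsFrom(head, False):   # calls/jumps out
                callee = ida_funcs.get_func(tgt)
                if callee and callee.start_ea != start:
                    calls[start].append(callee.start_ea)
    per = collect_strings(funcs, strings, xrefs)
    for start in funcs:
        if idc.get_func_cmt(start, 1):       # leave existing comments alone
            continue
        cmt = build_comment(start, per, calls, depth)
        if cmt:
            idc.set_func_cmt(start, cmt, 1)  # repeatable, as the plug-in does

if __name__ == "__main__":
    per = collect_strings(FUNCS, STRINGS, STR_XREFS)
    print(build_comment(0x401000, per, CALLS, depth=2))
```

With depth=2 the comment on A lists A's own two assert strings, then B's message indented, D's function name indented twice under it, then C's message; "%s" and "OK" are filtered out wherever they occur. Because CALLS only carries statically resolvable edges, a callee reached through a vtable simply does not appear, which is the limitation raised in the reply below.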

Sirmabus
May 13th, 2008, 04:59
That would certainly complicate things more, and probably take a hell of a lot of processing :-P
Also, many true function hierarchies might not be known until run-time analysis due to indirections via vtables, etc.

At least these comments are set as repeatable. So as you browse around in IDA you can see the comments nested inside of other functions.

dELTA
May 13th, 2008, 08:22
Yes, but remember, the more processing the computer has to do, the less you have to do yourself...

abuse007
May 13th, 2008, 21:17
Hi Delta,

I haven't used Sirmabus' "Function String Associate" IDA Plug-in yet, but if I understand your enhancement suggestion, I think you can get that information from IDA's Graph Functions. If the assert strings are in the function comment, when you graph the functions, with show comments enabled, that should give you a graph (which can be restricted in depth from/to the current function) that shows the comments.

Does this give you the functionality you suggested?

dELTA
May 14th, 2008, 03:40
Ok, cool, that should provide a good overview of similar kinds, yes (depending on how the comments are displayed in this case).