OpenRCE_Sirmabus
May 13th, 2008, 10:03
"Function String Associate" IDA Plug-in:
I thought of this idea the other day based on the observation of "assert()", development, debug text strings, etc., that software developers often leave in programs I want to reverse.
As I'm sure others do, I look at these comments to help me determine what a particular function is for (x86 binary targets that is).
I thought, wouldn't it be nice to somehow data mine this stuff and automatically put some of it as a function comment?
Based on this, what this plug-in does is iterate through every function in IDA and auto-comments every function that has these strings (unless it already has a comment). It applies a little logic to it, to try to put the most relevant strings first.
Sort of a proof of concept thing. It's hard to say how useful it is yet.
So far it does seem to help as I browse around a DB. I'm putting together things a bit faster because of it.
Of course it only works as well as your target uses such messages mixed in its code.
So far on programs I've used it on, the plug-in finds such strings on about 15% of all functions.
With source. If you expand on the idea, add helpful modifications, etc., share it here please.
http://www.openrce.org/repositories/users/Sirmabus/IDA_FunctionStringAssociate_PlugIn.zip
https://www.openrce.org/blog/view/1137/"Function_String_Associate"__IDA_Plug-in
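The approach the post describes (collect the strings each function references, put the most relevant first, leave already-commented functions alone), as an added Python example that is not Sirmabus's plug-in code. The scoring rules, the `MAX_LEN` cap and the `SAMPLE` dictionary standing in for an IDA database are assumptions made for illustration; the post does not say how the plug-in ranks strings.

```python
import re

MAX_LEN = 200  # assumed cap on comment length (not from the post)

# (pattern, weight) relevance hints. Assumed heuristics, not the plug-in's own logic.
RULES = [
    (re.compile(r"\w+::\w+|\b\w+\(\)"), 4),               # names a function or method
    (re.compile(r"assert|fail|error|invalid", re.I), 2),  # assert()/error text
    (re.compile(r"\.(?:c|cc|cpp|h|hpp)\b", re.I), 2),     # source path left by assert()
    (re.compile(r"%[-0-9.]*[sdxXup]"), 1),                # printf-style debug format
]

def score(s):
    # Higher means more likely to describe the function; very short strings are noise.
    return sum(w for rx, w in RULES if rx.search(s)) - (3 if len(s) < 4 else 0)

def build_comment(strings):
    """Deduplicate, rank, and join the strings one function references."""
    uniq = []
    for s in strings:
        s = " ".join(s.split())          # collapse newlines so the comment stays one line
        if s and s not in uniq:
            uniq.append(s)
    # Stable sort: strings with equal scores keep the order they appear in the code.
    ranked = sorted((s for s in uniq if score(s) >= 0), key=score, reverse=True)
    out = ""
    for s in ranked:
        piece = ('"%s"' if not out else ', "%s"') % s
        if len(out) + len(piece) > MAX_LEN:
            break
        out += piece
    return out

def annotate(funcs):
    """funcs: {name: (existing_comment_or_None, [strings])} -> {name: new_comment}."""
    new = {}
    for name, (existing, strings) in funcs.items():
        if existing:                     # never overwrite a comment that is already there
            continue
        comment = build_comment(strings)
        if comment:
            new[name] = comment
    return new

# Constructed sample standing in for an IDA database; names and strings are made up.
SAMPLE = {
    "sub_401000": (None, ["ok", "%s:%d", "Assertion failed: %s, file %s",
                          "net\\socket.cpp", "CSocket::Connect", "%s:%d"]),
    "sub_401200": ("decrypts config", ["bad key length"]),
    "sub_401400": (None, []),
}
```

Calling `annotate(SAMPLE)` comments only `sub_401000`; the function with an existing comment and the one with no strings are left untouched.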