
View Full Version : IDA 4.50 released, with integrated debugger!


dELTA
February 20th, 2003, 18:42
For the people interested, I can report that IDA 4.50 was released about a week ago.

In addition to quite a few general improvements, it now has an integrated debugger!!!

The combination of the usual deadlisting and the debugger makes it a really cool tool, that is very powerful and even conceptually new in some ways. For example being able to see the runtime stack split up nicely into its frames with all named stack variables and function parameters is really cool, not to mention some of the other stuff... Seems really nice to me anyway.

Here's a little tutorial about it from Datarescue:

http://www.datarescue.com/idabase/debugger/index.htm


And here's a list of all updates in the new version:

http://www.datarescue.com/idabase/idanew.htm


*drool*...

squidge
February 21st, 2003, 03:13
Yup, and you can get it from the usual places already... Not found a version that actually has the integrated debugger however

Manko
February 21st, 2003, 03:27
Yeah! It would be nice to get to play with THAT one!

Besides, it seems this crack is much more stable, though I've not had the time to try it fully...

/Manko

dELTA
February 21st, 2003, 07:57
Here's some more or less interesting info from the Datarescue (IDA) messageboard:

Latest version of IDA uses the network to check for other copies running with the same key. Also, some possible plans for harder protections in IDA:

http://www.datarescue.com/ubb/ultimatebb.php?ubb=get_topic;f=1;t=000490


Datarescue strikes hard against people running pirated versions and asking support questions:

http://www.datarescue.com/ubb/ultimatebb.php?ubb=get_topic;f=1;t=000475


No more freeware version of IDA at Datarescue's website (but Fravia+ promises to keep hosting it as long as he's allowed to):

http://www.datarescue.com/ubb/ultimatebb.php?ubb=get_topic;f=1;t=000478


/dELTA

Iwarez
March 1st, 2003, 17:31
I tried the debugger and it works good, but it can't (yet) offer the great overview that ollydebug allows me now. Maybe I can use it together with ollydebug to sort out difficult problems. Anyways, the datarescue guys did good work with version 4.50.

banshee
March 2nd, 2003, 01:17
Iwarez: Can you tell if the debugger is designed as a standalone plugin or if it is integrated in IDA? One more question: are you a registered IDA user or has somebody already warezed the new version?

squidge
March 2nd, 2003, 05:27
I've seen the new version warezed, but not with the integrated debugger.

esther
March 2nd, 2003, 06:13
*sigh*

"One more question: are you a registered IDA user or has somebody already warezed the new version?"

Hope this topic will not become another "where can I find the warez version" shit in here.

squidge
March 2nd, 2003, 09:04
Quote:
Originally posted by banshee
Iwarez: Can you tell if the debugger is designed as a standalone plugin or if it is integrated in IDA?


If the next question after the reply to this is "Will it work on an earlier version?", then the answer is no. It requires version 4.50 to operate.

Iwarez
March 2nd, 2003, 16:28
I'm a registered user and the debugger is integrated. I think the released 4.50 version is fake.... Also, I don't think the real version will be warezed as the distribution system changed (e.g. no downloads) and they are much more cautious after the 'cracked' version of 4.30

squidge
March 2nd, 2003, 18:34
Don't the new versions also have the "call home" (to help against warez versions) and "network check" function to ensure no one else on the local network is using IDA with the same serial? (to combat companies buying one copy and using it all over the company).

dELTA
March 3rd, 2003, 08:32
Check the URL to their message board that I posted above. They claim to have no "calling home" of any sorts, but it does give you a warning if you run it on the same LAN as another copy of the same license (it still works though). It sends one UDP broadcast package and then starts to listen on the same port, and then responds to any such broadcast it receives I think.
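
The LAN check described in the post above, sketched as an added example (not part of the original thread and not Datarescue's code). The message layout, the HMAC tag, and all names are assumptions, and loopback stands in for the LAN broadcast address:

```python
import hashlib
import hmac
import os
import socket

MAGIC = b"LICCHK1"  # hypothetical protocol tag (assumption, not from the page)
ID_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32

def license_tag(license_key: str, nonce: bytes) -> bytes:
    # HMAC keyed with the license key: shows "same key" without sending the key.
    return hmac.new(license_key.encode(), nonce, hashlib.sha256).digest()

def build_probe(license_key: str, instance_id: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return MAGIC + instance_id + nonce + license_tag(license_key, nonce)

def is_duplicate(datagram: bytes, license_key: str, my_id: bytes) -> bool:
    """True if the datagram comes from another instance using our license key."""
    if len(datagram) != len(MAGIC) + ID_LEN + NONCE_LEN + TAG_LEN or not datagram.startswith(MAGIC):
        return False  # unrelated traffic on the port
    body = datagram[len(MAGIC):]
    sender_id, nonce, tag = body[:ID_LEN], body[ID_LEN:-TAG_LEN], body[-TAG_LEN:]
    if sender_id == my_id:
        return False  # our own broadcast echoed back to us
    return hmac.compare_digest(tag, license_tag(license_key, nonce))

def loopback_demo(running_key: str, started_key: str) -> bool:
    """Instance A is already running, instance B starts; True if B must warn."""
    a_id, b_id = os.urandom(ID_LEN), os.urandom(ID_LEN)
    a = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    b = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        a.bind(("127.0.0.1", 0))  # a real check would listen on a fixed port
        a.settimeout(1)
        b.settimeout(1)
        b.sendto(build_probe(started_key, b_id), a.getsockname())
        probe, peer = a.recvfrom(512)
        if is_duplicate(probe, running_key, a_id):
            a.sendto(build_probe(running_key, a_id), peer)  # answer only on a match
        reply, _ = b.recvfrom(512)
        return is_duplicate(reply, started_key, b_id)
    except socket.timeout:
        return False  # nobody answered: no other copy seen
    finally:
        a.close()
        b.close()

if __name__ == "__main__":
    print(loopback_demo("KEY-A", "KEY-A"), loopback_demo("KEY-A", "KEY-B"))
```

Because only a keyed tag over a fresh nonce crosses the wire, a passive observer on the LAN learns that two copies share a key but not the key itself.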

banshee
March 5th, 2003, 04:51
Quote:
Originally posted by esther
Hope this topic will not become another "where can I find the warez version" shit in here.


I'm not asking for a warezed version. The thing I wanted to know: is it possible to somehow make the debugger available in the demo version to test it? IDA released by Skamer, as discussed on the exetools forum, has only the time and save limitations removed; there is no debugger. So who is right: Iwarez says "I'm a registered user and the debugger is integrated." and squidge says "If the next question after the reply to this is "Will it work on an earlier version?", then the answer is no. It requires version 4.50 to operate." Squidge, do you mean that the debugger is a plugin? In the 4.5 demo there are hidden forms and menus for the debugger to work. If the debugger is integrated it could be enabled, I think.

squidge
March 5th, 2003, 05:07
I've not used 4.50 personally, but from what I've read, the debugger can only be used on 4.50.

Iwarez
March 5th, 2003, 17:24
As I said, it's not in the previous versions. And it's not standalone. The version 4.30 I had before had no trace of a debugger. The Datarescue forum did talk about the debugger after the 4.30 was released and they asked there if there was any need to integrate it. So, you need to have 4.50 to have the debugger.

Tron101
March 11th, 2003, 18:54
Quote:
Originally posted by banshee
In the 4.5 demo there are hidden forms and menus for the debugger to work. If the debugger is integrated it could be enabled, I think.



Banshee I think you are right about the debugger residing in the demo version, but it's just disabled.... I wonder if we can re-enable it. I'll have a look at it to see what I can do.


Btw, is there any way to enable "Patching" in 4.3 and 4.5? It doesn't seem to allow it anymore even though the option is there before you open up a file to disassemble, but it disappears after you open a file/previous project.

Iwarez
March 12th, 2003, 06:21
Check the idagui.cfg file.

If this line is not there add it:
DISPLAY_PATCH_SUBMENU = YES // Display the Edit,Patch submenu

banshee
March 12th, 2003, 15:02
Some results of my investigation:
Forms and, I think, all debugger routines exist in the demo exe. You can enable the hidden Debugger submenu in the Main menu just by editing resources. Set Visible to True (it's a BCB 5 application), that's all. But the debugger still remains inactive at all times. Then I found some magic dword 0x0054BA00; setting it <>0 enables something - you can set up process, debugger, view breakpoints list, watch list etc., but when you try to open the Debugger window or start a process, the program crashes. I think that dword must be part of some structure and must contain some address. I tried to imagine what address it could be and wrote a script to find possible addresses (it is not perfect I think ;-) :

static main()
{
    auto i,a,filename,filehandle;
    a=1;
    filename=AskFile(1,"*.*","File for saving list of addresses");
    filehandle=fopen(filename,"wt");
    Message("\nList of addresses:");
    fprintf(filehandle,"\nList of addresses:");
    for(i=0x00401000; i<0x005bff70; i++) // i is the candidate address
    {
        // every checked offset must hold a pointer into the code range
        if (Dword(i+0x0c)<0x00401000) a=0; // lower bound of the code range
        if (Dword(i+0x0c)>0x005285b1) a=0; // upper bound of the code range
        if (Dword(i+0x28)>0x000000ff) a=0;
        if (Dword(i+0x3c)<0x00401000) a=0;
        if (Dword(i+0x3c)>0x005285b1) a=0;
        if (Dword(i+0x4c)<0x00401000) a=0;
        if (Dword(i+0x4c)>0x005285b1) a=0;
        if (Dword(i+0x54)<0x00401000) a=0;
        if (Dword(i+0x54)>0x005285b1) a=0;
        if (Dword(i+0x5c)<0x00401000) a=0;
        if (Dword(i+0x5c)>0x005285b1) a=0;
        if (Dword(i+0x60)<0x00401000) a=0;
        if (Dword(i+0x60)>0x005285b1) a=0;
        if (Dword(i+0x64)<0x00401000) a=0;
        if (Dword(i+0x64)>0x005285b1) a=0;
        if (Dword(i+0x68)<0x00401000) a=0;
        if (Dword(i+0x68)>0x005285b1) a=0;
        if (Dword(i+0x6c)<0x00401000) a=0;
        if (Dword(i+0x6c)>0x005285b1) a=0;
        if (Dword(i+0x70)<0x00401000) a=0;
        if (Dword(i+0x70)>0x005285b1) a=0;
        if (Dword(i+0x74)<0x00401000) a=0;
        if (Dword(i+0x74)>0x005285b1) a=0;
        if (Dword(i+0x78)<0x00401000) a=0;
        if (Dword(i+0x78)>0x005285b1) a=0;
        if (Dword(i+0x7c)<0x00401000) a=0;
        if (Dword(i+0x7c)>0x005285b1) a=0;
        if (Dword(i+0x84)<0x00401000) a=0;
        if (Dword(i+0x84)>0x005285b1) a=0;
        if (Dword(i+0x88)<0x00401000) a=0;
        if (Dword(i+0x88)>0x005285b1) a=0;
        if (Dword(i+0x8c)<0x00401000) a=0;
        if (Dword(i+0x8c)>0x005285b1) a=0;
        // report candidates that passed every check, on screen and in the file
        if (a==1) Message("\n%08X function %08X %08X",i,Dword(i+0x3C),Dword(i+0x8C));
        if (a==1) fprintf(filehandle,"\n%08X function %08X %08X",i,Dword(i+0x3C),Dword(i+0x8C));
        a=1; // reset the flag for the next candidate
    }
    fclose(filehandle);
}

The condition for the comparison is that there must be addresses of some functions at certain offsets from the address we are trying to find. I found about 64 addresses that may satisfy the conditions, here is the result


The first address is that magic value, the second is the value at offset 03Ch from the first; it is an address called somewhere as a function, and the comments say whether there is any real function at that address (n means no function). I checked only one offset - 03Ch, so there are 15 more to check. Could somebody take a look? Maybe I'm doing something wrong. And if there are some Delphi/BCB gurus here, their advice might be helpful.

P.S. Maybe my explanation is not clear enough, so any questions?

P.P.S. I forgot - all addresses are for +Skamer's internal release.

dELTA
March 12th, 2003, 15:50
To be honest, I don't think Ilfak and the guys would ever leave the code of the non-demo parts intact in the demo version.

The only reason that the resources are still there but disabled is most likely just because they are not as convenient to #define away as the code itself. That is also most likely the reason that the program crashes once you have re-enabled the resources, since the code they are referring to in most parts just isn't there.

But hey, you never know, let us know if you find out they made some embarrassing mistakes with leaving the code intact.

I can already imagine the nerd-tabloid headlines:

"ILFAK GUILFANOV LEAVES INTACT CODE IN IDA DEMO VERSION, WE HAVE THE EXCLUSIVE HEX-DUMPS".



dELTA

squidge
March 12th, 2003, 18:11
Quote:
Originally posted by dELTA

I can already imagine the nerd-tabloid headlines:

"ILFAK GUILFANOV LEAVES INTACT CODE IN IDA DEMO VERSION, WE HAVE THE EXCLUSIVE HEX-DUMPS".



dELTA


LOL Although, like yourself, I find it highly unlikely to see the code in there, so not bothered to even look myself. The demo version is quite well protected* against hackers, with large portions missing, so I don't see why they should leave the debugger in there.

* = meaning it takes quite a while to hack it, compared to certain other commercial software using ready made off-the-shelf protection

banshee
March 13th, 2003, 08:48
Guys, I'm sorry, I was mistaken. The given addresses are not for +Skamer's release, but for the native demo. But nobody is going to check it, so it doesn't matter ;-)

kr0n0
March 19th, 2003, 08:48
is +Fravia still hosting the demo legal version? 4.3 right?
since going through datarescue requires one to register... etc...

could someone point the url?
(not that i didn't search; i did)
thnx

banshee
March 27th, 2003, 10:48
There is a 4.5 demo on ftp.exetools.com. Maybe I didn't understand you, what do you mean saying legal demo?

esther
March 27th, 2003, 12:43
Hi kr0n0,

There's an old version in fravia anti crack de (ida3b)

Not 4.3.


>Maybe I didn't understand you, what do you mean saying legal demo

There's no demo out on fravia's site, only a beta version

updated:

I supposed legal demo means you have to fill the form and download at Datarescue's site