
View Full Version : IDA 2 Sice


Morgatte
October 22nd, 2006, 04:49
I would like to know if someone has succeeded in using the plugin i2s with IDA 5.x?
It works under IDA 4.6 but not with the latest version.
Has someone tried it?

Someone tells me I must change some points in the source (but first, I don't know which ones) and compile it with the new SDK. I can't because I have only the SDK 4.6.

In fact, When I put those lines in the plugins.cfg file...
I2S_Conversion i2s F12 0
I2S_Save_NMS i2s Shift-F12 1
I2S_Source_Info i2s Ctrl-F12 2
I2S_Setup i2s 0 3
and when I restart IDA, those items don't appear in the "Plugin" menu.

Polaris
October 22nd, 2006, 05:56
Silly question: have you checked you are using a plugin binary compiled for 4.9 and above? Each version of IDA prior to 4.9 (if I am correct) needs plugins that have been compiled specifically for that version...

Morgatte
October 22nd, 2006, 10:18
Yes, I agree with you, but I can't try i2s v5 because I think it doesn't exist. I can't find it anywhere on the web, so ....

Polaris
October 22nd, 2006, 12:12
Well, then you have 3 possibilities: you recompile it yourself, you ask the author to port it, or you simply do not use it

Morgatte
October 22nd, 2006, 13:22
Yes, for the moment I use IDA 4.5 with its i2s plugin, so there is no problemo.

But now that I can use IDA 5.00 I would like to work with it too, and the i2s plugin is very interesting, isn't it?

I have downloaded IDASDK 5.0 so I'll try to compile a new i2s but I think that will be very hard.

Thanks for your reply.
Bye.

Kayaker
October 22nd, 2006, 15:36
Hi

It's challenging but not impossible. I'll give you a few tips to get you started. The new SDK uses a number of functions which i2s uses that need to be modified. Basically you need to recompile ida2sice_408 under the new SDK and "fix" every compiler error.

Most of the errors will be because of the new string-safe or buffer overflow versions of previous functions. I place these into 2 groups.

Group 1: The functions strncpy, sprintf and strcat
have been replaced with their string-safe versions,
qstrncpy, qsnprintf and qstrncat.

Group 2: The following functions were also modified to protect
against buffer overflow and required updating:
get_member_name, get_root_filename, get_input_file_path,
get_true_segm_name, get_struc_name.


Here is an example of modifying a single line in i2s to be compatible with the new version of strcpy (now qstrncpy).
As you can see all we're doing is adding a buffer size element to the function (which is what string-safe functions do). The commented-out code is the *old* i2s function, below it is the new declaration. This is all that is needed:

Code:

// NEW: qstrncpy(char *dst, const char *src, size_t dstsize);

// strcpy( sicePath, pSicePaths[I] );
// sizeof gives the real capacity only because sicePath is declared as a
// char array; for a pointer the buffer size must be passed explicitly.
qstrncpy( sicePath, pSicePaths[I], sizeof sicePath );



Here is an example of modifying one of the functions in the 2nd group. You need to add a buffer and a buffer size element. What I did was to define a buffer with the name 'member_name' and give it a size [MAXNAMELEN]. This could then be used in place of the (char *buf, size_t bufsize) parameters of the new version of the get_member_name function.

Code:

// OLD: get_member_name(tid_t mid);
// NEW: get_member_name(tid_t mid, char *buf, size_t bufsize);

// pMemberName = (WORD*)get_member_name( pMember->id );

char member_name[MAXNAMELEN];
get_member_name(pMember->id, member_name, sizeof member_name);

pMemberName = (WORD*)member_name;


In some cases you will need to combine the modifications in these two groups in creative ways:

Code:

// NEW: qstrncpy(char *dst, const char *src, size_t dstsize);
// NEW: get_member_name(tid_t mid, char *buf, size_t bufsize);

// strcpy( pName_afterDot, get_member_name( pMember->id ) );

char member_name[MAXNAMELEN];
get_member_name(pMember->id, member_name, sizeof member_name);

// Note: strlen(member_name)+1 is the length of the *source*, not the capacity
// of pName_afterDot, so this bound only reproduces strcpy's behaviour; pass
// the destination buffer's real size here if it is known at this point.
qstrncpy( pName_afterDot, member_name, strlen (member_name) +1 );



If you're still in the game after all this, there will be a few more changes to make but you should be comfortable enough with the i2s code by that time that you should be able to work with them yourself. The most problematic one will be with the new version of supval, but it too can be fixed if you spend a bit of time on it.

// OLD: char *supval(nodeidx_t alt, char tag=stag)
// NEW: ssize_t supval(sval_t alt, void *buf, size_t bufsize, char tag=stag)


Here is one last modification I found necessary to make to kernwin.hpp before starting it all:

Code:

VC6++
Include files: C:\..\IDA\SDK\INCLUDE
Library files: C:\..\IDA\SDK\LIBVC.W32

============================================================

To compile this plugin the first step is to modify the file
..\sdk\includes\kernwin.hpp

The class linearray_t should be declared as 'public', as in:

class linearray_t
{
public:
DECLARE_LINEARRAY_HELPERS(friend)
...

============================================================


In total there are just over 100 compiler errors of 3 or 4 types which need repairing. It took me a few days to do it but don't be discouraged by them. Be patient and think of it as a great way of learning to work with the IDA SDK and the excellent example of Mostek's Ida2Sice plugin.

If you need further help as you go along I will be glad to help.

Cheers,
Kayaker
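The porting pattern described in the post above, as an added example that is not part of the thread, of i2s, or of the IDA SDK: i2s_qstrncpy and i2s_get_member_name are stand-ins with the semantics assumed for qstrncpy and the new get_member_name (copy into a caller buffer, never past its end, always NUL-terminate), and the member names are constructed samples. It shows why the size argument must be the destination's capacity rather than strlen(src)+1, and what truncation looks like when the name does not fit.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the SDK's qstrncpy (assumed semantics): copy at most
 * dstsize-1 bytes and always NUL-terminate, truncating instead of
 * overflowing. Not the SDK's own implementation. */
static char *i2s_qstrncpy(char *dst, const char *src, size_t dstsize)
{
    if (dstsize == 0)
        return dst;                     /* nothing can be written safely */
    size_t n = strlen(src);
    if (n >= dstsize)
        n = dstsize - 1;                /* truncate, leave room for NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return dst;
}

#define MAXNAMELEN 32                   /* deliberately small to show truncation */

/* Hypothetical "group 2" style call: like the new get_member_name it writes
 * into a caller-supplied buffer instead of returning an internal pointer. */
static size_t i2s_get_member_name(int mid, char *buf, size_t bufsize)
{
    /* constructed sample names; a real SDK call would consult the database */
    const char *name = (mid == 1) ? "field_with_a_deliberately_long_member_name"
                                  : "x";
    i2s_qstrncpy(buf, name, bufsize);
    return strlen(buf);
}

/* The combined pattern from the post, with the real capacity of the
 * destination passed as the bound. Returns the number of bytes stored. */
static size_t copy_member_name(int mid, char *dst, size_t dstsize)
{
    char member_name[MAXNAMELEN];
    i2s_get_member_name(mid, member_name, sizeof member_name);
    i2s_qstrncpy(dst, member_name, dstsize);
    return strlen(dst);
}

int main(void)
{
    char small[8];
    size_t n = copy_member_name(1, small, sizeof small);
    printf("%zu bytes stored: \"%s\"\n", n, small);   /* truncated to 7 */
    return 0;
}
```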

Mostek
October 23rd, 2006, 11:20
Hi guys

I've been working on this for a few months now, but couldn't find the time to finish it.

As Kayaker said, the IDA guys changed the procedures to buffer-safe ones.
They did this in the past also, but not to this extent.

Well I'll finish it today -> I only have 12 errors left.

Will inform you...

Peace
Mostek

Morgatte
October 23rd, 2006, 12:06
Yes, good.
I think it was too much for me because I use only asm but not C/C++.
Moreover I don't know those functions (qstrncpy...) and the number of args for them.

So I will leave this work to you. (Sorry)
Bye

Mostek
October 23rd, 2006, 15:26
No problem, I've already finished fixing the bugs and tomorrow will finish rescanning if everything is ok (10/16 files already rescanned).

So tomorrow there should be a new release of i2s.

Peace
Mostek

Kayaker
October 23rd, 2006, 16:26
Hiya Mostek, glad to see you around. I figured if there was an updated release it should come from the author and not me, so I only posted 'guidelines'. In any case I had fun playing with your code.

Btw, I found a situation which gave a non-critical error msg. I was reversing the Raide antirootkit driver and on saving the nms file it gave an error from here within SetSection_SYMD:

Code:

if ( pSegmentCurrent->nProcDefinitions == 0 )
{
    msg(
        "I2S: The database has code outside the function definition. "
        "If SoftIce crashes when loading nms file to it please contact author.\n",
        0 );
}


Well Softice didn't crash, the entire code could be traced, and the i2s definitions (with full source definitions) worked perfectly, so there was no problem.

The error only occurred when 'Create Source Files' was selected. I did a bit of testing, outputting results involving pSegmentCurrent in various parts of the code for example, but couldn't figure out the *exact* problem. I suspected it was because of the unique nature of the Raide driver. It has the usual segments and in all respects is a 'normal' driver, except that it has an embedded PE file within the .data section. IDA correctly disassembles all the functions within this embedded PE file/.data section. I thought that maybe when i2s translates this code in a non-standard section it might cause a problem.

It's not a big deal but I thought I'd mention it anyway. If you're curious, the Raide driver is here.
http://www.rootkit.com/vault/petersilberman/RAIDE_BETA_1.zip

Other drivers seem to be OK. It is possible too that the cause is my own modifications, particularly with the new supval definition where it may be used with pSegmentCurrent.

Regards,
Kayaker

Mostek
October 24th, 2006, 14:35
Thanks for the info Kayaker > I'll look into it.
Anyway which version of IDA did you use?

And it's nice somebody is actually looking at the code.

And did you understand anything? : ))
Even I get lost in there.



Anyway, about the new version -> I have finished re-checking the code and now I'm fixing the bugs. Currently the code and source have an offset, so I need to find out why and of course need to do a check on other parts too.

So it looks like it won't be finished until the end of Sunday.
But at least it's time for another version.

Peace
Mostek

Polaris
October 24th, 2006, 15:37
I will now move the thread a bit off topic, I hope you will excuse me

Now, we do all know that softICE is almost dead - Numega/Compuware discontinued it recently, and Microsoft is making its use more and more difficult with every modification they make to the operating system. I love sice, as it is the first debugger I used when I was moving my first steps into the reversing world, but I hardly see any more use for it.

So, does it still make much sense to extract information from IDA into Sice? Wouldn't it be much more useful to do something similar, but for WinDBG? Microsoft's kernel debugger works well, has been improved a lot in the last releases, is documented and supported and will be perfectly working even on Vista. I think that having an IDA plugin able to be the bridge with WinDBG would be nowadays much more useful...

Enough off topic stuff for now. Mostek's job is awesome and I am glad it is gonna be ported to newer versions of IDA.

blabberer
October 25th, 2006, 13:52
Sorry for polluting the thread with off-topic info.

Polaris, if you mean importing a map created by IDA into WinDbg, then it sure exists.

Look for Skywing's debugger extension (just browse his blog, Nynaeve or some such name) and you can simply do !map "mapname". I haven't tried map yet but I have used other extensions in it; I have a pretty old version v1.01 of it and recently I saw Skywing has released 6 or more newer versions.

I think you might already know it.

Polaris
October 26th, 2006, 00:11
Actually, I did not know... I will check this out, sounds interesting!!! Thanks!

Mostek
October 28th, 2006, 17:39
Well, you are right Polaris -> i2s is becoming obsolete too.

But making a new plugin for WinDbg now would be a little too time consuming, and as was said, it looks like there is already something available.

Anyway, i2s was first written to reverse a driver and the usage is probably the same today -> mostly the driver reversers use it, as they are probably the only ones still using SIce.

So this release will probably be the last one.

Well, there are other things in life too, so there is still happiness around.

Peace
Mostek

NoLOcKs
October 28th, 2006, 17:52
Hi Mostek

i2sice is a great tool. So don't forget to update it, please.

I'm waiting anxiously.

Regards

NoLOcKs

Mostek
October 30th, 2006, 06:00
Go and get it.

Morgatte
October 30th, 2006, 11:53
Hi Mostek,

It works perfectly. This is a great plugin.
I think IDA is the best disassembler and Sice the best debugger, so your tool is essential.
Those tools are smashing for debugging our own programs or making some keygens.

Thanks for all.

Kayaker
November 1st, 2006, 05:36
Oh this is wonderful. I finally got a chance to fully test it and the new i2s works perfectly now on the Raide driver, no error msg on saving the nms.

I am so happy I still use Softice for virtually all my debugging and reversing needs. For unsourced drivers especially there is no better combination than Sice + I2S!

Thank you once again Mostek for your great tool and for updating it again.

I'll have to take a look at that WinDbg extension option, that sounds interesting as well.

Cheers,
Kayaker

Mostek
November 3rd, 2006, 17:30