mcsema - Framework for lifting x86, amd64, and aarch64 program binaries to LLVM bitcode

McSema is an executable lifter. It translates ("lifts") executable binaries from native machine code to LLVM bitcode. LLVM bitcode is an intermediate representation form of a program that was originally created for the retargetable LLVM compiler, but which is also very useful for performing program analysis methods that would not be possible to perform on an executable binary directly. McSema enables analysts to find and retroactively harden binary programs against security bugs, independently validate vendor source code, and generate application tests with high code coverage. McSema isn’t just for static analysis. The lifted LLVM bitcode can also be fuzzed with libFuzzer, an LLVM-based instrumented fuzzer that would otherwise require the target source code. The lifted bitcode can even be compiled back into a runnable program! This is a procedure known as static binary rewriting, binary translation, or binary recompilation.

IDASkins - Advanced skinning plugin for IDA Pro

Plugin providing advanced skinning support for IDA Pro utilizing Qt stylesheets, similar to CSS. The screenshot above shows the "IDASkins Dark" theme in combination with the idaConsonance theme.

ScratchABit - Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API

ScratchABit is an interactive incremental disassembler with data/control flow analysis capabilities. ScratchABit is dedicated to the efforts of the OpenSource reverse engineering community (reverse engineering to produce OpenSource drivers/firmware for hardware not properly supported by vendors, for hardware and software interoperability, for security research). ScratchABit supports the IDAPython API, well known in the community, for writing disassembly/extension modules.

vm86 - 🍔 A x86 Script Instruction Virtual Machine

This is a very simple and lightweight x86 virtual machine that can load and run assembly code exported from IDA Pro directly, and it is called from C code.

ida-xtensa2 - IDAPython plugin for Tensilica Xtensa (as seen in ESP8266), version 2

This is a processor plugin for disassemblers that use the IDAPython API, to support the Xtensa core found in the Espressif ESP8266. It does not support other configurations of the Xtensa architecture, but that is probably (hopefully) easy to implement. Originally developed for IDA (https://github.com/themadinventor/ida-xtensa), this fork is used almost exclusively with the ScratchABit open-source disassembler: https://github.com/pfalcon/ScratchABit. Copy the file to the plugins/cpu/ directory in your ScratchABit install.

iBoot64helper - IDAPython utility to help with iBoot64 reverse engineering

This aims to become an IDAPython utility to help with iBoot64 reverse engineering. Currently it just locates iBoot's proper loading address, rebases the image, and identifies ARM64 functions based on a common function prologue. As you can see in the screenshot below, 1347 functions are recognized after running it on iBoot version 4076.1.43. I will be adding features to it, like function renaming based on string usage, etc.

Utilities - Uncategorized utilities

Uncategorized utilities that do not need their own repository. Small dumb utility to port obvious function matches across two IDA databases.

cracknet - A

A .net Crackme Challenge made for the SecTalks Brisbane 2017 CTF Event. Note that this is a debug build and not a release build, due to compiler instructions. Only the executable needs to be included for the challenge.

golang_loader_assist - Making GO reversing easier in IDA Pro

This is the golang_loader_assist.py code to accompany the blog I wrote, Reversing GO binaries like a pro (in IDA Pro). There is also the hello-go directory which contains the simple hello world code I used as an example.

ida-evm - IDA Processor Module for the Ethereum Virtual Machine (EVM)

IDA Processor Module for the Ethereum Virtual Machine (EVM). This plugin is under active development. New issues and contributions are welcome, and are covered by bounties from Trail of Bits. Join us in #ethereum on the Empire Hacking Slack to discuss Ethereum security tool development.

continuum - Plugin adding multi-binary project support to IDA Pro (WIP)

continuum is an IDA Pro plugin adding multi-binary project support, allowing fast navigation in applications involving many shared libraries. This project is still work in progress and not suitable for production use.

ida-cmake - IDA plugin CMake build-script

This repository holds CMake build scripts and a Python helper allowing compilation of C++ IDA plugins for Windows, macOS and Linux without much user effort. Substitute <ida-sdks-path> with a directory of the IDA SDK corresponding to your IDA version.

JARVIS - "Just Another ReVersIng Suite" or whatever other bullshit you can think of

The auxiliary plugin jarvis_launcher.py registers a shortcut (Alt-J) which launches the actual plugin. JARVIS is written in PySide (Qt). It consists of a dockable Widget with several tabs, one for each different category.

bap-ida-python - integration with IDA

This package provides the IDAPython scripts required for interoperability between BAP and IDA Pro. It also adds many useful features to IDA by leveraging the power of BAP. The BAP-IDA integration package installs several plugins into the IDA distribution. Some plugins work automatically and do not require user intervention, while others are invoked with keybindings or via the Edit->Plugins menu, which can be opened with the Ctrl-3 binding.

Note that CVODES and IDAS contain all functions provided by CVODE and IDA (for integration without sensitivity analysis). If you need to use the latter, you can set enable_sensitivities=false in deps/build.jl before you (re)build the package. Downloading and/or re-building of the library can be triggered by Pkg.build("Sundials") if anything goes wrong.

Cardinal - Similarity Analysis to Defeat Malware Compiler Variations

CPC Aggregation by Reversing and Dumping in Arrays Lightweight (CARDINAL) is a tool that can find similarities between binaries compiled with different optimization flags, or even completely different compilers. CARDINAL accurately finds the number of arguments at each callsite, also known as the callsite parameter cardinalities (CPCs), and creates an easily comparable signature by aggregating them per function and dumping the result into a Bloom filter. Bloom filters are compared via the Jaccard index, from which a similarity score is calculated. CARDINAL is proven to tolerate differences between binaries produced from the same source but different compiler configurations, from different optimization levels to completely different compilers. We hope that CARDINAL paves the way for future static analyses that tolerate radical code transformations as a dynamic analysis would, yet still retain the benefits of static analysis. For more information, see the paper.

The test harness automates the above steps for a large number of binaries. We run the tests en masse by executing a find command and running the above steps on all matching files. The test harness is designed to perform the isocompiler modulation, different compiler, and different source tests, and as such, the harness only handles files that conform to the naming scheme adopted for the aforementioned tests. The scheme is as follows:

[name_of_test_binary].simple.lin.[name_of_compiler].[optimization_flag].elf

"Name of compiler" can be "clang" or "gcc", and "optimization flag" can be "o0", "o1", "o2", or "o3".

polichombr - Collaborative malware analysis framework

This tool aims to provide a collaborative malware analysis framework. The scripts under the examples folder perform some basic actions against a Polichombr instance.