I realized that it is quite easy to make FindCrypt work with big endian programs. For that we just need to know the size of each constant array element and swap them if required. So here is the second version of FindCrypt. It introduces the following improvements:it works with both little and big endian programs
it […]
While analyzing a program quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is the plugin which can help us answer these questions.
Suppose our goal is to dissect a new program. The ultimate method of analysis is single stepping the program of interest. Each executed instruction must be single stepped at least once so we won’t miss anything important.
How do you spell “I love you” in Greek?…
Today I’ll present you a pretty small yet useful plugin.
The last described method does not work if the application uses an “unsupported” antidebugging trick. For example, if the application directly checks the PEB field instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use something else, something from the future…
Quite often IDA users ask for a plugin or feature to hide the debugger
from the application. In fact there are many anti-debugging tricks and
each of them requires an appropriate reaction from the debugger, let’s
start with something simple: we will make the IsDebuggerPresent
function call always return zero.
Final method of loading several files into a database
I promised to tell you about the TLS callbacks. Here is the discussion.
The third method to create a database with several PE files.