FindCrypt2

I realized that it is quite easy to make FindCrypt work with big endian programs. For that we just need to know the size of each constant array element and swap them if required. So here is the second version of FindCrypt. It introduces the following improvements: it works with both little and big endian programs; it […]

FindCrypt

While analyzing a program quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is the plugin which can help us answer these questions.

Tracing exception handlers

Suppose our goal is to dissect a new program. The ultimate method of analysis is single stepping the program of interest. Each executed instruction must be single stepped at least once so we won’t miss anything important.

The highlighter

Today I’ll present you a pretty small yet useful plugin.

The ultimate stealth method

The last described method does not work if the application uses an “unsupported” antidebugging trick. For example, if the application directly checks the PEB field instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use something else, something from the future…

Simple trick to hide IDA debugger

Quite often IDA users ask for a plugin or feature to hide the debugger from the application. In fact there are many anti-debugging tricks, and each of them requires an appropriate reaction from the debugger. Let's start with something simple: we will make the IsDebuggerPresent function call always return zero.

TLS callbacks

I promised to tell you about the TLS callbacks. Here is the discussion.