Sharing IDA .idb files?


5aLIVE
June 25th, 2007, 07:17
I was looking over an IDA database file which I had annotated and printed function graphs of a year or so ago. I got so far with the analysis and archived it for a rainy day.

I gave the functions of interest a quick review to remind me where I left off.
My first observation is that I will need to refresh my knowledge on some aspects of assembly language before I consider resurrecting this little project.

Anyway, I got to thinking if there was a way to share a condensed version of the .idb file.

In other words, can the database just contain the functions, code and data of interest and still be loaded and navigated using IDA?

Of course, the alternative is to copy and paste disassembly listings direct from IDA. I also noticed that you can only print graphs to file (PDF for example) or possibly use screen dumps which are a little limited unless I am missing something?

I am running IDA 4.3 which has served me well to date. What do you guys do if you want to submit for shared analysis?

Thanks,
5aLIVe.

Polaris
June 25th, 2007, 08:22
In case of a concurrent analysis on a large project, in my opinion the best way is to use the "dump database to idc" & "dump typeinfo to idc" functionalities of IDA. If you use such functions on a database, IDA will create IDC files that, when run over a new database, will convert the new database to the same database the idc files were generated from. With such IDC files, you can set up a CVS system, and work like any normal s.e. project - committing, checking out, etc, etc...

In case you just need to pass the information on to a coworker, then send him the IDB; it is the easiest solution.

And, if you feel like experimenting, you can try the IDASync plugin, here: hxxp://labs.idefense.com/software/static.php#more_ida+sync

Hope this helps

5aLIVE
June 25th, 2007, 12:39
[Originally Posted by Polaris;66674]
In case of a concurrent analysis on a large project, in my opinion the best way is to use the "dump database to idc" & "dump typeinfo to idc" functionalities of IDA.

Where are these functions that you speak of? I don't see them in the menus or context menus. You mean after adding any comments, for example, you save the entire database using a different name? In that case, how do I "merge" databases?

[Originally Posted by Polaris;66674]
If you use such functions on a database, IDA will create IDC files that, when run over a new database, will convert the new database to the same database the idc files were generated from. With such IDC files, you can set up a CVS system, and work like any normal s.e. project - committing, checking out, etc, etc...

This sounds like a workable idea, so if I were to share the original database we could then exchange our findings by dumped idc files. Say I provided the original database to one other person and my dumped files "A". The second person opens the original database, adds some analysis and sends his findings "B" to me.

Can I then merge both analysis comments A and B on the original database? Say for example I added a comment at line x and the other person adds a different comment at this line also. In other words, will comment B be appended to comment A?

I would try this out for myself if I were able to find the aforementioned functions.


[Originally Posted by Polaris;66674]
In case you just need to pass by the information to a coworker, then send him the IDB, it is the easiest solution.

This would probably be the easiest. Does IDA permit sharing of databases across all its versions, provided that the original database was produced from a legal copy of IDA?


[Originally Posted by Polaris;66674]
And, if you feel like experimenting, you can try the IDASync plugin, here: hxxp://labs.idefense.com/software/static.php#more_ida+sync

This looks like a nice tool, but I think that it would only be useful on a LAN setup. I'd be looking to have the same functionality but over a WAN if it were possible.


[Originally Posted by Polaris;66674]
Hope this helps
Thanks for the insight.

I'm sure you're well aware that size of the IDC files can get quite large even when packed, which makes sharing them on a forum such as this impractical.

Polaris
June 25th, 2007, 14:23
Quote:
Where are these funtions that you speak of? I don't see them in the menus or context menus? You mean after adding any comments for example you save the entire database using a different name? In that case, how do I "merge" databases?


You can find such commands under File->Produce Output File->Dump Database To Idc File and File->Produce Output File->Dump Typeinfo To Idc File. Idc files are source code files very similar to C (actually, IDC is a subset of C), so it is not gonna be very difficult to merge them, even automatically using tools like WinMerge - I never tried, but I cannot imagine any issue.

Of course you can design your own IDC merger that does all kinds of stuff... You know better than me what you need.

Quote:
This would probably be the easiest, does IDA permit sharing of databases across all it's versions, provided that the original database was produced from a legal copy of IDA?


To some extent, yes. Usually a database is converted to the newer format when loaded into an IDA version that is newer than the one used to generate the IDB. Sadly, database downgrading is not possible. Also, between 4.7 and 4.8 (if I'm not wrong) the database format has been heavily reworked, so IDA will suggest re-doing the analysis from scratch using the new version... Compatibility between 4.7 and 4.8 is something to be careful with.

An idb created with a legit version should work anywhere.

If you want my opinion: either each participant in the project gets IDA Free and you share everything in complete legality and without version issues, or every project member gets the latest registered IDA, and you work with registered versions.

Quote:
I'm sure you're well aware that size of the IDC files can get quite large even when packed, which makes sharing them on a forum such as this impractical.


Well, you didn't talk about posting stuff on this board in your original message, so...

5aLIVE
June 25th, 2007, 15:32
Quote:
[Originally Posted by Polaris;66678]
You can find such commands under File->Produce Output File->Dump Database To Idc File and File->Produce Output File->Dump Typeinfo To Idc File. Idc files are source code files very similar to C (actually, IDC is a subset of C), so it is not gonna be very difficult to merge them, even automatically using tools like WinMerge - I never tried, but I cannot imagine any issue.

Of course you can design your own IDC merger that does all kinds of stuff... You know better than me what you need.

Excellent, I see the commands now. There are so many facets to IDA, I clearly overlooked these. In the past, I read the sparse manual and the handful of tutorials found on the web but never recall this feature being documented.

Quote:
[Originally Posted by Polaris;66678]
If you want my opinion: either each participant in the project gets IDA Free and you share everything in complete legality and without version issues, or every project member gets the latest registered IDA, and you work with registered versions.

This makes perfect sense to me, working with IDA Free would be the most practical way to work concurrently on this project.


Quote:
[Originally Posted by Polaris;66678]
Well, you didn't talk about posting stuff on this board in your original message, so...

That is certainly true; my comment was more of an observation, rather than my intention.

Thanks again for your help, you certainly know your stuff when it comes to IDA.

Regards,
5Alive

5aLIVE
June 26th, 2007, 03:18
Just a little update, I tried dumping the database and typeinfo to idc files as you described above.

I then Hit F2 to load both the IDC scripts to the original database as a quick and simple test, of course this exercise would add no further information to the database as I hadn't made any changes since.

The typeinfo script appears to run fine, however I get the following warning/error when loading and running the dumped database IDC "test.idc, 789265: Function 'Functions' is too large (max compiled size is 64k)"

The original database file is 11.7MB, the dumped database is 19.1MB. I

I can't find any information on this in the help docs. Is this a bug (version 4.3) or is there a setting I can change or something?

Would it be possible to write a script that produces a dumped IDC file which only contains references to comments (MakeRptCmt), for example?

Thanks,
5aLIVE

Polaris
June 26th, 2007, 04:09
Quote:
[Originally Posted by 5aLIVE;66687]Just a little update, I tried dumping the database and typeinfo to idc files as you described above.

I then Hit F2 to load both the IDC scripts to the original database as a quick and simple test, of course this exercise would add no further information to the database as I hadn't made any changes since.

The typeinfo script appears to run fine, however I get the following warning/error when loading and running the dumped database IDC "test.idc, 789265: Function 'Functions' is too large (max compiled size is 64k)"

The original database file is 11.7MB, the dumped database is 19.1MB. I

I can't find any information on this in the help docs. Is this a bug (version 4.3) or is there a setting I can change or something?


No, this is definitely a bug... Basically what happens is that the function that is responsible for recreating functions ("Functions", hehe) is too large. It is not a fatal problem... Just locate the "Functions" function inside the IDC file and split it into different smaller functions. Please just remember to add invocations for the newly created functions in the main function of the script ("main").

Be prepared to do the same on other functions too.

Quote:
Would it be possible to write a script that produces a dumped IDC file which only contains references to comments (MakeRptCmt) for example?


Yes, basically you have to loop through all the code and just get the rept comments. Using IDAPython I would do:

Code:

from idc import MinEA, MaxEA, RptCmt, NextHead

current = MinEA()
end = MaxEA()                     # 'max' would shadow the Python builtin
while current < end:
    my_comment = RptCmt(current)  # None when there is no repeatable comment here
    if my_comment:
        # Dump the information in your favourite format, e.g. as an IDC line
        # (quotes inside the comment text would still need escaping)
        print('MakeRptCmt(0x%x, "%s");' % (current, my_comment))
    current = NextHead(current, end)  # comments live on item heads, so skip the bytes inside an item
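Polaris's loop above only sketches collecting the repeatable comments, and his earlier reply suggests merging dumped IDC files with a diff tool, which leaves 5aLIVE's question (what happens when A and B both comment the same address) open. The following stand-alone Python script is an added example, not part of the original thread and not IDA's own tooling: it emits a comments-only IDC file, parses such a file back, and merges two dumps with an explicit rule for an address both analysts annotated (both texts kept, A's first, duplicates dropped). The IDA hookup collect_idb_comments() is written against the IDAPython names of that era (idautils.Heads, idc.RptCmt, idc.Comment); it is an assumption and is never called outside IDA. The two sample dumps DUMP_A and DUMP_B are constructed for the example.

```python
"""Dump, parse and merge comment-only IDC scripts (added example, not from the thread)."""
import re

# One MakeRptCmt/MakeComm call per line, string in double quotes with C-style escapes.
# Assumption: this is the line shape IDA's "Dump database to IDC" uses for comments.
_CMT_RE = re.compile(
    r'^\s*(MakeRptCmt|MakeComm)\s*\(\s*(0[xX][0-9a-fA-F]+)\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;')


def idc_escape(text):
    """Escape a comment so it survives as an IDC string literal."""
    return text.replace('\\', '\\\\').replace('"', '\\"').replace('\n', '\\n')


def idc_unescape(text):
    """Inverse of idc_escape (also accepts \\t)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            out.append({'n': '\n', 't': '\t'}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return ''.join(out)


def comments_to_idc(comments):
    """(ea, text, repeatable) triples -> IDC script text that can be loaded with F2."""
    lines = ['#include <idc.idc>', '', 'static main(void) {']
    for ea, text, repeatable in sorted(comments):
        call = 'MakeRptCmt' if repeatable else 'MakeComm'
        lines.append('  %s(0x%x, "%s");' % (call, ea, idc_escape(text)))
    lines.append('}')
    return '\n'.join(lines) + '\n'


def parse_comment_idc(text):
    """Return {(ea, repeatable): comment} for every comment call in an IDC script."""
    found = {}
    for line in text.splitlines():
        m = _CMT_RE.match(line)
        if m:
            call, ea, body = m.groups()
            found[(int(ea, 16), call == 'MakeRptCmt')] = idc_unescape(body)
    return found


def merge_comments(a, b, sep='\n'):
    """Union of two parsed dumps; a conflicting address keeps A's text followed by B's."""
    merged = dict(a)
    for key, text in b.items():
        if key not in merged:
            merged[key] = text
        elif merged[key] != text and text not in merged[key].split(sep):
            merged[key] = merged[key] + sep + text
    return merged


def merge_idc_files(text_a, text_b):
    """Merge two comment-only IDC scripts into one loadable script."""
    merged = merge_comments(parse_comment_idc(text_a), parse_comment_idc(text_b))
    return comments_to_idc((ea, txt, rpt) for (ea, rpt), txt in merged.items())


def collect_idb_comments():
    """Inside IDA only: yield (ea, text, repeatable) for the open database.
    Assumed IDAPython API of the period; not exercised outside IDA."""
    import idc, idautils
    for ea in idautils.Heads(idc.MinEA(), idc.MaxEA()):
        for repeatable, getter in ((True, idc.RptCmt), (False, idc.Comment)):
            text = getter(ea)
            if text:
                yield ea, text, repeatable


# Constructed sample dumps: two analysts annotated the same binary independently.
DUMP_A = comments_to_idc([
    (0x4012a4, 'entry: sets up SEH frame', True),
    (0x4012ac, 'calls GetModuleHandleA', True),
])
DUMP_B = comments_to_idc([
    (0x4012ac, 'hModule kept in esi', True),                      # same address as A, different text
    (0x4012b4, 'decrypts the "config" blob, see 0x7027fc', True),  # quotes must survive the round trip
    (0x4012b4, 'xor key = 0x5a', False),                           # a non-repeatable comment
])

if __name__ == '__main__':
    print(merge_idc_files(DUMP_A, DUMP_B))
```

Each analyst runs collect_idb_comments() inside IDA and feeds it to comments_to_idc(); the resulting files are small enough to exchange, and merge_idc_files() produces the script to load into the shared original database. The merge is not order-symmetric on purpose: whoever merges decides whose text comes first.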

5aLIVE
June 26th, 2007, 07:17
Quote:
[Originally Posted by Polaris;66688]No, this is definitely a bug... Basically what happens is that the function that is responsible for recreating functions ("Functions", hehe) is too large. It is not a fatal problem... Just locate the "Functions" function inside the IDC file and split it into different smaller functions. Please just remember to add invocations for the newly created functions in the main function of the script ("main").

Be prepared to do the same on other functions too.



Yes, basically you have to loop through all the code and just get the rept comments. Using IDAPython I would do:

Code:

from idc import MinEA, MaxEA, RptCmt, NextHead

current = MinEA()
end = MaxEA()                     # 'max' would shadow the Python builtin
while current < end:
    my_comment = RptCmt(current)  # None when there is no repeatable comment here
    if my_comment:
        # Dump the information in your favourite format, e.g. as an IDC line
        # (quotes inside the comment text would still need escaping)
        print('MakeRptCmt(0x%x, "%s");' % (current, my_comment))
    current = NextHead(current, end)  # comments live on item heads, so skip the bytes inside an item


Aha a bug you say! I loaded idag.exe into IDA to see if I could find the error string reference and then try to locate the source of the bug and patch it.
I couldn't find the string ref so I abandoned that idea.

Maybe when I have some spare time I can learn to develop a plugin or script which has the same functionality as producing a database dump IDC file to overcome this bug. I'll start by writing a simple script like you have outlined above.

I'll split up the function list and try that for now.
Like this:
Code:

#define UNLOADED_FILE 1
#include <idc.idc>

static main(void) {
  GenInfo();            // various settings
  Segments();           // segmentation
  Enums();              // enumerations
  Structures();         // structure types
  Bytes();              // individual bytes (code,data)
  Functions1();         // function definitions #1
  Functions2();         // function definitions #2
  SegRegs();            // segment register values
}

//------------------------------------------------------------------------
// Information about functions #1

static Functions1(void) {
  MakeFunction (0x4012a4,0x4012aa);
  SetFunctionFlags(0x4012a4,0xc0);
  // ...
  MakeFunction (0x4012ac,0x4012b2);
  SetFunctionFlags(0x4012ac,0xc0);
}

//------------------------------------------------------------------------
// Information about functions #2

static Functions2(void) {
  MakeFunction (0x4012b4,0x4012ba);
  SetFunctionFlags(0x4012b4,0xc0);
  // ...
  MakeFunction (0x7027fc,0x702822);
  SetFunctionFlags(0x7027fc,0x54);
}

//------------------------------------------------------------------------

I tried dividing the function declarations into two equal parts. I still received the same warning/error, which implies that I would need to sub-divide further. I'm not sure what a 64k compiled size translates to in terms of MakeFunction/SetFunctionFlags declarations, but I'd probably have to sub-divide to the nth degree before this would work. So a script or a patch is the way to go.

Thanks,
5aLIVE.
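5aLIVE's hand split of Functions() into two halves was not enough, and Polaris warns that other functions in the dump may need the same treatment. The script below is an added example (not from the thread, and not IDA's own tooling) that does the splitting mechanically: every static Name(void) in a dumped IDC file whose body exceeds a chosen number of lines becomes Name_1(), Name_2(), ..., and each Name(); call (in main or elsewhere) is expanded into calls to the parts in order, so the statements still execute in the original sequence. It assumes the flat layout IDA's dump uses (function header alone on its line, one statement per line, closing brace alone on its line); the sample dump is constructed. Because the 64k limit is on compiled size rather than line count, max_stmts is a knob to lower until IDA accepts the script.

```python
"""Split oversized functions in a 'Dump database to IDC' file (added example, not from the thread)."""
import re

# Assumption: dumped functions look like "static Name(void) {" ... "}" with nothing else on those lines.
_FUNC_HDR = re.compile(r'^static\s+(\w+)\s*\(\s*void\s*\)\s*\{\s*$')
_CALL = re.compile(r'^(\s*)(\w+)\s*\(\s*\)\s*;(.*)$')   # "  Name();   // trailing comment"


def split_large_functions(idc_text, max_stmts=1000):
    """Return the IDC text with every body longer than max_stmts lines split into parts."""
    lines = idc_text.splitlines()
    out, split_map, i = [], {}, 0
    while i < len(lines):
        m = _FUNC_HDR.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        name, j = m.group(1), i + 1
        while j < len(lines) and lines[j].strip() != '}':   # flat body: first bare '}' closes it
            j += 1
        body = lines[i + 1:j]
        if len(body) <= max_stmts:
            out.extend(lines[i:j + 1])                      # small enough, copy verbatim
        else:
            parts = []
            for n, start in enumerate(range(0, len(body), max_stmts), 1):
                part = '%s_%d' % (name, n)
                if n > 1:
                    out.append('')
                out.append('static %s(void) {' % part)
                out.extend(body[start:start + max_stmts])
                out.append('}')
                parts.append(part)
            split_map[name] = parts
        i = j + 1
    # Second pass: expand "Name();" into the part calls, keeping indentation and the trailing comment.
    result = []
    for line in out:
        m = _CALL.match(line)
        if m and m.group(2) in split_map:
            indent, _, trailer = m.groups()
            for k, part in enumerate(split_map[m.group(2)]):
                result.append('%s%s();%s' % (indent, part, trailer if k == 0 else ''))
        else:
            result.append(line)
    return '\n'.join(result) + '\n'


def function_sizes(idc_text):
    """{name: number of body lines} for every static Name(void) in the text (for checking)."""
    sizes, cur = {}, None
    for line in idc_text.splitlines():
        m = _FUNC_HDR.match(line)
        if m:
            cur = m.group(1)
            sizes[cur] = 0
        elif line.strip() == '}':
            cur = None
        elif cur is not None:
            sizes[cur] += 1
    return sizes


def _sample_dump(n_funcs):
    """Constructed stand-in for a real dump: main() plus a Functions() with n_funcs entries."""
    lines = ['#define UNLOADED_FILE 1', '#include <idc.idc>', '',
             'static main(void) {',
             '  GenInfo();        // various settings',
             '  Functions();      // function definitions',
             '  SegRegs();        // segment register values',
             '}', '',
             'static GenInfo(void) {', '  SetPrcsr("metapc");', '}', '',
             'static Functions(void) {']
    for k in range(n_funcs):
        start = 0x4012a4 + 8 * k
        lines.append('  MakeFunction(0x%x, 0x%x);' % (start, start + 6))
        lines.append('  SetFunctionFlags(0x%x, 0xc0);' % start)
    lines += ['}', '', 'static SegRegs(void) {', '  SetReg(0x4012a4, "ds", 0x0);', '}']
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 3:                       # usage: split_idc.py dump.idc 2000 > dump_split.idc
        sys.stdout.write(split_large_functions(open(sys.argv[1]).read(), int(sys.argv[2])))
    else:
        sys.stdout.write(split_large_functions(_sample_dump(7), max_stmts=6))
```

Chunks are cut by line, so a MakeFunction and its SetFunctionFlags can land in different parts; that is harmless because the parts are called back to back in the same order the single function ran them.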