EXPLICATOR?


Reversing It Out
November 17th, 2007, 17:04
I have been receiving several emails regarding the Explicator IDA Pro plugin, which was briefly shown in one of my previous posts, so I thought I would provide some more information about it.

The Explicator IDA Pro plugin is designed to collect information from IDA Pro and, based on it, attempt to rebuild some kind of C representation of the current function.

Currently, it features:

* basic dataflow analysis (improved version of Desquirr code base)
* basic loop recognition
* graphing interface
* limited commenting abilities
* lots of bugs

So, let's see an example of Explicator's use. Let's take the following subroutine from some silly malware sample:

Image 1: http://photos1.blogger.com/blogger/272/2307/1600/image_1.0.png

So, if we invoke the plugin, we obtain this:

Image 2: http://photos1.blogger.com/blogger/272/2307/1600/image_2.png

This is nice, but if we go back to the disassembly, we see that Explicator added repeatable comments for some (sic!) of the API functions inside the function:

Image 3: http://photos1.blogger.com/blogger/272/2307/1600/image_3.png

So, now we may want to improve the disassembly by adding enumerations, so we convert the first operand of the RegOpenKeyA API function into an enumeration:

push 80000002h --> push HKEY_LOCAL_MACHINE


If we invoke Explicator again, we can see that the enumeration has been used in producing the output:

Image 4: http://photos1.blogger.com/blogger/272/2307/1600/image_4.png

The same applies to structures.

Ok, now that we are satisfied with the result, we will tell Explicator to add a repeatable comment to the current function, so that wherever that function is called we will also have the translated code next to us.

Image 5: http://photos1.blogger.com/blogger/272/2307/1600/image_5.png

and from the caller:

Image 6: http://photos1.blogger.com/blogger/272/2307/1600/image_6.png

If we examine the argument that is passed to our function a bit, we see that it is a pointer to a C-style string, so why don't we add a proper prototype to our function? Let's do it and invoke Explicator again for the final result:

Image 7: http://photos1.blogger.com/blogger/272/2307/1600/image_7.png

Of course, such a lovely output is not always the case: sometimes the function is too complex, too optimized, or something is still not supported in Explicator, so do not expect it to be a silver bullet.

If you are wondering when Explicator will be released, the answer is "I do not know". Basically, it will be released when I feel it is stable enough and useful enough.
But eventually it will be released for free on the OpenRCE website.

http://reversingitout.blogspot.com/2006/08/explicator.html
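As an added example (not code from the original post or from Explicator), here is an IDC script for the legacy pre-7.0 IDA scripting API that performs the manual annotation steps the post walks through: it creates an enum with all four predefined HKEY root values (the post shows only HKEY_LOCAL_MACHINE), applies it to the first operand of the instruction under the cursor, then sets a prototype and a repeatable comment on the enclosing function so that a plugin such as Explicator can pick them up. The enum name, the prototype text and the comment text are placeholders, and the script assumes the cursor sits on the "push 80000002h" instruction.

```idc
// Added example: automates the annotation steps described in the post.
// Assumes the cursor is on "push 80000002h" inside the function to annotate.
#include <idc.idc>

// Create (or reuse) an enum holding the documented Windows HKEY root values.
static make_hkey_enum()
{
    auto id;
    id = GetEnum("HKEY_ROOT");          // placeholder enum name
    if (id == -1)
    {
        id = AddEnum(-1, "HKEY_ROOT", 0);
        AddConstEx(id, "HKEY_CLASSES_ROOT",  0x80000000, -1);
        AddConstEx(id, "HKEY_CURRENT_USER",  0x80000001, -1);
        AddConstEx(id, "HKEY_LOCAL_MACHINE", 0x80000002, -1);
        AddConstEx(id, "HKEY_USERS",         0x80000003, -1);
    }
    return id;
}

// Tag operand 0 of the instruction at ea with the enum, so the disassembly
// reads "push HKEY_LOCAL_MACHINE" instead of "push 80000002h".
static apply_hkey_enum(ea)
{
    return OpEnumEx(ea, 0, make_hkey_enum(), 0);
}

// Give the function containing ea a prototype and a repeatable comment.
static annotate_function(ea)
{
    auto start;
    start = GetFunctionAttr(ea, FUNCATTR_START);
    if (start == -1)
        return 0;
    // Placeholder prototype: the post only tells us the argument is a
    // C-style string pointer; return type and calling convention are assumed.
    SetType(start, "int __cdecl " + GetFunctionName(start) + "(const char *lpSubKey);");
    // Repeatable comment: shown next to every call site, like the
    // translated code Explicator attaches in the post.
    SetFunctionCmt(start, "opens a registry key under HKLM (placeholder comment)", 1);
    return 1;
}

static main()
{
    auto ea;
    ea = ScreenEA();
    if (!apply_hkey_enum(ea))
        Message("enum not applied at %x\n", ea);
    if (!annotate_function(ea))
        Message("no function at %x\n", ea);
}
```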