
Scripting fun


Reversing It Out
November 17th, 2007, 17:04
In these days I have been looking at a bunch of malware that keeps making use of an inlined version of the strlen function, like the following:

[image: original_strlen.png] http://photos1.blogger.com/blogger/272/2307/1600/original_strlen.png

So I thought it would have been nice to have this automatically handled.... Luckily, IDA Pro features a simple & useful scripting engine, so it took me just some minutes to write an IDC script to go through the code and automatically identify and handle such situations.

The script can be downloaded from my OpenRCE repository (https://www.openrce.org/repositories/users/Paolo/find_strlen.idc), and below you can see the results it produces.

Collapsed:

[image: collapsed_detected_strlen.png] http://photos1.blogger.com/blogger/272/2307/1600/collapsed_detected_strlen.png

and uncollapsed:

[image: uncollapsed_detected_strlen.png] http://photos1.blogger.com/blogger/272/2307/1600/uncollapsed_detected_strlen.png

I think it is much nicer, no?

http://reversingitout.blogspot.com/2006/04/scripting-fun.html
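The post only shows the inlined strlen idiom as a screenshot and links the IDC script rather than quoting it. The following is an added example, not the author's find_strlen.idc and not IDA code: a small Python matcher that walks an IDA-style text listing and flags the classic MSVC inlined strlen sequence (or ecx,-1 / xor eax,eax / repne scasb / not ecx / dec ecx). The exact instruction forms accepted, the tolerance for one unrelated instruction between steps (typically the load of edi), and the sample listing are all assumptions of this example; the screenshot in the post may show a slightly different variant. The same walk-and-match loop is what an IDC or IDAPython script does over the heads of a function.

```python
import re
from typing import Dict, List, Tuple

# Classic MSVC inlined strlen (an assumption of this example; the post shows
# the pattern only as a screenshot).  Each entry lists the instruction forms
# accepted at that position, in lower-cased, whitespace-collapsed IDA syntax.
STRLEN_STEPS = [
    [r"or ecx, (?:0ffffffffh|-1|0xffffffff)"],        # ecx = -1, max scan count
    [r"xor eax, eax"],                                 # al = 0, the byte to find
    [r"repne scasb"],                                  # edi advances until [edi] == 0
    [r"not ecx"],                                      # ecx = number of bytes scanned
    [r"dec ecx", r"sub ecx, 1", r"add ecx, -1",
     r"add ecx, 0ffffffffh", r"lea eax, \[ecx-1\]"],   # drop the terminator from the count
]

# ".text:00401004    or      ecx, 0FFFFFFFFh   ; comment"  -> (addr, "or ecx, 0ffffffffh")
LINE_RE = re.compile(r"^\s*(?:\.\w+:)?([0-9a-f]{8})\s+(.*?)\s*(?:;.*)?$", re.I)
# A tolerated gap instruction must not mention the registers the idiom has in flight.
CLOBBERS = re.compile(r"\b(?:eax|ecx|ax|cx|al|cl)\b")


def parse_listing(listing: str) -> List[Tuple[int, str]]:
    """Turn listing lines into (address, normalised instruction text)."""
    insns = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        text = " ".join(m.group(2).lower().split())
        if text:
            insns.append((int(m.group(1), 16), text))
    return insns


def _matches(text: str, forms: List[str]) -> bool:
    return any(re.fullmatch(f, text) for f in forms)


def find_inlined_strlen(listing: str, max_gap: int = 1) -> List[Dict[str, int]]:
    """Return one record per inlined strlen: first/last instruction address and
    the address of the repne scasb (where a comment such as the post's would go)."""
    insns = parse_listing(listing)
    hits: List[Dict[str, int]] = []
    i = 0
    while i < len(insns):
        if not _matches(insns[i][1], STRLEN_STEPS[0]):
            i += 1
            continue
        j, ok, scasb_at = i + 1, True, None
        for step, forms in enumerate(STRLEN_STEPS[1:], start=1):
            gap = 0
            # Skip up to max_gap unrelated instructions (e.g. "mov edi, esi"),
            # but give up if one of them touches eax/ecx.
            while j < len(insns) and not _matches(insns[j][1], forms):
                if gap >= max_gap or CLOBBERS.search(insns[j][1]):
                    ok = False
                    break
                gap += 1
                j += 1
            if not ok or j >= len(insns):
                ok = False
                break
            if step == 2:
                scasb_at = insns[j][0]
            j += 1
        if ok:
            hits.append({"start": insns[i][0], "end": insns[j - 1][0], "scasb": scasb_at})
            i = j            # continue after the matched sequence
        else:
            i += 1           # false start; re-scan from the next instruction
    return hits


# Constructed sample listing: two inlined strlen's (one with an edi load in the
# middle, one using "sub ecx, 1") and one decoy "or ecx, -1" that is not a strlen.
SAMPLE_LISTING = """
.text:00401000                 mov     esi, [esp+4]
.text:00401004                 or      ecx, 0FFFFFFFFh
.text:00401007                 xor     eax, eax
.text:00401009                 mov     edi, esi
.text:0040100B                 repne scasb
.text:0040100D                 not     ecx
.text:0040100F                 dec     ecx
.text:00401010                 push    ecx
.text:00401011                 or      ecx, 0FFFFFFFFh   ; decoy: ecx is consumed by the next insn
.text:00401014                 mov     edx, ecx
.text:00401016                 or      ecx, 0FFFFFFFFh
.text:00401019                 xor     eax, eax
.text:0040101B                 repne scasb
.text:0040101D                 not     ecx
.text:0040101F                 sub     ecx, 1
.text:00401022                 retn
"""

if __name__ == "__main__":
    for h in find_inlined_strlen(SAMPLE_LISTING):
        print(f"{h['start']:08X}-{h['end']:08X}: inlined strlen(edi) -> ecx "
              f"(comment at {h['scasb']:08X})")
```

Run on the sample it reports two sequences and ignores the decoy, because the instruction following the decoy's `or ecx, -1` reads ecx and so cannot be a harmless gap. Widening `STRLEN_STEPS` with further variants (for example `xor eax, eax` placed before the `or`) is the natural next step once more samples have been looked at.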