Hack-Crack Information Security 【Mars Information Security Institute】
Mars Information Security Institute by
obaby is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 China Mainland License.
Based on a work at www.h4ck.org.cn.

IDA Unicode String Anylist and comment maker

A long time ago I wrote a script that imports Unicode strings as comments, but a script has its own limitations. Every single time you have to search for and locate the string with some other analysis tool, then export it, and then import it. What a pain in the backside that is. 😎


(About the illustration:
Augusta Ada King, Countess of Lovelace (10 December 1815 – 27 November 1852), born Augusta Ada Byron, was an English writer chiefly known for her work on Charles Babbage’s early mechanical general-purpose computer, the analytical engine. Her notes on the engine include what is recognised as the first algorithm intended to be processed by a machine; thanks to this, she is sometimes considered the “World’s First Computer Programmer”
She was the only legitimate child of the poet Lord Byron (with Anne Isabella Milbanke). She had no relationship with her father, who died when she was nine. As a young adult, she took an interest in mathematics, and in particular Babbage’s work on the analytical engine. Between 1842 and 1843, she translated an article by Italian mathematician Luigi Menabrea on the engine, which she supplemented with a set of notes of her own. These notes contain what is considered the first computer programme — that is, an algorithm encoded for processing by a machine. Though Babbage’s engine has never been built, Lovelace’s notes are important in the early history of computers. She also foresaw the capability of computers to go beyond mere calculating or number-crunching while others, including Babbage himself, focused only on these capabilities.
)
A quick web search turned up a plugin Hex-Rays once released for handling Unicode strings; click here to visit the plugin page. The plugin is called unispector, and the plugin page offers its source code for download, but after I downloaded and compiled it, it would not load under the new version of IDA, and it did not produce the expected effect.

The missing effect is actually down to the logic the plugin uses to handle Unicode. The source code is as follows:

// Excerpt from the unispector plugin (IDA SDK, C++). The globals `text`
// (wchar_t *), `hwnd` and `th` (window handles), `must_refresh`, and the
// helper create_window() are defined elsewhere in the plugin and are not
// shown on this page.

// Refresh our window contents
static void refresh_window(ea_t ea)
{
  qfree(text);                            // destroy the old string contents
  text = NULL;
  if ( isASCII(get_flags_novalue(ea)) )   // is an ascii string constant?
  {                                       // (false for 'unk' bytes, so the
                                          //  function returns without text)
    long stype = get_str_type(ea);        // string type
    if ( stype == ASCSTR_UNICODE          // is unicode string?...
      || stype == ASCSTR_ULEN2
      || stype == ASCSTR_ULEN4 )
    {
      int delta = 0;                      // size of the length prefix, if any
      if ( stype == ASCSTR_ULEN2 )
        delta = 2;
      if ( stype == ASCSTR_ULEN4 )
        delta = 4;
      size_t size = get_item_size(ea);
      if ( size > delta )
      {
        size -= delta;
        text = (wchar_t *)qalloc(size*sizeof(wchar_t));
        if ( text != NULL )
        { // get string contents from the database
          get_many_bytes(ea+delta, text, size);
          text[size/2] = '\0';
          // if the window was not created, do it now
          if ( hwnd == NULL )
            create_window();
        }
      }
    }
  }
  if ( hwnd != NULL )              // our window exists only if a unicode string
  {                                // has been encountered
    SetWindowTextW(th, text);
//    RECT r;
//    GetClientRect(hwnd, &r);
//    InvalidateRect(hwnd, &r, true);
  }
  must_refresh = false;                   // we did refresh the window
}

If you look at the corresponding string in the database after IDA has finished its analysis, you will see the data is prefixed with unk, i.e. an unrecognised data format. When the plugin handles the data it first calls isASCII to decide whether it is a string, and in this situation that check usually makes the call return right there, because IDA has not resolved the correct data format. So this plugin cannot recognise any Chinese at all.

Even when it does get a string, the string type is limited to the three values ASCSTR_UNICODE, ASCSTR_ULEN2 and ASCSTR_ULEN4, and that filter likewise stops Unicode from being recognised. So the most effective approach is to read the Unicode string directly from ea and convert it yourself. I won't paste the related code here, and the crucial string-search code isn't finished yet. What a pain, seriously. :p
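As an added example (not the unispector plugin's code and not an IDA API), here is the approach the two paragraphs above recommend, written in Python: ignore the item flags entirely and decode UTF-16LE straight from the bytes at ea. It covers the plain NUL-terminated layout and the two length-prefixed layouts the plugin tests for, and adds a simple scanner for the string search the post says is still unfinished. The Image class, the UNICODE_* names and the sample bytes (the test program's "iloveyou" plus a Chinese string) are constructed stand-ins for the IDA database; inside IDA you would fetch the bytes with IDA's own byte-access API and attach the decoded text as a repeatable comment.

```python
"""
Added example: decode UTF-16LE strings from raw bytes at an address without
relying on IDA having typed the item as a string. `Image` is a constructed
stand-in for the IDA database; UNICODE_* are our own names for the layouts
the plugin checks as ASCSTR_UNICODE / ASCSTR_ULEN2 / ASCSTR_ULEN4.
"""
import struct

UNICODE_PLAIN = "plain"   # UTF-16LE code units terminated by 0x0000
UNICODE_ULEN2 = "ulen2"   # 2-byte little-endian length prefix (in code units)
UNICODE_ULEN4 = "ulen4"   # 4-byte little-endian length prefix (in code units)


class Image:
    """Constructed stand-in for an IDA database: a base address plus raw bytes."""

    def __init__(self, base, data):
        self.base = base
        self.data = bytes(data)

    def get_bytes(self, ea, n):
        off = ea - self.base
        if off < 0 or off + n > len(self.data):
            raise ValueError("read outside image")
        return self.data[off:off + n]


def read_unicode(img, ea, stype=UNICODE_PLAIN, max_units=4096):
    """Decode the UTF-16LE string at `ea` without consulting any item flags.

    Returns (text, item_size): the decoded string and the number of bytes the
    item occupies (prefix and terminator included), which is what you need to
    turn the 'unk' bytes into a string item or to comment the right address.
    """
    if stype == UNICODE_PLAIN:
        units = []
        pos = ea
        while len(units) < max_units:
            (u,) = struct.unpack("<H", img.get_bytes(pos, 2))
            pos += 2
            if u == 0:                       # NUL terminator reached
                break
            units.append(u)
        else:
            raise ValueError("no NUL terminator within max_units")
        raw = b"".join(struct.pack("<H", u) for u in units)
        return raw.decode("utf-16-le", errors="replace"), pos - ea
    if stype == UNICODE_ULEN2:
        prefix, fmt = 2, "<H"
    elif stype == UNICODE_ULEN4:
        prefix, fmt = 4, "<I"
    else:
        raise ValueError("unknown string layout %r" % (stype,))
    (n,) = struct.unpack(fmt, img.get_bytes(ea, prefix))
    raw = img.get_bytes(ea + prefix, 2 * n)
    return raw.decode("utf-16-le", errors="replace"), prefix + 2 * n


def _is_text_unit(u):
    # Printable per Unicode (this covers CJK), plus tab. Lone surrogates are
    # not printable, so astral characters split a run; fine for a scanner.
    return u == 0x09 or chr(u).isprintable()


def find_unicode_strings(img, min_units=4):
    """Scan the whole image for runs of printable UTF-16LE code units.

    Returns a list of (ea, text, nul_terminated). Only 2-byte-aligned offsets
    from the image base are scanned (assumption: the sample's strings are
    aligned that way; scan both parities for real binaries).
    """
    found = []
    run_start, run_units = None, []

    def flush(terminated):
        if run_start is not None and len(run_units) >= min_units:
            raw = b"".join(struct.pack("<H", x) for x in run_units)
            found.append((img.base + run_start,
                          raw.decode("utf-16-le", errors="replace"),
                          terminated))

    for off in range(0, len(img.data) - 1, 2):
        (u,) = struct.unpack_from("<H", img.data, off)
        if _is_text_unit(u):
            if run_start is None:
                run_start = off
            run_units.append(u)
            continue
        flush(u == 0)
        run_start, run_units = None, []
    flush(False)                             # run reaching the end of the image
    return found


# Constructed sample "database": filler, a NUL-terminated string, then a
# ULEN2-prefixed Chinese string, then filler. 0xFFFF is a non-character, so
# the filler never looks like text to the scanner.
SAMPLE = Image(
    0x401000,
    b"\xff\xff"
    + "iloveyou".encode("utf-16-le") + b"\x00\x00"
    + struct.pack("<H", 4) + "你好世界".encode("utf-16-le")
    + b"\xff\xff",
)

if __name__ == "__main__":
    print(read_unicode(SAMPLE, 0x401002))
    print(read_unicode(SAMPLE, 0x401014, UNICODE_ULEN2))
    for ea, s, term in find_unicode_strings(SAMPLE):
        print(hex(ea), repr(s), "NUL-terminated" if term else "unterminated")
```

The item size returned by read_unicode is the piece the plugin got from get_item_size; computing it from the bytes themselves is what makes this work on an item IDA still shows as unk.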

The plugin's hotkey is "Ctrl+Alt+U". When invoked, the plugin parses the string at the current cursor position and marks it as a repeatable comment; after commenting it looks like this:

After all the corresponding Unicode has been processed it looks like this.

Every character my machine can display now shows up, and it matches what the original program displays.

Click here to download the plugin (currently only for version 6.0 and above; if you run into problems, message me or leave a comment~), and click here to download the iloveyou test program.
