This is a guest entry written by Chris Eagle. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author.

When I first started analyzing obfuscated code, I quite often wished that I could simply de-obfuscate the code within IDA without the need to run the code under debugger control, capture modified memory regions, and finally copy the modified blocks back into IDA in order to disassemble and analyze the now de-obfuscated code.

In 2002, IDA did not yet have a built-in debugger, and IDAPython was still a few years away. Many of my initial efforts to perform deobfuscation involved writing IDC scripts to mimic the behavior of the de-obfuscation routines while writing changes back into the IDA database. When the scripts were finished, I could simply disassemble the modified bytes that were present in IDA. I still have an IDC script that will unpack UPX in place. I quickly realized that if I'd had an x86 emulator that used IDA as its memory store, I could stop writing new scripts and just run the emulator whenever I encountered obfuscated code. Thus was born the x86emu plugin.

At the time, I didn't really want to write an x86 emulator from scratch, and I searched for existing emulators that I could modify to suit my purposes. QEMU was the most likely candidate at the time but was almost too fully featured, as I had no interest in anything other than the instruction set emulator, and I did not want to invest the time to remove all of the hardware support that QEMU provided.

Fast forward to 2015 and the release of the Unicorn Engine. The developers of Unicorn did exactly what I had elected not to do 12 years earlier: they ripped the hardware support out of QEMU and were able to release a tool that allowed for the easy creation of emulators for most architectures supported by QEMU.

In the meantime, Hex-Rays had begun shipping GUI versions of IDA for Linux and OS X in addition to Windows, as well as local and remote debuggers for each of those platforms, including a Bochs-based emulation plugin that provided a native IDA debugging interface to a Bochs emulation of code loaded in IDA.