I quickly realized that if I’d had an x86 emulator that used IDA as its memory store, I could stop writing new scripts and just run the emulator whenever I encountered obfuscated code. I still have an IDC script that will unpack UPX in place. When the scripts were finished, I could simply disassemble the modified bytes that were present in IDA. Many of my initial efforts to perform deobfuscation involved writing IDC scripts to mimic the behavior of the de-obfuscation routines while writing changes back into the IDA database. In 2002, IDA did not yet have a built-in debugger, and IDAPython was still a few years away. When I first started analyzing obfuscated code, I quite often wished that I could simply de-obfuscate the code within IDA without the need to run the code under debugger control, capture modified memory regions, and finally copy the modified blocks back into IDA in order to disassemble and analyze the, now de-obfuscated, code. Any technical or maintenance issues regarding the code herein should be directed to the author. His views and opinions are his own and not those of Hex-Rays. “REmatch, a complete binary diffing framework that is free and strives to be open source and community driven.įrom all the #infosec community projects coming out, REmatch is something I'm really excited about.This is a guest entry written by Chris Eagle. REmatch, a simple binary diffing utility that just works.
Rematch is still a work in progress and is not fully functional at the moment. We’re currently working on bringing up basic functionality.
Check us out again soon or watch for updates! It is intended to be used by reverse engineers by revealing and identifying previously reverse engineered similar functions and migrating documentation and annotations to current IDB. It does that by locally collecting data about functions in your IDB and uploading that information to a web service (which you’re supposed to set up as well). Upon request, the web service can match your functions against all (or part) of previously uploaded functions and provide matches.
A secondary goal of this (which is not currently pursued) is to allow synchronization between multiple reverse engineers working on the same file.
0 kommentar(er)
