HTDark | Underground Hacking Forum and Cybersecurity Community
  • Earn real money by being active: Hello Guest, earn real money by simply being active on the forum — post quality content, get reactions, and help the community. Once you reach the minimum credit amount, you’ll be able to withdraw your balance directly. Learn how it works.

Reverse Engineering FindFunc v1.4 - IDA PRO plugin to find code functions

Status
Not open for further replies.
itsMe

itsMe

*KillmeMories*
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
Joined
Jan 8, 2019
Messages
56,608
Solutions
2
Reputation
32
Reaction score
100,454
Points
2,313
Credits
32,600
‎6 Years of Service‎
 
76%
ffmain.png


FindFunc is an IDA PRO plugin to find code functions that contain a certain assembly or byte pattern, reference a certain name or string, or conform to various other constraints. This is not a competitor to tools like Diaphora or BinNavi, but it is ideal to find a known function in a new binary for cases where classical bindiffing fails.

Filtering with Rules

The main functionality of FindFunc is letting the user specify a set of “Rules” or constraints that a code function in IDA PRO has to satisfy. FF will then find and list all functions that satisfy ALL rules (so currently all Rules are in an AND-conjunction). Exception: Rules can be “inverted” to be negative matches. Such rules thus conform to “AND NOT”.

FF will schedule the rules in a smart order to minimize processing time. Feature overview:

    Currently, 6 Rules are available, see below
    Code matching respects Addressing-Size-Prefix and Operand-Size-Prefix
    Aware of function chunks
    Smart scheduling of rules for performance
    Saving/Loading rules from/to file in simple ascii format
    Several independent Tabs for experimentation
    Copying rules between Tabs via clipboard (same format as a file format)
    Advanced copying of instruction bytes (all, opcodes only, all except immediate)

Button “Search Functions” clears existing results and starts a fresh search, “Refine Results” considers only results of the previous search.
Advanced Binary Copying

A secondary feature of FF is the option to copy binary representation of instructions with the following options:

    copy all -> copy all bytes to the clipboard
    copy without immediate -> blank out (AA ?? BB) any immediate values in the instruction bytes
    opcode only -> will blank out everything except the actual opcode(s) of the instruction (and prefixes)

Changelog v1.4

    new: clone tab option to clone rule + result list (right click on tab)
    new: add advanced copy menu: mask all but opcode and immediate
    guard against empty or invalid input when editing
    middle-click copies the resp. cell in rules and result tables to clipboard
    allow pasting immediates directly (0xABC or ABCh for hex, else dec)
    immediate-rules are now serialized in hex representation
    inverted rules now have red font-color
    rename button ‘Search Functions’ to ‘Find Functions’ – branding! 😉

To see this hidden content, you must like this content.
 
Status
Not open for further replies.
Back
Top