CodeDoctor 0.90 (IDA Edition) - IDA Plugin by hnedka (12.11.2009)
History:
0.90 (12.11.2009) - initial public release
note: examples are from OllyDbg, but they work exactly the same way in IDA
________________________________________________________________________________
Functions:
1) Deobfuscate
Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.
Example:
Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI
Deobfuscated:
00874372 83C3 04 ADD EBX,4
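As an added illustration of the constant folding behind command 1 (example code, not the plugin's own): a small Python pass that tracks the saved scratch register through the PUSH / MOV / AND / XOR / POP block and rewrites the one real use of that register with the folded value. The sample instruction list is constructed from the example above, and the four-entry 32-bit ALU table and the text-only operand format are assumptions made for this example; IDA's API is not used so it runs stand-alone.

```python
import re

# Constructed sample: the junk block from the example above, operand text only.
OBFUSCATED = [
    "PUSH EDI",
    "MOV EDI,6AAF2A35",
    "AND EDI,412A150D",
    "XOR EDI,402A0001",
    "ADD EBX,EDI",
    "POP EDI",
]

MASK32 = 0xFFFFFFFF
# 32-bit ALU semantics for the instructions this pass is willing to fold.
ALU = {
    "MOV": lambda a, b: b,
    "AND": lambda a, b: a & b,
    "XOR": lambda a, b: a ^ b,
    "ADD": lambda a, b: (a + b) & MASK32,
}

def parse(line):
    """Split 'MNEMONIC op1,op2' into ('MNEMONIC', ['op1', 'op2'])."""
    m = re.fullmatch(r"(\w+)(?:\s+(.+))?", line.strip())
    ops = [o.strip() for o in m.group(2).split(",")] if m.group(2) else []
    return m.group(1).upper(), ops

def fold_scratch_register(insns):
    """Collapse 'PUSH r / constant arithmetic on r / use of r / POP r'. Returns the
    input unchanged when it does not match safely; assumes the flags set by the junk
    ALU instructions are not consumed before the surviving instruction overwrites them."""
    (first_mn, first_ops), (last_mn, last_ops) = parse(insns[0]), parse(insns[-1])
    if first_mn != "PUSH" or last_mn != "POP" or first_ops != last_ops:
        return insns
    scratch = first_ops[0]
    value = None            # constant currently known to be in the scratch register
    out = []
    for line in insns[1:-1]:
        mn, ops = parse(line)
        if len(ops) == 2 and ops[0] == scratch and mn in ALU:
            if mn != "MOV" and value is None:
                return insns            # arithmetic on an unknown value: give up
            value = ALU[mn](0 if value is None else value, int(ops[1], 16))
        elif len(ops) == 2 and ops[1] == scratch and value is not None:
            out.append(f"{mn} {ops[0]},{value:X}")   # substitute the folded constant
        elif any(re.search(rf"\b{scratch}\b", o) for o in ops):
            return insns                # any other use of the register (e.g. [EDI]): give up
        else:
            out.append(line)
    return out
```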
________________________________________________________
2) Deobfuscate - Single Step
This works like the previous command, but performs only one transformation at a time.
_______________________________________________________
3) Move NOPs to bottom
Converts this:
00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP
to this:
00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP
Limitations: it breaks all jumps and calls pointing into the rearranged block, since the instructions move to new addresses.
________________________________________________________
4) Undo / Redo
Undo or Redo last operation (from one of the above functions)
________________________________________________________
Chinese explanation:
CodeDoctor 0.90, IDA plugin edition - author: hnedka - build date: 12.11.2009
Update history:
0.90 (12.11.2009) - initial version
Note: the examples were taken from OllyDbg, but they should work exactly the same way in IDA
________________________________________________________
Functions:
1. Deobfuscate
Select the instructions in the disassembly window and execute this command. It will try to clean the real code out of the junk instructions.
Example:
Original instructions:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI
After deobfuscation:
00874372 83C3 04 ADD EBX,4
________________________________________________________
2. Deobfuscate - single step
This command is similar to the previous one, except that it works step by step, converting only one instruction at a time.
________________________________________________________
3. Move NOPs to the bottom
Converts code of this form:
00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP
into:
00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP
Limitation: it breaks the displayed targets of all jump and call instructions within this block of code
________________________________________________________
4. Undo / Redo
Undo or redo the last operation (only for one of the functions above, not IDA operations)
________________________________________________________
The description looks good, I'll download it and try it out
THX FOR SHARE  Nice, keep it up  very Strong!:)  :victory:  kanikan