Recently I created a pair of Perl scripts to assist me with a reverse engineering job for a Pocket PC application. The scripts parse the assembly code that IDA produces and create a Graphviz .dot file from it. This .dot file can be used with Graphviz to create a graphical representation of the branches within the code.
Download sh3_ida2graphvis_sub.pl - Perl script for subroutine branching of IDA SH3 assembly code
Download sh3_ida2graphvis_loc.pl - Perl script for memory location branching of IDA SH3 assembly code
There are two kinds of scripts: *_sub.pl and *_loc.pl. The first one looks for jumps to other subroutines, the second one looks for jumps to other memory locations. It is recommended not to use a complete assembly program as input for the scripts, but only the part of interest. Otherwise you will need a large ... LARGE ... printer.
What you need
- IDA to reverse engineer assembly code
- Graphviz to create graphs
- The Perl scripts I created (see below)
- Some assembly and Perl skills
Graphviz and Perl can be downloaded for free, and both are available for Windows and Linux. However, I used Graphviz under Windows and Perl under Linux. For other tools see http://www.exetools.com.
How to use
1. First reverse engineer the program of your choice with IDA
2. Save only the part of interest to a separate file (for example: )
3. I was only interested in the memory location branching, so I ran pocketty.txt through the sh3_ida2graphvis_loc.pl script:
perl sh3_ida2graphvis_loc.pl < pocketty.txt > graph.dot
4. Then I loaded graph.dot into Graphviz, using the 'dot' tool under Windows.

5. The resulting GIF file is still very big, so only a part is shown below.

A graphical representation works better than ASCII-only
Downloads
Note: these scripts currently only work for SH3 assembly code. However, it is not difficult to change the scripts for other assembly code by editing the functions:
find_condition()
find_conditional_branch()
find_unconditional_branch()
PS: If you have made changes to the scripts to fit them for other assembly languages, I would like to place them here.
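To show what the three functions named in the note have to recognise, here is an added example (not the code of the downloadable scripts) that turns an SH3 listing into a Graphviz graph of location branches. The function signatures and bodies, the edge labels and the embedded listing are assumptions constructed for illustration.

```perl
# Added example, not the code of sh3_ida2graphvis_loc.pl. Function names follow the
# note above; their signatures, bodies and the sample listing are assumptions.
use strict; use warnings;
# SH3 compare/test instructions set the T bit that bt/bf test afterwards.
sub find_condition {
    return $_[0] =~ m{^\s*((?:cmp/\w+|tst)\s+\S.*?)\s*$}i ? $1 : undef;
}
# bt/bf and their delay-slot forms bt/s, bf/s branch on the T bit.
sub find_conditional_branch {
    return $_[0] =~ m{^\s*(b[tf])(?:/s)?\s+(loc_\w+)}i ? (lc($1), $2) : ();
}
# bra is the unconditional branch to another location.
sub find_unconditional_branch {
    return $_[0] =~ m{^\s*bra\s+(loc_\w+)}i ? $1 : undef;
}
sub edge { my ($from, $to, $attr) = @_; return qq{  "$from" -> "$to" [$attr];\n} }
my ($block, $cond, $falls);
print "digraph branches {\n  node [shape=box];\n";
while (my $line = <DATA>) {                # use <STDIN> to run it as a filter
    $line =~ tr/ \t/ /s;                   # squeeze IDA's column padding
    $line =~ s/^\S+:[0-9A-Fa-f]{8}\s*//;   # drop IDA's "segment:address" column
    $line =~ s/\s*;.*//;                   # drop comments and cross-references
    if ($line =~ /^(loc_\w+):/) {          # a label opens a new block
        print edge($block, $1, 'style=dotted') if defined($block) && $falls;
        ($block, $cond, $falls) = ($1, undef, 1);
        next;
    }
    next unless defined $block;            # skip code before the first label
    $cond = find_condition($line) // $cond;
    if (my ($op, $to) = find_conditional_branch($line)) {
        my $when = $op eq 'bt' ? 'T' : 'F';    # taken when T is set / clear
        print edge($block, $to, qq{label="$when: } . ($cond // '?') . '"');
    } elsif (defined(my $dst = find_unconditional_branch($line))) {
        print edge($block, $dst, 'label="bra"');
        $falls = 0;                        # no fall-through past a bra
    }
}
print "}\n";
__DATA__
ROM:8C001000 loc_8C001000:
ROM:8C001000                 cmp/eq  #0, r0
ROM:8C001002                 bt      loc_8C00100A
ROM:8C001004                 tst     r1, r1
ROM:8C001006                 bf/s    loc_8C001000    ; constructed sample listing
ROM:8C001008                 add     #-1, r1
ROM:8C00100A loc_8C00100A:
ROM:8C00100A                 bra     loc_8C001000
ROM:8C00100C                 nop
ROM:8C00100E loc_8C00100E:
ROM:8C00100E                 rts
```

Redirect the output to a .dot file and render it with dot -Tgif. For another instruction set, only the three regular expressions need to change.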
Last update notes
Fixed file downloads