The Twitter-hood

August 6, 2020 in Uncategorized

Some people write badly about you. It stings. But then you wonder… what, why, por que? Is this something I said, something I implied, something I thought of?

In the era of rapid judgment AD 2020 I found myself subject to Twitter blocks and criticism on more than one occasion. My lesson learned bit is that dudes (so far dudes only) blocked me on Twitter because they don’t agree with my opinion/take/whatever. I always believed that if we were about to drive someone to obscurity by social media banning then it would require us to follow a meticulously explored path of questioning and probing, you know, to understand their point of view, but hell no… it’s far easier to just block & forget.

Cuz Twitter.

As such I reply to my blockers: come at me with arguments and not blocks. I am not always right, but will listen and will change my mind, if you make me so…

IDA colonoscopy

July 31, 2020 in IDA/Hex-Rays

One of the most annoying things I come across during analysis is … function names. It’s great to have many of them resolved either via FLIRT or symbols, but the length of some of these function names makes it really hard to read code.

It is especially important with ‘basic’ string functions that hide behind constructs like:

std::basic_string,std::allocator,_STL70>::assign(std::basic_string,std::allocator,_STL70> const &,uint,uint)
std::basic_string,std::allocator,_STL70>::operator=(ushort const *)

Why not simple ‘assign’ and ‘operator’?

It’s because it’s puristic and accurate, that’s why 🙂

Reading code listings relying on these functions is difficult, and it involves a lot of mental processing to find the actual method name in these long strings.

I got bored doing so and coded a very badly written IDAPython script that replaces these names with a shorter version. Again, this is a blasphemy to both IDA and IDAPython so you have been warned.

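import re

import idautils
import idc

# Uses the older idc API names (GetLongPrm, GetFunctionName, Demangle, MakeName).
# Demangling mask for the short form of names
mask = idc.GetLongPrm(idc.INF_SHORT_DN)

for func_ea in idautils.Functions():
    function_name = idc.GetFunctionName(func_ea)
    # Prefer the demangled form when the name is a mangled C++ symbol
    function_name_dem = idc.Demangle(function_name, mask)
    if function_name_dem is not None:
        function_name = function_name_dem
    # Skip functions already renamed by a previous run
    m = re.search(r'hex_', function_name, re.IGNORECASE)
    if not m:
        print(function_name)
        # Capture the method name that follows the basic_string class
        m = re.search(r'basic_string.*?::([^:=]+)\(', function_name, re.IGNORECASE)
        if m:
            short_fun = m.group(1)
            # Cut the name at the first operator or punctuation character
            short_fun1 = re.sub(r"[(=< ~'\"+`-].+$", '', short_fun)
            cnt = 0
            # Overloads share a method name, so append a counter until
            # IDA accepts the new name (give up after 1000 attempts)
            while True:
                short_fun = 'hex_string_' + short_fun1 + "_" + str(cnt)
                res = idc.MakeName(func_ea, short_fun)
                if res:
                    print(short_fun)
                    break
                cnt = cnt + 1
                if cnt > 1000:
                    break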

The result: [screenshots: before and after]
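The renaming rule from the script above can be checked outside IDA before it touches a database. This is an added example, not the author's code: the sample names (with assumed template arguments), `METHOD_RE`, `short_name`, `rename_all` and `missed_by_page_pattern` are hypothetical, and a set lookup stands in for `MakeName`. It goes slightly beyond the script by also matching `operator=`, which the script's pattern does not match because it excludes `=` from the captured name.

```python
import re

# Constructed sample names (not IDA output); template arguments are assumed.
BS = ('std::basic_string<unsigned short,std::char_traits<unsigned short>,'
      'std::allocator<unsigned short>,_STL70>')
SAMPLES = [
    BS + '::assign(' + BS + ' const &,uint,uint)',
    BS + '::assign(unsigned short const *)',
    BS + '::operator=(unsigned short const *)',
    BS + '::operator[](uint)',
    'hex_string_assign_0',   # renamed by an earlier run
    'memcpy',                # not a basic_string method
]

SKIP_RE = re.compile(r'hex_', re.IGNORECASE)
# Pattern used by the script above: '=' is excluded from the captured name.
PAGE_RE = re.compile(r'basic_string.*?::([^:=]+)\(', re.IGNORECASE)
# Hypothetical variant: capture only identifier characters, then allow
# operator punctuation such as '=' or '[]' before the argument list.
METHOD_RE = re.compile(r'basic_string.*?::(\w+)[^\w(:]*\(', re.IGNORECASE)


def short_name(demangled, taken, limit=1000):
    """Return a unique hex_string_<method>_<n>, or None to leave the name alone."""
    if SKIP_RE.search(demangled):
        return None
    m = METHOD_RE.search(demangled)
    if not m:
        return None
    for cnt in range(limit + 1):
        candidate = 'hex_string_%s_%d' % (m.group(1), cnt)
        if candidate not in taken:   # stands in for MakeName() succeeding
            taken.add(candidate)
            return candidate
    return None


def rename_all(names):
    """Map each name to its short form, never reusing an existing hex_ name."""
    taken = {n for n in names if SKIP_RE.search(n)}
    return [short_name(n, taken) for n in names]


def missed_by_page_pattern(names):
    """Names the variant shortens but the script's pattern does not match."""
    return [n for n in names
            if METHOD_RE.search(n) and not PAGE_RE.search(n)]


if __name__ == '__main__':
    for old, new in zip(SAMPLES, rename_all(SAMPLES)):
        print('%-22s <- ...%s' % (new, old[-40:]))
    print('missed:', [n[-40:] for n in missed_by_page_pattern(SAMPLES)])
```

Because the set is seeded with names that already carry the `hex_` prefix, a second run continues the counters instead of colliding with earlier renames.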