IDA Pro plugin Labeless, sync IDA with OllyDbg by a1ext

Storm Shadow

Contributed By Check Point Software Technologies LTD.
Description

Labeless is a plugin system for dynamic, seamless and realtime synchronization between IDA Database and Olly. It consists of two parts: IDA plugin and OllyDbg plugin.
Labeless significantly reduces the time a researcher spends on transferring already reversed/documented code information from IDA (static) to the debugger (dynamic). It saves time, preventing you from doing the same job twice. Also, you can document and add data to the IDB on the fly and your changes will be automatically propagated to Olly, even if you restart the virtual machine or the Olly instance crashes. So, you will never lose your research.
This solution is highly upgradable. You can implement any helper scripts in Python on OllyDbg side and then just call them from IDA with one line of code, parsing the results and automatically propagating changes to IDB.
It features:
  • Seamless synchronization of labels, function names, comments and global variables, with demangling
  • Synchronization modes
    • On demand
    • On rename (update on-the-fly)
  • Supports image base-independent synchronization
Also, we provide dynamic dumping of debugged process memory regions. It can be useful in the following cases:
  • When the debugged process has an extracted/temporary/injected module which doesn't appear in the modules list
  • When it doesn't have a valid PE header
  • When it has a corrupted import table, etc.
We can take that memory region and put it in the IDB, fixing imports 'on-the-fly', using OllyDbg functionality. No more need for ImpRec or BinScylla, searching for the regions in memory that contain the real IAT, because we get that information dynamically from the debugged process itself.
As a result we have a lot of memory regions that may represent even different modules (if the unpacking process is multistage) with valid references between them, which gives us the possibility to build a full control flow graph of the executable. Basically, we will end up with one big IDB, containing all the info on the specific case.
Installation

Dependencies

  • Python 2.7
  • protobuf 2.6.1
  • Visual Studio 2010 + Qt 4.8.4 (built with "QT" namespace) - required by the IDA-side plugin (to properly use IDA's Qt). You can configure Qt by yourself with the following command:
    configure -platform win32-msvc2010 -shared -release -no-webkit -opensource -no-qt3support -no-phonon -no-phonon-backend -opengl desktop -nomake demos -nomake examples -nomake tools -no-script -no-scripttools -no-declarative -qtnamespace QT
  • Visual Studio 2012 (or newer) to build Olly-side plugin
IDA part:

  • Copy IDA plugin IDA\plugins\labeless_ida.plw to IDA's plugins directory, for example c:\IDA68\plugins
Olly part:

  • Copy both Olly\get-pip.py and Olly\setup_protobuf.bat files to guest machine, then run setup_protobuf.bat and wait for the successful installation
  • Copy Olly\Plugins\labeless_olly.dll to OllyDbg plugins directory. If you want to use Labeless with Olly FOFF mod (aka DeFixed edition), please use the plugin from the following path: Olly\Plugins\labeless_olly_foff.dll
  • Copy the whole directory Olly\python to OllyDbg home directory
Checking if everything works

  • Start Olly and check for Labeless item presence in Plugins menu. If there is any problem, then check Olly's log window for details.
  • Start working with existing IDA database or use 'Labeless -> Load stub database...' from the menu
  • Open the Labeless settings dialog using the menu 'Edit -> Plugins -> Labeless'. You can use the main menu 'Labeless -> Settings...' or the hotkey Alt+Shift+E as well
  • Enter IP address and port of the guest machine. Click on 'Test connection' button.
  • If IDA displays the message 'Successfully connected!', then configuration is done correctly.
How to use

  • If you want to sync labels (names) from IDA to Olly you should check 'Enable labels & comments sync' in Labeless settings dialog in IDA. There is one required field called 'Remote module base', which should be set to the current module base of the analyzed application. You can find out that information in the debugger (Olly).
  • Select needed features, like Demangle name, Local labels, Non-code names
  • If you want to sync labels right now, press the 'Sync now' button. Labeless will sync all found names in your IDB with Olly. The settings dialog will be automatically closed, saving all settings
  • If you want to customize settings for IDADump engine, do it in the 'IDADump' tab.
  • Click on 'Save & Close'
Things automatically performed in the background

  • If you enabled 'Enable labels & comments sync' option, then Labeless will automatically synchronize all the data on any rename operation in IDA

Download

https://github.com/a1ext/labeless/releases/download/v_1_0_0_7/Labeless.v.1.0.0.7.zip

Source

https://github.com/a1ext/labeless

Added link:
https://github.com/a1ext/labeless/r...0_0_7/Labeless.v.1.0.0.7_with_IDA66_build.zip

Slides (PDF)
https://www.virusbtn.com/pdf/conference_slides/2015/ChailytkoTrafimchuk-VB2015.pdf

Attachments

  • ChailytkoTrafimchuk-VB2015.pdf (1.2 MB)
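Two features from the post above, image-base-independent label sync (the 'Remote module base' setting) and recovering the import table from a dumped memory region, can be illustrated with a small stand-alone script. This is an added example, not Labeless's own code and not the project's API: the bases, names, export map and the 80-byte dump region are constructed sample values, and `rebase_names`, `find_iat_runs`, `iat_labels` and `build_sample_dump` are hypothetical plain-Python helpers rather than calls into Labeless, IDA or OllyDbg.

```python
import struct

# Constructed sample values (not from a real binary): the IDB's image base and
# size, and the base the same module received in the debugger
# ('Remote module base' in the Labeless settings dialog).
IDB_IMAGE_BASE = 0x00400000
IDB_IMAGE_SIZE = 0x00010000
REMOTE_MODULE_BASE = 0x00E40000

# Constructed IDB names keyed by effective address.  The last entry lies outside
# the module image and must be left untouched by rebasing.
IDB_NAMES = {
    0x00401000: "sub_DecryptPayload",
    0x00401234: "loc_CheckLicense",
    0x00403000: "g_ConfigBlob",
    0x7C801D7B: "kernel32_CreateFileA",
}

# Constructed export map "address -> module.export", as a debugger could
# enumerate it from the modules loaded in the debugged process.
KNOWN_EXPORTS = {
    0x7C801D7B: "kernel32.CreateFileA",
    0x7C80180E: "kernel32.ReadFile",
    0x7C809BD7: "kernel32.VirtualAlloc",
    0x7C81CAA2: "kernel32.ExitProcess",
    0x77D507EA: "user32.MessageBoxA",
}


def rebase_names(names, idb_base, idb_size, remote_base):
    """Translate IDB addresses to debugger addresses via their RVA, keeping
    only names that fall inside the module image (hypothetical helper)."""
    delta = remote_base - idb_base
    rebased = {}
    for ea, name in names.items():
        if idb_base <= ea < idb_base + idb_size:
            rebased[ea + delta] = name
    return rebased


def find_iat_runs(region, region_base, exports, ptr_size=4, min_run=2):
    """Scan a dumped region for runs of consecutive pointer-sized slots that
    each point at a known export; such a run is an IAT candidate.  Lone stray
    pointers (shorter than min_run) are ignored (hypothetical helper)."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    runs, current = [], []

    def flush():
        if len(current) >= min_run:
            runs.append({"va": current[0][0], "entries": list(current)})
        del current[:]

    for off in range(0, len(region) - ptr_size + 1, ptr_size):
        (value,) = struct.unpack_from(fmt, region, off)
        name = exports.get(value)
        if name is not None:
            current.append((region_base + off, name))
        else:
            flush()
    flush()
    return runs


def iat_labels(runs):
    """Turn IAT candidates into '__imp_<Export>' labels keyed by slot address,
    ready to be applied to the IDB (hypothetical naming convention)."""
    labels = {}
    for run in runs:
        for slot_va, name in run["entries"]:
            labels[slot_va] = "__imp_" + name.split(".", 1)[1]
    return labels


def build_sample_dump():
    """Constructed 80-byte region imitating an unpacked module: code-like
    filler, a 4-entry IAT ending in a zero slot, padding, one stray pointer."""
    iat = struct.pack("<4I", 0x7C801D7B, 0x7C80180E, 0x7C809BD7, 0x7C81CAA2)
    return (b"\x90" * 32                       # 0x00: code-like filler
            + iat                              # 0x20: the real IAT
            + b"\x00" * 4                      # 0x30: terminator slot
            + b"\xCC" * 12                     # 0x34: padding
            + struct.pack("<I", 0x77D507EA)    # 0x40: lone pointer, not an IAT
            + b"\xCC" * 12)                    # 0x44: padding


if __name__ == "__main__":
    synced = rebase_names(IDB_NAMES, IDB_IMAGE_BASE, IDB_IMAGE_SIZE, REMOTE_MODULE_BASE)
    for va, name in sorted(synced.items()):
        print("label %08X %s" % (va, name))
    runs = find_iat_runs(build_sample_dump(), REMOTE_MODULE_BASE + 0x1000, KNOWN_EXPORTS)
    for va, label in sorted(iat_labels(runs).items()):
        print("import slot %08X -> %s" % (va, label))
```

The rebasing step is what makes the sync "image base-independent": names are carried as RVAs, so a module relocated in the debugger still gets the right labels, while addresses outside the image (here the hard-coded kernel32 address) are deliberately not shifted. The IAT scan shows why the dumped region approach avoids a separate ImpRec-style pass: once the debugger can tell which addresses are exports, consecutive slots pointing at them identify the real import table even when the PE header is missing or corrupted.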

m4n0w4r

I copied labeless_ida.plw to IDA's plugins directory (I'm using IDA 6.6). I got this error notification when starting IDA:

LoadLibrary(F:\IDA Tools\IDA Pro 6.6 Orginal\plugins\labeless_ida.plw) error: The specified procedure could not be found.
F:\IDA Tools\IDA Pro 6.6 Orginal\plugins\labeless_ida.plw: can't load file
 

a1ext

> Can you share the plugin for OllyDbg 2.01?

Yes, I can.
There is a test environment; you may find labeless_olly2.dll in the "plugins" directory.
Let me know if you get some strange behavior or find a bug.

P.S. I want to do some refactoring in order to minimize duplicated python code between different backends.
Edited: sorry for my English

a1ext

Also, I made the python scripts separate from the common module, so you should replace
Code:
from ollyapi import *
with
Code:
from ollyapi2 import *
from breakpoints import *
from utils import *
from threads import *
from sym import *
from memory import *

(attached screenshots: Clipboard02.png, Clipboard03.png)
I know, that should be refactored.