ida pro plugin labeless, sync IDA with OllyDbg by a1ext

a1ext

New member
Developer
Ida Pro Expert
I've got a reason why IDA 6.9 (Qt 5.4.1) crashes at exit.
The case is when some of the views were opened (settings view or "python remote execution" view) before IDA exit.
Because of:
1) some QStringLiterals from Labeless are used by IDA's GUI (they are all shared and some of them are cached in QtGui (font database in this case))
2) Labeless is PLUGIN_FIX and, like other plugins, it unloads before IDA exit
3) when the Labeless plugin is unloaded, QtGui still has references to some strings which point to unloaded memory (at this time the QApplication instance is alive)

There is a Qt bug report (not mine): https://bugreports.qt.io/browse/QTBUG-46880

So, I work on fixing that and soon Labeless will be ready for IDA 6.9.
P.S. x64dbg support is almost done.
 

Storm Shadow

Administrator
Staff member
Developer
Ida Pro Expert
Elite Cracker
Qt is very buggy when closing events. Also you have the problem that the plugin is running as an instance inside another main window, in this case IDA itself.
Have you tried QtGui.QCloseEvent() upon exit?

@mr.exodia will be happy to hear that you are working on Labeless for x64dbg also.
 

a1ext

New member
Developer
Ida Pro Expert
Qt is very buggy when closing events. Also you have the problem that the plugin is running as an instance inside another main window, in this case IDA itself.
Have you tried QtGui.QCloseEvent() upon exit?

@mr.exodia will be happy to hear that you are working on Labeless for x64dbg also.
What do you mean?

The problem is that I can't do clean-up of Qt internal structures (which cache some of the shared data) in my plugin.

P.S. About x64dbg, he knows. I spoke to him.
 

m4n0w4r

New member
I try dumping and feel ok.

About x64dbg:
I used the x64dbg version (13-Feb-2016) that you attached in labeless_release_full_1.1.0.1.7z. After configuring labeless (My OS: Windows 7 Pro x64 SP1)

x32dbg works fine:
[PLUGIN] Labeless v16842753 Loaded!
LL: Labeless::startServer: Server thread started.
Labeless
Written by Aliaksandr Trafimchuk
Handling command line...
Reading notes file...
Initialization successful!
LL: trying to bind()...
LL: ok, binded at 0.0.0.0:3852
Process Started: 00400000 C:\Users\m4n0w4r\Desktop\zbar\CrackMe.exe
Breakpoint at 00401000 set!
DLL Loaded: 77860000 C:\Windows\SysWOW64\ntdll.dll
DLL Unloaded: 77560000 ???
DLL Unloaded: 75F80000 ???
DLL Unloaded: 77560000 ???
DLL Unloaded: 77460000 ???
DLL Loaded: 75F80000 C:\Windows\SysWOW64\kernel32.dll
DLL Loaded: 770C0000 C:\Windows\SysWOW64\KernelBase.dll
DLL Loaded: 76990000 C:\Windows\SysWOW64\user32.dll
DLL Loaded: 77130000 C:\Windows\SysWOW64\gdi32.dll
DLL Loaded: 76C70000 C:\Windows\SysWOW64\lpk.dll
DLL Loaded: 75250000 C:\Windows\SysWOW64\usp10.dll
DLL Loaded: 766D0000 C:\Windows\SysWOW64\msvcrt.dll
DLL Loaded: 76F90000 C:\Windows\SysWOW64\advapi32.dll
DLL Loaded: 77110000 C:\Windows\SysWOW64\sechost.dll
DLL Loaded: 763C0000 C:\Windows\SysWOW64\rpcrt4.dll
DLL Loaded: 751F0000 C:\Windows\SysWOW64\sspicli.dll
DLL Loaded: 751E0000 C:\Windows\SysWOW64\cryptbase.dll
System breakpoint reached!
LL: Labeless::onClientSockAccept: Connected from: 127.0.0.1:2610
LL: socket 00000334 accepted
LL: Labeless::onClientSockRead: Received 112 bytes of 112.
LL: Labeless::onClientSockBufferReceived: new request pushed { jobId: 1, bkg: 0, finished: 0 }
LL: Labeless::serverThread: jobId 1 socket 00000334 Response sent, len: 0x00000019
LL: Labeless::serverThread: jobId 1 is removed
LL: Labeless::onClientSockAccept: Connected from: 127.0.0.1:2611
LL: socket 000004F0 accepted
LL: Labeless::onClientSockRead: Received 1472 bytes of 1472.
LL: Labeless::onClientSockBufferReceived: new request pushed { jobId: 2, bkg: 0, finished: 0 }
LL: Labeless::serverThread: jobId 2 socket 000004F0 Response sent, len: 0x0000000A
LL: Labeless::serverThread: jobId 2 is removed
LL: Labeless::onClientSockAccept: Connected from: 127.0.0.1:2612
LL: socket 0000030C accepted
LL: Labeless::onClientSockRead: Received 1235 bytes of 1235.
LL: Labeless::onClientSockBufferReceived: new request pushed { jobId: 3, bkg: 0, finished: 0 }
LL: Labeless::serverThread: jobId 3 socket 0000030C Response sent, len: 0x0000000A
LL: Labeless::serverThread: jobId 3 is removed

x64dbg load fail:
[PLUGIN] Failed to load plugin: labeless_x64dbg.dp64
Handling command line...
Reading notes file...
Initialization successful!

I tried the latest version of x64dbg (16-May-2016) but both x32dbg & x64dbg fail:
[PLUGIN] Failed to load plugin: labeless_x64dbg.dp32
[PLUGIN] Failed to load plugin: labeless_x64dbg.dp64

Regards,
 

a1ext

New member
Developer
Ida Pro Expert
I try dumping and feel ok.

About x64dbg:
I used the x64dbg version (13-Feb-2016) that you attached in labeless_release_full_1.1.0.1.7z. After configuring labeless (My OS: Windows 7 Pro x64 SP1)

x32dbg works fine:


x64dbg load fail:


I tried the latest version of x64dbg (16-May-2016) but both x32dbg & x64dbg fail:


Regards,
Please check the following restrictions:
  • Have you set up Python x64 system-wide?
  • Have you performed the setup of protobuf and the labeless Python module for your Python x64? You should specify the full path to python.exe, like
c:\Python27x64\python.exe setup_protobuf.py
c:\Python27x64\python.exe setup.py install

About x64dbg, the Labeless plugin binary depends on the x64dbg SDK. I'll periodically update Labeless with the latest x64dbg snapshot, because the SDK wrappers require an update & rebuild.
 

m4n0w4r

New member
Please check the following restrictions:
  • Have you set up Python x64 system-wide?
  • Have you performed the setup of protobuf and the labeless Python module for your Python x64? You should specify the full path to python.exe, like


About x64dbg, the Labeless plugin binary depends on the x64dbg SDK. I'll periodically update Labeless with the latest x64dbg snapshot, because the SDK wrappers require an update & rebuild.

Thanks, I haven't set up Python x64 on my laptop. Will try it!
Once again, your plugin is so great :)

Regards,
 

computerline

New member
Ida Pro Expert
The sync & dumping features work very well. Same as @m4n0w4r, I couldn't load the x64dbg plugin. There is a problem when the debugger (in my case OllyDbg) stops while syncing: IDA keeps showing the nag repeatedly, and the only way to stop IDA is to use taskmgr.
 

Attachments

  • errlog_ollydbg2.png

ThangCuAnh

New member
The author built the x32/64dbg labeless plugin with the old PDK.
In the old PDK, the old import function that causes the error in x32/64dbg.dll is:
void Script::Function::DeleteRange(unsigned long,unsigned long)
decorated name: ?DeleteRange@Function@Script@@YAXKK@Z

In the new PDK, they are:
void Script::Function::DeleteRange(unsigned long,unsigned long,bool)
?DeleteRange@Function@Script@@YAXKK_N@Z

I have patched them and they run well.
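
Why the loader rejects the plugin, as an added example that is not part of the original post or of Labeless: a small decoder for the MSVC-decorated names quoted above, plus a check that pairs each import the host DLL no longer exports with same-named exports. It assumes free functions with primitive argument types only; the `Ping` name and both name lists are constructed for illustration.

```python
import re

# Subset of MSVC type codes: enough for the two names quoted in the thread.
TYPES = {"X": "void", "D": "char", "E": "unsigned char", "F": "short",
         "G": "unsigned short", "H": "int", "I": "unsigned int", "J": "long",
         "K": "unsigned long", "M": "float", "N": "double", "_N": "bool",
         "_J": "__int64", "_K": "unsigned __int64"}
CALLCONV = {"A": "__cdecl", "G": "__stdcall", "I": "__fastcall"}
# ?name@scope@scope@@Y<callconv><return type><argument types>[@]Z
DECORATED = re.compile(r"^\?(\w+(?:@\w+)*)@@Y([AGI])(.*)Z$")

def undecorate(name):
    """Return (qualified name, readable signature) for a free function."""
    m = DECORATED.match(name)
    if not m:
        raise ValueError("unsupported decorated name: " + name)
    qualified = "::".join(reversed(m.group(1).split("@")))
    codes, types, i = m.group(3).rstrip("@"), [], 0
    while i < len(codes):
        width = 2 if codes[i] == "_" else 1      # "_N" style codes are two chars
        types.append(TYPES[codes[i:i + width]])  # KeyError: outside the subset
        i += width
    args = [] if types[1:] == ["void"] else types[1:]
    return qualified, "%s %s %s(%s)" % (
        types[0], CALLCONV[m.group(2)], qualified, ",".join(args))

def unresolved_imports(imports, exports):
    """Pair every import the host does not export with same-named exports."""
    by_name = {}
    for exp in exports:
        try:
            qualified, sig = undecorate(exp)
        except (ValueError, LookupError):
            continue                              # C names, methods, etc.
        by_name.setdefault(qualified, []).append(sig)
    report = []
    for imp in imports:
        if imp in exports:
            continue
        try:
            qualified, sig = undecorate(imp)
        except (ValueError, LookupError):
            qualified, sig = imp, imp             # report the raw name
        report.append((sig, by_name.get(qualified, [])))
    return report

# Constructed sample: the DeleteRange names are from the thread, Ping is made up.
PLUGIN_IMPORTS = ["?DeleteRange@Function@Script@@YAXKK@Z", "?Ping@Demo@@YAHXZ"]
HOST_EXPORTS = {"?DeleteRange@Function@Script@@YAXKK_N@Z", "?Ping@Demo@@YAHXZ"}
```

`unresolved_imports(PLUGIN_IMPORTS, HOST_EXPORTS)` returns one entry: the two-argument `DeleteRange` the plugin was built against, next to the three-argument export with the extra `bool` that replaced it.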
 

a1ext

New member
Developer
Ida Pro Expert
The sync & dumping features work very well. Same as @m4n0w4r, I couldn't load the x64dbg plugin. There is a problem when the debugger (in my case OllyDbg) stops while syncing: IDA keeps showing the nag repeatedly, and the only way to stop IDA is to use taskmgr.
Could you describe what you did before that happened?
 

a1ext

New member
Developer
Ida Pro Expert
The author built the x32/64dbg labeless plugin with the old PDK.
In the old PDK, the old import function that causes the error in x32/64dbg.dll is:
void Script::Function::DeleteRange(unsigned long,unsigned long)
decorated name: ?DeleteRange@Function@Script@@YAXKK@Z

In the new PDK, they are:
void Script::Function::DeleteRange(unsigned long,unsigned long,bool)
?DeleteRange@Function@Script@@YAXKK_N@Z

I have patched them and they run well.
I'll update the x64dbg build in the new LL release soon.
 