Contributed By Check Point Software Technologies LTD.
Description
Labeless is a plugin system for dynamic, seamless and real-time synchronization between an IDA database and Olly. It consists of two parts: an IDA plugin and an OllyDbg plugin.
Labeless significantly reduces the time a researcher spends transferring already reversed/documented code information from IDA (static) to the debugger (dynamic). It saves time by preventing the same job from being done twice. You can also document and add data to the IDB on the fly, and your changes will be automatically propagated to Olly, even if you restart the virtual machine or the Olly instance crashes. So you will never lose your research.
This solution is highly extensible. You can implement any helper scripts in Python on the OllyDbg side and then call them from IDA with one line of code, parsing the results and automatically propagating changes to the IDB.
It features:
- Seamless synchronization of labels, function names, comments and global variables, with demangling
- Synchronization modes
  - On demand
  - On rename (update on-the-fly)
- Supports image base-independent synchronization
  - When the debugged process has an extracted/temporary/injected module which doesn't appear in the modules list
  - When it doesn't have a valid PE header
  - When it has a corrupted import table, etc.
As a result we have many memory regions that may even represent different modules (if the unpacking process is multistage) with valid references between them, which gives us the possibility to build a full control flow graph of the executable. Basically, we end up with one big IDB containing all the info on the specific case.
Installation
Dependencies
- Python 2.7
- protobuf 2.6.1
- Visual Studio 2010 + Qt 4.8.4 (built with "QT" namespace) - required by the IDA-side plugin (to properly use IDA's Qt). You can configure Qt yourself with the following command:
  configure -platform win32-msvc2010 -shared -release -no-webkit -opensource -no-qt3support -no-phonon -no-phonon-backend -opengl desktop -nomake demos -nomake examples -nomake tools -no-script -no-scripttools -no-declarative -qtnamespace QT
- Visual Studio 2012 (or newer) to build the Olly-side plugin
- Copy the IDA plugin IDA\plugins\labeless_ida.plw to IDA's plugins directory, for example c:\IDA68\plugins
- Copy both Olly\get-pip.py and Olly\setup_protobuf.bat to the guest machine, then run setup_protobuf.bat and wait for the installation to complete successfully
- Copy Olly\Plugins\labeless_olly.dll to the OllyDbg plugins directory. If you want to use Labeless with the Olly FOFF mod (aka DeFixed edition), use the plugin from the following path instead: Olly\Plugins\labeless_olly_foff.dll
- Copy the whole directory Olly\python to OllyDbg home directory
- Start Olly and check that the Labeless item is present in the Plugins menu. If there is any problem, check Olly's log window for details.
- Start working with existing IDA database or use 'Labeless -> Load stub database...' from the menu
- Open the Labeless settings dialog using the menu 'Edit -> Plugins -> Labeless'. You can also use the main menu 'Labeless -> Settings...' or the hotkey Alt+Shift+E
- Enter IP address and port of the guest machine. Click on 'Test connection' button.
- If IDA displays the message 'Successfully connected!', then configuration is done correctly.
- If you want to sync labels (names) from IDA to Olly, check 'Enable labels & comments sync' in the Labeless settings dialog in IDA. There is one required field, 'Remote module base', which should be set to the current module base of the analyzed application. You can find this information in the debugger (Olly).
- Select the needed features, like Demangle name, Local labels, Non-code names
- If you want to sync labels right now, press the 'Sync now' button. Labeless will sync all names found in your IDB with Olly. The settings dialog will be closed automatically after saving all settings
- If you want to customize settings for IDADump engine, do it in the 'IDADump' tab.
- Click on 'Save & Close'
- If you enabled 'Enable labels & comments sync' option, then Labeless will automatically synchronize all the data on any rename operation in IDA
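To make the 'Remote module base' setting and the 'Local labels' / 'Non-code names' options concrete, here is an added illustration (not Labeless's own code) of how names from an IDB would be rebased onto the module base reported by Olly before being sent over. The IDB entries, bases and module size are constructed sample values; demangling is not modelled.

```python
# Added illustration (not Labeless code): rebase IDB names onto the
# 'Remote module base' and honour the 'Local labels' / 'Non-code names'
# options from the settings dialog. Demangling is not modelled here.
from collections import namedtuple

# ea: address in the IDB; is_local: loc_/auto-generated local label;
# is_code: name belongs to code (as opposed to a data/global name)
IdbName = namedtuple("IdbName", "ea name is_local is_code")


def rebase_names(names, ida_base, remote_base, module_size,
                 local_labels=True, non_code_names=True):
    """Return {remote_address: name} for names that pass the option filters.

    A name whose RVA falls outside the remote module's range is skipped
    rather than being sent to the debugger at a bogus address.
    """
    out = {}
    for n in names:
        if n.is_local and not local_labels:
            continue
        if not n.is_code and not non_code_names:
            continue
        rva = n.ea - ida_base
        if not 0 <= rva < module_size:
            continue
        out[remote_base + rva] = n.name
    return out


# Constructed sample: names from an IDB whose image base is 0x00400000
SAMPLE = [
    IdbName(0x00401000, "start", False, True),
    IdbName(0x00401234, "loc_401234", True, True),
    IdbName(0x00403000, "g_config", False, False),
    IdbName(0x00500000, "out_of_module", False, True),
]

if __name__ == "__main__":
    # Assume Olly reports the unpacked module at 0x00C40000, size 0x10000
    for addr, name in sorted(
            rebase_names(SAMPLE, 0x00400000, 0x00C40000, 0x10000).items()):
        print("%08X %s" % (addr, name))
```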
Download
https://github.com/a1ext/labeless/releases/download/v_1_0_0_7/Labeless.v.1.0.0.7.zip
source
https://github.com/a1ext/labeless
added link:
https://github.com/a1ext/labeless/r...0_0_7/Labeless.v.1.0.0.7_with_IDA66_build.zip
Slides pdf
https://www.virusbtn.com/pdf/conference_slides/2015/ChailytkoTrafimchuk-VB2015.pdf