IDA plugins and scripts

A collection of IDA plugins and scripts can be found in the following places:

  • OpenRCE: a collection of about 80 plugins.
  • devttys0: several IDA plugins and scripts from Craig Heffner.
  • PatchDiff2:  IDA plugin that can analyze two IDB files and find the differences between both.
  • RebuildFunctions: rebuild functions and fix the disassemble code in IDA (kudos to Santamarta).
  • bniemczyk: a collection of reversing tools for IDA.
  • tuts4you:  several plugins from tuts 4 you community.
  • flare-ida: IDA utilities from FLARE team.
  • newgre: three IDA plugins from
  • IDApalace: plugins from
  • IDA ClassInformer: IDA plugin to fix/extract/view RTTI information.
  • IDAPython: IDA plugin that integrates Python, allowing scripts to run in IDA Pro.
  • Diaphora: a program diffing plugin for, at the moment, IDA Pro.
  • idapathfinder: an IDA plugin to graph all paths between two functions.
  • IDAScript: a wrapper around IDA that makes it easy to automate the execution of IDA scripts against target files from the command line.
  • Hex-Rays: sample plugins from IDA official website. Useful information can be found at the hexblog as well.
  • IDACyber: a plugin for the Interactive Disassembler which is capable of visualizing the currently loaded IDB’s data (useful for identifying structures and patterns of binary blobs where extended information such as a header is not available).
  • HeapViewer: An IDA Pro plugin to examine the heap, focused on exploit development.

Disassemble firmware completely (rebuild functions in IDA)

The first steps after acquiring the firmware of an embedded system are mainly to:

  1. determine the processor of the device,
  2. disassemble the firmware image,
  3. reconstruct the firmware: rebuild functions, determine the base address, collect information from strings, rebuild symbols etc.

Regarding the processor identification, there is Skochinsky’s presentation which is actually amazing. For disassembling the binary image there is IDA. In order to proper reconstruct the firmware however, several techniques must be applied on the file. For example, one must determine the base address of the firmware i.e. the starting location of the firmware in order to have accurate interpretations of segments referenced by immediate addresses. The “load technique” is usually used for this step, given that there exist immediate address references in the disassembly. We will talk in future tutorials about this technique.

Today, we will present a simple trick how to rebuild functions and thus fix the disassemble code in IDA. The script below (kudos to Santamarta) simply instructs IDA to explore the remaining unexplored functions in the firmware. The example firmware in our case is based on ARM ISA. In addition, the prologue signature of the already IDA automatically identified functions is a STMFD instruction that pushes the current register values to the stack. The registers pushed to the stack are different between each STMFD instruction but the two most significant bytes of the instruction remain the same (“E9 2D”). This is verified also from the ARM instruction encoding standard. Hence, by editing Santamarta’s script to target this signature (+corrected for endianness), the script is applied to the loaded in IDA firmware. Consequently, a significant part of the firmware binary image is explored since more functions are identified.

/* Ruben Santamarta */
/* Fix functions - Schneider NOE 110 firmware */
/* Edited by Harrys Kon Feb. 2015*/
/* FixARMfunctions.idc*/
#include <idc.idc>
static main() {
 auto ae;
 auto funct;
 auto minea;
 auto prolog;
 auto j;
 auto fun_array;
 minea = MinEA();
 fun_array = CreateArray("ProGos");
 if (fun_array == -1) 
   fun_array = GetArrayId("ProGos");
 SetArrayString(fun_array,0,"2D E9"); 
 for (j=0;j<1;j++){
   ae = minea;
   prolog = GetArrayElement(AR_STR,fun_array,j);
   while (1) {
     funct = FindBinary ( ae, SEARCH_DOWN, prolog); 
     if (funct == BADADDR )
     funct = funct - 2;
     MakeCode (funct);
     MakeFunction (funct, BADADDR); 
     ae = funct + 4;