rehints / hexrayscodexplorer Goto Github PK

As I use function Object Explorer in x64 PE I got 2 issue

First : The IDA crash when I click on the context menu, as I see the debug log, I figureout it error in the format string at line 271 - tmp.cat_sprnt(" 0x%x: %s", rtd, name); in ObjectExplorer.cpp, I reformat the output to - tmp.cat_sprnt(_T(" 0x%I64X: %s"), rtd, name); and recompile then the plugin work ok.

Second : I see the vtable reference in PE file compile with vs2013 x64 use LEA instruction insteal of MOV intruction as in x32

lea     rcx, off_14000E2A8

so the code at line 77 in ObjectExplorer.cpp will not work

BOOL get_vtbl_info(ea_t ea_address, VTBL_info_t &vtbl_info) {
.......................................

                    if((*((PUINT) disasm_line) == 0x20766F6D /*"mov "*/) && (strstr(disasm_line+4, " offset ") != NULL))
                    {
                        is_move_xref = TRUE;
                        break;
                    }
......................................
} 

Thanks for aweasome plugin !

Wont load on IDA 6.95 on OSX (10.12). Did I miss something obvious? :)

Log:
dlopen(/Applications/IDA Pro 6.95/idaq64.app/Contents/MacOS/plugins/HexRaysCodeXplorer.pmc64): dlopen(/Applications/IDA Pro 6.95/idaq64.app/Contents/MacOS/plugins/HexRaysCodeXplorer.pmc64, 2): Symbol not found: __ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5c_strEv
Referenced from: /Applications/IDA Pro 6.95/idaq64.app/Contents/MacOS/plugins/HexRaysCodeXplorer.pmc64
Expected in: /usr/lib/libstdc++.6.dylib
in /Applications/IDA Pro 6.95/idaq64.app/Contents/MacOS/plugins/HexRaysCodeXplorer.pmc64

build failed

1>------ Build started: Project: HexRaysCodeXplorer, Configuration: Release x64 ------
1>Debug.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>CtreeExtractor.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>GCCObjectFormatParser.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>GCCTypeInfo.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>GCCVtableInfo.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>IObjectFormatParser.cpp
1>MSVCObjectFormatParser.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>ObjectExplorer.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>CodeXplorer.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>CtreeGraphBuilder.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>TypeReconstructor.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>TypeExtractor.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>Utility.cpp
1>C:\Program Files\IDA 7.0\plugins\hexrays_sdk\include\hexrays.hpp(11): fatal error C1083: Cannot open include file: 'pro.h': No such file or directory
1>Generating Code...
1>Done building project "HexRaysCodeXplorer.vcxproj" -- FAILED.

I get an access violation for what I believe is cross-thread issue maybe. It says that it had an violation accessing memory or writing to memory that it shouldn't have. I narrowed down the error with building my own version (IDA 6.8 SDK) to the process_rtti() function in ObjectExplorer.cpp.

I made a quick and dirty patch to fix my issue for now, but I'm not familiar with the framework and would prefer someone that knows what they are doing to look into it. The crash happens within the cat_sprint function in qstring.

Line 291

    std::stringstream s_Stream;

    s_Stream << "0x" << rtd << std::hex << ":  " << name;

    /* qstring tmp;

    tmp.cat_sprnt(" 0x%x:  %s", rtd, name);*/

    rtti_list.push_back(s_Stream.str().c_str());

build ok with ida 7.0 sdk on vs 2017.
but i can` see the contents when click display ctree graph.
back ground color and font color is too similar.
is there any color adjust setting?

http://prntscr.com/myk89w

-- snip --

Edit:
My apologies, I did find the old versions of HRCX on GitHub, whihc version works with IDAPro 6.8?
https://github.com/REhints/HexRaysCodeXplorer/tree/master/bin

With the latest IDA 6.9, when I attempt to to reconstruct a variable, IDA crashes.

I traced this back to TypeReconstructor.cpp:627. For one reason or another, lvar_t * lvar = vu.item.get_lvar(); returns nullptr, which is passed into make_pointer and subsequently crashes IDA.

I am testing this on IDA64 with version 6.9.

The context menu in the decompiler output menu only shows up when reverse engineering 64-bit binaries. Is this a lack of support inside the plugin or should I do some other troubleshooting?

Additionally, when I setup to build it (thinking maybe I just needed a different build of the plugin) I get the following linker error:

Severity	Code	Description	Project	File	Line	Suppression State
Error	LNK1104	cannot open file 'C:\Program Files\IDA 7.1\plugins\HexRaysCodeXplorer64.dll'	HexRaysCodeXplorer	D:\misc\HexRaysCodeXplorer-master\HexRaysCodeXplorer-master\src\HexRaysCodeXplorer\LINK	1	

Where I have the following set in the prop sheet:

    <IDADIR>C:\Program Files\IDA 7.1</IDADIR>
    <IDASDK>D:\idasdk71\idasdk71</IDASDK>

Help with either of these issues is appreciated.

I'm running IDA 7.0.170914, Windows x64.
I have a valid HexRays license (I think?) since I can see Psuedo Code and the console area outputs:
Hex-Rays Decompiler plugin has been loaded (v7.0.0.170914)

However this plugin does not load, any ideas?

I've used the latest version from here

Hi, I build the latest HexRaysCodeXplorer from GitHub and test the plugin with a sample test:
https://github.com/trietptm/HexRaysCodeXplorer/blob/master/tests/Box_1.exe
https://github.com/trietptm/HexRaysCodeXplorer/blob/master/tests/Box_1.cpp

I see that HexRaysCodeXplorer's REconstruct Type doesn't reconstruct the struct well here and it only recognize 1 element of the correct struct.

Hi I just wanna know what am missing you are explaining everything except how to install or idk where to start if this is for professional it won't hurt to add how to get started don't be so proud with what you know cause there's always someone know more and at some point you started at some point

Thanks
Ali Bayati

The problem occurs here.

Opening the Graph View twice can result in IDA crashing.

Steps to reproduce:

1. Go in Pseudocode view
2. Click on Graph View. A ctree graph tab is opened.
   3 Go back in Pseudocode view
3. Click on Graph View. A second ctree graph tab is opened, the first one contains both graph and the second is empty.
4. Close the first ctree graph tab (the one with both graphs).
5. Click on the second ctree graph tab. IDA crashes.

I compiled the linux shared libs with both EA=0 and EA=1, copied HexRaysCodeXplorer64.so HexRaysCodeXplorer.so to the ida-7.1/plugins/ and then restarted IDA. The HexRaysCodeXplorer plugin did not show up. I also tried to add the the plugin entry in ida-7.1/plugins/plugins.cfg and it did not work either. Please advise. Thanks.

Hello,

I have downloaded the src and recompiled with Visual Studio 2015 for IDA 6.95 but when I load the plugin into the plugins/ folder, it does not seem to load CodeXplorer. Does not show up in the plugins submenu.
I have tried running your precompiled v2.0 and v1.7 binaries for IDA 6.8 and 6.9 as well with the same results.
Windows 10 x64
IDA 6.95
IDASDK 6.95
x86 Decompiler 2.4.0.160808

When compiling I also got errors for missing CallGraphBuilder.cpp and JsonParser.cpp. Where are these files located? They are not in the SDK or in your source distribution. To allow compilation, I have removed these two files from the vcxproj file.

Thanks.

Hello, sir,

Thanks for good plugin, today I'm trying to use with IDA 6.95. features such as display treee etc works well. but REconstruct Type feature will crash the IDA.

I'm using version 2.0 on win7 x64.

Tested both with IDA 32 and IDA64.

The example was attached.

Steps to reproduce:

1. rename attachment to ext name of zip, extract the file
2. open idb
3. f5 in the default open function.
4. reconstruct type on variable v4

The files are missing from the master branch but are referenced in multiple files
including the .vcxproj file.
CodeXplorer.cpp
GCCObjectFormatParser.cpp
GCCTypeInfo.cpp
GCCVtableInfo.cpp
HexRaysCodeXplorer.vcxproj

That is, of course, assuming the project is supposed to build off the master branch.
Just clone the master to some directory other than your regular development directory
and try to build.

Thanks.

I download hexrayscodexplorer1.6 plw and p64 to ida plugin direcotory. It has this error:
LoadLibrary(C:\tool\IDAPro6.6\plugins\HexRaysCodeXplorer.p64) error: (can't find specified program)。
C:\tool\IDAPro6.6\plugins\HexRaysCodeXplorer.p64: can't load file

but if I use hexrayscodexplorer 1.5 , It can work.

method_name got a new value, but struc_member_name is not updated.

I have the IDA Pro (64-bit) program installed and wanted to installed this as an extension is that possible? How would I find the <PATH_TO_IDA> info for my makefile stuff?

I'm trying to load the plugin against the latest version of the linux IDA, the compiled version refuses to load completely, and the source fails to load with:

oiajsd@ouipreqwouiperwquiopreqw:~/tools/HexRaysCodeXplorer/src/HexRaysCodeXplorer$ IDA_DIR=/home/oiajsd/ida-7.2/ IDA_SDK=/home/oiajsd/idasdk72 EA64=0 make -f makefile.lnx

• IDA_DIR=/home/oiajsd/ida-7.2/
• IDA_SDK=/home/oiajsd/idasdk72
• EA64=0
• make -f makefile.lnx
  rm -f ./CodeXplorer.o ./CtreeGraphBuilder.o ./ObjectExplorer.o ./TypeReconstructor.o ./CtreeExtractor.o ./TypeExtractor.o ./Utility.o ./MSVCObjectFormatParser.o ./IObjectFormatParser.o ./GCCObjectFormatParser.o ./GCCVtableInfo.o ./GCCTypeInfo.o ./Debug.o HexRaysCodeXplorer.so
  g++ -m64 -fPIC -D__LINUX__ -D__PLUGIN__ -std=c++11 -D__X64__ -D_GLIBCXX_USE_CXX11_ABI=0 -I/home/oiajsd/idasdk72/include -I/home/oiajsd/ida-7.2//plugins/hexrays_sdk/include -c CodeXplorer.cpp -o CodeXplorer.o
  CodeXplorer.cpp: In function ‘bool display_ctree_graph(void*)’:
  CodeXplorer.cpp:348:36: error: ‘WOPN_MENU’ was not declared in this scope
  display_widget(widget, WOPN_TAB | WOPN_MENU);
  ^~~~~~~~~
  CodeXplorer.cpp:348:36: note: suggested alternative: ‘WOPN_TAB’
  display_widget(widget, WOPN_TAB | WOPN_MENU);
  ^~~~~~~~~
  WOPN_TAB
  makefile.lnx:50: recipe for target 'CodeXplorer.o' failed
  make: *** [CodeXplorer.o] Error 1
  oiajsd@ouipreqwouiperwquiopreqw:~/tools/HexRaysCodeXplorer/src/HexRaysCodeXplorer$

Is anyway I can compile this for the latest version? Am I missing something? I did make sure the SDK was compiled

Thank you

Hey can you please:

1. add Ida 7 support
2. add automatically analyze of struct? like solve this Ida line: *(&v15 + some_var - 77) = *(&v15 + some_var - 76) - *(&v15 + some_var - 77); to a normal strucr?

Crashes seems to be in line vu.refresh_ctext(); of file CodeXploerer.cpp, have reproduced this problem on Mac and Windows with latest ida 6.9.

Hello,
I'm a Linux user, I'd like to use the version you compiled for 6.95 but I'm quite confused by the labelling of versions : which one is the more recent ? Contest version ? Black Hat ?

Also, I tried to compile the current source code for IDA 6.95 but got crashes (or it didn't work after fixing th e NULL derefs). Are you using the code from github to compile the binaries ?

Just a small nit when reconstructing types. It's hard to compare memory traces to undefined field_%d variables as measurements are usually done in hex. I may submit a PR for this...

Personally I think there shouldn't be an option and that the default should be hex.

https://github.com/REhints/HexRaysCodeXplorer/blob/master/src/HexRaysCodeXplorer/TypeReconstructor.cpp#L547-L548

Hi,
the new HexRaysCodeXplorer's microcode view shortcut conflicts with a builtin from Hex-Rays:

Conflicting shortcut: M; Candidate actions:
	codexplorer::microcode_view (Microcode View)
	hx:Enum (Enu&m)

Maybe Ctrl-Shift-M would be better ?

Several keyboard buttons including the arrow keys will cause the Object Explorer window to open. I think the issue is here:
https://github.com/REhints/HexRaysCodeXplorer/blob/master/src/HexRaysCodeXplorer/CodeXplorer.cpp#L425

Because all of the keycodes are not defined in the above location (only two,) I'm guessing that whenever a keyboard button is pressed where lookup_key_code returns zero, this condition evaluates true and opens the window:

https://github.com/REhints/HexRaysCodeXplorer/blob/master/src/HexRaysCodeXplorer/CodeXplorer.cpp#L395

build.zip
Dear developers:
I have build the plugin from the latest code, but it seems didn't work on windows 10 17093, IDA Pro 7.0, I can't find the load info of this plugin when IDA start. I would appreciate if anyone could help, thanks~

Here is my build plugin:
https://mega.nz/#!akxDmDYJ!BjtFQNCeCGCQlx6NaQX-G6ThWVpTrjKNEO1cq4RJq5E

Hello,
have you already working on IDA 7 support?
If not, I might try to have a look.

Raphaël

Building latest master with Visual Studio 2017 (SDK 10.0.17134.0) with IDA Pro and Hex-Rays x64 7.2. Builds fine (after adding defines as per issue #74 ) with IDA SDK 7.3, but doesn't load:

LoadLibrary(C:\Program Files\IDA 7.2\plugins\HexRaysCodeXplorer.dll) error: The specified procedure could not be found.
C:\Program Files\IDA 7.2\plugins\HexRaysCodeXplorer.dll: can't load file

Any ideas?

HI,
I cloned the codes and tried to compile it in VS2017 with IDA 7.2. It threw many errors related to "WOPN_ONTOP" and "WOPN_MENU" being undeclared identifiers.

I added the following lines to "Common.h"
#define WOPN_ONTOP 0x08
#define WOPN_MENU 0x10

I hope this can help someone else that faced similar errors.

Oops wrong issue.

I'd be glad to compile it myself, but I obviously have no sources.

Commit from Dec 2015 says .plw was updated for IDA 6.9 in Linux, but plugin does not appear after copying to $IDA/plugins

When i ran make IDA_DIR=/home/ysg/idafree-7.0 IDA_SDK=/home/ysg/idafree-7.0/idasdk70 EA64=0 make -f makefile.lnx on Linux , i ran into this problem.

I used the IDAFree 7.0 Version

rm -f ./CodeXplorer.o ./CtreeGraphBuilder.o ./ObjectExplorer.o ./TypeReconstructor.o ./CtreeExtractor.o ./TypeExtractor.o ./Utility.o ./MSVCObjectFormatParser.o ./IObjectFormatParser.o ./GCCObjectFormatParser.o ./GCCVtableInfo.o ./GCCTypeInfo.o ./Debug.o HexRaysCodeXplorer.so
g++ -m64 -fPIC -D__LINUX__ -D__PLUGIN__ -std=c++11 -D__X64__ -D_GLIBCXX_USE_CXX11_ABI=0 -I/home/ysg/idafree-7.0/idasdk70/include -I/home/ysg/idafree-7.0/plugins/hexrays_sdk/include -c CodeXplorer.cpp -o CodeXplorer.o
In file included from CodeXplorer.cpp:26:0:
Common.h:57:10: fatal error: hexrays.hpp: No such file or directory
 #include <hexrays.hpp>
          ^~~~~~~~~~~~~
compilation terminated.
makefile.lnx:50: recipe for target 'CodeXplorer.o' failed
make: *** [CodeXplorer.o] Error 1

I haven't checked yet the source code but, do you think the plugin may support Linux?

sorry. nevermind)

Hi, I had the following build errors. I found the same question before but can I simply delete the lines from .vcxproj file?

1> CallGraphBuilder.cpp
1>c1xx : fatal error C1083: Cannot open source file: 'CallGraphBuilder.cpp': No such file or directory
...
1> JsonParser.cpp
1>c1xx : fatal error C1083: Cannot open source file: 'JsonParser.cpp': No such file or directory

I get several errors:
At ObjectExplorer.cpp:634,

custom_viewer_handlers_t cvh = custom_viewer_handlers_t();
cvh.keyboard = ct_object_explorer_keyboard;

custom_viewer_handlers_t is simply not defined anywhere.

Also, at three locations
set_custom_viewer_handlers(si->cv, NULL, si); throws an error function does not take 3 arguments.

My build system is Visual Studio with IDA SDK 6.8, but this seems to a problem with the codebase.

I am running IDA 7.1 x64 on Windows.

I compiled HexRaysCodeXplorer and the resulting DLL is present in the /plugins/ directory.

However it seems the DLL is not loaded.
No new entry is present in Edit->Plugins, nor does the decompile tab get new items when right clicking.
Also no message concerning HexRaysCodeXplorer is visible in the Messages window.

I would like to point out that identifiers like "__H_FUNCCTREEDUMPER__" and "__H_OBJECTEXPLORER__" do not fit to the expected naming convention of the C++ language standard.
Would you like to adjust your selection for unique names?

Having the next code:

int __stdcall PsGetNextJob(PVOID Object)
{
_KTHREAD *ETHREAD; // esi@1
signed int v2; // ecx@1
int v3; // edi@3
int v5; // [sp+10h] [bp-4h]@1

v5 = 0;
ETHREAD = KeGetCurrentThread();
--ETHREAD->SpecialApcDisable;
...
}

Calling Object Explorer in --ETHREAD->SpecialApcDisable; crashes IDA.

I'm wondering if it's possible to reconstruct a type from multiple functions. For example, this function assigns the vtable but it does not use all fields.

Before reconstruct type:

After reconstruct type:

That works perfectly. However, it only creates the fields that are specifically used here.

Many more fields of this type are only used in other functions. Reconstruct type seems to just load the existing struct instead of adding newly discovered fields, resulting in weird gap_F8[44] fields. (v2 is a NetConnection *)

Does your plugin or IDA itself provide an easy way to solve this?

Both versions of the plugin are actually the same file.

IDA crashes when calling "Reconstruct Type" on variable declaration or function names.

For example I have this code in IDA:
void *v4; // eax@1
v4 = operator new(4u);

Calling "Reconstruct Type" on *v4 will crash IDA.

Reading the slide-deck, this is capable of compiling as a 64-bit plugin -- could those bins be committed to the repo so that people don't need to build it for themselves?

Right now when vtable is created with function pointers if you press "Y" you see that the type is empty.
Please consider setting type of each pointer in vtable struct to it's corresponding function type. This will allow decompiler to use correct number of parameters in each virtuall function call, since not always correct number of args i guessed correctly.

How can Debuging the plw with vs2013?