IDA Pro 配置

本文最后更新于 2025年4月27日

最近 IDA Pro 9.1 发布了，趁此机会重新配置一下 IDA。

前置条件

Windows 11
python 3.11.9

下载、安装与激活

下载

magnet:?xt=urn:btih:f24cfadb8a66b343bf1ff4f0c1386a5f6991c818&dn=ida91

安装

略

激活

将下面的 python 代码保存为文件，放到 IDA Pro 的安装目录下，然后运行即可。

▶

激活代码

import json
import hashlib
import os

# originally made by irabbit
license = {
    "header": {"version": 1},
    "payload": {
        "name": "Glass",
        "email": "Glass",
        "licenses": [
            {
                "description": "license",
                "edition_id": "ida-pro",
                "id": "48-2137-ACAB-99",
                "license_type": "named",
                "product": "IDA",
                "seats": 1,
                "start_date": "2025-03-13 00:00:00",
                "end_date": "2033-12-31 23:59:59",  # This can't be more than 10 years!
                "issued_on": "2025-03-13 00:00:00",
                "owner": "",
                "product_id": "IDAPRO",
                "add_ons": [
                    # {
                    #     "id": "48-1337-DEAD-01",
                    #     "code": "HEXX86L",
                    #     "owner": "48-0000-0000-00",
                    #     "start_date": "2024-08-10 00:00:00",
                    #     "end_date": "2033-12-31 23:59:59",
                    # },
                    # {
                    #     "id": "48-1337-DEAD-02",
                    #     "code": "HEXX64L",
                    #     "owner": "48-0000-0000-00",
                    #     "start_date": "2024-08-10 00:00:00",
                    #     "end_date": "2033-12-31 23:59:59",
                    # },
                ],
                "features": [],
            }
        ],
    },
}


def add_every_addon(license):
    platforms = [
        "W",  # Windows
        "L",  # Linux
        "M",  # macOS
    ]
    addons = [
        "HEXX86",
        "HEXX64",
        "HEXARM",
        "HEXARM64",
        "HEXMIPS",
        "HEXMIPS64",
        "HEXPPC",
        "HEXPPC64",
        "HEXRV64",
        "HEXARC",
        "HEXARC64",
        # Probably cloud?
        # "HEXCX86",
        # "HEXCX64",
        # "HEXCARM",
        # "HEXCARM64",
        # "HEXCMIPS",
        # "HEXCMIPS64",
        # "HEXCPPC",
        # "HEXCPPC64",
        # "HEXCRV",
        # "HEXCRV64",
        # "HEXCARC",
        # "HEXCARC64",
    ]

    i = 0
    for addon in addons:
        i += 1
        license["payload"]["licenses"][0]["add_ons"].append(
            {
                "id": f"48-1337-DEAD-{i:02}",
                "code": addon,
                "owner": license["payload"]["licenses"][0]["id"],
                "start_date": "2024-08-10 00:00:00",
                "end_date": "2033-12-31 23:59:59",
            }
        )
    # for addon in addons:
    #     for platform in platforms:
    #         i += 1
    #         license["payload"]["licenses"][0]["add_ons"].append(
    #             {
    #                 "id": f"48-1337-DEAD-{i:02}",
    #                 "code": addon + platform,
    #                 "owner": license["payload"]["licenses"][0]["id"],
    #                 "start_date": "2024-08-10 00:00:00",
    #                 "end_date": "2033-12-31 23:59:59",
    #             }
    #         )


add_every_addon(license)


def json_stringify_alphabetical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def buf_to_bigint(buf):
    return int.from_bytes(buf, byteorder="little")


def bigint_to_buf(i):
    return i.to_bytes((i.bit_length() + 7) // 8, byteorder="little")


# Yup, you only have to patch 5c -> cb in libida64.so
pub_modulus_hexrays = buf_to_bigint(
    bytes.fromhex(
        "edfd425cf978546e8911225884436c57140525650bcf6ebfe80edbc5fb1de68f4c66c29cb22eb668788afcb0abbb718044584b810f8970cddf227385f75d5dddd91d4f18937a08aa83b28c49d12dc92e7505bb38809e91bd0fbd2f2e6ab1d2e33c0c55d5bddd478ee8bf845fcef3c82b9d2929ecb71f4d1b3db96e3a8e7aaf93"
    )
)
pub_modulus_patched = buf_to_bigint(
    bytes.fromhex(
        "edfd42cbf978546e8911225884436c57140525650bcf6ebfe80edbc5fb1de68f4c66c29cb22eb668788afcb0abbb718044584b810f8970cddf227385f75d5dddd91d4f18937a08aa83b28c49d12dc92e7505bb38809e91bd0fbd2f2e6ab1d2e33c0c55d5bddd478ee8bf845fcef3c82b9d2929ecb71f4d1b3db96e3a8e7aaf93"
    )
)

private_key = buf_to_bigint(
    bytes.fromhex(
        "77c86abbb7f3bb134436797b68ff47beb1a5457816608dbfb72641814dd464dd640d711d5732d3017a1c4e63d835822f00a4eab619a2c4791cf33f9f57f9c2ae4d9eed9981e79ac9b8f8a411f68f25b9f0c05d04d11e22a3a0d8d4672b56a61f1532282ff4e4e74759e832b70e98b9d102d07e9fb9ba8d15810b144970029874"
    )
)


def decrypt(message):
    decrypted = pow(buf_to_bigint(message), exponent, pub_modulus_patched)
    decrypted = bigint_to_buf(decrypted)
    return decrypted[::-1]


def encrypt(message):
    encrypted = pow(buf_to_bigint(message[::-1]), private_key, pub_modulus_patched)
    encrypted = bigint_to_buf(encrypted)
    return encrypted


exponent = 0x13


def sign_hexlic(payload: dict) -> str:
    data = {"payload": payload}
    data_str = json_stringify_alphabetical(data)

    buffer = bytearray(128)
    # first 33 bytes are random
    for i in range(33):
        buffer[i] = 0x42

    # compute sha256 of the data
    sha256 = hashlib.sha256()
    sha256.update(data_str.encode())
    digest = sha256.digest()

    # copy the sha256 digest to the buffer
    for i in range(32):
        buffer[33 + i] = digest[i]

    # encrypt the buffer
    encrypted = encrypt(buffer)

    return encrypted.hex().upper()


def generate_patched_dll(filename):
    if not os.path.exists(filename):
        print(f"Didn't find {filename}, skipping patch generation")
        return

    with open(filename, "rb") as f:
        data = f.read()

        if data.find(bytes.fromhex("EDFD42CBF978")) != -1:
            print(f"{filename} looks to be already patched :)")
            return

        if data.find(bytes.fromhex("EDFD425CF978")) == -1:
            print(f"{filename} doesn't contain the original modulus.")
            return

        data = data.replace(
            bytes.fromhex("EDFD425CF978"), bytes.fromhex("EDFD42CBF978")
        )

        patched_filename = f"{filename}.patched"
        with open(patched_filename, "wb") as f:
            f.write(data)

        print(
            f"Generated modulus patch to {patched_filename}! To apply the patch, replace the original file with the patched file")


# message = bytes.fromhex(license["signature"])
# print(decrypt(message).hex())
# print(encrypt(decrypt(message)).hex())

license["signature"] = sign_hexlic(license["payload"])

serialized = json_stringify_alphabetical(license)

# write to ida.hexlic
filename = "idapro.hexlic"

with open(filename, "w") as f:
    f.write(serialized)

print(f"Saved new license to {filename}!")

generate_patched_dll("ida32.dll")
generate_patched_dll("ida.dll")
generate_patched_dll("libida32.so")
generate_patched_dll("libida.so")
generate_patched_dll("libida32.dylib")
generate_patched_dll("libida.dylib")

然后用生成的 ida.dll.patched 和 ida32.dll.patched 替换掉 IDA Pro 的安装目录下的 ida.dll 和 ida32.dll 即可。

基本配置

字符串相关

打开 Strings 子界面：View -> Open subviews -> Strings

Strings 界面中右键 -> Setup
根据需要设置

Options -> General -> String

编码问题
IDA 默认为英文环境，会自动忽略除 ASCII 码以外的字符，导致中文无法被解析。
解决办法：启动程序时带上 -dCULTURE=all 参数；依据需要修改 Options -> General -> Strings -> Default 8-bit string 为 UTF-8 或者 936 (直接输入 CodePage 即可)，再在 Strings 窗口右键 -> Rebuild。

sig

FLIRTDB
sig-database
clone 到 sig/pc 目录下
下载磁链的 misc/signatures-bundles-9.1.metadata.zip，解压到 sig 目录下

使用时点击 plugins -> IDA Feeds 或 Shift + F5

自行创建静态库 sig

使用 tools/flair/pcf.exe 和 sigmake.exe

先获取 pat 文件：

1	`pcf <static_lib_path> <output_pat_path>`

再把 pat 文件转换为 sig 文件：

1	`sigmake <pat_path> <output_sig_path>`

可能有 collision，查看 exc 文件：

;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module
; add '-' if you are not sure about the selection
; do nothing if you want to exclude all modules

_gzgetc 26 E38D 558BEC8B550885D2744E817A104F1C000075458B426485C0740583F8FB75398B
_gzgetc_ 26 E38D 558BEC8B550885D2744E817A104F1C000075458B426485C0740583F8FB75398B

_gzopen 00 0000 558BECFF750C6AFFFF7508E8........83C40C5DC3......................
_gzopen64 00 0000 558BECFF750C6AFFFF7508E8........83C40C5DC3......................

在想要包含的行前加上 +，然后把带分号的行删去，例如：

+_gzgetc 26 E38D 558BEC8B550885D2744E817A104F1C000075458B426485C0740583F8FB75398B
_gzgetc_ 26 E38D 558BEC8B550885D2744E817A104F1C000075458B426485C0740583F8FB75398B

+_gzopen 00 0000 558BECFF750C6AFFFF7508E8........83C40C5DC3......................
_gzopen64 00 0000 558BECFF750C6AFFFF7508E8........83C40C5DC3......................

最后重新运行 sigmake 命令即可。

pdb

在环境变量中添加条目：_NT_SYMBOL_PATH，值为放置下载的 pdb 文件的目录
加载某些 dll 时可能会自动提示下载，或者在调试界面手动下载 (Load Debug Symbols)

插件

IDA Pro 插件目录：安装目录下的 plugins 文件夹

名称	功能	备注
IDAscope	加密算法识别、查看函数调用 api、yara
HexRaysCodeXplorer	c++ 自动类型重建以及对象浏览
D810	去混淆，反 ollvm	可能导致反汇编出错
findcrypt-yara	加密算法识别
findcrypt3	加密算法识别	ida9.1 不可用
signsrch-py	加密算法识别
findhash	加密算法识别	慢
class informer	反编译 C++ 时恢复类信息
KeyPatch	patch 指令
Patching	patch
auto-enum	恢复 api 的 enum 参数
Hrtng	去混淆、lib 函数识别、解密
deREferencing	显示栈和寄存器指向的内容	调试使用
LazyIDA	快速 dump 数据
StrConv	字符串转换	自己写的，打个广告 (逃
DelphiHelper	加载 idr 的数据库、构造窗体控件树、VMT Parse	delphi 专用

IDAscope

把 idascope 文件夹、 idascope.py 和 requirements.txt 放到 plugins 目录下，运行 pip install -r requirements.txt
打开 idascope 文件夹里的 config.py 文件，修改 “idascope\root\dir” 为 IDA 插件的根目录

HexRaysCodeXplorer

从这里下载适配 IDA Pro 9 的 HexRaysCodeXplorer64.dll
把 HexRaysCodeXplorer64.dll 放到 plugins 目录下

D810

把 d810 文件夹和 d810.py 放到 plugins 目录下
pip3 install z3-solver

findcrypt-yara

把 findcrypt3.rules 文件夹和 findcrypt3.py 放到 plugins 目录下
pip3 install yara-python

findcrypt3

~~下载 bin 目录下最新的 findcrypt3.dll 和 findcrypt364.dll ，放到 plugins 目录下~~

signsrch-py

把 signsrch.py 和 signsrch.xml 放到 plugins 目录下
修改 signsrch.py 的 87 行为 ignored = ["be", "le"][idaapi.inf_is_be()]

findhash

把 findhash.py 和 findhash.xml 放到 plugins 目录下
修改 findhash.py 的 199 行为 is_64bits = idaapi.inf_is_64bit()

class informer

把 ClassInformer64.dll 放到 plugins 目录下

KeyPatch

从这里下载适配 IDA Pro 9 的 keypatch.py
把 keypatch.py 放到 plugins 目录下
pip3 install keystone-engine
pip3 install six (可能不需要)

Patching

下载 release 中的 patching\win32.zip ，解压到 plugins 目录

auto-enum

把 plugins 目录下的所有内容放到 plugins 目录下

Hrtng

下载 release 的 hrtng-2.4.30.7z ，转到 plugins\windows\9.1 ，把 hrtng.dll 放到 plugins 目录下；根目录下的 literal.txt 和 apilist.txt 放到 plugins 目录下
似乎不会在 Edit -> Plugins 中显示

deREferencing

把 deREferencing 文件夹和 deREferencing.py 放到 plugins 目录下

LazyIDA

把 LazyIDA.py 放到 plugins 目录下

StrConv

把 str_conv.py 放到 plugins 目录下
需要先调整默认编码

DelphiHelper

把 DelphiHelper.py 和 DelphiHelper 文件夹放到 plugins 目录下
按照提示，下载 idr 数据库并解压到 plugins/DelphiHelper/IDR_KB 下

-plugins
    -DelphiHelper
        -IDR_KB
            -IDR
                -kb2005.bin
                -......
            -IDR64
                -syskb2012.bin
                -......
    -DelphiHelper.py