IDA Pro 64 Bit Plugin

[mendax47]

I Can't Found The .p64 Plugin For IDA Pro. Only .plw (32) Bit Are Available... However If I rename the .plw to .p64 and then open the 64bit ida it givems me a fatal error...

[mrexodia]

I don't have any plans supporting IDA.

…

On Sun, 5 Feb 2017 at 16:59 mendax47 ***@***.***> wrote: I Can't Found The .p64 Plugin For IDA Pro. Only .plw (32) Bit Are Available... However If I rename the .plw to .p64 and then open the 64bit ida it givems me a fatal error... — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#22>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACWCmUnK37pMXkNwG9Y-LtiVsjga46m_ks5rZfHIgaJpZM4L3iNW> .

[Mattiwatti]

1. In Visual Studio, click the Debug/Release dropdown selector and go to configuration manager.
2. Set the solution to Release Win32 (not x64), scroll down to ScyllaHideIDAProPlugin, click Release -> <New...>
3. Make a new configuration named Release64, copying settings from Release, and uncheck 'create new solution configurations'. OK your way out.
4. Right click the ScyllaHideIDAProPlugin project and go to Properties -> General. Make sure the dropdown boxes above are set to your new Release64 Win32 configuration.
5. Set the output directory to $(SolutionDir)build\Release\$(PlatformName)\
6. Set the target extension to .p64
7. On the left, go to C++ -> Preprocessor, and add __VC__=1;BUILD_IDA_64BIT=1; in front of whatever is there. You can do the same for Release non-64 with only __VC__=1 since it should really be set but isn't.
8. Now you'll get a compiler error because no one has compiled or tested this code in years. #if 0 around it and figure out how to fix it if you actually need that code.
9. The plugin now runs and doesn't crash IDA. I haven't tested it further.

[Mattiwatti]

Oh and the IDA SDK that comes with the repository is ancient (v6.3), I suggest replacing it with 6.8 or 6.95. I used the 6.95 SDK for the above.

[greenozon]

@Mattiwatti
I'd like to add new subproject ScyllaHideIDAProX64Plugin -
namely for 64 bit IDA plugin (.p64) as well as update SDK (say to version 6.8), test it all and validate the test app passes the TCs
It'll contain all the pre-requisites for this IDA plugin as well specific code (in case of need)

[Mattiwatti]

Sure, but if 6.8 is the best you can do, I've just hit you with a pre-emptive strike of SDK v6.95 (it is backwards compatible with IDA 6.8, assuming you don't use any 6.95-exclusive functionality obviously). Also, don't expect me to be able to help you with it ;) IDA is an amazing tool for static analysis, but I've never used it for debugging in my life.

[greenozon]

OK, great
thank you
I'm not using any 6.95 features, so we are safe here, for sure
No worries, I'm experienced user (at least I think so :) ) so I'll take care of upcoming issues myself

the criteria that things are up & running as I see it are as follows:

1. build up the p64 plugin
2. setup things
3. test it on the x64 test exe from this project

compare the output before and after.
if the output will be positive I guess this could be treated as a mission successful

[greenozon]

OK, I"m ready with the code (a new project into existing project tree), but I really don't know how should I submit this new PR (as I've already forked the repo and having there an open PR)
ideally I need a new branch, right? could you hint me how this is done here, @github? thanks

[nihuai]

@greenozon Hello, does the plug-in support the latest IDA

[greenozon]

Hi, if you mean the v7 - the answer is NO
why? SDK was changed heavily, so investigation is required,
for the moment both plugin are for IDA versions < 7

I'm attaching also the before and after pics with detection string

and after -

[Mattiwatti]

OK, I"m ready with the code (a new project into existing project tree), but I really don't know how should I submit this new PR (as I've already forked the repo and having there an open PR) ideally I need a new branch, right? could you hint me how this is done here, @github? thanks

You can create a new branch 'from scratch' using your existing fork like this:
git clone https://github.com/greenozon/ScyllaHide.git ScyllaHide-IDA-x64
cd ScyllaHide-IDA-x64
git remote add upstream https://github.com/x64dbg/ScyllaHide.git
git pull upstream vs13

The last two steps add this repository as a remote named upstream and make your vs13 branch even with it.

I would do git push origin vs13 at this point to make the public Github side of your vs13 branch up to date with upstream, but that's not necessary per se, just usually more convenient.

Now all that's left is
git checkout -b IDA-x64
to create a new branch. Commit your changes and
git push origin IDA-x64
when you're done. The branch will automatically show up on your fork's Github page and you can create a PR from there.

You don't need to create a separate folder for every branch: if you want you can just git checkout vs13 (followed by pull from upstream + push to origin if needed) and git checkout -b <newbranchname>. But this is the most fool-proof method I would say ;)

[mrexodia]

Just got a nice email from Ilfak so I removed the latest SDK:

[Mattiwatti]

Nice. Sorry for working on a plugin that supports your software guys, we'll make sure not to do it again in the future.

[grimaz]

On exelab.ru someone announced paid request for ScyllaHide IDA 7.x support. So, it may be a nice bonus.