Locked FindFunc: IDA PRO plugin to find code functions

[itsMe]

This is the hidden content, please

• Sign In
• or
• Sign Up

FindFunc is an IDA PRO plugin to find code functions that contain a certain assembly or byte pattern, reference a certain name or string, or conform to various other constraints. This is not a competitor to tools like Diaphora or BinNavi, but it is ideal to find a known function in a new binary for cases where classical bindiffing fails.

Filtering with Rules

The main functionality of FindFunc is letting the user specify a set of “Rules” or constraints that a code function in IDA PRO has to satisfy. FF will then find and list all functions that satisfy ALL rules (so currently all Rules are in an AND-conjunction). Exception: Rules can be “inverted” to be negative matches. Such rules thus conform to “AND NOT”.

FF will schedule the rules in a smart order to minimize processing time. Feature overview:

    Currently, 6 Rules are available, see below
    Code matching respects Addressing-Size-Prefix and Operand-Size-Prefix
    Aware of function chunks
    Smart scheduling of rules for performance
    Saving/Loading rules from/to file in simple ascii format
    Several independent Tabs for experimentation
    Copying rules between Tabs via clipboard (same format as a file format)
    Advanced copying of instruction bytes (all, opcodes only, all except immediate)

Button “Search Functions” clears existing results and starts a fresh search, “Refine Results” considers only results of the previous search.

Advanced Binary Copying

A secondary feature of FF is the option to copy binary representation of instructions with the following options:

    copy all -> copy all bytes to the clipboard
    copy without immediate -> blank out (AA ?? BB) any immediate values in the instruction bytes
    opcode only -> will blank out everything except the actual opcode(s) of the instruction (and prefixes)

This is the hidden content, please

• Sign In
• or
• Sign Up