This year, we have examined the plugins of 8 contestants, for a grand total of 10 plugins of overall very high quality, which bring many interesting additional features and, dare we say, dimensions to IDA.

Among those, we had to choose three.

…well, in fact we were having a hard time figuring out exactly which one should win the third place, so we decided to award a third prize to two of them.

Here’s the final ranking:

Congratulations to the winners!

Below is the full list of submissions:

Command Palette by Milan BohacekCommand Palette is: A blazing fast way of running commands in IDA. It eliminates all unnecessary keypresses / mouse clicks needed to run any command available in IDA. It is inspired by command palette from Sublime Text. Our comments: Command palette is a well-designed utility that, depending on your workflow, might make your life much simpler. It is written in Python, and is trivial to install & use. Download command_palette.py

Hexlight by Milan BohacekHexlight is: A plugin that highlights matching curly brace in the pseudocode view and lets you jump from one brace to the other. Our comments: Another clever, easy-to-use, great usability improvement by Milan! Download hexrays_hlight.py

Ponce by Alberto Garcia Illera, Francisco Oca (Salesforce)Ponce is: …an IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++ Our comments: Ponce currently suffers from the following significant limitations in our point of view: only works on Windows

building it is not exactly a walk in the park Yet, we have decided to make it this year’s winner, because it bridges the impressive Triton engine with IDA, bringing concolic testing at your fingertips, in a rather well thought out, natural manner. Although most of the heavy lifting is in fact performed by Triton (and Z3), the integration within IDA is (mostly) cleverly done. There are a few issues that we’re sure will be ironed out over time, but it is already very much usable. Download ponce.zip (Windows-only at the moment) Get Ponce from github Blog entry: Introducing Ponce

Labeless by Aliaksandr TrafimchukLabeless provides: Labeless is a plugin system for dynamic, seamless and realtime synchronization between IDA Database and debug backend. It consists of two parts: IDA plugin and debug backend’s plugin. Labeless significantly reduces time that researcher spends on transferring already reversed\documented code information from IDA (static) to debugger (dynamic). It saves time, preventing from doing the same job twice. Also, you can document and add data to the IDB on the fly and your changes will be automatically propagated to debug backend, even if you will restart the virtual machine or instance of debug backend will crash. So, you will never lose your research. This solution is highly upgradable. You can implement any helper scripts in Python on debug backend’s side and then just call them from IDA with one line of code, parsing the results and automatically propagating changes to IDB. Our comments: Labeless is fairly easy to use (with good documentation), and helps bridge the gap between IDA and other popular reversing/debugging tools such as Olly Dbg. It seems pretty stable, too, since it works with (at least) 6.8, 6.9 and 6.95 versions of IDA. On the ‘cons’ side, there were some issued with the build for idaq64. Still, overall a pretty useful addition to IDA. Download labeless_release_full_1.1.0.8.7z Get labeless from github

CGEN by Yifan LuCGEN for IDA Pro is: …an extension of CGEN (which is an attempt at modeling CPUs in Scheme and then automatically generating simulators, assemblers, etc) to generate IDA Pro modules. Our comments: This project was written with the specific goal of implementing a processor module for the Toshiba MeP. Although the goal was achieved, the project has not been extended to support the other CPU descriptions available from CGEN yet. Unfortunately, development on CGEN seems to have ceased upstream, but this remains a very interesting idea. Perhaps a similar idea could be used to generate processor modules from LLVM, which is an active project. Download cgen.zip Get CGEN from github

Keypatch by Nguyen Anh Quynh & Thanh NguyenKeypatch is: …a plugin of IDA Pro for Keystone Assembler Engine. See this introduction for the motivation behind Keypatch, and this slides for how it is implemented. Keypatch offers 3 tools inside. Patcher & Fill Range: these allow you to type in assembly to directly patch your binary.

Assembler: this interactive tool let you enter assembly & get back instruction encoding. Our comments: The Keypatch plugin provides a good alternative to IDA’s “Patch program>Assemble” feature. Since the plugin is based on the Keystone Assembler Engine, which is itself based on LLVM, it provides support for many architectures, such as x86, ARM, MIPS, SPARC, PPC, and Hexagon. The Keypatch Patcher updates on-the-fly the instruction encoding as you type, which makes it useful not only for patching but also for quickly testing assembly code syntax (3 are currently supported (AT&T, Intel, and NASM)). The source code is well-written and easy to understand, the plugin is simple to install and use, and works out-of-the-box. It also features very high quality documentation and tutorials (available on their website.) Download 2.0.1.zip Get Keypatch from github

sk3wldbg by Chris Eagle sk3wldbg is: …the Sk3wlDbg plugin for IDA Pro. It’s purpose is to provide a front end for using the Unicorn Engine to emulate machine code that you are viewing with IDA. The plugin installs as an IDA debugger which you may select whenever you open an IDA database containing code supported by Unicorn. Currently supported architectures include: x86

x86-64

ARM

ARM64

MIPS

MIPS64

SPARC

SPARC64

M68K Our comments: Sk3wlDbg is an IDA debugger backend that uses the Unicorn Engine, based on QEMU, to emulate machine code. The idea is similar to that of x86emu, but this plugin leverages the work from QEMU to provide support for many architectures, such as x86, ARM, MIPS, and SPARC. Sk3wlDbg simplifies the process of stepping through obfuscated code or testing the outcome of small snippets of code; in that it is no longer necessary to configure or open an external QEMU process. Although the idea is great, we found the plugin still has a rather long way to go before reaching production quality (as the author himself puts it: THIS CODE IS VERY RAW AND PROBABLY VERY BUGGY!) Let’s hope Chris finds the time to iron out the remaining issues — some of which are severe, such as occasionally crashing IDA (which is why we couldn’t let it make it to the top 3.) Download sk3wldbg.zip Get sk3wldbg from github

AutoRE by Aliaksandr TrafimchukAutoRE is: IDA PRO auto-renaming plugin with tagging support. Our comments: AutoRE will automatically rename functions that have only one API call, making it easier to identify functions that are likely just wrappers around an API function. It is a good idea and well executed, but the plugin is very lightweight compared to the other plugins this year, and we have also had similar plugins submitted in the past. Download auto_re.zip Get AutoRE from github

VMAttack by Anatoli KalyschVMAttack is: an IDA PRO Plugin which enables the reverse engineer to use additional analysis features designed to counter virtualization-based obfuscation. For now the focus is on stack based virtual machines, but will be broadened to support more architectures in the future. The plugin supports static and dynamic analysis capabilities which use IDA API features in conjunction with the plugins own analysis capabilities to provide automatic, semi-automatic and manual analysis functionality. The main goal of this plugin is to assist the reverse engineer in undoing the virtualization-based obfuscation and to automate the reversing process where possible. Our comments: This plugin is quite impressive in terms of the amount of functionality it brings to the table. It is robust, configurable, and provides a very good balance between static/dynamic analysis techniques. Like IDA itself, it will likely be most effective in the hands of a talented reverse-engineer, and aside from minor clumsiness in the UI it works quite well. Download vm_attack.zip Get VMAttack from github