Source: http://www.0xebfe.net/blog/2013/01/13/how-to-create-an-anonymous-ida-pro-database-dot-idb/

Probably it’s not secret for you that every .IDB files contains header with your license information.

There are two “netnodes” in every .IDB file that reveals your identity. Basically “netnode” is block with some data, check: idasdk\include\netnode.hpp for more info.

So there are two netnodes:

”$ user1” - contains plaint text info about your license.
”$ original user” - contains encrypted info about your license.

Actually you can freely delete “$ user1” netnode without any consequences, because IDA doesn’t check it at all. But “$ original user” netnode has strategic meaning for IDA PRO. This netnode contains RSA-1024 encrypted license information, same info that you have in “ida.key” file. When you open .IDB database IDA reads “$ original user” value, decrypts it with public RSA-1024 key and checks your license against MD5 hashes of blacklisted “pirated” licenses.

So what we can do? We can’t delete it, because IDA checks this netnode on every opening. We can’t generate own value, because we don’t have private RSA key. But we can copy this value from another .IDB file :)

I googled and found this .IDB file from Trustwavehere

So let’s dump “$ original user” netnode in source .IDB file with following python script:

netnode_dumper.py
1

2

3

import idaapi

import binascii

print(binascii.hexlify(idaapi.netnode('$ original user', 0, False).supval(0)))

After that insert dumped value into this script and run it in IDA in destination .IDB:

netnode_updater.py
1

2

3

4

5

import idaapi

import binascii

dumped_netnode_value ='111insert_your_hex_value_here111'

idaapi.netnode('$ user1', 0, False).kill() # deleting netnode with plain text info

idaapi.netnode('$ original user', 0, False).supset(0, binascii.unhexlify(dumped_netnode_value))

Save, re-open database. Let’s check:

Yep, we have .IDB file from Trustwave now :)

And when IDA shows you this message:

or “Sorry, this database has been created by a pirate version of IDA”.

This means that “$ original user” netnode contains banned license info. But you still can copy this value from legit .IDB with hex editor.

 

[转]How to create an anonymous IDA PRO database (.IDB)的更多相关文章

  1. How to create an anonymous IDA PRO database (.IDB)

    Source: http://www.0xebfe.net/blog/2013/01/13/how-to-create-an-anonymous-ida-pro-database-dot-idb/ P ...

  2. IDA Pro使用技巧

    DA Pro基本简介 IDA加载完程序后,3个立即可见的窗口分别为IDA-View,Named,和消息输出窗口(output Window). IDA图形视图会有执行流,Yes箭头默认为绿色,No箭头 ...

  3. IDA Pro Disassembler 6.8.15.413 (Windows, Linux, Mac)

    IDA: What's new in 6.8 Highlights This is mainly a maintenance release, so our focus was on fixing b ...

  4. IDA Pro基本简介

    IDA Pro基本简介 IDA加载完程序后,3个立即可见的窗口分别为IDA-View,Named,和消息输出窗口(output Window). IDA图形视图会有执行流,Yes箭头默认为绿色,No箭 ...

  5. IDA Pro使用技巧及大杂烩

    IDA Pro使用技巧及大杂烩 IDA Pro基本简介 IDA加载完程序后,3个立即可见的窗口分别为IDA-View,Named,和消息输出窗口(output Window). IDA图形视图会有执行 ...

  6. 路由器逆向分析------在Linux上安装IDA Pro

    本文博客地址:http://blog.csdn.net/qq1084283172/article/details/69665905 01.在Linux系统上安装Linux版本的IDA Pro Linu ...

  7. 安卓动态调试七种武器之孔雀翎 – Ida Pro

    安卓动态调试七种武器之孔雀翎 – Ida Pro 作者:蒸米@阿里聚安全 0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的,人是 ...

  8. 计算机病毒实践汇总六:IDA Pro基础

    在尝试学习分析的过程中,判断结论不一定准确,只是一些我自己的思考和探索.敬请批评指正! 1. IDA使用 (1)搜索.下载并执行IDA Pro,对可执行程序lab05-01.dll进行装载,分别以图形 ...

  9. Ubuntu下安装IDA pro

    预备 由于IDA pro只能装在32位环境下,如果是64位Ubuntu,需要运行如下命令安装32位的必备库. sudo dpkg --add-architecture i386 sudo apt-ge ...

随机推荐

  1. C#如何设置session过期时间

    1.操作系统  步骤:开始——〉管理工具——〉Internet信息服务(IIS)管理器——〉网站——〉默认网站——〉  右键“属性”——〉主目录——〉配置——〉选项——〉启用会话状态——〉会话超时(在 ...

  2. R语言数据分析系列六

    R语言数据分析系列六 -- by comaple.zhang 上一节讲了R语言作图,本节来讲讲当你拿到一个数据集的时候怎样下手分析,数据分析的第一步.探索性数据分析. 统计量,即统计学里面关注的数据集 ...

  3. UVA - 10014 - Simple calculations (经典的数学推导题!!)

    UVA - 10014 Simple calculations Time Limit: 3000MS Memory Limit: Unknown 64bit IO Format: %lld & ...

  4. linux_shell_获取日期相关

    shell里直接调用系统变量 获取当天日期`date +%Y%m%d` 获取昨天日期`date -d yesterday +%Y%m%d` 获取前天日期`date -d -2day +%Y%m%d` ...

  5. [CLR via C#]1.1 将源代码编译成托管代码

    原文:[CLR via C#]1.1 将源代码编译成托管代码 1. 公共语言运行时(Common Language Runtime,CLR)是一种可由多种编程语言使用的"运行时". ...

  6. Xutils呼叫流源代码文件下载方法

    //我主要是好奇Xutils哪里回调onLoading(),查找等了很久也没找到,果然easy查找只是把它写下来 前言: 1.代码摘要只有主线,提供一般流程 2.为了易于理解,码变量名,而是类名的驼峰 ...

  7. ExtJs--15--Ext.is*各种类型推断的方法,简单看源代码就能够明确了

    /** * Returns true if the passed value is empty, false otherwise. The value is deemed to be empty if ...

  8. 多种语言socket编程集锦—win32

    原文 http://www.blogjava.net/huyi2006/articles/263831.html 借此地方整理以下socket编程的多种语言的实现,socket可以跨平台的通信,因此多 ...

  9. 查询DBlink创建

    DBlink创建 查询 博客分类: Oracle   当用户要跨本地数据库,访问另外一个数据库表中的数据时,本地数据库中必须创建了远程数据库的dblink,通过dblink本地数据库可以像访问本地数据 ...

  10. 第5章1节《MonkeyRunner源码剖析》Monkey原理分析-启动运行: 官方简介(原创)

    天地会珠海分舵注:本来这一系列是准备出一本书的,详情请见早前博文“寻求合作伙伴编写<深入理解 MonkeyRunner>书籍“.但因为诸多原因,没有如愿.所以这里把草稿分享出来,所以错误在 ...