2024 Plugin Contest Winners & Submissions
This year we received 20 submissions from old and new friends. As always, we are grateful to all the participants for their hard work and interesting ideas.
Winners
Congratulations to our winners!
Full list of submissions (in alphabetical order)
aiDAPal
IDA Pro plugin that uses a locally running LLM that has been fine-tuned for Hex-Rays pseudocode to assist with code analysis.
Our review:
aiDAPal integrates a self-hosted, fine-tuned LLM for Hex-Rays pseudocode to assist with code analysis. It provides pseudocode explanations and variable renaming, and supports configurable models and servers. While results can be verbose, the plugin offers a digestible overview of complex functions and excels at variable renaming. Performance depends heavily on hardware, and while the generation speed is slow, the plugin demonstrates great potential for future development. It's a promising step forward in applying AI to reverse engineering workflows.
Assemport
This is a small plugin in Python that exports each individual function in an assembly file. You can then process the export automatically, for example by transferring each individual file to an AI that analyzes it.
Our review:
A simple plugin that exports all functions in the IDB, each in a separate assembly file.
Exporting and analyzing functions is not as trivial as it might seem at first glance: a function can consist of many chunks, and the same chunk can be owned by several functions. The plugin simply outputs the first function chunk and ignores the others.
Community_base
You can think of this script as padding between the user-created scripts and the IDA Python API. If you develop scripts with this script as a base, then if (when) Hex-Rays changes something in their API, instead of fixing EVERY script out there, the community can fix this script and all the user-created scripts (that depend on this script) will work again.
Our review:
Overall, we think the main value of this script is showing how to do a wide array of things using the IDA Python API and documenting some of its quirks by working around them. We love the type annotations. Clearly, a lot of effort went into writing community_base, and it would be helpful for rapid prototyping of IDA Python projects.
We think with more development it will be reliable for third parties (for inspiration, see projects like `sark`). We're looking forward to seeing the shape this project will take in the future.
Delphi Helper
DelphiHelper is a Python IDA Pro plugin aiming to help the analysis of x86/x86_64 binaries written in the Delphi programming language.
Our review:
The plugin helps analyze Windows binaries built with Delphi. It can parse and format RTTI structures and rename standard methods. If the PE resources are loaded, it can also parse the compiled Delphi forms (DFM), show and label event handlers, and extract binary resources (e.g. images). IDR signatures for recent Delphi versions are supported too.
Overall, it is a great addition for those dealing with Delphi binaries.
Graffiti
Graffiti is a plugin that helps you create a customized call graph directly from IDA.
Our review:
This plugin will help you keep track of cross-references and links between parts of a binary. It will allow you to build an overview of a subsystem and jump around in it. It also integrates with a wide suite of IDE and developer tools.
hexhinlay
Inlay hints for the Hex-Rays decompiler.
Our review:
The plugin enriches the decompiler output by prefixing each function call parameter with its name. This is quite useful for code that calls unusual library functions, as one doesn't have to refer back and forth to the exact definition of the callee prototype. The plugin is straightforward to install and works nicely.
hrtng
IDA Pro plugin with a rich set of features: decryption, deobfuscation, patching, lib code recognition, and various pseudocode transformations. It ships with an automated control flow unflattening pass, a more robust function construction algorithm, and a manual vtable resolution feature. Quite impressed.
Our review:
hrtng offers a range of useful IDA extensions. Every feature is well documented with a video; some features run automatically, and others are available from context menus. We were especially impressed by the fully automated unflattening pass that seamlessly handled most of the samples we tried.
Malware analysts will find these features useful, and they are available exclusively in IDA.
IDA-Notepad-Plus
This plugin replaces the built-in notepad window in IDA, which is not so user-friendly, and adds many practical features. The notepad in IDA is shared globally, but my idea is to provide a separate notepad space for each function.
Our review:
The plugin can create multiple notebooks, for example, a notebook per function, and it can also make notes for highlighted items in IDA windows.
Each note is stored in a separate file in a special subdirectory beside the IDB.
There is a special "Sync" mode: automatic switching to the appropriate notebook depending on the current function in the pseudocode window.
The user can jump to an address by selecting it in the notebook.
idalib Rust bindings
The bindings allow IDA Pro 9.0 users to write standalone tools based on the IDA SDK in Rust in an idiomatic way.
Our review:
High-level Rust bindings for the IDA public API, allowing seamless use of IDA Pro in a native Rust manner—without the UI.
Simply write a Rust program that uses IDA Pro's powerful analysis: query any information about a binary, generate pseudocode for any function, continue your investigation with your own tools, and so on.
This is very useful for batch and offline analysis. While it does not yet cover the entire IDA Pro public API, it provides enough functionality to develop capable analytic tools.
IDAscope
IDAScope is a Neovim plugin that integrates IDA Pro with Telescope, allowing efficient exploration and analysis of functions within IDA Pro directly from Neovim.
Our review:
IDAScope integrates NeoVim with IDA, allowing one to fuzzy search functions by name and see their pseudocode/assembly without leaving the editor. It also allows you to export decompiled code as a `.c` file.
Once you figure out the NeoVim + IDA plugin setup, it delivers what it promises. Additionally, the Python side is pretty small and self-contained, requiring no additional dependency, which is good.
Overall, this is a pretty cool plugin that allows one to explore a target quickly from the terminal.
IDAxLM
IDAxLM is an IDA Pro plugin for engineering and consuming large language model prompts.
The author has previously submitted IDAClu, which won 1st place in 2024.
Our review:
IDAxLM integrates cloud-based LLMs into IDA Pro to assist with reverse-engineering tasks. It supports multiple models (OpenAI, Mistral, Groq), allows custom prompts, and provides contextual function analysis. Features include adding model output as comments or function names, generating code equivalents (e.g., Python), and a pricing calculator for API usage. While its rich feature set offers impressive flexibility, it may feel overwhelming for users seeking simplicity. Installation is straightforward, and the documentation is solid, though the plugin's complexity and evolving nature suggest it’s best suited for users who enjoy exploring highly configurable tools.
instrlen
The Instrlen plugin is a tool for IDA Pro that allows for setting the length of an instruction to a custom value.
Our review:
The plugin allows changing the effective length of an instruction in the database, separately from the actual length as decoded by the CPU.
This is useful in binaries with obfuscated code that jumps into the middle of existing instructions.
However, currently the adjustments need to be made manually for each instruction, which can be time-consuming.
LabSync
LabSync is an IDA plugin that can be used to partially synchronize IDBs between different users working on reversing the same binaries.
Our review:
LabSync is a plugin designed to streamline collaboration among reverse engineers. It synchronizes annotations such as function names, prototypes, and local types across users' IDBs. The plugin leverages straightforward logic and git-backed repositories, resulting in a robust and low-overhead system. This tool enhances efficiency and ensures that all team members are working with the most up-to-date information.
Mnemocrypt
ML tool to find crypto functions in binaries.
Our review:
Mnemocrypt uses a random forest classifier to detect and partially identify cryptographic functions in x86 executables. It provides clear, fast results with confidence scores and a simple coloring convention for quick analysis. Designed with efficiency in mind, the plugin processes large files swiftly and is easy to install and use. However, it's limited to x86 32-bit executables due to its training dataset, making it more of a research tool than a practical, real-world solution. With clean code and strong documentation, it's a promising academic project showcasing thoughtful design and implementation.
Navcolor
The Navcolor plugin is a tool for IDA Pro that enhances the functionality of the navigation band by displaying the color of the function. This allows you to easily identify functions and navigate through the disassembly.
Our review:
IDA allows setting a specific color per function. This is reflected in the disassembly and the Functions list.
The Navcolor plugin enhances the navigation band by displaying the color of the functions.
It also provides a quick way to change a function's color (normally done via function properties). A simple but useful plugin if you use function coloring in your analysis.
RevEng.AI
IDA Pro Plugin for RevEng.AI Toolkit.
Our review:
RevEng.AI is a powerful frontend for an AI-driven binary analysis platform, designed to assist with reverse engineering and malware analysis. The plugin allows users to upload binaries for cloud-based analysis, providing insights like packer identification, maliciousness scores, and vulnerabilities, along with metadata visualization in a polished web portal. It also supports function renaming based on similarity data and AI-generated function summaries (with credits). Fast and easy to install, the plugin offers a clean, professional design and a wide range of features, making it ideal for independent researchers. Expanding architecture support and offering a free testing tier could further enhance its appeal.
Shannon
Loader for Shannon baseband images in IDA Pro.
Our review:
A rare example of a loader. Installation is simple and quick, and it creates memory segments while performing some preprocessing of known structures. For certain versions, it can also detect RTOS task functions, making it a useful tool that saves time when analyzing Shannon baseband images.
Unknown Cyber
Integrate Unknown Cyber technologies seamlessly with IDA.
Our review:
Unknown-Cyber-Inc offers a plugin for accessing their cloud-based API, which focuses on similarity matching and YARA rule generation. The plugin allows users to upload binaries for analysis and view results, including procedure comparisons and similar function searches, through a straightforward interface. While uploading binaries to the cloud may not be ideal for all users, the installation is simple, the documentation is clear, and the code quality is excellent. It’s a practical tool for those comfortable with cloud-based workflows who need access to advanced backend functionality.
Xrefer
The plugin provides a custom navigation interface within IDA. [...] XRefer can provide cluster-based labels for functions, aiming to accelerate the manual static analysis process.
Our review:
This plugin was straightforward to install. The only hiccup we had was finding a JRE to use, but that is because our tester was on macOS. The plugin's README describes the (transitive) dependency on Java, though, so that is good.
The biggest caveat to our review is that we have barely scratched the surface of how this plugin is actually intended to be used. Specifically, it can import a bunch of information (e.g. API traces, presumably recorded at runtime), and it can also integrate with LLMs.
We ran the plugin on two PE binaries: the first was 1.3 MiB, and the second was 12 MiB. The baseline analysis took 1 minute and 19 minutes, respectively. We inspected the code and it seems to default to analyzing the first 10,000 call chains, or something like this. We're not sure that this number is configurable. We think a user using this on larger binaries should be cognizant of this limit.
After the analysis is finished, it shows a cool, text-based window on the right with a form of terminal UI. One thing that stood out to us was this menu, where items are expandable. The green entries are top-level, and the pink entries are sub-level. What we like about this is that they have some good/smart categorization of a number of cross-references up front.
YaraVM
A processor module and a loader for IDA Pro, enabling you to load and analyze compiled Yara rules.
Our review:
A loader and a processor module are provided for disassembling compiled Yara rules. The metadata is parsed and formatted, and functions are renamed.
- Small and easy to install
- Good sample of a small bytecode VM disassembler
*The 2024 Hex-Rays IDA Plugin Contest winners participated as private individuals, and their submissions were evaluated solely on their merits. Hex-Rays has no business relationship with the winners’ employer. The outcome of this contest does not establish or imply any affiliation between Hex-Rays and the winners’ employer, nor does it constitute an endorsement of their products or services.