How do you spell “I love you” in Greek?…
In IDA Pro you can create unicode strings. They are displayed nicely in the listing as long as they use the Latin script:
But for any unicode string with Kanji characters, Cyrillic, or any other non-trivial script, the listing looks like gibberish:
This is not much better than a hexadecimal dump. Alas, IDA cannot display non-Latin unicode characters in the listing.
I created a sample program to illustrate the point. It displays “I love you” in many languages. Please note that the language selection is somewhat arbitrary 🙂 Some of the phrases were found in forums. Many phrases were copied from this great site.
Here is how the program looks on the screen:
(please tell me if you find any errors in the text)
What our plugin will do: it will retrieve the current unicode string from the database and display it on the screen. Very simple, isn’t it? Since the IDA API cannot be used, we will have to create our own window with an edit control and display the string there. We will use regular Windows functions like CreateWindow and SetWindowText to display the string. The plugin and its source code can be downloaded here.
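The step between the raw bytes of a string in the database and readable text, as an added example (not the plugin's source). It assumes the string is stored as UTF-16LE, as Windows unicode strings are, and it produces UTF-8 so that it runs anywhere, where the plugin described above uses SetWindowText instead. `utf16le_to_utf8`, `put_utf8` and `SAMPLE` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: "Σ'αγαπώ" as UTF-16LE, a 16-bit NUL, then unrelated bytes. */
static const uint8_t SAMPLE[] = { 0xA3, 0x03, 0x27, 0x00, 0xB1, 0x03, 0xB3, 0x03,
    0xB1, 0x03, 0xC0, 0x03, 0xCE, 0x03, 0x00, 0x00, 0x41, 0x00 };

/* Write one code point as UTF-8; returns bytes written, 0 if it does not fit. */
static size_t put_utf8(uint32_t cp, char *out, size_t room) {
    static const uint8_t lead[] = { 0, 0x00, 0xC0, 0xE0, 0xF0 };
    size_t len = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (len > room) return 0;
    for (size_t k = len - 1; k > 0; k--, cp >>= 6)   /* continuation bytes, last first */
        out[k] = (char)(0x80 | (cp & 0x3F));
    out[0] = (char)(lead[len] | cp);
    return len;
}

/* Hypothetical helper: decode raw UTF-16LE bytes into NUL-terminated UTF-8.
   Stops at the terminator, at the end of the input, or when out is full; a
   trailing odd byte is ignored and an unpaired surrogate becomes U+FFFD. */
size_t utf16le_to_utf8(const uint8_t *raw, size_t raw_len, char *out, size_t out_size) {
    size_t i = 0, n = 0;
    if (out_size == 0) return 0;
    while (i + 1 < raw_len) {
        uint32_t cp = raw[i] | ((uint32_t)raw[i + 1] << 8);
        i += 2;
        if (cp == 0) break;                          /* string terminator */
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < raw_len) {
            uint32_t lo = raw[i] | ((uint32_t)raw[i + 1] << 8);
            if (lo >= 0xDC00 && lo <= 0xDFFF) {      /* valid surrogate pair */
                cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                i += 2;
            }
        }
        if (cp >= 0xD800 && cp <= 0xDFFF) cp = 0xFFFD;
        size_t w = put_utf8(cp, out + n, out_size - 1 - n);
        if (w == 0) break;                           /* output buffer full */
        n += w;
    }
    out[n] = '\0';
    return n;                                        /* UTF-8 length in bytes */
}

int main(void) {
    char text[64];
    utf16le_to_utf8(SAMPLE, sizeof SAMPLE, text, sizeof text);
    return puts(text) == EOF;
}
```

The decoder stops at the 16-bit terminator, so the bytes that follow the string in the sample are never shown.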
Here is the result of the plugin:
When we move the cursor from one string to another, the window contents are refreshed:
In an ideal world the string contents would be displayed right in the listing and our plugin would not be necessary. This is a possible future improvement for IDA, but it is quite laborious to add true unicode support (please do not hold your breath).
The same idea can be used for many other things. A plugin could display, for example, PE file resources and render bitmaps or dialog boxes in a dedicated window. We could also use a window to display graphs or charts of any type. Or we could open a window and display the result of our own analysis, say, in the spectral form 🙂
While this plugin uses the bare Windows API, I’m sure that the MFC library as well as .Net (or a Java-based interface) can be used too. There are so many things one can do with a plugin!
Here are the source files and binaries: