This is a python port of James Koppel's Referee IDA plugin with some updates:
https://github.com/jkoppel/project-ironfist/tree/master/tools/Revitalize/Referee
It's much easier to reverse-engineer a structure when you can find every place its members are used. If you wish to reengineer the binary and modify a structure, finding every use is essential. Referee makes both of these tasks easier by marking accesses of structures in decompiled functions.
- IDA 7.0 or higher
- Hex-Rays Decompiler 1.6 or higher
Copy the plugin into the IDA "plugins" folder
Referee will automatically run whenever a function is decompiled. It is recommended that you decompile the entire binary for maximum information. This can be done by going to File > Produce file > Create C file...
and letting it complete. You can see the cross-references that Referee adds by opening a structure in the Structures window, highlighting a field of a structure, and pressing "X."
Referee does not do type inference; you will still need to give types to your functions for it to find structure uses.
- If you annotate a function to remove a struct-member usage, decompiling the function again will remove the corresponding xrefs.
- Referee only tracks accesses to structure members, not pointer-passing.
- Configuring debug output:
logging.getLogger('referee').setLevel(logging.DEBUG)