
True unfreedom is building a cage inside your own heart.

"Learning Notes of 'Starting from Zero to Learn IDA Reverse Engineering' - 13 (Introduction to IDAPython)"

Install ipyida

The installation of ipyida can be referenced at: How to install plugins in IDA - lca

How to use ipython

After installation, select the ipyida plugin from the "Edit-Plugins" menu, and the interface will appear as follows:

image

Press "?" to display the help information, press "esc" to leave the help screen, and press the Tab key to auto-complete a command. For example, typing "imp" and pressing Tab completes it to "import"; after "import", typing a space and pressing Tab lists the modules that can be imported.

image

After importing the module, you can use "?" after the module to display module information.

idaapi?
idaapi?? # Display more detailed information

image

Type "%hist" to list the command history, and "%history -n" to display the command history and line numbers.

image

"%edit" opens the text editor, and "%edit x-y" opens the text editor and writes the commands within the specified range.

Basic usage of IDA Python

IDA Python consists of the following three independent modules:

  • idc
  • idaapi
  • idautils

IDA Python is case-sensitive, and the API used in these notes follows the camel-case naming convention (the legacy names; current IDA versions also provide snake_case equivalents such as idc.get_screen_ea()).

idc.here()

image

Get the current instruction address

idc.GetDisasm()

image

Get the current assembly instruction

idc.SegName()

image

Get the current segment

idc.MinEA() & idc.MaxEA()

image

Get the lowest and highest addresses of the program

ea = idc.here()                  # address under the cursor
next_instr = idc.next_head(ea)   # start of the next item (legacy name: idc.NextHead)
prev_instr = idc.prev_head(ea)   # start of the previous item (legacy name: idc.PrevHead)

image

image

Get the address of the previous (next) assembly instruction

ScreenEA

Represents the position of the current cursor in the disassembly view

Requires importing the module first: import idaapi

image

If the ScreenEA function is used, an error will occur. This may be related to the Python version. The following is the error under Python 3.

To run the script command, first create a script (under the Python 3 environment)

image

Then use "File-Run File" to load and run the script. The running result is as follows:

image

The command idc.GetDisasm(start_ea) outputs the instruction at the current cursor position (under the Python 3 environment)

image

If the cursor is moved to another position and the script is run again, ea picks up the new cursor address and the output changes accordingly.

The first or second operand of the instruction can be printed with the idc.GetOpnd() function (operand index 0 or 1).

image

Get the function name at the current cursor position


import idc
import idaapi

ea = idc.get_screen_ea()           # cursor address (legacy name: idc.ScreenEA)
func = idaapi.get_func(ea)         # func_t of the function containing ea, or None
if func is None:
    print("cursor is not inside a function")
else:
    # legacy names: func.startEA / idc.GetFunctionName
    funcname = idc.get_func_name(func.start_ea)
    print(funcname)

image

Get the current function name

import idc
import idautils

ea = idc.get_screen_ea()           # cursor address (legacy name: idc.ScreenEA)

start = idc.get_segm_start(ea)     # segment bounds (legacy names: idc.SegStart / idc.SegEnd)
end = idc.get_segm_end(ea)

# idautils.Functions yields the start address of every function in [start, end)
for funcea in idautils.Functions(start, end):
	name = idc.get_func_name(funcea)   # legacy name: idc.GetFunctionName
	print(name)

image

Get all function names in the block

# idautils.FuncItems yields the address of every item (instruction) in the function containing ea
E = list(idautils.FuncItems(ea))
for e in E:
	print("%X" % e, idc.GetDisasm(e))

image

Output all instructions of the function

image

Compare with the instructions in the disassembly view

Move the cursor to WndProc to view the references

image

Move the cursor to the "CARTEL_BUENO" function and press the X key to display that the "wndproc" function calls the "CARTEL_BUENO" function.

image

Use the code-reference functions (idautils.CodeRefsTo()) to get the addresses that reference the function, and map each one to the name of the calling function.

image

image

Get the references of CARTEL_BUENO.
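The same xref lookup, generalized from the single CARTEL_BUENO query above to every function in the segment under the cursor. This is an added example, not code from the original notes; the IDA calls are confined to ida_callers() so that build_caller_map() can be exercised outside IDA on constructed sample data (the addresses and function names in SAMPLE_FUNCS / SAMPLE_REFS are made up).

```python
# Build a "callee -> callers" map for a whole segment (added example, not from the notes).
try:
    import idc
    import idautils
except ImportError:          # not running inside IDA (plain interpreter)
    idc = idautils = None


def build_caller_map(func_eas, code_refs_to, func_name_at):
    """Return {callee_name: sorted caller function names}.
    func_eas     -- iterable of function start addresses
    code_refs_to -- callable(ea) -> addresses that reference ea
    func_name_at -- callable(ea) -> name of the function containing ea, "" if none
    """
    callers = {}
    for func_ea in func_eas:
        names = set()
        for ref_ea in code_refs_to(func_ea):
            caller = func_name_at(ref_ea)
            if caller:       # skip references from outside any function
                names.add(caller)
        callers[func_name_at(func_ea)] = sorted(names)
    return callers


def ida_callers():
    """IDA glue: analyse the segment containing the cursor (modern API names)."""
    ea = idc.get_screen_ea()                  # legacy: idc.ScreenEA()
    start = idc.get_segm_start(ea)            # legacy: idc.SegStart()
    end = idc.get_segm_end(ea)                # legacy: idc.SegEnd()
    # flow=False: explicit references only, not fall-through from the previous instruction
    return build_caller_map(idautils.Functions(start, end),
                            lambda target: idautils.CodeRefsTo(target, False),
                            idc.get_func_name)  # legacy: idc.GetFunctionName


# Constructed sample database: each function occupies one 0x100-byte block.
SAMPLE_FUNCS = {0x401000: "WinMain", 0x401100: "WndProc", 0x401200: "CARTEL_BUENO"}
# WinMain calls WndProc once; WndProc calls CARTEL_BUENO twice; 0x403000 lies outside any function
SAMPLE_REFS = {0x401100: [0x401050], 0x401200: [0x401150, 0x401160, 0x403000]}


def sample_func_name_at(ea):
    return SAMPLE_FUNCS.get(ea & ~0xFF, "")


def sample_caller_map():
    return build_caller_map(SAMPLE_FUNCS, lambda ea: SAMPLE_REFS.get(ea, []), sample_func_name_at)


if idautils is not None:     # inside IDA: run on the real database
    for callee, names in ida_callers().items():
        print(callee, "<-", ", ".join(names) or "(no callers)")
```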
