banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

"Learning Notes of 'Starting from Zero to Learn IDA Reverse Engineering' - 13 (Introduction to IDAPython)"

#逆向881
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This article provides instructions on how to install and use the ipyida plugin for IDA, a popular disassembler and debugger for binary files. It includes examples of basic IDA Python commands and functions, such as getting the current instruction address and segment, listing historical commands, and retrieving function names. The article also provides references for further learning and resources.

Install ipyida

Installation reference for ipyida: How to Install Plugins in IDA - lca

How to use ipython

After installation, select the ipyida plugin from the "Edit-Plugins" menu, and the interface will open as follows:

image

Press "?" to display the help information. Press "esc" to exit the help information interface. Press the tab key to automatically complete the command. For example, if you enter "imp" and press tab, it will complete "import". After "import", enter a space and press tab to list the modules to be imported.

image

After importing the module, you can append "?" after the module to display the module information.

idaapi?
idaapi?? # Display more detailed information

image

Enter "%hist" to list the command history, and "%history -n" to display the command history and line numbers.

image

"%edit" opens the text editor, and "%edit x-y" opens the text editor and writes the commands within the specified range.

Basic usage of IDA Python

IDA Python consists of the following three independent modules:

  • idc
  • idaapi
  • idautils

IDA Python is case-sensitive and uses camel case naming convention.

idc.here()

image

Get the current instruction address

idc.GetDisasm()

image

Get the current assembly instruction

idc.SegName()

image

Get the current segment

idc.MinEA&idc.MaxEx

image

Get the lowest and highest addresses of the program

ea = idc.here()
next_str = idc.NextHead(ea)
pre_instr = idc.prev_head(ea)

image

image

Get the address of the previous (next) assembly instruction

SceenEA

Represents the position of the current cursor in the disassembly view

Need to import the module import idaapi

image

If you use the ScreenEa function, an error will occur. This may be related to the Python version. The following is an error in Python 3.

To run the script command, first create a script (under the Python 3 environment)

image

Then use "File-Run File" to load and run the script. The running result is as follows:

image

The command idc.GetDisasm(start_ea) outputs the instruction at the current cursor position (under the Python 3 environment)

image

If you move the cursor to another position, ea will re-find the position and value of the cursor.

The first or second operand of the instruction can be output using the idc.GetOpnd() function.

image

Get the function name at the current cursor position


import idc
import idaapi

ea = idc.ScreenEA()
func = idaapi.get_func(ea)
funcname = idc.GetFunctionName(func.startEA)

print funcname

image

Get the current function name

import idc
import idautils

ea = idc.ScreenEA()

start = idc.SegStart(ea)
end = idc.SegEnd(ea)

for funcea in idautils.Functions(start,end):
	name = idc.GetFunctionName(funcea)
	print name

image

Get all function names in the block

E = list(idautils.FuncItems(ea))
for e in E:
	print "%X"%e,idc.GetDisasm(e)

image

Output all instructions of the function

image

Compare with the instructions in the disassembly view

Move the cursor to WndProc to view the references

image

Move the cursor to the "CARTEL_BUENO" function and press the X key to display that the "wndproc" function calls the "CARTEL_BUENO" function.

image

Use the coderefs() function to get the function names that call it.

image

image

Get references to CARTEL_BUENO.

References:

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.