Article directory
reference article
Introduction to IDAPython
IDAPython has powerful functions, which are very useful when using IDA to analyze programs, and can simplify many operations such as feature code matching and modification of spent instructions
To learn IDAPython, you need to know a little basic knowledge of the Python language and query the IDAPython documentation
IDAPython official documentation: IDAPython documentation
Search directly in the search box to match related items
Common functions
Function to get interface address
-
idc.here()
Gets the address of the instruction currently selected by the cursor
-
idc.get_screen_ea()
has the same function as idc.here() -
ida_ida.inf_get_min_ea()
obtains the minimum address of the program -
ida_ida.inf_get_max_ea()
Get the maximum address of the program -
idc.read_selection_start()
Get the starting address of the selected block
-
idc.read_selection_end()
Get the end address of the selected block -
idc.BADADDR
This is a constant, defined as 4294967295 (0xffffffff), used to represent an inaccessible empty address (similar to a pointer whose value is equal to NULL), used to determine whether the address exists
Numeric get function
- idc.get_wide_byte(addr)
- idc.get_wide_word(addr)
- idc.get_wide_dword(addr)
- idc.get_qword(addr)
Numeric judgment function
- ida_bytes.is_byte(addr)
- ida_bytes.is_word(addr)
- ida_bytes.is_dword(addr)
- ida_bytes.is_qword(addr)
patch operation function
- ida_bytes.patch_byte(addr,value)
- ida_bytes.patch_word(addr,value)
- ida_bytes.patch_dword(addr,value)
- ida_bytes.patch_qword(addr,value)
Instance of removing flower instruction
NKCTF2023 Reverse earlier
This question has multiple identical flower instructions
.text:00401527 33 C0 xor eax, eax
.text:00401529 85 C0 test eax, eax
.text:0040152B 74 03 jz short near ptr loc_40152F+1
.text:0040152B
.text:0040152D 75 00 jnz short $+2
.text:0040152D
.text:0040152F
.text:0040152F loc_40152F:
.text:0040152F
.text:0040152F E8 8B F4 FF 15 call near ptr 164009BFh
Obviously, eax is set to zero after xor eax and eax. At this time, the result of the test instruction must be 0,
so the jz instruction must be executed instead of jnz (the jnz instruction means to jump to the address of the instruction + 2) that
is to say It must jump to 0x00401530, and it is impossible to jump to 0x0040152f.
We can manually remove it, cancel the definition, nop, and re-identify it as a code. Let's
try the IDAPython script:
import idc
import idautils
import ida_bytes
pattern = "33 C0 85 C0 74 03 75 00 E8" # 匹配花指令字节码
cur_addr = 0x401000 # 程序起始地址
while cur_addr != idc.BADADDR: # 遍历程序可访问地址
cur_addr = idc.find_binary(cur_addr,SEARCH_DOWN,pattern)
# 匹配花指令所在地址,第一个参数是起始地址,第二个参数是搜索方式,这里是向下(低地址向高地址搜索),第三个是格式字符串
if cur_addr == idc.BADADDR: # 如果未匹配到
break;
else:
print("patch address: ",hex(cur_addr)) # 打印起始地址
for i in range(9): # 开始patch
ida_bytes.patch_byte(cur_addr,0x90)
cur_addr += 1
It can be seen that all the same flower instructions have been removed
Subsequent content will be supplemented with learning