idapython scripts, including the features below:
- Integrate IDA Pro and gdb through idapython.
- Identify suspicious functions in a binary by static analysis.
- Improved support for analyzing the CGC format.
On Windows:
- Change `port` in `iddaa/idapython/rpcserver.py` to yours.
- Copy the files in idapython to the IDA plugin directory.
- You can execute install.bat if you installed IDA Pro at `C:\Program Files (x86)\IDA 6.8\`.
On Linux:
```sh
git clone https://github.com/0xddaa/iddaa.git ~/tools/iddaa
echo "source ~/tools/iddaa/gdbscript/gdbinit" >> ~/.gdbinit
```
- Change `HOST` and `PORT` in `iddaa/gdbscript/rpc.py` to yours.
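The HOST/PORT settings above exist because the IDA side runs an RPC server and the gdb side is its client. The sketch below is an added example of that pattern, written in plain Python; it is not iddaa's `rpcserver.py` or `rpc.py`, and the function names, the fake symbol table, the comment store and the loopback binding are all assumptions. It exposes only explicitly registered functions and shows that an unregistered name is refused, which is the property to keep in mind when you open the listener to any interface other than loopback.

```python
"""Sketch of the RPC pattern behind the IDA <-> gdb integration: an XML-RPC
server exposes a fixed set of named functions, and the debugger side calls
them over HOST:PORT. Added example, not iddaa's rpcserver.py or rpc.py; the
function names, fake symbol table, comment store and loopback binding are
assumptions."""
import threading
from xmlrpc.client import Fault, ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

# Constructed stand-in for the IDA database: address -> symbol name.
FAKE_SYMBOLS = {0x0804DDAA: "main", 0x08048000: "_start"}
# Constructed stand-in for comments that idc.MakeComm would write.
COMMENTS = {}


def get_ida_symbols():
    """Return [[addr, name], ...]. Addresses travel as hex strings because the
    XML-RPC <int> type is 32-bit signed; a 64-bit address would raise
    OverflowError in the client."""
    return [[f"0x{addr:08x}", name] for addr, name in sorted(FAKE_SYMBOLS.items())]


def make_comm(addr, comment):
    """Record a comment for `addr` (hex string); returns True like idc.MakeComm."""
    COMMENTS[f"0x{int(addr, 16):08x}"] = comment
    return True


def start_server(host="127.0.0.1"):
    """Start the RPC server on an ephemeral port of `host`; return (server, port).
    The real plugin executes idapython on behalf of whoever reaches its port,
    so the listener belongs on loopback or another trusted interface."""
    server = SimpleXMLRPCServer((host, 0), allow_none=True, logRequests=False)
    # Register named functions only: no register_instance(), no introspection,
    # so a client cannot reach anything that was not deliberately exported.
    server.register_function(get_ida_symbols, "get_ida_symbols")
    server.register_function(make_comm, "MakeComm")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_server(server):
    server.shutdown()
    server.server_close()


def gdb_side(port):
    """What the gdb commands do underneath: proxy calls to the IDA server."""
    ida = ServerProxy(f"http://127.0.0.1:{port}/", allow_none=True)
    symbols = ida.get_ida_symbols()          # get_ida_symbols
    ida.MakeComm("0x804ddaa", "Soy Sauce")   # idc MakeComm(0x804ddaa, 'Soy Sauce')
    return symbols


def unregistered_call_is_rejected(port):
    """A name that was never registered yields an XML-RPC Fault, not execution."""
    ida = ServerProxy(f"http://127.0.0.1:{port}/", allow_none=True)
    try:
        ida.not_registered(1)
        return False
    except Fault:
        return True


if __name__ == "__main__":
    srv, p = start_server()
    try:
        print(gdb_side(p), COMMENTS, unregistered_call_is_rejected(p))
    finally:
        stop_server(srv)
```

Run it directly to see the symbol list, the recorded comment and the rejection of the unregistered call; `start_server("0.0.0.0")` would be the equivalent of pointing `HOST` at a routable address, which is only appropriate on a network you trust.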
Integration with gdb:
- Use the symbols named in IDA Pro.
- View the pseudo code decompiled by IDA Pro.
- Set the breakpoints marked in IDA Pro.
- Execute idapython scripts remotely.
CGC support:
- Revise syscall
  - Correct the syscall comments in IDA Pro, because CGC uses different syscall numbers.
- Automatic function naming
  - All CGC binaries are statically linked, stripped, and never use glibc. A function is renamed when a known pattern is identified.
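The two CGC features above come down to one observation: a CGC binary makes `int 80h` calls with numbers that mean something else than on Linux i386, so a generic annotation names the wrong syscall, and a stripped wrapper around a single syscall can be named after it. The following is an added example of both steps, not iddaa's `CGCHelper`: the listing is constructed, and the returned dict stands in for the comments the plugin would write with `idc.MakeComm`.

```python
"""Revise 'int 80h' syscall comments for CGC (DECREE) binaries and suggest a
name for a wrapper function. Added example, not iddaa's CGCHelper: the
listing is constructed and the result dict stands in for idc.MakeComm."""
import re

# Linux i386 numbers that a generic annotation of int 80h would assume.
LINUX_I386 = {1: "exit", 2: "fork", 3: "read", 4: "write",
              5: "open", 6: "close", 7: "waitpid"}
# CGC/DECREE reuses the same small numbers with different meanings.
CGC = {1: "terminate", 2: "transmit", 3: "receive", 4: "fdwait",
       5: "allocate", 6: "deallocate", 7: "random"}

MOV_EAX = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+mov\s+eax,\s*(0x[0-9a-fA-F]+|\d+)\s*$")
INT80 = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+int\s+80h\s*$")

# Constructed listing in IDA's style: transmit, receive, terminate, then an
# int 80h whose number was not loaded with a plain immediate.
LISTING = """\
0x08048100 mov eax, 2
0x08048105 mov ebx, 1
0x0804810a int 80h
0x0804810c mov eax, 3
0x08048111 int 80h
0x08048113 mov eax, 1
0x08048118 int 80h
0x0804811a int 80h
"""


def syscall_comments(listing, table):
    """Map each int 80h address to 'syscall N: name' using the last immediate
    moved into eax. eax is treated as unknown after every int 80h, since the
    kernel overwrites it with the return value."""
    comments = {}
    eax = None
    for line in listing.splitlines():
        m = MOV_EAX.match(line)
        if m:
            eax = int(m.group(2), 0)
            continue
        m = INT80.match(line)
        if m:
            name = table.get(eax, "unknown")
            comments[int(m.group(1), 16)] = f"syscall {eax}: {name}"
            eax = None
    return comments


def revise_for_cgc(listing):
    """Return (cgc_comments, changed): the CGC annotations and the addresses
    where a Linux-style comment would have named the wrong syscall."""
    linux = syscall_comments(listing, LINUX_I386)
    cgc = syscall_comments(listing, CGC)
    changed = sorted(a for a in cgc if cgc[a] != linux[a])
    return cgc, changed


def suggest_function_name(current_name, cgc_comments):
    """For an auto-named function (sub_XXXX) whose body wraps exactly one known
    syscall, propose cgc_<name>; otherwise keep the current name."""
    names = {c.split(": ", 1)[1] for c in cgc_comments.values()}
    if current_name.startswith("sub_") and len(names) == 1 and "unknown" not in names:
        return "cgc_" + names.pop()
    return current_name


if __name__ == "__main__":
    cgc, changed = revise_for_cgc(LISTING)
    for addr in sorted(cgc):
        flag = "(revised)" if addr in changed else ""
        print(f"{addr:#010x}  {cgc[addr]}  {flag}")
```

The `unknown` case matters in practice: when eax is computed rather than loaded with an immediate, the comment should say so instead of guessing, and `suggest_function_name` refuses to rename a function that contains such a call.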
Known issues:
There is an obvious delay when using xmlrpc to execute idapython.
Some functions, such as idaapi.decompile, will make IDA Pro get stuck for no apparent reason.
If you know the solution, please tell me. Orz
You can use these commands in gdb:
- get_ida_symbols
  Get all symbols named in IDA Pro.
- get_pseudo_code [function]
  Get the pseudo code of the specified function.
- get_local_type
  Get all local types defined in IDA Pro.
- get_breakpoints
  Get the breakpoints marked in IDA Pro and set them automatically.
- idapython <files>
  Execute the file in IDA Pro and get the result.
- idc|idaapi|idautils <code>
  The RPC wrapper of idapython. Show the cheatsheet with `idapython cheatsheet`.
- idapython cheatsheet
  Show some commonly used functions in idapython:
```text
idc MakeComm(addr, comment)
----------------------------------------
Add comment at specified address.
Ex: idc MakeComm(0x804ddaa, 'Soy Sauce')
idc SetColor(addr, what, color)
----------------------------------------
Set color for specified area
Ex: idc SetColor(0x0804ddaa, 1, 0xaabbcc) // address only
    idc SetColor(0x0804ddaa, 2, 0xaabbcc) // entire function
    idc SetColor(0x0804ddaa, 3, 0xaabbcc) // entire segment
```
CGC helper (deprecated; IDACGC is better):
- Revise syscall
  - Press `Shift + R` to revise the syscall comments.
  - Execute `CGCHelper.revise_syscall(True)` in the console if you also want to change the function names.
- Press