📚
OpenRCE
is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
sp
's Blog
Created: Friday, July 21 2006 07:35.06 CDT
Modified: Friday, July 21 2006 07:35.06 CDT
This is an imported entry.
View original
.
Printer Friendly ...
A higher level API for IdaRub
Author:
sp
# Views:
1545
Im still dreaming of IdaHaskell for the sheer expressiveness that language provides. Alas, I fear IdaHaskell will remain a dream for years to come. Using IdaRub it is fortunately possible to make a big step towards the expressiveness of Haskell. I have started to develop a higher level API for IdaRub that allows you to do things in fewer lines of code.
Here are a few examples.
Heres how you get a list of all instructions used in a file:
p file.map{|f| f.map{|i| i.instruction}}.flatten.uniq.sort
Want to find all functions that start with a jmp instruction? Here you go:
p file.map{|f| [f.name, f[0].instruction]}.select{|x| x[1] == jmp}
Or what about listing all functions ordered by the number of functions that call them?
p file.map{|f| [f.name, f[0].crefs_to.length]}.sort{|x,y| y[1] <=> x[1]}
If you want to have a sorted list of all bytes used in the first function youd do this:
p (file[0].start .. file[0].end).map{|x| x.byte}.uniq.sort{|x,y| x-y}.map{|x| "%02X" % x}
If you want a list of all unicode string references in the file containing an asterisk the following one-liner would do the job:
p file.string_list.select{|x| x.type == 3 && x.offset.unicode =~ /*/}.map{|x| [x.offset.offset, x.offset.unicode]}
I could go on and on and on. The number of one-liners to do neat stuff is nearly endless. Its not quite Haskell yet but Im reasonably happy.
Theres also a
new instruction counter script
that makes use of the high level API. The new script is noticibly smaller and prettier to look at. Furthermore you will notice that all output is directed through the new idap function. This function prints to stdout if the script is started from the console (remote mode) or to the output window inside IDA if the script is started from within IDA (local mode).
Right now the high-level API is merely a quick one-day hack. Nevertheless you can already do pretty cool stuff with it. You might want to
check it out
.
If you wish to comment on this blog entry, please do so on the
original site
it was imported from.
There are
31,328
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit
Printer Friendly ...
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}