OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Friday, September 1 2006 12:46.15 CDT Modified: Friday, September 1 2006 14:06.39 CDT

Printer Friendly ...

IDAPython 0.8.0 patch

Author: PSUJobu

# Views: 1654

Pedram asked for an article, but since I don't feel this is article-worthy... ;-)

I started a topic on the IDA Pro bulletin board about an IDAPython loader module. Though I have not had the time to finish that little experiment, I tried out the few unknowns (I have written loader modules before, and know what I need to do).

Question #1: Can you call mem2base() from outside of a loader? Answer: IDAPython does not wrap mem2base()

Building IDAPython

So, I figured out how to build IDAPython and how Gergo wanted the directory structure set up:



<some_dir>/

    idapython

    idasdk-versions/

        4.9/

    swigsdk-versions/

        4.9/

I added cygwin/bin to my PATH, opened an NT command prompt, and ran vcvars32.bat from my Visual C++ install.  Then you do 'make dist IDAVERSION=4.9' and voila - I had a plugin.  Well, not quite.  I had to edit the makefile to force the SYSTEM to be WindowsNT, since Cygwin 'uname' reports 'CygwinNT', and I had to tweak the paths and add a new environment variable FIND to provide the complete path.  Gergo obviously has some "environmental" differences.  C'est la vie.

Modifying IDAPython

Actually, I really only had to modify the IDA SDK - the version beneath swigsdk-versions/4.9.  In loader.hpp, I moved #ifdef's around to export mem2base() to Python via SWIG.  Rebuild, and "Bam!" - IDAPython kicked up a notch...

...until you try to call idaapi.mem2base() with the logical arguments - a Python string and three integers.  You get a TypeError exception because of the first argument.  Apparently Python strings do not match 'void', which is how SWIG translates the "const void *" argument.

In the end, I changed "const void *" to "const char *" and everyone was happy.

Question #1 (again): Can you call mem2base() from outside of a loader?  Answer: Yes!

Other Possibilities

Why not expose file2base()?  I didn't look into it, but it should be possible.  I only cared about Python strings, since I want to decompress firmware from a source file and disassemble that rather than the compressed stuff.  Python with its "batteries included" mentality already supports a bunch of compression routines, so it is a ready-made solution to my problem.

The same "const void *" to "const char *" change would probably allow patch_many_bytes() to be exposed, too.

Disclaimer

I did not complete the experiment, so I didn't even bother checking segment creation from IDAPython (not that I doubt that those APIs are exposed).  I created a segment by hand in an existing IDB and used Alt+8 to write the two lines of Python required to generate some bogus data and write it into the new segment.

YMMV!

Files

I put the patch to IDAPython's 4.9.patch in my repository.  You need to apply the patch to 0.8.0 and rebuild.  I do not want to supply the binary for several reasons:

1. That's Gergely's "job" - I have no desire to take over IDAPython.  :)

2. Datarescue frowns upon distribution of plugin binaries for anything but the latest IDA Pro revision. Perhaps the SDK freeze makes this a non-issue (for 4.9+), but I would prefer not to help any illicit users of IDA Pro.  It is an excellent tool and well worth the money, IMHO.

3. See #1 - I had enough trouble creating a patch for a patch (timestamp differences cause bogus differences)

Of course, you could just wait for Gergely to release the update.  I only provided the info to demonstrate the ease of enhancing IDAPython.  Despite the lengthy posting, the bulk of the time to make this change was spent figuring out the build environment.  The real work (after this was): edit the SWIG version of the IDA SDK, rebuild, and test.  Were it not for my inexperience with SWIG, it would have taken about 2 minutes...

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit