The following conventions are used in the function descriptions:
‘ea’ is a linear address
‘success’ is 0 if a function fails, 1 otherwise
‘void’ means the function returns no meaningful value (always 0)
‘anyvalue’ means the function may return a value of any type
```python
idc.here()                        # address under the cursor
idc.get_screen_ea()               # same as here()
ida_ida.inf_get_max_ea()          # highest address in the database
ida_ida.inf_get_min_ea()          # lowest address in the database
idc.get_inf_attr(INF_MAX_EA)      # older way to read the same values
idc.get_inf_attr(INF_MIN_EA)
idc.next_head(ea)                 # start of the next defined item after ea
idc.prev_head(ea)                 # start of the previous defined item before ea
idc.read_selection_start()        # current selection range in the view
idc.read_selection_end()
idaapi.get_imagebase()            # image base of the loaded module
idaapi.BADADDR == myea            # test for an invalid / "not found" address
```
Data-related operations mainly use ida_bytes:
```python
ida_bytes.get_bytes(ea, size)         # read size bytes at ea
ida_bytes.get_byte(ea)
ida_bytes.get_word(ea)
ida_bytes.get_dword(ea)
ida_bytes.get_qword(ea)
ida_bytes.patch_byte(ea, value)       # patch_* writes to the database (undoable)
ida_bytes.patch_word(ea, value)
ida_bytes.patch_dword(ea, value)      # function names are lowercase in the API
ida_bytes.patch_qword(ea, value)
```
Disassembly
```python
idc.GetDisasm(ea)                     # full disassembly line at ea
idc.generate_disasm_line(ea, flag)    # same, with generation flags
idc.print_insn_mnem(ea)               # mnemonic only, e.g. "mov"
idc.print_operand(ea, index)          # text of operand number index
idc.get_operand_type(ea, index)       # operand type (o_reg, o_mem, o_imm, ...)
idc.get_operand_value(ea, index)      # operand value (register number, address, immediate)
```
```python
idc.get_segm_name(ea)                 # name of the segment containing ea
idc.get_segm_start(ea)
idc.get_segm_end(ea)
idc.get_first_seg()
idc.get_next_seg(ea)
idautils.Segments()                   # iterator over segment start addresses

print(' '.join(idc.get_segm_name(seg) for seg in idautils.Segments()))
```
```python
idc.get_func_name(ea)                 # name of the function containing ea
idc.get_prev_func(ea)
idc.get_next_func(ea)
idc.get_func_off_str(ea)              # "func+offset" string for ea
idautils.Functions()                  # iterator over function start addresses

print(' '.join(idc.get_func_name(func) for func in idautils.Functions()))

func = idaapi.get_func(ea)            # func_t object for the function containing ea
print(func.start_ea, func.end_ea)
```
```python
idc.find_binary(ea, flag, searchstr)  # search for a byte pattern such as "74 0A 75 08"
idc.find_data(ea, flag)
idc.find_code(ea, flag)
```
The commonly used flags are explained here:

| flag | value | function |
|------|-------|----------|
| SEARCH_UP | 0 | search upward |
| SEARCH_DOWN | 1 | search downward |
| SEARCH_NEXT | 2 | only applies to find_binary(); starts searching from the address after ea |
| SEARCH_CASE | 4 | case-sensitive |

A small trick: several flags can be combined with |.
Commonly used scripts
Source
```python
import idautils
import idc

# Collect every function's start address and name, then print them as
# two comma-separated lists (easy to paste into another script).
func_addr = []
func_name = []
for i in idautils.Functions():
    func_addr.append(i)
    func_name.append(idc.get_func_name(i))

for i in func_addr:
    print(f"{hex(i)}, ", end='')
print('')
for i in func_name:
    print(f"\"{i}\", ", end='')
```
```python
import idc
import ida_bytes


def my_nop(addr, endaddr):
    # Overwrite [addr, endaddr) with 0x90 (NOP)
    while addr < endaddr:
        ida_bytes.patch_byte(addr, 0x90)
        addr += 1


# Byte patterns to NOP out, and the address range to scan
pattern = ["74 15 75 13 8D 44 24 FC 83 F0 22 3B 04 24 74 0A E8 1F 00 00 00 74 04",
           "74 0A 75 08 E8 10 00 00 00 EB 04 E8",
           "48 81 EC 08 03 00 00"]
for i in range(len(pattern)):
    cur_addr = 0x406300
    end_addr = 0x406E2C
    while cur_addr < end_addr:
        cur_addr = idc.find_binary(cur_addr, idc.SEARCH_DOWN, pattern[i])
        if cur_addr == idc.BADADDR:       # no further match: stop before printing BADADDR
            break
        print("patch address: " + hex(cur_addr))
        # pattern length in bytes = number of space-separated hex tokens
        my_nop(cur_addr, cur_addr + len(pattern[i].split(' ')))
        cur_addr = idc.next_head(cur_addr)
```
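The flag table and the NOP-patching script above are reproduced here as an added example (not the original post's code) in pure Python over a constructed byte buffer, so the search/patch logic can be run and checked outside IDA: `find_pattern` stands in for `idc.find_binary` (including `?` wildcard bytes and the SEARCH_* flag values from the table), `nop_range` for `my_nop()`, and `SAMPLE`/`BASE` are constructed test data. Inside IDA the real API calls replace these stand-ins.

```python
import re

BADADDR = 0xFFFFFFFFFFFFFFFF                   # idaapi.BADADDR on 64-bit IDA
SEARCH_UP, SEARCH_DOWN, SEARCH_NEXT = 0, 1, 2  # values from the flag table above
NOP = 0x90

def parse_pattern(pattern):
    """'74 ?? 75' -> [0x74, None, 0x75]; '?' tokens are wildcard bytes."""
    toks = pattern.split()
    if not all(set(t) <= {"?"} or re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in toks):
        raise ValueError(f"bad pattern: {pattern!r}")
    return [None if "?" in t else int(t, 16) for t in toks]

def find_pattern(buf, base, ea, pattern, flags=SEARCH_DOWN):
    """Stand-in for idc.find_binary: first match from ea in the flagged direction, else BADADDR."""
    pat = parse_pattern(pattern)
    last = len(buf) - len(pat)                 # last offset where a full match still fits
    off = ea - base
    if flags & SEARCH_NEXT:                    # skip a match sitting at ea itself
        off += 1 if flags & SEARCH_DOWN else -1
    rng = range(max(off, 0), last + 1) if flags & SEARCH_DOWN else range(min(off, last), -1, -1)
    for o in rng:
        if all(p is None or buf[o + i] == p for i, p in enumerate(pat)):
            return base + o
    return BADADDR

def nop_range(buf, base, start_ea, end_ea):
    """Stand-in for my_nop(): overwrite [start_ea, end_ea) with NOPs; returns bytes patched."""
    for ea in range(start_ea, end_ea):
        buf[ea - base] = NOP
    return end_ea - start_ea

def patch_all(buf, base, start_ea, end_ea, patterns):
    """The script's loop: search each pattern downward from start_ea and NOP
    every hit inside [start_ea, end_ea). Returns the patched addresses."""
    patched = []
    for pattern in patterns:
        size = len(parse_pattern(pattern))
        cur = start_ea
        while cur < end_ea:
            cur = find_pattern(buf, base, cur, pattern)
            if cur == BADADDR or cur >= end_ea:
                break
            nop_range(buf, base, cur, cur + size)
            patched.append(cur)
            cur += size                        # idc.next_head(cur) inside IDA
    return patched

# Constructed sample bytes: push ebp; mov ebp,esp; <12-byte pattern from the script>; nop; ret
BASE = 0x406300
SAMPLE = bytearray(b"\x55\x8b\xec" + bytes.fromhex("740a7508e810000000eb04e8") + b"\x90\xc3")
```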