我们从Python开源项目中,提取了以下10个代码示例,用于说明如何使用idc.GetOperandValue()。
def create_call_map(self, ftype): assert_ida_available() import idc import idautils seg_mapping = {idc.SegName(x): (idc.SegStart(x), idc.SegEnd(x)) for x in idautils.Segments()} imports = seg_mapping[".idata"] if ftype == PE else seg_mapping['.plt'] start, stop = seg_mapping[".text"] current = start while current <= stop: inst = current if idc.GetMnem(inst) in ["call", "jmp"]: value = idc.GetOperandValue(inst, 0) name = idc.GetOpnd(inst, 0) if imports[0] <= value <= imports[1]: entry = self.config.call_map.add() entry.address = inst entry.name = name current = idc.NextHead(current, stop)
def detect_start_and_stop(self): # FIXME:Duplicate code with core (or something similar) start, stop = 0, 0 if self.core.ftype == "PE": start, stop = self.core.fun_mapping["start"] else: if "main" in self.core.fun_mapping: start, stop = self.core.fun_mapping["main"] elif "start" in self.core.fun_mapping: if "__libc_start_main" in self.core.fun_mapping: instrs = list(idautils.FuncItems(self.core.fun_mapping["start"][0])) instrs.reverse() for inst in instrs: arg1 = idc.GetOperandValue(inst, 0) if idc.GetMnem(inst) == "push": start, stop = arg1, self.core.fun_mapping["start"][1] break else: start, stop = self.core.fun_mapping["start"] else: start, stop = idc.BeginEA(), 0 self.start, self.stop = start, stop
def get_cursor_func_ref(): current_tform = idaapi.get_current_tform() tform_type = idaapi.get_tform_type(current_tform) # get the hexrays vdui (if available) vu = idaapi.get_tform_vdui(current_tform) if vu: cursor_addr = vu.item.get_ea() elif tform_type == idaapi.BWN_DISASM: cursor_addr = idaapi.get_screen_ea() op_addr = idc.GetOperandValue(cursor_addr, idaapi.get_opnum()) op_func = idaapi.get_func(op_addr) if op_func and op_func.startEA == op_addr: return op_addr else: return idaapi.BADADDR cursor_func = idaapi.get_func(cursor_addr) if cursor_func and cursor_func.startEA == cursor_addr: return cursor_addr return idaapi.BADADDR
def getMinorDispatchTableAddress(ea): """find address of last lea in function""" start = idc.GetFunctionAttr(ea, idc.FUNCATTR_START) end = idc.PrevHead( idc.GetFunctionAttr(ea, idc.FUNCATTR_END), start) res = prevMnemonic(end, 'lea', start) assert res != idc.BADADDR return idc.GetOperandValue(res, 1)
def getMajorDispatchTableAddress(): """find quicktime major dispatch table""" res = idc.LocByName('theQuickTimeDispatcher') res = nextMnemonic(res, 'lea', idc.GetFunctionAttr(res, idc.FUNCATTR_END)) assert res != idc.BADADDR return idc.GetOperandValue(res, 1)
def getDispatchCode(ea): # get dispatch code out of an instruction first, second = (idc.GetOpnd(ea, 0), idc.GetOperandValue(ea, 1)) if first == 'eax': return second raise ValueError("Search resulted in address %08x, but instruction '%s' does fulfill requested constraints"% (ea, idc.GetMnem(ea)))
def set_start_stop(self, ftype): assert_ida_available() import idc import idaapi import idautils fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1) for x in idautils.Functions()} start = idc.BeginEA() stop = 0 if ftype == PE: start, stop = fun_mapping["start"] else: if not idc.isCode(idc.GetFlags(start)): if idc.MakeCode(start) == 0: print "Fail to decode instr !" idaapi.autoWait() if idc.GetFunctionName(start) == "": if idc.MakeFunction(start) == 0: print "Fail to create function !" idaapi.autoWait() fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1) for x in idautils.Functions()} if "main" in fun_mapping: start, stop = fun_mapping["main"] elif "start" in fun_mapping: if "__libc_start_main" in fun_mapping: instrs = list(idautils.FuncItems(fun_mapping["start"][0])) instrs.reverse() for inst in instrs: arg1 = idc.GetOperandValue(inst, 0) if idc.GetMnem(inst) == "push": start, stop = arg1, fun_mapping["start"][1] break else: start, stop = fun_mapping["start"] self.config.start, self.config.stop = start, stop
def get_operand_value(addr): """Returns the value of the second operand to the instruction at `addr` masked to be a 32 bit value""" return idc.GetOperandValue(addr, 1) & 0xffffffff
def get_args(addr): """ Retreives the passed arguments to the decryption function. We are only interested in the key and offset to the encrypted string. addr: (int) Address at which the decryption function was called. Returns: key: (int) The key used to decrypt the string. enc_str: (list) Byte array of encrypted string. ins_addr: (int) Address at which the encrypted byte array is referenced. """ found = False foundstr = False foundkey = False while not found: addr = idc.PrevHead(addr) if idc.GetMnem(addr) == "mov" and "r8d" in idc.GetOpnd(addr,0): #print "[+] Found key: 0x%08x at 0x%016x" % (idc.GetOperandValue(addr,1)& 0xffffffff, addr) key = idc.GetOperandValue(addr,1) & 0xffffffff foundkey = True if idc.GetMnem(addr) == "lea" and "rdx" in idc.GetOpnd(addr,0): #print "[+] Found str: 0x%016x at 0x%016x" % (idc.GetOperandValue(addr,1), addr) enc_str_addr = idc.GetOperandValue(addr,1) enc_str = get_encoded_string(enc_str_addr) ins_addr = addr foundstr = True if foundkey and foundstr: found = True return key, enc_str, ins_addr
