我们从Python开源项目中,提取了以下9个代码示例,用于说明如何使用idc.GetManyBytes()。
def add_initial_state_action(self): from_addr = self.initial_state_from_field.text() to_addr = self.initial_state_to_field.text() if from_addr == "" or to_addr == "": print "One of the two fields from/to is empty" return try: from_addr = int(from_addr, 16) to_addr = int(to_addr, 16) if to_addr <= from_addr: print "'To' address must be strictly superior than 'from'" else: raw = base64.b64encode(idc.GetManyBytes(from_addr, to_addr-from_addr+1)) self.initial_state_list.addItem("%x -> %x: %s" % (from_addr, to_addr, raw)) except ValueError: print "From or To cannot be converted to address"
def chunk_from_path(path): assert_ida_available() import idc chunk = chunk_t() for i in xrange(len(path)): body = chunk.body.add() body.typeid = body.INSTRUCTION inst = body.instruction inst.thread_id = 0 addr = path[i] inst.address = addr inst.opcode = idc.GetManyBytes(addr, idc.NextHead(addr)-addr) try: next_a = path[i+1] inf1 = inst.concrete_infos.add() inf1.next_address = next_a inf1.typeid = inf1.NEXT_ADDRESS except IndexError: pass inf2 = inst.concrete_infos.add() inf2.typeid = inf2.NOT_RETRIEVED return chunk
def get_data(start, size): ''' read the given amount of data from the given start address. better than `idc.GetManyBytes` as it fills in missing bytes with NULLs. Args: start (int): start address. size (int): number of bytes to read. Returns: bytes: `size` bytes, filled with NULL when byte not available from database. ''' # best case, works pretty often. buf = idc.GetManyBytes(start, size) if buf: return buf # but may fail, when there's no byte defined. buf = [] for ea in range(start, start+size): b = idc.GetManyBytes(ea, 1) if b: buf.append(b) else: buf.append(b'\x00') return b''.join(buf)
def _get_blocks_codes_per_func_iter(): """ Iterative function to generate all blocks and opcodes :return: N/A """ all_blocks = {} all_codes = {} all_opcodes = [] for func in idautils.Functions(): # blocks_in_func contains # <idaapi.BasicBlock object at 0x0545F3F0>, ... blocks_in_func = idaapi.FlowChart(idaapi.get_func(func)) blocks = [] for block in blocks_in_func: # IDA BUG! block.startEA == block.endEA?? # Should be in the range "block.startEA <= block < block.endEA" if block.startEA != block.endEA: blocks.append((block.startEA, block.endEA)) for head in idautils.Heads(block.startEA, block.endEA): ibytes = idc.GetManyBytes(head, idc.ItemEnd(head) - head) spd = idc.GetSpd(head) all_codes[head] = insn.Instruction(head, ibytes, spd) # IDA BUG! all_codes[head].bytes == 0?? # The size of the code should be positive if all_codes[head].bytes != 0: all_opcodes.append((all_codes[head].addr, all_codes[head].addr + len(all_codes[head].bytes))) all_blocks[func] = blocks yield (all_blocks, all_opcodes)
def bytes_at(ea, num): """Returns num of bytes at the given address.""" return idc.GetManyBytes(ea, num)
def get_segment_buffer(segstart): ''' fetch the bytes of the section that starts at the given address. if the entire section cannot be accessed, try smaller regions until it works. ''' segend = idaapi.getseg(segstart).endEA buf = None segsize = segend - segstart while buf is None: buf = idc.GetManyBytes(segstart, segsize) if buf is None: segsize -= 0x1000 return buf
def decode_here_clicked(self): inst = idc.here() if not idc.isCode(idc.GetFlags(inst)): print "Not code instruction" else: raw = idc.GetManyBytes(inst, idc.NextHead(inst)-inst) s = to_hex(raw) self.decode_ir(s)
def _getOriginData(self, address, size): res = [] for offset in xrange(0, size, 64): tmp = GetManyBytes(address + offset, 64) if tmp == None: res.extend([pack("<Q", Qword(address + offset + i)) for i in range(0, 64, 8)]) else: res.append(tmp) res = "".join(res) return res[:size]
def get_code_and_blocks(ea): """Extracts the control flow graph for the function at the given address. Returns a dictionary with the instructions (ea->insn.Instruction) and a list of the basic blocs (bbl.BasicBlock).""" code = {} blocks = {} ida_blocks = set(idaapi.FlowChart(idaapi.get_func(ea))) for bb in ida_blocks: # XXX: it seems that it's not a bug but inter-function jumps! if bb.startEA == bb.endEA: # skip that .. it's IDA's bug #print "skipping block %x : %x in func %x"%(bb.startEA, bb.endEA, ea) continue blocks[bb.startEA] = bbl.BasicBlock(bb.startEA, bb.endEA, {}) for head in idautils.Heads(bb.startEA, bb.endEA): ibytes = idc.GetManyBytes(head, idc.ItemEnd(head) - head) spd = idc.GetSpd(head) code[head] = insn.Instruction(head, ibytes, spd) blocks[bb.startEA].instrs.append(code[head]) next_head = idc.NextHead(head, bb.endEA) if idaapi.isFlow(idc.GetFlags(next_head)): code[head].succ.add(next_head) for suc_bb in (s for s in bb.succs() if s.startEA != s.endEA): #assume head is the last instruction of the block code[head].succ.add(suc_bb.startEA) for bb in (b for b in ida_blocks if b.startEA != b.endEA): for suc_bb in (s for s in bb.succs() if s.startEA != s.endEA): # a jump with zero offset (like, jz 0) gives two succs to the same bb if blocks[suc_bb.startEA] not in blocks[bb.startEA].successors: blocks[bb.startEA].successors.append(blocks[suc_bb.startEA]) blocks[bb.startEA].successors.sort(key=lambda x: x.begin, reverse=True) #FIXME: find a better way .. for block in blocks.itervalues(): if block.instrs[0].addr == ea: #print "found the entry!:", block.instrs block.instrs[0].f_entry = True block.type |= bbl.BasicBlock.ENTRY break else: print "BUG: could not find function entry in instrs!!" #print "blocks:", blocks return code, blocks.values() #XXX: good test function in 0x070016E7 (BIB.dll)
