Python idc.Dword() Examples

The following are 8 code examples of idc.Dword(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module idc , or try the search function

Example #1

Source File: ida_utilities.py From ida_kernelcache with MIT License

6 votes

def read_word(ea, wordsize=WORD_SIZE):
    """Get the word at the given address.

    Words are read using Byte(), Word(), Dword(), or Qword(), as appropriate. Addresses are checked
    using is_mapped(). If the address isn't mapped, then None is returned.
    """
    if not is_mapped(ea, wordsize):
        return None
    if wordsize == 1:
        return idc.Byte(ea)
    if wordsize == 2:
        return idc.Word(ea)
    if wordsize == 4:
        return idc.Dword(ea)
    if wordsize == 8:
        return idc.Qword(ea)
    raise ValueError('Invalid argument: wordsize={}'.format(wordsize))

Example #2

Source File: OL_OSX_decryptor.py From malware-research with BSD 2-Clause "Simplified" License

6 votes

def decrypt_data(xref, cfunc, xref_args):
    print("%s: " % hex(int(xref)), end='')
    args = convert_args_to_long(xref_args)
    if args:
        try:
            key = idaapi.get_many_bytes(args[2], args[3] if idc.Dword(args[3]) == 0xffffffff else idc.Dword(args[3]))
            data = idaapi.get_many_bytes(args[0], args[1] if idc.Dword(args[1]) == 0xffffffff else idc.Dword(args[1]))
        except TypeError:
            print("Couldn't retrieve the cipher or the key.")
            print(xref_args)
        else:
            key = null_pad(key, 0x20)
            if args[4] == 1:
                data = custom_b64decode(data)
            plain = PKCS7_unpad(AES.new(key, AES.MODE_CBC, "\x00"*16).decrypt(data))
            #add_comment(cfunc, plain, xref)
            print(plain)
    else:
        print("Not all args are numbers")
        print(xref_args)

Example #3

Source File: vxhunter_ida.py From vxhunter with BSD 2-Clause "Simplified" License

6 votes

def get_prev_ascii_string_address(address):
        """

        :param address: must be current ascii string start address.
        :return:
        """
        prev_string_start_address = address
        # string table interval should less than 5 bytes.
        if idc.Dword(address - 5) == 0:
            return None
        else:
            prev_string_start_address -= 5
            # TODO: Need handle short string.
            while idaapi.get_byte(prev_string_start_address) != 0:
                prev_string_start_address -= 1
            return prev_string_start_address + 1

Example #4

Source File: vxhunter_ida.py From vxhunter with BSD 2-Clause "Simplified" License

6 votes

def get_next_ascii_string_address(address):
        """

        :param address: must be current ascii string start address.
        :return:
        """
        next_string_start_address = address
        # find current string end address
        while idaapi.get_byte(next_string_start_address) != 0:
            next_string_start_address += 1

        # string table interval should less than 5 bytes.
        # TODO: need handle short string.
        if idc.Dword(next_string_start_address + 1) == 0:
            return None

        while idaapi.get_byte(next_string_start_address) == 0:
            next_string_start_address += 1

        return next_string_start_address

Example #5

Source File: objc2_xrefs_helper.py From flare-ida with Apache License 2.0

6 votes

def walk_methods(self,objc_selrefs,objc_msgrefs,objc_const):
        Message("Walking methods starting at virtual address: 0x%x\n" % self.method_list_va)
        class_methods_va=self.method_list_va
        #deref the method list struct to get method count:
        count=Dword(class_methods_va+DWORD_SIZE)

        method_size=self.ObjCMethod.OBJC_METHOD_SIZE #sizeof(struct _objc_method)

        #skip first two dwords in the method_list struct
        class_methods_start=class_methods_va+self.METHOD_LIST_OFFSET
        
        class_methods_end=class_methods_start+(method_size*count)

        for va in range(class_methods_start,class_methods_end,method_size):
            #Parse this method struct and create a method object
            #If possible, the method will patch the IDB to replace references to its selector
            #with a reference to its implementation
            objc_method=self.ObjCMethod(va,self.segment_map)

            self.append(objc_method)

Example #6

Source File: shellcode_hash_search.py From flare-ida with Apache License 2.0

6 votes

def lookForDwordArray(self, start, end):
        logger.debug("Starting to look between: %08x:%08x", start, end)
        for i in range(end-start):
            loc = start + i
            if using_ida7api:
                val = idaapi.get_dword(loc)
            else:
                val = idc.Dword(loc)

            for h in self.params.hashTypes:
                hits = self.dbstore.getSymbolByTypeHash(h.hashType, val)
                for sym in hits:
                    logger.info("0x%08x: %s", loc, str(sym))
                    self.addHit(loc, sym)
                    self.markupLine(loc, sym)

###################################################################
#
###################################################################

Example #7

Source File: switch_jumps.py From idataco with GNU General Public License v3.0

5 votes

def get_jlocs(self, sw):
        jlocs = []
        ncases = sw.ncases if sw.jcases == 0 else sw.jcases
        for i in range(ncases):
            addr = idc.Dword(sw.jumps+i*4)
            name = idaapi.get_name(idc.BADADDR, addr)
            comm = idc.GetCommentEx(idc.LocByName(name), 1)
            comm = comm[comm.find('case'):] if comm is not None and comm.startswith('jumptable') else comm
            jlocs.append((name, idc.LocByName(name), comm))
        return jlocs

Example #8

Source File: vxhunter_ida.py From vxhunter with BSD 2-Clause "Simplified" License

4 votes

def fix_vxworks_idb(load_address, vx_version, symbol_table_start, symbol_table_end):
        current_image_base = idaapi.get_imagebase()
        symbol_interval = 16
        if vx_version == 6:
            symbol_interval = 20
        symbol_table_start += load_address
        symbol_table_end += load_address
        ea = symbol_table_start
        shift_address = load_address - current_image_base
        while shift_address >= 0x70000000:
            idaapi.rebase_program(0x70000000, 0x0008)
            shift_address -= 0x70000000
        idaapi.rebase_program(shift_address, 0x0008)
        while ea < symbol_table_end:
            # for VxWorks 6 unknown symbol format
            if idc.Byte(ea + symbol_table_end - 2) == 3:
                ea += symbol_interval
                continue
            offset = 4
            if idaapi.IDA_SDK_VERSION >= 700:
                idc.create_strlit(idc.Dword(ea + offset), idc.BADADDR)
            else:
                idc.MakeStr(idc.Dword(ea + offset), idc.BADADDR)
            sName = idc.GetString(idc.Dword(ea + offset), -1, idc.ASCSTR_C)
            print("Found %s in symbol table" % sName)
            if sName:
                sName_dst = idc.Dword(ea + offset + 4)
                if vx_version == 6:
                    sName_type = idc.Dword(ea + offset + 12)
                else:
                    sName_type = idc.Dword(ea + offset + 8)
                idc.MakeName(sName_dst, sName)
                if sName_type in need_create_function:
                    # flags = idc.GetFlags(ea)
                    print("Start fix Function %s at %s" % (sName, hex(sName_dst)))
                    idc.MakeCode(sName_dst)  # might not need
                    idc.MakeFunction(sName_dst, idc.BADADDR)
            ea += symbol_interval
        print("Fix function by symbol table finish.")
        print("Start IDA auto analysis, depending on the size of the firmware this might take a few minutes.")
        idaapi.autoWait()