
bip's People

Contributors

brunopujos, cbayet, cbayet-synacktiv, khiemdoan, saph-syn, synacktiv-tp


bip's Issues

Error in example `printk_handler`

Hello,

On IDA 7.5 with Python 3, visit_call_printk is failing to set up comments with the error TypeError: in method 'cfuncptr_t_set_user_cmt', argument 3 of type 'char const *'.

This is due to BipData.get_cstring(ea + 2) returning bytes instead of str.
Replacing s = BipData.get_cstring(ea + 2) with s = str(BipData.get_cstring(ea + 2)) fixes this issue.

Thanks for this project that will save me (and surely others) a lot of time. :)
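
The following is an added example (not Bip's printk_handler and not code from the reporter): it shows how the C string Bip hands back for a printk() format can be normalised to str on Python 3 and split into its kernel log level and message. The `ea + 2` in the issue skips the two-byte KERN_SOH ("\x01") plus level-character prefix that Linux puts in front of the format; the helper below takes the whole string and does that split itself. Note that `str(b"foo")` yields the literal `"b'foo'"`, so bytes have to be decoded rather than wrapped in str(). The sample input is constructed.

```python
# Added example, not part of Bip or the issue above.
# Linux prefixes printk formats with KERN_SOH ("\x01") followed by one level
# character: "0".."7" for KERN_EMERG..KERN_DEBUG, or "c" for KERN_CONT.
from typing import Optional, Tuple, Union

KERN_SOH = "\x01"

LEVEL_NAMES = {
    "0": "KERN_EMERG", "1": "KERN_ALERT", "2": "KERN_CRIT", "3": "KERN_ERR",
    "4": "KERN_WARNING", "5": "KERN_NOTICE", "6": "KERN_INFO", "7": "KERN_DEBUG",
    "c": "KERN_CONT",
}


def cstring_to_str(raw: Union[bytes, str, None]) -> Optional[str]:
    """Return a str for whatever a C-string accessor hands back.

    bytes are decoded as UTF-8 with a latin-1 fallback, so a stray high byte
    in a binary's string table never raises in the middle of a visit.
    Wrapping in str() instead would embed the b'...' representation.
    """
    if raw is None:
        return None
    if isinstance(raw, str):
        return raw
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def split_printk_level(fmt: str) -> Tuple[Optional[str], str]:
    """Split a printk format into (level name or None, message body)."""
    if len(fmt) >= 2 and fmt[0] == KERN_SOH and fmt[1] in LEVEL_NAMES:
        return LEVEL_NAMES[fmt[1]], fmt[2:]
    return None, fmt


def printk_comment(raw: Union[bytes, str, None]) -> str:
    """Build the comment text a printk-annotating visitor would attach."""
    fmt = cstring_to_str(raw)
    if fmt is None:
        return "printk(<unreadable format>)"
    level, msg = split_printk_level(fmt)
    msg = msg.rstrip("\n")
    return f"printk({level}, {msg!r})" if level else f"printk({msg!r})"


if __name__ == "__main__":
    # Constructed sample: the bytes a call printk(KERN_ERR "oops %d\n", x) reads.
    print(printk_comment(b"\x013oops %d\n"))
```

The comment string returned here is always a str, so it can be passed to the Hex-Rays comment setter regardless of what type the string accessor returned.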

Retrieving function's return type

Hi,

Is there any way I can get the deduced return type of a decompiled function object (HxCFunc)?
The only solution I came up with so far was stripping the first word from the function's text (i.e. f.cstr.split()[0]), but there's probably a better way to do so.
Did I miss anything?

Thanks in advance 🙏
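
Added example (not Bip's API and not the asker's code): if only the pseudocode text is available, the first line is the prototype, and the `f.cstr.split()[0]` approach in the question breaks on multi-word return types ("unsigned __int64"), pointer returns ("char *__fastcall f(...)") and attributes such as __noreturn. The parser below strips the Hex-Rays calling-convention and attribute keywords (the list is an assumption; extend it as needed) and the function name, and returns what is left. If a typed accessor for the function's prototype is available, prefer it over text parsing; the sample prototypes are constructed.

```python
# Added example, not part of Bip.
import re

# Keywords Hex-Rays may print between the return type and the function name.
# Assumed list: __int8/__int16/__int32/__int64 also start with "__" but are
# types, so conventions are matched explicitly rather than by prefix.
_CONV_TOKENS = {
    "__cdecl", "__stdcall", "__fastcall", "__thiscall", "__usercall",
    "__userpurge", "__noreturn", "__pascal", "__golang",
}


def return_type_from_prototype(cstr: str) -> str:
    """Extract the return type from the prototype line of decompiled text."""
    proto = cstr.splitlines()[0].strip()
    head = proto.split("(", 1)[0]           # everything before the arg list
    tokens = re.sub(r"\*", " * ", head).split()  # make '*' its own token
    tokens = [t for t in tokens if t not in _CONV_TOKENS]
    if len(tokens) < 2:
        raise ValueError(f"not a prototype: {proto!r}")
    tokens.pop()                             # function name, maybe name@<reg>
    rtype = " ".join(tokens)
    rtype = re.sub(r"\s*\*", " *", rtype)    # "char *" spacing
    rtype = re.sub(r"\*\s+\*", "**", rtype)  # "_BYTE **"
    return rtype.strip()


if __name__ == "__main__":
    # Constructed prototypes in the shape Hex-Rays prints them.
    for proto in (
        "__int64 __fastcall sub_1400(__int64 a1, int a2)\n{\n  return a1;\n}",
        "char *__fastcall get_name(int id)",
        "unsigned __int64 __usercall f@<rax>(int a1@<ecx>)",
        "_BYTE **__fastcall g()",
        "void __noreturn die(int code)",
    ):
        print(return_type_from_prototype(proto))
```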

IDA causes an internal error after running an IDAPython script that includes the Bip plugin

IDA continuously causes an internal error after running the following pattern of IDAPython script:

from idautils import *
from idaapi import *
from idc import *
from bip.base import *
from bip.hexrays import *
import os
import re

cnt = 0
for segea in Segments():
    for funcea in Functions(segea, get_segm_end(segea)):
        cnt += 1
        if cnt % 1000 == 0:
            print("[+] search %d functions..." % cnt)

        f = BipFunction(funcea)
        # skip functions Hex-Rays cannot decompile and functions that have callers
        if not f.can_decompile or len(f.callers) != 0:
            continue

        hf = f.hxcfunc    # decompiles the function
        cstr = hf.cstr    # pseudocode text
        args = hf.args    # decompiled arguments
        # ...
        # doing some hack (ex: vuln pattern search using regex...)


I usually deal with BIG binaries containing over 20000 functions (ex: vmware-vmx.exe, win32kbase.sys, hvix64.exe...). I can't find the root cause of this because no error window pops up and there is no message in the Output window except the following:

.....
XXXXXX: restored microcode from idb
XXXXXX: restored pseudocode from idb
.....

IDA version: 7.5.201028 Windows x64 (64-bit address size)
Bip Version: v1.0

More consistent API between objects of different types

Hi,

When dealing with objects of type BipElt or BipFunction, we have the is_user_name property.
However, when working with objects of type HxLvar, the semantically identical property is called has_user_name instead.
In addition, BipElt and BipFunction provide some useful utility methods such as is_ida_name, is_dummy_name, etc. that are not exposed for HxLvar objects.

Is it possible to create a more consistent API between objects of different types?
Thanks!

Add support for get_by_prefix and get_by_regex in BipElt

Hi again,

Is it possible to add the class methods get_by_prefix and get_by_regex to BipElt as well? I have a script in which I rename some global variables according to some naming convention and I want to be able to iterate over them in a concise manner.

If needed, I can open a PR for this myself.

Thanks 🙏

Applying types to functions

Hi,

I'm trying to set the prototype for a function located at 0x31320. I'm using the from_c and set_at methods of BipType, but I'm still unable to set the type successfully. Am I doing something wrong or is it a current limitation of Bip itself?

pv = BipType.from_c("EFI_STATUS (*)(EFI_HANDLE, void *, void *, UINTN *)")

pv.set_at(0x31320)
---------------------------------------------------------------------------
RuntimeError                              Traceback (most recent call last)
<ipython-input-66-cd6f4f1c5d54> in <module>
----> 1 pv.set_at(0x31320)

C:/Users/carlsbad/AppData/Roaming/Hex-Rays/IDA Pro/plugins\bip\base\biptype.py in set_at(self, ea, flags)
    145         """
    146         if not apply_tinfo(ea, self._get_tinfo_copy(), flags):
--> 147             raise RuntimeError("Unable to set type {} at address {}".format(self.str, ea))
    148 
    149     @staticmethod

RuntimeError: Unable to set type EFI_STATUS (__fastcall *)(EFI_HANDLE, void *, void *, UINTN *) at address 201504

Thanks! 🙏

Reload Bip plugin

While trying to develop and test Bip plugins, it seems you must close IDA and start a new instance to have changes to BipPlugin subclasses take effect; this makes development and fixing bugs cumbersome.

Can a function be added to BipPluginManager that will reload a given plugin (or all plugins)?
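
Added example (not Bip's BipPluginManager and not a proposed patch): a minimal manager that reloads a plugin module with importlib.reload() and shows the trap that makes naive reloading unreliable. Reloading re-executes the module so new class objects appear, but any instance created before the reload still points at the old class, so the manager has to drop and re-instantiate its plugins after reloading. The base class, the module names bip_demo_base / bip_demo_plugin and the plugin source are constructed for the demo and written to a temporary directory.

```python
# Added example, not part of Bip.
import importlib
import pathlib
import sys
import tempfile
import types
from typing import Dict, Tuple

# Constructed stand-ins for a plugin base class and a plugin module.
BASE_SRC = '''
class DemoPlugin:
    def greet(self):
        raise NotImplementedError
'''

PLUGIN_SRC = '''
from bip_demo_base import DemoPlugin

class HelloPlugin(DemoPlugin):
    def greet(self):
        return {message!r}
'''


class DemoPluginManager:
    """Tracks loaded plugin modules and one instance per plugin class."""

    def __init__(self, base: type) -> None:
        self.base = base
        self.modules: Dict[str, types.ModuleType] = {}
        self.instances: Dict[str, object] = {}

    def _collect(self, module: types.ModuleType) -> None:
        """Instantiate every subclass of the base defined in `module`."""
        for obj in vars(module).values():
            if (isinstance(obj, type) and issubclass(obj, self.base)
                    and obj is not self.base
                    and obj.__module__ == module.__name__):
                self.instances[obj.__name__] = obj()

    def load(self, modname: str) -> None:
        module = importlib.import_module(modname)
        self.modules[modname] = module
        self._collect(module)

    def reload(self, modname: str) -> None:
        importlib.invalidate_caches()
        module = importlib.reload(self.modules[modname])
        self.modules[modname] = module
        # Instances built from the old module keep the old class object;
        # drop them so _collect replaces them with fresh ones.
        self.instances = {n: i for n, i in self.instances.items()
                          if type(i).__module__ != modname}
        self._collect(module)


def demo_reload() -> Tuple[str, str, str]:
    """Load a plugin, edit its source, reload it.

    Returns (greeting before, greeting after, greeting from an instance
    kept across the reload, which still runs the old code).
    """
    sys.dont_write_bytecode = True   # always recompile from source on reload
    tmp = pathlib.Path(tempfile.mkdtemp(prefix="bip_reload_"))
    (tmp / "bip_demo_base.py").write_text(BASE_SRC)
    plugin_file = tmp / "bip_demo_plugin.py"
    plugin_file.write_text(PLUGIN_SRC.format(message="hello v1"))
    sys.path.insert(0, str(tmp))
    try:
        base = importlib.import_module("bip_demo_base").DemoPlugin
        mgr = DemoPluginManager(base)
        mgr.load("bip_demo_plugin")
        stale = mgr.instances["HelloPlugin"]
        before = stale.greet()
        plugin_file.write_text(PLUGIN_SRC.format(message="hello v2, reloaded"))
        mgr.reload("bip_demo_plugin")
        after = mgr.instances["HelloPlugin"].greet()
        return before, after, stale.greet()
    finally:
        sys.path.remove(str(tmp))


if __name__ == "__main__":
    print(demo_reload())
```

The same pattern applies inside IDA: reload the module, then rebuild whatever registry holds the plugin instances, otherwise action handlers already registered keep calling the pre-reload code.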

(Info) Instruction operand types and determining their semantics

Hiya. I'm the developer of the ida-minsc plugin and just heard about your project. I'm glad to see that people are coming to a realization about how much IDAPython sucks. Anyways, just wanted to point out some things about IDA's instruction operands since they appear next in your todo for the operand module, and they're super-undocumented because I believe they're each specific to the processor module that's used for disassembling.

Grabbing the operand semantics is generally pretty straightforward on the RISC architectures as they're in one of the attributes of the op_t. These indexes (such as in op_t.reg) are referencing the list in idaapi.ph_get_regnames(), or whatever wrapper you prefer using. For numerical registers (such as ST(4), etc.), the value in op_t.reg typically represents just the numerical part of the register.

Intel

  • idaapi.o_phrase|idaapi.o_displ: op_t.specflag1 essentially contains an enumeration, and op_t.specflag2 contains masks for your different components. In AT&T syntax, your phrases/displs look like offset(base, index, scale). I have the values for specflag1 listed at https://github.com/arizvisa/ida-minsc/blob/master/base/instruction.py#L1428. But for identifying the different components, specflag2 & 7 will contain the base register, and specflag2 & 0x38 is for the index register. The 2 bits of specflag2 & 0xc0 represent the scale (1, 2, 4, 8). op_t.addr is then simply the offset.

AArch

  • idaapi.o_phrase : Rn is in op_t.reg, op_t.addr contains the offset.
  • idaapi.o_idpspec0 (trap) : op_t.value is simply your index.
  • idaapi.o_idpspec1 (list) : op_t.specval is essentially a bitmask of flags where each index corresponds to whether a register is included in the list or not. Each index of the integer maps to the register names.
  • idaapi.o_idpspec4 (extlist) : op_t.value contains an enumeration that specifies D8, or D8-D9, etc.
  • idaapi.o_idpspec5+1 (condition): It seems that op.value, op.reg, and op.n are relevant, but I haven't fully done this one yet.

If you discover any others, I'd be interested in hearing about them and I'm sure the Sark author will as well.

Searching for elements in the AST

Hi again,

In many cases I want to perform an analysis that searches the AST for nodes that meet certain criteria. To accomplish this, I often use the visit_cnode_filterlist method. However, since visit_cnode_filterlist does not return any value, I find it difficult to determine if the search yielded any results. To sidestep this limitation, I usually use the following two constructs:

  1. Raising an exception to signal the termination of the search:

class StopCNodeVisit(Exception):
    pass

def callback(cnode):
    if ...:  # Some condition involving cnode
        raise StopCNodeVisit()

try:
    hxcfunc.visit_cnode_filterlist(callback, [...])
except StopCNodeVisit:
    print('Element was found')
else:
    print('Element was not found')

  2. Using closures:

def search_ast():
    found = False
    def callback(cnode):
        nonlocal found  # without this the assignment creates a new local and the outer flag never changes
        if ...:  # Some condition involving cnode
            found = True
    hxcfunc.visit_cnode_filterlist(callback, [...])
    if found:
        print('Element was found')
    else:
        print('Element was not found')

Both solutions are pretty ugly and serve as temporary workarounds at best. The documentation for visit_cnode_filterlist states that: "If this callback return False the visit is stopped". Is there any reason visit_cnode_filterlist doesn't propagate this value to the caller?

Thanks in advance 🙏
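
Added example (not Bip's code and not the asker's): wrapping a visitor whose contract is "the callback returns False to stop" so that the caller gets a result back, which is what both workarounds above are trying to achieve. CNode and HxCFunc.visit_cnode_filterlist are replaced by a constructed toy tree and a toy walker with the documented contract (callback only for node types in the filter list, False from the callback stops the visit, nothing returned), so the block runs outside IDA; the node type names are modelled on Hex-Rays ctree names but the tree itself is made up.

```python
# Added example, not part of Bip.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence


@dataclass
class Node:
    """Toy stand-in for a Bip CNode: a type tag, an optional payload, children."""
    kind: str
    value: object = None
    children: List["Node"] = field(default_factory=list)


def visit_filterlist(root: Node, callback: Callable[[Node], object],
                     kinds: Sequence[str]) -> None:
    """Toy stand-in for HxCFunc.visit_cnode_filterlist: pre-order walk,
    callback only for nodes whose kind is in `kinds`, returning False from
    the callback stops the visit, and nothing is returned to the caller."""
    stack = [root]
    while stack:
        node = stack.pop()
        if node.kind in kinds and callback(node) is False:
            return
        stack.extend(reversed(node.children))


def find_first(root: Node, predicate: Callable[[Node], bool],
               kinds: Sequence[str]) -> Optional[Node]:
    """First matching node, stopping the visit at the first hit."""
    hits: List[Node] = []          # mutable container avoids nonlocal

    def cb(node: Node) -> bool:
        if predicate(node):
            hits.append(node)
            return False           # stop the walk
        return True

    visit_filterlist(root, cb, kinds)
    return hits[0] if hits else None


def find_all(root: Node, predicate: Callable[[Node], bool],
             kinds: Sequence[str]) -> List[Node]:
    """Every matching node; the callback never stops the walk."""
    hits: List[Node] = []

    def cb(node: Node) -> bool:
        if predicate(node):
            hits.append(node)
        return True

    visit_filterlist(root, cb, kinds)
    return hits


def sample_body() -> Node:
    """Constructed tree: memcpy(dst, src); if (x) strcpy(a, b); strcpy(c, d);"""
    call = "cot_call"
    return Node("cit_block", children=[
        Node("cit_expr", children=[
            Node(call, "memcpy", [Node("cot_var", "dst"), Node("cot_var", "src")])]),
        Node("cit_if", children=[
            Node("cot_var", "x"),
            Node("cit_block", children=[Node("cit_expr", children=[
                Node(call, "strcpy", [Node("cot_var", "a"), Node("cot_var", "b")])])])]),
        Node("cit_expr", children=[
            Node(call, "strcpy", [Node("cot_var", "c"), Node("cot_var", "d")])]),
    ])


def is_call_to(name: str) -> Callable[[Node], bool]:
    return lambda n: n.value == name


if __name__ == "__main__":
    body = sample_body()
    first = find_first(body, is_call_to("strcpy"), ["cot_call"])
    print(first.children[0].value if first else None)
    print(len(find_all(body, is_call_to("strcpy"), ["cot_call"])))
```

With the real method the only change is replacing visit_filterlist(root, cb, kinds) by hxcfunc.visit_cnode_filterlist(cb, kinds); the wrapper still returns the node or list, which is the value the issue asks visit_cnode_filterlist to propagate.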
