
ida's Introduction

IDA

A place for IDA related stuff.

idapython_tools

My tiny IDAPython tools.

FindCrypt

A Python implementation of FindCrypt plugin.

695 to 7

IDAPython API name converter.

FindGUID

GUID resolver.

Hide Junk Code

An IDAPython script to hide junk code. Run hide_junk_code.py in IDA.

theme

IDA's color theme for IDA 6... Should be updated.

License

Apache License 2.0. See LICENSE.

ida's People

Contributors

13-i, herosi, tarterp, you0708


ida's Issues

Fix for "can't rename byte as 'xxx' because the name is already used in the program."

In IDA labels/names must be unique (unlike Ghidra).
If you try to use the same name again you will get a dialog box and a message like:

can't rename byte as 'CRC32_m_tab_le' because the name is already used in the program.

The easy fix is to change line #39 from "idc.set_name(ea, const["name"])" to "idc.set_name(ea, const["name"], ida_name.SN_FORCE)".
The "SN_FORCE" flag will automatically serialize the name for you. So the naming sequence in this example will be "ms_pst_crc32_table", "ms_pst_crc32_table_1", "ms_pst_crc32_table_2", and so on.

P.S. Also check out this plugin. It's not as easy as Python but it might have some patterns this one doesn't:
https://sourceforge.net/projects/idasignsrch/

imports aren't being accessed properly

Some of the IDA imports aren't being explicitly accessed.

diff --git a/idapython_tools/findcrypt/findcrypt.py b/idapython_tools/findcrypt/findcrypt.py
index 4f84071..97c88c6 100644
--- a/idapython_tools/findcrypt/findcrypt.py
+++ b/idapython_tools/findcrypt/findcrypt.py
@@ -33,7 +33,7 @@ def main():
             for const in non_sparse_consts:
                 if bbbb != const["byte_array"][:4]:
                     continue
-                if map(lambda x:ord(x), get_bytes(ea, len(const["byte_array"]))) == const["byte_array"]:
+                if map(lambda x:ord(x), idc.get_bytes(ea, len(const["byte_array"]))) == const["byte_array"]:
                     print(("0x%0" + str(digits) + "X: found const array %s (used in %s)") % (ea, const["name"], const["algorithm"]))
                     idc.set_name(ea, const["name"])
                     if const["size"] == "B":
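Review bot: the changed `if` line still compares `map(lambda x:ord(x), ...)` with `const["byte_array"]`, which only works on Python 2. On Python 3 `map` returns a lazy iterator that never compares equal to the stored array, so this branch silently stops matching, and `ord()` would raise TypeError on the ints that iterating a bytes object yields. While qualifying the call, compare `list(bytearray(idc.get_bytes(ea, len(const["byte_array"]))))` against the array instead; that form gives the same result on both interpreter versions.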
@@ -42,14 +42,14 @@ def main():
                         idc.create_dword(ea)
                     elif const["size"] == "Q":
                         idc.create_qword(ea)
-                    make_array(ea, len(const["array"]))
+                    idc.make_array(ea, len(const["array"]))
                     ea += len(const["byte_array"]) - 4
                     break
             ea += 4

         ea = start
-        if get_segm_attr(ea, SEGATTR_TYPE) == 2:
-            while ea < get_segm_end(start):
+        if idc.get_segm_attr(ea, idc.SEGATTR_TYPE) == 2:
+            while ea < idc.get_segm_end(start):
                 d = ida_bytes.get_dword(ea)
                 for const in sparse_consts:
                     if d != const["array"][0]:`
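Review bot: the rewritten segment check `idc.get_segm_attr(ea, idc.SEGATTR_TYPE) == 2` keeps a bare `2`; since the line is being touched anyway, use the named segment-type constant (`ida_segment.SEG_CODE`, whose value is 2) so the intent is readable. The hunk also relies on both `idc` and `ida_bytes` being imported at module level and no import lines appear in this patch, so confirm both imports are present at the top of the file.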

[NOT ISSUE] New numbers for TEA algorithm

I have analyzed a sample of malware-related code and found two numbers related to the TEA algorithm. Those are the numbers and some URLs where you can see more context:


0xb54cda56 
0x61c88647

https://blog.csdn.net/nxjbill/article/details/78160167
https://stackoverflow.com/questions/38994306/what-is-the-meaning-of-0x61c88647-constant-in-threadlocal-java
https://github.com/gp0/cod4stats/blob/master/src/codmpdatadec.c
http://machbbs.com/52pojie/28773

Unfortunately I cannot confirm the exact variation of the algorithm that uses these constants.

Here you can see asm source code https://pastebin.com/eLm8bw31
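
Added example (not part of the issue or of the repository's code): 0x9E3779B9 is the standard TEA-family delta, and the helper below tests whether a 32-bit constant is a small signed multiple of it modulo 2^32, which catches negated and pre-multiplied forms that a fixed constant list misses. Both constants quoted in the issue resolve this way (multipliers -1 and 6). The function names, the multiplier bound of 64 and the sample buffer are assumptions made for this example.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9                    # standard TEA/XTEA/XXTEA delta
DELTA_INV = pow(DELTA, -1, 1 << 32)   # DELTA is odd, so it has an inverse mod 2^32


def delta_multiple(value, max_k=64):
    """Return signed k if value == k * DELTA (mod 2^32) with 0 < |k| <= max_k, else None."""
    k = (value * DELTA_INV) & MASK32
    if k >= 1 << 31:                  # reinterpret as signed 32-bit
        k -= 1 << 32
    return k if 0 < abs(k) <= max_k else None


def scan(buf, max_k=64):
    """Return [(offset, value, k)] for little-endian dwords in buf that are small DELTA multiples."""
    hits = []
    for off in range(len(buf) - 3):
        (value,) = struct.unpack_from("<I", buf, off)
        k = delta_multiple(value, max_k)
        if k is not None:
            hits.append((off, value, k))
    return hits


# Constructed sample: filler bytes around the two constants quoted in the issue.
SAMPLE = (b"\x90\x90" + struct.pack("<I", 0x61C88647) +
          b"\x90\x90" + struct.pack("<I", 0xB54CDA56))

if __name__ == "__main__":
    for off, value, k in scan(SAMPLE):
        print("offset %d: 0x%08X = %d * 0x%08X (mod 2^32)" % (off, value, k, DELTA))
```

A hit only shows that the constant is arithmetically tied to the delta; it does not identify which TEA variant or round count the surrounding code implements.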
