you0708 / ida Goto Github PK

IDA related stuff

License: Apache License 2.0

Python 4.73% HTML 95.27%

ida's Issues

[NOT ISSUE] New numbers for TEA algorithm

I have analyzed a sample of malware-related code and found two numbers related to the TEA algoritm. Those are the numbers and some URLs where you can see more context:


0xb54cda56 
0x61c88647

https://blog.csdn.net/nxjbill/article/details/78160167
https://stackoverflow.com/questions/38994306/what-is-the-meaning-of-0x61c88647-constant-in-threadlocal-java
https://github.com/gp0/cod4stats/blob/master/src/codmpdatadec.c
http://machbbs.com/52pojie/28773

Unfortunately I cannot confirm the exact variation of the algorithm that uses these constants.

Here you can see asm source code https://pastebin.com/eLm8bw31

Fix for "can't rename byte as 'xxx' because the name is already used in the program."

In IDA labels/names must be unique (unlike Ghidra).
If you try to use the same name again you will get a dialog box and a message like:

can't rename byte as 'CRC32_m_tab_le' because the name is already used in the program.

The easy fix is to change line #39 from "idc.set_name(ea, const["name"])" to "idc.set_name(ea, const["name"], ida_name.SN_FORCE)".
The "SN_FORCE" flag will automatically serialize the name for you. So the naming sequence in this example will be "ms_pst_crc32_table", "ms_pst_crc32_table_1", "ms_pst_crc32_table_2", and so on.

P.S. Also check out this plugin. It's not as easy as Python but it might have some patterns this one doesn't:
https://sourceforge.net/projects/idasignsrch/

我发现一段代码逻辑有点乱

ida/idapython_tools/findcrypt/findcrypt.py

Line 64 in 977a8cd

else:

你好，
这里为什么没有像之前一样直接匹配后面的是否相等呢。
并且我不明白这两个else 是跟哪个if 配对的

imports aren't being accessed properly

some of the ida imports aren't being explicitly accessed.

diff --git a/idapython_tools/findcrypt/findcrypt.py b/idapython_tools/findcrypt/findcrypt.py
index 4f84071..97c88c6 100644
--- a/idapython_tools/findcrypt/findcrypt.py
+++ b/idapython_tools/findcrypt/findcrypt.py
@@ -33,7 +33,7 @@ def main():
             for const in non_sparse_consts:
                 if bbbb != const["byte_array"][:4]:
                     continue
-                if map(lambda x:ord(x), get_bytes(ea, len(const["byte_array"]))) == const["byte_array"]:
+                if map(lambda x:ord(x), idc.get_bytes(ea, len(const["byte_array"]))) == const["byte_array"]:
                     print(("0x%0" + str(digits) + "X: found const array %s (used in %s)") % (ea, const["name"], const["algorithm"]))
                     idc.set_name(ea, const["name"])
                     if const["size"] == "B":
@@ -42,14 +42,14 @@ def main():
                         idc.create_dword(ea)
                     elif const["size"] == "Q":
                         idc.create_qword(ea)
-                    make_array(ea, len(const["array"]))
+                    idc.make_array(ea, len(const["array"]))
                     ea += len(const["byte_array"]) - 4
                     break
             ea += 4

         ea = start
-        if get_segm_attr(ea, SEGATTR_TYPE) == 2:
-            while ea < get_segm_end(start):
+        if idc.get_segm_attr(ea, idc.SEGATTR_TYPE) == 2:
+            while ea < idc.get_segm_end(start):
                 d = ida_bytes.get_dword(ea)
                 for const in sparse_consts:
                     if d != const["array"][0]:`

you0708 / ida Goto Github PK

ida's Issues

[NOT ISSUE] New numbers for TEA algorithm

Fix for "can't rename byte as 'xxx' because the name is already used in the program."

我发现一段代码逻辑有点乱

imports aren't being accessed properly

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent