Introduction to IDAPython
• Brief intro to IDAPython
• How to install
– Searching disassembly patterns
– Searching system calls in the binary
Automatic Reversing with IDA
• To do automatic reversing?
– you need to write scripts
• IDA supports multiple interfaces
– Plugins (C++)
– IDC (C-like scripting)
– IDAPython (Python)
Brief intro to IDAPython
• Most things you can do w/ your hands
– can be done w/ IDAPython
How to install
• COPY ‘python’ directory
– to %IDA_DIR%
• PUT ‘python.plw’
– to %IDA_DIR%/plugins
• ex) C:\Program Files\IDA52\plugins
How to execute
1. Press ‘ALT+9’ in IDA
2. Choose Python file you’d like to execute
Results are printed in the log window
– Walking the functions
### Walk the functions
from idc import *
from idautils import *

# Get the starting address of the segment under the cursor
ea = ScreenEA()
# Loop through all the functions in that segment
for function_ea in Functions(SegStart(ea), SegEnd(ea)):
    # Print the address and the function name
    print("0x%08x %s" % (function_ea, GetFunctionName(function_ea)))
– Walking the instructions
from idc import *
from idautils import *

# For each of the segments
for seg_ea in Segments():
    # For each of the defined elements (heads) in the segment
    for head in Heads(seg_ea, SegEnd(seg_ea)):
        # If it's an instruction (code, not data)
        if isCode(GetFlags(head)):
            # Get the disassembly and print it
            disasm = GetDisasm(head)
            print("0x%08x %s" % (head, disasm))
– Find ‘CALL’ instructions
from idc import *
from idautils import *

seg_ea = SegByName(".text")
# For each instruction in .text
for addr in Heads(seg_ea, SegEnd(seg_ea)):
    # Get the disassembly text
    disasmStr = GetDisasm(addr)
    # Print if it is a system call (software interrupt, e.g. int 80h on Linux x86)
    if disasmStr.startswith("int "):
        print("0x%08x [%s]" % (addr, disasmStr))
• What is obfuscation?
– Transforming a binary into something
• that has the same execution behavior
• but a very different outward representation
– To disrupt disassemblers
• How to obfuscate the binary
– Simple obfuscation methods
• What happens due to these obfuscations?
– IDA fails to analyze the binary properly
• which means ..
• YOU CANNOT USE THE CFG LAYOUT
• YOU CANNOT EASILY FOLLOW THE CONTROL FLOW
• Let’s learn deobfuscation w/ an example
1. Load reversing500 in IDA
2. Move to 0x08049891 and see the ‘PUSH/RET’ pair
3. See the instructions of 0x08049891
– For full deobfuscation
• execute ‘deobfuscation_full.py’
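As an added example (not from the original slides or from deobfuscation_full.py), the script below finds the PUSH imm / RET pattern seen above and reports the JMP target it really encodes. The matching logic works on plain (address, disassembly) pairs so it can be tried outside IDA on the constructed listing; the IDA hook at the bottom uses the same legacy API as the slides.

```python
import re

# Matches "push imm" as IDA prints it, e.g. "push offset 8049899h" or
# "push 0x8049899". Register operands never match (they contain non-hex letters).
PUSH_IMM = re.compile(r"^push\s+(?:offset\s+)?(?:0x)?([0-9a-f]+)h?$")


def find_push_ret(listing):
    """listing: iterable of (ea, disasm) in address order.
    Returns [(push_ea, target), ...] for each 'push imm' immediately followed
    by 'ret'/'retn'; that pair transfers control exactly like 'jmp imm'."""
    found = []
    prev = None
    for ea, disasm in listing:
        text = disasm.strip().lower()
        if prev is not None and text in ("ret", "retn"):
            m = PUSH_IMM.match(prev[1])
            if m:
                found.append((prev[0], int(m.group(1), 16)))
        prev = (ea, text)
    return found


# Constructed sample listing (not taken from reversing500): a PUSH/RET pair at
# 0x08049891, then ordinary code and a "push reg; retn" that must not match.
SAMPLE_LISTING = [
    (0x08049891, "push    offset 8049899h"),
    (0x08049896, "retn"),
    (0x08049897, "push    ebp"),
    (0x08049898, "mov     ebp, esp"),
    (0x0804989A, "push    eax"),
    (0x0804989B, "retn"),
]


def run_in_ida():
    """Scan .text inside IDAPython and comment each PUSH/RET with its JMP target."""
    from idc import GetDisasm, SegByName, SegEnd, MakeComm
    from idautils import Heads
    seg_ea = SegByName(".text")
    listing = [(ea, GetDisasm(ea)) for ea in Heads(seg_ea, SegEnd(seg_ea))]
    for push_ea, target in find_push_ret(listing):
        MakeComm(push_ea, "PUSH/RET == JMP 0x%08x" % target)
        print("0x%08x PUSH/RET -> 0x%08x" % (push_ea, target))


if __name__ == "__main__":
    for push_ea, target in find_push_ret(SAMPLE_LISTING):
        print("0x%08x PUSH/RET -> 0x%08x" % (push_ea, target))
```

Run it from ALT+9 inside IDA after replacing the `__main__` call with `run_in_ida()`; outside IDA it only processes the constructed listing.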
Exercises (more applications)
• 1. How to list all string copy functions?
– such as strcpy(), strncpy(), strcat(), etc.
– YES, this is for finding stack overflow vulns.
• 2. How to examine all malloc() calls?
– whose argument is determined dynamically
– YES, this is for finding heap overflow vulns.
• 3. Memory/Register Computation Back Tracer
• “Introduction to IDAPython”
by Ero Carrera