IDAPython Development Study 0

字数统计: 816字   |   阅读时长≈ 4分

I have an idea about optimizing the Cython pseudo-code through IDAPython. So firstly lets learn about it and the IDA microcode as well.

IDAPython Development Study 0

IDA microcode intro

IDA插件开发1 - Hex-Rays SDK - 知乎 (zhihu.com)

Microcode in pictures – Hex Rays (hex-rays.com)

us-18-Guilfanov-Decompiler-Internals-Microcode-wp.pdf (blackhat.com)

7 Days to Lift: A Mission in Microcode | RET2 Systems Blog

Some notes about the IDA Microcode (intermediate language). (github.com)

https://panda0s.top/2021/08/19/Microcode-%E6%8F%92%E4%BB%B6%E5%AD%A6%E4%B9%A0

IDA Ctree

Hex-Rays CTREE API Scripting: Automated Contextual Function Renaming — Möbius Strip Reverse Engineering (msreverseengineering.com)

Notes on CTREE usage with IDAPython (github.com)

[原创]Hex-Rays 反编译插件编写简介-软件逆向-看雪论坛-安全社区|安全招聘|bbs.pediy.com (kanxue.com)

finding ctype_t constants

1
2
3
4
5
import ida_hexrays
for x in dir(ida_hexrays):
        if x.startswith("cot_") or x.startswith("cit_"):
                att = getattr(ida_hexrays, x)
                print("{} ({})".format(x, att))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
cit_asm (82)
cit_block (71)
cit_break (78)
cit_continue (79)
cit_do (76)
cit_empty (70)
cit_end (83)
cit_expr (72)
cit_for (74)
cit_goto (81)
cit_if (73)
cit_return (80)
cit_switch (77)
cit_while (75)
cot_add (35)
cot_asg (2)
cot_asgadd (6)
cot_asgband (5)
cot_asgbor (3)
cot_asgmul (8)
cot_asgsdiv (12)
cot_asgshl (11)
cot_asgsmod (14)
cot_asgsshr (9)
cot_asgsub (7)
cot_asgudiv (13)
cot_asgumod (15)
cot_asgushr (10)
cot_asgxor (4)
cot_band (21)
cot_bnot (50)
cot_bor (19)
cot_call (57)
cot_cast (48)
cot_comma (1)
cot_empty (0)
cot_eq (22)
cot_fadd (42)
cot_fdiv (45)
cot_fmul (44)
cot_fneg (46)
cot_fnum (62)
cot_fsub (43)
cot_helper (68)
cot_idx (58)
cot_insn (66)
cot_land (18)
cot_last (69)
cot_lnot (49)
cot_lor (17)
cot_memptr (60)
cot_memref (59)
cot_mul (37)
cot_ne (23)
cot_neg (47)
cot_num (61)
cot_obj (64)
cot_postdec (54)
cot_postinc (53)
cot_predec (56)
cot_preinc (55)
cot_ptr (51)
cot_ref (52)
cot_sdiv (38)
cot_sge (24)
cot_sgt (28)
cot_shl (34)
cot_sizeof (67)
cot_sle (26)
cot_slt (30)
cot_smod (40)
cot_sshr (32)
cot_str (63)
cot_sub (36)
cot_tern (16)
cot_type (69)
cot_udiv (39)
cot_uge (25)
cot_ugt (29)
cot_ule (27)
cot_ult (31)
cot_umod (41)
cot_ushr (33)
cot_var (65)
cot_xor (20)

Deobfuscating OLLVM through microcode

使用IDA microcode去除ollvm混淆(上) - 先知社区 (aliyun.com)

Useful plugins

HexRaysDeob

RolfRolles/HexRaysDeob: Hex-Rays microcode API plugin for breaking an obfuscating compiler (github.com)

HexRaysCodeXplorer

REhints/HexRaysCodeXplorer: Hex-Rays Decompiler plugin for better code navigation (github.com)

IDABeautify

P4nda0s/IDABeautify: An IDA plugin for making pseudocode better. (github.com)

Lucid - An Interactive Hex-Rays Microcode Explorer

gaasedelen/lucid: An Interactive Hex-Rays Microcode Explorer (github.com)

HRDevHelper

patois/HRDevHelper: Context-sensitive HexRays decompiler plugin that visualizes the ctree of decompiled functions. (github.com)

How to use microcode for optimizations?

How to achieve?

  1. New Bing can easily understand my code snippets,so I guess we can use GPT to do the same. But it involves a large amount of money.
  2. Intermediate language

Obstacles

  • A large sum of compiler optimizations can be witnessed in Cython.

PyImport_AddModule

Intermediate Language

1
2
3
4
5
__Pyx_PrintOne
	-- tup_pack arg_tuple, 1, o
	-- print stream, arg_tuple, 1
	or
	-- 
1
2
tup_pack arg_tuple, 1, _pyx_kp_s_Hello_Cython

Compiling IDA SDK

vs2019 编译ida7.4插件_大帅锅1的博客-CSDN博客

VS2010 + IDA SDK 搭建IDA Plugin开发环境_weixin_30795127的博客-CSDN博客

VS2010 + IDASDK6.2搭建IDA Plugin开发环境 | obaby@mars (h4ck.org.cn)

References

idapython/ImportExportViewer.py at master · EiNSTeiN-/idapython · GitHub

GDATAAdvancedAnalytics/IDA-Python (github.com)

7 Days to Lift: A Mission in Microcode | RET2 Systems Blog

us-18-Guilfanov-Decompiler-Internals-Microcode-wp.pdf (blackhat.com)

Some notes about the IDA Microcode (intermediate language). (github.com)

Hex-Rays CTREE API Scripting: Automated Contextual Function Renaming — Möbius Strip Reverse Engineering (msreverseengineering.com)

idapython/vds3.py at master · zachriggle/idapython · GitHub

【IDAPython CTree】反编译代码操作练习 - 求索 (gentlecp.com)

https://blog.gentlecp.com/article/12309.html

对一批二进制文件执行IDA Python脚本 - go2sleep - 博客园 (cnblogs.com)

Code Snippet 2 - IDAPython script renaming the dword variables. (github.com)

flare-ida/stack_strings_helper.py at master · mandiant/flare-ida (github.com)

FLARE IDA Pro Script Series: Simplifying Graphs in IDA | Mandiant

Using IDAPython to Make Your Life Easier: Part 4 (paloaltonetworks.com)

Using IDA Python to analyze Trickbot – cyber.wtf

使用IDA microcode去除ollvm混淆(上) - 先知社区 (aliyun.com)

idapython - How to create and change variables at address in IDA Python? - Reverse Engineering Stack Exchange

Solving Ad-hoc Problems with Hex-Rays API - REAL security (real-sec.com)

flare-ida/find_get_proc_address.py at master · mandiant/flare-ida · GitHub

IDA插件开发1 - Hex-Rays SDK - 知乎 (zhihu.com)

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

A junior undergraduate
studying in the college of cyber science and engineering
in Sichuan University
in Sichuan , China.
Pronouns:He/him.
A core member of 0x401 CTF team
majorly focus on Reverse Engineering chanllenges.