Search Results for 'idapython'


I'll make some-simple-little-tutorials of idapython

Posted 2010.01.17 22:51 by beistlab
Hey, I got drunk again. (by about 5000cc beer)

I know I haven't posted in a long time. Yeah, I was too busy (and still am). By the way, I'm digging into something with IDAPython these days, and through IDAPython I found a really nice bug in a very popular application in Korea. Sounds like beist is going to be a big brother of 1984? ;) no, never.

But unfortunately... right, I can't publish it on the internet. (Yeah, you should know about the law here :P But please don't picture north korea == south korea. Lol)

Anyway, it'd be good to write an article about how to write IDAPython scripts. I've written many (simple) functions in IDAPython that might be helpful for you. I'll keep my blog updated, but I wanna get some sleep right now.. See you around.


Tag : 1984, idapython

  1. Commonwealth

    2012.11.24 14:56

    I really enjoy this side of things. Such a good topic. It helps me a great deal to solve several problems. That opportunity is so fast, so fantastic, and it is a working style. I think it will be helpful to all of you. Thanks


RefreshDebuggerMemory and dbg_bpt() in IDAPython

Posted 2010.01.10 13:41 by beistlab
Saturday is gone already. I really wanted to drink Guinness, but it was too cold to go out. So I grabbed a Hoegaarden instead of my favorite. (I like Hoegaarden too, though.) By the way, I had a problem accessing memory from dbg_bpt() in IDAPython. Before we get into my trouble, I need to introduce some basic functions in IDAPython.

GetRegValue(name): Get register value
Dword(ea): Get value of program double word (4 bytes)

So, you can easily picture that we can read the value a register points to with this code:

r = GetRegValue("ESP")                  # current value of ESP in the debuggee
value = Dword(r)                        # the 4-byte value at the top of the stack
print "ESP: %x VALUE: %x" % (r, value)

Basically, there is no problem with the above script in IDAPython. But it won't work inside dbg_bpt(). If the memory you'd like to read was modified by the debuggee before control reaches dbg_bpt(), you get the old, cached contents rather than the updated memory.

I tried several ways to find a fix: autoWait(), PauseProcess() and even time.sleep(). None of them worked at all. So I decided to rewrite my code in a sequential style instead of the callback style, using the GetDebuggerEvent() function.

When I was done with my new code, I found an interesting function called "RefreshDebuggerMemory()" in the IDAPython reference and gave the callback approach another shot. Guess what? Now you can really easily see the updated memory, for example:

from idaapi import DBG_Hooks

class MyHooks(DBG_Hooks):
    def dbg_bpt(self, tid, ea):
        RefreshDebuggerMemory()                 # drop IDA's cached copy of process memory first
        r = GetRegValue("ESP")
        value = Dword(r)                        # now reads the current contents, not the cache
        print "ESP: %x VALUE: %x" % (r, value)
        return 0                                # 0 lets IDA handle the breakpoint as usual

RefreshDebuggerMemory(): Refresh debugger memory. Upon this call IDA will forget all cached information about the debugged process.
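The stale read described above is a cache problem: Dword() is answered from IDA's own snapshot of the debuggee's memory, and dbg_bpt() can fire before that snapshot is updated. The following is an added example (not code from the post or from IDAPython itself): a DBG_Hooks-style hook that reads the dword at ESP with the refresh made explicit, plus a constructed stand-in for IDA's cache so the stale-versus-refreshed behaviour can be reproduced outside IDA. The class names IdaMemory, CachedMemory and StackTopHook are my own; the idc/idaapi names are the IDA 5.x/6.x API names used in the post.

```python
try:
    import idaapi, idc              # present only inside IDA
    _HookBase = idaapi.DBG_Hooks
except ImportError:
    _HookBase = object              # lets the hook be exercised outside IDA


class IdaMemory(object):
    """Adapter over the real IDAPython calls the post uses (IDA 5.x/6.x names)."""
    def get_reg(self, name):
        return idc.GetRegValue(name)

    def dword(self, ea):
        return idc.Dword(ea)

    def refresh(self):
        idc.RefreshDebuggerMemory()


class CachedMemory(object):
    """Constructed model of IDA's memory cache, for running the hook offline.

    `live` is what the debuggee actually holds; `cache` is IDA's snapshot.
    dword() answers from the snapshot until refresh() discards it.
    """
    def __init__(self, regs, live):
        self.regs, self.live, self.cache = dict(regs), dict(live), dict(live)

    def debuggee_writes(self, ea, value):   # the snapshot does not see this
        self.live[ea] = value

    def get_reg(self, name):
        return self.regs[name]

    def dword(self, ea):
        return self.cache[ea]

    def refresh(self):
        self.cache = dict(self.live)


class StackTopHook(_HookBase):
    """On any breakpoint, read the dword at ESP; refresh the cache first if asked."""
    def __init__(self, mem, refresh=True):
        super(StackTopHook, self).__init__()
        self.mem, self.refresh, self.last = mem, refresh, None

    def dbg_bpt(self, tid, ea):
        if self.refresh:
            self.mem.refresh()      # forget cached memory before reading
        esp = self.mem.get_reg("ESP")
        self.last = (esp, self.mem.dword(esp))
        print("ESP: %x VALUE: %x" % self.last)
        return 0                    # 0 = let IDA handle the breakpoint normally
```

Inside IDA, install it with `StackTopHook(IdaMemory()).hook()` before starting the debugger; with `refresh=False` the hook reproduces the stale read the post ran into.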

I know I'm still poor at IDAPython, but getting good. :)


Tag : dbg_bpt, idapython, RefreshDebuggerMemory
