Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   IDA script function. (https://forum.exetools.com/showthread.php?t=16194)

Git 09-21-2014 17:43

IDA script function.
In IDA, there is a menu item under Search called "not function". I have looked for an IDC script function to do the same and I can't find anything similar. FindUnexplored() does not do what I want, I need to find the next occurrence of code which has not yet been defined as a function. Any ideas please?


Storm Shadow 09-21-2014 19:40

In the Python API there is
find_not_func(ea, sflag)
Don't think there is the same for IDC.
You probably have to get all functions and then FindFuncEnd(ea) + 1

Edit: here are the sflags!!

FindUnexplored(ea, SEARCH_DOWN) should do the same thing. But as you said it doesn't, maybe a bug?

Git 09-21-2014 22:29

Thanks. FindUnexplored will find bytes that have not yet been defined as code or data. I am searching for bytes defined as code but not yet collected into a function, so I think it is working as designed. As you say, I may have to find each func and look at the byte past the end. I can then also squash all those case data tables that didn't get found too :)


Storm Shadow 09-22-2014 02:37

This duplicates the window Search >> not Function


from idaapi import *                  # find_not_func, jumpto, SEARCH_DOWN (IDA 6.x IDAPython)
ea = find_not_func(0, SEARCH_DOWN)    # first code byte, searching down from 0, that is in no function
jumpto(ea, -1, 0x0001)                # move the disassembly cursor there, like Search >> not function


Git 09-22-2014 21:23

Well, you finally gave me the push I needed to dabble in python scripts for the first time. I ended up with this :


from idaapi import *

# 0xff00003e is this database's internal name id for the code segment (a bodge:
# segment_t.name is an index into IDA's name pool, not the segment's string name).
CODE_SEG_NAME_ID = 0xff00003e

ea = get_screen_ea()
seg = getseg(ea)
i = 0
start = 0
while seg is not None and seg.name == CODE_SEG_NAME_ID:
  adr = find_not_func(start, SEARCH_DOWN)  # next code byte not yet inside a function
  if adr == BADADDR:                       # nothing left: stop instead of looping forever
    break
  jumpto(adr, -1, 0x0001)
  if add_func(adr, BADADDR):               # let IDA work out the function end
    i = i + 1
  start = adr + 1                          # continue past this address whether or not it converted
  seg = getseg(adr)                        # stop once the search has left the code segment
print("Finished, %d funcs created" % i)

I had a disassembly with a lot of unconverted funcs. I knew there would be side effects doing it with a script but it seemed to have worked. As you can see, looping while in a specific segment (code) is a complete bodge. I couldn't find any form of seg.name == "CODE" or ".text" etc, or seg.type that it liked, except for the direct identifier which is, I think, specific to an app?

Next ones to tackle are

1) all those damned case/switch tables IDA leaves outside the func so it then gives each case address a global name. Really is one of my pet hates.

2) why can't it convert a huge pile of UNICODE strings to actual strings instead of leaving each one mis-identified as a table of offsets, which in turn put a load of nonsense address labels all over the place, often in code and quite often splitting an asm statement :(

How do other people deal with those last 2 problems?

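Added example (mine, not code from the thread or from IDA): a plain-Python model of the database that shows what find_not_func(ea, SEARCH_DOWN) answers, why it is the right primitive for Git's conversion loop, and why the "look at FindFuncEnd(ea) + 1" approach only catches orphan code that sits directly after an existing function. The addresses, and the rule that a created function runs to the next function start or the last code byte, are constructed assumptions so it runs outside IDA.

```python
import bisect

# Constructed model of a small IDA database (example code, not from the thread):
# CODE_ADDRS = addresses IDA flagged as code; FUNCS = [start, end) ranges already
# collected into functions, like func_t.startEA / endEA.
CODE_ADDRS = {0x401000, 0x401003, 0x401005,   # function A: [0x401000, 0x401008)
              0x401008, 0x40100a,             # orphan code right after A's end
              0x401020, 0x401025,             # function B: [0x401020, 0x401029)
              0x401030, 0x401032}             # orphan code with no function nearby
FUNCS = [(0x401000, 0x401008), (0x401020, 0x401029)]


def func_containing(funcs, ea):
    """Function range containing ea, or None (what get_func(ea) answers). funcs is sorted."""
    i = bisect.bisect_right(funcs, (ea, float("inf"))) - 1
    if i >= 0 and funcs[i][0] <= ea < funcs[i][1]:
        return funcs[i]
    return None


def find_not_func(code_addrs, funcs, ea):
    """Next code address >= ea that lies in no function, else None:
    the behaviour of find_not_func(ea, SEARCH_DOWN) asked about in the thread."""
    for a in sorted(a for a in code_addrs if a >= ea):
        if func_containing(funcs, a) is None:
            return a
    return None


def orphans_past_func_ends(code_addrs, funcs):
    """The FindFuncEnd(ea) + 1 idea: only the byte past each function's end is examined."""
    return [end for _, end in funcs
            if end in code_addrs and func_containing(funcs, end) is None]


def collect_orphans(code_addrs, funcs):
    """Git's loop: find_not_func then add_func until nothing is left. Assumption: a
    created function extends to the next function start or to the last code byte."""
    funcs = sorted(funcs)
    created = []
    adr = find_not_func(code_addrs, funcs, 0)
    while adr is not None:
        later = [s for s, _ in funcs if s > adr]
        limit = min(later) if later else max(code_addrs) + 1
        end = max(a for a in code_addrs if adr <= a < limit) + 1
        bisect.insort(funcs, (adr, end))      # the modelled add_func(adr, BADADDR)
        created.append((adr, end))
        adr = find_not_func(code_addrs, funcs, end)
    return created
```

Run against the constructed data, orphans_past_func_ends finds only 0x401008, while collect_orphans also creates a function at 0x401030, which no existing function end leads to.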

0xd4d 09-23-2014 23:05


1. I just manually fix it when I enter an interesting function. Copy real end address then ALT+P.

2. Change low/high suspicious limit in options to some invalid address (eg. 0), then mark all unicode strings that haven't been fully detected and press c. Choose "analyze", choose "Yes, convert to code" and it should fix your unicode strings. You can use a regular expression and search for them:

"dd offset [^ ]+00" (dd offset loc_490021)

"dd offset [^ ]+\+" (dd offset aSomeString_7+18Bh)

Could take a couple of minutes to fix all unicode strings depending on the size of your exe.

Git 09-24-2014 01:58

I do something very like (1), but I'm a bit obsessive and have to do all functions :). It still annoys me that it has to be done manually at all, the analyzer should sort it out. For (2) I've made a script to do something similar and it seems to be working, but I don't find area selection easy in IDA, especially as I have a tremor. Again, you would think the analyzer could pick that stuff up easily.

