Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 09-21-2014, 17:43
Git's Avatar
Git Git is offline
Old Git
 
Join Date: Mar 2002
Location: Torino
Posts: 1,115
Rept. Given: 220
Rept. Rcvd 265 Times in 157 Posts
Thanks Given: 108
Thanks Rcvd at 216 Times in 124 Posts
Git Reputation: 200-299 Git Reputation: 200-299 Git Reputation: 200-299
IDA script function.

In IDA, there is a menu item under Search called "not function". I have looked for an IDC script function to do the same and I can't find anything similar. FindUnexplored() does not do what I want, I need to find the next occurence od code which has not yet been defined as a function. Any ideas please?

Git
Reply With Quote
  #2  
Old 09-21-2014, 19:40
Storm Shadow's Avatar
Storm Shadow Storm Shadow is offline
Family
 
Join Date: Jun 2014
Posts: 281
Rept. Given: 186
Rept. Rcvd 191 Times in 78 Posts
Thanks Given: 138
Thanks Rcvd at 245 Times in 97 Posts
Storm Shadow Reputation: 100-199 Storm Shadow Reputation: 100-199
in the python api there is
find_not_func(ea, sflag)
https://www.hex-rays.com/products/ida/support/idapython_docs/idaapi-module.html#find_not_func
Dont think there is the same for IDC.
You proberly have to get all functions and then FindFuncEnd(ea) + 1

edit here are the sflags!!
https://www.hex-rays.com/products/ida/support/idadoc/284.shtml

FindUnexplored(ea, SEARCH_DOWN) should do the same thing. but as you said i dont maybe a bug ?
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm."

Today I whispered in the devils ear, "I am the storm."

Last edited by Storm Shadow; 09-21-2014 at 19:54.
Reply With Quote
  #3  
Old 09-21-2014, 22:29
Git's Avatar
Git Git is offline
Old Git
 
Join Date: Mar 2002
Location: Torino
Posts: 1,115
Rept. Given: 220
Rept. Rcvd 265 Times in 157 Posts
Thanks Given: 108
Thanks Rcvd at 216 Times in 124 Posts
Git Reputation: 200-299 Git Reputation: 200-299 Git Reputation: 200-299
Thanks. FindUnexplored will find bytes that have not yet been defined as code or data. I am searching for bytes defined as code but not yet collected into a functions, so I think it is working as designed. As you say, I may have to find each func and look at the byte past the end. I can then also squash all those case data tables that didn't get found too

Git
Reply With Quote
The Following User Gave Reputation+1 to Git For This Useful Post:
Storm Shadow (09-22-2014)
  #4  
Old 09-22-2014, 02:37
Storm Shadow's Avatar
Storm Shadow Storm Shadow is offline
Family
 
Join Date: Jun 2014
Posts: 281
Rept. Given: 186
Rept. Rcvd 191 Times in 78 Posts
Thanks Given: 138
Thanks Rcvd at 245 Times in 97 Posts
Storm Shadow Reputation: 100-199 Storm Shadow Reputation: 100-199
This duplicates the window Search >> not Function

Code:
ea = find_not_func(0, SEARCH_DOWN)
jumpto(ea, -1, 0x0001)
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm."

Today I whispered in the devils ear, "I am the storm."
Reply With Quote
  #5  
Old 09-22-2014, 21:23
Git's Avatar
Git Git is offline
Old Git
 
Join Date: Mar 2002
Location: Torino
Posts: 1,115
Rept. Given: 220
Rept. Rcvd 265 Times in 157 Posts
Thanks Given: 108
Thanks Rcvd at 216 Times in 124 Posts
Git Reputation: 200-299 Git Reputation: 200-299 Git Reputation: 200-299
Well, you finally gave me the push I needed to dabble in python scripts for the first time. I ended up with this :

Code:
from idaapi import *

ea = get_screen_ea()
seg = getseg(ea)
i = 0
while seg.name == 0xff00003e :
  adr = find_not_func(0, SEARCH_DOWN)
  jumpto(adr, -1, 0x0001)
  add_func(adr, BADADDR)
  i = i + 1
  
print "Finished, %d funcs created" % i
I had a disassembly with a lot of unconverted funcs. I knew there would be side effects doing it with a script but it seemed to have worked. As you can see, looping while in a specific segment (code) is a complete bodge. I couldn't find any form of seg.name == "CODE" or ".text" etc, or seg.type that it liked, except for the direct indetifier which is, I think, specific to an app?.

Next ones to tackle are

1) all those damned case/switch tables IDA leaves outside the func so it then gives each case address a global name. Really is one of my pet hates.

2) why can't it convert a huge pile of UNICODE strings to actual strings instead of leaving each one mis-identified as a table of offsets, which in turn put a load of nonsense address labels all over the place, often in code and quite often splitting an asm statement

How do other people deal with those last 2 problems?

Git
Reply With Quote
The Following User Gave Reputation+1 to Git For This Useful Post:
Storm Shadow (09-23-2014)
  #6  
Old 09-23-2014, 23:05
0xd4d 0xd4d is offline
Lo*eXeTools*rd
 
Join Date: Mar 2012
Posts: 78
Rept. Given: 12
Rept. Rcvd 308 Times in 44 Posts
Thanks Given: 2
Thanks Rcvd at 175 Times in 24 Posts
0xd4d Reputation: 300-399 0xd4d Reputation: 300-399 0xd4d Reputation: 300-399 0xd4d Reputation: 300-399
@git:

1. I just manually fix it when I enter an interesting function. Copy real end address then ALT+P.

2. Change low/high suspicious limit in options to some invalid address (eg. 0), then mark all unicode strings that haven't been fully detected and press c. Choose "analyze", choose "Yes, convert to code" and it should fix your unicode strings. You can use a regular expression and search for them:

"dd offset [^ ]+00" (dd offset loc_490021)

"dd offset [^ ]+\+" (dd offset aSomeString_7+18Bh)

Could take a couple of minutes to fix all unicode strings depending on the size of your exe.
Reply With Quote
  #7  
Old 09-24-2014, 01:58
Git's Avatar
Git Git is offline
Old Git
 
Join Date: Mar 2002
Location: Torino
Posts: 1,115
Rept. Given: 220
Rept. Rcvd 265 Times in 157 Posts
Thanks Given: 108
Thanks Rcvd at 216 Times in 124 Posts
Git Reputation: 200-299 Git Reputation: 200-299 Git Reputation: 200-299
I do something very like (1), but I'm a bit obsessive and have to do all functions . It still annoys me that it has to be done manually at all, the analyzer should sort it out. For (2) I've made a script to do something similar and it seems to be working, but I don't find area selection easy in IDA, especially as I have a tremor. Again, you would think the analyzer could pick that stuff up easily.

Git
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IDA Script Function rename for Delphi VCL (x32 - x64) Coldzer0 Community Tools 0 05-12-2018 21:51
GMP function Git General Discussion 4 06-16-2011 21:33
FUNCTION CHUNKs Git General Discussion 4 09-07-2005 19:35


All times are GMT +8. The time now is 16:59.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )