#1
IDA script function.
In IDA, there is a menu item under Search called "not function". I have looked for an IDC script function to do the same and I can't find anything similar. FindUnexplored() does not do what I want; I need to find the next occurrence of code which has not yet been defined as a function. Any ideas please?
Git
#2
In the Python API there is `find_not_func(ea, sflag)`:
https://www.hex-rays.com/products/ida/support/idapython_docs/idaapi-module.html#find_not_func

Don't think there is the same for IDC. You probably have to get all functions and then FindFuncEnd(ea) + 1.

Edit: here are the sflags!! https://www.hex-rays.com/products/ida/support/idadoc/284.shtml

FindUnexplored(ea, SEARCH_DOWN) should do the same thing. but as you said i dont maybe a bug ?
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm." Today I whispered in the devils ear, "I am the storm."

Last edited by Storm Shadow; 09-21-2014 at 19:54.
#3
Thanks. FindUnexplored will find bytes that have not yet been defined as code or data. I am searching for bytes defined as code but not yet collected into functions, so I think it is working as designed. As you say, I may have to find each func and look at the byte past the end. I can then also squash all those case data tables that didn't get found too.
Git
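The distinction drawn in post #3, as an added example that is not part of the original thread: an "unexplored" search and a "not function" search stop at different addresses, and walking past each function end collects the orphan code into runs. It uses a constructed listing model instead of the IDA API; `ITEMS`, `FUNCS` and all function names are hypothetical, and function ranges are assumed half-open.

```python
from bisect import bisect_right

# Constructed model of a listing: (address, size, kind) per item, where kind
# is "code", "data" or "unexplored". Not taken from a real binary.
ITEMS = [
    (0x1000, 4, "code"), (0x1004, 2, "code"),   # inside the first function
    (0x1006, 2, "unexplored"),                   # bytes never defined
    (0x1008, 3, "code"), (0x100B, 1, "code"),   # code, but in no function
    (0x100C, 8, "data"),                         # e.g. a case table
    (0x1014, 4, "code"), (0x1018, 2, "code"),   # inside the second function
    (0x101A, 5, "code"),                         # orphan code after its end
]
# Function ranges, assumed half-open [start, end) and sorted by start.
FUNCS = [(0x1000, 0x1006), (0x1014, 0x101A)]

def in_function(ea, funcs):
    """True if ea lies inside one of the sorted, non-overlapping ranges."""
    starts = [s for s, _ in funcs]
    i = bisect_right(starts, ea) - 1
    return i >= 0 and ea < funcs[i][1]

def next_unexplored(ea, items):
    """Next item after ea that is neither code nor data."""
    for addr, _, kind in items:
        if addr > ea and kind == "unexplored":
            return addr
    return None

def next_not_func(ea, items, funcs):
    """Next item after ea that is code but belongs to no function."""
    for addr, _, kind in items:
        if addr > ea and kind == "code" and not in_function(addr, funcs):
            return addr
    return None

def orphan_runs(items, funcs):
    """Merge adjacent orphan instructions into [start, end) runs."""
    runs = []
    for addr, size, kind in items:
        if kind != "code" or in_function(addr, funcs):
            continue
        if runs and runs[-1][1] == addr:
            runs[-1][1] = addr + size          # extend the current run
        else:
            runs.append([addr, addr + size])   # start a new run
    return [tuple(r) for r in runs]
```

Each run returned by `orphan_runs` is a candidate for one function-creation attempt at its start address.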
#4
This duplicates the window Search >> not Function
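Code:
```python
from idaapi import *
ea = find_not_func(0, SEARCH_DOWN)   # first address below 0 upward that is not in a function
jumpto(ea, -1, 0x0001)               # move the cursor there
```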
#5
Well, you finally gave me the push I needed to dabble in python scripts for the first time. I ended up with this:
Code:
```python
from idaapi import *

ea = get_screen_ea()
seg = getseg(ea)
i = 0
adr = 0
# seg is fetched once, so this test only checks the segment under the cursor
while seg.name == 0xff00003e:
    adr = find_not_func(adr, SEARCH_DOWN)   # resume after the previous hit
    if adr == BADADDR:                       # nothing left: stop instead of looping forever
        break
    jumpto(adr, -1, 0x0001)
    if add_func(adr, BADADDR):               # count only functions actually created
        i = i + 1
print("Finished, %d funcs created" % i)
```
Next ones to tackle are

1) all those damned case/switch tables IDA leaves outside the func so it then gives each case address a global name. Really is one of my pet hates.

2) why can't it convert a huge pile of UNICODE strings to actual strings instead of leaving each one mis-identified as a table of offsets, which in turn put a load of nonsense address labels all over the place, often in code and quite often splitting an asm statement

How do other people deal with those last 2 problems?

Git
#6
@git:

1. I just manually fix it when I enter an interesting function. Copy real end address then ALT+P.
2. Change low/high suspicious limit in options to some invalid address (eg. 0), then mark all unicode strings that haven't been fully detected and press c. Choose "analyze", choose "Yes, convert to code" and it should fix your unicode strings. You can use a regular expression and search for them:
   "dd offset [^ ]+00" (dd offset loc_490021)
   "dd offset [^ ]+\+" (dd offset aSomeString_7+18Bh)
   Could take a couple of minutes to fix all unicode strings depending on the size of your exe.
#7
I do something very like (1), but I'm a bit obsessive and have to do all functions.

Git