
A higher level API for IdaRub

I'm still dreaming of IdaHaskell for the sheer expressiveness that language provides. Alas, I fear IdaHaskell will remain a dream for years to come. Using IdaRub it is fortunately possible to make a big step towards the expressiveness of Haskell. I have started to develop a higher level API for IdaRub that allows you to do things in fewer lines of code.

Here are a few examples.

Here's how you get a list of all instructions used in a file:

p file.map{|f| f.map{|i| i.instruction}}.flatten.uniq.sort

Want to find all functions that start with a 'jmp' instruction? Here you go:

p file.map{|f| [f.name, f[0].instruction]}.select{|x| x[1] == 'jmp'}

Or what about listing all functions ordered by how many code cross-references point at their first instruction, which is roughly the number of call sites?

p file.map{|f| [f.name, f[0].crefs_to.length]}.sort{|x,y| y[1] <=> x[1]}

If you want to have a sorted list of all bytes used in the first function you'd do this:

p (file[0].start .. file[0].end).map{|x| x.byte}.uniq.sort{|x,y| x-y}.map{|x| "%02X" % x}

If you want a list of all unicode string references in the file containing an asterisk the following one-liner would do the job:

p file.string_list.select{|x| x.type == 3 && x.offset.unicode =~ /\*/}.map{|x| [x.offset.offset, x.offset.unicode]}

I could go on and on and on. The number of one-liners to do neat stuff is nearly endless. It's not quite Haskell yet but I'm reasonably happy.

There's also a new instruction counter script that makes use of the high level API. The new script is noticeably smaller and prettier to look at. Furthermore you will notice that all output is directed through the new idap function. This function prints to stdout if the script is started from the console (remote mode) or to the output window inside IDA if the script is started from within IDA (local mode).
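To make the one-liners above and the idap dispatch concrete without an IDA session, here is an added example that is not part of the IdaRub high-level API: a constructed in-memory stand-in for the file, function, instruction and string-list objects the queries operate on, with each query wrapped in a named method so it can be run and checked. The class names and fields (Insn, Func, StrRef, crefs_to, type == 3 meaning unicode, the IDA_OUT sink used by idap in local mode) are assumptions about the shape of that API, not its real definitions. Note the asterisk in the string search must be escaped: `/*/` is a syntax error in Ruby, `/\*/` matches a literal asterisk.

```ruby
# Added example, not IdaRub code. Every class and field here is a constructed
# stand-in that merely mimics the shape the one-liners on the page expect.

# One instruction: address, mnemonic, raw bytes, and the addresses that hold
# code references to it (crefs_to).
Insn = Struct.new(:ea, :instruction, :bytes, :crefs_to)

# One function: a name plus its instructions. Enumerable so that f.map and
# f[0] work as in the one-liners.
class Func
  include Enumerable
  attr_reader :name

  def initialize(name, insns)
    @name, @insns = name, insns
  end

  def each(&blk); @insns.each(&blk); end
  def [](i); @insns[i]; end
  def start; @insns.first.ea; end

  # Bytes of the function body in address order. The page walks the address
  # range (start .. end) and calls .byte on each address; plain Integers have
  # no .byte here, so the stand-in exposes the bytes directly instead.
  def body_bytes; @insns.flat_map(&:bytes); end
end

# A string-list entry. Assumption: type 3 means a unicode string, and
# offset.offset / offset.unicode give its address and text.
StrRef = Struct.new(:type, :offset)
StrLoc = Struct.new(:offset, :unicode)

# Constructed sample binary: three tiny functions and three strings.
FILE = [
  Func.new("entry",  [Insn.new(0x1000, "push", [0x55], []),
                      Insn.new(0x1001, "call", [0xE8, 0, 0, 0, 0], []),
                      Insn.new(0x1006, "ret",  [0xC3], [])]),
  Func.new("helper", [Insn.new(0x1010, "mov",  [0x8B, 0xC1], [0x1001, 0x1021]),
                      Insn.new(0x1012, "ret",  [0xC3], [])]),
  Func.new("thunk",  [Insn.new(0x1020, "jmp",  [0xEB, 0x10], [0x1001]),
                      Insn.new(0x1022, "nop",  [0x90], [])]),
]
STRINGS = [
  StrRef.new(3, StrLoc.new(0x2000, "*.dll")),
  StrRef.new(3, StrLoc.new(0x2010, "kernel32")),
  StrRef.new(0, StrLoc.new(0x2020, "*.exe")),   # not unicode, must be filtered out
]

# Every mnemonic used anywhere in the file.
def instructions_used(file)
  file.map { |f| f.map { |i| i.instruction } }.flatten.uniq.sort
end

# Functions whose first instruction is a jmp.
def jmp_functions(file)
  file.map { |f| [f.name, f[0].instruction] }.select { |x| x[1] == 'jmp' }
end

# Functions ordered by the number of code references to their first instruction.
def by_cref_count(file)
  file.map { |f| [f.name, f[0].crefs_to.length] }.sort { |x, y| y[1] <=> x[1] }
end

# Distinct bytes of the first function as sorted two-digit hex strings.
def first_func_bytes(file)
  file[0].body_bytes.uniq.sort { |x, y| x - y }.map { |x| "%02X" % x }
end

# Unicode strings containing an asterisk. The asterisk is escaped because
# /*/ is not a valid Ruby regexp.
def unicode_with_asterisk(strings)
  strings.select { |x| x.type == 3 && x.offset.unicode =~ /\*/ }
         .map { |x| [x.offset.offset, x.offset.unicode] }
end

# idap stand-in: in local mode (script started inside IDA) output goes to the
# IDA output window, here modelled by the hypothetical IDA_OUT buffer; in
# remote mode (console) it goes to stdout. Returns the message either way.
IDA_OUT = []
def idap(msg, local: false)
  local ? (IDA_OUT << msg.to_s) : puts(msg)
  msg
end

if __FILE__ == $0
  idap instructions_used(FILE).inspect
  idap jmp_functions(FILE).inspect
  idap by_cref_count(FILE).inspect
  idap first_func_bytes(FILE).inspect
  idap unicode_with_asterisk(STRINGS).inspect
end
```

Run it with plain `ruby` and the five queries print their results on stdout; pass `local: true` to idap and the same text is collected in IDA_OUT instead, which is the behaviour the real function provides inside IDA.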

Right now the high-level API is merely a quick one-day hack. Nevertheless you can already do pretty cool stuff with it. You might want to check it out.
