Written by shakuganz

Basic IDA IDC Scripting

Today’s topic will be regarding IDA IDC scripting. Previously I have written a post on IDA Python scripting. You can find that post here. However, since IDA Python script is only available for IDA Pro, those of you who only owns IDA Freeware can only use IDC for scripting in IDA. To download IDA Freeware, click this link to go to the website.

IDC is a scripting language in IDA which is similar to the C programming language which you all are familiar with. However, as you know, C programming is not very ideal for fast scripting as it is more complex. Therefore, if you have IDA Pro, go for Python Scripting instead.

Before we start off, this is the link to all the IDC in-built functions available. This post will only be the basics which I used them for scripting.

auto:

For variable declaration in IDC, we can use auto which is similar to C++. This allows the intepreter to automatically assign a type for it. It will be useful if you do not know what is its type.

auto a = ScreenEA()

print():

Similar to Python print message method, IDC’s printing message also uses print() to print message.

print(“Hello!”)

long ScreenEA():

This is a build in function which allows you to get the address of where the current cursor is. However, note that this function returns a long value, which is decimal base. Hence, to obtain the same value you see in your IDA, you have to convert it into hex base. Example of usage:

Code:

print(ScreenEA())

Result:

4198400

long next_head(long addr, long maxAddr):

Gets the address of the next defined instruction or data based on the address, addr, you input as argument to next_head(). maxAddr should contain the maximum address you allow it to search. A usage example below.

Code:

auto addr = ScreenEA()

auto newAdd = next_head(addr, 90000000)

print(newAdd)

Result:

34324354

long prev_head(long addr, long minAddr):

Similar to next_head(), the function does the opposite which it gets the address of the previous defined instruction or data based on the address you input as argument to prev_head(). Example below.

Code:

auto addr = ScreenEA()

auto newAdd = prev_head(addr, 90000000)

print(newAdd)

Result:

34324350

long get_operand_value(long addr, long operandNum):

This in-built function helps you to obtain the value of the operand based on the address you have input as parameter.

operandNum: number of the operand

  1. n = 0, get the 1st operand.
  2. n = 1, get the 2nd operand.

In-code:

mov eax, 3h

Code:

get_operand_value(ScreenEA(), 1)

Result:

3

string get_func_name(long addr):

This in-built function helps to get the function name of the assembly instruction which the address you input as parameter. Remember if you would like to search for that function in IDA using hotkey Ctrl+P, you need to change function name with substring “:” to “__”.

Code:

get_func_name(ScreenEA())

Result:

main

long get_first_dref_to(long addr):

This in-built function allows you to obtain the first reference (xref to. Same result as pressing hotkey Ctrl+X in IDA) to the address in addr you have input. Let’s say if there are a list of references to the address you have input as get_first_dref_to()‘s parameter, this function will return the first reference to it.

Code:

auto xref_addr_first = get_first_dref_to(ScreenEA());

print(xref_addr_first);

Result:

234356234

long get_next_dref_to(long addr, long current_ref_addr):

This in-built function will return the next reference address to the address you have input in the addr parameter. This get_next_dref_to() helps you to traverse a list of references to that addr address you have input as the parameter.

Below is a good example of how to traverse the list of references to get the addresses. You can use a while loop to traverse the list of references. Once there is no more reference in the list to traverse, it will return -1 value.

Code:

auto originalPos = ScreenEA();

auto xref_addr_first = get_first_dref_to(originalPos);

while(1)

{

auto next_xref_addr = get_next_dref_to(originalPos , xref_addr_first);

// check if it has reached the end of the list of references

if(next_xref_addr == -1)

break;

print(next_xref_addr);

}

Result:

234356453

234356993

234359243

I hope this article will be helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂

Advertisement

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.