这些是我在 IDA 脚本中的第一步,所以请多多关照。
我想创建某种脚本,每次找到以下指令时:
MOV R1, #0x4D080
自动替换为
NOP
我可以静态地进行(十六进制编辑),但我正在寻找一种在动态调试期间即时进行的方法。
有任何想法吗?
在 IDA 中自动查找和 nop 指令
逆向工程
艾达
修补
补丁反转
2021-06-17 01:14:27
1个回答
实际上,您可以执行以下操作:
假设您知道此指令的位置和位置以及它可以出现的位置:
#I didn't check this code, use carefully, beware errors
#You can use idc.FindBinary instead of text search if you know
#how your assembly instruction is encoded
import idautils
import idc
#static nopification of ARM address
def static_nopify_arm(ea):
nop = [0xe1, 0xa0, 0x00, 0x00] # it is a nop encoding taken from wikipedia
for i in range(len(nop)):
idc.PatchByte(ea + i, nop[i])
#searches assembly command by its text
#generally bad idea, but should work
#start and end means search area boundaries
def static_search_text_and_nopify(asmline, start, end):
for h in idautils.Heads(start, end):
disasm = idc.GetDisasm(h)
if asmline == disasm:
static_nopify_arm(h)
#The same with dynamic (memory during debugging)
#Dynamic nopification of ARM address
def dynamic_nopify_arm(ea):
nop = [0xe1, 0xa0, 0x00, 0x00] # it is a nop encoding taken from wikipedia
for i in range(len(nop)):
#I'm not sure that it will work, may be you should do something with memory protection
idc.PatchDbgByte(ea + i, nop[i])
#searches assembly command by its text
#generally bad idea, but should work
#start and end means search area boundaries
#Code should be recognized by IDA as code before running the function
def dynamic_search_text_and_nopify(asmline, start, end):
for h in idautils.Heads(start, end):
disasm = idc.GetDisasm(h)
if asmline == disasm:
dynamic_nopify_arm(h)