当前位置：网站首页>[software reverse automation] complete collection of reverse tools

2.1、 brief introduction ：
IDAPython Integrated Python Interpreter , Provides Python function , Using this plug-in, you can also write and implement IDC All of scripting languages Python Script
advantage ： Have Python Strong data processing ability and all Python modular , have IDA SDK Most of the functions , And IDC comparison , Using it, you can write more powerful scripts
IDAPython It consists of three independent modules ：
idc, It's encapsulation IDA Of IDC Function compatibility module
idautils, This is a IDA An advanced practical function module in
idaapi, It allows access to lower level data

2.2、 Use ：
Default installed IDA Built in IDAPython plug-in unit , So we just need to choose through the menu bar File→Script file, Then select the one you want to perform Python The script can be run
The interface that can be called is located in idaapi、idautils and idc Of the three modules
file ：https://www.hex-rays.com/products/ida/support/idapython_docs/https://www.hex-rays.com/products/ida/support/idapython_docs/

3、 ... and 、PythonGdb

3.1、 brief introduction ：
Gdb It supports custom script assisted debugging , But because the syntax of custom script is relatively old , With the help of Python, It can make the data more beautiful , You can turn repetitive work into a command , It can debug faster bug

3.2、 Use ：
Breakpoint function
class OnBreakpoint(gdb.Breakpoint):
        def __init__(self, loc, callback):
                if isinstance(loc, int):
                        loc = '*'+hex(loc)
                super(OnBreakpoint, self).__init__(loc, gdb.BP_BREAKPOINT, internal=False)
                self.callback = callback
def stop(self):
                self.callback()
                return False
Register and memory operations
def get_reg(reg):
        return int(gdb.parse_and_eval("$"+reg))
        def set_reg(reg, value):
        return gdb.execute("set $"+reg+" "+str(value))
def read_mem(address, length):
        inferior = gdb.selected_inferior()
        return inferior.read_memory(address, length)
def write_mem(address, value):
        inferior = gdb.selected_inferior()
        return inferior.write_memory(address, value)
file :
PythonGdbTutorial - GDB Wiki (sourceware.org)https://sourceware.org/gdb/wiki/PythonGdbTutorial

Four 、pydbg

4.1、 brief introduction ：
be based on Python The realization of a Windows Debugger framework , Can realize the right Windows Automatic debugging of next program .
Use PyDbg Just build a callback function in user mode , When a debug event is received , The callback function performs the operations we define . After the operation is completed , Then return the permission to the debugger , Reply to the debugged process

4.2、 Use ：
One pydbg The template is as follows , adopt bp_set Breakpoints can be set at any point in the program , And add the corresponding processing function
from pydbg import *
from pydbg.defines import *
def handler1(dbg):
        # some code here
        return DBG_CONTINUE
def main():
        target = './reverse0.exe'
        dbg = pydbg()
        dbg.load(target, create_new_console=True)
        #set a break point
        dbg.bp_set(0x00415fad, handler=handler1)
        dbg.run()
main()

5、 ... and 、Angr

5.1、 brief introduction ：
It is a multi architecture binary analysis platform , Have the ability to execute dynamic symbols of binary files and a variety of static analysis capabilities
file
README - angr Documentationhttps://docs.angr.io/

5.2、 Use ：
Angr Script steps ：
（1） Use angr.Project Load the binary program to be analyzed
Usually, options auto_load_libs Set to false, send angr Do not load dynamic link library ：
p = angr.Project('./vul', load_options={"auto_load_libs": False})
（2） Establish an initialization state of the program
Use factory.entry_state Create an initialization state directly at the program entry point
If the program needs to pass symbolic input , You also need to create the initialization state , Symbolization ：
argv1 = claripy.BVS("argv1", 100 * 8)
initial_state = p.factory.entry_state(args=["./program", argv1])
You can also use factory.black_state Establish a state at any specified address of the program . Can pass memory.store Symbolize part of the memory in the state ：
s = p.factory.blank_state(addr=0x401084)
s.memory.store(0x402159, s.solver.BVS("ans", 8*40))
（3） Dynamic symbol execution starts from the initialization state , Use explore Explore the path , adopt find Parameter specifies the address to arrive ,avoid Parameter specifies the address not to arrive ：
sm = proj.factory.simulation_manager(initial_state)
sm.explore(find=0x400830, avoid=0x400850)
（4） After finding it , Through the constraint solver flag：
found = sm.found[0]
flag = found.solver.eval(argv1, cast_to=bytes)