1. Introduction to IDAPython
Byoungyoung Lee
POSTECH
PLUS 038
override@postech.ac.kr

2. Overview
• Brief intro to IDAPython
• How to install
• Examples
– Searching disassembly patterns
– Searching system calls in the binary
– Deobfuscation

3. Automatic Reversing with IDA
• To do automatic reversing ?
– you need to write scripts
• IDA supports multiple interfaces
– Plugins (C++)
– IDC (C-like scripting)
– IDAPython (Python)

4. Brief intro to IDAPython
• Most things you can do w/ your hands
– can be done w/ IDAPython

5. How to install
• COPY ‘python’ directory
– to %IDA_DIR%
• PUT ‘python.plw’
– to %IDA_DIR%/plugins
• ex) C:Program FilesIDA52plugins

6. How to execute
1. Press ‘ALT+9’ in IDA
2. Choose Python file you’d like to execute
 Results would be printed in the log window

7. Simple example
– walking the functions
# walkFunctions.py
### Walk the functions
# Get the segment's starting address
ea = ScreenEA()
# Loop through all the functions
for function_ea in Functions(SegStart(ea), SegEnd(ea)):
# Print the address and the function name.
print hex(function_ea), GetFunctionName(function_ea)

8. Simple example
– walking the instructions
# walkInstructions.py
# For each of the segments
for seg_ea in Segments():
# For each of the defined elements
for head in Heads(seg_ea, SegEnd(seg_ea)):
# If it's an instruction
if isCode(GetFlags(head)):
# Get the Disasm and print it
disasm = GetDisasm(head)
print disasm

9. Application
- Find ‘CALL’ instructions
# searchSystemCalls.py
from idautils import *
seg_ea = SegByName(".text")
# For each instruction
for addr in Heads(seg_ea, SegEnd(seg_ea)):
# Get disassembly
disasmStr = GetDisasm(addr)
if disasmStr.startswith( "int ") == True:
# Print if it is a system call
print "0x%08x [%s]" % (addr, disasmStr)

10. Deobfuscation
• What is obfuscation?
– To transform binary into something
• which has the same executing behavior
• which has very different outer representation
– To disrupt disassemblers

11. Deobfuscation
• How to obfuscate the binary
– Simple obfuscation methods
JMP X
=
PUSH X
RET
JMP X
=
XOR
JZ
original
ECX, ECX
X
obfuscated

12. Deobfuscation
• What happens due to these obfuscation?
– IDA failed to analyze the binary properly
• which means ..
• YOU CANNOT USE CFG LAYOUT
• YOU CANNOT EASILY FOLLOW THE CONTROL
FLOW

13. Deobfuscation
• Let’s learn deobfuscation w/ an example
– 1.
– 2.
– 3.
– 4.
load reversing500 in IDA
move to 0x08049891, and see ‘PUSH/RET’
execute ‘deobfuscation_simple.py’
see the instructions of 0x08049891
– For full deobfuscation
• execute ‘deobfuscation_full.py’

14. Exercises (more applications)
• 1. To list all string copy functions?
– such as strcpy(), strncpy(), strcat(), and etc.
– YES ,this is for finding Stack Overflow vulns.
• 2. To examine all malloc() calls?
– whose arg. is determined dynamically
– YES ,this is for finding Heap Overflow vulns.
• 3. Memory/Register Computation Back Tracer

15. Reference
• “Introduction to IDAPython”
by Ero Carrera