IDAPython and IDALib script reference for reverse engineering. Activate when the user needs to write IDAPython scripts in IDA, use IDALib for headless analysis, operate on IDB databases, debug with IDA, manipulate memory/registers, traverse functions/blocks/instructions, work with Hex-Rays decompiler API, handle obfuscation, or batch-process binaries.
IDAPython script snippets for IDA interactive use and IDALib headless analysis. Use as a reference when generating IDAPython code.
# --- Debugger access: these operate on the live debuggee and need an active debugging session ---
idc.get_reg_value('rax')          # read a register of the debuggee
idaapi.set_reg_val("rax", 1234)   # write a register of the debuggee
idc.read_dbg_byte(addr)           # read 1 byte from debuggee memory
idc.read_dbg_memory(addr, size)   # read `size` bytes from debuggee memory
idc.read_dbg_dword(addr)          # read 4 bytes from debuggee memory
idc.read_dbg_qword(addr)          # read 8 bytes from debuggee memory
idc.patch_dbg_byte(addr, val)     # write 1 byte into debuggee memory (live process, not the IDB)
idc.add_bpt(0x409437)             # add breakpoint (0x409437 is just this page's example address)
idaapi.get_imagebase()            # get image base address
# --- Database access: these read/write the analysis database (IDB), not the running process ---
idc.get_qword(addr)               # read 8 bytes from the IDB
idc.patch_qword(addr, val)        # patch 8 bytes in the IDB
idc.patch_dword(addr, val)        # patch 4 bytes in the IDB
idc.patch_word(addr, val)         # patch 2 bytes in the IDB
idc.patch_byte(addr, val)         # patch 1 byte in the IDB; the input file on disk is untouched until patches are explicitly applied
idc.get_db_byte(addr)             # read 1 byte from the IDB
idc.get_bytes(addr, size)         # read `size` bytes from the IDB as a bytes object
idaapi.get_dword(addr)            # read 4 bytes from the IDB
idc.get_strlit_contents           # read string literal (takes at least the address; arguments omitted on this page)
GetDisasm(addr)                   # get disassembly text (unqualified legacy name; the same function is idc.GetDisasm)
idc.next_head(ea)                 # address of the next defined item head after ea (may be data, not necessarily an instruction)
idc.create_insn(addr)             # c, Make Code
ida_bytes.create_strlit           # create string, same as 'A' key (start, length and string-type arguments omitted on this page)
ida_funcs.add_func(addr)          # p, create function
idc.del_items(addr)               # U, undefine
idc.get_name_ea(0, '_sub_6051')   # get address by name; first argument is the "from" address, 0 = global lookup
ida_funcs.get_func(ea)            # get function descriptor (func_t), or None when ea is not inside a function
# Enumerate all functions in the database and print "0x<start>, <name>" for each.
# Requires `import idautils` (not among the imports shown on this page).
for func in idautils.Functions():
    func_name = idc.get_func_name(func)
    print("0x{:x}, {}".format(func, func_name))
import ida_bytes
import ida_idaapi
import ida_funcs
import idc
def find_bytes_list(bytes_pattern):
    """Return every address in the database where ``bytes_pattern`` occurs.

    ``bytes_pattern`` uses the byte-pattern syntax accepted by
    ``idc.find_bytes``: hex bytes separated by spaces, ``??`` as a wildcard.
    Examples: ``find_bytes_list("90 90 90 90 90")``, ``find_bytes_list("55 ??")``.

    The search resumes one byte past each hit, so overlapping matches are
    reported as well. Returns an empty list when nothing matches.
    """
    matches = []
    cursor = 0  # first search starts at address 0
    while True:
        hit = idc.find_bytes(bytes_pattern, cursor)
        if hit == ida_idaapi.BADADDR:
            return matches
        matches.append(hit)
        cursor = hit + 1  # resume just past this hit
# test check_passwd(char *passwd) -> int
# Appcall executes check_passwd inside the debuggee, so a live debugging session is
# required; byref() wraps the Python string so the callee receives a pointer to it.
# Requires `import ida_idd` (not among the imports shown on this page).
passwd = ida_idd.Appcall.byref("MyFirstGuess")
res = ida_idd.Appcall.check_passwd(passwd)
# res is the Appcall result object; its .value is the int returned by check_passwd
accepted = res.value == 0
if accepted:
    print("Good passwd !")