If you want a carriage return, you must include it in your
format string. Message provides the only debugging capability that IDC possesses, as no
IDC debugger is available. Additional user interface functions are available that interact with
a user through various dialog boxes. AskFile, AskYN, and AskStr can be used to display a
file selection dialog box, a simple yes/no dialog box, and a simple one-line text input dialog
box, respectively. Finally, ScreenEA() reads the address of the current cursor line, while
Jump(addr) moves the cursor (and the display) to make addr the current address in the disassembly
view.
Scripts can prove useful in a wide variety of situations. Halvar's BugScam vulnerability
scanner is implemented as a set of IDC scripts. One situation in which scripts come in
very handy is for decoding data or code within a binary that may have been obfuscated
in some way. Scripts are useful in this case to mimic the behavior of the program in order
to avoid the need to run the program. Such scripts can be used to modify the database in
much the same way that the program would modify itself if it were actually running. The
following script demonstrates the implementation of a decoding loop using IDC to
modify a database:
//x86 decoding loop       | //IDC Decoding loop
mov  ecx, 377             | auto i, addr, val;
mov  esi, 8049D2Eh        | addr = 0x08049D2E;
mov  edi, esi             | for (i = 0; i < 377; i++) {
loc_8049D01:              |    val = Byte(addr);
lodsb                     |    val = val ^ 0x4B;
xor  al, 4Bh              |    PatchByte(addr, val);
stosb                     |    addr++;
loop loc_8049D01          | }
Figure 13-5 IDC command execution
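The decoding loop above can be wrapped in a reusable function that also uses the user interface calls described earlier. This is an added example, not code from the book. The function name xor_decode is hypothetical, and hasValue, GetFlags, and BADADDR are classic IDC names that do not appear in the text above. It assumes the cursor has been placed at the first encoded byte (0x08049D2E in the listing).

```idc
#include <idc.idc>

// XOR-decode len bytes starting at start, patching the database in place.
// Returns the number of bytes patched, or -1 if a byte has no value loaded.
// (xor_decode is a hypothetical helper name, not part of IDC.)
static xor_decode(start, len, key) {
    auto i, ea;
    // First pass: leave the database untouched unless every byte is present.
    for (i = 0; i < len; i++) {
        ea = start + i;
        if (!hasValue(GetFlags(ea))) {
            Message("xor_decode: no byte loaded at %08X, nothing patched\n", ea);
            return -1;
        }
    }
    // Second pass: the same work as the lodsb / xor al, key / stosb loop.
    for (i = 0; i < len; i++) {
        ea = start + i;
        PatchByte(ea, Byte(ea) ^ key);
    }
    return len;
}

static main() {
    auto start, len, key, n;
    start = ScreenEA();   // decode from the current cursor line
    len = 377;            // loop count from the listing above
    key = 0x4B;           // XOR key from the listing above
    if (start == BADADDR) {
        Message("No current address\n");
        return;
    }
    // XOR is its own inverse: a second run re-encodes the range, so confirm first.
    if (AskYN(0, "XOR-decode the bytes at the cursor? A second run re-encodes them.") != 1) {
        Message("Decode cancelled\n");
        return;
    }
    n = xor_decode(start, len, key);
    if (n > 0) {
        // Message adds no line ending, so the format string supplies it.
        Message("Patched %d bytes at %08X with key %02X\n", n, start, key);
        Jump(start);      // bring the decoded region into view
    }
}
```

Because the patch changes the database rather than the file on disk, the decoded bytes can be reanalyzed as code or data without ever running the program.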
Chapter 13: Advanced Static Analysis with IDA Pro
IDA Pro Plug-In Modules and the IDA SDK
IDC is not suitable for all situations.