[Original] Fixing the protobuf plugin for IDA 9
Posted: 2024-8-19 18:04 3404

Restoring the tool

The IDAPython plugin Protobuf-finder (https://github.com/Accenture/protobuf-finder)
is a fairly handy tool for reverse engineering protobuf programs; it can recover .proto files.
However, IDA 9 removed ida_bytes.bin_search():

```python
def bin_search(*args) -> "ea_t":
    r"""
    bin_search(start_ea, end_ea, image, imask, step, flags) -> ea_t
    Search for a set of bytes in the program

    @param start_ea: linear address, start of range to search
    @param end_ea: linear address, end of range to search (exclusive)
    @param image: the set of bytes to search for
    @param imask: a bitfield representing the mask in 'image' (can be None)
    @param step: either BIN_SEARCH_FORWARD, or BIN_SEARCH_BACKWARD
    @param flags: combination of BIN_SEARCH_* flags
    @return: the address of a match, or ida_idaapi.BADADDR  if not found
    """
    return _ida_bytes.bin_search(*args)
```

It was changed to ida_bytes.bin_search3():

```python
def bin_search3(*args) -> "ea_t":
    r"""
    bin_search3(start_ea, end_ea, data, flags) -> ea_t
    @param start_ea: ea_t
    @param end_ea: ea_t
    @param data: compiled_binpat_vec_t const &
    @param flags: int

    bin_search3(start_ea, end_ea, image, mask, len, flags) -> ea_t

    @param start_ea: ea_t
    @param end_ea: ea_t
    @param image: uchar const *
    @param mask: uchar const *
    @param len: size_t
    @param flags: int
    """
    return _ida_bytes.bin_search3(*args)
```

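It comes in two forms. The second is closer to the old one, but I tried for a long time and could not get it to work; the first one, however, worked.
The changes are as follows: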

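```python
import ida_nalt
```

```python
# '2E 70 72 6F 74 6F' is the ASCII string ".proto"
pattern = ida_bytes.compiled_binpat_vec_t()
ida_bytes.parse_binpat_str(pattern, 0x0, '2E 70 72 6F 74 6F', 16, ida_nalt.BPU_2B)
# The first element of the returned tuple is the match address
r, _ = ida_bytes.bin_search3(0x0, 0xffff, pattern, 1)
```

The recovered result is as follows:

[image]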

Summary

Make good use of GitHub search.



Last edited by OYyunshen on 2024-8-19 18:08
Latest replies (3)
2
```python
# r = ida_bytes.bin_search(searchStartAddr,ida_ida.MAXADDR,bytes([0x2E, 0x70, 0x72, 0x6F, 0x74,0x6F]),bytes([0xFF,0xFF,0xFF,0xFF,0xFF,0xFF]),1,1)
import ida_nalt
pattern = ida_bytes.compiled_binpat_vec_t()
ida_bytes.parse_binpat_str(pattern, 0x0, '2E 70 72 6F 74 6F', 16, ida_nalt.BPU_2B)
r, _ = ida_bytes.bin_search3(searchStartAddr, ida_ida.MAXADDR, pattern, 1)
```


2024-8-19 21:59
3
pbtk is so much nicer
2024-8-20 03:22
4
```python
# r = ida_bytes.bin_search(searchStartAddr,ida_ida.MAXADDR,bytes([0x2E, 0x70, 0x72, 0x6F, 0x74,0x6F]),bytes([0xFF,0xFF,0xFF,0xFF,0xFF,0xFF]),1,1)
import ida_nalt
pattern = ida_bytes.compiled_binpat_vec_t()
ida_bytes.parse_binpat_str(pattern, 0x0, '2E 70 72 6F 74 6F', 16, ida_nalt.BPU_2B)
r, _ = ida_bytes.bin_search(searchStartAddr, ida_ida.MAXADDR, pattern, 1)
```

In the latest version, bin_search3 has simply been replaced by bin_search.


2024-11-11 21:17
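A wrapper that tolerates the three call shapes mentioned in this thread (the old six-argument bin_search, bin_search3, and the later pattern-taking bin_search), as an added example that is not part of the original posts or of Protobuf-finder. The names `search_bytes`, `FakeIdaBytes`, `SAMPLE` and the `BADADDR` value are assumptions constructed here so the dispatch can run outside IDA; inside IDA, pass the real `ida_bytes` module as `api`.

```python
PROTO_SUFFIX = "2E 70 72 6F 74 6F"        # ".proto", the pattern used in the post
BADADDR = 0xFFFFFFFFFFFFFFFF              # stand-in for ida_idaapi.BADADDR (assumed)
SAMPLE = b"\x00\x01addressbook.proto\x00"  # constructed buffer, not from a real binary


def search_bytes(api, start_ea, end_ea, hex_pattern, flags=1):
    """Return the first match address using whichever search call `api` has."""
    # Prefer bin_search3 where it exists; otherwise use bin_search.
    search = getattr(api, "bin_search3", None) or api.bin_search
    pattern = api.compiled_binpat_vec_t()
    api.parse_binpat_str(pattern, start_ea, hex_pattern, 16, 0)
    try:
        result = search(start_ea, end_ea, pattern, flags)
    except TypeError:
        # Old six-argument form from the post: raw bytes plus an all-ones mask.
        image = bytes.fromhex(hex_pattern)
        result = api.bin_search(start_ea, end_ea, image,
                                b"\xff" * len(image), 1, flags)
    # The pattern form is unpacked as a tuple in the posts; the old form is not.
    return result[0] if isinstance(result, tuple) else result


class FakeIdaBytes:
    """Constructed stand-in for ida_bytes over a byte buffer (not IDA code)."""
    compiled_binpat_vec_t = list

    def __init__(self, image, generation):
        self.image = image
        if generation == "legacy":          # only six-argument bin_search
            self.bin_search = self._six_args
        elif generation == "bin_search3":   # bin_search removed, bin_search3 added
            self.bin_search3 = self._pattern_form
        else:                               # bin_search3 renamed to bin_search
            self.bin_search = self._pattern_form

    def parse_binpat_str(self, out, ea, text, radix, strlits_encoding=0):
        out.append(bytes(int(tok, radix) for tok in text.split()))
        return True

    def _pattern_form(self, start_ea, end_ea, data, flags):
        pos = self.image.find(data[0], start_ea, end_ea)
        return (pos if pos >= 0 else BADADDR, len(data[0]))

    def _six_args(self, start_ea, end_ea, image, imask, step, flags):
        pos = self.image.find(image, start_ea, end_ea)
        return pos if pos >= 0 else BADADDR
```

The `except TypeError` fallback is what lets one plugin file load across versions, at the cost of also swallowing an unrelated TypeError raised by the first call.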