(Little script to search for a pattern within a function)

When reversing a big function in IDA, it is very common to need to look for a specific instruction, basic block, or even a particular string within the function.
I know we can use Marks (CTRL+M) for this task but, to use that feature, we would need to have been there before to set a mark (ALT+M).

Sometimes we want to jump to a piece of code where we have never been before. The “Text Search” command is a poor fit for this task because it searches for the pattern through the whole binary. It does work, but it is not optimal.

For that problem I've coded a little IDAPython script that searches for a string within the limits of a defined function. I wanted to share it with you as another example of IDA + Python customization.

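```python
from idautils import *
from idaapi import *
from idc import *

# Resolve the bounds of the function containing the cursor, so the search
# covers the whole function and not only the part after the cursor.
function_start = GetFunctionAttr(ScreenEA(), FUNCATTR_START)
function_end   = FindFuncEnd(function_start)
matches = ""

pattern = AskStr("", "Search for:")
# AskStr returns None when the dialog is cancelled
if pattern and function_start != BADADDR:
    for head in Heads(function_start, function_end):
        # Skip data items embedded in the function
        if isCode(GetFlags(head)):
            code = "%s %s %s" % (GetMnem(head), GetOpnd(head, 0), GetOpnd(head, 1))
            if pattern in code:
                matches += "0x%x - %s\n" % (head, code)
print("Results:")
print(matches)
```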

Hope this is useful for you.

~ by aLS -- on January 1, 2010.
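
A variant of the script above, as an added example (not the author's code): it separates matching from the IDA calls, so the search also accepts regular expressions and instructions with any number of operands. `find_in_listing`, `listing_from_ida` and the sample listing are hypothetical names and constructed data; the IDA adapter assumes the same IDAPython API as the post, plus `FuncItems` from `idautils`.

```python
import re

def find_in_listing(listing, pattern, use_regex=False, ignore_case=True):
    """Return [(ea, text)] for every instruction whose text matches pattern.

    listing is an iterable of (ea, mnemonic, operands) tuples; operands is a
    list of operand strings, so instructions with 0..n operands all work.
    """
    flags = re.IGNORECASE if ignore_case else 0
    # A plain substring is escaped so characters like [ + ] stay literal
    rx = re.compile(pattern if use_regex else re.escape(pattern), flags)
    hits = []
    for ea, mnem, operands in listing:
        text = ("%s %s" % (mnem, ", ".join(o for o in operands if o))).strip()
        if rx.search(text):
            hits.append((ea, text))
    return hits

def listing_from_ida(ea):
    """IDA adapter (assumption: same IDAPython API generation as the post)."""
    import idc, idautils          # only importable inside IDA
    for head in idautils.FuncItems(ea):
        yield head, idc.GetMnem(head), [idc.GetOpnd(head, n) for n in range(3)]

# Constructed sample listing, not taken from a real binary
SAMPLE = [
    (0x401000, "push", ["ebp"]),
    (0x401001, "mov",  ["ebp", "esp"]),
    (0x401003, "mov",  ["eax", "[ebp+arg_0]"]),
    (0x401006, "call", ["ds:CreateFileA"]),
    (0x40100C, "call", ["eax"]),
    (0x40100E, "retn", []),
]

if __name__ == "__main__":
    # Indirect calls through a general-purpose register
    for ea, text in find_in_listing(SAMPLE, r"^call\s+e[a-d]x$", use_regex=True):
        print("0x%x - %s" % (ea, text))
```

Inside IDA, `find_in_listing(listing_from_ida(ScreenEA()), pattern)` runs the same search over the function under the cursor.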

4 Responses to “ (Little script to search for a pattern within a function)”

  1. […] i finished the FindInFunc script (you can read my previous post about it here), i faced that situation for the Nth time and i finally managed to get an easy hack to get it […]

  2. Thanks Brother for your share, nice info, and so useful for me..
    script mlm,script binary

  3. Hey man! I'm very glad you find it useful. That is the main reason of having this blog in fact.

    Hope to see you around soon.

  4. Try `for head in FuncItems(ScreenEA()):` to get all the code heads in a function.
