Introducing IPyIDA: A Python plugin on your reverse‑engineering toolkit

IDA Professional from Hex-Rays might be the most well-liked instrument at this time for reverse-engineering software program. For ESET researchers, this instrument is a favourite disassembler and has impressed the event of the IPyIDA plugin that embeds an IPython kernel into IDA Professional. Below steady improvement since 2014, we’re happy to announce the discharge of model 2.0. IPyIDA serves the same objective as one other plugin known as IDA IPython, however with a twist: whereas IDA IPython solely helps Home windows, IPyIDA helps macOS, Linux, and Home windows.

If you’re already conversant in IDA Professional and IPython, then skip to the final part of this text on IPyIDA. If you’re unfamiliar with IPython, then skip to the center part. Lastly, in case you would respect a short introduction to IDA Professional, then learn on.

What’s IDA Professional?

IDA Professional is a disassembler that interprets machine code to meeting code. After loading a file, IDA Professional disassembles it and shops the evaluation in database information. IDA Professional gives varied home windows into the database, every uniquely serving to the researcher discover and higher perceive the code of curiosity.

Let’s have a look at just a few of those home windows by loading the MathLibrary.dll file, which will be constructed with Microsoft’s tutorial on making a DLL file.

Output window

The Output window shows messages in regards to the standing of the evaluation of a file, error messages for user-requested operations, and the output from some plugins. Determine 1 reveals the Output window after first loading MathLibrary.dll.

On the backside of this window is an enter discipline that accepts instructions. Determine 2 reveals the 2 default command language suppliers shipped with IDA since model 7.3: IDC for instructions written in a C-like language native to IDA and the IDAPython plugin for instructions written in Python.

Determine 2. The enter discipline to sort Python instructions in IDA

IDA View window

The IDA View window, also referred to as the disassembly window, has two show codecs: graph view and textual content view. Graph view visualizes this system stream by dividing features into blocks with a single entry and a single exit level. Determine 3 reveals graph view.

Determine 3. The IDA disassembly graph view

Textual content view offers a linear view of the disassembly that shows digital addresses, meeting code, and feedback. Determine 4 reveals textual content view.

Determine 4. The IDA disassembly textual content view

Along with these and the various different home windows that IDA gives, IDA permits you to write customized plugins that reach its options and remedy sensible reverse-engineering issues. Let’s flip to IPython and a few engaging options it gives reverse engineers who use Python scripts in IDA.

A look at IPython

Whereas IDAPython serves the fundamental wants for working Python scripts and instructions in IDA, Python fanatics have been gripped by IPython fever. IPython is a toolkit that provides a extra interactive expertise with Python. IPython makes use of a two-process mannequin consisting of a kernel and a shopper. The kernel is a course of that receives instructions from the shopper, executes them, and returns the outcomes. The shopper will be any interactive console similar to Jupyter Console, Jupyter Qt Console, or Jupyter Pocket book.

The interactive nature of those shoppers comes from the host of options that they add to the basic Python shell. Determine 5 reveals utilizing a multiline code block to outline a operate in IPython.

Determine 5. Utilizing a multiline code block to outline a operate in IPython

Discover the syntax highlighting of integers, key phrases, built-in features, and strings.

By urgent the Tab key, IPython gives an inventory of related attributes, objects, or features that may full the code. Determine 6 reveals tab completion itemizing features related to a string object.

Determine 6. Tab completion in IPython

Tab completion is richer if Jedi is put in.

IPython additionally gives magic features, that are features which might be sometimes known as with a % or %% prefix and take arguments with a command-line-style syntax. Determine 7 reveals the %timeit magic operate, which occasions the execution of a Python expression.

Determine 7. A magic operate in IPython

Through the use of the ! character in the beginning of a command line, the IPython console passes the command to the underlying system shell to be run. For instance, a preferred command is pip, which installs and manages packages from the Python Package deal Index (PyPi). Determine 8 reveals the !pip command being run from IPython.

Determine 8. Working system shell instructions from IPython

IPython gives many extra interactive options that may be explored within the official documentation.

IPyIDA: Bringing IPython to IDA

With the discharge of IPyIDA 2.0, writing Python scripts in IDA is extra pleasant due to the next benefits:

Assist for IDA on Home windows, Linux, and macOS
An set up script for straightforward setup, even in a digital setting
A Jupyter Qt Console working in an IDA window
An IPython kernel that may hook up with entrance ends, like Jupyter Console, from outdoors IDA.
A Jupyter kernel proxy to help opening a Jupyter Pocket book that connects again to the IPython kernel with the %open_notebook magic operate

Determine 9 reveals the method of opening a Jupyter Pocket book from IPyIDA.

Determine 9. The %open_notebook magic operate in IPyIDA

Determine 10 reveals a Jupyter Console working in a terminal session outdoors IDA connecting to the IPython kernel in IDA.

Determine 10. A Jupyter Console outdoors IDA connecting again to the IPython kernel in IDA

The selection of the Jupyter Qt Console for IPyIDA brings extra interactive options to the normal IPython console, similar to inline graphics, saving and printing of the present session, and full syntax highlighting. These are illustrated within the official documentation for the Jupyter Qt Console.

IPyIDA even gives its personal interactive options impressed by IDA. Determine 11 reveals that Ctrl-clicking (Cmd-clicking on macOS) on addresses or variable names within the IPython console jumps the view to the digital deal with within the disassembly window.

Determine 11. Ctrl-clicking a variable or deal with in IPyIDA jumps to the deal with in IDA’s disassembly window

Determine 12 reveals a hex dump for a byte array with non-ASCII content material.

Determine 12. IPyIDA shows hex dumps

If you’re new to IDA Professional, IPyIDA is a large support to changing into conversant in the IDA API. If you’re a veteran, IPyIDA makes Python scripting a lot simpler, and thus the time spent reverse engineering hopefully extra centered and fruitful.