Introducing IPyIDA: A Python plugin in your reverse‑engineering toolkit

IDA Professional from Hex-Rays might be the preferred device immediately for reverse-engineering software program. For ESET researchers, this device is a favourite disassembler and has impressed the event of the IPyIDA plugin that embeds an IPython kernel into IDA Professional. Below steady improvement since 2014, we’re happy to announce the discharge of model 2.0. IPyIDA serves the same goal as one other plugin known as IDA IPython, however with a twist: whereas IDA IPython solely helps Home windows, IPyIDA helps macOS, Linux, and Home windows.

In case you are already conversant in IDA Professional and IPython, then skip to the final part of this text on IPyIDA. In case you are unfamiliar with IPython, then skip to the center part. Lastly, when you would recognize a quick introduction to IDA Professional, then learn on.

What’s IDA Professional?

IDA Professional is a disassembler that interprets machine code to meeting code. After loading a file, IDA Professional disassembles it and shops the evaluation in database information. IDA Professional supplies varied home windows into the database, every uniquely serving to the researcher discover and higher perceive the code of curiosity.

Let’s have a look at a number of of those home windows by loading the MathLibrary.dll file, which could be constructed with Microsoft’s tutorial on making a DLL file.

Output window

The Output window shows messages in regards to the standing of the evaluation of a file, error messages for user-requested operations, and the output from some plugins. Determine 1 exhibits the Output window after first loading MathLibrary.dll.

On the backside of this window is an enter area that accepts instructions. Determine 2 exhibits the 2 default command language suppliers shipped with IDA since model 7.3: IDC for instructions written in a C-like language native to IDA and the IDAPython plugin for instructions written in Python.

Determine 2. The enter area to kind Python instructions in IDA

IDA View window

The IDA View window, often known as the disassembly window, has two show codecs: graph view and textual content view. Graph view visualizes this system stream by dividing features into blocks with a single entry and a single exit level. Determine 3 exhibits graph view.

Determine 3. The IDA disassembly graph view

Textual content view provides a linear view of the disassembly that shows digital addresses, meeting code, and feedback. Determine 4 exhibits textual content view.

Determine 4. The IDA disassembly textual content view

Along with these and the various different home windows that IDA supplies, IDA permits you to write customized plugins that reach its options and resolve sensible reverse-engineering issues. Let’s flip to IPython and a few enticing options it gives reverse engineers who use Python scripts in IDA.

A look at IPython

Whereas IDAPython serves the essential wants for operating Python scripts and instructions in IDA, Python lovers have been gripped by IPython fever. IPython is a toolkit that provides a extra interactive expertise with Python. IPython makes use of a two-process mannequin consisting of a kernel and a shopper. The kernel is a course of that receives instructions from the shopper, executes them, and returns the outcomes. The shopper could be any interactive console akin to Jupyter Console, Jupyter Qt Console, or Jupyter Pocket book.

The interactive nature of those purchasers comes from the host of options that they add to the traditional Python shell. Determine 5 exhibits utilizing a multiline code block to outline a operate in IPython.

Determine 5. Utilizing a multiline code block to outline a operate in IPython

Discover the syntax highlighting of integers, key phrases, built-in features, and strings.

By urgent the Tab key, IPython supplies a listing of related attributes, objects, or features that may full the code. Determine 6 exhibits tab completion itemizing features related to a string object.

Determine 6. Tab completion in IPython

Tab completion is richer if Jedi is put in.

IPython additionally supplies magic features, that are features which might be usually known as with a % or %% prefix and take arguments with a command-line-style syntax. Determine 7 exhibits the %timeit magic operate, which occasions the execution of a Python expression.

Determine 7. A magic operate in IPython

By utilizing the ! character firstly of a command line, the IPython console passes the command to the underlying system shell to be run. For instance, a preferred command is pip, which installs and manages packages from the Python Package deal Index (PyPi). Determine 8 exhibits the !pip command being run from IPython.

Determine 8. Operating system shell instructions from IPython

IPython supplies many extra interactive options that may be explored within the official documentation.

IPyIDA: Bringing IPython to IDA

With the discharge of IPyIDA 2.0, writing Python scripts in IDA is extra pleasant due to the next benefits:

• Assist for IDA on Home windows, Linux, and macOS
• An set up script for straightforward setup, even in a digital setting
• A Jupyter Qt Console operating in an IDA window
• An IPython kernel that may connect with entrance ends, like Jupyter Console, from outdoors IDA.
• A Jupyter kernel proxy to help opening a Jupyter Pocket book that connects again to the IPython kernel with the %open_notebook magic operate

Determine 9 exhibits the method of opening a Jupyter Pocket book from IPyIDA.

Determine 9. The %open_notebook magic operate in IPyIDA

Determine 10 exhibits a Jupyter Console operating in a terminal session outdoors IDA connecting to the IPython kernel in IDA.

Determine 10. A Jupyter Console outdoors IDA connecting again to the IPython kernel in IDA

The selection of the Jupyter Qt Console for IPyIDA brings extra interactive options to the standard IPython console, akin to inline graphics, saving and printing of the present session, and full syntax highlighting. These are illustrated within the official documentation for the Jupyter Qt Console.

IPyIDA even supplies its personal interactive options impressed by IDA. Determine 11 exhibits that Ctrl-clicking (Cmd-clicking on macOS) on addresses or variable names within the IPython console jumps the view to the digital tackle within the disassembly window.

Determine 11. Ctrl-clicking a variable or tackle in IPyIDA jumps to the tackle in IDA’s disassembly window

Determine 12 exhibits a hex dump for a byte array with non-ASCII content material.

Determine 12. IPyIDA shows hex dumps

In case you are new to IDA Professional, IPyIDA is a large assist to changing into conversant in the IDA API. In case you are a veteran, IPyIDA makes Python scripting a lot simpler, and thus the time spent reverse engineering hopefully extra centered and fruitful.