Building IDAPython on Windows

Introduction


If you use IDAPython a lot, I am sure you started reading its source code or felt the need to add missing functionality. In this article, we will show you how to build IDAPython on Windows.

On Linux/macOS, the process is straightforward; just follow BUILDING.txt.

Make sure you have already installed the latest IDA for Windows and grabbed yourself a copy of the SDK.

Let’s get started.

 

Setting up VS 2019 Community Edition


IDA SDK’s default configuration is targeted towards VS 2019. Just to keep this article simple, let’s stick with that.

Grab VS2019 from here https://visualstudio.microsoft.com/vs/older-downloads/

When you install it, make sure you keep the default installation locations (C:\Program Files (x86), etc.).

 

Setting up Cygwin 64


Download Cygwin 64 and install the following components:

  • make from the Devel category.
  • unzip from the Archive category.

 

Setting up Python 3.x


Download Python 3.x AMD64 (say 3.4 to 3.11) and select custom install:

  • Install to C:\PythonXY (X = major, Y = minor)
  • Make sure you select the following options:
    • for all users
    • pip
    • Precompile standard library
    • Optional: “Download debugging symbols”

After Python is installed, install the six module:

C:\PythonXY\Scripts\pip install six

 

Setting up SWIG


In this section, we will build SWIG for Windows from scratch. We need a special patched version of SWIG (version 4.0.1, with support for -py3-limited-api) and we cannot use the pre-built binaries.

Whether you are using a Linux distro (for example Ubuntu 20) or WSL on Windows 10/11, all the steps below still apply.

Depending on your Linux setup, you may have already installed the needed packages. Just to be on the safe side, you need the following:

sudo apt update
sudo apt install wget build-essential mingw-w64 byacc bison automake autotools-dev patchelf -y

If mingw-w64 failed to install:

sudo apt-add-repository ppa:mingw-w64/ppa && sudo apt-get update && sudo apt-get install mingw-w64

Clone IDAPython’s patched SWIG

git clone --branch py3-stable-abi https://github.com/idapython/swig.git swig-py3-stable-abi

Download PCRE library and build it

Download PCRE directly into SWIG’s source directory:

wget https://master.dl.sourceforge.net/project/pcre/pcre/8.10/pcre-8.10.tar.bz2

Then edit the PCRE build script in SWIG to specify the host compiler:

Open ./Tools/pcre-build.sh and change this line:

cd pcre && ./configure --prefix=$pcre_install_dir --disable-shared $* || bail "PCRE configure failed"

To:

cd pcre && ./configure --host=x86_64-w64-mingw32 --prefix=$pcre_install_dir --disable-shared $* || bail "PCRE configure failed"

(we only added the --host switch)

Now just run the PCRE build script again:

./Tools/pcre-build.sh

You are now ready to build SWIG.

Building SWIG

First run ./autogen.sh, then run the configure script with the --host switch, while also specifying static linking:

LDFLAGS="-static -static-libgcc -static-libstdc++" \
./configure --host=x86_64-w64-mingw32 --prefix=/tmp/swig4-win

Now you can run make and make install as usual.

Alternatively, you can download the pre-built version from here.

Copy the SWIG Windows binaries from /tmp/swig4-win to your Windows machine. Let’s put them in C:\idasdk\swig4.

 

Setting up the IDA SDK

  • Download the IDA SDK and unzip to a folder, for example c:\idasdk.
  • If you have the Decompiler installed, then copy the Decompiler headers from <ida_install>/plugins/hexrays_sdk/include/hexrays.hpp to c:\idasdk\include.

Initialize the SDK’s config files

We need to generate the SDK’s configuration files. Open the “Developer Command Prompt for VS 2019”.

If Cygwin was not in the path, then typing ‘make’ will cause an error. If that’s the case, just add it to the PATH:

set PATH=c:\cygwin64\bin;%PATH%

(Keep that command prompt open for the remainder of this article.)

From c:\idasdk, type the following commands:

cd c:\idasdk
set __NT__=1
set __X64__=1

Now let’s generate the various config files:

  • ida64 debug build: cmd /c "set __EA64__=1 && make env"
  • ida64 optimized build: cmd /c "set __EA64__=1 && set NDEBUG=1 && make env"
  • ida debug build: make env
  • ida optimized build: cmd /c "set NDEBUG=1 && make env"

If you have done everything right, you should have these files in c:\idasdk:

  • vs19paths.cfg
  • x64_win_vc_32.cfg
  • x64_win_vc_32_opt.cfg
  • x64_win_vc_64.cfg
  • x64_win_vc_64_opt.cfg

To test if everything is okay, let’s try building the hello plugin:

cd c:\idasdk\plugins\hello
make

Last but not least, let’s put the IDA binaries in the correct place in accordance with the SDK make system. Assuming that IDA was installed in C:\Tools\IDA82:

xcopy /s c:\Tools\IDA82 c:\idasdk\bin

Now, anything we build will go to c:\idasdk\bin\[plugins|loaders|procs]:

  • plugins: for plugin binaries
  • loaders: for loader modules
  • procs: for processor modules

 

Building IDAPython


Okay, now we are ready to build IDAPython!

Clone IDAPython

Navigate to c:\idasdk\plugins and clone IDAPython there:

git clone https://github.com/idapython/src.git idapython

Building IDAPython

Now that all the prerequisite steps are completed, let’s build IDAPython:

set PYTHON_VERSION_MAJOR=X
set PYTHON_VERSION_MINOR=Y

C:\PythonXY\python.exe build.py --with-hexrays --swig-home c:\idasdk\swig4 --ida-install c:\idasdk\bin --debug

  • Replace X and Y with the proper values
  • If you don’t have the Decompiler then omit the --with-hexrays switch
  • Similarly, drop the --debug for optimized builds.
  • Run build.py --help for more information

Be patient, this can take between 5 and 30 minutes to complete the first time.
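
Since a failed build costs that much time, it pays to check the directory layout first. The preflight check below is an added example, not part of IDAPython or of the original article; it assumes the paths used in this article and that SWIG was copied with its make install layout (bin/swig.exe under the SWIG home). The function name preflight is hypothetical.

```python
from pathlib import Path

# Files the article says "make env" leaves in the SDK root.
SDK_CFG_FILES = [
    "vs19paths.cfg",
    "x64_win_vc_32.cfg", "x64_win_vc_32_opt.cfg",
    "x64_win_vc_64.cfg", "x64_win_vc_64_opt.cfg",
]


def preflight(sdk_dir, swig_home, python_dir, with_hexrays=True):
    """Return a list of problems; an empty list means the layout looks ready."""
    sdk, swig, py = Path(sdk_dir), Path(swig_home), Path(python_dir)
    problems = []

    for name in SDK_CFG_FILES:
        if not (sdk / name).is_file():
            problems.append(f"missing {name}: rerun the 'make env' variants in {sdk}")

    # Assumption: the 'make install' layout (<prefix>/bin/swig.exe) was copied as-is.
    if not (swig / "bin" / "swig.exe").is_file():
        problems.append(f"no bin/swig.exe under --swig-home {swig}")

    if with_hexrays and not (sdk / "include" / "hexrays.hpp").is_file():
        problems.append("hexrays.hpp not in SDK include/: copy it or drop --with-hexrays")

    # The xcopy step should have placed the IDA install under <sdk>/bin.
    if not (sdk / "bin" / "plugins").is_dir():
        problems.append(f"{sdk / 'bin'} has no plugins/ directory: copy the IDA install there")

    if not (sdk / "plugins" / "idapython" / "build.py").is_file():
        problems.append("IDAPython is not cloned into plugins/idapython")

    if not (py / "python.exe").is_file():
        problems.append(f"python.exe not found in {py}")

    return problems


if __name__ == "__main__":
    import sys
    # Paths used in the article; adjust X, Y and the directories to your machine.
    issues = preflight(r"c:\idasdk", r"c:\idasdk\swig4", r"C:\PythonXY")
    for issue in issues:
        print("[!]", issue)
    sys.exit(1 if issues else 0)
```

Run it with the same interpreter you pass to build.py; a non-zero exit code means at least one prerequisite from the earlier sections is missing.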

That’s it!


I know, this has been tedious but I hope it is helpful.

Contributions and suggestions to IDAPython are welcome. We are happy to discuss and merge your changes as applicable.

Using Z3 with IDA to simplify arithmetic operations in functions

I have been meaning to learn about SMT based program analysis for a long time and recently I started learning about the topic. There are so many frameworks, articles and tutorials out there that I shall explore as time goes by.

Since I am still learning, I do not claim that the following material is rocket science or advanced by any means; instead, it is very basic and should be approachable enough by absolute beginners to Z3 (a theorem prover from Microsoft Research). All I know so far comes from reading Dennis Yurichev’s e-book “Quick introduction into SAT/SMT solvers and symbolic execution” in addition to the Z3Py introductory material by Eric (https://github.com/ericpony/z3py-tutorial).

In last week’s blog post, I illustrated how to write a basic emulator to evaluate a function’s return value without running it. In today’s blog post, I am going to show how to convert thousands of arithmetic operations from x86 assembly code into simplified Z3 expressions.

Writing a simple x86 emulator with IDAPython

Oftentimes, when I stumble upon IDAPython scripts, I notice that they are using inefficient / incorrect IDAPython APIs to disassemble or decode instructions (for instance using idc.GetMnem() or idc.GetDisasm()). Therefore, in this blog post, I am going to illustrate how to use IDA’s instruction decoding functions from IDAPython in order to write a very simple x86 emulator. The goal is to demonstrate the correct use of instruction decoding IDAPython APIs. By the end of this post, you should be able to solve similar problems using IDAPython.