ida_regfinder

Attributes

`SWIG_PYTHON_LEGACY_BOOL`
`cvar`

Classes

`reg_value_def_t`
`reg_value_info_t`

Functions

`find_reg_value`(→ uint64 *)	Find register value using the register tracker.
`find_sp_value`(→ int64 *)	Find a value of the SP based register using the register tracker.
`find_reg_value_info`(→ bool)	Find register value using the register tracker.
`find_nearest_rvi`(→ int)	Find the value of any of the two registers using the register tracker. First, this function tries to find the registers in the basic block of EA, and if it could not do this, then it tries to find in the entire function.
`invalidate_regfinder_cache`(→ None)	The control flow from FROM to TO has removed (CREF==fl_U) or added (CREF!=fl_U). Try to update the register tracker cache after this change. If TO == BADADDR then clear the entire cache.
`invalidate_regfinder_xrefs_cache`(→ None)	The data reference to TO has added (DREF!=dr_O) or removed (DREF==dr_O). Update the regtracker xrefs cache after this change. If TO == BADADDR then clear the entire xrefs cache.

Module Contents

ida_regfinder.SWIG_PYTHON_LEGACY_BOOL

class ida_regfinder.reg_value_def_t(*args)

Bases: object

thisown

val: uint64: the value

def_ea: ida_idaapi.ea_t: the instruction address

def_itype: uint16: the instruction code (processor specific)

flags: uint16: additional info about the value

SHORT_INSN: like ‘addi reg, imm’

PC_BASED: the value depends on DEF_EA only for numbers

LIKE_GOT: the value is like GOT only for numbers

is_short_insn(*args) → bool

This function has the following signatures:

is_short_insn() -> bool

is_short_insn(insn: const insn_t &) -> bool

# 0: is_short_insn() -> bool

# 1: is_short_insn(insn: const insn_t &) -> bool

is_pc_based() → bool

is_like_got() → bool

NOVAL: without a value

UVAL: as a number

SPVAL: as a SP delta

ABORTED: as an ABORTED value

dstr(how: reg_value_def_t::dstr_val_t, pm: procmod_t = None) → str: Return the string representation.

ida_regfinder.cvar

class ida_regfinder.reg_value_info_t

Bases: object

thisown

clear() → None: Undefine the value.

empty() → bool: Return ‘true’ if we know nothing about a value.

swap(r: reg_value_info_t) → None

static make_dead_end(dead_end_ea: ida_idaapi.ea_t) → reg_value_info_t: Return the undefined value because of a dead end.

static make_aborted(bblk_ea: ida_idaapi.ea_t, aborting_depth: int = -1) → reg_value_info_t: Return the value after aborting.

static make_badinsn(insn_ea: ida_idaapi.ea_t) → reg_value_info_t: Return the unknown value after a bad insn.

static make_unkinsn(insn: insn_t const &) → reg_value_info_t: Return the unknown value after executing the insn.

static make_unkfunc(func_ea: ida_idaapi.ea_t) → reg_value_info_t: Return the unknown value from the function start.

static make_unkloop(bblk_ea: ida_idaapi.ea_t) → reg_value_info_t: Return the unknown value if it changes in a loop.

static make_unkmult(bblk_ea: ida_idaapi.ea_t) → reg_value_info_t: Return the unknown value if the register has incompatible values.

static make_unkxref(bblk_ea: ida_idaapi.ea_t) → reg_value_info_t: Return the unknown value if there are too many xrefs.

static make_unkvals(bblk_ea: ida_idaapi.ea_t) → reg_value_info_t: Return the unknown value if the register has too many values.

static make_num(*args) → reg_value_info_t

This function has the following signatures:

make_num(rval: int, insn: const insn_t &, val_flags: uint16=0) -> reg_value_info_t

make_num(rval: int, val_ea: ida_idaapi.ea_t, val_flags: uint16=0) -> reg_value_info_t

# 0: make_num(rval: int, insn: const insn_t &, val_flags: uint16=0) -> reg_value_info_t

Return the value that is the RVAL number.

# 1: make_num(rval: int, val_ea: ida_idaapi.ea_t, val_flags: uint16=0) -> reg_value_info_t

Return the value that is the RVAL number.

static make_initial_sp(func_ea: ida_idaapi.ea_t) → reg_value_info_t: Return the value that is the initial stack pointer.

is_dead_end() → bool: Return ‘true’ if the value is undefined because of a dead end.

aborted() → bool: Return ‘true’ if the tracking process was aborted.

is_special() → bool: Return ‘true’ if the value requires special handling.

is_badinsn() → bool: Return ‘true’ if the value is unknown because of a bad insn.

is_unkinsn() → bool: Return ‘true’ if the value is unknown after executing the insn.

is_unkfunc() → bool: Return ‘true’ if the value is unknown from the function start.

is_unkloop() → bool: Return ‘true’ if the value is unknown because it changes in a loop.

is_unkmult() → bool: Return ‘true’ if the value is unknown because the register has incompatible values (a number and SP delta).

is_unkxref() → bool: Return ‘true’ if the value is unknown because there are too many xrefs.

is_unkvals() → bool: Return ‘true’ if the value is unknown because the register has too many values.

is_unknown() → bool: Return ‘true’ if the value is unknown.

is_num() → bool: Return ‘true’ if the value is a constant.

is_spd() → bool: Return ‘true’ if the value depends on the stack pointer.

is_known() → bool: Return ‘true’ if the value is known (i.e. it is a number or SP delta).

get_num() → bool: Return the number if the value is a constant.

get_spd() → bool: Return the SP delta if the value depends on the stack pointer.

get_def_ea() → ida_idaapi.ea_t: Return the defining address.

get_def_itype() → uint16: Return the defining instruction code (processor specific).

get_aborting_depth() → int: Return the aborting depth if the value is ABORTED.

is_value_unique() → bool: Check that the value is unique.

have_all_vals_flag(val_flags: uint16) → bool: Check the given flag for each value.

has_any_vals_flag(val_flags: uint16) → bool

is_all_vals_pc_based() → bool

is_any_vals_pc_based() → bool

is_all_vals_like_got() → bool

is_any_vals_like_got() → bool

set_all_vals_flag(val_flags: uint16) → None: Set the given flag for each value.

set_all_vals_pc_based() → None

set_all_vals_got_based() → None

set_dead_end(dead_end_ea: ida_idaapi.ea_t) → None: Set the value to be undefined because of a dead end.

set_badinsn(insn_ea: ida_idaapi.ea_t) → None: Set the value to be unknown after a bad insn.

set_unkinsn(insn: insn_t const &) → None: Set the value to be unknown after executing the insn.

set_unkfunc(func_ea: ida_idaapi.ea_t) → None: Set the value to be unknown from the function start.

set_unkloop(bblk_ea: ida_idaapi.ea_t) → None: Set the value to be unknown because it changes in a loop.

set_unkmult(bblk_ea: ida_idaapi.ea_t) → None: Set the value to be unknown because the register has incompatible values.

set_unkxref(bblk_ea: ida_idaapi.ea_t) → None: Set the value to be unknown because there are too many xrefs.

set_unkvals(bblk_ea: ida_idaapi.ea_t) → None: Set the value to be unknown because the register has too many values.

set_aborted(bblk_ea: ida_idaapi.ea_t, aborting_depth: int = -1) → None: Set the value after aborting.

set_num(*args) → None

This function has the following signatures:

set_num(rval: int, insn: const insn_t &, val_flags: uint16=0) -> None

set_num(rvals: uvalvec_t *, insn: const insn_t &) -> None

set_num(rval: int, val_ea: ida_idaapi.ea_t, val_flags: uint16=0) -> None

# 0: set_num(rval: int, insn: const insn_t &, val_flags: uint16=0) -> None

Set the value to be a number after executing an insn.

# 1: set_num(rvals: uvalvec_t *, insn: const insn_t &) -> None

Set the value to be numbers after executing an insn.

# 2: set_num(rval: int, val_ea: ida_idaapi.ea_t, val_flags: uint16=0) -> None

Set the value to be a number before an address.

EQUAL: L==R.

CONTAINS: L contains R (i.e. RL is empty)

CONTAINED: L is contained in R (i.e. LR is empty)

NOT_COMPARABLE: LR is not empty and RL is not empty.

vals_union(r: reg_value_info_t) → reg_value_info_t::set_compare_res_t

Add values from R into THIS ignoring duplicates.

Returns:: EQUAL: THIS is not changed
Returns:: CONTAINS: THIS is not changed
Returns:: CONTAINED: THIS is a copy of R
Returns:: NOT_COMPARABLE: values from R are added to THIS

extend(pm: procmod_t, width: int, is_signed: bool) → None: Sign-, or zero-extend the number or SP delta value to full size. The initial value is considered to be of size WIDTH.

trunc_uval(pm: procmod_t) → None: Truncate the number to the application bitness.

ADD

SUB

OR

AND

XOR

AND_NOT

SLL

SLR

SAR

MOVT

NEG

NOT

add(r: reg_value_info_t, insn: insn_t const &) → None: Add R to the value, save INSN as a defining instruction.

sub(r: reg_value_info_t, insn: insn_t const &) → None: Subtract R from the value, save INSN as a defining instruction.

bor(r: reg_value_info_t, insn: insn_t const &) → None: Make bitwise OR of R to the value, save INSN as a defining instruction.

band(r: reg_value_info_t, insn: insn_t const &) → None: Make bitwise AND of R to the value, save INSN as a defining instruction.

bxor(r: reg_value_info_t, insn: insn_t const &) → None: Make bitwise eXclusive OR of R to the value, save INSN as a defining instruction.

bandnot(r: reg_value_info_t, insn: insn_t const &) → None: Make bitwise AND of the inverse of R to the value, save INSN as a defining instruction.

sll(r: reg_value_info_t, insn: insn_t const &) → None: Shift the value left by R, save INSN as a defining instruction.

slr(r: reg_value_info_t, insn: insn_t const &) → None: Shift logically the value right by R, save INSN as a defining instruction.

sar(r: reg_value_info_t, insn: insn_t const &) → None: Shift arithmetically the value right by R, save INSN as a defining instruction.

movt(r: reg_value_info_t, insn: insn_t const &) → None: Replace the top 16 bits with bottom 16 bits of R, leaving the bottom 16 bits untouched, save INSN as a defining instruction.

neg(insn: insn_t const &) → None: Negate the value, save INSN as a defining instruction.

bnot(insn: insn_t const &) → None: Make bitwise inverse of the value, save INSN as a defining instruction.

add_num(*args) → None

This function has the following signatures:

add_num(r: int, insn: const insn_t &) -> None

add_num(r: int) -> None

# 0: add_num(r: int, insn: const insn_t &) -> None

Add R to the value, save INSN as a defining instruction.

# 1: add_num(r: int) -> None

Add R to the value, do not change the defining instructions.

shift_left(r: int) → None: Shift the value left by R, do not change the defining instructions.

shift_right(r: int) → None: Shift the value right by R, do not change the defining instructions.

ida_regfinder.find_reg_value(ea: ida_idaapi.ea_t, reg: int) → uint64 *

Find register value using the register tracker.

Parameters:

ea – the address to find a value at
reg – the register to find

Returns:

0: no value (the value is varying or the find depth is not enough to find a value)

Returns:

1: the found value is in VAL

Returns:

-1: the processor module does not support a register tracker

ida_regfinder.find_sp_value(ea: ida_idaapi.ea_t, reg: int = -1) → int64 *

Find a value of the SP based register using the register tracker.

Parameters:

ea – the address to find a value at
reg – the register to find. by default the SP register is used.

Returns:

0: no value (the value is varying or the find depth is not enough to find a value)

Returns:

1: the found value is in VAL

Returns:

-1: the processor module does not support a register tracker

ida_regfinder.find_reg_value_info(rvi: reg_value_info_t, ea: ida_idaapi.ea_t, reg: int, max_depth: int = 0) → bool

Find register value using the register tracker.

Parameters:

rvi – the found value with additional attributes
ea – the address to find a value at
reg – the register to find
max_depth – the number of basic blocks to look before aborting the search and returning the unknown value. 0 means the value of REGTRACK_MAX_DEPTH from ida.cfg for ordinal registers or REGTRACK_FUNC_MAX_DEPTH for the function-wide registers, -1 means the value of REGTRACK_FUNC_MAX_DEPTH from ida.cfg.

Returns:

‘false’: the processor module does not support a register tracker

Returns:

‘true’: the found value is in RVI

ida_regfinder.find_nearest_rvi(rvi: reg_value_info_t, ea: ida_idaapi.ea_t, reg: int const [2]) → int

Find the value of any of the two registers using the register tracker. First, this function tries to find the registers in the basic block of EA, and if it could not do this, then it tries to find in the entire function.

Parameters:

rvi – the found value with additional attributes
ea – the address to find a value at
reg – the registers to find

Returns:

the index of the found register or -1

ida_regfinder.invalidate_regfinder_cache(*args) → None: The control flow from FROM to TO has removed (CREF==fl_U) or added (CREF!=fl_U). Try to update the register tracker cache after this change. If TO == BADADDR then clear the entire cache.

ida_regfinder.invalidate_regfinder_xrefs_cache(*args) → None: The data reference to TO has added (DREF!=dr_O) or removed (DREF==dr_O). Update the regtracker xrefs cache after this change. If TO == BADADDR then clear the entire xrefs cache.