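def _CheckMemOp(self, ea):
    r"""Classify the instruction at ``ea`` and record it in ``self.ftable``.

    The instruction is decoded with ``idautils.DecodeInstruction``; if nothing
    decodes at ``ea`` the method returns without recording anything.
    Depending on ``itype`` the address is appended to one of these lists:

    * ``self.ftable["returnpoints"]``: ``ea`` of every retn/retf.
    * ``self.ftable["memop"]``: 5-tuples ``(ea, w, idata, cmp, incdec)``:
        - ``w`` is 1 for mov/add/sub whose first operand type is 2..7,
        - ``idata`` is 1 when that operand's ``addr`` is in segment ``.idata``,
        - ``cmp`` is 1 for cmp/test with an operand of type 2..7 except 5,
        - ``incdec`` is 1 for every inc/dec (operand type is not checked).
    * ``self.ftable["dynamiccall"]``: ``ea`` of calls whose first operand is
      of type o_phrase or o_displ.

    The docstring is a raw string because the Windows-style paths below
    contain backslashes; in a normal literal ``\a`` becomes a BEL character
    and ``\ua`` is a malformed unicode escape (a SyntaxError on Python 3).

    The itype values are defined in .\idasdk64\include\allins.hpp
    The op.type definition is in .\idasdk64\include\ua.hpp

    const optype_t     // Description                                   Data field
      o_void     = 0,  // No Operand                                    ----------
      o_reg      = 1,  // General Register (al,ax,es,ds...)             reg
      o_mem      = 2,  // Direct Memory Reference (DATA)                addr
      o_phrase   = 3,  // Memory Ref [Base Reg + Index Reg]             phrase
      o_displ    = 4,  // Memory Ref [Base Reg + Index Reg + Displ.]    phrase+addr
      o_imm      = 5,  // Immediate Value                               value
      o_far      = 6,  // Immediate Far Address (CODE)                  addr
      o_near     = 7,  // Immediate Near Address (CODE)                 addr
      o_idpspec0 = 8,  // IDP specific type

    NOTE(review): the numeric itype values are those of the x86/x64
    instruction list; they are hard-coded here, so results are only
    meaningful for that processor module -- confirm against the SDK in use.
    """
    inst = idautils.DecodeInstruction(ea)
    if inst is None:
        # No instruction could be decoded at this address.
        return

    itype = inst.itype
    if itype in (160, 159):
        # retn = 159, retf = 160
        self.ftable["returnpoints"].append(ea)
    elif itype in (122, 6, 209):
        # mov = 122, add = 6, sub = 209: the write lands on the first operand.
        if 2 <= inst[0].type <= 7:
            # Treated as a memory write. Writes whose target is in the
            # import table segment are flagged separately (third field).
            if idc.SegName(inst[0].addr) == '.idata':
                self.ftable["memop"].append((ea, 1, 1, 0, 0))
            else:
                self.ftable["memop"].append((ea, 1, 0, 0, 0))
    elif itype in (27, 210):
        # cmp = 27, test = 210: record when either operand is a non-immediate
        # operand of type 2..7.
        first_is_mem = 2 <= inst[0].type <= 7 and inst[0].type != 5
        second_is_mem = 2 <= inst[1].type <= 7 and inst[1].type != 5
        if first_is_mem or second_is_mem:
            self.ftable["memop"].append((ea, 0, 0, 1, 0))
    elif itype in (44, 34):
        # inc = 44, dec = 34. Recorded unconditionally.
        # NOTE(review): register-only inc/dec are recorded too -- confirm
        # that this is intended for a "memop" entry.
        self.ftable["memop"].append((ea, 0, 0, 0, 1))
    elif itype in (16,):
        # call = 16 (the earlier comment said 13, which did not match the code).
        # NOTE(review): indirect near calls are normally decoded with their own
        # itype (NN_callni, 18) rather than 16 -- confirm whether this branch
        # can fire for o_phrase/o_displ operands or whether 18 belongs here.
        if inst[0].type == 3 or inst[0].type == 4:
            self.ftable["dynamiccall"].append(ea)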