"""
What is this register used for?
Hmm.. I'll just rename it to veryuniquename, do a textual search, and find all references!
Ok.. Waiting for the search to end.. any minute now.. Done!
Now I just need to understand which of the search results are relevant to the current usage frame of the register.
Shouldn't be too hard, right?
"""
If this happened to you (perhaps more than once), you are in for a treat!
Just Shift-X, and your troubles will go away!
You may also re(g)name the register in the usage frame. Just Shift-N, and follow instructions!
Also - instead of changing the types of all the usages to a certain type, just Shift-T once.
And last but not least - if you want to set an offset (like doing Ctrl-R) to all usages of this register, just press Shift-R.
Note: Sometimes there is already another plugin using Shift-T. Remove that plugin - you never used it before anyway :-).
This plugin uses sark to interact with the IDA scripts in a comfortable way, and cachetools to cache the frame scan, which makes this a whole lot faster.
[For python2]
pip install sark
pip install cachetools
[For python3]
If using the python3 variant of IDA, you should instead run:
pip3 install -U git+https://github.com/tmr232/Sark.git#egg=Sark
pip3 install cachetools
git clone https://github.com/shemesh999/oregami
The sark codebase offers many plugins. One of them is: https://github.com/tmr232/Sark/blob/master/plugins/plugin_loader.py
We recommend copying it to your plugins directory and then running IDA once with administrator privileges (so it can create the plugins.list files).
After doing so, you can add new plugins by adding their paths to one of the plugins.list files that were created (e.g. one is created in the cfg folder of IDA).
Now, add to one of the plugins.list files:
FULLPATH\oregami\oregami_plugin.py
FULLPATH\oregami\regname_plugin.py
FULLPATH\oregami\typeregter_plugin.py
FULLPATH\oregami\offreg_plugin.py
Restart IDA, and the plugins should work.
Alternatively:
Copy all files (including internal oregami folder, excluding setup.py) to the IDA plugins directory.
Besides being used as plugins, oregami can also be used to write your own scripts!
For this, you should first install it using the included setup.py file, meaning that you should call:
'python setup.py develop', and from then on you may use the internal classes and functions.
Note that we recommend using 'develop' and not 'install', so that if you pull a new version of oregami, it will work out of the box.
For example:
-- script.py --
def find_func_usage(func_ea, reg='r0'):
    """
    Find and print all usages of a register, including the information of the specific operands
    it is in, and what operation it does in the operand.
    """
    import oregami
    rf = oregami.RegFrame(func_ea, reg)
    for insn in rf.get_instructions():
        print('Addr:{:x}'.format(insn.ea))
        for opnd in insn.operands:
            if opnd.uf_is_external:
                continue
            print('--opnd_idx:{} - {}'.format(opnd.n, oregami.UsageBits(opnd.op_flags)))
Let's assume the following sequence of opcodes:
ROM:01000010 e_lis r10, 0x4004 # 0x40040000 # Load Immediate Shifted
ROM:01000014 e_add16i r10, r10, 0x1337 # 0x40041337 # Add Immediate
ROM:01000020 se_mr r30, r31 # Move Register
ROM:01000022 cmplw r11, r10 # Compare Logical Word
ROM:01000026 se_bge loc_1000036 # Branch if greater than or equal
ROM:01000028
ROM:01000028 loc_1000028: # CODE XREF: sub_0100000+144↓j
ROM:01000028 e_stmw r30, 0(r11) # Store Multiple Word
ROM:0100002C e_add16i r11