View Full Version : IDA Pro IDC API Question


cr0w
June 3rd, 2012, 19:00
Does anyone know if IDAPython API (or IDC) allows us to convert a local byte variable to a byte array? I cannot seem to find any API calls that will do it. For example, say we have var_1, which is a byte. I want to make it a byte array of size 6. In IDA, we simply right click and adjust the size in the stack frame.

So far in script, I can get the variable and offset, and I can get the current size as well, using GetFrame, GetMemberOffset, and GetMemberSize. If I have already converted one to an array, GetMemberSize returns the correct size. However, there is no SetMemberSize function.

A few ways I've tried:

MakeArray - nothing seems to happen, and I'm not even sure where this would make it. You pass it ea, or the linear offset. This wouldn't apply to a function's stack frame.

SetMemberType - tried this thinking I could just set the type with nitems = 6, but with no luck.

Suggestions?

Kayaker
June 3rd, 2012, 19:35
Does this help?

http://zairon.wordpress.com/2008/02/15/idc-script-and-stack-frame-variables-length/

disavowed
June 3rd, 2012, 23:22
SetMemberType(
GetFrame(...),
...,
FF_DATA | FF_BYTE,
-1,
6);

The important thing is that you need to make sure that there is room for all 6 bytes in the stack. If this will cause an overlap with an existing variable, the call above will fail. (You'd need to delete the overlapping member first.)

cr0w
June 4th, 2012, 17:29
I ran across that wordpress blog posting while looking into the issue, and while it mentioned how to find the size of variables and whatnot, I still wasn't able to figure out how to adjust the variables.

Hopefully the suggestion to delete other member variables first will work - when I tried SetMemberType previously I wasn't deleting the other variables, which may have led to the issue. I also ran into an issue with using -1 for the typeid in SetMemberType - the script failed to run and tossed an error (not sure what the exact error was). I think it ran ok when I used 0 (although it didn't actually do anything...). Will try later and see what happens.

cr0w
June 5th, 2012, 09:14
Sure enough, SetMemberType did the trick once I deleted the other variables that it collided with when changing to an array. DelStrucMember takes care of the deletion. Using -1 for typeid also worked and didn't toss errors this time. I guess the turn to array function in GUI is slightly different since it automatically deletes the colliding variables, whereas IDC requires that portion manually.

Thanks for the help!

disavowed
June 7th, 2012, 22:55
Another happy customer
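
The sequence the thread settles on (find the colliding frame members, delete them with DelStrucMember, then call SetMemberType with nitems set), as an added example that is not code from any of the posters. It assumes `api` is IDAPython's `idc` module exposing the IDC-style names used in the thread; `FakeFrame` and `SAMPLE` are constructed stand-ins so the logic runs outside IDA, and the refusal to delete IDA's " r" / " s" frame slots is an addition.

```python
def make_byte_array(api, func_ea, var_name, count):
    """Resize stack variable var_name to byte[count]; return the members deleted."""
    frame = api.GetFrame(func_ea)
    start = api.GetMemberOffset(frame, var_name)
    if start == -1:
        raise ValueError("no frame member named %r" % var_name)
    colliding = []
    for off in range(start + 1, start + count):
        name = api.GetMemberName(frame, off)  # any offset inside a member names it
        if name and name != var_name and name not in colliding:
            colliding.append(name)
    # " r" / " s" are IDA's return-address and saved-register slots: never delete.
    if " r" in colliding or " s" in colliding:
        raise ValueError("array would overlap the saved registers or return address")
    for name in colliding:
        api.DelStrucMember(frame, api.GetMemberOffset(frame, name))
    if not api.SetMemberType(frame, start, api.FF_DATA | api.FF_BYTE, -1, count):
        raise RuntimeError("SetMemberType failed")
    return colliding


class FakeFrame(object):
    """Constructed stand-in for the idc module so the logic runs outside IDA."""
    FF_DATA, FF_BYTE = 0x400, 0x0

    def __init__(self, members):
        self.m = {off: list(member) for off, member in members.items()}

    def _start(self, off):  # start offset of the member covering off, or None
        return next((s for s, (_, n) in self.m.items() if s <= off < s + n), None)
    def GetFrame(self, ea):
        return 1
    def GetMemberOffset(self, sid, name):
        return next((s for s, (n, _) in self.m.items() if n == name), -1)
    def GetMemberName(self, sid, off):
        start = self._start(off)
        return None if start is None else self.m[start][0]
    def DelStrucMember(self, sid, off):
        return self.m.pop(off, None) is not None
    def SetMemberType(self, sid, off, flag, typeid, nitems):
        if any(self._start(o) not in (None, off) for o in range(off, off + nitems)):
            return 0  # overlap with another member: the call fails
        self.m[off][1] = nitems
        return 1


# Constructed frame layout: offset -> (name, size).
SAMPLE = {0: ("var_1", 1), 2: ("var_3", 1), 4: ("var_5", 1), 8: (" r", 4)}
```

Inside IDA the call would be `make_byte_array(idc, ea, "var_1", 6)`, with `ea` any address in the function.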