IDA 插件加载对32和64位的判断
在 plugins 存在 python.dll, python64.dll
显然python.dl 用于32 位,python64.dll用于 64 位
那么怎么区分的么?
ida.dll 导出函数 init_plugins 会被ida主程序调用
sub_10155F20 函数会对plugins 目录下的dll 文件进行扫描
memmove(v27, "*.dll", 5ui64);
get_ida_subdirs((__int64)&v25, (__int64)"plugins", 0);
sub_1014D8D0(
0i64,
0i64,
(__int64)v11,
(__int64)v14,
(int (__fastcall *)(const CHAR *, __int64))sub_10155CE0,
(__int64)v1);
{
v9 = enumerate_files(0i64, 0i64, a3, a4, (unsigned int (__fastcall *)(char *, __int64))sub_1014D850, (__int64)&Memory);
v9 = a5(v13, a6); // 调用回调
回调 函数 a5 是 sub_100ED820
}
sub_100ED820 调用 sub_100EDAA0
v9 = a5(v13, a6); // 在此处断下
__int64 __fastcall sub_100ED820(char *a1, __int64 a2)
{
__int64 v2; // rbx
char *v3; // rdi
__int64 result; // rax
v2 = a2;
v3 = a1;
if ( sub_100EDAA0(a1) )
result = 0i64; // 64 bit 跳过
else
// 32 位加入列表
result = (*(__int64 (__fastcall **)(char *, _QWORD))v2)(v3, *(_QWORD *)(v2 + 8));
return result;
}
bool __fastcall sub_100EDAA0(char *a1) // is_64_dll
{
char *v1; // rax
char *v2; // rdi
char *v4; // rax
unsigned __int64 v5; // rbx
v1 = qbasename(a1);
v2 = v1;
if ( !v1 )
return 1;
v4 = get_file_ext(v1);
v5 = (unsigned __int64)v4;
return !v4
|| !stricmp(v4, "dll")
&& v5 >= (unsigned __int64)(v2 + 3)
&& *(_BYTE *)(v5 - 2) == '4'
&& *(_BYTE *)(v5 - 3) == '6';
}
-------------- ida64.dll 分析 -----------------
memmove((void *)Dst, "*64.dll", 7ui64);
sub_100F3360 返回0 加入列表
char __fastcall sub_100F3360(char *a1)
{
__int64 v1; // rax
__int64 v2; // rdi
const char *v4; // rax
unsigned __int64 v5; // rbx
v1 = qbasename(a1);
v2 = v1;
if ( !v1 )
return 1;
v4 = (const char *)get_file_ext(v1);
v5 = (unsigned __int64)v4;
if ( !v4 )
return 1;
if ( stricmp(v4, "dll") )
return 0;
if ( v5 < v2 + 3 || *(_BYTE *)(v5 - 2) != '4' || *(_BYTE *)(v5 - 3) != '6' )
return 1; // 必须带64
return 0;
}
