In my code, I am using idc.GetOpnd(ea,0) and idc.GetOpnd(ea,1) to get the 2 operands of an instruction. However, if its a call (or jmp) instruction, I am getting symbols like _perror and loc_8083BA9.
Using IDAPython, is it possible to remove all the symbols and deal only with memory locations.
Two options:
LocByName to resolve names to addressesGetOperandValue instead of GetOpnd to get the value of the operand instead of its display string.handler is a stack address. Therefore it does not have a real memory address. 136298879 is the proper address of aNoCertificateP, just print it out in hex to see the familiar representation. –
Heterophyte handler= dword ptr -58h. So is it possible to replace handler with -58h. So in the original operand, I get something like [esp+5Ch-58h]. I think this can be done by parsing each operand and replace vars with their corresponding values. However, parsing each operand is very costly, is there any 'smart' way to accomplish this. Thanks –
Graybill © 2022 - 2024 — McMap. All rights reserved.
GetOperandValueworks fine forcallandjmpinstructions. However, for something like thismov [esp+5Ch+handler],offset aNoCertificateP, I am gettingmov 4,136298879. which is not desired. In this case, I just want to resolvehandlerandoffset aNoCertificatePto their respective memory locations. Is that possible to do? – Graybill