
In my code, I am using `idc.GetOpnd(ea,0)` and `idc.GetOpnd(ea,1)` to get the two operands of an instruction. However, if it's a `call` (or `jmp`) instruction, I am getting symbols like `_perror` and `loc_8083BA9`.

Using IDAPython, is it possible to remove all the symbols and deal only with memory locations?

Maggie

1 Answer


Two options:

  1. Use `LocByName` to resolve names to addresses.
  2. Use `GetOperandValue` instead of `GetOpnd` to get the value of the operand instead of its display string.
nneonneo
  • Thank you for the answer. `GetOperandValue` works fine for `call` and `jmp` instructions. However, for something like `mov [esp+5Ch+handler],offset aNoCertificateP`, I am getting `mov 4,136298879`, which is not desired. In this case, I just want to resolve `handler` and `offset aNoCertificateP` to their respective memory locations. Is that possible to do? – Maggie May 06 '15 at 16:11
  • In your example `handler` is a stack address. Therefore it does not have a real memory address. 136298879 is the proper address of aNoCertificateP, just print it out in hex to see the familiar representation. – nneonneo May 06 '15 at 16:14
  • Thanks again. In my example, handler is `handler= dword ptr -58h`. So is it possible to replace `handler` with `-58h`, so that in the original operand I get something like `[esp+5Ch-58h]`? I think this can be done by parsing each operand and replacing `vars` with their corresponding values. However, parsing each operand is very costly; is there any 'smart' way to accomplish this? Thanks – Maggie May 06 '15 at 16:21
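As an added example (not code from the question, the answer or the comments), here is how the answer's second option turns the instruction quoted in the comments, `mov [esp+5Ch+handler],offset aNoCertificateP`, into a symbol-free line. `format_operand` and `rewrite_instruction` are plain Python and run anywhere; `resolve_operand` and `resolve_name` assume the IDAPython `idc` module with the IDA 6.x-era names used in the thread (`GetOpType`, `GetOperandValue`, `GetOpnd`, `LocByName`) and can only be called inside IDA.

```python
import re

# IDA's op_t.type codes (the idc.o_* constants), spelled out so that the
# formatting helper also runs outside IDA.
O_REG, O_MEM, O_PHRASE, O_DISPL, O_IMM, O_FAR, O_NEAR = 1, 2, 3, 4, 5, 6, 7

def format_operand(op_type, value, display):
    """Render one operand without symbols.
    op_type: idc.o_* code from GetOpType; value: number from GetOperandValue;
    display: string from GetOpnd (only used to recover the base register)."""
    if op_type in (O_NEAR, O_FAR, O_MEM, O_IMM):
        # call/jmp targets, direct memory references and immediates such as
        # `offset aNoCertificateP`: the value is the address IDA shows as a
        # name, so print it in hex for the familiar form (136298879 -> 0x81FC17F).
        return "0x%X" % value
    if op_type == O_DISPL:
        # [reg+disp]: GetOperandValue has already folded the frame size and the
        # stack variable into one number (5Ch + handler with handler = -58h is 4),
        # which is why the thread saw `mov 4,...`. Keep only the base register.
        inner = display[display.index("[") + 1:display.index("]")]
        base = re.split(r"[+-]", inner, maxsplit=1)[0]
        return "[%s%+#x]" % (base, value)
    # Registers and register-indirect operands carry no symbol; keep the text.
    return display

def rewrite_instruction(mnem, operands):
    """Join (op_type, value, display) triples into one symbol-free line."""
    return mnem + " " + ", ".join(format_operand(*op) for op in operands)

# Constructed from the instruction quoted in the comments:
#   mov [esp+5Ch+handler], offset aNoCertificateP
THREAD_EXAMPLE = [
    (O_DISPL, 4, "[esp+5Ch+handler]"),
    (O_IMM, 136298879, "offset aNoCertificateP"),
]

def resolve_operand(ea, n):
    """Option 2 of the answer as an IDAPython call; needs the idc module."""
    import idc  # only importable inside IDA
    return format_operand(idc.GetOpType(ea, n), idc.GetOperandValue(ea, n),
                          idc.GetOpnd(ea, n))

def resolve_name(name):
    """Option 1 of the answer: map a symbol such as `_perror` to its address."""
    import idc  # only importable inside IDA
    ea = idc.LocByName(name)
    return None if ea == idc.BADADDR else ea
```

`rewrite_instruction("mov", THREAD_EXAMPLE)` gives `mov [esp+0x4], 0x81FC17F`, which is the same information as `mov 4,136298879` in the form the comment asked for.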