Beispiel #1
0
def get_func_details(func_ea):
    xfunc = ida_hexrays.decompile(func_ea)
    if xfunc is None:
        return None
    func_details = idaapi.func_type_data_t()
    xfunc.type.get_func_details(func_details)
    return func_details
Beispiel #2
0
def process_sscanf_callers(instr, sscanf):
    func = ida_hexrays.decompile(instr)

    # Error prone, better would be to filter func.body.treeitems
    node = func.body.find_closest_addr(instr)
    if node is None:
        return
    if node.op != ida_hexrays.cot_call:
        return
    node = node.to_specific_type
    if node.x.op != ida_hexrays.cot_obj:
        return
    if node.x.obj_ea != sscanf:
        return

    num_args = len(list(node.a)) - 2

    parent = func.body.find_parent_of(node)
    if parent is None:
        # Should never happen ?
        return

    grandparent = func.body.find_parent_of(parent)

    comparand = None
    if parent.op == ida_hexrays.cit_expr and grandparent.op == ida_hexrays.cit_block:
        pass
    else:
        if parent.op == ida_hexrays.cot_asg:
            parent.to_specific_type.x

        if parent.op == ida_hexrays.cot_eq:
            parent = parent.to_specific_type
            if parent.y.op != ida_hexrays.cot_num:
                print(
                    'Not supporting comparisons against anything but an num node'
                )
                return

            else:
                comparand = parent.y.n._value

        elif parent.op == ida_hexrays.cit_if:
            comparand = 'nonzero'

    if comparand is None:
        print(
            "The sscanf call at 0x%08x is worth looking at, no comparisons were found despite %d arguments"
            % (instr, num_args))

    elif comparand == 'nonzero':
        print(
            "The sscanf call at 0x%08x is worth looking at, there is only a comparison against being non-zero and there are %d arguments"
            % (instr, num_args))

    else:
        if comparand < num_args:
            print(
                "The sscanf call at 0x%08x is worth looking at, there is a comparison against %d but there are %d arguments"
                % (instr, comparand, num_args))
def parse_table(ea):
    table = u64(idc.get_bytes(ea, 8))
    addr = table

    func_table = []
    while True:
        pm4type, opcode, handler = read_entry(addr)
        if handler == 0:
            break
        # get gnm name and packet count
        gnm_name, packet_count = parse_function(handler)
        # decompile the handler
        func = ida_hexrays.decompile(handler)
        lines = func.get_pseudocode()
        code_lines = []
        for sline in lines:
            line = ida_lines.tag_remove(sline.line)
            code_lines.append(line)

        print('{}\t{} {} {:X} {:08X}'.format(gnm_name, packet_count, pm4type,
                                             opcode, handler))
        if not gnm_name:
            gnm_name = 'sub_{:X}'.format(handler)
        func_table.append(
            (gnm_name, packet_count, pm4type, opcode, handler, code_lines))
        addr += 16
    return func_table
Beispiel #4
0
    def from_addr(cls, ea=None):
        """
            Class method which return a :class:`HxCFunc` object corresponding
            to the function at a particular address.

            This may raise a :class:`~bip.base.BipDecompileError` if the
            decompilation failed or if the address provided is not in a
            function.
            
            :param int ea: An address inside the function for which we want
                an :class:`HxCFunc`. If ``None`` the screen address will be
                used.
            :return: A :class:`HxCFunc` object.
        """
        if ea is None:
            ea = ida_kernwin.get_screen_ea()
        try:
            idaobj = ida_hexrays.decompile(ea)
        except ida_hexrays.DecompilationFailure:
            # IDA could not decompile the function
            raise bbase.BipDecompileError(
                "Hexrays failed to decompile function at 0x{:X}".format(ea))
        if idaobj is None:
            raise bbase.BipDecompileError(
                "Decompilation failed for {}: address was probably not in a function ?"
                .format(ea))
        return cls(idaobj)
Beispiel #5
0
def find_item(ea, q, parents=False, flags=0):
    """find item within AST of decompiled function

    arguments:
    ea:         address belonging to a function
    q:          lambda/function: f(cfunc_t, citem_t) returning a bool
    parents:    False -> discard cexpr_t parent nodes
                True  -> maintain citem_t parent nodes

    returns list of query_result_t objects
    """

    f = ida_funcs.get_func(ea)
    if f:
        cfunc = None
        hf = hx.hexrays_failure_t()
        try:
            cfunc = hx.decompile(f, hf, flags)
        except Exception as e:
            print("%s %x: unable to decompile: '%s'" % (SCRIPT_NAME, ea, hf))
            print("\t (%s)" % e)
            return list()

        if cfunc:
            return find_child_item(cfunc, cfunc.body, q, parents)
    return list()
Beispiel #6
0
def apply_jni_func_sig():
    """ Apply the standard JNIEnv* and jobject signature to a function.
    """
    print("Function: {}".format(idc.get_func_name(here())))

    func = ida_hexrays.decompile(here())
    func_type = func.type
    funcdata = ida_typeinf.func_type_data_t()
    func_type.get_func_details(funcdata)

    jnienv = ida_typeinf.tinfo_t()
    jnienv.get_named_type(ida_typeinf.get_idati(), "JNIEnv")
    jnienv_ptr = ida_typeinf.tinfo_t()
    jnienv_ptr.create_ptr(jnienv)

    jobject = ida_typeinf.tinfo_t()
    jobject.get_named_type(ida_typeinf.get_idati(), "jobject")

    funcdata[0].type = jnienv_ptr
    funcdata[0].name = "env"
    funcdata[1].type = jobject
    funcdata[1].name = "thiz"
    new_tinfo = ida_typeinf.tinfo_t()
    new_tinfo.create_func(funcdata)
    ida_typeinf.apply_tinfo(here(), new_tinfo, ida_typeinf.TINFO_DEFINITE)
 def run(self, arg):
     for function in idautils.Functions():
         values = {}
         #function = ida_kernwin.get_screen_ea()
         function_start = idc.get_func_attr(function, idc.FUNCATTR_START)
         function_end = idc.get_func_attr(function, idc.FUNCATTR_END)
         function_name = idc.get_func_name(function)
         if "func" in function_name:
             try:
                 values[function_name] = []
                 for z in re.findall("= (0[xX][0-9a-fA-F]+)",str(ida_hexrays.decompile(function))):
                             values[function_name].append(binascii.hexlify(struct.pack('<Q', int(int(z.replace("0x", ""), base=16)))).decode("windows-1252").replace("00",""))
                             
                            
             except idaapi.DecompilationFailure:
                 pass
                             
             lenght = int(len(values[function_name]) / 2)
             string = self.to_decimal(values[function_name][0:lenght])
             key = self.to_decimal(values[function_name][lenght::])
             str_decrypted = ""
             for i in range(0, len(string)):
                 str_decrypted += chr(string[i] ^ key[i % len(key)])
                 #idaapi.msg(f"{string[i]} ^ {key[i % len(key)]}\n")
             if str_decrypted != "":    
                 #idaapi.msg(str_decrypted+"\n")
                  idc.set_func_cmt(function_start, str_decrypted, 0)
                  rowPosition = self.plg.table.rowCount()
                  self.plg.table.insertRow(rowPosition)
                  self.plg.table.setItem(rowPosition, 0, QtWidgets.QTableWidgetItem(function_name))
                  self.plg.table.setItem(rowPosition, 1, QtWidgets.QTableWidgetItem(str_decrypted))
Beispiel #8
0
def get_func_stack_var_info(func_addr) -> typing.Dict[int, StackVariable]:
    try:
        decompilation = ida_hexrays.decompile(func_addr)
    except ida_hexrays.DecompilationFailure:
        l.debug(
            "Decompiling too many functions too fast! Slow down and try that operation again."
        )
        return {}

    stack_var_info = {}

    for var in decompilation.lvars:
        if not var.is_stk_var():
            continue

        size = var.width
        name = var.name

        ida_offset = var.location.stkoff() - decompilation.get_stkoff_delta()
        bs_offset = ida_to_angr_stack_offset(func_addr, ida_offset)
        type_str = str(var.type())
        stack_var_info[bs_offset] = StackVariable(ida_offset,
                                                  StackOffsetType.IDA, name,
                                                  type_str, size, func_addr)

    return stack_var_info
Beispiel #9
0
def alive_copy_unimplemented(check_active, ctx):
    if check_active == 1:
        return 0;
        
    decompiled = ida_hexrays.decompile(here())
    result = "EXPORT " + str(decompiled.type) + " { NOT_IMPLEMENTED; }"
    result = fix_type_string(result)
    copy_to_clip(result)
    print "Alive Function copied to clipboard!"
Beispiel #10
0
 def refresh_pseudocode(self, vu):
     if self.another_decompile_ea:
         logging.debug("decompile again")
         ea = self.another_decompile_ea
         ida_hexrays.mark_cfunc_dirty(ea, False)
         cfunc = ida_hexrays.decompile(ea)
         self.another_decompile_ea = None
         vu.switch_to(cfunc, True)
     return 0
Beispiel #11
0
def auto_rename_single(ca, addr, force=False):
    cfunc = ida_hexrays.decompile(addr, flags=ida_hexrays.DECOMP_NO_CACHE if force else 0)
    if not cfunc:
        return

    ca.reset()
    ca.apply_to(cfunc.body, None)
    if ca.results:
        ida_name.set_name(addr, ca.results[-1], ida_name.SN_AUTO | ida_name.SN_NOCHECK | ida_name.SN_NOWARN)
Beispiel #12
0
def decompile_func(ea, outfile):
    ida_kernwin.msg("Decompiling at: %X..." % ea)
    cf = ida_hexrays.decompile(ea)
    if cf:
        ida_kernwin.msg("OK\n")
        outfile.write(str(cf) + "\n")
    else:
        ida_kernwin.msg("failed!\n")
        outfile.write("decompilation failure at %X!\n" % ea)
Beispiel #13
0
def _on_refresh_pseudocode(vu):
    global _ANOTHER_DECOMPILER_EA
    if not _ANOTHER_DECOMPILER_EA:
        return
    log.debug("decompile again")
    ea = _ANOTHER_DECOMPILER_EA
    ida_hexrays.mark_cfunc_dirty(ea, False)
    cfunc = ida_hexrays.decompile(ea)
    _ANOTHER_DECOMPILER_EA = None
    vu.switch_to(cfunc, True)
Beispiel #14
0
def apply_everywhere():
    hr_remove()
    for segea in idautils.Segments():
        for funcea in idautils.Functions(segea, idc.SegEnd(segea)):
            print("Handling %s" % idc.GetFunctionName(funcea))
            try:
                cfunc = ida_hexrays.decompile(funcea)
                apply_on_fn(cfunc)
            except ida_hexrays.DecompilationFailure as e:
                print("Failed to decompile!")
    hr_install()
def ast_a_function(address):
    try:
        vfun = hexray.decompile(address)
        #without this print the vfun has an empty ctree associated.
        b = str(vfun)
        itemstruct = {}
        #itemstruct['src']=b
        body = vfun.body
        str(body)
        treenodes = [x for x in vfun.treeitems]
        for x in treenodes:
            index = int(x.index)
            treeitem = {}
            treeitem['op_name'] = hexray.get_ctype_name(x.op)
            x = x.to_specific_type
            op = x.op
            if op == hexray.cot_call:
                #se e' una chiamata a funzione ci mettiamo il nome della funzione
                #treeitem['opcall']=idaapi.get_func_name(x.obj_ea)
                pass
            elif op == hexray.cot_ptr:
                pass
            elif op == hexray.cot_memptr:
                pass
            elif op == hexray.cot_memref:
                pass
            elif op == hexray.cot_obj:
                treeitem['name'] = idaapi.get_func_name(x.obj_ea)
            elif op == hexray.cot_var:
                treeitem['size'] = x.refwidth
                #treeitem['varname'] = str(dir(x))
                pass
            elif op == hexray.cot_num:
                #typeInfo = idaapi.tinfo_t()
                treeitem['value'] = str(x.numval())

                #treeitem['size'] = x.refwidth
                #treeitem['formatname'] = str(x.n.nf.type_name)
                pass
            elif op == hexray.cot_helper:
                pass
            elif op == hexray.cot_str:
                pass

            try:
                treeitem['parent_index'] = int(
                    vfun.body.find_parent_of(x).index)
            except:
                treeitem['parent_index'] = None

            itemstruct[index] = treeitem
        return itemstruct
    except Exception as e:
        return None
Beispiel #16
0
def auto_rename_single(ca, addr):
    cfunc = ida_hexrays.decompile(addr)
    if not cfunc:
        return

    ca.reset()
    ca.apply_to(cfunc.body, None)
    if ca.results:
        ida_name.set_name(
            addr, ca.results[-1],
            ida_name.SN_AUTO | ida_name.SN_NOCHECK | ida_name.SN_NOWARN)
Beispiel #17
0
def find_item(ea, item, findall=True, parents=False):
    """find item within AST of decompiled function

    arguments:
    ea:         address belonging to a function
    item:       lambda/function: f(cfunc_t, citem_t) returning a bool
    findall:    False -> find cexpr_t only (faster but doesn't find cinsn_t items)
                True  -> find citem_t elements, which includes cexpr_t and cinsn_t
    parents:    False -> discard cexpr_t parent nodes
                True  -> maintain citem_t parent nodes

    returns list of citem_t items
    """

    class citem_finder_t(hr.ctree_visitor_t):
        def __init__(self, cfunc, i, parents):
            hr.ctree_visitor_t.__init__(self,
                hr.CV_PARENTS if parents else hr.CV_FAST)

            self.findall = findall
            self.cfunc = cfunc
            self.item = i
            self.found = list()
            return

        def process(self, i):
            """process cinsn_t and cexpr_t elements alike"""

            cfunc = self.cfunc
            if self.item(cfunc, i):
                self.found.append(i)
                if not self.findall:
                    return 1
            return 0

        def visit_insn(self, i):
            return self.process(i)

        def visit_expr(self, e):
            return self.process(e)

    try:
        cfunc = hr.decompile(ea)
    except:
        print("%x: unable to decompile." % ea)
        return list()

    if cfunc:
        itfinder = citem_finder_t(cfunc, item, parents)
        itfinder.apply_to(cfunc.body, None)
        return itfinder.found
    return list()
Beispiel #18
0
 def decompile(self):
     ida_hexrays.init_hexrays_plugin()
     cfuncs = []
     for function in idautils.Functions():
         try:
             cfunc = ida_hexrays.decompile(function)
             log_file.write("CFUNC: %s\n" % (cfunc))
             cfuncs.append(cfunc)
         except Exception as e:
             log_file.write("ERROR: %s - %s\n" %
                            (e, idc.get_func_name(function)))
             #traceback.print_exc(file=log_file)
     return cfuncs
Beispiel #19
0
def get_hexrays_vars(ea, stack_size):
    # can be used to get member size, type, etc.
    hexrays_types[idc.get_func_name(ea)] = {}
    for var in ida_hexrays.decompile(ea).get_lvars():
        if not var.name:
            continue
        if var.width>=8:
            ownertype = "pointer"
        else:
            ownertype = "scalar"
        # print(dir(var.tif))
        offset = -stack_size + var.get_stkoff()
        hexrays_types[idc.get_func_name(ea)][offset] = var.width, ownertype
Beispiel #20
0
def alive_copy_decompiled(check_active, ctx):
    if check_active == 1:
        return 0;
        
    addr = here()
    
    for i in xrange(len(ctx.chooser_selection)):
        idx = ctx.chooser_selection.at(i)
        addr = ida_name.get_nlist_ea(idx)
        
    result = "EXPORT " + str(ida_hexrays.decompile(addr))
    result = fix_type_string(result)
    copy_to_clip(result)
    print "Alive Function copied to clipboard!"
Beispiel #21
0
def decompiled_code(address: int, _visited=None) -> Optional[ida_hexrays.cfuncptr_t]:
    """
    Generates IDA object representing the decompiled code for the given address.

    :param address: Start address of the function.

    :returns: cfuncptr_t object or None on failure.
    """
    if _visited is None:
        _visited = set()

    attempted_before = address in _visited
    _visited.add(address)

    # This requires Hexrays decompiler, load it and make sure it's available before continuing.
    if not ida_hexrays.init_hexrays_plugin():
        idc.load_and_run_plugin("hexrays", 0) or idc.load_and_run_plugin("hexx64", 0)
    if not ida_hexrays.init_hexrays_plugin():
        logger.debug("Unable to load Hexrays decompiler.")
        return None
    fail_obj = ida_hexrays.hexrays_failure_t()
    code = ida_hexrays.decompile(address, fail_obj)
    if code and not fail_obj.code:
        return code

    if not fail_obj:
        logger.warning(f"Unable to decompile function at {hex(address)}")
        return None

    # Cannot possibly recover from call analysis failure.
    if fail_obj.code == -12:
        logger.warning(f"Unable to decompile function at {hex(address)}: call analysis failed")
        return None

    # We may be able to still recover from this by first trying to decompile
    # the called function that caused the failure.
    # If we've attempted this before, ensure we don't try a third time
    # and cause an infinite loop.
    if not attempted_before:
        failed_address = fail_obj.errea
        if ida_ua.ua_mnem(failed_address) == "call":
            call_address = idc.get_operand_value(failed_address, 0)
            if decompiled_code(_visited=_visited) is not None:
                return decompiled_code(address, visited=_visited)

    # TODO: Observed this message pops up with fail_obj.code == 0... unsure if that is actually an error.
    logger.debug(f"Unable to decompile function at {hex(address)}: {fail_obj.code}")
    return None
Beispiel #22
0
def find_item(ea, q, parents=False):
    """find item within AST of decompiled function

    arguments:
    ea:         address belonging to a function
    q:          lambda/function: f(cfunc_t, citem_t) returning a bool
    parents:    False -> discard cexpr_t parent nodes
                True  -> maintain citem_t parent nodes

    returns list of tb_result_t objects
    """
    class citem_finder_t(hr.ctree_visitor_t):
        def __init__(self, cfunc, q, parents):
            hr.ctree_visitor_t.__init__(
                self, hr.CV_PARENTS if parents else hr.CV_FAST)

            self.cfunc = cfunc
            self.query = q
            self.found = list()
            return

        def process(self, i):
            """process cinsn_t and cexpr_t elements alike"""

            if self.query(self.cfunc, i):
                self.found.append(tb_result_t(i))
            return 0

        def visit_insn(self, i):
            return self.process(i)

        def visit_expr(self, e):
            return self.process(e)

    try:
        f = ida_funcs.get_func(ea)
        if f:
            cfunc = hr.decompile(f)
    except:
        print("%x: unable to decompile." % ea)
        return list()

    if cfunc:
        itfinder = citem_finder_t(cfunc, q, parents)
        itfinder.apply_to(cfunc.body, None)
        return itfinder.found
    return list()
    def __call__(self):
        # FIXME: Hey-Rays bindings are broken
        # iflags = ida_hexrays.user_iflags_new()
        # for (cl_ea, cl_op), f in self.iflags:
        #     cl = ida_hexrays.citem_locator_t(cl_ea, cl_op)
        #     iflags.insert(cl, f)
        # ida_hexrays.save_user_iflags(self.ea, iflags)

        ida_hexrays.save_user_iflags(self.ea, ida_hexrays.user_iflags_new())
        HexRaysEvent.refresh_pseudocode_view()

        cfunc = ida_hexrays.decompile(self.ea)
        for (cl_ea, cl_op), f in self.iflags:
            cl = ida_hexrays.citem_locator_t(cl_ea, cl_op)
            cfunc.set_user_iflags(cl, f)
        cfunc.save_user_iflags()
        HexRaysEvent.refresh_pseudocode_view()
Beispiel #24
0
    def get_items_for_ea(self, ea):

        frm = [x.frm for x in idautils.XrefsTo(self.__ea)]

        items = []
        for ea in frm:
            try:
                cfunc = ida_hexrays.decompile(ea)

                self.functions.append(cfunc.entry_ea)
                self.items.append((ea, ida_funcs.get_func_name(cfunc.entry_ea) or "", self.get_decompiled_line(cfunc, ea)))

            except Exception as e:
                print('could not decompile: %s' % (str(e), ))
                raise

        return
Beispiel #25
0
def find_expr(ea, expr, findall=True, parents=False):
    """find expression within AST of decompiled function
    
    arguments:
    ea:         address belonging to a function
    expr:       lambda/function: f(cfunc_t, citem_t) returning a bool
    findall:    False -> find cexpr_t only (faster but doesn't find cinsn_t items)
                True  -> find citem_t elements, which includes cexpr_t and cinsn_t
    parents:    False -> discard cexpr_t parent nodes
                True  -> maintain citem_t parent nodes

    returns list of cexpr_t items
    """
    class expr_finder_t(hr.ctree_visitor_t):
        def __init__(self, cfunc, expr, parents):
            hr.ctree_visitor_t.__init__(
                self, hr.CV_PARENTS if parents else hr.CV_FAST)

            self.findall = findall
            self.cfunc = cfunc
            self.expr = expr
            self.found = list()
            return

        def visit_expr(self, e):
            """process cexpr_t elements"""

            if self.expr(self.cfunc, e):
                self.found.append(e)
                #print("dbg %x" % e.ea)
                if not self.findall:
                    return 1
            return 0

    try:
        cfunc = hr.decompile(ea)
    except:
        print("%x: unable to decompile." % ea)
        return list()

    if cfunc:
        expfinder = expr_finder_t(cfunc, expr, parents)
        expfinder.apply_to_exprs(cfunc.body, None)
        return expfinder.found
    return list()
Beispiel #26
0
    def get_decompiled_func():
        f = ida_funcs.get_func(ida_kernwin.get_screen_ea())
        if f is None:
            Util.clear_output_window()
            print("[SPIRIT] Please position the cursor within a function")
            return True

        cfunc = ida_hexrays.decompile(f)
        if cfunc is None:
            Util.clear_output_window()
            print("[SPIRIT] Failed to decompile!")
            return True

        sb = cfunc.get_pseudocode()
        function_arr = []
        for line in sb:
            function_arr.append(ida_lines.tag_remove(line.line))
        return function_arr
Beispiel #27
0
def analyzeSingleFunction(startAddr, endAddr, searchString, paramIndex):
    #print"Analyzing Function Name: {}".format(GetFunctionName(startAddr))

    curAddr = startAddr

    # If some trace statements within this function don't match others, name the function with the
    # name used most often, which this dict will keep track of
    possibleNameList = dict()

    try:
        c = ida_hexrays.decompile(startAddr)
    except ida_hexrays.DecompilationFailure:
        print("Decompilation failure trying to decompile function at addr {}".
              format(hex(startAddr)))
        return ""

    for singleLine in findFuncCalls(str(c), searchString):
        leftJustifiedLine = singleLine.lstrip()
        if (leftJustifiedLine.startswith(searchString + "(")):
            #print leftJustifiedLine
            possibleName = analyzeSingleCall(leftJustifiedLine, paramIndex)

            if possibleName in possibleNameList:
                possibleNameList[
                    possibleName] = possibleNameList[possibleName] + 1
            else:
                possibleNameList[possibleName] = 1

    if (len(possibleNameList) == 0):
        print "No function names discovered for {}".format(
            GetFunctionName(startAddr))
        return ""

    print "All possible function names discovered for {}:\n\t{}".format(
        GetFunctionName(startAddr), "\n\t".join(possibleNameList))

    numUses = 0
    for fName in possibleNameList:
        if (possibleNameList[fName] > numUses):
            numUses = possibleNameList[fName]
            retVal = fName

    return fName
Beispiel #28
0
def get_func_type(funcea):
    """
    Try to get decompiled func type.
    If can't decompile func, try to get tinfo from funcea,
    And if funcaa doesn't have associated tinfo, try to guess type at funcea
    @return: tuple(type, fnames)
    """
    if not is_func(funcea):
        log.warn("%08X is not a func", funcea)
        return None
    funcea = get_func_start(funcea)
    try:
        xfunc = ida_hexrays.decompile(funcea)
        return xfunc.type.serialize()[:-1]
    except ida_hexrays.DecompilationFailure as ex:
        log.warn(
            "Couldn't decompile func at %08X: %s, getting or guessing func type from ea", funcea, ex
        )
        return get_or_guess_tinfo(funcea)
Beispiel #29
0
def post_func_type_change(pfn):
    ea = pfn.start_ea
    xrefs = idautils.XrefsTo(ea, ida_xref.XREF_USER)
    xrefs = list(filter(lambda x: x.type == ida_xref.dr_I and x.user == 1, xrefs))
    args_list = []
    if len(xrefs) == 0:
        return None, []
    try:
        xfunc = ida_hexrays.decompile(ea)
        func_ptr_typeinf = utils.get_typeinf_ptr(xfunc.type)
        for xref in xrefs:
            member, old_name, struct = ida_struct.get_member_by_id(xref.frm)
            if member is not None and struct is not None:
                args_list.append(
                    [struct, member, 0, func_ptr_typeinf, idaapi.TINFO_DEFINITE]
                )
    except Exception:
        pass
    return ida_struct.set_member_tinfo, args_list
Beispiel #30
0
def decompile_func(ea):
    if not init_hexrays_plugin():
        #print 'no here'
        return ''

    f = get_func(ea)
    if f is None:
        return ''

    cfunc = ida_hexrays.decompile(f)
    if cfunc is None:
        # Failed to decompile
        return ''

    lines = []
    sv = cfunc.get_pseudocode()
    for sline in sv:
        line = tag_remove(sline.line)
        lines.append(line)
    return lines
Beispiel #31
0
import ida_loader
import ida_hexrays
import ida_idp
import ida_entry

ida_auto.auto_wait()
ALL_DECOMPILERS = {
    ida_idp.PLFM_386 : ("hexrays", "hexx64"),
    ida_idp.PLFM_ARM : ("hexarm", "hexarm64"),
    ida_idp.PLFM_PPC : ("hexppc", "hexppc64"),
}
pair = ALL_DECOMPILERS.get(ida_idp.ph.id, None)
if pair:
    decompiler = pair[1 if ida_ida.cvar.inf.is_64bit() else 0]
    if ida_loader.load_plugin(decompiler) and ida_hexrays.init_hexrays_plugin():
        eqty = ida_entry.get_entry_qty()
        if eqty:
            ea = ida_entry.get_entry(ida_entry.get_entry_ordinal(0))
            print("Decompiling at: %X" % ea)
            cf = ida_hexrays.decompile(ea)
            if cf:
                print(cf)
            else:
                print("Decompilation failed")
        else:
            print("No known entrypoint. Cannot decompile.")
    else:
        print("Couldn't load or initialize decompiler: \"%s\"" % decompiler)
else:
    print("No known decompilers for architecture with ID: %d" % ida_idp.ph.id)