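def react_operator(idx, ctx):
    """Rewrite a matched ``operator<<`` call as ``res = <arg1> << (arg2)``.

    ``idx`` is the matched ctree instruction and ``ctx`` the match context
    holding the bound items: the callee object (``function``), the two call
    arguments (``arg1``, ``arg2``) and the result variable (``res``).  The
    tree is left untouched unless the callee's demangled name contains
    ``operator<<``.  Returns ``None``; IDA/helper errors propagate.
    """
    print('%x' % idx.ea)
    fcn_object = ctx.get_obj("function")
    # The first character of the raw symbol is dropped before demangling.
    # The original note says this variant worked on ELF and the commented
    # one (no strip) on Mach-O; which prefix is being removed is not
    # visible here -- TODO confirm before reusing on another file format.
    demangled = ida_name.demangle_name(
        ida_name.get_name(fcn_object.addr)[1:], 0)
    #demangled = ida_name.demangle_name(ida_name.get_name(fcn_object.addr), 0)
    print(demangled)
    # demangle_name() returns None for a name it cannot demangle.  Symbol
    # names come from the (untrusted) binary under analysis, so never
    # assume the callee carries a mangled C++ name.
    if not demangled or "operator<<" not in demangled:
        return
    arg1 = ctx.get_expr('arg1')[0]
    arg2 = ctx.get_expr('arg2')[0]
    arg1_repr = get_string_repr(arg1, ctx)
    var = ctx.get_var("res")
    varexp = make_var_expr(var.idx, var.typ, var.mba)
    # arg2 is the helper's only real argument; arg1's textual form is
    # folded into the helper's display name ("<arg1> << ").
    arglist = ida_hexrays.carglist_t()
    arglist.push_back(arg2)
    helper = ida_hexrays.call_helper(
        ida_hexrays.dummy_ptrtype(4, False), arglist,
        "{} << ".format(arg1_repr))
    insn = make_cexpr_insn(idx.ea, make_asgn_expr(varexp, helper))
    # Swap the replacement into the tree; after qswap the local wrapper
    # holds the original (already cleaned-up) instruction, so release it.
    idx.cleanup()
    idaapi.qswap(idx, insn)
    del insn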
def inverse_if(cif):
    """Invert an ``if`` node in place: swap its branches, negate its condition.

    ``cif`` is a Hex-Rays ``cif_t``.  When the condition is already a
    logical NOT its operand becomes the new condition; otherwise
    ``idaapi.lnot`` produces the negation.  The new condition's SWIG
    ownership flag is cleared before it is stored so the Python wrapper
    does not free the C++ object the tree now references.
    """
    idaapi.qswap(cif.ithen, cif.ielse)
    old_cond = cif.expr
    already_negated = old_cond.op == idaapi.cot_lnot
    # Peel the outer NOT when there is one; otherwise ask Hex-Rays to negate.
    negated = idaapi.cexpr_t(
        old_cond.x if already_negated else idaapi.lnot(old_cond))
    negated.thisown = False
    cif.expr = negated
    del old_cond
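def replacer_strlen_global(idx, ctx):
    """Replace a matched inlined strlen over a global with ``res = strlen_inlined(obj)``.

    ``idx`` is the matched ctree instruction; ``ctx`` supplies the bound
    result variable (``res``) and the global object (``strlenarg``).
    Returns ``None``; IDA/helper errors propagate.
    """
    var = ctx.get_var("res")
    obj = ctx.get_obj("strlenarg")
    varexp = make_var_expr(var.idx, var.typ, var.mba)
    # arg=True presumably marks the object expression as a call argument;
    # see make_obj_expr for the exact meaning.
    arg1 = make_obj_expr(obj.addr, obj.type, arg=True)
    arglist = ida_hexrays.carglist_t()
    arglist.push_back(arg1)
    val = ida_hexrays.call_helper(
        ida_hexrays.dummy_ptrtype(4, False), arglist, "strlen_inlined")
    insn = make_cexpr_insn(idx.ea, make_asgn_expr(varexp, val))
    # Swap the replacement into the tree; after qswap the local wrapper
    # holds the original (already cleaned-up) instruction, so release it.
    idx.cleanup()
    idaapi.qswap(idx, insn)
    del insn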
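def replace_item(self, item, new_item, is_forced=False):
    """Swap ``new_item`` into the ctree in place of ``item``.

    Unless ``is_forced`` is set, the replacement is first checked via
    ``self.is_replacing_possible`` on a ``TreeModificationContext`` and
    silently skipped when refused.  ``item``'s address and label are
    carried over to ``new_item`` when the latter has none (``BADADDR`` /
    ``-1``).  On success ``self.is_tree_modified`` is set.  An exception
    raised by the swap is reported, with its message, instead of being
    propagated.
    """
    tmc = TreeModificationContext(self, item)
    if not is_forced and not self.is_replacing_possible(tmc):
        return
    if new_item.ea == idaapi.BADADDR and item.ea != idaapi.BADADDR:
        new_item.ea = item.ea
    if new_item.label_num == -1 and item.label_num != -1:
        new_item.label_num = item.label_num
    try:
        idaapi.qswap(item, new_item)
        self.is_tree_modified = True
    except Exception as e:
        # Best-effort replacement: keep going, but do not hide the cause.
        print("[!] Got an exception during ctree instr replacing: %s" % e)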
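def invert_if(self, cfunc, insn):
    """Invert the ``if`` instruction ``insn``: swap branches, negate condition.

    Returns ``False`` (tree untouched) when ``insn`` is not an ``if`` or
    lacks either branch, ``True`` after the rewrite.  ``cfunc`` is part of
    the signature but unused here.
    """
    if insn.opname != 'if':
        return False
    cif = insn.details
    if not cif.ithen or not cif.ielse:
        return False
    idaapi.qswap(cif.ithen, cif.ielse)
    # Negate a copy: lnot() may destroy its top-level cexpr_t and return a
    # pointer to a child, and cif.expr must stay valid for the swap below.
    cond = idaapi.cexpr_t(cif.expr)
    notcond = idaapi.lnot(cond)
    # 'notcond' now wraps the C++ object; clear ownership on 'cond' so the
    # two Python wrappers cannot free it twice.
    cond.thisown = 0
    cif.expr.swap(notcond)
    return True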
def invert_if(self, cfunc, insn):
    """Invert the ``if`` instruction ``insn`` in place.

    The then/else branches are swapped and the condition negated.  Returns
    ``False`` without touching the tree when ``insn`` is not an ``if`` or
    one of its branches is missing, ``True`` otherwise.  ``cfunc`` is part
    of the signature but unused here.
    """
    if insn.opname != 'if':
        return False
    node = insn.details
    if not (node.ithen and node.ielse):
        return False
    idaapi.qswap(node.ithen, node.ielse)
    # Negate a copy so the tree's own cexpr_t stays valid for the swap.
    cond_copy = idaapi.cexpr_t(node.expr)
    negated = idaapi.lnot(cond_copy)
    # 'negated' now holds the reference to the C++ object; drop ownership
    # on 'cond_copy' so it is not freed twice.
    cond_copy.thisown = 0
    node.expr.swap(negated)
    return True
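def handle_string_destr(idx, ctx, len_ptr_delta=20):
    """Replace a matched inlined std::string destructor with a helper call.

    ``idx`` is the matched ctree instruction; ``ctx`` supplies the bound
    stack variables ``len`` and ``ptr``.  The rewrite happens only when
    ``offset(len) - offset(ptr)`` equals ``len_ptr_delta`` (20 by default,
    the layout the original pattern was written against -- where that
    number comes from is not recorded here, TODO confirm for other ABIs).
    Returns ``None``; IDA/helper errors propagate.
    """
    print('%x' % idx.ea)
    var = ctx.get_var('len')
    var2 = ctx.get_var('ptr')
    print(var)
    off1 = get_var_offset(ctx.fcn, var.idx)
    off2 = get_var_offset(ctx.fcn, var2.idx)
    print(off1 - off2)
    if off1 - off2 != len_ptr_delta:
        return
    print("[+] Found string destructor")
    # arg=True presumably marks 'ptr' as a call-argument expression; see
    # make_var_expr.
    varexp = make_var_expr(var2.idx, var2.typ, var2.mba, arg=True)
    arglist = ida_hexrays.carglist_t()
    arglist.push_back(varexp)
    val = ida_hexrays.call_helper(
        ida_hexrays.dummy_ptrtype(4, False), arglist,
        "std::string::destructor")
    insn = make_cexpr_insn(idx.ea, val)
    # Swap the replacement into the tree; after qswap the local wrapper
    # holds the original (already cleaned-up) instruction, so release it.
    idx.cleanup()
    idaapi.qswap(idx, insn)
    del insn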
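def invert_if(self, cfunc, insn):
    """Invert the ``if`` instruction ``insn``: swap branches, negate condition.

    Returns ``False`` (tree untouched) when ``insn`` is not an ``if`` or
    lacks either branch, ``True`` after the rewrite.  ``cfunc`` is part of
    the signature but unused here.
    """
    if insn.opname != 'if':
        return False
    cif = insn.details
    if not cif.ithen or not cif.ielse:
        return False
    idaapi.qswap(cif.ithen, cif.ielse)
    # Make a copy of 'cif.expr': 'lnot' might destroy its toplevel
    # cexpr_t and return a pointer to its direct child (but we'll want to
    # 'swap' it later, the 'cif.expr' cexpr_t object must remain valid.)
    cond = idaapi.cexpr_t(cif.expr)
    notcond = idaapi.lnot(cond)
    # 'notcond' now wraps the C++ object; clear ownership on 'cond' so the
    # two Python wrappers cannot free it twice.
    cond.thisown = 0
    cif.expr.swap(notcond)
    return True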
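def react_operator2(idx, ctx):
    """Rewrite a matched ``operator<<`` call as the bare helper ``<arg1> << (arg2)``.

    Like ``react_operator`` but the result is not assigned to a variable.
    ``idx`` is the matched ctree instruction and ``ctx`` the match context
    holding the callee object (``function``) and the two call arguments
    (``arg1``, ``arg2``).  The tree is left untouched unless the callee's
    demangled name contains ``operator<<``.  Returns ``None``.
    """
    print('%x' % idx.ea)
    fcn_object = ctx.get_obj("function")
    # The first character of the raw symbol is dropped before demangling.
    # The original note says this variant worked on ELF and the commented
    # one (no strip) on Mach-O; which prefix is being removed is not
    # visible here -- TODO confirm before reusing on another file format.
    demangled = ida_name.demangle_name(
        ida_name.get_name(fcn_object.addr)[1:], 0)
    #demangled = ida_name.demangle_name(ida_name.get_name(fcn_object.addr), 0)
    print(demangled)
    # demangle_name() returns None for a name it cannot demangle.  Symbol
    # names come from the (untrusted) binary under analysis, so never
    # assume the callee carries a mangled C++ name.
    if not demangled or "operator<<" not in demangled:
        return
    arg1 = ctx.get_expr('arg1')[0]
    arg1_repr = get_string_repr(arg1, ctx)
    arg2 = ctx.get_expr('arg2')[0]
    # arg2 is the helper's only real argument; arg1's textual form is
    # folded into the helper's display name ("<arg1> << ").
    arglist = ida_hexrays.carglist_t()
    arglist.push_back(arg2)
    val = ida_hexrays.call_helper(
        ida_hexrays.dummy_ptrtype(4, False), arglist,
        "{} << ".format(arg1_repr))
    insn = make_cexpr_insn(idx.ea, val)
    # Swap the replacement into the tree; after qswap the local wrapper
    # holds the original (already cleaned-up) instruction, so release it.
    idx.cleanup()
    idaapi.qswap(idx, insn)
    del insn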
def inverse_if(cif):
    """Invert the ``if`` node ``cif`` in place.

    Negates the condition via ``inverse_if_condition`` and then swaps the
    then/else branches.  Returns ``None``.
    """
    inverse_if_condition(cif)
    idaapi.qswap(cif.ithen, cif.ielse)
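def _split_dword_into_members(sptr, offset, value):
    """Distribute the 32-bit ``value`` over the struct members starting at ``offset``.

    Walks the members of ``sptr`` from ``offset`` until four bytes are
    covered and returns ``[(offset_within_dword, member_value), ...]``,
    assigning the low bytes of ``value`` to the lowest member (little-endian
    split).  Bits of ``value`` above the consumed 32 are silently dropped.
    Returns ``None`` -- after printing the reason -- when a member is
    missing, crosses the 4-byte window, or has a size other than 1 or 2
    (a full 4-byte member is rejected too; whether it should be accepted
    is not decided here -- TODO confirm).
    """
    fields = []
    inner_offset = 0
    remaining = value
    while inner_offset < 4:
        memb = ida_struct.get_member(sptr, offset + inner_offset)
        if memb is None:
            print("Not enought members!")
            return None
        size = ida_struct.get_member_size(memb)
        if inner_offset + size > 4:
            print("Size fail!(%d bytes lenft but member size is %d)" % (
                4 - inner_offset, size))
            return None
        if size == 1:
            val = remaining & 0xff
            remaining >>= 8
        elif size == 2:
            val = remaining & 0xffff
            remaining >>= 16
        else:
            print("Unkn size")
            return None
        fields.append((inner_offset, val))
        inner_offset += size
    return fields


def replace_dword_in_struct(idx, ctx):
    """Expand a matched dword store into a struct into per-member assignments.

    ``idx`` is the matched ctree instruction; ``ctx`` supplies the member
    access expression (``struct_part``), the struct variable
    (``struct_var``) and the stored constant (``values``).  The struct type
    is looked up by the printed type name of ``struct_part``'s base; if it
    is unknown, or the members at the target offset do not tile the dword
    into 1- and 2-byte pieces, nothing is changed and ``None`` is returned.
    Otherwise the instruction is replaced by a block of one assignment per
    member and ``True`` is returned.
    """
    print('%x' % idx.ea)
    struct_expr = ctx.get_expr('struct_part')[0]
    var = ctx.get_var("struct_var")
    values = ctx.get_expr('values')[0]
    offset = struct_expr.m
    N = extract_number(values)
    typename = struct_expr.x.type.dstr()
    s_id = ida_struct.get_struc_id(typename)
    if s_id == idc.BADADDR:
        return
    sptr = ida_struct.get_struc(s_id)
    fields = _split_dword_into_members(sptr, offset, N)
    if fields is None:
        print("Not suitable!")
        return
    inslist = [make_asgn_refvar_number(idx.ea, var, offset + rel, val)
               for rel, val in fields]
    # The assignments go in as a plain (non-foldable) block.  A "foldable"
    # variant that wrapped the block in an if() on a helper "fold"
    # condition was tried and made IDA crash at exit, so it is not used.
    blk = make_cblk(inslist)
    cblk = make_cblock_insn(idx.ea, blk)
    # Swap the block into the tree; after qswap the local wrapper holds the
    # original (already cleaned-up) instruction, so release it.
    idx.cleanup()
    idaapi.qswap(idx, cblk)
    del cblk
    return True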