def get_guid(address): """get GUID located by address""" guid = list() guid.append(idc.get_wide_dword(address)) guid.append(idc.get_wide_word(address + 4)) guid.append(idc.get_wide_word(address + 6)) for addr in range(address + 8, address + 16, 1): guid.append(idc.get_wide_byte(addr)) return guid
def GetDyn(): phoff = idc.get_wide_dword(ida_ida.inf_get_min_ea() + 0x1c) + ida_ida.inf_get_min_ea() phnum = idc.get_wide_word(ida_ida.inf_get_min_ea() + 0x2c) phentsize = idc.get_wide_word(ida_ida.inf_get_min_ea() + 0x2a) for i in range(phnum): p_type = idc.get_wide_dword(phoff + phentsize * i) if p_type == 2: # PY_DYNAMIC dyn_addr = idc.get_wide_dword(phoff + phentsize * i + 8) return dyn_addr
def get_data_guids(self): ''' rename GUIDs in idb ''' EFI_GUID = 'EFI_GUID *' EFI_GUID_ID = idc.get_struc_id('EFI_GUID') segments = ['.text', '.data'] for segment in segments: seg_start, seg_end = 0, 0 for seg in idautils.Segments(): if idc.get_segm_name(seg) == segment: seg_start = idc.get_segm_start(seg) seg_end = idc.get_segm_end(seg) break ea = seg_start while (ea <= seg_end - 15): prot_name = '' if idc.get_name(ea, ida_name.GN_VISIBLE).find('unk_') != -1: find = False cur_guid = [] cur_guid.append(idc.get_wide_dword(ea)) cur_guid.append(idc.get_wide_word(ea + 4)) cur_guid.append(idc.get_wide_word(ea + 6)) for addr in range(ea + 8, ea + 16, 1): cur_guid.append(idc.get_wide_byte(addr)) if cur_guid == [0] * 11: ea += 1 continue for guid_place in [ 'ami_guids', 'asrock_guids', 'dell_guids', 'edk_guids', 'edk2_guids', 'lenovo_guids' ]: for name in self.Protocols[guid_place]: if self.Protocols[guid_place][name] == cur_guid: prot_name = name + '_' + \ '{addr:#x}'.format(addr=ea) record = { 'address': ea, 'service': 'unknown', 'guid': cur_guid, 'protocol_name': name, 'protocol_place': guid_place } find = True break if find: break if find and (idc.get_name(ea, ida_name.GN_VISIBLE) != prot_name): idc.SetType(ea, EFI_GUID) self.apply_struct(ea, 16, EFI_GUID_ID) idc.set_name(ea, prot_name) self.Protocols['data'].append(record) ea += 1
def get_data_guids(self): """rename GUIDs in idb""" EFI_GUID = "EFI_GUID" EFI_GUID_ID = idc.get_struc_id("EFI_GUID") segments = [".text", ".data"] for segment in segments: seg_start, seg_end = 0, 0 for seg in idautils.Segments(): if idc.get_segm_name(seg) == segment: seg_start = idc.get_segm_start(seg) seg_end = idc.get_segm_end(seg) break ea = seg_start while ea <= seg_end - 15: prot_name = str() if "unk" in idc.get_name(ea, ida_name.GN_VISIBLE): find = False cur_guid = list() cur_guid.append(idc.get_wide_dword(ea)) cur_guid.append(idc.get_wide_word(ea + 4)) cur_guid.append(idc.get_wide_word(ea + 6)) for addr in range(ea + 8, ea + 16, 1): cur_guid.append(idc.get_wide_byte(addr)) if cur_guid == [0] * 11: ea += 1 continue for guid_place in [ "ami_guids", "asrock_guids", "dell_guids", "edk_guids", "edk2_guids", "lenovo_guids", ]: for name in self.Protocols[guid_place]: if self.Protocols[guid_place][name] == cur_guid: prot_name = f"{name}_{ea:016X}" record = { "address": ea, "service": "unknown", "guid": cur_guid, "protocol_name": name, "protocol_place": guid_place, } find = True break if find: break if find and (idc.get_name(ea, ida_name.GN_VISIBLE) != prot_name): idc.SetType(ea, EFI_GUID) self.apply_struct(ea, 16, EFI_GUID_ID) idc.set_name(ea, prot_name) self.Protocols["data"].append(record) ea += 1
def get_cmmt(ea,offset): addr = idc.get_wide_word(offset)+0x400000 text = idc.get_strlit_contents(addr) if text is not None: text = str(text,encoding="utf-8") print("0x%x %s addr:0x%x "%(offset,text,addr)) set_cmmts(ea,text)
def run(self, arg): arch = idc.get_wide_word(ida_ida.inf_get_min_ea() + 0x12) if arch == 0x3E: # EM_X86_64 PltResolver64() elif arch == 0x3: # EM_386 PltResolver32() else: print('[-] Only support EM_X86_64 and EM_386') return 1
def activate(self, ctx): print(ctx) arch = idc.get_wide_word(ida_ida.inf_get_min_ea() + 0x12) if arch == 0x3E: # EM_X86_64 PltResolver64(self.debug_mode) elif arch == 0x3: # EM_386 PltResolver32(self.debug_mode) else: print('[-] Only support EM_X86_64 and EM_386') return 1
def find_bl_targets(text_start, text_end): targets = set() for pc in range(text_start, text_end, 4): d = idc.get_wide_word(pc) if (d & 0xfc000000) == 0x94000000: imm = d & 0x3ffffff if imm & 0x2000000: imm |= ~0x1ffffff if 0 <= imm <= 2: continue target = pc + imm * 4 if target >= text_start and target < text_end: targets.add(target) return targets
def load(self, addr, dtyp): if addr is Unknown: return Unknown if not is_mapped_data(addr): return Unknown if dtyp == idaapi.dt_qword: return idc.get_qword(addr) elif dtyp == idaapi.dt_dword: return idc.get_wide_dword(addr) elif dtyp == idaapi.dt_word: return idc.get_wide_word(addr) elif dtyp == idaapi.dt_byte: return idc.get_wide_byte(addr) return Unknown
def read_word(ea, wordsize=WORD_SIZE): """Get the word at the given address. Words are read using Byte(), Word(), Dword(), or Qword(), as appropriate. Addresses are checked using is_mapped(). If the address isn't mapped, then None is returned. """ if not is_mapped(ea, wordsize): return None if wordsize == 1: return idc.get_wide_byte(ea) if wordsize == 2: return idc.get_wide_word(ea) if wordsize == 4: return idc.get_wide_dword(ea) if wordsize == 8: return idc.get_qword(ea) raise ValueError('Invalid argument: wordsize={}'.format(wordsize))
def resolve_calls_through_register(ea): next_instr_addr = idc.get_wide_dword(ea + 1) # Check if that's just a parameter passing through stack if ea & 0xFFFF0000 != next_instr_addr & 0xFFFF0000: return if next_instr_addr - ea > 0x100: return if idc.get_wide_byte(ea + 6) & 0xF0 in [0x20, 0xE0]: call_param = 0x9000 + idc.get_wide_byte(ea + 6) ^ 0x30 else: call_param = idc.get_wide_word(ea + 6) ^ 0x30 fill_with_nops(ea, next_instr_addr) idc.patch_byte(ea, 0xFF) idc.patch_word(ea + 1, call_param) idc.create_insn(ea) return True
def getWordValue(self, addr): return idc.get_wide_word(addr)
def cmd_get_word(self, addr): return str(idc.get_wide_word(int(addr, 0)))
def load_file(li, neflags, format): li.seek(0) magic = li.read(3) version = ord(li.read(1)) size = struct.unpack("<L", li.read(4))[0] selector = 0 offset = 0 set_processor_type("SWF-AS3", SETPROC_LOADER) if (magic == "CWS"): compressed = li.read(size-8) data = zlib.decompress(compressed) set_selector(selector, 0) add_segm(selector, offset, size, None, None, ADDSEG_QUIET) set_segm_addressing(getseg(offset), 1) put_bytes(0, "F") put_bytes(1, "W") put_bytes(2, "S") put_bytes(3, chr(version)) put_bytes(4, struct.pack("<L", size)) put_bytes(8, data) else: li.file2base(offset, offset, size, idaapi.FILEREG_PATCHABLE) end = 0xC + read_rect_size(li) set_selector(selector, 0) add_segm(selector, offset, end, "Header", "UNDEF") set_segm_addressing(getseg(offset), 1) while (offset < size): try: selector += 1 offset = end tag_code_and_length = idc.get_wide_word(offset) tag_type = tag_code_and_length >> 6 length = tag_code_and_length & 0x3F if (length == 0x3F): length = idc.get_wide_dword(offset + 2) end = offset + 6 + length else: end = offset + 2 + length set_selector(selector, 0) if (tag_type in types): if (types[tag_type] in code): add_segm(selector, offset, end, types[tag_type], "CODE") else: add_segm(selector, offset, end, types[tag_type], "DATA") set_segm_addressing(getseg(offset), 1) if (types[tag_type] == "End"): break else: add_segm(selector, offset, end, "Tag%02X" % tag_type, "DATA") set_segm_addressing(getseg(offset), 1) except: break disable_auto(0 , size) return 1