def init(self): if not ida_hexrays.init_hexrays_plugin(): print("D-810 need Hex-Rays decompiler. Skipping") return idaapi.PLUGIN_SKIP kv = ida_kernwin.get_kernel_version().split(".") if (int(kv[0]) < 7) or (int(kv[1]) < 5): print("D-810 need IDA version >= 7.5. Skipping") return idaapi.PLUGIN_SKIP print("D-810 initialized (version {0})".format(D810_VERSION)) return idaapi.PLUGIN_OK
def hook(self): if self._available is None: if not ida_hexrays.init_hexrays_plugin(): self._plugin.logger.info("Hex-Rays SDK is not available") self._available = False else: ida_hexrays.install_hexrays_callback(self._hxe_callback) self._available = True if self._available: self._installed = True
def run(self, arg): new_idx = (self.current_idx + 1) % len( hx_switch_plugin_t.hx_alternatives) plugin_id = hx_switch_plugin_t.hx_alternatives[self.current_idx] new_plugin_id = hx_switch_plugin_t.hx_alternatives[new_idx] print '[+] Switching to [%d]: %s' % (new_idx, repr(new_plugin_id)) ptr = ida_plugins.find_plugin(plugin_id) if not ptr: print '[!] Unable to locate the plugin description block' return False # Close all pseudocode views, otherwise IDA will crash on unload self.hx_hook.close_hx_views() # Temporarily unhook, avoid messing with `hexdsp` self.hx_hook.unhook() # Set unload flag ptr.contents.flags |= idaapi.PLUGIN_UNL # Replace the "run plugin" function with a dummy, so no more nags ptr.contents.run = hx_switch_plugin_t.plugin_t_run_dummy # Call the plugin and cue IDA to unload it ida_plugins.run_plugin(ptr, 0) # Load the new plugin ida_plugins.find_plugin(new_plugin_id, True) # Sometimes `ida_hexrays` forget to re-initialize, causing crash on # switching decompilers and closing database ida_hexrays.init_hexrays_plugin() # Hook again to record views self.hx_hook.hook() self.current_idx = new_idx return True
def init(self): if ida_hexrays.init_hexrays_plugin(): i = hexrays_callback_info() ida_kernwin.register_action( ida_kernwin.action_desc_t( inverter_actname, "Invert then/else", invert_action_handler_t(i), "I")) self.vds3_hooks = vds3_hooks_t(i) self.vds3_hooks.hook() return ida_idaapi.PLUGIN_KEEP # keep us in the memory
def init(self): self.vds5_hooks = None if not ida_hexrays.init_hexrays_plugin(): idaapi.msg("hexrays-graph: hexrays is not available.") return idaapi.PLUGIN_SKIP ida_kernwin.register_action( ida_kernwin.action_desc_t(ACTION_NAME, "Hex-Rays show C graph (IDAPython)", display_graph_ah_t(), ACTION_SHORTCUT)) self.vds5_hooks = vds5_hooks_t() self.vds5_hooks.hook() return idaapi.PLUGIN_KEEP
def init(self): if not ida_hexrays.init_hexrays_plugin(): print("pyhexraysdeob: no decompiler, skipping") return ida_idaapi.PLUGIN_SKIP print("Hex-rays version %s has been detected, %s ready to use" % (ida_hexrays.get_hexrays_version(), self.wanted_name)) import sys modules_path = os.path.join(my_dirname, "pyhexraysdeob_modules") if not modules_path in sys.path: sys.path.append(modules_path) return ida_idaapi.PLUGIN_OK
def init(self): result = idaapi.PLUGIN_SKIP if ida_hexrays.init_hexrays_plugin(): try: self.config = load_cfg() except: ida_kernwin.warning(( "%s failed parsing %s.\n" "If fixing this config file manually doesn't help, please delete the file and re-run the plugin.\n\n" "The plugin will now terminate." % (PLUGIN_NAME, get_cfg_filename()))) else: result = idaapi.PLUGIN_KEEP return result
def init(self): print('IDABuddy init') if not ida_hexrays.init_hexrays_plugin(): db_error('Failed to initialize Hex-Rays SDK') return ida_idaapi.PLUGIN_SKIP # actions registration block register(MakeItConst) self.hx_hook = BuddyHooks() self.hx_hook.hook() return ida_idaapi.PLUGIN_KEEP
def load_decompiler(): ALL_DECOMPILERS = { ida_idp.PLFM_386: ("hexrays", "hexx64"), ida_idp.PLFM_ARM: ("hexarm", "hexarm64"), ida_idp.PLFM_PPC: ("hexppc", "hexppc64"), } pair = ALL_DECOMPILERS.get(ida_idp.ph.id, None) if pair: decompiler = pair[1 if ida_ida.cvar.inf.is_64bit() else 0] if ida_loader.load_plugin( decompiler) and ida_hexrays.init_hexrays_plugin(): return True else: print("Couldn't load or initialize decompiler: \"%s\"" % decompiler) else: print("No known decompilers for architecture with ID: %d" % ida_idp.ph.id)
def main(): show_banner() print "Unregistering old action..." ida_kernwin.unregister_action(ACTION_NAME) if ida_hexrays.init_hexrays_plugin(): ida_kernwin.register_action( ida_kernwin.action_desc_t(ACTION_NAME, "Keep sanity (stack strings)", stack_strings_ah_t(), None)) print "Registered new action" idaapi.install_hexrays_callback(cb) else: print "[x] No decompiler found!" return
def init(self): """ This is called by IDA when it is loading the plugin. """ # only bother to load the plugin for relevant sessions if not is_amd64_idb(): return ida_idaapi.PLUGIN_SKIP # ensure the x64 decompiler is loaded ida_loader.load_plugin("hexx64") assert ida_hexrays.init_hexrays_plugin( ), "Missing Hexx64 Decompiler..." # initialize the AVX lifter self.avx_lifter = AVXLifter() self.avx_lifter.install() sys.modules["__main__"].lifter = self.avx_lifter # mark the plugin as loaded self.loaded = True return ida_idaapi.PLUGIN_KEEP
def main(): if not ida_hexrays.init_hexrays_plugin(): return False print("Hex-rays version %s has been detected" % ida_hexrays.get_hexrays_version()) f = ida_funcs.get_func(ida_kernwin.get_screen_ea()) if f is None: print("Please position the cursor within a function") return True cfunc = ida_hexrays.decompile(f) if cfunc is None: print("Failed to decompile!") return True sv = cfunc.get_pseudocode() for sline in sv: print(ida_lines.tag_remove(sline.line)) return True
def init_hexrays(): ALL_DECOMPILERS = { ida_idp.PLFM_386: "hexrays", ida_idp.PLFM_ARM: "hexarm", ida_idp.PLFM_PPC: "hexppc", ida_idp.PLFM_MIPS: "hexmips", } cpu = ida_idp.ph.id decompiler = ALL_DECOMPILERS.get(cpu, None) if not decompiler: print("No known decompilers for architecture with ID: %d" % ida_idp.ph.id) return False if ida_ida.inf_is_64bit(): if cpu == ida_idp.PLFM_386: decompiler = "hexx64" else: decompiler += "64" if ida_loader.load_plugin( decompiler) and ida_hexrays.init_hexrays_plugin(): return True else: print('Couldn\'t load or initialize decompiler: "%s"' % decompiler) return False
def init(self): return idaapi.PLUGIN_KEEP if ida_hexrays.init_hexrays_plugin( ) else idaapi.PLUGIN_SKIP
def main(): ida_auto.auto_wait() ALL_DECOMPILERS = { ida_idp.PLFM_386: ("hexrays", "hexx64"), ida_idp.PLFM_ARM: ("hexarm", "hexarm64"), ida_idp.PLFM_PPC: ("hexppc", "hexppc64"), } pair = ALL_DECOMPILERS.get(ida_idp.ph.id, None) if pair: decompiler = pair[1 if ida_ida.cvar.inf.is_64bit() else 0] if ida_loader.load_plugin( decompiler) and ida_hexrays.init_hexrays_plugin(): eqty = ida_entry.get_entry_qty() if eqty: decompiled = [] # For all entrypoints for i in xrange(0, eqty): # Get current ea ea = ida_entry.get_entry(ida_entry.get_entry_ordinal(i)) # Get segment class seg = getseg(ea) # Loop from segment start to end func_ea = seg.startEA # Get a function at the start of the segment (if any) func = get_func(func_ea) if func is None: # No function there, try to get the next one func = get_next_func(func_ea) seg_end = seg.end_ea while func is not None and func.start_ea < seg_end: funcea = func.start_ea # Skip function if already decompiled if get_func_name(funcea) not in decompiled: decompiled.append(get_func_name(funcea)) print "Function %s at 0x%X" % ( get_func_name(funcea), funcea) print("Decompiling at: 0x%X" % funcea) try: cf = ida_hexrays.decompile(funcea) if cf: print(cf) else: print("Decompilation failed") except: print('') func = get_next_func(funcea) else: print("No known entrypoint. Cannot decompile.") else: print("Couldn't load or initialize decompiler: \"%s\"" % decompiler) else: print("No known decompilers for architecture with ID: %d" % ida_idp.ph.id) print decompiled
def init(self): if ida_hexrays.init_hexrays_plugin(): self.optimizer = sample_optimizer_t() self.optimizer.install() print("Installed sample optimizer for 'x | ~x'") return ida_idaapi.PLUGIN_KEEP # keep us in the memory
# we're inside a literal. if c == delim: delim = None # literal ended elif c == '"' or c == "'": delim = c # string/char literal started elif c.isspace(): end = l.lstrip() nptr = my_tag_skipcodes(end, out) dbg("end: '%s', nptr: '%s'" % (end, nptr)) # do not concatenate idents if not is_cident_char(last) or not is_cident_char(nptr[0]): l = end c = l[0] if l else '' dbg("new l: '%s'" % l) last = l[0] if l else '' sl.line = "".join(out) class vds6_hooks_t(ida_hexrays.Hexrays_Hooks): def func_printed(self, cfunc): for sl in cfunc.get_pseudocode(): remove_spaces(sl); return 0 if ida_hexrays.init_hexrays_plugin(): vds6_hooks = vds6_hooks_t() vds6_hooks.hook() else: print('remove spaces: hexrays is not available.')
import ida_auto import ida_loader import ida_hexrays import ida_idp import ida_entry ida_auto.auto_wait() ALL_DECOMPILERS = { ida_idp.PLFM_386 : ("hexrays", "hexx64"), ida_idp.PLFM_ARM : ("hexarm", "hexarm64"), ida_idp.PLFM_PPC : ("hexppc", "hexppc64"), } pair = ALL_DECOMPILERS.get(ida_idp.ph.id, None) if pair: decompiler = pair[1 if ida_ida.cvar.inf.is_64bit() else 0] if ida_loader.load_plugin(decompiler) and ida_hexrays.init_hexrays_plugin(): eqty = ida_entry.get_entry_qty() if eqty: ea = ida_entry.get_entry(ida_entry.get_entry_ordinal(0)) print("Decompiling at: %X" % ea) cf = ida_hexrays.decompile(ea) if cf: print(cf) else: print("Decompilation failed") else: print("No known entrypoint. Cannot decompile.") else: print("Couldn't load or initialize decompiler: \"%s\"" % decompiler) else: print("No known decompilers for architecture with ID: %d" % ida_idp.ph.id)
def plugin_loaded(self, plugin_info): if plugin_info.name == "Hex-Rays Decompiler": if ida_hexrays.init_hexrays_plugin(): self.hexrays_support = True ida_hexrays.install_hexrays_callback(self.hxe_callback) print("[AMIE] Hex-Rays decompiler is supported")
def update_vtable_struct( functions_ea, vtable_struct, class_name, this_type=None, get_next_func_callback=get_vtable_line, vtable_head=None, ignore_list=None, add_dummy_member=False, pure_virtual_name=None, parent_name=None, add_func_this=True, force_rename_vtable_head=False, # rename vtable head even if it is already named by IDA # if it's not named, then it will be renamed anyway ): # pylint: disable=too-many-arguments,too-many-locals,too-many-branches # TODO: refactor if this_type is None: this_type = utils.get_typeinf_ptr(class_name) if not add_func_this: this_type = None func_ea, next_func = get_next_func_callback( functions_ea, ignore_list=ignore_list, pure_virtual_name=pure_virtual_name, ) dummy_i = 1 offset = 0 while func_ea is not None: new_func_name, _ = update_func_name_with_class(func_ea, class_name) func_ptr = None if ida_hexrays.init_hexrays_plugin(): fix_userpurge(func_ea, idc.TINFO_DEFINITE) update_func_this(func_ea, this_type, idc.TINFO_DEFINITE) func_ptr = utils.get_typeinf_ptr(utils.get_func_tinfo(func_ea)) else: func_ptr = make_funcptr_pt(func_ea, this_type) # TODO: maybe try to get or guess type? if add_dummy_member: utils.add_to_struct(vtable_struct, "dummy_%d" % dummy_i, func_ptr) dummy_i += 1 offset += utils.WORD_LEN ptr_member = utils.add_to_struct( vtable_struct, new_func_name, func_ptr, offset, overwrite=True, is_offs=True ) if ptr_member is None: log.error( "Couldn't add %s(%s) to vtable struct 0x%X at offset 0x%X", new_func_name, str(func_ptr), vtable_struct.id, offset, ) offset += utils.WORD_LEN if not ida_xref.add_dref(ptr_member.id, func_ea, ida_xref.XREF_USER | ida_xref.dr_I): log.warn( "Couldn't create xref between member %s and func %s", ida_struct.get_member_name(ptr_member.id), idc.get_name(func_ea), ) func_ea, next_func = get_next_func_callback( next_func, ignore_list=ignore_list, pure_virtual_name=pure_virtual_name, ) vtable_size = ida_struct.get_struc_size(vtable_struct) if vtable_head is None: vtable_head = functions_ea # ida_bytes.del_items(vtable_head, ida_bytes.DELIT_SIMPLE, vtable_size) ida_bytes.create_struct(vtable_head, vtable_size, vtable_struct.id) if not idc.hasUserName(idc.get_full_flags(vtable_head)) or force_rename_vtable_head: if parent_name is None and this_type: parent = utils.deref_struct_from_tinfo(this_type) parent_name = ida_struct.get_struc_name(parent.id) if parent_name == class_name: parent_name = None idc.set_name( vtable_head, get_vtable_instance_name(class_name, parent_name), ida_name.SN_CHECK | ida_name.SN_FORCE, )
import ida_hexrays import ida_idp import ida_entry ida_auto.auto_wait() ALL_DECOMPILERS = { ida_idp.PLFM_386: ("hexrays", "hexx64"), ida_idp.PLFM_ARM: ("hexarm", "hexarm64"), ida_idp.PLFM_PPC: ("hexppc", "hexppc64"), ida_idp.PLFM_MIPS: ("hexmips", "hexmips64"), } pair = ALL_DECOMPILERS.get(ida_idp.ph.id, None) if pair: decompiler = pair[1 if ida_ida.cvar.inf.is_64bit() else 0] if ida_loader.load_plugin( decompiler) and ida_hexrays.init_hexrays_plugin(): eqty = ida_entry.get_entry_qty() if eqty: ea = ida_entry.get_entry(ida_entry.get_entry_ordinal(0)) print("Decompiling at: %X" % ea) cf = ida_hexrays.decompile(ea) if cf: print(cf) else: print("Decompilation failed") else: print("No known entrypoint. Cannot decompile.") else: print("Couldn't load or initialize decompiler: \"%s\"" % decompiler) else: print("No known decompilers for architecture with ID: %d" % ida_idp.ph.id)
def update_vtable_struct( functions_ea, vtable_struct, class_name, this_type=None, get_next_func_callback=get_vtable_line, vtable_head=None, ignore_list=None, add_dummy_member=False, pure_virtual_name=None, parent_name=None, add_func_this=True, ): is_first_member = True if this_type is None: this_type = utils.get_typeinf_ptr(class_name) if not add_func_this: this_type = None func, next_func = get_next_func_callback( functions_ea, ignore_list=ignore_list, pure_virtual_name=pure_virtual_name ) dummy_i = 1 while func is not None: new_func_name, is_name_changed = update_func_name_with_class(func, class_name) func_ptr = None if ida_hexrays.init_hexrays_plugin(): if is_name_changed: func_type = update_func_this(func, this_type) else: func_type = update_func_this(func, None) if func_type is not None: func_ptr = utils.get_typeinf_ptr(func_type) else: func_ptr = make_funcptr_pt(func, this_type) if add_dummy_member: utils.add_to_struct(vtable_struct, f"dummy_{dummy_i}", func_ptr) dummy_i += 1 if is_first_member: # We did an hack for vtables contained in union vtable with one dummy member ptr_member = utils.add_to_struct( vtable_struct, new_func_name, func_ptr, 0, overwrite=True ) is_first_member = False else: ptr_member = utils.add_to_struct( vtable_struct, new_func_name, func_ptr, is_offset=True ) if ptr_member is None: logging.exception( "Couldn't add %s(%s) to %d", new_func_name, str(func_ptr), vtable_struct.id, ) ida_xref.add_dref(ptr_member.id, func, ida_xref.XREF_USER | ida_xref.dr_I) func, next_func = get_next_func_callback( next_func, ignore_list=ignore_list, pure_virtual_name=pure_virtual_name ) vtable_size = ida_struct.get_struc_size(vtable_struct) if vtable_head is None: vtable_head = functions_ea ida_bytes.del_items(vtable_head, ida_bytes.DELIT_SIMPLE, vtable_size) ida_bytes.create_struct(vtable_head, vtable_size, vtable_struct.id) if parent_name is None and this_type: parent = utils.deref_struct_from_tinfo(this_type) parent_name = ida_struct.get_struc_name(parent.id) if parent_name == class_name: parent_name = None utils.set_name_retry(vtable_head, get_vtable_instance_name(class_name, parent_name))
def is_compatible(): """Checks whether script is compatible with current IDA and decompiler versions.""" min_ida_ver = "7.2" return is_ida_version(min_ida_ver) and ida_hexrays.init_hexrays_plugin()
def _init_hx(): from ida_hexrays import init_hexrays_plugin init_hexrays_plugin()
def init(self): if ida_hexrays.init_hexrays_plugin(): self.optimizer = goto_optimizer_t() self.optimizer.install() return ida_idaapi.PLUGIN_KEEP # keep us in the memory
def init(self): if ida_hexrays.init_hexrays_plugin(): self.vds6_hooks = vds6_hooks_t() self.vds6_hooks.hook() return ida_idaapi.PLUGIN_KEEP # keep us in the memory
if c == delim: delim = None # literal ended elif c == '"' or c == "'": delim = c # string/char literal started elif c.isspace(): end = l.lstrip() nptr = my_tag_skipcodes(end, out) dbg("end: '%s', nptr: '%s'" % (end, nptr)) # do not concatenate idents if not is_cident_char(last) or not is_cident_char(nptr[0]): l = end c = l[0] if l else '' dbg("new l: '%s'" % l) last = l[0] if l else '' sl.line = "".join(out) class vds6_hooks_t(ida_hexrays.Hexrays_Hooks): def func_printed(self, cfunc): for sl in cfunc.get_pseudocode(): remove_spaces(sl) return 0 if ida_hexrays.init_hexrays_plugin(): vds6_hooks = vds6_hooks_t() vds6_hooks.hook() else: print('remove spaces: hexrays is not available.')
for i in range(0, nimps): name = idaapi.get_import_module_name(i) if not name: continue if "ntdll" in name: idaapi.enum_import_names(i, imp_cb) if nt_power_information is not None: break output_filename = basename(ida_nalt.get_input_file_path()) \ + ida_nalt.get_root_filename() + ".dec" if nt_power_information: ida_auto.auto_wait() if ida_loader.load_plugin("hexx64") and ida_hexrays.init_hexrays_plugin(): code_xrefs = idautils.CodeRefsTo(nt_power_information, 1) for cx in code_xrefs: cf = ida_hexrays.decompile(cx) if cf: with open(output_filename, "a") as fd: fd.write(str(cf) + '\n') else: with open(output_filename, "a") as fd: fd.write("[!] Decompilation failed\n") else: with open(output_filename, "a") as fd: fd.write("[!] Decompiler loading failed\n") else: with open(output_filename, "a") as fd: fd.write("[+] NtPowerInformation import was not found\n")