Ejemplo n.º 1
    def resolveCallingAddressBackwards(self, func, target, start, end):
        start is callingAddr
        end is curFun.start
        pc = start
        pc = idc.prev_head(pc, 0)
        while pc > end:
            opcode = idc.GetMnem(pc)
            opTarget = idc.print_operand(pc, 0)
            # print hex(pc)
            # print opcode
            # print target
            # print '\n'

            value = None
            if opcode in self.collectRegMnem and opTarget == target:
                return None

            if opcode in self.assignRegMnem and opTarget == target:
                if opcode == 'MOV':
                    nextTarget = idc.print_operand(pc, 1)
                    return self.resolveCallingAddressBackwards(func, nextTarget, pc, end)
                elif opcode == 'LDR':
                    dataref = list(idautils.DataRefsFrom(pc))[0]
                    value = idc.print_operand(dataref, 0)

                    return value
            pc = idc.prev_head(pc, 0)
        return None
Ejemplo n.º 2
def find_all_ioctls():
    From the currently selected address attempts to traverse all blocks inside the current function to find all immediate values which
    are used for a comparison/sub immediately before a jz. Returns a list of address, second operand pairs.

    ioctls = []
    # Find the currently selected function and get a list of all of it's basic blocks
    addr = idc.get_screen_ea()
    f = idaapi.get_func(addr)
    fc = idaapi.FlowChart(f, flags=idaapi.FC_PREDS)
    for block in fc:
        # grab the last two instructions in the block
        last_inst = idc.prev_head(block.end_ea)
        penultimate_inst = idc.prev_head(last_inst)
        # If the penultimate instruction is cmp or sub against an immediate value immediately preceding a 'jz'
        # then it's a decent guess that it's an IOCTL code (if this is a dispatch function)
        if idc.print_insn_mnem(penultimate_inst) in [
                'cmp', 'sub'
        ] and idc.get_operand_type(penultimate_inst, 1) == 5:
            if idc.print_insn_mnem(last_inst) == 'jz':
                value = get_operand_value(penultimate_inst)
                ioctls.append((penultimate_inst, value))
                ioctl_tracker.add_ioctl(penultimate_inst, value)
    return ioctls
Ejemplo n.º 3
 def get_protocols(self):
     """found UEFI protocols information in idb"""
     for service_name in self.gBServices:
         for address in self.gBServices[service_name]:
             ea, found = address, False
             if self.arch == 'x86':
                 for _ in range(1, 25):
                     ea = idc.prev_head(ea)
                     if (idc.get_operand_value(ea, 0) > self.base
                             and idc.print_insn_mnem(ea) == 'push'):
                         found = True
             if self.arch == 'x64':
                 for _ in range(1, 16):
                     ea = idc.prev_head(ea)
                     if (idc.get_operand_value(ea, 1) > self.base
                             and idc.print_insn_mnem(ea) == 'lea'):
                         found = True
             if not found:
             for xref in idautils.DataRefsFrom(ea):
                 if idc.print_insn_mnem(xref):
                 if not check_guid(xref):
                 cur_guid = get_guid(xref)
                 record = {
                     'address': xref,
                     'service': service_name,
                     'guid': cur_guid,
                 if not self.Protocols['all'].count(record):
Ejemplo n.º 4
def main():
    print("[*] loading crypto constants")
    for const in non_sparse_consts:
        const["byte_array"] = convert_to_byte_array(const)

    for start in idautils.Segments():
        print("[*] searching for crypto constants in %s" % idc.get_segm_name(start))
        ea = start
        while ea < idc.get_segm_end(start):
            bbbb = list(struct.unpack("BBBB", idc.get_bytes(ea, 4)))
            for const in non_sparse_consts:
                if bbbb != const["byte_array"][:4]:
                if map(lambda x:ord(x), idc.get_bytes(ea, len(const["byte_array"]))) == const["byte_array"]:
                    print(("0x%0" + str(digits) + "X: found const array %s (used in %s)") % (ea, const["name"], const["algorithm"]))
                    idc.set_name(ea, const["name"])
                    if const["size"] == "B":
                    elif const["size"] == "L":
                    elif const["size"] == "Q":
                    idc.make_array(ea, len(const["array"]))
                    ea += len(const["byte_array"]) - 4
            ea += 4

        ea = start
        if idc.get_segm_attr(ea, idc.SEGATTR_TYPE) == 2:
            while ea < idc.get_segm_end(start):
                d = ida_bytes.get_dword(ea)
                for const in sparse_consts:
                    if d != const["array"][0]:
                    tmp = ea + 4
                    for val in const["array"][1:]:
                        for i in range(8):
                            if ida_bytes.get_dword(tmp + i) == val:
                                tmp = tmp + i + 4
                        print(("0x%0" + str(digits) + "X: found sparse constants for %s") % (ea, const["algorithm"]))
                        cmt = idc.get_cmt(idc.prev_head(ea), 0)
                        if cmt:
                            idc.set_cmt(idc.prev_head(ea), cmt + ' ' + const["name"], 0)
                            idc.set_cmt(idc.prev_head(ea), const["name"], 0)
                        ea = tmp
                ea += 1
    print("[*] finished")
Ejemplo n.º 5
def trace_rep_mov(stack_var, loc, func_ea, state):
    Helper function to trace back a rep mov
    loc = idc.prev_head(loc)
    while loc != func_ea:
        mnem = idc.print_insn_mnem(loc)
        if mnem == 'lea' and idc.print_operand(loc, 0) == 'edi':
            if stack_var == get_operand_value_replacement(loc, 1, state):
                return trace_register('esi', loc, func_ea, state)
            return None
        loc = idc.prev_head(loc)
    return None
Ejemplo n.º 6
def get_stacked_bytes(dec_func_addr):
    func_stacked_bytes_addr_dict = {}
    xrefs = idautils.CodeRefsTo(dec_func_addr, 0)

    for xref in xrefs:
        prev_addr = idc.prev_head(xref)
        prev_addr_2 = idc.prev_head(prev_addr)

        if idc.print_insn_mnem(prev_addr_2) == "call":
            func_name = idc.print_operand(prev_addr_2, 0)
            func_addr = idc.get_name_ea_simple(func_name)
            func_stacked_bytes_addr_dict[xref] = func_addr

    # enc_mod_addr = list(set(enc_mod_addr)) # [Debug] Get unique functions only

    for xref, stacked_bytes_addr in func_stacked_bytes_addr_dict.items():
        print(f"Address: {hex(stacked_bytes_addr)}")
        func_ea = idc.get_func_attr(stacked_bytes_addr, idc.FUNCATTR_START)
        bytes_collected = bytearray()  # Collected stack string store here

        for ins in idautils.FuncItems(func_ea):
            if ida_bytes.is_code(ida_bytes.get_full_flags(ins)):
                if idc.print_insn_mnem(ins) == "mov":
                    if idc.get_operand_type(ins, 1) == idc.o_imm:
                        # disasm = idc.GetDisasm(ins) # [Debug]
                        hex_str_len = len(
                            idc.print_operand(ins, 1).lstrip("0").rstrip("h"))
                        const_hex_byte = idc.print_operand(
                            ins, 1).lstrip("0").rstrip("h")

                        if hex_str_len != 8:  # Skip if const hex byte less than 8
                            append_zero = "0" * (8 - hex_str_len)
                            const_hex_byte = append_zero + const_hex_byte
                            # print(struct.pack("<I", int(const_hex_byte, 16))) # [Debug]

                        # else:
                        # print(struct.pack("<I", int(const_hex_byte, 16))) # [Debug]
                        bytes_collected += struct.pack("<I",
                                                       int(const_hex_byte, 16))

        if len(bytes_collected) >= 1:
            cmt_str = ""
            if dec_func_addr == 0x10001253:  # fn_name_addr
                cmt_str = decode_fnname(bytes_collected[4:])
            elif dec_func_addr == 0x1000122B:  # mod_name_addr
                cmt_str = decode_modname(bytes_collected[4:])
            idc.set_cmt(xref, cmt_str, 1)  # Comment near xref decoder function
            print(f"[-] {hex(stacked_bytes_addr)} addr error")
Ejemplo n.º 7
def ret_vals(bbl):
    iaddr = idc.prev_head(bbl.end_ea)
    while idc.next_head(iaddr) != bbl.start_ea:
        if is_eax_written(iaddr) and is_nothing_read(iaddr):
            return [idc.get_operand_value(iaddr, 1)]
        if is_eax_read(iaddr):
            return []
        iaddr = idc.prev_head(iaddr)

    ret = []
    for bb in bbl.preds():
        ret = ret + ret_vals(bb)

    return ret
Ejemplo n.º 8
def get_con2_var_or_num(i_cnt, cur_addr):
    :param i_cnt: the register of the virtual call
    :param cur_addr: the current address in the memory
    :return: "success" string and the address of the vtable's location. if it fails it sends the reason and -1
    start_addr = idc.get_func_attr(cur_addr, idc.FUNCATTR_START)
    virt_call_addr = cur_addr
    cur_addr = idc.prev_head(cur_addr)
    dct_arch = get_arch_dct()
    if dct_arch == -1:
        return 'Wrong Architechture', "-1", cur_addr

    while cur_addr >= start_addr:
        if idc.print_insn_mnem(
                cur_addr)[:3] == dct_arch["opcode"] and idc.print_operand(
                    cur_addr, 0) == i_cnt:  # TODO lea ?
            opnd2 = idc.print_operand(cur_addr, 1)
            place = opnd2.find(dct_arch["separator"])
            if place != -1:  # if the function is not the first in the vtable
                register = opnd2[opnd2.find('[') + 1:place]
                if opnd2.find('*') == -1:
                    offset = opnd2[place +
                    offset = "*"
                return register, offset, cur_addr
                offset = "0"
                if opnd2.find(']') != -1:
                    register = opnd2[opnd2.find('[') + 1:opnd2.find(']')]
                    register = opnd2
                return register, offset, cur_addr
        elif idc.print_insn_mnem(cur_addr)[:4] == "call":
            intr_func_name = idc.print_operand(cur_addr, 0)
            # In case the code has CFG -> ignores the function call before the virtual calls
            if "guard_check_icall_fptr" not in intr_func_name:
                if "nullsub" not in intr_func_name:
                    # intr_func_name = idc.Demangle(intr_func_name, idc.GetLongPrm(idc.INF_SHORT_DN))
                        "Warning! At address 0x%08x: The vtable assignment might be in another function (Maybe %s),"
                        " could not place BP." %
                        (virt_call_addr, intr_func_name))
                cur_addr = start_addr
        cur_addr = idc.prev_head(cur_addr)
    return "out of the function", "-1", cur_addr

    return '', 0, cur_addr
Ejemplo n.º 9
    def get_branch_type(self):
        if self.bbl == None:
            return -1

        addr = self.addr
        while addr != self.bbl.end_ea:
            mnem = idc.print_insn_mnem(addr).lower()
            if mnem.startswith("call"):
                if op_type[idc.get_operand_type(addr,0)] != "o_near" and\
                    op_type[idc.get_operand_type(addr,0)] != "o_far":
                    return ICALL
                    return CALL
            addr = idc.next_head(addr)

        addr = idc.prev_head(self.bbl.end_ea)
        mnem = idc.print_insn_mnem(addr).lower()
        if mnem in u_jumps or mnem in c_jumps:
            if op_type[idc.get_operand_type(addr,0)] != "o_near" and\
                op_type[idc.get_operand_type(addr,0)] != "o_far":
                return IJMP
                if mnem in u_jumps:
                    return JMP
                    return CJMP
        elif self.bbl.type >= 2 and self.bbl.type <= 5:
            return RET

        return NA
Ejemplo n.º 10
    def find_ehfuncinfo_addr(self):
        for eh_addr in self.frmhdlr_xref:
            addr_ = eh_addr
            for i in range(0, self.MAX_SEARCH):
                addr_ = idc.prev_head(addr_)
                mnem = idc.print_insn_mnem(addr_)

                ### locate the ehfuncInfo address
                if mnem == 'mov' and idc.get_operand_type(
                        addr_, 0) == o_reg and idc.get_operand_type(
                            addr_, 1) == o_imm:
                    op1 = idc.print_operand(addr_, 0)
                    op2 = idc.print_operand(addr_, 1)

                    ## eh function info address
                    eh_func_info_addr = get_operand_value(addr_, 1)

                    #print(hex(addr_), mnem, op1, op2,hex(eh_func_info_addr))

                    ### locate the ptryBlockMapAddr
                    for ad in idautils.XrefsTo(addr_, flags=0):
                        seh_init_addr = ad.frm
                        "[+] seh_frame_addr: {} ehFuncInfo_struct_addr: {}\n------------------------------------------------------------------"
                        .format(hex(addr_), hex(eh_func_info_addr)))

                    ### locate the xref of the _cxxframehandler ehfuncinfo
                    self.parse_func_info_entry(seh_init_addr, addr_,
Ejemplo n.º 11
def getMinorDispatchTableAddress(ea):
    """find address of last lea in function"""
    start = idc.get_func_attr(ea, idc.FUNCATTR_START)
    end = idc.prev_head(idc.get_func_attr(ea, idc.FUNCATTR_END), start)
    res = prevMnemonic(end, 'lea', start)
    assert res != idc.BADADDR
    return idc.get_operand_value(res, 1)
Ejemplo n.º 12
def is_eax_set(bbl):
    iaddr = idc.prev_head(bbl.end_ea)
    while idc.next_head(iaddr) != bbl.start_ea:
        if is_eax_written(iaddr):
            return True
        if is_eax_read(iaddr):
            return False
        iaddr = idc.prev_head(iaddr)

    ret = True
    for bb in bbl.preds():
        ret = ret & is_eax_set(bb)
        if ret == False:
    return ret
Ejemplo n.º 13
def replace_sym_const(ea, api):
    for arg_n in api_list[api].keys():
        # Calling Convention: cdecl, stdcall
        push_cnt = 0
        ea_search = ea
        while push_cnt < arg_n:
            ea_search = idc.prev_head(ea_search)
            op = idc.print_insn_mnem(ea_search)
            if op == "push":
                push_cnt += 1

        operand = idc.print_operand(ea_search, 0)
        if operand.isdigit():
            operand = int(idc.print_operand(ea_search, 0))

        enum_name = api + "_" + str(arg_n)
        const = api_list[api][arg_n][operand]

        enum_id = ida_enum.get_enum(enum_name)
        if enum_id == BADADDR:
            # add new enum
            enum_qty = ida_enum.get_enum_qty()
            enum_id = ida_enum.add_enum(enum_qty, enum_name, 0)

        symbolic_id = ida_enum.get_enum_member_by_name(const)
        if symbolic_id == BADADDR:
            # add new enum member
            ida_enum.add_enum_member(enum_id, const, operand, 0xffffffff)

        ida_bytes.op_enum(ea_search, 0, enum_id, 0)
Ejemplo n.º 14
    def track_register(self, ea, target_dest_reg):

        f_start = idc.get_func_attr(ea, idc.FUNCATTR_START)
        f_end = idc.get_func_attr(ea, idc.FUNCATTR_END)

        curr_ea = ea
        dst = None
        src = None

        target = target_dest_reg.lower()
        target_dest_reg = target_dest_reg.lower()

        target_value = None
        target_ea = idc.BADADDR
        target_type = None
        previous_call = None

        ret_dict = {}

        while curr_ea != idc.BADADDR:
            #instruction = idc.GetDisasm(curr_ea)

            # print "0x%08x %s" % (curr_ea, instruction)

            # looking for the previous place this register was assigned a value
            mnem = idc.print_insn_mnem(curr_ea).lower()
            dst = idc.print_operand(curr_ea, 0).lower()
            src = idc.print_operand(curr_ea, 1).lower()

            if dst == target and self.is_set_argument_instr(mnem):
                target = src
                target_value = src
                target_ea = curr_ea
                # print "            new target set %s (type=%d)" % (target, idc.get_operand_type(curr_ea, 1))
                if target.startswith("="):

            if dst == target == "r0" and self.is_call_instr(mnem):
                target_value = "<return from previous call>"
                previous_call = curr_ea
            # step to previous instruction
            curr_ea = idc.prev_head(curr_ea - 1, f_start)

        if target_value:
            # print ">>> 0x%08x, %s is set to %s @ 0x%08x" % (ea, target_dest_reg, target_value, target_ea)
            ret_dict = {
                "target": target_dest_reg,
                "value": target_value,
                "target_ea": target_ea,
                "ea": ea

            if previous_call:
                ret_dict["previous_call"] = previous_call

            return ret_dict

        # fall through if nothing is found
        return {}
def AEG_GuessArgs(addr):
    _iter_addr = addr
    ret = []
    while 1:
        _iter_addr = idc.prev_head(_iter_addr)
        _iter_instr = AEG_Instruction(_iter_addr)
        _op = _iter_instr.GetOperator()
        if _op in ('jmp', 'call', 'ret', 'retn', 'leave'):
        elif 'j' in _op:
        elif _op == 'mov':
            _opnd0 = _iter_instr.GetOperand(0)
            if INFO_BITS == 32:
                ## mov [esp+xx] , xxx
                if 'esp' in _opnd0 and ']' in _opnd0:
                if 'di' in _opnd0 or 'si' in _opnd0 or 'dx' in _opnd0 or 'cx' in _opnd0:
        elif _op == 'push':
        elif 'lea' == _op:
            ## lea rsi, xxx
            _opnd0 = _iter_instr.GetOperand(0)
            if 'si' in _opnd0 or 'di' in _opnd0:

    return ret
Ejemplo n.º 16
def decrypt_all_strings(decrypt_string_func_ea):
    for ref in idautils.CodeRefsTo(decrypt_string_func_ea, 1):
        # this function can be better. I hate it rn but oh well

        prev_instruction_ea = 0x472DAC if ref == translate_ea(
            0x1db3) else idc.prev_head(ref)

        if idc.print_insn_mnem(
                prev_instruction_ea) == 'push' or idc.print_insn_mnem(
                    prev_instruction_ea) == 'lea':
            encrypted_blob_ea = idc.get_operand_value(
                1) if ref == translate_ea(0x1db3) else idc.get_operand_value(
                    prev_instruction_ea, 0)
            length = int.from_bytes(idaapi.get_bytes(encrypted_blob_ea - 4, 4),
            #print(hex(prev_instruction_ea) + " and " + hex(encrypted_blob_ea) + " and " + hex(length))
            encrypted_blob = [
                x for x in idaapi.get_bytes(encrypted_blob_ea, length)
            encrypted_blob = decrypt_config(encrypted_blob, length)
            string = ''
            for each in encrypted_blob:
                if each != 0:
                    string += chr(each)
                encrypted_blob_ea)] = string
def resolve_all_APIs(resolve_ea, mode):
    if resolve_ea is None:
        print('resolve fails..')

    for ref in idautils.CodeRefsTo(resolve_ea, 1):
        # only 1 ref

        curr_ea = ref
        while True:
            prev_instruction_ea = idc.prev_head(curr_ea)
            if mode == 1:
                if idc.print_insn_mnem(prev_instruction_ea) == 'push':
                    hash_val = idc.get_operand_value(prev_instruction_ea, 0)
                    if hash_val in export_hashes:
                        print(hex(ref) + ' : ' + export_hashes[hash_val])
                        idc.set_cmt(ref, export_hashes[hash_val], 0)
                if idc.print_insn_mnem(prev_instruction_ea) == 'mov':
                    hash_val = idc.get_operand_value(prev_instruction_ea, 1)
                    if hash_val in export_hashes:
                        print(hex(ref) + ' : ' + export_hashes[hash_val])
                        idc.set_cmt(ref, export_hashes[hash_val], 0)
            curr_ea = prev_instruction_ea
Ejemplo n.º 18
def trace_register_family(reg, loc, func_ea, state=None):
    Trace a provided register to the location in which any member of its register family is set. If it is set using a
    mov operation, the value is either an o_imm type (return the immediate value) or an o_mem type, that means the
    referenced location MAY a pointer to the actual data, which we need to acquire. We validate this by ensuring the
    acquired value is within the loaded memory range of the application. Otherwise we return idc.BADADDR.

    If the register is set using an lea operation, it is likely done so using a stack variable (which we validate)
    and then trace back to determine how the stack variable is set.

    :param reg: The referenced register which a location is loaded into
    :param loc: The starting offset for tracing back from
    :param func_ea: Starting function offset
    :param state: the current TraceState (a new state will be created if one is not provided)

    :return: The acquired location, or idc.BADADDR
    if state is None:
        state = TraceState()
    reg_fam = unsafe_get_reg_fam(reg)
    if reg_fam:
        loc = idc.prev_head(loc)
        while loc != func_ea:
            opnd = idc.print_operand(loc, 0)
            op_type_1 = idc.get_operand_type(loc, 1)
            opval_1 = idc.get_operand_value(loc, 1)
            mnem = idc.print_insn_mnem(loc)
            if 'mov' in mnem and opnd in reg_fam:
                if op_type_1 == idc.o_imm:
                    return opval_1
                elif op_type_1 == idc.o_mem:
                    poss_loc = idc.get_wide_dword(opval_1)
                    if idaapi.cvar.inf.minEA <= poss_loc < idaapi.cvar.inf.maxEA:
                        return poss_loc
                        return opval_1
                    return idc.BADADDR
            elif mnem == 'lea' and op_type_1 == idc.o_displ and opnd in reg_fam:
                stack_var = get_operand_value_replacement(loc, 1, state)
                return trace_stack_var(stack_var, loc, func_ea, state)
            elif is_64_bit() and mnem == 'lea' and opnd in reg_fam:
                if op_type_1 == idc.o_mem:
                    return opval_1
            loc = idc.prev_head(loc)
    return idc.BADADDR
Ejemplo n.º 19
def trace_register_family_x64(reg, loc, func_ea, state=None):
    Shouldn't be any different than trace_register_family except for continuing a trace if a register is loaded into
    the target register. However, using it in trace_register_family was not behaving properly, so keeping it separate
    for now. Also unsure of what the repercussions would be of adding that into the existing trace_register_family.

    :param reg: The referenced register which a location is loaded into
    :param loc: The starting offset for tracing back from
    :param func_ea: Starting function offset
    :param state: the current TraceState

    :return: The acquired location, or idc.BADADDR
    if state is None:
        state = TraceState()
    reg_fam = unsafe_get_reg_fam(reg)
    if reg_fam:
        loc = idc.prev_head(loc)
        while loc != func_ea:
            opnd = idc.print_operand(loc, 0)
            op_type_1 = idc.get_operand_type(loc, 1)
            opval_1 = idc.get_operand_value(loc, 1)
            mnem = idc.print_insn_mnem(loc)
            if "mov" in mnem and opnd in reg_fam:
                if op_type_1 == idc.o_imm:
                    return opval_1
                elif op_type_1 == idc.o_mem:
                    poss_loc = idc.get_wide_dword(opval_1)
                    if idaapi.cvar.inf.minEA <= poss_loc < idaapi.cvar.inf.maxEA:
                        return poss_loc
                        return opval_1
                elif op_type_1 == idc.o_reg:
                    return trace_register_family_x64(idc.print_operand(loc, 1),
                                                     loc, func_ea, state)
                    return idc.BADADDR
            elif mnem == "lea" and op_type_1 == idc.o_displ and opnd in reg_fam:
                stack_var = get_operand_value_replacement(loc, 1, state)
                return trace_stack_var(stack_var, loc, func_ea, state)
            elif is_64_bit() and mnem == "lea" and opnd in reg_fam:
                if op_type_1 == idc.o_mem:
                    return opval_1
            loc = idc.prev_head(loc)
    return idc.BADADDR
Ejemplo n.º 20
def get_bb_ends(address):
    Get end addresses of all bbs in function containing address.
    :param address: address in function
    :return: list of bb end addresses
    function = idaapi.get_func(address)
    flowchart = idaapi.FlowChart(function)
    return [idc.prev_head(bb.end_ea) for bb in flowchart]
Ejemplo n.º 21
def get_bb_ends(address):
    Get end addresses of all bbs in function containing address.
    :param address: address in function
    :return: list of bb end addresses
    function = idaapi.get_func(address)
    flowchart = idaapi.FlowChart(function)
    return [idc.prev_head(bb.end_ea) for bb in flowchart]
Ejemplo n.º 22
def trace_stack_var(stack_var, loc, func_ea, state=None):
    Trace a provided stack variable to the location in which it is set. If it is set using a mov operation, the
    value may be set from a register, which we then need to call back to trace_register in order to acquire the
    value. Otherwise it is either an o_imm type (return the immediate value) or an o_mem type, that means the
    referenced location MAY a pointer to the actual data, which we need to acquire. We validate this by ensuring
    the acquired value is within the loaded memory range of the application. Otherwise we return idc.BADADDR.

    :param stack_var: The stack variable which a location is loaded into
    :param loc: The starting offset for tracing back from
    :param func_ea: Starting function offset
    :param state: the current TraceState

    :return: The acquired location, or idc.BADADDR
    if state is None:
        state = TraceState()
    loc = idc.prev_head(loc)
    while loc != func_ea:
        op_type_1 = idc.get_operand_type(loc, 1)
        opval_1 = idc.get_operand_value(loc, 1)
        mnem = idc.print_insn_mnem(loc)
        dis = idc.GetDisasm(loc)
        if mnem == "mov" and stack_var == get_operand_value_replacement(
                loc, 0, state):
            if op_type_1 == idc.o_reg:
                return trace_register(idc.print_operand(loc, 1), loc, func_ea,
            elif op_type_1 == idc.o_imm:
                return opval_1
            elif op_type_1 == idc.o_mem:
                poss_loc = idc.get_wide_dword(opval_1)
                if idaapi.cvar.inf.minEA <= poss_loc < idaapi.cvar.inf.maxEA:
                    return poss_loc
                    return opval_1
                return idc.BADADDR
        elif any(x in dis for x in MOVS):
            result = trace_rep_mov(stack_var, loc, func_ea, state)
            if result:
                return result
        loc = idc.prev_head(loc)
    return idc.BADADDR
Ejemplo n.º 23
def hand_register(line, start_ea, reg_target):
    current = line
    while (current >= start_ea):
        current = idc.prev_head(current)
        if (idc.print_insn_mnem(current) == 'jmp'):
            return hand_block(line, current, reg_target)
        if (idc.print_operand(current, 0)
                == reg_target) and (idc.print_insn_mnem(current)
                                    in ['mov', 'lea']):
            return idc.print_operand(current, 1)
Ejemplo n.º 24
 def func_bound(self):
     if self.func == None:
         return (IDA_ERROR, IDA_ERROR)
     fend = idc.prev_head(self.func.end_ea)
     if self.addr == fend:
         if idc.print_insn_mnem(self.addr) in u_jumps:
             return (RESOLVE_NAME, RESOLVE_NAME)
             return (IDA_ERROR, IDA_ERROR)
     return (self.func.start_ea, fend)
Ejemplo n.º 25
 def set_types(self):
     handle (EFI_BOOT_SERVICES *) type
     and (EFI_SYSTEM_TABLE *) for x64 images
     RAX = 0
     O_REG = 1
     O_MEM = 2
     empty = True
     for service in self.gBServices:
         for address in self.gBServices[service]:
             ea = address
             num_of_attempts = 10
             for _ in range(num_of_attempts):
                 ea = idc.prev_head(ea)
                 if (idc.print_insn_mnem(ea) == 'mov'
                         and idc.get_operand_type(ea, 1) == O_MEM):
                     if (idc.get_operand_type(ea, 0) == O_REG
                             and idc.get_operand_value(ea, 0) == RAX):
                         gvar = idc.get_operand_value(ea, 1)
                         gvar_type = idc.get_type(gvar)
                         if (EFI_SYSTEM_TABLE *)
                         if ((gvar_type != 'EFI_SYSTEM_TABLE *') and \
                             (idc.print_operand(address, 0).find('rax') == 1)
                             if self._find_est(gvar, ea, address):
                                     '[ {0} ] Type ({type}) successfully applied'
                                 empty = False
                         otherwise it (EFI_BOOT_SERVICES *)
                         if (gvar_type != 'EFI_BOOT_SERVICES *'
                                 and gvar_type != 'EFI_SYSTEM_TABLE *'):
                             if idc.SetType(gvar, EFI_BOOT_SERVICES):
                                 empty = False
                                     '[ {0} ] Type ({type}) successfully applied'
     if empty:
         print(' * list is empty')
Ejemplo n.º 26
def find_function_starts(location, start_mnem_bytes=None):
        Identifies all possible function starts since the most recent function or Align.

        location - The EA to search before
        start_mnem_bytes - Try to start functions on a particular instruction
                           Instructions are entered as space separated bytes (i.e. '55' for 'push ebp')
                           The specified pattern will be used first, then the defaults will be used
                           If no pattern is specified, the defaults will be used, which prefers 'push ebp'

        starts - A list of function end EAs sorted: start_mnem_bytes, push ebp, (push esp, push esi, push edi)
    # foreach target bytes:
    #  step instructions up
    #  if instruction matches the target bytes, add to the corresponding output list
    #  if we hit a function or an align, quit
    # return starts in the order:
    #  start_nmem_bytes
    #  push ebp
    #  others, sorted ascending

    min_location = None
    ea = location
    while min_location is None:
        ea = idc.prev_head(ea)
        if idaapi.get_func(ea) or idc.is_align(idc.get_full_flags(ea)):
            min_location = ea
        elif ea == idc.BADADDR:
            min_location = idaapi.getseg(location).start_ea
    min_location = max(min_location, idaapi.getseg(location).start_ea)

    targets = ['55', '54', '56', '57']
    if start_mnem_bytes:
        targets.insert(0, start_mnem_bytes)

    starts = {}
    for target in targets:
        function_starts = []
        ea = find_binary_instruction_start(location - 1, idc.SEARCH_UP, target,
        while ea != idc.BADADDR:
            if ea < min_location:
            ea = find_binary_instruction_start(ea - 1, idc.SEARCH_UP, target,
        starts[target] = function_starts

    return (starts[start_mnem_bytes] if start_mnem_bytes else []) + starts['55'] + \
           sorted(itertools.chain.from_iterable(starts[target] for target in targets[-3:]))
Ejemplo n.º 27
 def imp_cb(ea, name, ord):
     if name in funcs:
         for xref in idautils.XrefsTo(ea):
             call_addr = xref.frm
             caller_name = idc.get_func_name(call_addr)
             prev = idc.prev_head(call_addr)
             for _ in range(10):
                 if idc.get_cmt(prev, 0) == 'Tag' and idc.get_operand_type(
                         prev, 1) == 5:
                     tag_raw = idc.get_operand_value(prev, 1)
                     tag = ''
                     for i in range(3, -1, -1):
                         tag += chr((tag_raw >> 8 * i) & 0xFF)
                     if tag in tags.keys():
                         tags[tag] = set([caller_name])
                 prev = idc.prev_head(prev)
     return True
Ejemplo n.º 28
def find_function_starts_near(location, start_mnem_bytes=None):
        Identifies the nearest possible function starts since the most recent function or Align.

        location - The EA to search before
        start_mnem_bytes - Try to start functions on a particular instruction
                           Instructions are entered as space separated bytes (i.e. '55' for 'push ebp')
                           The specified pattern will be used first, then the defaults will be used
                           If no pattern is specified, the defaults will be used, which prefers 'push ebp'

        starts - A list of function end EAs sorted: start_mnem_bytes, push ebp, (push esp, push esi, push edi)
    # foreach target bytes:
    #  step instructions up
    #  if instruction matches the target bytes, add to output list
    #   then move on to the next target bytes
    #  if we hit a function or an align, quit
    # return starts in the order
    #  start_nmem_bytes
    #  push ebp
    #  others, sorted descending

    min_location = None
    ea = location
    while min_location is None:
        ea = idc.prev_head(ea)
        if idaapi.get_func(ea) or idc.is_align(idc.get_full_flags(ea)):
            min_location = ea
        elif ea == idc.BADADDR:
            min_location = idaapi.getseg(location).start_ea
    min_location = max(min_location, idaapi.getseg(location).start_ea)

    targets = ['55', '54', '56', '57']
    if start_mnem_bytes:
        targets.insert(0, start_mnem_bytes)

    starts = {}
    for target in targets:
        ea = find_binary_instruction_start(location - 1, idc.SEARCH_UP, target,
        if ea != idc.BADADDR:
            starts[target] = ea

    return [
        start for start in (
            [starts.get(start_mnem_bytes, None),
             starts.get('55', None)] +
            sorted([starts.get(target, None) for target in targets[-3:]],
                   reverse=True)) if start
Ejemplo n.º 29
def find_arg_ea(ea_call, arg_name):
    """ Return ea of argument by looking backwards from library function

    ea_call -- effective address of call
    arg_name -- the argument name to look for
    # the search for previous instruction/data will stop at the specified
    # address (inclusive)
    prev_instr = idc.prev_head(ea_call, ea_call - PREVIOUS_INSTR_DELTA)
    while prev_instr > (ea_call - ARG_SEARCH_THRESHOLD) and \
            prev_instr != idaapi.BADADDR:
        # False indicates not to look for repeatable comments
        comment = idc.get_cmt(prev_instr, False)
        if comment == arg_name:
            return prev_instr
        prev_instr = idc.prev_head(prev_instr,
                                   prev_instr - PREVIOUS_INSTR_DELTA)
    raise ArgumentNotFoundException(
        '  Argument {} not found within threshold'.format(arg_name))
Ejemplo n.º 30
 def set_types(self):
     handle (EFI_BOOT_SERVICES *) type
     RAX = 0
     O_REG = 1
     O_MEM = 2
     empty = True
     for service in self.gBServices:
         for address in self.gBServices[service]:
             ea = address
             num_of_attempts = 10
             for _ in range(num_of_attempts):
                 ea = idc.prev_head(ea)
                 if (idc.GetMnem(ea) == "mov"
                         and idc.get_operand_type(ea, 1) == O_MEM):
                     if (idc.get_operand_type(ea, 0) == O_REG
                             and idc.get_operand_value(ea, 0) == RAX):
                         gBs_var = idc.get_operand_value(ea, 1)
                         gBs_var_type = idc.get_type(gBs_var)
                         if (gBs_var_type == "EFI_BOOT_SERVICES *"):
                             empty = False
                             print("[{0}] EFI_BOOT_SERVICES->{1}".format(
                             print("\t [address] {0}".format(
                             print("\t [message] type already applied")
                         if idc.SetType(gBs_var, EFI_BOOT_SERVICES):
                             empty = False
                             print("[{0}] EFI_BOOT_SERVICES->{1}".format(
                             print("\t [address] {0}".format(
                             print("\t [message] type successfully applied")
                             empty = False
                             print("[{0}] EFI_BOOT_SERVICES->{1}".format(
                             print("\t [address] {0}".format(
                             print("\t [message] type not applied")
     if empty:
         print(" * list is empty")
Ejemplo n.º 31
def find_function_arg_with_operand_value(addr, mnemonic, register, value,
    00000000000167FC mov     [rsp+20h], rax
    idc.get_operand_value(0x167FC, 0) ==> 0x20

    for _ in range(20):  # looks up to 20 instructions behind
        addr = idc.prev_head(addr)
        if idc.print_insn_mnem(addr) == mnemonic and register in idc.print_operand(addr, idx_operand)\
                and idc.get_operand_value(addr, idx_operand) == value:
            return addr
    return None
Ejemplo n.º 32
 def get_protocols(self):
     found UEFI protocols information in idb
     for service_name in self.gBServices:
         for address in self.gBServices[service_name]:
             ea, found = address, False
             if self.arch == "x86":
                 for i in range(1, 25):
                     ea = idc.prev_head(ea)
                     if (idc.get_operand_value(ea, 0) > self.base
                             and idc.GetMnem(ea) == "push"):
                         found = True
             if self.arch == "x64":
                 for i in range(1, 16):
                     ea = idc.prev_head(ea)
                     if (idc.get_operand_value(ea, 1) > self.base
                             and idc.GetMnem(ea) == "lea"):
                         found = True
             if not found:
             for xref in idautils.DataRefsFrom(ea):
                 if (idc.GetMnem(xref) == ""):
                     cur_guid = utils.get_guid(xref)
                     if cur_guid != [0] * 11:
                         record = {
                             "address": xref,
                             "service": service_name,
                             "guid": cur_guid,
                         record["address"] = xref
                         record["service"] = service_name
                         record["guid"] = cur_guid
                         if not self.Protocols["All"].count(record):
Ejemplo n.º 33
def symbolic_exec():
    from miasm2.ir.symbexec import SymbolicExecutionEngine
    from miasm2.core.bin_stream_ida import bin_stream_ida

    from utils import guess_machine

    start, end = idc.SelStart(), idc.SelEnd()

    bs = bin_stream_ida()
    machine = guess_machine(addr=start)

    mdis = machine.dis_engine(bs)

    if start == idc.BADADDR and end == idc.BADADDR:
        start = idc.ScreenEA()
        end = idc.next_head(start) # Get next instruction address

    mdis.dont_dis = [end]
    asmcfg = mdis.dis_multiblock(start)
    ira = machine.ira(loc_db=mdis.loc_db)
    ircfg = ira.new_ircfg_from_asmcfg(asmcfg)

    print "Run symbolic execution..."
    sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init)
    sb.run_at(ircfg, start)
    modified = {}

    for dst, src in sb.modified(init_state=machine.mn.regs.regs_init):
        modified[dst] = src

    view = symbolicexec_t()
    if not view.Create(modified, machine, mdis.loc_db,
                       "Symbolic Execution - 0x%x to 0x%x"
                       % (start, idc.prev_head(end))):
