def find_mnem(target_ea, target_mnem, backward=False, threshold=0x100): assert target_ea is not None ea = target_ea addr = None visited = set() while True: mnem = ida_ua.ua_mnem(ea) if not ida_ua.can_decode(ea) or not mnem: break if mnem == target_mnem: addr = ea break visited.add(ea) if backward: next_ea = ida_xref.get_first_cref_to(ea) if next_ea < target_ea - 0x100: break while next_ea != idc.BADADDR and next_ea in visited: next_ea = ida_xref.get_next_cref_to(ea, next_ea) else: next_ea = ida_xref.get_first_cref_from(ea) if next_ea > target_ea + 0x100: break while next_ea != idc.BADADDR and next_ea in visited: next_ea = ida_xref.get_next_cref_from(ea, next_ea) ea = next_ea return addr
def main(): # Get current ea ea = ida_kernwin.get_screen_ea() # Get segment class seg = ida_segment.getseg(ea) # Loop from segment start to end func_ea = seg.start_ea # Get a function at the start of the segment (if any) func = ida_funcs.get_func(func_ea) if func is None: # No function there, try to get the next one func = ida_funcs.get_next_func(func_ea) seg_end = seg.end_ea while func is not None and func.start_ea < seg_end: funcea = func.start_ea print("Function %s at 0x%x" % (ida_funcs.get_func_name(funcea), funcea)) ref = ida_xref.get_first_cref_to(funcea) while ref != ida_idaapi.BADADDR: print(" called from %s(0x%x)" % (ida_funcs.get_func_name(ref), ref)) ref = ida_xref.get_next_cref_to(funcea, ref) func = ida_funcs.get_next_func(funcea)
def __get_relative_node(self, src_node, key_name): src_node_addr = src_node.get_addr() next_node_addr = ida_xref.get_first_cref_to(src_node_addr) print('[Debug]next_addr 0x%x' % next_node_addr) if next_node_addr == idaapi.BADADDR: return if next_node_addr != idc.PrevHead(src_node_addr): new_tree_node = TreeNode(ida_funcs.get_func_name(next_node_addr), next_node_addr) new_tree_node.add_parent(src_node) src_node.add_child(new_tree_node) print('[*]Add node %s 0x%x' % (new_tree_node.get_name(), new_tree_node.get_addr())) self.__get_relative_node(new_tree_node, key_name) next_node_addr = ida_xref.get_next_cref_to(src_node_addr, next_node_addr) print('[Debug]next_addr 0x%x' % next_node_addr) while next_node_addr != idaapi.BADADDR: if next_node_addr == idc.PrevHead(src_node_addr): continue new_tree_node = TreeNode(ida_funcs.get_func_name(next_node_addr), next_node_addr) new_tree_node.add_parent(src_node) src_node.add_child(new_tree_node) print('[*]Add node %s 0x%x' % (new_tree_node.get_name(), new_tree_node.get_addr())) self.__get_relative_node(new_tree_node, key_name) next_node_addr = ida_xref.get_next_cref_to(src_node_addr, next_node_addr) print('[Debug]next_addr 0x%x' % next_node_addr) return
def propagate_function_type(ea: int, func_type: FUNCTION_TYPE): print(f"propagate func {hex(ea)}, type {func_type}") if visited.get(ea) is not None: return if func_type == FUNCTION_TYPE.NULLSUB: ida_name.set_name(ea, f"nullsub_{hex(ea)[2:]}") elif func_type == FUNCTION_TYPE.IDENTITY: ida_name.set_name(ea, f"identity_{hex(ea)[2:]}") elif func_type == FUNCTION_TYPE.GETVALUE: ida_name.set_name(ea, f"getvalue_{hex(ea)[2:]}") visited[ea] = True cref = ida_xref.get_first_cref_to(ea) while cref != idaapi.BADADDR: cref_func = ida_funcs.get_func(cref) #function is not defined or function has been visited if cref_func is None or visited.get(cref_func.start_ea) is not None: cref = ida_xref.get_next_cref_to(ea, cref) continue cref_func_type = infer_function_type(cref_func.start_ea, func_type) if cref_func_type == FUNCTION_TYPE.OTHER: cref = ida_xref.get_next_cref_to(ea, cref) visited[cref_func.start_ea] = True continue propagate_function_type(cref_func.start_ea, cref_func_type) cref = ida_xref.get_next_cref_to(ea, cref)
def get_all_ref(self, addr): """ 获取所有引用到addr的地址 """ xref_t = [] addr_t = ida_xref.get_first_cref_to(addr) while addr_t != ida_idaapi.BADADDR: xref_t.append(addr_t) addr_t = ida_xref.get_next_cref_to(addr, addr_t) return xref_t
def proceed_backward(self, ea, reg_name, end_ea, end_cnt, offset=None): # initialize prev code points values = set() xref = ida_xref.get_first_cref_to(ea) while xref and xref != idc.BADADDR: tmp_values = self.find_reg_value_helper(xref, reg_name, end_ea, end_cnt, offset) if tmp_values: tmp_values = list(map(lambda x: x & 0xFFFFFFFF, tmp_values)) values.update(tmp_values) xref = ida_xref.get_next_cref_to(ea, xref) self.values[(ea, reg_name)] = values return values
procs = { 0x18: "Create", 0x1C: "Destroy", 0x20: "Icon", 0x24: "Paint", 0x28: "Size", 0x2C: "Input", 0x30: "Focus", 0x34: "Scroll", 0x38: "Data", 0x3C: "Help" } if res[0] == 1: regfunc = res[1] regcall = ida_xref.get_first_cref_to(regfunc) while regcall != ida_idaapi.BADADDR: insn = ida_ua.insn_t() ida_ua.decode_insn(insn, regcall) for i in range(20): if insn.get_canon_mnem() == 'mov' and insn.Op1.type == 4: if insn.Op1.addr in procs: ida_offset.op_plain_offset(insn.ea, 1, code_ea) target = code_ea + insn.Op2.value ida_funcs.add_func(target, ida_idaapi.BADADDR) ida_name.set_name( target, procs[insn.Op1.addr] + "_" + hex(regcall)[2:]) ida_ua.decode_prev_insn(insn, insn.ea) regcall = ida_xref.get_next_cref_to(regfunc, regcall)
def get_code_xrefs(ea): xref = ida_xref.get_first_cref_to(ea) while xref != BADADDR: yield xref xref = ida_xref.get_next_cref_to(ea, xref)