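def define_functions(start=0x10000000, end=0x11000000):
    """Sweep the unexplored bytes of [start, end) and turn plausible ARM
    instruction words into functions.

    A candidate is a 4-byte-aligned word whose top nibble is 0xE (presumably
    the ARM "always" condition code) that IDA accepts as a 4-byte instruction.
    Each candidate is offered to ``idc.MakeFunction``; progress is printed.

    Args:
        start: first address to examine (default keeps the historic 0x10000000).
        end: exclusive upper bound of the sweep (default 0x11000000).
    """
    unknown = idc.FindUnexplored(start, idc.SEARCH_DOWN)
    while unknown != idc.BADADDR and unknown < end:
        insn = idc.Dword(unknown)
        looks_like_arm = (insn & 0xF0000000) == 0xE0000000 and (unknown & 3) == 0
        # MakeCode is only attempted once the cheap word/alignment test passes.
        if looks_like_arm and idc.MakeCode(unknown) == 4:
            print("Trying %x" % unknown)
            if idc.MakeFunction(unknown):
                print("Success")
        # Always step forward.  Advancing only on failure re-ran the loop on the
        # same address after a successful MakeFunction and relied on the second
        # attempt failing to move on.
        unknown = idc.FindUnexplored(unknown + 4, idc.SEARCH_DOWN)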
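def _add_island_section(dsc_file, island_off, seg, sec):
    """Create one CODE segment for an island section and copy its bytes into IDA."""
    idc.AddSegEx(sec.addr, sec.addr + sec.size, 0, 0,
                 idaapi.saRelPara, idaapi.scPub, idc.ADDSEG_FILLGAP)
    name = "branch_islands_%X%s%s" % (island_off, seg.segname, sec.sectname)
    idc.RenameSeg(sec.addr, name)
    idc.SetSegClass(sec.addr, "CODE")
    # bitness selector of the legacy idc API; 2 selects 64-bit addressing
    idc.SetSegAddressing(sec.addr, 2)
    dsc_file.seek(sec.offset)
    memcpy(sec.addr, dsc_file.read(sec.size))


def _disassemble_island_section(sec_start, sec_size, jmp_to_code):
    """Turn [sec_start, sec_start+sec_size) into code and record direct branches.

    Every instruction whose disassembly reads ``B 0x<target>`` is added to
    ``jmp_to_code[target]`` (target -> list of island stub addresses).
    """
    print("Going through the code!")
    sec_end = sec_start + sec_size
    codeea = sec_start
    while codeea < sec_end:
        if not idc.MakeCode(codeea):
            print("[!] EA:0x%X ERR while making code" % codeea)
            codeea += 4
            continue
        disasm = idc.GetDisasm(codeea)
        # e.g. "B 0x4dd13550" -- a bare "B " with no operand is skipped
        if disasm.startswith("B "):
            parts = disasm.split()
            if len(parts) > 1 and parts[1].startswith("0x"):
                jmp_to_code[int(parts[1], 16)].append(codeea)
        # FindUnexplored returns BADADDR when nothing is left, which ends the loop
        codeea = idc.FindUnexplored(codeea, idc.SEARCH_DOWN)


def map_shared_bridges(dsc_file, adrfind):
    """Find the branch-island images inside a dyld_shared_cache and map them.

    The cache is scanned for embedded Mach-O images whose header lies a few
    hundred bytes before the string "dyld_shared_cache_branch_islands".  When
    running inside IDA (``_IN_IDA``), each section of every such image is added
    as a CODE segment, filled from the cache and disassembled, and every direct
    ``B 0x...`` found is recorded as target -> [stub addresses].  The collected
    map is handed to ``label_and_fix_branch_islands`` once the scan is done.

    Args:
        dsc_file: file object opened on the dyld_shared_cache in binary mode.
        adrfind: passed through untouched to ``label_and_fix_branch_islands``.
    """
    dsc_file.seek(0, 2)
    filesize = dsc_file.tell()
    dsc_file.seek(0)
    # Read-only map of the whole cache so the regex can scan it in place.
    cache = mmap.mmap(dsc_file.fileno(), length=filesize, access=mmap.ACCESS_READ)
    # 0xfeedfacf little-endian (64-bit Mach-O magic), then 340..360 arbitrary
    # bytes, then the island marker string.  re.DOTALL is needed: without it
    # "." refuses any window that contains a 0x0a byte and the island is missed.
    # NOTE(review): the pattern is a Python 2 str; under Python 3 the mmap
    # yields bytes and the pattern would need a b"" prefix.
    island_re = re.compile(
        "\xcf\xfa\xed\xfe.{340,360}dyld_shared_cache_branch_islands", re.DOTALL)
    print("[+] scanning dsc for BRANCH ISLANDS")
    # addresses of every island section segment created below
    branch_islands_segments = []
    # branch target -> list of island stub addresses that jump there
    jmp_to_code = collections.defaultdict(list)
    try:
        for match in island_re.finditer(cache):
            island_off = match.start()
            print("[+] WRITING BRANCH ISLAND: 0x%08X" % island_off)
            image = MachO_patched(FileInFile(dsc_file, island_off))
            if not _IN_IDA:
                continue
            for seg in image.segments:
                for sec in seg.sections:
                    _add_island_section(dsc_file, island_off, seg, sec)
                    branch_islands_segments.append(sec.addr)
                    _disassemble_island_section(sec.addr, sec.size, jmp_to_code)
    finally:
        # release the mapping even if an IDA call raises part-way through
        cache.close()
    # NOTE(review): indentation was lost in this listing; the call is placed
    # after the scan on the assumption that it runs once over the full map.
    label_and_fix_branch_islands(dsc_file, adrfind, jmp_to_code)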
import idautils
import idc

# Batch script: walk every segment and ask IDA to turn each unexplored byte
# run into code, then write the full listing as <input>.asm and quit.
for seg_start in idautils.Segments():
    seg_end = idc.GetSegmentAttr(seg_start, idc.SEGATTR_END)
    cursor = seg_start
    while cursor < seg_end:
        idc.MakeCode(cursor)
        # FindUnexplored yields BADADDR when nothing is left, which ends the loop
        cursor = idc.FindUnexplored(cursor + 1, idc.SEARCH_DOWN)

asm_path = idc.GetInputFile() + ".asm"
idc.GenerateFile(idc.OFILE_ASM, asm_path, 0, idc.BADADDR, 0)
idc.Exit(0)
# Here it is. Run it with idal -c -A -S./script.py ./test.bin
# Walkthrough of the idc.Find* search helpers.  Every step prints
# "<address> <disassembly>" for the starting point and for the hit.

def _show(ea):
    # one line: address in hex followed by IDA's disassembly there
    print hex(ea), idc.GetDisasm(ea)

# idc.FindCode(ea, flag): next address marked as code; SEARCH_NEXT makes the
# search start past ea instead of at it.  `ea` comes from the preceding snippet.
_show(ea)
addr = idc.FindCode(ea, SEARCH_DOWN | SEARCH_NEXT)
_show(addr)

# idc.FindData(ea, flag): finds the next address that is marked as data.
#   sample output:
#   0x1000020b6L movzx eax, word ptr [r12+2]
#   0x100001cccL db 8 dup(0CCh)
ea = here()
_show(ea)
addr = idc.FindData(ea, SEARCH_UP | SEARCH_NEXT)
_show(addr)

# idc.FindUnexplored(ea, flag): finds bytes IDA has not identified as either
# code or data; such unknown regions need manual inspection or further scripting.
ea = here()
_show(ea)
addr = idc.FindUnexplored(ea, SEARCH_DOWN)
_show(addr)

# idc.FindExplored(ea, flag): finds an address IDA has marked as code or data,
# then lists what references it.
ea = here()
addr = idc.FindExplored(ea, SEARCH_UP)
_show(addr)
for xref in idautils.XrefsTo(addr, 1):
    _show(xref.frm)

# idc.FindImmediate(ea, flag, value): searches for a specific immediate value,
# e.g. the seed constant used by rand().  The result is indexed as
# (address, operand number).
addr = idc.FindImmediate(MinEA(), SEARCH_DOWN, 0x343FD)
print "0x%x %s %x" % (addr[0], idc.GetDisasm(addr[0]), addr[1])
# find every occurrence of the given immediate
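def find_a(end_ea=None):
    """Create a function at every unexplored address from the database start.

    Args:
        end_ea: exclusive upper bound of the sweep; defaults to the module-level
            ``max_addr`` this function has always read.
    """
    if end_ea is None:
        end_ea = max_addr
    ea = ida_ida.inf_get_min_ea()
    while ea < end_ea:
        ea = idc.FindUnexplored(ea, idc.SEARCH_DOWN)
        # nothing unexplored left (BADADDR) or past the bound: stop before
        # handing a bogus address to add_func
        if ea == idc.BADADDR or ea >= end_ea:
            break
        if not ida_funcs.add_func(ea):
            # A failed add_func leaves `ea` unexplored, and FindUnexplored
            # without SEARCH_NEXT can return ea itself, so step past it or the
            # loop never advances.
            ea += 1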