def apply_labels(fun_names):
new_sub = 0
new_som = 0
new_oth = 0
named_overwrittens = []
for f_ea, name in fun_names.iteritems():
name = re.sub('[^a-zA-Z0-9_]+', '', name)
curr_name = idaapi.get_func_name(f_ea)
if curr_name.startswith("sub_"):
new_sub += 1
elif "_something" in curr_name:
new_som += 1
else:
new_oth += 1
named_overwrittens.append(curr_name)
#so we don't overwrite these
continue
# stats counting aside, make sure we don't overwrite non-sub
# functions from e.g. our IDC assignments
if not curr_name.startswith("sub_") and not "_something" in curr_name:
continue
ret = idc.LocByName(name)
count = 1
while (ret != 0xffffffff):
count += 1
ret = idc.LocByName(name + "__" + "%d" % count)
idc.MakeName(f_ea, name + ("__%d" % count) * (count > 1))
def memToLvl(address, levelId = None):
refTableAddr = idc.LocByName("levelReferenceTable")
if refTableAddr == BADADDR:
print("Can't get level reference table address. Make sure its name is levelReferenceTable.")
return
if levelId == None:
endTableAddr = idc.LocByName("levelEndTable")
if endTableAddr == BADADDR:
print("Can't get level end table address. Make sure its name is levelEndTable.")
return
lvl0StartAddr = idc.Dword(refTableAddr)
lvl1StartAddr = idc.Dword(refTableAddr + 4)
lvl0EndAddr = idc.Dword(endTableAddr)
lvl1EndAddr = idc.Dword(endTableAddr + 4)
if address >= lvl0StartAddr and address <= lvl0EndAddr:
fileRelativeAddr = address - lvl0StartAddr
idc.Message("Fix.lvl relative address: 0x" + format(fileRelativeAddr, '02X') + "\n")
return
if address >= lvl1StartAddr and address <= lvl1EndAddr:
fileRelativeAddr = address - lvl1StartAddr
idc.Message("Actual level relative address: 0x" + format(fileRelativeAddr, '02X') + "\n")
return
idc.Message("ERROR: This address does not belong to any level file.")
else:
lvlStartAddr = idc.Dword(refTableAddr + levelId * 4)
fileRelativeAddr = address - lvlStartAddr
idc.Message("Address relative to file: 0x" + format(fileRelativeAddr, '02X') + "\n")
def get_ea_by_name(self, name):
'''
Get the address of a location by name.
@name - Location name
Returns the address of the named location, or idc.BADADDR on failure.
'''
# This allows support of the function offset style names (e.g., main+0C)
# TODO: Is there something in the IDA API that does this already??
if '+' in name:
(func_name, offset) = name.split('+')
base_ea = idc.LocByName(func_name)
if base_ea != idc.BADADDR:
try:
ea = base_ea + int(offset, 16)
except:
ea = idc.BADADDR
else:
ea = idc.LocByName(name)
if ea == idc.BADADDR:
try:
ea = int(name, 0)
except:
ea = idc.BADADDR
return ea
def search_reg():
global mod_addr_min
global mod_addr_max
code_reg = idc.LocByName('g_code_reg')
meta_reg = idc.LocByName('g_meta_reg')
print('searching metareg')
if meta_reg == idc.BADADDR:
meta_reg = search_meta_reg(mod_addr_min + 56, mod_addr_max - 256)
if meta_reg == idc.BADADDR:
print('Failed to search metareg')
raise
print('%08X: g_meta_reg' % meta_reg)
idc.MakeName(meta_reg, 'g_meta_reg')
if code_reg == idc.BADADDR:
print('searching codereg')
code_reg = search_code_reg(meta_reg - 256, meta_reg - 16)
if code_reg == idc.BADADDR:
print('Failed to search codereg')
raise
print('%08X: g_code_reg' % code_reg)
idc.MakeName(code_reg, 'g_code_reg')
#if code_reg == idc.BADADDR or meta_reg == idc.BADADDR:
# return analyze_reg()
return code_reg, meta_reg
def find_main_arena():
main_arena = idc.LocByName("main_arena") # from libc6-dbg
if main_arena != idc.BADADDR:
return main_arena
ea = idc.SegStart(idc.LocByName("_IO_2_1_stdin_"))
end_ea = idc.SegEnd(ea)
# &main_arena->next
offsets = {
4: [1088, 1096], # 32 bits
8: [2152, 2160] # 64 bits
}
if ea == idc.BADADDR or end_ea == idc.BADADDR:
return None
get_ptr = config.get_ptr
while ea < end_ea:
ptr = get_ptr(ea) # ptr to main_arena
if idaapi.is_loaded(ptr) and ptr < ea and get_ptr(
ptr) == 0: # flags=0x0
if (ea - ptr) in offsets[config.ptr_size]:
return ptr
ea += config.ptr_size
return None
def GetBranchList(self, start=None, end=None):
self.branch_list = list()
current = start
if self.arc == ARCHITECTURE['MIPS']:
o_iasm = mips_iasm.MIPS_IAsm()
branch_obj = o_iasm.mips_asm_class['branch']
jump_obj = o_iasm.mips_asm_class['jump']
while current <= end:
method = 'do_' + idc.GetMnem(current)
if hasattr(branch_obj, method) or hasattr(jump_obj, method):
if self.isNearAddr(idc.GetOpType(current, 0)):
opr = idc.LocByName(idc.GetOpnd(current, 0))
if opr in self.func_ref_list:
self.branch_list.append(hex(opr))
elif self.isNearAddr(idc.GetOpType(current, 1)):
opr = idc.LocByName(idc.GetOpnd(current, 1))
if opr in self.func_ref_list:
self.branch_list.append(hex(opr))
elif self.isNearAddr(idc.GetOpType(current, 2)):
opr = idc.LocByName(idc.GetOpnd(current, 2))
if opr in self.func_ref_list:
self.branch_list.append(hex(opr))
current = idc.NextHead(current, end)
self.branch_list = list(set(self.branch_list))
self.branch_list.sort()
return self.branch_list
def GetBranchList(self, start=None, end=None): branch_list = list() current = start if self.arc == ARCHITECTURE['MIPS']: branch_obj = self.asm.mips_asm_class['branch'] jump_obj = self.asm.mips_asm_class['jump'] while current <= end: method = 'do_' + idc.GetMnem(current) if hasattr(branch_obj, method) or hasattr(jump_obj, method): if idc.GetOpType(current, 0) == ASM_TYPE['Imm_Near_Addr']: opr = idc.LocByName(idc.GetOpnd(current, 0)) if opr in self.func_ref_list: branch_list.append(hex(opr)) elif idc.GetOpType(current, 1) == ASM_TYPE['Imm_Near_Addr']: opr = idc.LocByName(idc.GetOpnd(current, 1)) if opr in self.func_ref_list: branch_list.append(hex(opr)) elif idc.GetOpType(current, 2) == ASM_TYPE['Imm_Near_Addr']: opr = idc.LocByName(idc.GetOpnd(current, 2)) if opr in self.func_ref_list: branch_list.append(hex(opr)) current = idc.NextHead(current, end) branch_list = list(set(branch_list)) branch_list.sort() return branch_list
def jumps_to(f, t):
f_ea = idc.LocByName(f)
t_ea = idc.LocByName(t)
for start, end in idautils.Chunks(f_ea):
ea = start
while (ea < end):
i = idautils.DecodeInstruction(ea)
#Functions have data chunks in them, these are offsets and dwords. skipping 4 ahead seems like a safe choice.
if type(i) == type(None):
ea += 4
continue
#detect if instruction is a jump to t_ea
m = idc.GetMnem(ea)
if idc.GetMnem(ea) == "LDR" and idc.GetOpnd(
ea, 0) == "PC" and t in idc.GetOpnd(ea, 1):
return True
elif idc.GetMnem(ea) == "BX" and idc.GetOpnd(ea, 0) == t:
return True
try:
ea += i.size
except:
print "0x%08x" % ea
print "DecodeInstruction failed!"
print i.size
return False
def findroot(TargetFunc):
global rootpath
global rootfunc
global m_rootpath
global depth
global dstfunc
depth += 1
if (depth >= 10):
rootfunc.append(TargetFunc)
rootpath.append(
"It's difficult to reverse because depth is too deep!!Try: " +
TargetFunc)
return
for xref in idautils.XrefsTo(idc.LocByName(TargetFunc)):
if (idc.GetFunctionName(xref.frm) == ""): #if root function
for storcheck in idautils.XrefsTo(idc.LocByName(TargetFunc)):
if (storcheck.type == 17): #not root function
return
if m_rootpath not in rootpath:
if (depth > 7):
m_rootpath = dstfunc + "<--" + TargetFunc
rootfunc.append(idc.GetFunctionName(xref.to))
rootpath.append(m_rootpath)
return
else:
g_rootpath = m_rootpath
m_rootpath += "<--" + idc.GetFunctionName(xref.frm)
findroot(idc.GetFunctionName(xref.frm))
depth -= 1
m_rootpath = g_rootpath
def get_ea_by_name(name):
"""
Get the address of a location by name.
@name - Location name
Returns the address of the named location, or idc.BADADDR on failure.
"""
# This allows support of the function offset style names (e.g., main+0C)
# TODO: Is there something in the IDA API that does this already??
# TODO: AppCall maybe? http://www.hexblog.com/?p=112 -fireundubh
ea = idc.BADADDR
if '+' in name:
(func_name, offset) = name.split('+')
base_ea = idc.LocByName(func_name)
if base_ea != idc.BADADDR:
try:
ea = base_ea + int(offset, 16)
except:
ea = idc.BADADDR
else:
ea = idc.LocByName(name)
if ea == idc.BADADDR:
try:
ea = int(name, 0)
except:
ea = idc.BADADDR
return ea
def get_jlocs(self, sw):
jlocs = []
ncases = sw.ncases if sw.jcases == 0 else sw.jcases
for i in range(ncases):
addr = idc.Dword(sw.jumps+i*4)
name = idaapi.get_name(idc.BADADDR, addr)
comm = idc.GetCommentEx(idc.LocByName(name), 1)
comm = comm[comm.find('case'):] if comm is not None and comm.startswith('jumptable') else comm
jlocs.append((name, idc.LocByName(name), comm))
return jlocs
def addNodes(self):
for node in self.result:
name = idc.GetFunctionName(node)
if not name:
continue
if name not in self.added:
try:
self.nodes[idc.LocByName(name)] = self.AddNode((idc.LocByName(name), name))
self.added.append(name)
except:
print "Error adding node", sys.exc_info()[1]
def addEdges(self):
for ea in self.result:
refs = GetCodeRefsFrom(ea)
for ref in refs:
name = idc.GetFunctionName(ref)
name2 = idc.GetFunctionName(ea)
try:
if name in self.added:
self.AddEdge(self.nodes[idc.LocByName(name2)], self.nodes[idc.LocByName(name)])
self.added.append((ea, ref))
except:
print "Error", sys.exc_info()[1]
def handler(self):
if 1:
b1 = 'sn00gle-fl00gle-p00dlekins'
dst = idautils.cpu.esp + 0x100
dstsize = 0x102
idc.DbgWrite(dst, '\x00'*dstsize)
buf = dst - len(b1)-10
idc.DbgWrite(buf, b1+'\x00')
gen_perm_ea = idc.LocByName('generate_perm')
mix_ea = idc.LocByName('mix_things')
pass1_ea = idc.LocByName('PASSWORD1')
pass1_len = read_u32(idc.LocByName('PASSWORD1_LEN'))
finalsize = pass1_len
finaldest = idautils.cpu.esp - 2*finalsize
idc.DbgWrite(finaldest, '\x00'*(finalsize+1))
self.call(gen_perm_ea, dst, buf, len(b1))
yield
print(hex(dst), hex(pass1_ea), hex(finaldest), hex(pass1_len))
#self.done = 1
#return
self.call(mix_ea, dst, pass1_ea, finaldest, pass1_len)
yield
with open('./final.data', 'wb') as f:
f.write(idc.DbgRead(finaldest, pass1_len))
else:
stride = 0x24
nseg = read_u32(self.rx_seg_count)
base_addr = self.rx_seg_desc
print('HANDLER', nseg)
for i in range(nseg):
seg_addr = base_addr + stride * i
for data in self.decode_seg(seg_addr, False):
yield
nseg = read_u32(self.rw_seg_count)
base_addr = self.rw_seg_desc
for i in range(nseg):
seg_addr = base_addr + stride * i
for data in self.decode_seg(seg_addr, True):
yield
print('dumping handler')
json.dump(self.segs, open('./dump.json', 'w'))
self.done = 1
def Call(self, function, arguments=[], retaddr=0, block_until_return=True):
'''
Call a given function. Arguments must already be configured.
This should not be used to call functions hooked with IDASimulator or it likely won't work.
@function - The name or address of the function to call.
@arguments - A list of function arguments.
@retaddr - The address to return to.
@block_until_return - If set to True, this method will not return until the function does.
If set to False, this method will return immediately after calling the function.
Returns the return value of the function on success.
Returns None on failure, or if block_until_return is False.
'''
retval = None
# Process should already be paused, but just in case...
idc.PauseProcess()
# If a function name was specified, get its address
if isinstance(function, type('')):
function = idc.LocByName('.' + function)
if function == idc.BADADDR:
function = idc.LocByName(function)
if function != idc.BADADDR:
if not retaddr:
retaddr = self.cpu.ProgramCounter()
# Set the specified function arguments
self.cpu.SetArguments(arguments)
# Do any arch-specific initialization before the function call
self.cpu.PreFunctionCall(function)
# Set up the return address and point the program counter to the start of the target function
self.cpu.ReturnAddress(value=retaddr)
self.cpu.ProgramCounter(value=function)
idc.Jump(function)
if block_until_return:
# Resume process and wait for the target function to return
idc.StepUntilRet()
idc.GetDebuggerEvent(idc.WFNE_CONT | idc.WFNE_SUSP, -1)
idc.Jump(retaddr)
retval = self.cpu.ReturnValue()
else:
idc.ResumeProcess()
return retval
def AuditApiCall(funcname, auditfunc):
print funcname
func = idc.LocByName(funcname)
print funcname + " func addr "
print hex(func)
count = 0
if(func != BADADDR):
for xref in idautils.XrefsTo(func,0):
print xref.type,idautils.XrefTypeName(xref.type)
print 'from',hex(xref.frm)
print 'to',hex(xref.to)
####audit func#####
####not from an const####
func_start = idc.GetFunctionAttr(xref.frm, idc.FUNCATTR_START)
func_end = idc.GetFunctionAttr(xref.frm, idc.FUNCATTR_END)
local_size = idc.GetFunctionAttr(xref.frm, idc.FUNCATTR_FRSIZE)
###Data offset eg: lis r10, VOS_sprintf@h
### addi r10, r10, VOS_sprintf@l
if(xref.type == 1):
print "disass is "+idc.GetDisasm(xref.frm)
if("add" in idc.GetDisasm(xref.frm)):
caller = TraceApiCall(xref.frm)
auditfunc(caller)
break
else:
caller= xref.frm
def get_virtual_func_address(name, tinfo=None, offset=None):
"""
:param name: method name
:param tinfo: class tinfo
:param offset: virtual table offset
:return: address of the method
"""
address = idc.LocByName(name)
if address != idaapi.BADADDR:
return address
address = demangled_names.get(name, idaapi.BADADDR)
if address != idaapi.BADADDR:
return address + idaapi.get_imagebase()
if tinfo is None or offset is None:
return
offset *= 8
udt_member = idaapi.udt_member_t()
while tinfo.is_struct():
address = demangled_names.get(tinfo.dstr() + '::' + name,
idaapi.BADADDR)
if address != idaapi.BADADDR:
return address + idaapi.get_imagebase()
udt_member.offset = offset
tinfo.find_udt_member(idaapi.STRMEM_OFFSET, udt_member)
tinfo = udt_member.type
offset = offset - udt_member.offset
def bulk_function():
functionPtrs = ""
for func_name in get_selected_funcs():
functionPtrDef = copy_function(idc.LocByName(func_name))
functionPtrs = functionPtrs + functionPtrDef + "\n"
copy_to_clip(functionPtrs)
idaapi.msg(functionPtrs)
def __init__(self, ea=UseCurrentAddress, name=None):
if name is not None and ea != self.UseCurrentAddress:
raise ValueError(
("Either supply a name or an address (ea). "
"Not both. (ea={!r}, name={!r})").format(ea, name))
elif name is not None:
ea = idc.LocByName(name)
if ea == idc.BADADDR:
raise exceptions.SarkNoFunction(
"The supplied name does not belong to an existing function. "
"(name = {!r})".format(name))
elif ea == self.UseCurrentAddress:
ea = idc.here()
elif ea is None:
raise ValueError(
"`None` is not a valid address. To use the current screen ea, "
"use `Function(ea=Function.UseCurrentAddress)` or supply no `ea`."
)
elif isinstance(ea, Line):
ea = ea.ea
self._func = get_func(ea)
self._comments = Comments(self)
def LocatePointerLists():
seg = idc.FirstSeg()
initArrayAddr = 0
while seg != idc.BADADDR:
seg = idc.NextSeg(seg)
segName = idc.SegName(seg)
if segName == ".init_array":
initArrayAddr = idc.SegStart(seg)
break
# find Il2CppCodeRegistrationOffset from init_array
Il2CppCodeRegistrationOffset = initArrayAddr + 30 * (BITS / 8)
print "find Il2CppCodeRegistrationOffset %x" % Il2CppCodeRegistrationOffset
Il2CppCodeRegistrationCpp = GetVarFromAddr(Il2CppCodeRegistrationOffset)
print "Il2CppCodeRegistrationCpp: %x" % Il2CppCodeRegistrationCpp
idc.MakeName(Il2CppCodeRegistrationCpp, "Il2CppCodeRegistrationCpp")
#Il2CppCodegenRegistration = 0
#for r in idautils.XrefsFrom(Il2CppCodeRegistrationAddr + 0x14, 0):
# Il2CppCodegenRegistration = hex(r.to)
#g_CodeRegistration = 0
#for r in idautils.XrefsFrom(Il2CppCodegenRegistration + 0x18, 0):
# g_CodeRegistration = hex(r.to)
opndValue = idc.GetOperandValue(Il2CppCodeRegistrationCpp + 0x8, 1)
offset = GetVarFromAddr(opndValue)
_GLOBAL_OFFSET_TABLE_ = idc.LocByName("_GLOBAL_OFFSET_TABLE_")
print "_GLOBAL_OFFSET_TABLE_ %x" % _GLOBAL_OFFSET_TABLE_
Il2CppCodegenRegistration = (_GLOBAL_OFFSET_TABLE_ + offset) & 0xFFFFFFFF
idc.MakeName(Il2CppCodegenRegistration, "Il2CppCodegenRegistration")
print "Il2CppCodegenRegistration %x" % Il2CppCodegenRegistration
opndValue = idc.GetOperandValue(Il2CppCodegenRegistration + 0xC, 1)
offset = GetVarFromAddr(opndValue)
g_CodeRegistration = (_GLOBAL_OFFSET_TABLE_ + offset) & 0xFFFFFFFF
idc.MakeName(g_CodeRegistration, "g_CodeRegistration")
print "g_CodeRegistration %x" % g_CodeRegistration
g_MethodPointers = GetVarFromAddr(g_CodeRegistration + 0x4)
idc.MakeName(g_MethodPointers, "g_MethodPointers")
print "g_MethodPointers %x" % g_MethodPointers
opndValue = idc.GetOperandValue(Il2CppCodegenRegistration + 0x04, 1)
offset = GetVarFromAddr(opndValue)
g_MetadataRegistration = GetVarFromAddr((_GLOBAL_OFFSET_TABLE_ + offset)
& 0xFFFFFFFF)
idc.MakeName(g_MetadataRegistration, "g_MetadataRegistration")
print "g_MetadataRegistration %x" % g_MetadataRegistration
g_MetadataUsages = GetVarFromAddr(g_MetadataRegistration + 0x3C)
idc.MakeName(g_MetadataUsages, "g_MetadataUsages")
print "g_MetadataUsages %x" % g_MetadataUsages
return (g_MethodPointers, g_MetadataUsages)
def get_function_para(func_name):
func_args = []
code_buf = []
ea = idc.LocByName(func_name)
if ea != idc.BADADDR:
f = idaapi.get_func(ea)
if f is not None:
try:
cfunc = idaapi.decompile(f)
if cfunc != None:
#
sv = cfunc.get_pseudocode()
for sline in sv:
code_line = idaapi.tag_remove(sline.line)
code_buf.append(code_line)
#print('find: %s(' %func_name, end='')
for arg in cfunc.arguments:
func_args.append(arg.name)
#print(arg.name+', ', end='')
#print(')')
except Exception as e:
print(e)
#code_str = '\n'.join(code_buf)
return func_args, code_buf
def run(segments, args, addresses, interpreter=None, **kwargs):
if args.name:
ea = idc.LocByName(args.name)
occurrences = [ea] if ea != idc.BADADDR else []
else:
occurrences = list(utils.ida_find_all(args.bytes))
frm = set()
for ea in occurrences:
froms = [ref.frm for ref in idautils.XrefsTo(ea)]
if args.function_start:
froms = [function_start.get_function_start(segments, ea)
for ea in froms]
frm.update(frm for frm in froms if frm != idc.BADADDR)
retval = set()
retval.update(addresses)
if getattr(args, 'or'):
retval.update(frm)
elif getattr(args, 'and'):
retval.intersection_update(frm)
return list(retval)
def parse_mpu():
"""
NOTE: to find this symbol, run find_mcr.py and look for the MPU config instructions.
Backtrace that function to a wrapper; backtrace that one to the MPU initialization function,
which calls the wrapper in a loop using values from an array. That array is MPU_region_configs.
"""
mpu_struct_addr = idc.LocByName("MPU_region_configs")
if mpu_struct_addr == 0xFFFFFFFF:
print "NOTE: to find this symbol, run find_mcr.py and look for the MPU config instructions.\nBacktrace that function to a wrapper; backtrace that one to the MPU initialization function,\nwhich calls the wrapper in a loop using values from an array. That array is MPU_region_configs."
return
while(1):
r = Region(mpu_struct_addr)
if r.num == 0xFF:
print "Delimiter found!"
break
else:
r.pprint()
mpu_struct_addr += 40
new_region = Region()
new_region.set_DRNR(14)
new_region.set_DRBAR(0x404E6000) # mo_call_establishment_trace_setup_msg
new_region.set_size(0b01011) # 256*(2**4) aka 0x1000 aka 4096 bytes
new_region.set_en(1) # enabled
new_region.set_TEX_C_B(0b001,0,0) # non-cacheble
new_region.set_XN(0) # no XN bit
new_region.set_AP(0b011) # RW
new_region.set_S(1) # shareable
new_region.pprint()
def GetDataXrefString(ea):
name = idc.GetFunctionName(ea)
ea = idc.LocByName(name)
f_start = ea
f_end = idc.GetFunctionAttr(ea, idc.FUNCATTR_END)
ret = []
for chunk in idautils.Chunks(ea):
astart = chunk[0]
aend = chunk[1]
for head in idautils.Heads(astart, aend):
# If the element is an instruction
if idc.isCode(idc.GetFlags(head)):
refs = list(idautils.DataRefsFrom(head))
for ref in refs:
s = idc.GetString(ref, -1, idc.ASCSTR_C)
if not s or len(s) <= 4:
s = idc.GetString(ref, -1, idc.ASCSTR_UNICODE)
if s:
if len(s) > 4:
ret.append(repr(s))
if len(ret) > 0:
return "\n\n" + "\n".join(ret)
else:
return ""
def _find_system_calls(self, start_ea, end_ea):
system_calls = []
system_load = MIPSInstruction("la", "$t9", "system")
stack_arg_zero = MIPSInstruction("addiu", "$a0", "$sp")
for xref in idautils.XrefsTo(idc.LocByName('system')):
ea = xref.frm
if ea >= start_ea and ea <= end_ea and idc.GetMnem(ea)[0] in [
'j', 'b'
]:
a0_ea = self._find_next_instruction_ea(ea + self.INSIZE,
stack_arg_zero,
ea + self.INSIZE)
if a0_ea == idc.BADADDR:
a0_ea = self._find_prev_instruction_ea(
ea, stack_arg_zero,
ea - (self.SEARCH_DEPTH * self.INSIZE))
if a0_ea != idc.BADADDR:
control_ea = self._find_prev_instruction_ea(
ea - self.INSIZE, system_load,
ea - (self.SEARCH_DEPTH * self.INSIZE))
if control_ea != idc.BADADDR:
system_calls.append(
ROPGadget(self._get_instruction(control_ea),
self._get_instruction(ea),
self._get_instruction(a0_ea),
description="System call",
base=self.base))
ea += self.INSIZE
else:
break
return system_calls
def DeepSearch(self, function_name, line, max_deep, current_deep=0):
data = {}
opcode_offset = 0
function_start = idc.LocByName(function_name)
function_end = idc.GetFunctionAttr(function_start, idc.FUNCATTR_END)
while function_start + opcode_offset < function_end:
opcode_index = function_start + opcode_offset
dline = idc.GetDisasm(opcode_index)
if idc.GetMnem(opcode_index) == "call":
if current_deep >= max_deep:
return
elif idc.GetOpnd(opcode_index, 0)[:4] == "sub_":
deep = self.DeepSearchWithRgx(idc.GetOpnd(opcode_index,
0), line,
max_deep, current_deep + 1)
if deep:
data.update(deep)
if dline == line:
data["%x" % opcode_index] = dline
opcode_offset += idc.ItemSize(opcode_index)
return data
def MakeEnum(enumName, offsetArray):
print("enum class %s\r\n{" % enumName)
for offset in offsetArray:
if len(offset[0]) == 0:
print("")
continue
if type(offset[1]) is str:
print(" %s = %s," % (offset[0], offset[1]))
continue
'''
fncValue = offset[1] if offset[1] != -1 else 0x0
'''
# print " %s = 0x%08x,%s" % (offset[0], fncValue, ' // Unknown' if fncValue == 0x0 else '')
fncValue = offset[1] if offset[1] != -1 else 0x0
locByName = idc.LocByName(offset[0])
isMismatch = locByName != fncValue
if locByName == BADADDR:
locByName = fncValue
print(" %s = 0x%08x,%s" %
(offset[0], locByName,
'// Possible mismatch' if isMismatch else ''))
print("};\r\n")
def main():
#jayutils.configLogger(__name__, logging.DEBUG)
jayutils.configLogger(__name__, logging.INFO)
logger = jayutils.getLogger('')
logger.debug('Starting up in main')
#name = idc.AskStr('CreateThread', 'Enter function to find args for')
#argNum = idc.AskLong(6)
filePath = jayutils.getInputFilepath()
if filePath is None:
self.logger.info('No input file provided. Stopping')
return
vw = jayutils.loadWorkspace(filePath)
logger.debug('Loaded workspace')
tracker = ArgTracker(vw)
import idautils
funcEa = idc.LocByName('CreateThread')
if funcEa == idc.BADADDR:
logger.info('CreateThread not found. Returning now')
return
for xref in idautils.XrefsTo(funcEa):
argsList = tracker.getPushArgs(xref.frm, 6)
for argDict in argsList:
print '-' * 60
pc, value = argDict[3]
print '0x%08x: 0x%08x: 0x%08x' % (xref.frm, pc, value)
def do_diff(original_string, modified_string):
original_list = original_string.split()
modified_list = modified_string.split()
if len(original_list) != len(modified_list):
print '[!] Differing number of words when splitting original and modified text.'
print '[!] Unable to handle this, exiting'
return None
modification_dict = {}
for i in range(0, len(original_list)):
if original_list[i].strip() != modified_list[i].strip():
(original_name,
modified_name) = get_modified_name(original_list[i],
modified_list[i])
if original_name and modified_name:
if original_name not in modification_dict:
modification_dict[original_name] = modified_name
else:
existing_name = modification_dict[original_name]
if existing_name != modified_name:
print '[!] Multiple modifications to the same name %s and %s' % (
original_name, modified_name)
else:
print '[!] Unable to match name %s and %s' % (original_name,
modified_name)
#print original_list[i], modified_list[i]
new_modification_dict = {}
for original, modified in modification_dict.iteritems():
if idc.LocByName(original) != idaapi.BADADDR:
#print '%s --> %s' % (original, modified)
new_modification_dict[original] = modified
return new_modification_dict
def OnCommand(self, n, cmd):
if cmd == self.show_all_toggle_cmd:
if self.min_xrefs == self.MIN_XREFS:
self.min_xrefs = 0
if self.min_xrefs != self.MIN_XREFS:
self.min_xrefs = self.MIN_XREFS
if self.must_have_loop == self.MUST_HAVE_LOOP:
self.must_have_loop = False
else:
self.must_have_loop = self.MUST_HAVE_LOOP
elif cmd == self.rename_cmd:
if idc.AskYN(
0,
"Are you sure you want to rename all 'sub_XXXXXX' functions to 'leaf_XXXXXX'?"
) == 1:
for item in self.items:
# Is this a leaf function?
if item[-1] == True:
current_name = item[0]
if current_name.startswith('sub_'):
new_name = current_name.replace('sub_', 'leaf_')
idc.MakeName(idc.LocByName(current_name), new_name)
self.populate_items()
return 0
