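def get_inverted(func_ea):
    """Return the RVAs of the ``if`` statements recorded as swapped for a function.

    The record lives in an IDB array named ``_ARRAY_STORAGE_PREFIX`` plus the
    hex RVA of the function. Element 0 holds the RVAs as whitespace-separated
    decimal integers.

    Args:
        func_ea: Address of the function; the image base is subtracted to get
            its RVA.

    Returns:
        A set of ints. Empty when no array or no element 0 exists.

    Raises:
        ValueError: If the stored text contains a token that is not an
            integer. The content is whatever the database holds, so an IDB
            obtained from someone else can trigger this.
    """
    internal_name = _ARRAY_STORAGE_PREFIX + hex(
        int(func_ea - idaapi.get_imagebase()))
    internal_id = idc.get_array_id(internal_name)
    if internal_id == -1:
        # No record for this function: nothing is inverted.
        return set()
    array = idc.get_array_element(idc.AR_STR, internal_id, 0)
    # NOTE(review): idc appears to return an integer (zero) for an element
    # that does not exist -- confirm against the idc version in use. An int
    # has no split(), so it is treated as "no record" instead of raising.
    if isinstance(array, int) or not array:
        return set()
    return set(map(int, array.split()))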
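def load_long_str_from_idb(array_name):
    """Read a long string that was stored in an IDB array as consecutive chunks.

    Args:
        array_name: Name of the IDB array to read.

    Returns:
        The concatenated chunks decoded as UTF-8, or None when no array with
        that name exists.

    Raises:
        UnicodeDecodeError: If the stored bytes are not valid UTF-8. The bytes
            come straight from the database, so an IDB received from someone
            else can hold anything here; callers that parse the returned text
            should validate it.
    """
    array_id = idc.get_array_id(array_name)
    if array_id == -1:
        return None
    max_idx = idc.get_last_index(idc.AR_STR, array_id)
    chunks = []
    for idx in range(max_idx + 1):
        chunk = idc.get_array_element(idc.AR_STR, array_id, idx)
        # NOTE(review): idc can hand back an integer instead of bytes
        # (presumably zero for an empty or missing element -- confirm).
        # b"".join() rejects ints, so convert to the matching byte string;
        # zero becomes b"".
        if isinstance(chunk, int):
            chunk = chunk.to_bytes((chunk.bit_length() + 7) // 8, "little")
        chunks.append(chunk)
    return b"".join(chunks).decode("utf-8")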
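def save_long_str_to_idb(array_name, value):
    """Store ``value`` in the IDB array ``array_name`` as 1024-item chunks.

    Any existing array with that name is deleted first, so the old contents
    are overwritten completely.

    Args:
        array_name: Name of the IDB array to (re)create.
        value: Sliceable string data; chunk ``idx`` holds
            ``value[idx * 1024:(idx + 1) * 1024]``.
    """
    chunk_len = 1024
    array_id = idc.get_array_id(array_name)
    if array_id != -1:
        idc.delete_array(array_id)
    array_id = idc.create_array(array_name)
    # range() and floor division behave the same on Python 2 and 3; the
    # previous xrange() and "/" only worked on Python 2.
    # The "+ 1" is kept as before: a trailing chunk is always written and is
    # empty when len(value) is an exact multiple of the chunk length.
    # NOTE(review): slices are counted in items, not encoded bytes. If the
    # chunk length is meant to respect a per-element size limit of the
    # database, non-ASCII text could exceed it once encoded -- confirm.
    for idx in range(len(value) // chunk_len + 1):
        idc.set_array_string(
            array_id, idx, value[idx * chunk_len:(idx + 1) * chunk_len])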
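def load_long_str_from_idb(array_name):
    """Reassemble a chunked string from the IDB array ``array_name``.

    Args:
        array_name: Name of the IDB array to read.

    Returns:
        All elements from index 0 to the last index, joined and decoded as
        UTF-8, or None when the array does not exist.

    Raises:
        UnicodeDecodeError: If the joined bytes are not valid UTF-8. The
            content is database-controlled; treat the result as untrusted
            input when the IDB was produced by a third party.
    """

    def _as_bytes(element):
        # An integer element is turned into its little-endian byte string
        # (zero becomes b"") so that it can be joined with the other chunks.
        # isinstance() replaces the exact-type comparison used before.
        if isinstance(element, int):
            return element.to_bytes((element.bit_length() + 7) // 8, "little")
        return element

    array_id = idc.get_array_id(array_name)
    if array_id == -1:
        return None
    last_idx = idc.get_last_index(idc.AR_STR, array_id)
    parts = [
        _as_bytes(idc.get_array_element(idc.AR_STR, array_id, idx))
        for idx in range(last_idx + 1)
    ]
    return b"".join(parts).decode("utf-8")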
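def invert(func_ea, if_ea):
    """Toggle the stored "swapped" state of one ``if`` statement.

    Swaps are recorded per function in an IDB array named
    ``_ARRAY_STORAGE_PREFIX`` plus the hex RVA of the function. Element 0
    holds the RVAs of the swapped ``if`` statements, space separated.

    Args:
        func_ea: Address of the function that contains the ``if``.
        if_ea: Address of the ``if`` statement to toggle.
    """
    image_base = idaapi.get_imagebase()
    iv_rva = if_ea - image_base
    func_rva = func_ea - image_base
    internal_name = _ARRAY_STORAGE_PREFIX + hex(int(func_rva))
    internal_id = idc.get_array_id(internal_name)
    if internal_id == -1:
        # First swap in this function: create the record.
        internal_id = idc.create_array(internal_name)
        idc.set_array_string(internal_id, 0, str(iv_rva))
        return

    inverted = get_inverted(func_ea)
    if iv_rva in inverted:
        inverted.remove(iv_rva)
        if not inverted:
            # Last swap removed: drop the record and stop here, so that
            # nothing is written to the array that was just deleted.
            idc.delete_array(internal_id)
            return
    else:
        inverted.add(iv_rva)
    # Persist the updated set after a removal as well as after an addition.
    idc.set_array_string(internal_id, 0, " ".join(map(str, inverted)))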
def has_inverted(func_ea):
    """Report whether a swapped THEN/ELSE record exists for the function.

    Only the presence of the per-function array is checked; its content is
    not read.
    """
    func_rva = int(func_ea - idaapi.get_imagebase())
    array_id = idc.get_array_id(_ARRAY_STORAGE_PREFIX + hex(func_rva))
    # get_array_id yields -1 when no array with that name exists.
    return array_id != -1
def __init__(self, func_ea):
    """Bind the object to the IDB array that belongs to ``func_ea``.

    The array name is ``InversionInfo.ARRAY_NAME`` followed by the hex form
    of ``func_ea`` exactly as passed in. The array is only looked up here,
    not created.
    """
    array_name = InversionInfo.ARRAY_NAME + hex(int(func_ea))
    self.__name = array_name
    # NOTE(review): presumably -1 when the array does not exist yet -- confirm.
    self.__id = idc.get_array_id(array_name)