Esempio n. 1
0
def decomp(src, dst, length):
    # print("decomp 0x%X 0x%X (0x%x)"%(src, dst, length))
    end = dst + length
    while True:
        meta = ida_bytes.get_byte(src)
        src += 1
        l = meta & 7
        if l == 0:
            l = ida_bytes.get_byte(src)
            src += 1
        l2 = meta >> 4
        if l2 == 0:
            l2 = ida_bytes.get_byte(src)
            src += 1
        # print("meta: 0x%x l: 0x%X l2: 0x%x"%(meta,l,l2))
        # copy l byte
        memcpy(src, dst, l - 1)
        src += l - 1
        dst += l - 1
        if meta & 8:
            off = ida_bytes.get_byte(src)
            src += 1
            for i in range(l2 + 2):
                memcpy(dst - off, dst, 1)
                dst += 1
        else:
            memclr(dst, l2)
            dst += l2
        if dst >= end:
            assert dst == end, "Decompress failed"
            # print('decomp end %0x %0x'%(dst, end))
            break
Esempio n. 2
0
def readPASSTR(ea):
    out = ""
    len = ida_bytes.get_byte(ea)
    ea += 1
    for i in range(len):
        out += chr(ida_bytes.get_byte(ea + i))
    return out
Esempio n. 3
0
    def apply(self):
        """
        Apply patches to found opaque branch
        :return: None
        """

        for src, dst in self._flow_patches_map.items():
            ir_block: IRBlock = self._ir_cfg.get_block(src)

            asm_instr = ir_block.assignblks[ir_block.dst_linenb].instr

            if asm_instr.name not in conditional_branch:
                log(f"Unsupported asm pattern at {hex(src)}", code='!')
                continue

            patch_addr = asm_instr.offset

            opcode1 = ida_bytes.get_byte(patch_addr)

            # Fast and Furious
            if opcode1 == 0x0F:
                ida_bytes.patch_bytes(
                    patch_addr,
                    b"\xe9" + pack("<I",
                                   (dst - (patch_addr + 5)) & (2**32 - 1)))
            elif ((opcode1 & 0xe0) == 0xe0) or ((opcode1 & 0x70) == 0x70):
                ida_bytes.patch_byte(patch_addr, 0xeb)
                ida_bytes.patch_byte(patch_addr + 1,
                                     (dst - (patch_addr + 2)) & 0xFF)
            else:
                log(f"Unknown first part of opcode at {hex(patch_addr)}",
                    code='!')
                continue

            log(f"Apply patch JCC -> JMP at {hex(patch_addr)}")
Esempio n. 4
0
    def __add_bytes(self, bytes_ea, bytes_count):
        sginature_str = ''
        for i in range(0, bytes_count):
            sginature_str = sginature_str + '%02X ' % ida_bytes.get_byte(
                bytes_ea + i)

        return sginature_str
Esempio n. 5
0
 def on_mb_click(self, event, addr, size, mouse_offs):
     button = event.button()
     if button == Qt.MiddleButton:
         mouse = addr + mouse_offs
         c = get_byte(mouse)
         head, name, size = self._get_item_info(mouse)
         funcname = self._get_func_name(mouse)
         self.ann = [(mouse, qRgb(c, 0xFF,
                                  self.hl_color), "Address: %X" % (mouse),
                      qRgb(c, 0xFF, self.hl_color)),
                     (None, None, "  Item: %s" % (name),
                      qRgb(c, 0xFF, self.hl_color)),
                     (None, None, "  Head: %X" % (head),
                      qRgb(c, 0xFF, self.hl_color)),
                     (None, None, "  Size: %d" % (size),
                      qRgb(c, 0xFF, self.hl_color))]
         if funcname:
             self.ann.append((None, None, "  Function: %s" % (funcname),
                              qRgb(c, 0xFF, self.hl_color)))
         self.last_sel = (head, size)
     elif button == Qt.MiddleButton:
         pass
     elif button == Qt.RightButton:
         self.switch ^= 1
         msg('Highlighting %s\n' % self.mode[self.switch])
Esempio n. 6
0
 def on_mb_click(self, event, addr, size, mouse_offs):
     button = event.button()
     if button == Qt.MiddleButton:
         self._set_xor_key()
     elif button == Qt.RightButton:
         key = get_byte(addr + mouse_offs)
         self._set_xor_key(key)
     return
def get_bytes_str(start_ea, end_ea):
    size = end_ea - start_ea

    bytes = []
    for ea in range(start_ea, end_ea):
        b = '{:02x}'.format(ida_bytes.get_byte(ea))
        bytes.append(b)

    return ' '.join(bytes)
Esempio n. 8
0
def GetName(Ad):
    name=bytes()
    while(1):
        ascii=ida_bytes.get_byte(Ad)
        if(ascii==0):
            break
        Ad=Ad+1
        name=name+chr(ascii)
    return name
 def calc_item_size(self, ea, maxsize):
     if ida_struct.is_member_id(ea):
         return 1
     # get the opcode and see if it has an imm
     n = 5 if (ida_bytes.get_byte(ea) & 3) == 0 else 1
     # string too big?
     if n > maxsize:
         return 0
     # ok, accept
     return n
Esempio n. 10
0
def main():
    print('[*] start debfuscation')

    for s in get_code_segments():
        print('[*] try to deobfuscate {} section'.format(
            ida_segment.get_segm_name(s)))

        if s.use32():
            junk_patterns = junk_patterns_x86
        elif s.use64():
            junk_patterns = junk_patterns_x64
        else:
            print('[!] unsupported arch')

        print('[*] replace junk code to nop')
        for pattern, pattern_len in junk_patterns:
            addr_from = idc.find_binary(s.start_ea, ida_search.SEARCH_DOWN,
                                        pattern)
            while addr_from != idaapi.BADADDR and addr_from < s.end_ea:
                ida_bytes.patch_bytes(addr_from, '\x90' * pattern_len)
                addr_from = idc.find_binary(addr_from + pattern_len,
                                            ida_search.SEARCH_DOWN, pattern)

        print('[*] hide nop code')
        addr_from = ida_search.find_text(
            s.start_ea, 0, 0, 'nop',
            ida_search.SEARCH_CASE | ida_search.SEARCH_DOWN)
        while addr_from != idaapi.BADADDR and addr_from < s.end_ea:
            func_offset = idc.get_func_off_str(addr_from)
            if type(func_offset) == str and func_offset.find('+') == -1:
                addr_from = ida_search.find_text(
                    idc.next_head(addr_from), 0, 0, 'nop',
                    ida_search.SEARCH_CASE | ida_search.SEARCH_DOWN)
            else:
                i = 0
                while True:
                    if ida_bytes.get_byte(addr_from + i) == 0x90:
                        i += 1
                    else:
                        break
                if i >= 3:
                    idc.add_hidden_range(addr_from, addr_from + i, 'nop', None,
                                         None, 0xFFFFFFFF)
                    print("%08X" % addr_from)
                addr_from = ida_search.find_text(
                    idc.next_head(addr_from + i), 0, 0, 'nop',
                    ida_search.SEARCH_CASE | ida_search.SEARCH_DOWN)

        #print('[*] renanlyze')
        #idc.del_items(s.start_ea, size=s.size())
        #time.sleep(1)
        #idc.plan_and_wait(s.start_ea, s.end_ea)
    print('[*] done')
Esempio n. 11
0
def callback2(ea):
    print("Found ref to cmd string at 0x%08X" % ea)
    ref=ida_bytes.get_dword(ea)&0xFFFF0000
    for i in range(0,0x1000*4,0x10):
        value=ida_bytes.get_dword(ea+i)
        if value&0xFFFF0000 != ref:
            valbyte=ida_bytes.get_byte(ea+i)
            if valbyte==ord('$') or valbyte==ord('!') or valbyte==ord('+') or valbyte==ord('^') or valbyte==ord('*'):
                return ea+i
            break
        logger.debug("cmd_ref:%x" % (ea+i))
        references.append(ea+i)
    return 0
    def calc_item_size(self, ea, maxsize):
        # Custom data types may be used in structure definitions. If this case
        # ea is a member id. Check for this situation and return 1
        if ida_struct.is_member_id(ea):
            return 1

        # get the length byte
        n = ida_bytes.get_byte(ea)

        # string too big?
        if n > maxsize:
            return 0
        # ok, accept the string
        return n + 1
Esempio n. 13
0
def get_string(ea, length=idc.BADADDR):
    end_ea = ea + length
    ret = []

    while ea < end_ea:
        # break if current ea is already assigned
        if not idc.is_loaded(ea):
            break

        byte = ida_bytes.get_byte(ea)
        if byte == 0:  # NULL terminate
            break

        ret.append(byte)
        ea += 1

    return bytes(ret)
Esempio n. 14
0
def main():
    print("[*] Start patching to XOR encoded blocks")
    ea = ida_kernwin.ask_addr(BADADDR, "What address is encoded block by xor?")
    xor_key = ida_kernwin.ask_long(0x00, "Waht is key for xor?(0-255)")

    valid_check(ea, xor_key)

    print hex(ea)
    print hex(xor_key)

    while True:
        b = ida_bytes.get_byte(ea)
        if b == 0:
            break
        ida_bytes.patch_byte(ea, b ^ xor_key)
        ea += 1

    print("[*] Finished patching to XOR encoded blocks")
Esempio n. 15
0
 def on_get_annotations(self, address, size, mouse_offs):
     item_ea = get_item_head(address + mouse_offs)
     cursor_ea = address + mouse_offs
     name = get_name(item_ea)
     if len(name):
         name = "(%s)" % name
     else:
         name = ""
     ann = [
         (item_ea, self.red[0], "Item: %X" % (item_ea), self.colormap[-1]),
         (None, None,
          "  Size: %d %s" % (get_item_size(get_item_head(cursor_ea)), name),
          self.colormap[-3]),
         (cursor_ea, self.colormap[-1], "Cursor: %X" % (cursor_ea),
          self.colormap[-1]),
         (None, None, "  %s" % generate_disasm_line(
             cursor_ea, GENDSM_FORCE_CODE | GENDSM_REMOVE_TAGS),
          self.colormap[-3]),
         (None, None, "  Value: %02X" % get_byte(cursor_ea),
          self.colormap[-3]),
     ]
     return ann
Esempio n. 16
0
def decomp2(src, dst, length):
    # print("decomp 0x%X 0x%X (0x%x)"%(src, dst, length))
    meta = ida_bytes.get_byte(src)
    src += 1
    end = dst + length
    while True:
        l = meta & 3
        if l == 0:
            l = ida_bytes.get_byte(src)
            src += 1

        l2 = meta >> 4
        if l2 == 0:
            l2 = ida_bytes.get_byte(src)
            src += 1
        # print("meta: 0x%x l: 0x%X l2: 0x%x"%(meta,l,l2))
        # copy l byte
        memcpy(src, dst, l - 1)
        src += l - 1
        dst += l - 1

        if l2:
            off = ida_bytes.get_byte(src)
            src += 1
            meta_val = meta & 0xC
            src_ptr = dst - off
            if meta_val == 12:
                meta_val = ida_bytes.get_byte(src)
                src += 1
                src_ptr -= 256 * meta_val

            else:
                src_ptr -= 64 * meta_val

            l2 += 2
            memcpy(src_ptr, dst, l2)
            dst += l2

        meta = ida_bytes.get_byte(src)
        src += 1

        if dst >= end:
            assert dst == end, "Decompress failed"
            # print('decomp end %0x %0x'%(dst, end))
            break
Esempio n. 17
0
            secondOp = SecondOperand(popcntSize)
            inst = DecodeInstruction(popcntAddr)
            if inst.Op2.dtype != idaapi.dt_qword:
                if inst.Op2.dtype == idaapi.dt_dword:
                    secondOp.is64bit = False
                else:
                    raise RuntimeError("Parsing error: unsupported data type")

            if inst.Op2.type == o_reg:
                secondOp.isPtr = False
                secondOp.base = inst.Op2.reg
            elif inst.Op2.type == o_phrase or inst.Op2.type == o_displ:
                if inst.Op2.specflag1 and inst.Op2.phrase != 4:
                    extendedBase = 0
                    extendedIndex = 0
                    rex = ida_bytes.get_byte(popcntAddr + 1)
                    if rex != 0x0f:
                        if rex >> 4 == 4:
                            extendedBase = rex & 1
                            extendedIndex = (rex >> 1) & 1
                        else:
                            raise RuntimeError("Parsing error: bad rex prefix")

                    sib = inst.Op2.specflag2
                    #print(rex)
                    #print extendedBase, extendedIndex
                    #print(sib)
                    base = (sib & 7) | (extendedBase << 3)
                    if base == 12 and not extendedIndex:
                        secondOp.base = base
                    else:
Esempio n. 18
0
 def get_byte(self, offset):
     """Read byte from IDB"""
     self.ret = ida_bytes.get_byte(offset)
     return self.ret
Esempio n. 19
0
 def on_mb_click(self, button, addr, mouse_offs):
     if button == Qt.MiddleButton:
         self._set_xor_key()
     elif button == Qt.RightButton:
         key = get_byte(addr + mouse_offs)
         self._set_xor_key(key)
Esempio n. 20
0
def get_int8(ea):
    return struct.unpack("b", struct.pack("B", ida_bytes.get_byte(ea)))[0]
Esempio n. 21
0
 def get_tooltip(self, addr, mouse_offs):
     return "%X:\nCursor 0x%02X\nKey: 0x%02X" % (
         addr + mouse_offs, get_byte(addr + mouse_offs), self.key)
Esempio n. 22
0
def get_decryption_data(xref_address):
	encrypted_buffer_address = ""
	little_endian_iv = 0
	buffer_size = 0

	push_counter = 0

	instructions = reversed(list(Heads(xref_address - LIMIT, xref_address)))
	for instr_address in instructions:
		# If the values have not been found
		if not encrypted_buffer_address or little_endian_iv == 0 or buffer_size == 0:
			# If the instruction is a "mov" plus the register in the destination operand is "ecx"
			# and the buffer address has not been found yet, we get this value
			if GetMnem(instr_address) == "mov" and GetOpnd(instr_address, 0) == "ecx" and not encrypted_buffer_address:
 				# If the operand of the source instruction is an offset, it is the address
				if "offset" in GetOpnd(instr_address, 1):
					encrypted_buffer_address = get_value_from_instruction(instr_address)
 				# If not, we look for the value in a recirsive way
				else:
					encrypted_buffer_address = get_value_from_register(instr_address, GetOpnd(instr_address, 1))
			# If the instruction is a "pop" we decrement the "push" counter
			elif GetMnem(instr_address) == "pop":
				push_counter = push_counter - 1
			# If the instruction is a "push" we increment the "push" counter and gets the values of the IV and the buffer_size
			elif GetMnem(instr_address) == "push":
				push_counter = push_counter + 1
				# If the push counter is equal 0 (it must be a pop prior this instruction), it is the size of the buffer
				if push_counter == 0 and buffer_size == 0:
 					operand = GetOpnd(instr_address, 0)
 					# If the operand of the instruction is a digit or an hex value, it is the size (if this value has not been found yet)
 					if check_if_hex(operand) or operand.isdigit:
 						buffer_size = get_value_from_instruction(instr_address)
 					# If not, we look for the value in a recirsive way
 					else:
 						buffer_size = get_value_from_register(instr_address, GetOpnd(instr_address, 0))
				# If the push counter is equal 1, it is the IV (if this value has not been found yet)
 				elif push_counter == 1 and little_endian_iv == 0:
					operand = GetOpnd(instr_address, 0)
 					# If the operand of the instruction is a an hex value, it is the IV
					if check_if_hex(operand):
						little_endian_iv = get_value_from_instruction(instr_address)
 					# If not, we look for the value in a recirsive way
					else:
						little_endian_iv = get_value_from_register(instr_address, GetOpnd(instr_address, 0))
			elif GetMnem(instr_address) == "lea" and GetOpnd(instr_address, 0) == "edx" and buffer_size == 0:
				buffer_size = ida_bytes.get_byte(instr_address + 2) + 1
			# If the instruction is a "mov" plus the register in the destination operand is "edx"
			# and the buffer size has not been found yet, we get this value
			elif GetMnem(instr_address) == "mov" and GetOpnd(instr_address, 0) == "edx" and buffer_size == 0:
				operand = GetOpnd(instr_address, 0)
 				# If the operand of the instruction is a digit or an hex value, it is the size
				if check_if_hex(operand) or operand.isdigit:
					buffer_size = get_value_from_instruction(instr_address)
 				# If not, we look for the value in a recirsive way
				else:
					buffer_size = get_value_from_register(instr_address, GetOpnd(instr_address, 1))
			# If the buffer size could not be obtained, we set it to 1, since it is real value in the binary
			elif GetMnem(instr_address) == "inc" and GetOpnd(instr_address, 0) == "edx" and buffer_size == 0:
				buffer_size = 1
		# If all values has been found, we stop the search
		else:
			break

	decryption_data = {
		"encrypted_buffer_address": str(encrypted_buffer_address),
		"little_endian_iv": str(little_endian_iv),
		"buffer_size": str(buffer_size)
	}

	return decryption_data
Esempio n. 23
0
def makePASSTR(ea):
    len = ida_bytes.get_byte(ea)
    ida_bytes.create_strlit(ea, len + 1, ida_bytes.STRTYPE_PASCAL)
    return len
Esempio n. 24
0
def load_file(f, neflags, format):
    f.seek(0)

    ida_idp.set_processor_type("metapc", ida_idp.SETPROC_LOADER)
    MGROUPStart = 0
    magic = f.read(2)

    if magic == MZ_HEADER_MAGIC:
        f.seek(0x22)
        MGROUPStart = DW(f) * 16
        f.seek(MGROUPStart)
        magic = f.read(2)

    headerSize = DW(f)
    segmentDataAlignment = DW(f)
    nextExeOff = DD(f)
    SegDataOff = DD(f)

    f.file2base(MGROUPStart, 0, SegDataOff, True)
    ida_segment.add_segm(0, 0, 0x50, "HEADER", "MODULE")
    f.seek(MGROUPStart + 2)

    headerSize = rnDW(f, "headerSize", MGROUPStart)
    segmentDataAlignment = rnDW(f, "segmentDataAlignment", MGROUPStart)
    nextExeOff = rnDD(f, "nextExeOff", MGROUPStart)
    SegDataOff = rnDD(f, "SegDataOff", MGROUPStart)

    ResDataOff = rnDD(f, "ResDataOff", MGROUPStart)
    flags = rnDW(f, "flags", MGROUPStart)
    version = rnDB(f, "version", MGROUPStart)
    revision = rnDB(f, "revision", MGROUPStart)
    AutoDataSegNo = rnDW(f, "AutoDataSegNo", MGROUPStart)
    HeapSize = rnDW(f, "HeapSize", MGROUPStart)
    StackSize = rnDW(f, "StackSize", MGROUPStart)
    StartProc = rnDD(f, "StartProc", MGROUPStart)
    LoadProc = rnDD(f, "LoadProc", MGROUPStart)
    FreeProc = rnDD(f, "FreeProc", MGROUPStart)
    nSegments = rnDW(f, "nSegments", MGROUPStart)
    pSegTable = rnDW(f, "pSegTable", MGROUPStart)
    cbResTab = rnDW(f, "cbResTab", MGROUPStart)
    pResTab = rnDW(f, "pResTab", MGROUPStart)
    cbEntTab = rnDW(f, "cbEntTab", MGROUPStart)
    pEntTab = rnDW(f, "pEntTab", MGROUPStart)
    cbNamTab = rnDW(f, "cbNamTab", MGROUPStart)
    pNamTab = rnDW(f, "pNamTab", MGROUPStart)
    cbStrTab = rnDW(f, "cbStrTab", MGROUPStart)
    pStrTab = rnDW(f, "pStrTab", MGROUPStart)
    cbNRNamTab = rnDW(f, "cbNRNamTab", MGROUPStart)
    pNRNamTab = rnDW(f, "pNRNamTab", MGROUPStart)

    ida_segment.add_segm(0, pSegTable,
                         pSegTable + (nSegments * SEG_STRUCT_SIZE), "SEGTABLE",
                         "MODULE")
    ida_segment.add_segm(0, pResTab, pResTab + cbResTab, "RESOURCES", "MODULE")
    ida_segment.add_segm(0, pEntTab, pEntTab + cbEntTab, "ENTTABLE", "MODULE")
    ida_segment.add_segm(0, pNamTab, pNamTab + cbNamTab, "ENTNAME", "MODULE")
    ida_segment.add_segm(0, pStrTab, pStrTab + cbStrTab, "IMPORTS", "MODULE")
    ida_segment.add_segm(0, pNRNamTab, pNRNamTab + cbNRNamTab, "NRENTNAME",
                         "MODULE")

    #parse segtable
    segentsid = defSEGENT()
    base = SegDataOff // 16

    importCount = 0
    for i in range(nSegments):
        segEntStart = pSegTable + i * SEG_STRUCT_SIZE
        ida_bytes.create_struct(segEntStart, SEG_STRUCT_SIZE, segentsid)
        segStart = ida_bytes.get_word(segEntStart + 2)
        segLen = ida_bytes.get_word(segEntStart + 4)
        segImports = ida_bytes.get_word(segEntStart + 6)
        importCount += segImports
        f.file2base(MGROUPStart + SegDataOff + segStart * 16,
                    SegDataOff + segStart * 16,
                    SegDataOff + (segStart + segLen) * 16, True)

        segBase = (base + segStart) * 16
        #segmentDef = ida_segment.segment_t()
        #segmentDef.start_ea = segBase
        #segmentDef.end_ea = (base+segStart+segLen)*16
        #ida_segment.set_selector()
        print(base + segStart)
        ida_segment.add_segm(base + segStart, segBase,
                             (base + segStart + segLen) * 16, "", "", 0)
        sel = ida_segment.find_selector(base + segStart)
        seg = ida_segment.getseg(segBase)
        ida_segment.set_segm_addressing(seg, 0)
        segtable[i] = seg
        segimportstable[i] = segImports
        if i + 1 == AutoDataSegNo:
            ida_segment.set_segm_name(seg, "DATA", 0)
            ida_segment.set_segm_class(seg, "DATA", 0)
            dataSel = sel
        else:
            ida_segment.set_segm_name(seg, "TEXT", 0)
            ida_segment.set_segm_class(seg, "CODE", 0)
            if AutoDataSegNo == 0:
                dataSel = sel
    ida_segregs.set_default_dataseg(dataSel)

    #parse enttable
    pENT = pEntTab
    currord = 1
    while pENT < pEntTab + cbEntTab:
        bundleCount = ida_bytes.get_byte(pENT)
        bundleFlags = ida_bytes.get_byte(pENT + 1)
        if bundleCount == 0 and bundleFlags == 0:
            break
        pENT += 2
        for i in range(bundleCount):
            if bundleFlags == 0xFF:
                ordFlags = ida_bytes.get_byte(pENT)
                if ordFlags & 0x80:
                    toexport.append(currord)
                segNo = ida_bytes.get_byte(pENT + 3)
                segOff = ida_bytes.get_word(pENT + 4)

                enttable[currord] = (segtable[segNo - 1].start_ea // 16,
                                     segOff)
                pENT += 6
            else:
                ordFlags = ida_bytes.get_byte(pENT)
                if ordFlags & 0x80:
                    toexport.append(currord)
                segOff = ida_bytes.get_word(pENT + 1)
                enttable[currord] = (segtable[bundleFlags - 1].start_ea // 16,
                                     segOff)
                pENT += 3

            currord += 1

    modulename = readPASSTR(pNamTab)

    make_entry(StartProc, modulename + "_start")
    make_entry(LoadProc, modulename + "_load")
    make_entry(FreeProc, modulename + "_free")

    #export named ordinals
    namedordtable = loadExportsF(f)

    for i in toexport:
        if i in namedordtable:
            name = namedordtable[i]
        else:
            name = "Ordinal" + str(i)
        (base, off) = enttable[i]
        addr = base * 16 + off
        ida_entry.add_entry(i, addr, name, 1)

    #process imports

    ida_segment.add_segm(0xF000, 0xF0000, 0xF0000 + importCount * 2, "IMPORTS",
                         "XTRN", 0)

    import_ea = 0xF0000

    for seg in segtable:
        segend = segtable[seg].end_ea
        f.seek(MGROUPStart + segend)

        for i in range(segimportstable[seg]):
            count = DB(f)
            mode = DB(f)
            relocStart = DW(f)
            module = DW(f)
            proc = DW(f)

            if (module == 0xFFFF):
                (base, off) = enttable[proc]
            else:
                modulestr = readPASSTR(pStrTab + module)
                if (proc & 0x8000) != 0:  # read by ord
                    ordinal = proc & 0x7FFF
                    procname = modulestr + "_Ordinal" + str(ordinal)
                    if not modulestr in importedmodules:
                        if os.path.isfile(modulestr + ".EXE"):
                            importedmodules[modulestr] = loadExports(
                                modulestr + ".EXE")
                        else:
                            filename = ida_kernwin.ask_file(
                                0, modulestr + ".EXE",
                                "Select file to name exports")
                            if filename is not None and os.path.isfile(
                                    filename):
                                importedmodules[modulestr] = loadExports(
                                    filename)
                            else:
                                importedmodules[modulestr] = None
                    if modulestr in importedmodules and (
                            importedmodules[modulestr] is not None
                    ) and ordinal in importedmodules[modulestr]:
                        procname = importedmodules[modulestr][ordinal]
                else:
                    procname = readPASSTR(pStrTab + proc)
                ida_bytes.create_data(import_ea, ida_bytes.FF_WORD, 2,
                                      ida_idaapi.BADADDR)
                ida_name.force_name(import_ea, procname)
                ida_bytes.set_cmt(import_ea, "Imported from " + modulestr, 1)
                base = 0xF000
                off = import_ea - 0xF0000
                import_ea += 2

            for xx in range(count):
                next = ida_bytes.get_word(segtable[seg].start_ea + relocStart)
                if mode == 0x20:
                    ida_bytes.put_word(segtable[seg].start_ea + relocStart + 2,
                                       base)
                    ida_bytes.put_word(segtable[seg].start_ea + relocStart,
                                       off)
                elif mode == 0x10:
                    ida_bytes.put_word(segtable[seg].start_ea + relocStart,
                                       off)
                elif mode == 0x0:
                    ida_bytes.put_word(segtable[seg].start_ea + relocStart,
                                       base)
                relocStart = next

            #print "import %d: seg %d mode %s count %d relocStart %s module %s proc %s" % (i, seg, hex(mode), count, hex(relocStart), modulestr, hex(proc))

    return 1
Esempio n. 25
0
 def on_get_tooltip(self, addr, size, mouse_offs):
     return "0x%02X" % get_byte(addr + mouse_offs)
Esempio n. 26
0
def MemCopy( dest, src, length ) :
    for i in xrange(0, length):
        #if (i < 20):
        #	print "set byte at %#x to %#x" % (dest+i, idc.Byte(src+i))
        ida_bytes.patch_byte(dest+i,ida_bytes.get_byte(src+i))
Esempio n. 27
0
def range_xor(start_addr, end_addr, xor_num):
    for the_addr in range(start_addr, end_addr + 1):
        the_byte = get_byte(the_addr)
        patch_byte(the_addr, the_byte ^ xor_num)