def analyze_str_ptr(start_ea, end_ea):
str_cnt = 0
start_time = time.time()
# First, find string references. strings referenced by pointers are highly
# likely string.
ea = start_ea
while ea != idc.BADADDR and ea < end_ea:
status, ea = is_assigned(ea)
if status:
continue
str_ptr = ida_bytes.get_dword(ea)
if idc.get_str_type(str_ptr) is not None or check_string(str_ptr, 8):
# even already assigned strings may not have reference.
ida_offset.op_offset(ea, 0, idc.REF_OFF32)
if idc.get_str_type(str_ptr) is None:
create_string(str_ptr)
str_cnt += 1
if str_cnt % 10000 == 0:
print("%x: %d strings has been found. (%0.3f secs)" %
(ea, str_cnt, time.time() - start_time))
ea = next_addr_aligned(ea, 4)
print("Created %d strings. (%0.3f secs)" %
(str_cnt, time.time() - start_time))
def handle_operand(self, insn, op, isRead):
flags = ida_bytes.get_flags(insn.ea)
is_offs = ida_bytes.is_off(flags, op.n)
dref_flag = ida_xref.dr_R if isRead else ida_xref.dr_W
def_arg = ida_bytes.is_defarg(flags, op.n)
optype = op.type
itype = insn.itype
# create code xrefs
if optype == ida_ua.o_imm:
makeoff = False
if itype in [self.itype_ncall, self.itype_call]:
insn.add_cref(op.value, op.offb, ida_xref.fl_CN)
makeoff = True
#elif itype == self.itype_mov: # e.g., mov #addr, PC
# insn.add_cref(op.value, op.offb, ida_xref.fl_JN)
# makeoff = True
if makeoff and not def_arg:
otype = ida_offset.get_default_reftype(insn.ea)
ida_offset.op_offset(insn.ea, op.n, otype, ida_idaapi.BADADDR, insn.cs)
is_offs = True
if is_offs:
insn.add_off_drefs(op, ida_xref.dr_O, 0)
elif optype == ida_ua.o_near:
if insn.itype in [self.itype_ncall, self.itype_call]:
fl = ida_xref.fl_CN
else:
fl = ida_xref.fl_JN
insn.add_cref(op.addr, op.offb, fl)
# create data xrefs
elif optype == ida_ua.o_mem:
insn.create_op_data(op.addr, op.offb, op.dtype)
insn.add_dref(op.addr, op.offb, dref_flag)
'''
def run_scatterload(debug=False):
# Newly identified region may have additional scatter load procedure. Thus,
# we continuously proceed until no changes left.
is_changed = True
while is_changed:
is_changed = False
tables = find_scatter_table()
scatter_funcs = find_scatter_funcs()
for start, end in tables.items():
print("Processing table: 0x%x to 0x%x" % (start, end))
while start < end:
ida_bytes.create_dword(start, 16)
ida_offset.op_offset(start, 0, idc.REF_OFF32)
src = ida_bytes.get_dword(start)
dst = ida_bytes.get_dword(start + 4)
size = ida_bytes.get_dword(start + 8)
how = ida_bytes.get_dword(start + 12)
if how not in scatter_funcs:
print("%x: no addr 0x%x in scatter_funcs" % (start, how))
start += 16
continue
func_name = scatter_funcs[how]
start += 16
print("%s: 0x%x -> 0x%x (0x%x bytes)" %
(func_name, src, dst, size))
if func_name != "__scatterload_zeroinit":
if not idc.is_loaded(src) or size == 0:
print("0x%x is not loaded." % (src))
continue
if debug:
# only show information above
continue
if func_name == "__scatterload_copy":
if add_segment(dst, size, "CODE"):
memcpy(src, dst, size)
is_changed = True
elif func_name == "__scatterload_decompress":
if add_segment(dst, size, "DATA"):
decomp(src, dst, size)
is_changed = True
# some old firmware images have this.
elif func_name == "__scatterload_decompress2":
if add_segment(dst, size, "DATA"):
decomp2(src, dst, size)
is_changed = True
elif func_name == "__scatterload_zeroinit":
# No need to further proceed for zero init.
if add_segment(dst, size, "DATA"):
memclr(dst, size)
ida_auto.auto_wait()
def markDataPtr(self, src, dest, aggressive=True):
"""Mark a data pointer from src to dest.
Args:
src (int): effective address for the pointer's location
dest (int): effective address for the pointed data address
aggressive (bool, optional): True iff should redefine the src (True by default)
"""
if aggressive:
ida_bytes.del_items(src, 0, self.addressSize())
if self.makeAddress(src):
idc.add_dref(src, dest, idc.XREF_USER | idc.dr_O)
ida_offset.op_offset(src, 0, idc.REF_OFF32)
def markCodePtr(self, src, dest, aggressive=True):
"""Mark a code pointer from src to dest.
Args:
src (int): effective address for the pointer's location
dest (int): effective address for the pointed code address
aggressive (bool, optional): True iff should redefine the src & dest (True by default)
"""
clean_dest = self.cleanPtr(dest)
if aggressive:
ida_bytes.del_items(src, 0, self.addressSize())
if self.makeAddress(src):
idc.add_dref(src, clean_dest, idc.XREF_USER | idc.dr_O)
idc.add_cref(src, clean_dest, idc.XREF_USER | idc.dr_O)
ida_offset.op_offset(src, 0, idc.REF_OFF32)
if aggressive:
ida_bytes.del_items(dest, 0, self.addressSize())
idc.create_insn(self.cleanPtr(dest))
def analyze_funcname(ea, func_ptr):
# check at least 10 items.
name_pptr = find_funcname_ptr(ea, 10)
if not name_pptr:
return False
ida_offset.op_offset(ea, 0, idc.REF_OFF32)
ida_offset.op_offset(name_pptr, 0, idc.REF_OFF32)
func_name = idc.get_func_name(func_ptr)
if not func_name.startswith("sub_"):
# already function name has been assigned
return False
name_ptr = ida_bytes.get_dword(name_pptr)
func_name = get_string(name_ptr)
if isinstance(func_name, bytes):
func_name = func_name.decode()
set_funcname(func_ptr, func_name)
return True
import idc
import idautils
import ida_offset
reftype = ida_offset.get_default_reftype(next(idautils.Segments()))
for segea in idautils.Segments():
for head in idautils.Heads(idc.get_segm_start(segea),
idc.get_segm_end(segea)):
if not ida_bytes.is_code(ida_bytes.get_full_flags(head)):
continue
for i in range(2):
if idc.get_segm_start(idc.get_operand_value(head,
i)) == idc.BADADDR:
continue
ida_offset.op_offset(head, i, reftype)
print("ok")
def name_vector(address, name):
del_items(address, True)
create_data(address, word_flag(), 2, ida_netnode.BADNODE)
op_offset(address, 0, 0)
set_name(address, name)