def find_macho_valid(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0xFACF)
if ea_list[0] == ida_idaapi.BADADDR:
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0xFEEDFACF)
if ea_list[0] != ida_idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print("\t[+] _macho_valid = 0x%x" % (func_ea))
idc.set_name(func_ea, "_macho_valid", idc.SN_CHECK)
return func_ea
return ida_idaapi.BADADDR
def find_target_early_init(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x4A41)
if ea_list[0] != ida_idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print("\t[+] _target_early_init = 0x%x" % (func_ea))
idc.set_name(func_ea, "_target_early_init", idc.SN_CHECK)
tei_ea = func_ea
str_ea = ida_search.find_text(tei_ea, 1, 1, "All pre",
ida_search.SEARCH_DOWN)
if str_ea != ida_idaapi.BADADDR:
f_ea = idaapi.get_func(str_ea).start_ea
if tei_ea != f_ea:
print("\t[-] _platform_not_supported = not found")
return tei_ea
bl_ea = str_ea + 8
dst = idc.print_operand(bl_ea, 0)
pns_ea = idc.get_name_ea_simple(dst)
print("\t[+] _platform_not_supported = 0x%x" % (pns_ea))
idc.set_name(pns_ea, "_platform_not_supported", idc.SN_CHECK)
return tei_ea
print("\t[-] _target_early_init = not found")
return ida_idaapi.BADADDR
def find_img4decodeinit(base_ea):
cur_ea = base_ea
while true:
ea_list = ida_search.find_imm(cur_ea, ida_search.SEARCH_DOWN, 0x494D)
if ea_list[0] == ida_idaapi.BADADDR:
ea_list = ida_search.find_imm(cur_ea, ida_search.SEARCH_DOWN,
0x494D0000)
if ea_list[0] != ida_idaapi.BADADDR:
ea = ea_list[0]
func = ida_funcs.get_func(ea)
func_ea = 0
if not func:
func_ea = ida_search.find_binary(ea, base_ea, "?? ?? BD A9",
16, ida_search.SEARCH_UP)
if func_ea != ida_idaapi.BADADDR:
ida_funcs.add_func(func_ea)
else:
print("\t[-] _Img4DecodeInit = not found")
return ida_idaapi.BADADDR
else:
func_ea = func.start_ea
ea_func_list = list(idautils.XrefsTo(func_ea))
if not ea_func_list:
cur_ea = ea + 4
continue
if ea_func_list[0].frm != ida_idaapi.BADADDR:
try:
i4d_ea = ida_funcs.get_func(ea_func_list[0].frm).start_ea
print("\t[+] _Img4DecodeInit = 0x%x" % (i4d_ea))
idc.set_name(i4d_ea, "_Img4DecodeInit", idc.SN_CHECK)
return i4d_ea
except:
break
cur_ea = ea + 4
print("\t[-] _Img4DecodeInit = not found")
return ida_idaapi.BADADDR
def find_image4_validate_property_callback_interposer(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x424E)
if ea_list[0] == ida_idaapi.BADADDR:
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN,
0x424E0000)
if ea_list[0] != ida_idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print("\t[+] _image4_validate_property_callback_interposer = 0x%x" %
(func_ea))
idc.set_name(func_ea, "_image4_validate_property_callback_interposer",
idc.SN_CHECK)
return func_ea
print("\t[-] _image4_validate_property_callback_interposer = not found")
return ida_idaapi.BADADDR
def find_immediate(expression):
if isinstance(expression, str):
expression = eval(expression)
ea, imm = ida_search.find_imm(0, idc.SEARCH_DOWN, expression)
while ea != idc.BADADDR:
yield ea
ea, imm = idc.find_imm(ea + 1, idc.SEARCH_DOWN,
expression)
def find_image4_load(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x4D650000)
if ea_list[0] != ida_idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print "\t[+] _image4_load = 0x%x" % (func_ea)
idc.set_name(func_ea, "_image4_load", idc.SN_CHECK)
return func_ea
return ida_idaapi.BADADDR
def find_macho_valid(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0xFACF)
if ea_list[0] != 0xffffffffffffffff:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print("\t[+] _macho_valid = 0x%x" % (func_ea))
idc.MakeName(func_ea, "_macho_valid")
return func_ea
return 0xffffffffffffffff
def find_wdf_callback_through_immediate(mnemonic, operand, val):
for i in range(10):
addr, operand_ = ida_search.find_imm(ida_ida.inf_get_min_ea(),
idc.SEARCH_DOWN | idc.SEARCH_NEXT,
val)
if addr != idc.BADADDR:
#print hex(addr), idc.GetDisasm(addr), "Operand ", operand_
if operand_ == operand and idc.print_insn_mnem(addr) == mnemonic:
return addr
else:
break
return None
def find_img4decodeinit(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x494D0000)
if ea_list[0] != ida_idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
ea_func_list = list(idautils.XrefsTo(func_ea))
if ea_func_list[0].frm != ida_idaapi.BADADDR:
i4d_ea = ida_funcs.get_func(ea_func_list[0].frm).start_ea
print "\t[+] _Img4DecodeInit = 0x%x" % (i4d_ea)
idc.set_name(i4d_ea, "_Img4DecodeInit", idc.SN_CHECK)
return i4d_ea
return ida_idaapi.BADADDR
def find_crypt_info():
info = {'addr': [], 'xor_key': ''}
# Find the decryption routines
addr = 0
while True:
# Search for magic value in the decryption functions
addr, _ = ida_search.find_imm(addr + 1, SEARCH_DOWN, 0x3C6EF35F)
if addr == 0xffffffff:
break
info['addr'].append(ida_funcs.get_func(addr).startEA)
inst_addr = addr
# Find xor key
info['xor_key'] = find_xor_key(inst_addr)
return info
def find_crypt_info():
info = {
'addr': [],
'xor_key': ''
}
# Find the decryption routines
addr = 0
while True:
# Search for magic value in the decryption functions
addr, _ = ida_search.find_imm(addr + 1, SEARCH_DOWN, 0x3C6EF35F)
if addr == 0xffffffff:
break
info['addr'].append(ida_funcs.get_func(addr).startEA)
inst_addr = addr
# Find xor key
info['xor_key'] = find_xor_key(inst_addr)
return info
def find_stack_chk_fail(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x7CC8)
if ea_list[0] != ida_idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print("\t[+] _stack_chk_fail = 0x%x" % (func_ea))
idc.set_name(func_ea, "_stack_chk_fail", idc.SN_CHECK)
return func_ea
else:
str_ea = ida_search.find_text(base_ea, 1, 1, "__stack_chk_fail",
ida_search.SEARCH_DOWN)
if str_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _stack_chk_fail = 0x%x" % (func.start_ea))
idc.set_name(func.start_ea, "_stack_chk_fail", idc.SN_CHECK)
return func.start_ea
return ida_idaapi.BADADDR
def findImmediate(self, range_start, range_end, value):
"""Return all of the places (in the range) in which the immediate value was found.
Args:
range_start (int): ea of the range's start
range_end (int): ea of the range's end
value (int): value of the searched immediate
Return Value:
collection of ea's in which the value was found
"""
search_pos = range_start
while search_pos < range_end:
match_ea, garbage = ida_search.find_imm(search_pos, idc.SEARCH_DOWN, value)
search_pos = match_ea + 1
# Filter out mismatches
if match_ea == idc.BADADDR:
break
# return the correct result to the caller
yield match_ea
