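def go(ea):
    '''slightly less typing for idc.Jump

    Jumps the current IDA view to ``ea`` and returns ``ea`` unchanged.  When
    ``ea`` lies outside the range reported by ``contains``/``range`` a warning
    is logged, but the jump is still attempted.
    '''
    if not contains(ea):
        left, right = range()
        # logging.warn is a deprecated alias; logging.warning is the canonical call.
        logging.warning("Jumping to an invalid location %x. (valid range is %x - %x)", ea, left, right)
    idaapi.jumpto(ea)
    return ea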
def goto(shift=False):
    """Jump the disassembly and decompiler views to the symbol highlighted in the active viewer.

    Returns True when a highlighted symbol resolved to an address, False
    otherwise.  ``shift`` is only echoed in the debug output.
    """
    print("GhIDA:: [DEBUG] goto called")
    highlight = ida_kernwin.get_highlight(ida_kernwin.get_current_viewer())
    symbol = highlight[0] if highlight and highlight[1] else None
    if not symbol:
        return False
    address = gl.get_address_for_symbol(symbol)
    if not address:
        return False
    print("OnDblClick, shift=%d, selection:%s, address:%s" % (shift, symbol, address))
    # IDA disassembly view first, then the decompiler view at the converted address.
    idaapi.jumpto(address)
    ea = gl.convert_address(address)
    print("GhIDA:: [DEBUG] update view to %s" % ea)
    DECOMP_VIEW.switch_to_address(ea)
    return True
def jump(custom_viewer, line):
    """Move the caret of ``custom_viewer`` to line ``line`` and return the line it was on before."""
    place, x, y = idaapi.get_custom_viewer_place(custom_viewer, False)
    target = idaapi.place_t_as_simpleline_place_t(place.clone())
    previous_line = target.n
    target.n = line
    idaapi.jumpto(custom_viewer, target, x, y)
    return previous_line
def on_click(self, event):
    """Click handler: on a double-click with an x coordinate, jump IDA to the matching address.

    ``self.calc_addr_fcn`` maps the integer x coordinate to an address; a
    falsy result shows an IDA warning instead of jumping.
    """
    if not (event.dblclick and event.xdata):
        return
    addr = self.calc_addr_fcn(int(event.xdata))
    if not addr:
        idaapi.warning("Unable to calculate the address")
        return
    idaapi.jumpto(addr)
def JumpToTop():
    """Jump to the start of the function under the cursor; does nothing outside a function."""
    func = idaapi.get_func(idaapi.get_screen_ea())
    if not func:
        return
    idaapi.jumpto(func.startEA)
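def auto_map_lvars(self, vdui=None, start_ea=None):
    """Decompile a function and map its local variables in the Hex-Rays view.

    :param vdui: Hex-Rays view to operate on.  When None it is taken from the
        current form; if there is none, the view is jumped to ``start_ea`` first
        and the lookup is retried.
    :param start_ea: start of the function to analyze; when None, the function
        under the cursor is used.
    :return: True when either mapping pass reported that it mapped variables.
    """
    func = None
    if start_ea is None:
        func = idaapi.get_func(idaapi.get_screen_ea())
        start_ea = func.startEA
    if vdui is None:
        vdui = idaapi.get_tform_vdui(idaapi.get_current_tform())
        if vdui is None:
            # No pseudocode form is current: jump there so one becomes current.
            idaapi.jumpto(start_ea)
            vdui = idaapi.get_tform_vdui(idaapi.get_current_tform())
    if func is None:
        func = idaapi.get_func(start_ea)
    self.de = idaapi.decompile(func)
    self.assignments, overall_refs = self.analyze_fn()
    # The single-use pass runs first; the general pass only if it did nothing.
    # The original kept two flags (did_stuff / mapped_vars) that were always set
    # together, so its refresh_ctext branch could never run; one flag suffices.
    mapped = bool(self.map_vars_used_only_once(vdui, overall_refs) or self.map_lvars(vdui))
    if mapped:
        vdui.refresh_view(True)
    return mapped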
def handle(self, event, *args):
    """Hex-Rays double-click handler: resolve a clicked member expression to a function and open it.

    ``args[0]`` is the vdui whose current item was clicked.  Only expressions
    whose operator is cot_memptr/cot_memref are handled; for the two vtable
    shapes below the function is opened in pseudocode (return 1), for a plain
    struct member it is jumped to in disassembly (return 0).  Anything else
    falls through and returns None.
    """
    hx_view = args[0]
    item = hx_view.item
    if item.citype == idaapi.VDI_EXPR and item.e.op in (idaapi.cot_memptr, idaapi.cot_memref):
        # Look if we double clicked on expression that is member pointer. Then get tinfo_t of the structure.
        # After that remove pointer and get member name with the same offset
        if item.e.x.op == idaapi.cot_memref and item.e.x.x.op == idaapi.cot_memptr:
            # memref over memptr: the vtable type comes from e.x, the class type from e.x.x.x
            vtable_tinfo = item.e.x.type.get_pointed_object()
            method_offset = item.e.m
            class_tinfo = item.e.x.x.x.type.get_pointed_object()
            vtable_offset = item.e.x.x.m
        elif item.e.x.op == idaapi.cot_memptr:
            # memptr over memptr: e.x may itself be a pointer type, strip one level if so
            vtable_tinfo = item.e.x.type
            if vtable_tinfo.is_ptr():
                vtable_tinfo = vtable_tinfo.get_pointed_object()
            method_offset = item.e.m
            class_tinfo = item.e.x.x.type.get_pointed_object()
            vtable_offset = item.e.x.m
        else:
            # Plain struct member: resolve by member name only and jump in the disassembly view.
            func_offset = item.e.m
            struct_tinfo = item.e.x.type.get_pointed_object()
            func_ea = helper.choose_virtual_func_address(helper.get_member_name(struct_tinfo, func_offset))
            if func_ea:
                idaapi.jumpto(func_ea)
            return 0
        func_name = helper.get_member_name(vtable_tinfo, method_offset)
        func_ea = helper.choose_virtual_func_address(func_name, class_tinfo, vtable_offset)
        if func_ea:
            idaapi.open_pseudocode(func_ea, 0)
        return 1
def item_selection_changed(self):
    """Tree selection changed: jump IDA to the selected local item and, for a child item, fetch its remote annotations.

    A top-level item is the local item itself; a child item's parent is the
    local item and the child is the remote one.
    """
    selected = self.tree.selectedItems()
    if not selected:
        return
    item = selected[0]
    parent = item.parent()
    if parent is None:
        local_item, remote_item = item, None
    else:
        local_item, remote_item = parent, item
    if local_item:
        idaapi.jumpto(self.get_obj(local_item.api_id)['offset'])
    if remote_item:
        # TODO: change graph to a "loading..." message
        query = network.QueryWorker(
            "GET",
            "collab/annotations/",
            json=True,
            params={"type": "assembly", "instance": remote_item.api_id},
        )
        query.start(self.handle_display_change)
def JumpToBottom():
    """Jump to the last address of the function under the cursor; does nothing outside a function."""
    func = idaapi.get_func(idaapi.get_screen_ea())
    if not func:
        return
    # endEA is exclusive, so step back one address to land inside the function.
    last = idaapi.prevaddr(func.endEA)
    idaapi.jumpto(last)
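def nextimmref(self, ea, ui=True):
    """
    Finds the next occurrance of an immediate value being a reference, like
    ldr r2, [r2,#(dword_809EEF4+0x1F8 - 0x809f0e4)]
    :param ea: ea to start searching from
    :param ui: if True, jump to the found address automatically (no jump when nothing is found)
    :return: hex formatted ea of next name, or the hex of BADADDR when none is found before self.end_ea
    """
    # don't count this item
    current = Data.Data(ea)
    ea = current.ea + current.getSize()
    output = idaapi.BADADDR
    while ea < self.end_ea:
        d = Data.Data(ea)
        if d.isCode():
            disasm = d.getOrigDisasm()
            if '#' in disasm:
                # check out the xrefs from the item (two lists); the immediate is a
                # reference when the name of any target appears in the disassembly
                xrefs = d.getXRefsFrom()
                if any(Data.Data(xref).getName() in disasm for refs in (xrefs[0], xrefs[1]) for xref in refs):
                    output = ea
                    break
        ea += d.getSize()
    # The original jumped to ``ea`` unconditionally, which pointed past
    # self.end_ea when nothing was found; only jump to an actual hit.
    if ui and output != idaapi.BADADDR:
        idaapi.jumpto(output)
    return '%07X' % output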
def OnDblClick(self, shift):
    """Double-click: resolve the word under the cursor to a loaded address and jump to it.

    Returns True when a jump was made, False otherwise.
    """
    word = self.get_current_word()
    if word is None:
        return False
    ea = self.resolve_expr(word)
    if not (ea and idaapi.is_loaded(ea)):
        return False
    idaapi.jumpto(ea)
    return True
def jumpto(addr):
    """
    Changes the pseudocode view to the function address provided.

    @param addr: Address of function to jump to (handed straight to idaapi.jumpto)
    @return: None
    """
    idaapi.jumpto(addr)
def activate(self, ctx):
    """Action handler: read the dword at the selection start (DbgDword) and jump to that address.

    Without a valid selection an IDA message is printed instead.
    """
    selection = idaapi.read_selection()
    has_selection = selection[0]
    if not has_selection:
        idaapi.msg("Invalid selection!\n")
        return
    target = idc.DbgDword(selection[1])
    idaapi.jumpto(target)
def jump_to(a):
    """Update the tracked QIRA address from ``a`` (when new and valid) and jump the view to it.

    Does nothing when ``a`` is None.
    """
    global qira_address
    if a is None:
        return
    if a != qira_address and a != BADADDR:
        set_qira_address(a)
    idaapi.jumpto(qira_address, -1, 0)
def _ui_entry_double_click(self, index):
    """
    Handle double click event on the coverage table view.

    The clicked row is mapped to its function through ``self._model.row2func``
    and the IDA disassembly view is jumped there.
    """
    row = index.row()
    target = self._model.row2func[row]
    idaapi.jumpto(target)
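def _dblclick(self, item):
    '''
    Handles double click event: jump to the hex address shown in column 1 of ``item``.

    A cell that does not hold a hex number is ignored.  The original used a
    bare ``except: pass``, which also hid unrelated errors; only the parse is
    guarded now and the jump itself runs outside the try.
    '''
    try:
        ea = int(item.text(1), 16)
    except (ValueError, TypeError):
        return
    idaapi.jumpto(ea)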
def actionS(ea=None, pointerRange=None):
    """Scratch 'search' action: from ``ea`` (default: the cursor) find the next address
    where mt.getLZ77CompressedSize reports a valid size, print it and jump there.
    Earlier experiments are kept below as commented-out code.

    NOTE(review): ``nextOneWordArr`` is defined but never called, and
    ``pointerRange`` is only read inside it, so the parameter currently has
    no effect.  When nothing is found ``out`` is -1 and idaapi.jumpto(-1) is
    still called.
    """
    # Mainly for search-type actions or analysis
    if not ea:
        ea = here()
    # if not pointerRange:
    #     global ptrRange
    #     try:
    #         print('@input ptrRange=(%07X, %07X)' % (ptrRange[0], ptrRange[1]))
    #     except Exception:
    #         print('[input ptrRange]')
    #     pointerRange = ptrRange
    def nextOneWordArr():
        # Walk items from ``ea`` up to pointerRange[1] until one whose content is a
        # 4-element list with 1 byte per element; print and jump to it (unused).
        d = Data.Data(ea)
        while (d.ea < pointerRange[1]):
            content = d.getContent()
            # case: byte array that's 4 elements. Likely a word
            if type(content) == list and len(content) == 4 and (d.getSize() / len(content) == 1):
                break
            d = Data.Data(d.ea + d.getSize())
        if d.ea >= pointerRange[1]:
            print(False)
        else:
            print('%07X' % d.ea)
            idc.jumpto(d.ea)
    # output = next.unkptr(here(), end_ea=env['gameFiles'][mt.ea2gf(here())][1], pointerRange=pointerRange, showLabel=False)
    # output = next.red(here(), end_ea=env['gameFiles'][mt.ea2gf(here())][1])
    # output = next.ascii(here())
    # if output == idaapi.BADADDR:
    #     print(False)
    # global v, cur
    # idaapi.jumpto(v[cur])
    # print('%07X [%d/%d]' % (v[cur], cur, len(v)))
    # cur += 1
    # ops.tillName(here(), lambda ea: idc.SetRegEx(ea, "T", 0, idc.SR_user))
    # pt.misc.getLZ77CompressedSize(pointerOf(here()) - (1<<31))
    def nextCompressedData(ea, end_ea=None):
        # Byte-by-byte scan up to end_ea (default: end of the segment) for the first
        # address with a non-negative compressed size; -1 when none is found.
        if not end_ea:
            end_ea = idc.SegEnd(ea)
        while ea < end_ea:
            if mt.getLZ77CompressedSize(ea) >= 0:
                return ea
            ea += 1
        return -1
    # start one byte past the current address so the current hit is not returned again
    out = nextCompressedData(ea+1)
    print('%07X' % (out))
    idaapi.jumpto(out)
def identify_local_pointers(range):
    """Resolve pointers within ``range`` (a (start, end) pair), visit every item in it,
    then collapse the unknown bytes again.

    Note that the parameter name shadows the ``range`` builtin; it is kept for
    the callers' sake.
    """
    from FixTools import fixTools as fix
    from utils.ida import ops
    start, end = range[0], range[1]
    # identify local pointers in data, this accounts for IDA update behavior when collapsing back
    fix.resolvePointers(range, range)
    # jumping to each item forces IDA to refresh it before the collapse
    for item_ea in ops.next_item_ea(start, end - start):
        idaapi.jumpto(item_ea)
    fix.collapseUnknowns(*range)
def jump_to_line(ea, line, col):
    """Jump to ``ea``, then place the caret of the now-current viewer at (``line``, ``col``)."""
    idc.Jump(ea)
    viewer = idaapi.get_current_viewer()
    place, _x, _y = idaapi.get_custom_viewer_place(viewer, False)
    target = idaapi.place_t_as_simpleline_place_t(place.clone())
    target.n = line
    # the y argument is a fixed 10 (inherited value), x is the requested column
    idaapi.jumpto(viewer, target, col, 10)
def jump(self, data):
    """Open the pseudocode of the function named in ``data['address']`` and move to its line.

    ``data['address']`` is expected as ``"<name> : <line>"``: the name is
    resolved with get_name_ea and the line number parsed as an int.
    NOTE(review): an unknown name (get_name_ea returning BADADDR) is not
    checked before open_pseudocode.
    """
    j = data['address'].split(" : ")
    ea = idaapi.get_name_ea(idc.BADADDR, j[0])
    ln = int(j[1])
    print "JUMPTO", j, ea, ln
    ui = idaapi.open_pseudocode(ea, False)
    (pl, x, y) = idaapi.get_custom_viewer_place(ui.ct, False)
    pl2 = idaapi.place_t_as_simpleline_place_t(pl.clone())
    pl2.n = ln
    # x is reset to column 0; y keeps the viewer's current value
    idaapi.jumpto(ui.ct, pl2, 0, y)
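def go(ea):
    '''slightly less typing for idc.Jump

    ``ea`` may be an address or a name (basestring, so this is Python 2
    code); a name is resolved through search.byName first.  Out-of-range
    addresses are warned about but still jumped to.  Returns the resolved
    ``ea``.
    '''
    if isinstance(ea, basestring):
        ea = search.byName(None, ea)
    if not contains(ea):
        left, right = range()
        # logging.warn is a deprecated alias; logging.warning is the canonical call.
        logging.warning(
            "Jumping to an invalid location %x. (valid range is %x - %x)",
            ea, left, right)
    idaapi.jumpto(ea)
    return ea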
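def _ui_entry_double_click(self, index):
    """
    Handle double click event on the coverage table view.

    The clicked row is mapped to its function through ``self._model.row2func``
    and the disassembly view is jumped to that function's address.  Rows with
    no entry in row2func are ignored.
    """
    try:
        function = self._model.row2func[index.row()]
    except KeyError:
        # no function behind this row; nothing to jump to (the unused
        # ``as e`` binding of the original is dropped)
        return
    idaapi.jumpto(function.address)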
def OnDblClick(self, shift):
    """Double-click on a word: edit it when it names a debugger register, otherwise resolve it and jump.

    Returns True when something was done, False otherwise.
    """
    word = self.get_current_word()
    if word is None:
        return False
    if word.isupper() and word.replace("*", "") in dbg.registers:
        # an upper-case register name (a '*' marker is ignored): edit its value
        self.modify_value()
        return True
    ea = self.resolve_expr(word)
    if ea and idaapi.is_loaded(ea):
        idaapi.jumpto(ea)
        return True
    return False
def req_loc(self, hash):
    """Handle a 'loc' request: rebase the supplied offset and move the view there.

    ``hash`` (the request dict; the name shadows the builtin) carries
    ``offset`` and optionally ``base``.  An unresolvable address is ignored.
    """
    offset = hash['offset']
    base = hash.get('base')
    ea = self.rebase(base, offset)
    if not ea:
        return
    if self.color:
        self.cb_color(ea)
    idaapi.jumpto(ea)
    self.cb_curline(ea)
    self.gm.center()
def req_loc(self, hash):
    """Handle a 'loc' request: rebase the supplied offset and move the view there.

    ``hash`` (the request dict; the name shadows the builtin) carries
    ``offset`` and optionally ``base``.  An unresolvable address is ignored.
    """
    offset = hash["offset"]
    ea = self.rebase(hash.get("base"), offset)
    if not ea:
        return
    if self.color:
        self.cb_color(ea)
    idaapi.jumpto(ea)
    self.cb_curline(ea)
    self.gm.center()
def req_loc(self, hash):
    """Handle a 'loc' request: rebase the supplied offset and move the view there.

    ``hash`` (the request dict; the name shadows the builtin) carries
    ``offset`` and optionally ``base``.  An unresolvable address is ignored.
    """
    offset = hash['offset']
    base = hash.get('base')
    ea = self.rebase(base, offset)
    if not ea:
        return
    if self.color:
        self.cb_color(ea)
    idaapi.jumpto(ea)
    self.cb_curline(ea)
    self.gm.center()
def open_function(self):
    """Open this function: pseudocode when it decompiles, otherwise the disassembly view.

    With several candidate addresses the user picks one through
    Helper.choose_virtual_func_address; with none, nothing happens.
    """
    candidates = self.addresses
    if len(candidates) == 0:
        return
    if len(candidates) == 1:
        address = candidates[0]
    else:
        address = Helper.choose_virtual_func_address(self.name)
    if idaapi.decompile(address):
        idaapi.open_pseudocode(address, 0)
    else:
        idaapi.jumpto(address)
def OnSelectLine(self, n):
    """Chooser callback: colour every tainted instruction of the selected function and jump to it."""
    self.selcount += 1
    func_addr = int(self.items[n][0], 16)
    func_name = self.items[n][1]
    tainted = self.function_to_addrs[func_addr]
    idaapi.msg("%d tainted instructions in %s\n" % (len(tainted), func_name))
    for ea in tainted:
        idaapi.set_item_color(ea, TAINTED)
    idaapi.jumpto(func_addr)
def nextbin(self, ea, ui=True):
    """
    Finds the next big blob of data. The heuristic is it has to be at least sizeLimitHeuristic in size
    UI jumps to start_ea automatically.
    :param ea: ea to search from
    :param ui: if True, jump to address automatically
    :return: tuple hex format of the bin range and the size: (%07X, %07X, 0x$X)

    NOTE(review): ``ui`` is accepted but never read; the jump always happens.
    NOTE(review): if no large-enough blob is closed before self.end_ea, end_ea
    stays BADADDR (start_ea may as well) and idaapi.jumpto(start_ea) is still called.
    """
    sizeLimitHeuristic = 0x1000
    # don't count this item
    ea = Data.Data(ea).ea + Data.Data(ea).getSize()
    # range params
    start_ea = idaapi.BADADDR
    end_ea = idaapi.BADADDR
    size = 0
    # state machine of finding range
    st_start = 0     # looking for the first non-code item
    st_traverse = 1  # inside a candidate blob, accumulating its size
    st_end = 2       # blob closed by a code item and large enough
    state = st_start
    while ea < self.end_ea:
        d = Data.Data(ea)
        if not d.isCode():
            if state == st_start:
                # first data item: open a new candidate blob here
                start_ea = ea
                size = 0
                state = st_traverse
            if state == st_traverse:
                size += d.getSize()
            if state == st_end:
                # st_end is only set immediately before the break below, so this
                # guard is not reachable as written
                raise(Exception('entered invalid state'))
        if d.isCode():
            # only end if valid size
            if state == st_traverse:
                if size >= sizeLimitHeuristic:
                    state = st_end
                else:
                    # too small: drop the candidate and keep scanning
                    state = st_start
            if state == st_end:
                end_ea = ea
                break
        ea += d.getSize()
    idaapi.jumpto(start_ea)
    return '0x%07X, 0x%07X, 0x%X' % (start_ea, end_ea, size)
def run(self, arg):
    """Plugin entry point: find the E-language main, apply signatures and DLL-call handling, jump to it."""
    idaapi.msg("ESigPlugin run")
    e_main_ea = get_E_main()
    if e_main_ea == 0:
        idaapi.msg(
            "Can not find E language main function, the file may not be compiled by E compiler."
        )
        return
    sigs = E_Sigs(e_main_ea)
    sigs.set_E_main_name()
    sigs.load_flirt_sigs()
    sigs.handle_dll_calls()
    idaapi.jumpto(e_main_ea)
    print("e sig finish")
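def jump_to(self, qea):
    """Sync the tracked QIRA address with ``qea`` and jump the view there.

    A ``qea`` that is new and not BADADDR replaces ``self.qira_address``
    first; the view is then jumped to the tracked address either way.  None
    is reported through idaapi.msg and ignored.
    """
    if qea is None:
        # The original passed no argument for the "%s" here, so the literal
        # "[%s]" was printed; fill in the plugin name like the debug message does.
        idaapi.msg("[%s] Cannot jump_to: None\n" % (self.wanted_name,))
        return
    if qea != self.qira_address and qea != idc.BADADDR:
        self.set_qira_address(qea)
    idaapi.jumpto(self.qira_address, -1, 0x0001)
    # debugging
    if DEBUG:
        idaapi.msg(
            "[%s] jump_to: qira_address [0x%x], ea [0x%x]\n" % (self.wanted_name, self.qira_address, qea,))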
def mouseDoubleClickEvent(self, event: Any) -> None:
    """Double-click on a followable column: highlight the cell's address and jump to it.

    The event is always forwarded to the QTableView implementation afterwards
    (except for an invalid index, which is accepted and dropped).
    """
    event.accept()
    index = self.indexAt(event.pos())
    if not index.isValid():
        return
    data = self.get_index_data(index)
    if data and self.func_model.isFollowable(index.column()):
        self.hilight_addr(data)
        jumpto(data)
    super(QtWidgets.QTableView, self).mouseDoubleClickEvent(event)
def main(): global debughook #ida7 debug 中有bug,弹AskStr会卡死 #基本流程 #1.需要手动调整下面三个参数 target1 = "libnative-lib.so" start_off_in_target = 0x00004664 end_off_in_target = 0x00046DA #2.需要在Debugger->Tracing->Tracing option 关闭Trace over debugger segments,并在这个页面输入Trace File路径 #脚本会在开始和结束下断点,点击continue运行.开始trace,命中结束断点trace自动结束,trace结果保存在设置的Trace File路径中 unhook() skip_functions = [] modules_info = [] start_ea = 0 end_ea = [] so_modules = [target1] for module in idc._get_modules(): module_name = os.path.basename(module.name) # print("enum: %s" % module_name) for so_module in so_modules: if re.search(so_module, module_name, re.IGNORECASE): print("modules_info append %08X %s %08X" % (module.base, module.name, module.size)) if module_name == target1: # module.size = 98304 modules_info.append({"base": module.base, "size": module.size, "name": module.name}) start_ea = (module.base + start_off_in_target) #encode_func_2 end_ea = [((module.base + end_off_in_target))] break # # # # if start_ea: # start address set_breakpoint(start_ea) if end_ea: # end address for ea in end_ea: set_breakpoint(ea) if skip_functions: print("skip_functions") for skip_function in skip_functions: print ("%08X" % skip_function) debughook = MyDbgHook(modules_info, skip_functions, start_ea, end_ea) idaapi.jumpto(start_ea) starthook() pass
def say_address(buddy):
    """Have ``buddy`` announce a random address and offer to jump to it or cancel."""
    address = get_random_address()
    label = Span('0x{address:X}'.format(address=address), color='black', text_decoration='underline')
    prompt = ask_go_cancel(random_address_saying().format(label))
    buddy.interact(
        prompt,
        go=lambda *_: (idaapi.jumpto(address), buddy.exit()),
        cancel=lambda *_: buddy.exit(),
    )
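def searchClickedIndex_Slot(self, value, local_comment_data=None):
    """Slot for a clicked search result: jump to ``value``, colour it, optionally annotate it, select its row.

    :param value: address of the clicked result
    :param local_comment_data: when given, added as a long comment at ``value`` (add_long_cmt with isprev=1)
    """
    # the jumpto result was stored in an unused local before; it is not needed
    idaapi.jumpto(value)
    # Highlight the current line in IDA views
    idc.SetColor(value, idc.CIC_ITEM, 0x90EE90)
    if local_comment_data:
        # Add the flow-max information (e.g, call hit 42 times)
        idaapi.add_long_cmt(value, 1, local_comment_data)
    self.selectRow(value)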
def _statedo(self, n, rd_f, wr_f):
    """Apply up to ``n`` state entries from ``rd_f`` and push the inverse onto ``wr_f``.

    Each round reads a list of ``(ea, bytes)`` entries, snapshots the current
    bytes at each ``ea`` before writing the new ones, and hands the snapshots
    (reversed) to ``wr_f`` so the other stack can undo the round.  Stops early
    and returns None when a read yields nothing; otherwise jumps to the first
    entry of the last round and returns that round's entries.
    """
    entries = None
    for _ in range(n):
        entries = rd_f()
        if not entries:
            return
        snapshot = []
        # read the old bytes of each entry before overwriting it, entry by entry
        for ea, new_bytes in entries:
            snapshot.append((ea, read_data(ea, len(new_bytes))))
            write_data(ea, new_bytes)
        #Apply to the other stack in reverse order
        wr_f(snapshot[::-1])
    #Jump to the first entry if an operation was performed
    if entries:
        idaapi.jumpto(entries[0][0])
    return entries
def jumpto(ea):
    """Jump to ``ea`` through whichever API the installed Hex-Rays/IDA version provides."""
    jump = idc.jumpto if is_hexrays_v7() else idaapi.jumpto
    jump(ea)
def goof(ea):
    '''goes to the specified offset (relative to baseaddress()) and returns that offset'''
    absolute = baseaddress() + ea
    idaapi.jumpto(absolute)
    return ea
def OnSelectLine(self, n):
    """Chooser callback: count the selection and jump to the hex address in column 0 of row ``n``."""
    self.selcount += 1
    address = int(self.items[n][0], 16)
    idaapi.jumpto(address)
def OnEditLine(self, n):
    """Chooser callback: 'editing' row ``n`` simply jumps to the address stored for it."""
    target = self.items[n]
    idaapi.jumpto(target)
def on_double_click(self, value, attrs):
    """Double-click handler: jump to ``value``; ``attrs`` is unused.  Always returns False."""
    idaapi.jumpto(value)
    handled = False
    return handled
def OnSelectLine(self, n):
    """Chooser callback: jump to the FileItemStructOffset of the data record behind row ``n``."""
    record = self.items_data[n]
    idaapi.jumpto(record.FileItemStructOffset)
def jumpto(self, addr):
    """Thin wrapper around idaapi.jumpto; returns whatever idaapi.jumpto returns."""
    result = idaapi.jumpto(addr)
    return result
vtbl_ptr = ctypes.cast(newobj, ctypes.POINTER(ctypes.c_void_p)).contents.value #Lets get our module base address using ctypes/win32 api mod_base = kernel32.GetModuleHandleA(binary_path) #Get the base address of the binary loaded in IDA base = idaapi.get_imagebase() #Get the delta of the actual module load address vs what the binary is currently loaded at in IDA delta = mod_base - base #Now rebase, we do this so our vtable ptr is accurate in the IDA display rebase_program(delta, 0x0008) #Bring focus to the vtable idaapi.jumpto(vtbl_ptr) #Name it after the interface name MakeName(vtbl_ptr, interface_name + '_vtable') #Now skip down the vtable past the stuff inherited from IDispatch etc. #Not 100% sure this will always be the same.... first_method = vtbl_ptr + (4 * 6) #Now lets iterate through the methods, _methods_ returns a tuple of tuples #which ultimately contain a dispid (http://msdn.microsoft.com/en-us/library/windows/desktop/ms221242(v=vs.85).aspx) #to function name mapping, as far as I have been able to tell dispid matches up directly to the offset within the vtable for method in newobj._methods_: #Walk down the vtable, which is basically first_method + method_dispid * 4 (bytes) #Dword() method derefs the pointer, to get our actual method address cur_meth = int(Dword(first_method + int(method[4][0]) * 4))
def jump_to(a):
    """Update the tracked QIRA address to ``a`` when it differs, then jump the view to it."""
    if qira_address != a:
        set_qira_address(a)
    # both branches of the original ended in the same jump
    idaapi.jumpto(qira_address, -1, 0)
def show_trace_point(self, p):
    """Jump the IDA view to the address of trace point ``p``."""
    target = p.addr
    idaapi.jumpto(target)
import sark
import idaapi
import idautils

# Debugger-driven loop: while the debugger is attached, apply the AnimationFrame
# struct at dataseg + word(dataseg + DI + 2), jump there, resume and wait.
anim = sark.structure.get_struct('AnimationFrame')
while idaapi.is_debugger_on():
    dataseg = sark.Segment(name='dataseg').ea
    frame_offset = idaapi.get_word(sark.Line(ea=dataseg + idautils.cpu.di + 2).ea)
    frame_addr = dataseg + frame_offset
    idaapi.doStruct(frame_addr, 6, anim)
    idaapi.jumpto(frame_addr)
    idaapi.continue_process()
    idaapi.wait_for_next_event(2, 10000)
def OnDblClick(self, node_id):
    """Graph callback: double-clicking a node jumps to the address it holds.  Returns True."""
    # the graph object maps node ids to addresses through __getitem__
    idaapi.jumpto(self[node_id])
    return True
def OnSelectLine(self, n):
    """Chooser callback: jump to the relation target recorded for the item in row ``n``."""
    row = self.items[int(n)]
    relation_key = row[1]
    idaapi.jumpto(self.item_relations[relation_key])
import sark
import idaapi
import idautils

# Debugger-driven loop: while the debugger is attached, apply the DrawData struct
# at the line addressed by dataseg + DI, jump there, resume and wait.
anim = sark.structure.get_struct('DrawData')
while idaapi.is_debugger_on():
    dataseg = sark.Segment(name='dataseg').ea
    # NOTE(review): sark.Line(...).ea appears to already be an absolute address, so
    # ``anim_offset`` is an ea rather than an offset and ``anim_addr`` (dataseg added
    # again) is computed but never used -- confirm which was meant for doStruct/jumpto.
    anim_offset = sark.Line(ea=dataseg + idautils.cpu.di).ea
    anim_addr = dataseg + anim_offset
    idaapi.doStruct(anim_offset, 0x24, anim)
    idaapi.jumpto(anim_offset)
    idaapi.continue_process()
    idaapi.wait_for_next_event(2, 10000)
def OnSelectLine(self, n):
    """Chooser callback: jump to the address in the first field of the data record for row ``n``."""
    address = self.items_data[n][0]
    idaapi.jumpto(address)
def OnSelectLine(self, n):
    """Chooser callback: jump to the hex address shown in column 1 of row ``n``."""
    address = int(self.items[n][1], 16)
    idaapi.jumpto(address)