Esempio n. 1
    def codeType(self, ea):
        """Query IDA for the code type at the given address.

            ea (int): effective code address

        Return Value:
            The current code type at the given address
        return idc.GetReg(ea, 'T')
Esempio n. 2
 def nextarm(self, ea, ui=True):
     # type: (int) -> str
     Finds the next ARM item, which has a Segment register value 'T' of 0
     :param ea: address to start searching from
     :param ui: if True, jump to address automatically
     :return: the address (in str) of the next ARM instruction
     # don't count this item
     ea += Data.Data(ea).getSize()
     output = idaapi.BADADDR
     while ea < self.end_ea:
         d = Data.Data(ea)
         # detect next code32
         if idc.GetReg(ea, 'T') == 0:
             output = ea
         ea += d.getSize()
     return '%07X' % output
Esempio n. 3
def extendThumbFuncToLastPop(func_ea, lastInsn_ea, verbose=True):
    Looks for another POP {..., PC}. Stops at the start of a new function, or at the start of
    labeled data. Otherwise, it makes sure the code is disassembled, and is thumb, and it extends the
    range of the function to the found POP {..., PC}.
    A corner case not accounted by this algorithm, is if the data is in the middle of code, but
    is jumped over.
    :param func_ea: addr to function to fix
    :param lastInsn_ea: address to the last instruction within the function, as registered in the IDB.
    :return: whether a fix ocurred or not
    ea = lastPop_ea = lastInsn_ea
    while not idc.Name(ea) or not idc.isData(idc.GetFlags(ea)):
        if idc.GetReg(ea, 'T') == 0:
            idc.SetRegEx(ea, 'T', 1, idc.SR_user)

        # if idc.isData(idc.GetFlags(ea)):
        #     # if not thumb, make thumb
        #     idc.del_items(ea, 0, 2)
        #     idc.MakeCode(ea)

        if Instruction.isInsn(ea):
            insn = Instruction.Insn(ea)
            # update last POP {..., PC} detected
            if insn.itype == idaapi.ARM_pop and ((insn.getPushPopFlags() &
                                                  (1 << 15)) != 0):
                lastPop_ea = ea
            # stop condition, assuming no  PUSH {..., LR} in current function
            if insn.itype == idaapi.ARM_push and ((insn.getPushPopFlags() &
                                                   (1 << 14)) != 0):

        ea += idaapi.get_item_size(ea)

    # extend last function to last pop detected
    if lastPop_ea != lastInsn_ea:
        if verbose:
            print('%07X: End -> %07X <%s>' %
                  (func_ea, lastPop_ea, Data.Data(lastPop_ea).getDisasm()))
        idc.SetFunctionEnd(func_ea, lastPop_ea + 2)
        return True
    return False
def GetFuncInputSurrogate(func):

    info = idaapi.get_inf_structure()
    arch = info.procName.lower()

    function_ea = func.startEA
    f_name = GetFunctionName(func)
    function = dict()
    function['name'] = f_name
    function['id'] = function_ea
    # ignore call-graph at this moment
    function['call'] = list()
    function['sea'] = function_ea
    function['see'] = idc.FindFuncEnd(function_ea)
    function['blocks'] = list()
    # basic bloc content
    for bblock in idaapi.FlowChart(idaapi.get_func(function_ea)):

        sblock = dict()
        sblock['id'] =
        sblock['sea'] = bblock.startEA
        if (arch == 'arm'):
            sblock['sea'] += idc.GetReg(bblock.startEA, 'T')
        sblock['eea'] = bblock.endEA
        sblock['name'] = 'loc_' + format(bblock.startEA, 'x').upper()
        dat = {}
        sblock['dat'] = dat
        s = idc.GetManyBytes(bblock.startEA, bblock.endEA - bblock.startEA)
        if (s != None):
            sblock['bytes'] = "".join("{:02x}".format(ord(c)) for c in s)

        tlines = []
        for head in idautils.Heads(bblock.startEA, bblock.endEA):
            tline = []
                str(hex(head)).rstrip("L").upper().replace("0X", "0x"))
            mnem = idc.GetMnem(head)
            if mnem == "":
            for i in range(5):
                opd = idc.GetOpnd(head, i)
                if opd == "":

            refdata = list(idautils.DataRefsFrom(head))
            if (len(refdata) > 0):
                for ref in refdata:
                    dat[head] = binascii.hexlify(
                        struct.pack("<Q", idc.Qword(ref)))

        sblock['src'] = tlines

        # flow chart
        bcalls = list()
        for succ_block in bblock.succs():
        sblock['call'] = bcalls

    return function
Esempio n. 5
 def is_thumb(address):
     return idc.GetReg(address, 'T') == 1
Esempio n. 6
def assemble32(line, ea):
    return idaapi.assemble(ea, idc.GetReg(ea, "cs"), ea, True, line)
def fix_callgraph(msgsend, segname, class_param, sel_param):
    fix_callgraph: msgsend, segname, class_param, sel_param

    Given the msgsend flavour address as a parameter, looks
    for the parameters (class and selector, identified by
    class_param and sel_param) and creates a new segment where
    it places a set of dummy calls named as classname_methodname
    (we use method instead of selector most of the time).

    t1 = time.time()
    if not msgsend:
        print 'ERROR: msgSend not found'

    total = 0
    resolved = 0
    call_table = dict()

    for xref in idautils.XrefsTo(msgsend, idaapi.XREF_ALL):
        total += 1
        ea_call = xref.frm
        func_start = idc.GetFunctionAttr(ea_call, idc.FUNCATTR_START)
        if not func_start or func_start == idc.BADADDR:
        ea = ea_call
        method_name_ea = trace_param(ea, func_start, idc.o_reg, sel_param)
        if method_name_ea and idc.isASCII(idc.GetFlags(method_name_ea)):
            method_name = idc.GetString(method_name_ea, -1, idc.ASCSTR_C)
            if not method_name:
                method_name = '_unk_method'
            method_name = '_unk_method'

        class_name_ea = trace_param(ea, func_start, idc.o_reg, class_param)
        if class_name_ea:
            class_name = idc.Name(class_name_ea)
            if not class_name:
                class_name = '_unk_class'
            class_name = '_unk_class'

        if method_name == '_unk_method' and class_name == '_unk_class':

        # Using this name convention, if the class and method
        # are identified by IDA, the patched call will point to
        # the REAL call and not one of our dummy functions
        class_name = class_name.replace('_OBJC_CLASS_$_', '')
        class_name = class_name.replace('_OBJC_METACLASS_$_', '')
        new_name = '_[' + class_name + '_' + method_name + ']'
        print '%08x: %s' % (ea_call, new_name)
        call_table[ea_call] = new_name
        resolved += 1

    print '\nFinal stats:\n\t%d total calls, %d resolved' % (total, resolved)
    print '\tAnalysis took %.2f seconds' % (time.time() - t1)

    if resolved == 0:
        print 'Nothing to patch.'

    print 'Adding new segment to store new nullsubs'

    # segment size = opcode ret (4 bytes) * num_calls
    seg_size = resolved * 4
    seg_start = idc.MaxEA() + 4
    idaapi.add_segm(0, seg_start, seg_start + seg_size, segname, 'CODE')

    print 'Patching database...'
    seg_ptr = seg_start
    for ea, new_name in call_table.items():
        if idc.LocByName(new_name) != idc.BADADDR:
            offset = idc.LocByName(new_name) - ea
            # create code and name it
            idc.PatchDword(seg_ptr, 0xE12FFF1E) # BX LR
            idc.MakeName(seg_ptr, new_name)
            idc.MakeFunction(seg_ptr, seg_ptr + 4)
            idc.MakeRptCmt(seg_ptr, new_name)
            offset = seg_ptr - ea
            seg_ptr += 4

        # patch the msgsend call
        if idc.GetReg(ea, "T") == 1:
            if offset > 0 and offset & 0xFF800000:
                print 'Offset too far for Thumb (%08x) Stopping [%08x]' % (offset, ea)

            off1 = (offset & 0x7FF000) >> 12
            off2 = (offset & 0xFFF) / 2
            w1 = (0xF000 | off1)
            w2 = (0xE800 | off2) - 1
            idc.PatchWord(ea, w1)
            idc.PatchWord(ea + 2, w2)
            if offset > 0 and offset & 0xFF000000:
                print 'Offset too far (%08x) Stopping [%08x]' % (offset, ea)
            dw = (0xFA000000 | (offset - 8 >> 2))
            if dw < 0:
                dw = dw & 0xFAFFFFFF
            idc.PatchDword(ea, dw)
Esempio n. 8
def _get_ida_func_surrogate(func, arch):
    func_surrogate = dict()
    func_surrogate['name'] = idc.GetFunctionName(func.startEA)
    func_surrogate['id'] = func.startEA
    # ignore call-graph at this moment
    func_surrogate['call'] = list()
    func_surrogate['sea'] = func.startEA
    func_surrogate['see'] = idc.FindFuncEnd(func.startEA)
    # api is optional
    func_surrogate['api'] = _get_api(func.startEA)[1]
    func_surrogate['blocks'] = list()

    # comments
    func_surrogate['comments'] = []

    for bb in idaapi.FlowChart(idaapi.get_func(func.startEA)):

        block = dict()
        block['id'] =
        block['sea'] = bb.startEA
        if arch is 'arm':
            # for arm; the last bit indicates thumb mode.
            block['sea'] += idc.GetReg(bb.startEA, 'T')
        block['eea'] = bb.endEA
        block['name'] = 'loc_' + format(bb.startEA, 'x').upper()
        dat = {}
        block['dat'] = dat
        s = idc.GetManyBytes(bb.startEA, bb.endEA - bb.startEA)
        if s is not None:
            block['bytes'] = "".join("{:02x}".format(ord(c)) for c in s)


        instructions = list()
        for head in idautils.Heads(bb.startEA, bb.endEA):
            ins = list()
            ins.append(str(hex(head)).rstrip("L").upper().replace("0X", "0x"))
            opr = idc.GetMnem(head)
            if opr == "":
            for i in range(5):
                opd = idc.GetOpnd(head, i)
                if opd == "":

            refs = list(idautils.DataRefsFrom(head))
            for ref in refs:
                dat[head] = binascii.hexlify(struct.pack("<Q", idc.Qword(ref)))

        block['src'] = instructions

        # flow chart
        block_calls = list()
        for success_block in bb.succs():
        block['call'] = block_calls
    return func_surrogate
Esempio n. 9
def InsIsThumb(i):
    return idc.GetReg(i, "T") == 1