def define(ea): if BaseClassDescriptor.isDefined(ea): return td = TypeDescriptor(BaseClassDescriptor.__typeDescriptorPtr(ea)) attrs = BaseClassDescriptor.__attributes(ea) if attrs != 0 and attrs != 0x40: print '%08X: Suspicious attributes value: %08X' % (ea, attrs) # raise RttiError('%08X: Suspicious attributes value: %08X' % (ea, attrs)) isV2 = (attrs & 0x40) != 0 if isV2: strid = idaapi.get_struc_id('_s__RTTIBaseClassDescriptor2') else: strid = idaapi.get_struc_id('_s__RTTIBaseClassDescriptor') size = idaapi.get_struc_size(strid) idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES) idaapi.doStruct(ea, size, strid) pmd = BaseClassDescriptor.__where(ea) name = '??_R1' name += mangleNumber(pmd.mdisp) name += mangleNumber(pmd.pdisp) name += mangleNumber(pmd.vdisp) name += mangleNumber(attrs) name += td.baseMangledName + '8' idaapi.set_name(ea, name, 0) if isV2: ClassHierarchyDescriptor.define(BaseClassDescriptor.__v2ChdPtr(ea))
def define(ea): if CompleteObjectLocator.isDefined(ea): return if not CompleteObjectLocator.isValid(ea): raise RttiError("%08X: doesn't look like a correct CompleteObjectLocator" % (ea)) # Ensure referenced structs are defined. # An exception will be thrown if something goes wrong. tdPtr = idaapi.get_full_long(ea + 12) td = TypeDescriptor(tdPtr) chdPtr = idaapi.get_full_long(ea + 16) chd = ClassHierarchyDescriptor(chdPtr) strid = idaapi.get_struc_id("_s__RTTICompleteObjectLocator") size = idaapi.get_struc_size(strid) idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES) idaapi.doStruct(ea, size, strid) if chd.isMultipleInheritance: if chd.isVirtualInheritance: print "%08X: Cannot handle virtual inheritance yet." % (ea) else: # '??_R4' + td.baseMangledName + '6B' + baseClassTd.baseMangledName + '@' # '??_7' + ... print "%08X: Cannot handle multiple inheritance yet." % (ea) else: idaapi.set_name(ea, "??_R4" + td.baseMangledName + "6B@", 0)
def define(ea): if CompleteObjectLocator.isDefined(ea): return if not CompleteObjectLocator.isValid(ea): raise RttiError( "%08X: doesn't look like a correct CompleteObjectLocator" % (ea)) # Ensure referenced structs are defined. # An exception will be thrown if something goes wrong. tdPtr = idaapi.get_full_long(ea + 12) td = TypeDescriptor(tdPtr) chdPtr = idaapi.get_full_long(ea + 16) chd = ClassHierarchyDescriptor(chdPtr) strid = idaapi.get_struc_id('_s__RTTICompleteObjectLocator') size = idaapi.get_struc_size(strid) idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES) idaapi.doStruct(ea, size, strid) if chd.isMultipleInheritance: if chd.isVirtualInheritance: print '%08X: Cannot handle virtual inheritance yet.' % (ea) else: # '??_R4' + td.baseMangledName + '6B' + baseClassTd.baseMangledName + '@' # '??_7' + ... print '%08X: Cannot handle multiple inheritance yet.' % (ea) else: idaapi.set_name(ea, '??_R4' + td.baseMangledName + '6B@', 0)
def define(ea): if BaseClassDescriptor.isDefined(ea): return td = TypeDescriptor(BaseClassDescriptor.__typeDescriptorPtr(ea)) attrs = BaseClassDescriptor.__attributes(ea) if attrs != 0 and attrs != 0x40: print "%08X: Suspicious attributes value: %08X" % (ea, attrs) # raise RttiError('%08X: Suspicious attributes value: %08X' % (ea, attrs)) isV2 = (attrs & 0x40) != 0 if isV2: strid = idaapi.get_struc_id("_s__RTTIBaseClassDescriptor2") else: strid = idaapi.get_struc_id("_s__RTTIBaseClassDescriptor") size = idaapi.get_struc_size(strid) idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES) idaapi.doStruct(ea, size, strid) pmd = BaseClassDescriptor.__where(ea) name = "??_R1" name += mangleNumber(pmd.mdisp) name += mangleNumber(pmd.pdisp) name += mangleNumber(pmd.vdisp) name += mangleNumber(attrs) name += td.baseMangledName + "8" idaapi.set_name(ea, name, 0) if isV2: ClassHierarchyDescriptor.define(BaseClassDescriptor.__v2ChdPtr(ea))
def apply_struct(ea, sid, size): if size == -1: size = idc.GetStrucSize(sid) idc.MakeUnknown(ea, size, idc.DOUNK_DELNAMES) idaapi.doStruct(ea, size, sid) return size
def apply_struct(ea, name, size): sid = idc.GetStrucIdByName(name) if (size == -1): size = idc.GetStrucSize(sid) idc.MakeUnknown(ea, size, idc.DOUNK_DELNAMES) idaapi.doStruct(ea, size, sid) return size
def define(ea): if TypeDescriptor.isDefined(ea): return if not TypeDescriptor.isValid(ea): raise RttiError("%08X: This doesn't look like a TypeDescriptor." % ea) # FIXME: 64-bit compatibility mangledName = getAsciiz(ea + 8) # Define data in DB structLength = 8 + len(mangledName) + 1 idaapi.do_unknown_range(ea, structLength, idaapi.DOUNK_DELNAMES) idaapi.doStruct(ea, structLength, idaapi.get_struc_id("_TypeDescriptor")) idaapi.set_name(ea, TypeDescriptor.makeName(ea), 0)
def __init__(self, ea, vtable): filepath = GetIdbPath()[:-4] fp = open(r"{filepath}.txt".format(filepath=filepath), 'a') # fp.write(filepath) print "Create file" do_unknown_range(ea, self.size, DOUNK_DELNAMES) if doStruct(ea, self.size, self.tid): # Get adress of type descriptor from CompleteLocator # print "Complete Object Locator at: 0x%x" % ea offset = get_member_by_name(self.struc, "pTypeDescriptor").soff typeDescriptor = get_32bit(ea + offset) + u.x64_imagebase() # print "Looking for type Descriptor at: 0x%x" % typeDescriptor rtd = RTTITypeDescriptor(typeDescriptor) if rtd.class_name: # print "Type Descriptor at: 0x%x" % typeDescriptor offset = get_member_by_name(self.struc, "pClassDescriptor").soff classHierarchyDes = get_32bit(ea + offset) + u.x64_imagebase() rchd = RTTIClassHierarchyDescriptor(classHierarchyDes) # filter out None entries rchd.bases = filter(lambda x: x, rchd.bases) classes[strip(rtd.class_name)] = [strip(b) for b in rchd.bases] MakeNameEx(vtable, "vtable__" + strip(rtd.class_name), SN_NOWARN) tempStr = hex(vtable).rstrip('L') + '\t' + strip( rtd.class_name) + '\t' + str(GuessType( Dword(vtable + 4))) + '\n' if ('std' not in tempStr[:15] and 'ATL' not in tempStr[:15]): fp.write(tempStr) else: # if the RTTITypeDescriptor doesn't have a valid name for us to # read, then this wasn't a valid RTTICompleteObjectLocator MakeUnknown(ea, self.size, DOUNK_SIMPLE) fp.close()
def __init__(self, ea, vtable): do_unknown_range(ea, self.size, DOUNK_DELNAMES) if doStruct(ea, self.size, self.tid): # Get adress of type descriptor from CompleteLocator print "Complete Object Locator at: 0x%x" % ea offset = get_member_by_name(self.struc, "pTypeDescriptor").soff typeDescriptor = get_32bit(ea + offset) + u.x64_imagebase() print "Looking for type Descriptor at: 0x%x" % typeDescriptor rtd = RTTITypeDescriptor(typeDescriptor) if rtd.class_name: print "Type Descriptor at: 0x%x" % typeDescriptor offset = get_member_by_name(self.struc, "pClassDescriptor").soff classHierarchyDes = get_32bit(ea + offset) + u.x64_imagebase() rchd = RTTIClassHierarchyDescriptor(classHierarchyDes) # filter out None entries rchd.bases = filter(lambda x: x, rchd.bases) className = strip(rtd.class_name) classes[className] = [strip(b) for b in rchd.bases] vtables[className] = vtable MakeNameEx(vtable, "vtable__" + className, SN_NOWARN) else: # if the RTTITypeDescriptor doesn't have a valid name for us to # read, then this wasn't a valid RTTICompleteObjectLocator MakeUnknown(ea, self.size, DOUNK_SIMPLE)
def define(ea): if ClassHierarchyDescriptor.isDefined(ea): return if not ClassHierarchyDescriptor.isValid(ea): raise RttiError("%08X: Doesn't look like a correct ClassHierarchyDescriptor" % ea) strid = idaapi.get_struc_id("_s__RTTIClassHierarchyDescriptor") size = idaapi.get_struc_size(strid) idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES) idaapi.doStruct(ea, size, strid) bca = BaseClassArray( ClassHierarchyDescriptor.__baseClassArrayPtr(ea), ClassHierarchyDescriptor.__baseClassCount(ea) ) # Entry 0 describes the class itself => I can find out the class name. idaapi.set_name(ea, "??_R3" + bca[0].typeDescriptor.baseMangledName + "8", 0)
def load_file(li, neflags, format): """ Load the file into database @param li: a file-like object which can be used to access the input data @param neflags: options selected by the user, see loader.hpp @return: 0-failure, 1-ok """ # Select the PC processor module idaapi.set_processor_type("metapc", SETPROC_ALL | SETPROC_FATAL) # read MBR into buffer li.seek(0, os.SEEK_SET) buf = li.read(li.size()) seg = idaapi.segment_t() start = 0x7C00 size = len(buf) end = start + size # Create the segment seg.startEA = start seg.endEA = end seg.bitness = 0 # 16-bit idaapi.add_segm_ex(seg, "seg0", "CODE", 0) # Copy the bytes idaapi.mem2base(buf, start, end) # add entry point idaapi.add_entry(start, start, "start", 1) strid = add_struct_def() idaapi.set_name(start + 0x1BE, "MBR_PARTITION_TABLE", idaapi.SN_CHECK) str_size = idaapi.get_struc_size(strid) idaapi.doStruct(start + 0x1BE, str_size, strid) idaapi.set_name(510, "MBR_SIGN", idaapi.SN_CHECK) # Mark for analysis AutoMark(start, AU_CODE) return 1
def assign_struct_to_address(address, struct_name): idc.ApplyType(address, get_Tinfo_from_name(struct_name)) struct_id = idaapi.get_struc_id(struct_name) if struct_id != 0xffffffffffffffff: struct_size = idaapi.get_struc_size(struct_id) for i in range(struct_size): idc.MakeUnkn(address+i, 0) return idaapi.doStruct(address, struct_size, struct_id) return False
def define(ea): if ClassHierarchyDescriptor.isDefined(ea): return if not ClassHierarchyDescriptor.isValid(ea): raise RttiError( "%08X: Doesn't look like a correct ClassHierarchyDescriptor" % ea) strid = idaapi.get_struc_id('_s__RTTIClassHierarchyDescriptor') size = idaapi.get_struc_size(strid) idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES) idaapi.doStruct(ea, size, strid) bca = BaseClassArray(ClassHierarchyDescriptor.__baseClassArrayPtr(ea), ClassHierarchyDescriptor.__baseClassCount(ea)) # Entry 0 describes the class itself => I can find out the class name. idaapi.set_name(ea, '??_R3' + bca[0].typeDescriptor.baseMangledName + '8', 0)
def __init__(self, ea): print "Processing Class Hierarchy Descriptor at 0x%x" % ea do_unknown_range(ea, get_struc_size(self.tid), DOUNK_DELNAMES) if doStruct(ea, get_struc_size(self.tid), self.tid): baseClasses = get_32bit(ea + get_member_by_name( self.struc, "pBaseClassArray").soff) + u.x64_imagebase() nb_classes = get_32bit( ea + get_member_by_name(self.struc, "numBaseClasses").soff) print "Baseclasses array at 0x%x" % baseClasses # Skip the first base class as it is itself (could check) self.bases = [] for i in range(1, nb_classes): baseClass = get_32bit(baseClasses + i * 4) + u.x64_imagebase() print "base class 0x%x" % baseClass doDwrd(baseClasses + i * 4, 4) op_offset(baseClasses + i * 4, -1, u.REF_OFF | REFINFO_RVA, -1, 0, 0) doStruct(baseClass, RTTIBaseClassDescriptor.size, RTTIBaseClassDescriptor.tid) typeDescriptor = get_32bit(baseClass) + u.x64_imagebase() self.bases.append( RTTITypeDescriptor(typeDescriptor).class_name)
def forceStruct(ea, name): """ forceStruct: ea, name Does all the necessary things to force IDA to convert the memory starting at address 'ea' into a struct of type 'name'. Returns the address after the struct. """ sid = idaapi.get_struc_id(name) ssize = idaapi.get_struc_size(sid) idaapi.do_unknown_range(ea, ssize, DOUNK_DELNAMES) x = idaapi.doStruct(ea, ssize, sid) return ea + ssize
def MakeStructEx(ea=None, size=-1, strname="", strid=None): ''' Convierte una dirección de memoria en un item de una estructura @param ea: dirección a establecer @param size: tamaño de la estructura en bytes. @param strname: nombre de la estructura @return: 1-todo bien, 0-mierda ''' if strid is None: strid = idaapi.get_struc_id(strname) if size == -1: size = idaapi.get_struc_size(strid) return idaapi.doStruct(ea, size, strid)
def __init__(self, ea): name = ea + get_member_by_name(self.struc, "name").soff strlen = u.get_strlen(name) if strlen is None: # not a real vtable return self.size = self.size + strlen mangled = get_ascii_contents(name, strlen, 0) if mangled is None: # not a real function name return print "Mangled: " + mangled demangled = demangle_name('??_R0' + mangled[1:], 0) if demangled: do_unknown_range(ea, self.size, DOUNK_DELNAMES) if doStruct(ea, self.size, self.tid): print " Made td at 0x%x: %s" % (ea, demangled) self.class_name = demangled return print " FAIL :(" return
import sark import idaapi import idautils anim = sark.structure.get_struct('DrawData') while idaapi.is_debugger_on(): dataseg = sark.Segment(name='dataseg').ea anim_offset = sark.Line(ea=dataseg + idautils.cpu.di).ea anim_addr = dataseg + anim_offset idaapi.doStruct(anim_offset, 0x24, anim) idaapi.jumpto(anim_offset) idaapi.continue_process() idaapi.wait_for_next_event(2, 10000)
while (1): ea = callback2(ea) if ea == 0: break ea = search_ea(addr_to_bhex(ea), "", None)[0] create_cmdref() sid = idc.GetStrucIdByName("cmd_ref") i = 0 names = [] for ea in references: nameptr = ida_bytes.get_dword(ea) name = get_string(nameptr) names.append(name) idc.MakeUnknown(ea, 0x10, idc.DOUNK_DELNAMES) idaapi.doStruct(ea, 0x10, sid) MakeComm(ea, str(i)) i += 1 create_cmdptr() sid = idc.GetStrucIdByName("cmd_ptr") ea = search_ea("00 00 FC 3A 00 00", "", None)[1] + 2 offsets = [] badoffsets = {} x = 0 z = 0 for i in range(0, 0x20000, 0x8): vea = ea + i MakeUnkn(vea, 0x8) idv = ida_bytes.get_dword(vea) if idv == 0x660066:
import sark import idaapi import idautils anim = sark.structure.get_struct('AnimationFrame') while idaapi.is_debugger_on(): dataseg = sark.Segment(name='dataseg').ea anim_offset = idaapi.get_word(sark.Line(ea=dataseg + idautils.cpu.di + 2).ea) anim_addr = dataseg + anim_offset idaapi.doStruct(anim_addr, 6, anim) idaapi.jumpto(sark.Segment(name='dataseg').ea + anim_offset) idaapi.continue_process() idaapi.wait_for_next_event(2, 10000)
import sark import idautils import idaapi import csv dataseg = sark.Segment(name="dataseg") with open('c:/Users/Joe/applied_structs.csv', 'r') as csvfile: for row in csv.reader(csvfile): struct_id = idaapi.get_struc_id(row[1]) size = idaapi.get_struc_size(struct_id) idaapi.doStruct(int(row[0]) + dataseg.ea, size, struct_id)
def make_data(self, object_version, address): size = 0 try: size = object_version.get_size() except KeyError: pass flags = None try: flags = object_version.get_object_flags() except KeyError: pass if size == 0: idc.MakeUnkn(address, idc.DOUNK_EXPAND) else: if flags is not None: if idc.isASCII(flags): try: str_type = object_version.get_string_type() YaToolIDATools.check_and_set_str_type(str_type) except KeyError: pass idc.MakeStr(address, address + size) idc.SetFlags(address, flags) if idc.isStruct(flags): found = False for xref_offset_operand, xref_id_attr in object_version.get_xrefed_id_map( ).iteritems(): (xref_offset, xref_operand) = xref_offset_operand for xref_hash, xref_attrs in xref_id_attr: if xref_hash in self.struc_ids: struc_id = self.struc_ids[xref_hash] if DEBUG_EXPORTER: logger.debug( "making unknown from 0x%08X to 0x%08X" % (address, address + size)) idaapi.do_unknown_range( address, size, idc.DOUNK_DELNAMES) # idc.MakeUnkn(address, DOUNK_SIMPLE | idc.DOUNK_DELNAMES) # for i in xrange(1, size): # MakeName(address + i, "") # idc.MakeUnkn(address + i, DOUNK_SIMPLE | idc.DOUNK_DELNAMES) # idc.MakeStructEx uses idaapi.doStruct (but asks for name while # we already have the struc id) if DEBUG_EXPORTER: logger.debug( "Making struc at %s : %s (sizeof(%s)=0x%08X, size=0x%08X, flags=0x%08X" % (self.yatools.address_to_hex_string( address), self.yatools.address_to_hex_string( struc_id), idaapi.get_struc_name(struc_id), idc.GetStrucSize(struc_id), size, flags)) idc.SetCharPrm(idc.INF_AUTO, True) idc.Wait() if idaapi.doStruct(address, size, struc_id) == 0: if DEBUG_EXPORTER: logger.warning("Making struc failed") idc.SetCharPrm(idc.INF_AUTO, False) # idc.SetFlags(address, flags) found = True else: logger.error( "bad struc flags : idc.isStruct is true but no xref available for object %s" % self.hash_provider.hash_to_string( object_version.get_id())) if not found: logger.error( "bad struc flags : idc.isStruct is true " "but no struc available for object %s (%s)" % (self.hash_provider.hash_to_string( object_version.get_id()), object_version.get_name())) else: idc.MakeData(address, flags & (idc.DT_TYPE | idc.MS_0TYPE), size, 0) else: idc.MakeData(address, idc.FF_BYTE, size, 0) self.make_name(object_version, address, False) self.set_type(object_version, address)
import idaapi import idautils anim = sark.structure.get_struct('TroggSpearImage') end_of_frame = sark.structure.get_struct("EndOfAnimFrame") dataseg = sark.Segment(name='dataseg').ea # anim_offset = idaapi.get_word(sark.Line(ea=dataseg + idautils.cpu.di + 2).ea) current_position = sark.Line().ea # current_byte = idaapi.get_byte(current_position) done = False while not done: current_byte = idaapi.get_byte(current_position) if current_byte == 0xff: print("applying EndOfAnimFrame") idaapi.doStruct(current_position, 2, end_of_frame) next_byte = idaapi.get_byte(current_position + 1) if next_byte == 0xff: done = True current_position += 2 elif current_byte < 0x80: # print(current_byte) print("applying AnimationFrame") test = idaapi.doStruct(current_position, 6, anim) # print(test) current_position += 6 # print(hex(current_position-dataseg)) else: done = True
print "> parsing .secinfo entries:\n" sid = GetStrucIdByName('MAP_ENTRY') ssize = idc.GetStrucSize(sid) # for v 2.44.7 19-Jul-2016 SEC_INFO_LINKED_LIST = 0x200B6A3C ea = SEC_INFO_LINKED_LIST entries = [] while True: idc.MakeUnknown(ea, ssize, idc.DOUNK_DELNAMES) idaapi.doStruct(ea, ssize, sid) buf = idc.GetManyBytes(ea, ssize) entry = MapEntry.from_buffer_copy(buf) entries.append(entry) entry.dump() if entry.next == 0: break ea = entry.next print "\n> setting-up segments:\n" for entry in [e for e in entries if e.size != 0]: make_segment(entry.base, entry.size, entry.name())
func_with_count = sark.structure.get_struct("PartialFuncWithCount") partial_func_param1 = sark.structure.get_struct("PartialFuncParam1Func") set_image_width = sark.structure.get_struct("PartialFuncSetImageWidth") dataseg = sark.Segment(name='dataseg').ea # anim_offset = idaapi.get_word(sark.Line(ea=dataseg + idautils.cpu.di + 2).ea) current_position = sark.Line().ea # current_byte = idaapi.get_byte(current_position) done = False print("running") while not done: current_byte = idaapi.get_byte(current_position) if current_byte == 0xff: print("applying EndOfAnimFrame") idaapi.doStruct(current_position, 2, end_of_frame) next_byte = idaapi.get_byte(current_position + 1) if next_byte == 0xff: done = True current_position += 2 elif current_byte < 0x80: # print(current_byte) print("applying AnimationFrame") test = idaapi.doStruct(current_position, 6, anim) # print(test) current_position += 6 # print(hex(current_position-dataseg)) elif current_byte == 0x92: print("applying Play sound") idaapi.doStruct(current_position, 2, play_sound) current_position += 2
import sark import idautils import idaapi import csv dataseg = sark.Segment(name="dataseg") with open('c:/Users/Joe/applied_structs.csv', 'r') as csvfile: for row in csv.reader(csvfile): struct_id = idaapi.get_struc_id(row[1]) size = idaapi.get_struc_size(struct_id) idaapi.doStruct(int(row[0]) + dataseg.ea,size, struct_id)