def floss_make_decompiler_comment(self, ea, str):
cfunc = idaapi.decompile(ea)
tl = idaapi.treeloc_t()
tl.ea = ea
tl.itp = idaapi.ITP_SEMI
cfunc.set_user_cmt(tl, str)
cfunc.save_user_cmts()
def import_pseudocomments_to_fun(f_ea, d):
if d == {}:
#print "skipping %x, empty" % f_ea
return
print "Attempting to decompile %x" % f_ea
try:
ct = idaapi.decompile(f_ea)
except idaapi.DecompilationFailure:
print "error during decompilation (IDA API)"
return
# i dont know when this happens, but for 404E1404, which is not really a function
# this is triggered
if not ct or ct.user_cmts == None:
print "failed obtaining user cmts at %x" % f_ea
return
user_cmts = ct.user_cmts
it = idaapi.user_cmts_begin(user_cmts)
for i in d.iterkeys():
t = idaapi.treeloc_t()
t.ea = d[i]["ea"]
t.itp = d[i]["itp"]
c = idaapi.citem_cmt_t(d[i]["comment"])
idaapi.user_cmts_insert(user_cmts, t, c)
def set_hexray_cmmts(ea,text):
cfunc = idaapi.decompile(ea)
tl = idaapi.treeloc_t()
tl.ea = ea
tl.itp = idaapi.ITP_SEMI
cfunc.set_user_cmt(tl,text)
cfunc.save_user_cmts()
def add_comment(cfunc, s, ea):
idc.MakeComm(ea, s)
tl = idaapi.treeloc_t()
tl.ea = ea
tl.itp = idaapi.ITP_SEMI
cfunc.set_user_cmt(tl, s)
cfunc.save_user_cmts()
def get_decode_xrefs():
"""
Find all cross-refernces to 0x132549a in our REvil malware sample.
Decode the string and annotate the IDA database, this will make analysis a lot
easier
"""
for xref in idautils.XrefsTo(0x132549a):
# first of all, we need to find the arguments to this function, the signature is:
# BYTE* __cdecl decode_string(char* base, int keyOffset, int keyLen, int dataLen, BYTE* pOut);
args = get_decode_args(xref.frm)
if args:
base, key_offset, key_len, data_len = args
# get the data from the image, data = [keyBytes][encryptedData]
data = ida_bytes.get_bytes(base + key_offset,
key_len + data_len)
str = data_to_str(decode_string(data, key_len, data_len))
print("0x%08x: %s" % (xref.frm, str))
# put a comment in the code
cfunc = idaapi.decompile(xref.frm)
if cfunc is not None:
tl = idaapi.treeloc_t()
tl.ea = xref.frm
tl.itp = idaapi.ITP_SEMI
cfunc.set_user_cmt(tl, str)
cfunc.save_user_cmts()
idaapi.set_cmt(int(xref.frm), str, True)
else:
# We could not get the arguments, likely because it may be a register and not an immediate
# value, so we'd need to go back further and find what value that register was assigned with.
# Would be easier to just tell user, and let him decode it manually (HexRays has the actual args)
print("0x%08x: Could not decode arguments" % xref.frm)
def set_hexrays_comment(address, text):
cfunc = idaapi.decompile(address)
tl = idaapi.treeloc_t()
tl.ea = address
tl.itp = idaapi.ITP_SEMI
cfunc.set_user_cmt(tl, text)
cfunc.save_user_cmts()
def import_pseudocomments_to_fun(f_ea, d):
if d == {}:
#print "skipping %x, empty" % f_ea
return
print "Attempting to decompile %x" % f_ea
try:
ct = idaapi.decompile(f_ea)
except idaapi.DecompilationFailure:
print "error during decompilation (IDA API)"
return
# i dont know when this happens, but for 404E1404, which is not really a function
# this is triggered
if not ct or ct.user_cmts == None:
print "failed obtaining user cmts at %x" % f_ea
return
user_cmts = ct.user_cmts
it = idaapi.user_cmts_begin(user_cmts)
for i in d.iterkeys():
t = idaapi.treeloc_t()
t.ea = d[i]["ea"]
t.itp = d[i]["itp"]
c = idaapi.citem_cmt_t(d[i]["comment"])
idaapi.user_cmts_insert(user_cmts, t, c)
def add_comment(cfunc, s, ea):
idc.MakeComm(ea, s)
tl = idaapi.treeloc_t()
tl.ea = ea
tl.itp = idaapi.ITP_SEMI
cfunc.set_user_cmt(tl, s)
cfunc.save_user_cmts()
def __call__(self):
cmts = idaapi.user_cmts_new()
for (tl_ea, tl_itp), cmt in self.cmts:
tl = idaapi.treeloc_t()
tl.ea = tl_ea
tl.itp = tl_itp
cmts.insert(tl, idaapi.citem_cmt_t(cmt))
idaapi.save_user_cmts(self.ea, cmts)
refresh_pseudocode_view()
def set_decomplier_cmt(ea, cmt):
cfunc = idaapi.decompile(ea)
tl = idaapi.treeloc_t()
tl.ea = ea
tl.itp = idaapi.ITP_SEMI
if cfunc:
cfunc.set_user_cmt(tl, cmt)
cfunc.save_user_cmts()
else:
error("Decompile failed: {:#x}".formart(ea))
def setComments(info, decStr):
#Set Comment for Decompile (hexray)
cfunc = idaapi.decompile(info['addr'])
tl = idaapi.treeloc_t()
tl.ea = info['addr'] + 7
tl.itp = idaapi.ITP_SEMI
cfunc.set_user_cmt(tl, decStr)
cfunc.save_user_cmts()
#Set Comment for Disasemble (IDA)
idaapi.set_cmt(info['addr'], decStr, None)
def decode_at_ea(addr, offset, keyLen, dataLen):
""" use for manually decoding with IDA and will put a comment at screen_ea """
data = ida_bytes.get_bytes(addr + offset, keyLen + dataLen)
cmt = data_to_str(decode_string(data, keyLen, dataLen))
print("%s" % cmt)
ea = idc.get_screen_ea()
idaapi.set_cmt(ea, cmt, True) # disassembly comment
cfunc = idaapi.decompile(ea)
if cfunc is not None:
# decompiled comment
tl = idaapi.treeloc_t()
tl.ea = ea
tl.itp = idaapi.ITP_SEMI
cfunc.set_user_cmt(tl, cmt)
cfunc.save_user_cmts()
def set_ida_comment(addr, cmt, decompiled=False):
func = ida_funcs.get_func(addr)
if not func:
l.info(f"No function found at {addr}")
return False
rpt = 1
# function comment
if addr == func.start_ea:
idc.set_func_cmt(addr, cmt, rpt)
return True
# a comment in decompilation
elif decompiled:
try:
cfunc = idaapi.decompile(addr)
except Exception:
ida_bytes.set_cmt(addr, cmt, rpt)
return True
eamap = cfunc.get_eamap()
decomp_obj_addr = eamap[addr][0].ea
tl = idaapi.treeloc_t()
# try to set a comment using the cfunc obj and normal address
for a in [addr, decomp_obj_addr]:
tl.ea = a
for itp in range(idaapi.ITP_SEMI, idaapi.ITP_COLON):
tl.itp = itp
cfunc.set_user_cmt(tl, cmt)
cfunc.save_user_cmts()
cfunc.refresh_func_ctext()
# attempt to set until it does not fail (orphan itself)
if not cfunc.has_orphan_cmts():
cfunc.save_user_cmts()
return True
cfunc.del_orphan_cmts()
return False
# a comment in disassembly
else:
ida_bytes.set_cmt(addr, cmt, rpt)
return True
def comment_stl(self):
idaapi.msg('[%s] start to add comments\n' % (self.plg_name))
current_ea = idc.here()
if current_ea == idaapi.BADADDR:
idaapi.warning('[%s] invalid address!\n' % (self.plg_name))
return
current_function_begin, current_function_end = self.get_current_function_range(
current_ea)
if current_function_begin == idaapi.BADADDR or current_function_end == idaapi.BADADDR:
idaapi.warning('[%s] failed to get_current_function_range!\n' %
(self.plg_name))
return
stl_names = self.get_groomed_stl_functionnames()
if len(stl_names) == 0:
idaapi.warning('[%s] not found any stl usages!\n' %
(self.plg_name))
return
comments_count = 0
for functionAddr in stl_names:
xrefs = idautils.CodeRefsTo(functionAddr, False)
for xref in xrefs:
if xref >= current_function_begin and xref <= current_function_end:
comment = stl_names[functionAddr]
idaapi.msg('[%s] add a comment on %s (%s)\n' %
(self.plg_name, hex(xref), comment))
cfunc = idaapi.decompile(xref)
tl = idaapi.treeloc_t()
tl.ea = xref
tl.itp = idaapi.ITP_BLOCK1
cfunc.set_user_cmt(tl, comment)
cfunc.save_user_cmts()
idaapi.decompile(current_function_begin)
comments_count += 1
idaapi.msg('[%s] finished. %d commented\n' %
(self.plg_name, comments_count))
if comments_count > 0:
idaapi.msg('[%s] now, press F5!\n' % (self.plg_name))
return
def addDecompilerComment(self, loc, comment):
cfunc = idaapi.decompile(loc)
eamap = cfunc.get_eamap()
decompObjAddr = eamap[loc][0].ea
tl = idaapi.treeloc_t()
tl.ea = decompObjAddr
commentSet = False
for itp in range(idaapi.ITP_SEMI, idaapi.ITP_COLON):
tl.itp = itp
cfunc.set_user_cmt(tl, comment)
cfunc.save_user_cmts()
unused = cfunc.__str__()
if not cfunc.has_orphan_cmts():
commentSet = True
cfunc.save_user_cmts()
break
cfunc.del_orphan_cmts()
if not commentSet:
print("pseudo comment error at %08x" % loc)
def save_strings(self):
sc = idautils.Strings()
for s in sc:
for Xref in XrefsTo(s.ea, flags=0):
self.data[Xref.frm] = []
for Xref in XrefsTo(s.ea, flags=0):
ea = Xref.frm
cfunc = idaapi.decompile(ea)
tl = idaapi.treeloc_t()
tl.ea = ea
tl.itp = idaapi.ITP_SEMI
if "offset" in GetOpnd(ea, 0):
self.variable = GetOpnd(ea, 0).split(" ")
self.variable = self.variable[1]
elif "offset" in GetOpnd(ea, 1):
self.variable = GetOpnd(ea, 1).split(" ")
self.variable = self.variable[1]
else:
self.variable = ""
try:
self.data[Xref.frm].append(str(unicode(s)))
#MakeComm(Xref.frm, str(unicode(s)))
IP = re.search("\d+[.]\d+[.]\d+[.]\d+", str(unicode(s)))
URL = re.search("www[.]\w+[.]\w+", str(unicode(s)))
except:
pass
if not IP == None:
result = GeoIP(IP.group())
print("Address : " + str(hex(ea)) + " " + IP.group() +
" -> " + result)
MakeComm(Xref.frm, str(IP.group() + " -> " + result))
print("[*] Assembly Code Commented successfully")
try:
cfunc.set_user_cmt(
tl, self.variable + " : " +
str(IP.group() + " -> " + result))
cfunc.save_user_cmts()
print("[*] Pseudocode Commented successfully")
except AttributeError:
print("[*] Don't have pseudocode")
pass
elif not URL == None:
try:
IP_data = socket.gethostbyname(URL.group().replace(
"http://", ""))
IP_data = GeoIP(IP_data)
except:
IP_data = "Not found"
print("Address : " + str(hex(ea)) + " " + URL.group() +
" -> " + IP_data)
MakeComm(Xref.frm, str(URL.group() + " -> " + IP_data))
print("[*] Assembly Code Commented successfully")
try:
cfunc.set_user_cmt(
tl, self.variable + " : " +
str(URL.group() + " -> " + IP_data))
cfunc.save_user_cmts()
print("[*] Pseudocode Commented successfully")
except AttributeError:
print("[*] Don't have pseudocode")
pass
else:
try:
cfunc.set_user_cmt(
tl, self.variable + " : " + str(unicode(s)))
cfunc.save_user_cmts()
print("[*] Pseudocode Commented successfully")
except AttributeError:
print("[*] Don't have pseudocode")
pass
except ValueError:
result = " "
return result
IP = ""
URL = ""
a = {}
sc = idautils.Strings()
for s in sc:
for Xref in XrefsTo(s.ea, flags=0):
a[Xref.frm] = []
for Xref in XrefsTo(s.ea, flags=0):
ea = Xref.frm
cfunc = idaapi.decompile(ea)
tl = idaapi.treeloc_t()
tl.ea = ea
tl.itp = idaapi.ITP_SEMI
if (GetOpnd(ea, 0).find("offset") != -1):
variable = GetOpnd(ea, 0).split(" ")
variable = variable[1]
if (GetOpnd(ea, 1).find("offset") != -1):
variable = GetOpnd(ea, 1).split(" ")
variable = variable[1]
try:
a[Xref.frm].append(str(unicode(s)))
#MakeComm(Xref.frm, str(unicode(s)))
IP = re.search("\d+[.]\d+[.]\d+[.]\d+", str(unicode(s)))
URL = re.search("www[.]\w+[.]\w+", str(unicode(s)))
except:
pass
