def main():
print('[*] start debfuscation')
for s in get_code_segments():
print('[*] try to deobfuscate {} section'.format(
ida_segment.get_segm_name(s)))
if s.use32():
junk_patterns = junk_patterns_x86
elif s.use64():
junk_patterns = junk_patterns_x64
else:
print('[!] unsupported arch')
print('[*] replace junk code to nop')
for pattern, pattern_len in junk_patterns:
addr_from = idc.find_binary(s.start_ea, ida_search.SEARCH_DOWN,
pattern)
while addr_from != idaapi.BADADDR and addr_from < s.end_ea:
ida_bytes.patch_bytes(addr_from, '\x90' * pattern_len)
addr_from = idc.find_binary(addr_from + pattern_len,
ida_search.SEARCH_DOWN, pattern)
print('[*] hide nop code')
addr_from = ida_search.find_text(
s.start_ea, 0, 0, 'nop',
ida_search.SEARCH_CASE | ida_search.SEARCH_DOWN)
while addr_from != idaapi.BADADDR and addr_from < s.end_ea:
func_offset = idc.get_func_off_str(addr_from)
if type(func_offset) == str and func_offset.find('+') == -1:
addr_from = ida_search.find_text(
idc.next_head(addr_from), 0, 0, 'nop',
ida_search.SEARCH_CASE | ida_search.SEARCH_DOWN)
else:
i = 0
while True:
if ida_bytes.get_byte(addr_from + i) == 0x90:
i += 1
else:
break
if i >= 3:
idc.add_hidden_range(addr_from, addr_from + i, 'nop', None,
None, 0xFFFFFFFF)
print("%08X" % addr_from)
addr_from = ida_search.find_text(
idc.next_head(addr_from + i), 0, 0, 'nop',
ida_search.SEARCH_CASE | ida_search.SEARCH_DOWN)
#print('[*] renanlyze')
#idc.del_items(s.start_ea, size=s.size())
#time.sleep(1)
#idc.plan_and_wait(s.start_ea, s.end_ea)
print('[*] done')
def find_main_task(base_ea):
du_ea = ida_search.find_text(base_ea, 1, 1, "debug-uarts",
ida_search.SEARCH_DOWN)
if du_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(du_ea):
func = idaapi.get_func(xref.frm)
mt_ea = 0
if not func:
mt_ea = ida_search.find_binary(xref.frm, base_ea, prologues[0],
16, ida_search.SEARCH_UP)
if mt_ea == ida_idaapi.BADADDR:
mt_ea = ida_search.find_binary(xref.frm, base_ea,
"FF ?? ?? D1", 16,
ida_search.SEARCH_UP)
else:
mt_ea = func.start_ea
print("\t[+] _main_task = 0x%x" % (mt_ea))
idc.set_name(mt_ea, "_main_task", idc.SN_CHECK)
return mt_ea
print("\t[-] _main_task = not found")
return ida_idaapi.BADADDR
def find_load_kernelcache_object(base, ea):
if ea != ida_idaapi.BADADDR:
ea_list = list(idautils.XrefsTo(ea))
if ea_list[0].frm != ida_idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0].frm).start_ea
print("\t[+] _load_kernelcache_object = 0x%x" % (func_ea))
idc.set_name(func_ea, "_load_kernelcache_object", idc.SN_CHECK)
return func_ea
print("\t[-] _load_kernelcache_object = not found")
return ida_idaapi.BADADDR
else:
str_ea = ida_search.find_text(base, 1, 1, "Kernelcache too large",
ida_search.SEARCH_DOWN)
if str_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _load_kernelcache_object = 0x%x" %
(func.start_ea))
idc.set_name(func.start_ea, "_load_kernelcache_object",
idc.SN_CHECK)
return func.start_ea
print("\t[-] _load_kernelcache_object = not found")
return ida_idaapi.BADADDR
def find_do_printf(base_ea, base_end_ea):
str_ea = ida_search.find_text(base_ea, 1, 1, "<ptr>",
ida_search.SEARCH_DOWN)
if str_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = idaapi.get_func(xref.frm)
if not func:
break
print("\t[+] _do_printf = 0x%x" % (func.start_ea))
idc.set_name(func.start_ea, "_do_printf", idc.SN_CHECK)
return func.start_ea
cmp_ea = ida_search.find_binary(base_ea, base_end_ea, "3F 94 00 71", 16,
ida_search.SEARCH_DOWN)
if cmp_ea != ida_idaapi.BADADDR:
func = idaapi.get_func(cmp_ea)
if not func:
print("\t[-] _do_printf = not found")
return ida_idaapi.BADADDR
print("\t[+] _do_printf = 0x%x" % (func.start_ea))
idc.set_name(func.start_ea, "_do_printf", idc.SN_CHECK)
return func.start_ea
print("\t[-] _do_printf = not found")
return ida_idaapi.BADADDR
def find_target_early_init(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x4A41)
if ea_list[0] != ida_idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print("\t[+] _target_early_init = 0x%x" % (func_ea))
idc.set_name(func_ea, "_target_early_init", idc.SN_CHECK)
tei_ea = func_ea
str_ea = ida_search.find_text(tei_ea, 1, 1, "All pre",
ida_search.SEARCH_DOWN)
if str_ea != ida_idaapi.BADADDR:
f_ea = idaapi.get_func(str_ea).start_ea
if tei_ea != f_ea:
print("\t[-] _platform_not_supported = not found")
return tei_ea
bl_ea = str_ea + 8
dst = idc.print_operand(bl_ea, 0)
pns_ea = idc.get_name_ea_simple(dst)
print("\t[+] _platform_not_supported = 0x%x" % (pns_ea))
idc.set_name(pns_ea, "_platform_not_supported", idc.SN_CHECK)
return tei_ea
print("\t[-] _target_early_init = not found")
return ida_idaapi.BADADDR
def find_string_ref(string: str, base_ea):
panic_ea = BADADDR
pk_ea = ida_search.find_text(base_ea, 1, 1, "double panic in ",
ida_search.SEARCH_DOWN)
if bad(pk_ea):
print("\t[-] Panic string not found")
return BADADDR
if pk_ea < base_ea: # String is in func
panic_ea = idaapi.get_func(pk_ea)
for xref in idautils.XrefsTo(pk_ea):
func = idaapi.get_func(xref.frm)
if not func:
continue
panic_ea = func.start_ea
if bad(pk_ea):
print("\t[-] _panic = not found")
return BADADDR
print(f'\t[+] _panic = 0x{panic_ea}')
set_name(panic_ea, "_panic", SN_CHECK)
return panic_ea
def find_main_task(base_ea):
du_ea = ida_search.find_text(base_ea, 1, 1, "debug-uarts", ida_search.SEARCH_DOWN)
if du_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(du_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _main_task = 0x%x" % (func.start_ea))
idc.set_name(func.start_ea, "_main_task", idc.SN_CHECK)
return func.start_ea
return ida_idaapi.BADADDR
def find_aes_crypto_cmd(base_ea):
aes_ea = ida_search.find_text(base_ea, 1, 1, "aes_crypto_cmd", ida_search.SEARCH_DOWN)
if aes_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(aes_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _aes_crypto_cmd = 0x%x" % (func.start_ea))
idc.set_name(func.start_ea, "_aes_crypto_cmd", idc.SN_CHECK)
return func.start_ea
return ida_idaapi.BADADDR
def find_panic(base_ea):
pk_ea = ida_search.find_text(base_ea, 1, 1, "double panic in ",
ida_search.SEARCH_DOWN)
if pk_ea != idaapi.BADADDR:
for xref in idautils.XrefsTo(pk_ea):
func = ida_funcs.get_func(xref.frm)
print("\t[+] _panic = 0x%x" % (func.start_ea))
ida_name.set_name(func.start_ea, "_panic")
return func.start_ea
return idaapi.BADADDR
def find_pmgr_binning_mode_get_value(base_ea):
str_ea = ida_search.find_text(base_ea, 1, 1, "Invalid low", ida_search.SEARCH_DOWN)
if str_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _pmgr_binning_mode_get_value = 0x%x" % (func.start_ea))
idc.set_name(func.start_ea, "_pmgr_binning_mode_get_value", idc.SN_CHECK)
return func.start_ea
return ida_idaapi.BADADDR
def find_update_device_tree(base_ea):
udt_ea = ida_search.find_text(base_ea, 1, 1, "development-cert",
ida_search.SEARCH_DOWN)
if udt_ea != idaapi.BADADDR:
for xref in idautils.XrefsTo(udt_ea):
func = ida_funcs.get_func(xref.frm)
print("\t[+] _UpdateDeviceTree = 0x%x" % (func.start_ea))
ida_name.set_name(func.start_ea, "_UpdateDeviceTree")
return func.start_ea
return idaapi.BADADDR
def find_do_printf(base_ea):
str_ea = ida_search.find_text(base_ea, 1, 1, "<ptr>", ida_search.SEARCH_DOWN)
if str_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _do_printf = 0x%x" % (func.start_ea))
idc.set_name(func.start_ea, "_do_printf", idc.SN_CHECK)
return func.start_ea
return ida_idaapi.BADADDR
def find_do_printf(base_ea):
pk_ea = ida_search.find_text(base_ea, 1, 1, "<ptr>",
ida_search.SEARCH_DOWN)
if pk_ea != 0xffffffffffffffff:
for xref in idautils.XrefsTo(pk_ea):
func = idaapi.get_func(xref.frm)
print "\t[+] _do_printf = 0x%x" % (func.startEA)
idc.MakeName(func.startEA, "_do_printf")
return func.startEA
return 0xffffffffffffffff
def find_record_memory_range(base_ea):
rmr_ea = ida_search.find_text(base_ea, 1, 1, "chosen/memory-map",
ida_search.SEARCH_DOWN)
if rmr_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(rmr_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _record_memory_range = 0x%x" % (func.start_ea))
idc.set_name(func.start_ea, "_record_memory_range", idc.SN_CHECK)
return func.start_ea
return ida_idaapi.BADADDR
def find_panic(base_ea):
pk_ea = ida_search.find_text(base_ea, 1, 1, "double panic in ",
ida_search.SEARCH_DOWN)
if pk_ea != 0xffffffffffffffff:
for xref in idautils.XrefsTo(pk_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _panic = 0x%x" % (func.startEA))
idc.MakeName(func.startEA, "_panic")
return func.startEA
return 0xffffffffffffffff
def find_aes_crypto_cmd(base_ea):
aes_ea = ida_search.find_text(base_ea, 1, 1, "aes_crypto_cmd",
ida_search.SEARCH_DOWN)
if aes_ea != 0xffffffffffffffff:
for xref in idautils.XrefsTo(aes_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _aes_crypto_cmd = 0x%x" % (func.startEA))
idc.MakeName(func.startEA, "_aes_crypto_cmd")
return func.startEA
return 0xffffffffffffffff
def find_update_device_tree(base_ea):
udt_ea = ida_search.find_text(base_ea, 1, 1, "development-cert",
ida_search.SEARCH_DOWN)
if udt_ea != 0xffffffffffffffff:
for xref in idautils.XrefsTo(udt_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _UpdateDeviceTree = 0x%x" % (func.startEA))
idc.MakeName(func.startEA, "_UpdateDeviceTree")
return func.startEA
return 0xffffffffffffffff
def find_do_go(base_ea):
str_ea = ida_search.find_text(base_ea, 1, 1, "Memory image not valid",
ida_search.SEARCH_DOWN)
if str_ea != 0xffffffffffffffff:
for xref in idautils.XrefsTo(str_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _do_go = 0x%x" % (func.startEA))
idc.MakeName(func.startEA, "_do_go")
return func.startEA
return 0xffffffffffffffff
def find_platform_get_usb_product_id(base_ea):
pk_ea = ida_search.find_text(base_ea, 1, 1,
"Apple Mobile Device (DFU Mode)",
ida_search.SEARCH_DOWN)
if pk_ea != 0xffffffffffffffff:
for xref in idautils.XrefsTo(pk_ea):
func = idaapi.get_func(xref.frm)
print "\t[+] _platform_get_usb_product_id = 0x%x" % (func.startEA)
idc.MakeName(func.startEA, "_platform_get_usb_product_id")
return func.startEA
return 0xffffffffffffffff
def find_do_go(base_ea):
str_ea = ida_search.find_text(base_ea, 1, 1, "Memory image not valid",
ida_search.SEARCH_DOWN)
if str_ea != idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = ida_funcs.get_func(xref.frm)
if func is None:
return idaapi.BADADDR
print("\t[+] _do_go = 0x%x" % (func.start_ea))
ida_name.set_name(func.start_ea, "_do_go")
return func.start_ea
return idaapi.BADADDR
def find_stack_chk_fail(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x7CC8)
if ea_list[0] != ida_idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print("\t[+] _stack_chk_fail = 0x%x" % (func_ea))
idc.set_name(func_ea, "_stack_chk_fail", idc.SN_CHECK)
return func_ea
else:
str_ea = ida_search.find_text(base_ea, 1, 1, "__stack_chk_fail",
ida_search.SEARCH_DOWN)
if str_ea != ida_idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = idaapi.get_func(xref.frm)
print("\t[+] _stack_chk_fail = 0x%x" % (func.start_ea))
idc.set_name(func.start_ea, "_stack_chk_fail", idc.SN_CHECK)
return func.start_ea
return ida_idaapi.BADADDR
return None
def p15_write_to_human(num, reg, c1, c2, cst):
if c1 < 0 or c1 > 15:
return None
try:
return p15_write[c1][c2][cst]
except KeyError:
return None
seg = idaapi.getseg(here())
ea = seg.startEA
while True:
ea = find_text(ea, 0, 0, "m(rc|cr).*p15,.*,.*,.*,.*",
SEARCH_DOWN | SEARCH_REGEX)
if ea == BADADDR or ea > seg.endEA:
break
disass = GetDisasm(ea).lower()
m = regex.match(disass)
if m is None:
print "regex error : " + disass
ea += 4
continue
clean = map(lambda x: x.strip(), m.groups())
rw, num, reg, c1, c2, cst = clean
if reg == "sp":
reg = "13"
else:
reg = reg[1:]
if rw == 'cr':
def search_text(text, start, end, direction):
direc = ida_search.SEARCH_UP if direction == SearchDirection.UP else ida_search.SEARCH_DOWN
return ida_search.find_text(start, 1, 1, text, direc)
def __hash__(self):
return hash(self.__key())
outputPath = 'C:\ida output\output_popcnt_parser.txt'
outputInfoPath = 'C:\ida output\output_popcnt_parser_info.txt'
if os.path.exists(outputPath):
os.remove(outputPath)
output = open(outputPath, 'w')
if os.path.exists(outputInfoPath):
os.remove(outputInfoPath)
output_info = open(outputInfoPath, 'w')
imagebase = idaapi.get_imagebase()
popcntAddr = ida_search.find_text(0, 0, 0, "popcnt", SEARCH_DOWN)
db = {}
counter = 0
while popcntAddr != BADADDR:
try:
popcntSize = get_item_size(popcntAddr)
print(counter,
hex(popcntAddr).rstrip("L"),
GetDisasm(popcntAddr),
hex(ctypes.c_longlong(get_operand_value(popcntAddr,
1)).value).rstrip("L"),
hex(popcntSize).rstrip("L"),
file=output_info)
###Second operand parsing
if get_operand_type(popcntAddr, 0) == o_reg: