def floss_make_decompiler_comment(self, ea, str): cfunc = idaapi.decompile(ea) tl = idaapi.treeloc_t() tl.ea = ea tl.itp = idaapi.ITP_SEMI cfunc.set_user_cmt(tl, str) cfunc.save_user_cmts()
def import_pseudocomments_to_fun(f_ea, d): if d == {}: #print "skipping %x, empty" % f_ea return print "Attempting to decompile %x" % f_ea try: ct = idaapi.decompile(f_ea) except idaapi.DecompilationFailure: print "error during decompilation (IDA API)" return # i dont know when this happens, but for 404E1404, which is not really a function # this is triggered if not ct or ct.user_cmts == None: print "failed obtaining user cmts at %x" % f_ea return user_cmts = ct.user_cmts it = idaapi.user_cmts_begin(user_cmts) for i in d.iterkeys(): t = idaapi.treeloc_t() t.ea = d[i]["ea"] t.itp = d[i]["itp"] c = idaapi.citem_cmt_t(d[i]["comment"]) idaapi.user_cmts_insert(user_cmts, t, c)
def set_hexray_cmmts(ea,text): cfunc = idaapi.decompile(ea) tl = idaapi.treeloc_t() tl.ea = ea tl.itp = idaapi.ITP_SEMI cfunc.set_user_cmt(tl,text) cfunc.save_user_cmts()
def add_comment(cfunc, s, ea): idc.MakeComm(ea, s) tl = idaapi.treeloc_t() tl.ea = ea tl.itp = idaapi.ITP_SEMI cfunc.set_user_cmt(tl, s) cfunc.save_user_cmts()
def get_decode_xrefs(): """ Find all cross-refernces to 0x132549a in our REvil malware sample. Decode the string and annotate the IDA database, this will make analysis a lot easier """ for xref in idautils.XrefsTo(0x132549a): # first of all, we need to find the arguments to this function, the signature is: # BYTE* __cdecl decode_string(char* base, int keyOffset, int keyLen, int dataLen, BYTE* pOut); args = get_decode_args(xref.frm) if args: base, key_offset, key_len, data_len = args # get the data from the image, data = [keyBytes][encryptedData] data = ida_bytes.get_bytes(base + key_offset, key_len + data_len) str = data_to_str(decode_string(data, key_len, data_len)) print("0x%08x: %s" % (xref.frm, str)) # put a comment in the code cfunc = idaapi.decompile(xref.frm) if cfunc is not None: tl = idaapi.treeloc_t() tl.ea = xref.frm tl.itp = idaapi.ITP_SEMI cfunc.set_user_cmt(tl, str) cfunc.save_user_cmts() idaapi.set_cmt(int(xref.frm), str, True) else: # We could not get the arguments, likely because it may be a register and not an immediate # value, so we'd need to go back further and find what value that register was assigned with. # Would be easier to just tell user, and let him decode it manually (HexRays has the actual args) print("0x%08x: Could not decode arguments" % xref.frm)
def set_hexrays_comment(address, text): cfunc = idaapi.decompile(address) tl = idaapi.treeloc_t() tl.ea = address tl.itp = idaapi.ITP_SEMI cfunc.set_user_cmt(tl, text) cfunc.save_user_cmts()
def __call__(self): cmts = idaapi.user_cmts_new() for (tl_ea, tl_itp), cmt in self.cmts: tl = idaapi.treeloc_t() tl.ea = tl_ea tl.itp = tl_itp cmts.insert(tl, idaapi.citem_cmt_t(cmt)) idaapi.save_user_cmts(self.ea, cmts) refresh_pseudocode_view()
def set_decomplier_cmt(ea, cmt): cfunc = idaapi.decompile(ea) tl = idaapi.treeloc_t() tl.ea = ea tl.itp = idaapi.ITP_SEMI if cfunc: cfunc.set_user_cmt(tl, cmt) cfunc.save_user_cmts() else: error("Decompile failed: {:#x}".formart(ea))
def setComments(info, decStr): #Set Comment for Decompile (hexray) cfunc = idaapi.decompile(info['addr']) tl = idaapi.treeloc_t() tl.ea = info['addr'] + 7 tl.itp = idaapi.ITP_SEMI cfunc.set_user_cmt(tl, decStr) cfunc.save_user_cmts() #Set Comment for Disasemble (IDA) idaapi.set_cmt(info['addr'], decStr, None)
def decode_at_ea(addr, offset, keyLen, dataLen): """ use for manually decoding with IDA and will put a comment at screen_ea """ data = ida_bytes.get_bytes(addr + offset, keyLen + dataLen) cmt = data_to_str(decode_string(data, keyLen, dataLen)) print("%s" % cmt) ea = idc.get_screen_ea() idaapi.set_cmt(ea, cmt, True) # disassembly comment cfunc = idaapi.decompile(ea) if cfunc is not None: # decompiled comment tl = idaapi.treeloc_t() tl.ea = ea tl.itp = idaapi.ITP_SEMI cfunc.set_user_cmt(tl, cmt) cfunc.save_user_cmts()
def set_ida_comment(addr, cmt, decompiled=False): func = ida_funcs.get_func(addr) if not func: l.info(f"No function found at {addr}") return False rpt = 1 # function comment if addr == func.start_ea: idc.set_func_cmt(addr, cmt, rpt) return True # a comment in decompilation elif decompiled: try: cfunc = idaapi.decompile(addr) except Exception: ida_bytes.set_cmt(addr, cmt, rpt) return True eamap = cfunc.get_eamap() decomp_obj_addr = eamap[addr][0].ea tl = idaapi.treeloc_t() # try to set a comment using the cfunc obj and normal address for a in [addr, decomp_obj_addr]: tl.ea = a for itp in range(idaapi.ITP_SEMI, idaapi.ITP_COLON): tl.itp = itp cfunc.set_user_cmt(tl, cmt) cfunc.save_user_cmts() cfunc.refresh_func_ctext() # attempt to set until it does not fail (orphan itself) if not cfunc.has_orphan_cmts(): cfunc.save_user_cmts() return True cfunc.del_orphan_cmts() return False # a comment in disassembly else: ida_bytes.set_cmt(addr, cmt, rpt) return True
def comment_stl(self): idaapi.msg('[%s] start to add comments\n' % (self.plg_name)) current_ea = idc.here() if current_ea == idaapi.BADADDR: idaapi.warning('[%s] invalid address!\n' % (self.plg_name)) return current_function_begin, current_function_end = self.get_current_function_range( current_ea) if current_function_begin == idaapi.BADADDR or current_function_end == idaapi.BADADDR: idaapi.warning('[%s] failed to get_current_function_range!\n' % (self.plg_name)) return stl_names = self.get_groomed_stl_functionnames() if len(stl_names) == 0: idaapi.warning('[%s] not found any stl usages!\n' % (self.plg_name)) return comments_count = 0 for functionAddr in stl_names: xrefs = idautils.CodeRefsTo(functionAddr, False) for xref in xrefs: if xref >= current_function_begin and xref <= current_function_end: comment = stl_names[functionAddr] idaapi.msg('[%s] add a comment on %s (%s)\n' % (self.plg_name, hex(xref), comment)) cfunc = idaapi.decompile(xref) tl = idaapi.treeloc_t() tl.ea = xref tl.itp = idaapi.ITP_BLOCK1 cfunc.set_user_cmt(tl, comment) cfunc.save_user_cmts() idaapi.decompile(current_function_begin) comments_count += 1 idaapi.msg('[%s] finished. %d commented\n' % (self.plg_name, comments_count)) if comments_count > 0: idaapi.msg('[%s] now, press F5!\n' % (self.plg_name)) return
def addDecompilerComment(self, loc, comment): cfunc = idaapi.decompile(loc) eamap = cfunc.get_eamap() decompObjAddr = eamap[loc][0].ea tl = idaapi.treeloc_t() tl.ea = decompObjAddr commentSet = False for itp in range(idaapi.ITP_SEMI, idaapi.ITP_COLON): tl.itp = itp cfunc.set_user_cmt(tl, comment) cfunc.save_user_cmts() unused = cfunc.__str__() if not cfunc.has_orphan_cmts(): commentSet = True cfunc.save_user_cmts() break cfunc.del_orphan_cmts() if not commentSet: print("pseudo comment error at %08x" % loc)
def save_strings(self): sc = idautils.Strings() for s in sc: for Xref in XrefsTo(s.ea, flags=0): self.data[Xref.frm] = [] for Xref in XrefsTo(s.ea, flags=0): ea = Xref.frm cfunc = idaapi.decompile(ea) tl = idaapi.treeloc_t() tl.ea = ea tl.itp = idaapi.ITP_SEMI if "offset" in GetOpnd(ea, 0): self.variable = GetOpnd(ea, 0).split(" ") self.variable = self.variable[1] elif "offset" in GetOpnd(ea, 1): self.variable = GetOpnd(ea, 1).split(" ") self.variable = self.variable[1] else: self.variable = "" try: self.data[Xref.frm].append(str(unicode(s))) #MakeComm(Xref.frm, str(unicode(s))) IP = re.search("\d+[.]\d+[.]\d+[.]\d+", str(unicode(s))) URL = re.search("www[.]\w+[.]\w+", str(unicode(s))) except: pass if not IP == None: result = GeoIP(IP.group()) print("Address : " + str(hex(ea)) + " " + IP.group() + " -> " + result) MakeComm(Xref.frm, str(IP.group() + " -> " + result)) print("[*] Assembly Code Commented successfully") try: cfunc.set_user_cmt( tl, self.variable + " : " + str(IP.group() + " -> " + result)) cfunc.save_user_cmts() print("[*] Pseudocode Commented successfully") except AttributeError: print("[*] Don't have pseudocode") pass elif not URL == None: try: IP_data = socket.gethostbyname(URL.group().replace( "http://", "")) IP_data = GeoIP(IP_data) except: IP_data = "Not found" print("Address : " + str(hex(ea)) + " " + URL.group() + " -> " + IP_data) MakeComm(Xref.frm, str(URL.group() + " -> " + IP_data)) print("[*] Assembly Code Commented successfully") try: cfunc.set_user_cmt( tl, self.variable + " : " + str(URL.group() + " -> " + IP_data)) cfunc.save_user_cmts() print("[*] Pseudocode Commented successfully") except AttributeError: print("[*] Don't have pseudocode") pass else: try: cfunc.set_user_cmt( tl, self.variable + " : " + str(unicode(s))) cfunc.save_user_cmts() print("[*] Pseudocode Commented successfully") except AttributeError: print("[*] Don't have pseudocode") pass
except ValueError: result = " " return result IP = "" URL = "" a = {} sc = idautils.Strings() for s in sc: for Xref in XrefsTo(s.ea, flags=0): a[Xref.frm] = [] for Xref in XrefsTo(s.ea, flags=0): ea = Xref.frm cfunc = idaapi.decompile(ea) tl = idaapi.treeloc_t() tl.ea = ea tl.itp = idaapi.ITP_SEMI if (GetOpnd(ea, 0).find("offset") != -1): variable = GetOpnd(ea, 0).split(" ") variable = variable[1] if (GetOpnd(ea, 1).find("offset") != -1): variable = GetOpnd(ea, 1).split(" ") variable = variable[1] try: a[Xref.frm].append(str(unicode(s))) #MakeComm(Xref.frm, str(unicode(s))) IP = re.search("\d+[.]\d+[.]\d+[.]\d+", str(unicode(s))) URL = re.search("www[.]\w+[.]\w+", str(unicode(s))) except: pass