def main(argv=None): if argv is None: argv = sys.argv[:] try: seg = prompt_for_segment() except BadInputError: logger.error('bad input, exiting...') return -1 with open(seg.path, 'rb') as f: buf = f.read() seglen = len(buf) if seglen % 0x1000 != 0: seglen = seglen + (0x1000 - (seglen % 0x1000)) if not idc.AddSeg(seg.addr, seg.addr + seglen, 0, 1, 0, idaapi.scPub): logger.error('failed to add segment: 0x%x', seg.addr) return -1 if not idc.RenameSeg(seg.addr, seg.name): logger.warning('failed to rename segment: %s', seg.name) if not idc.SetSegClass(seg.addr, 'CODE'): logger.warning('failed to set segment class CODE: %s', seg.name) if not idc.SegAlign(seg.addr, idc.saRelPara): logger.warning('failed to align segment: %s', seg.name) idaapi.patch_many_bytes(seg.addr, buf)
def formbook_patch_encrypted_bytecode(): text_segm = ida_segment.get_segm_by_name('.text') if not text_segm: return idaapi.BADADDR seg_start = text_segm.startEA seg_end = text_segm.endEA fb_decrypt = FormBookDecryption() rc4_key = "faddefad156c45629c95d5f429363b0653ad5c1d".decode('hex') # same as rc4_final from formbook_decrypt_hashes_and_strings() for i in [(0x40, 0x48), (0x41, 0x49), (0x42, 0x4a), (0x43, 0x4b), (0x44, 0x4c)]: egg_pattern = ''.join('{:02x} '.format(x) for x in [i[0], 0x90, 0x90, 0x90, i[1]]) encrypted_start = idaapi.find_binary(seg_start, seg_end, egg_pattern, 16, idaapi.SEARCH_DOWN) if encrypted_start != idaapi.BADADDR: encrypted_end = idaapi.find_binary(encrypted_start + 5, seg_end, "90 90 90 90", 16, idaapi.SEARCH_DOWN) if encrypted_end != idaapi.BADADDR: encrypted_start += 5 patch_length = encrypted_end - encrypted_start if idaapi.visit_patched_bytes(encrypted_start, encrypted_end, callback_on_patched_bytes) == 0: encrypted_buff = idaapi.get_bytes(encrypted_start, patch_length) decrypted_buff = fb_decrypt.decrypt_func2(encrypted_buff, rc4_key) print('Patching encrypted bytecode at 0x{:x} ({:d} bytes)'.format(encrypted_start, patch_length)) idaapi.patch_many_bytes(encrypted_start, decrypted_buff) else: print('Encrypted bytecode at 0x{:x} ({:d} bytes) is already patched'.format(encrypted_start, patch_length))
def make_segment(self, offset, size, class_name="DATA", name="pe_map", data=None): """Create a new section in the IDB""" idc.AddSeg(offset, offset + size, 0, 1, 0, idaapi.scPub) idc.RenameSeg(offset, str(name)) idc.SetSegClass(offset, str(class_name)) #idc.SegAlign(offset, idc.saRelPara) if data: idaapi.patch_many_bytes(offset, bytes(data)) self.ret = None return self.ret
def load_file(li, neflags, fmt): # Assume BCM20734 == cortex-m3 idaapi.set_processor_type('arm:armv7-m', idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL) parser = FwParser(li) fw_index = parser.active_fw if len(parser.fw) > 1: msg = ['SPI dump has more than one PatchRAM image.\n\nEnter the index of the one to load:'] for i in range(len(parser.fw)): if parser.fw_present(i): msg.append('%i @ 0x%08x %s' % (i, parser.fw_offsets[i], '[active]' if i == parser.active_fw else '')) fw_index = ida_kernwin.asklong(parser.active_fw, '\n'.join(msg)) # Create known memory regions make_seg([0x0, 0xC8000], 1) make_seg([0x260000, 0x26C000], 1) make_seg([0xD0000, 0xE0000]) make_seg([0x200000, 0x248000]) load_bin_file(0x0, "Choose ROM 1 (@0x000000)") load_bin_file(0x260000, "Choose ROM 2 (@0x260000)") load_bin_file(0xD0000, "Choose RAM_LO (@0x0D0000)") load_bin_file(0x200000, "Choose RAM_HI (@0x200000)") # The PatchRAM changes will show up as patched bytes load_rampatch = 0 if ram_loaded == 0: load_rampatch = ida_kernwin.askbuttons_c('Yes', 'No', 'Not sure', 1,'Do you want to patch ROM 1 and RAM regions with the provided PatchRAM?\n\n') if load_rampatch == 1: print('Patching ROM1, RAM_LO and RAM_HI:') parser.process({0x08 : lambda r: idaapi.patch_many_bytes(r.addr, r.data), 0x0a : lambda r: idaapi.patch_many_bytes(r.addr, r.data)}, fw_index) print('ROM 1, RAM_LO and RAM_HI regions were patched.') elif ram_loaded == 1: print('Patching ROM1:') parser.process({0x08 : lambda r: idaapi.patch_many_bytes(r.addr, r.data)}, fw_index) print('Only one RAM region loaded. ROM 1 was patched.') elif ram_loaded == 2: load_rampatch = ida_kernwin.askbuttons_c('Yes', 'No', 'Not sure', 0,'RAM_LO and RAM_HI were loaded.\n\nDo you want to patch them with the provided PatchRAM?\n\n') if load_rampatch == -1 or load_rampatch == 0: print('Patching ROM1:') parser.process({0x08 : lambda r: idaapi.patch_many_bytes(r.addr, r.data)}, fw_index) print('RAM_LO and RAM_HI loaded. ROM 1 was patched.') elif load_rampatch == 1: print('Patching ROM1, RAM_LO and RAM_HI:') parser.process({0x08 : lambda r: idaapi.patch_many_bytes(r.addr, r.data), 0x0a : lambda r: idaapi.patch_many_bytes(r.addr, r.data)}, fw_index) print('RAM_LO and RAM_HI loaded. ROM 1 and both RAM regions were patched.') # Code is THUMB only idc.SetReg(0x0, 't', 1) return 1
def patchIDB(self,buff): for i in buff: # process file contents i=i.strip() # strip new line jumpaddr,datastr=self.extractStackData(i) # extract jump address and four double words from each line for rawbytes in datastr: # process each double word idc.jumpto(jumpaddr) # jump to segment address temp = self.convertRawHexData(rawbytes) # process word string into bytes idaapi.patch_many_bytes(jumpaddr,temp) # patch bytes at jumpaddr self.setComment("Address: 0x%x \tStack Value: %s" % (jumpaddr,rawbytes)) # create a comment at each double word in segment jumpaddr +=4 # increment jumpaddr by 4 bytes
def OnEditLine(self, n): # Empty list if n == -1: return # Multiselect START_SEL/END_SEL protocol if n == -2 or n ==-3: return ea = self.items_data[n][0] fpos = self.items_data[n][1] patch_buf = self.items_data[n][3] orig_buf = self.items_data[n][4] addr_str = "%#x" % ea fpos_str = "%#x" % fpos if fpos != -1 else "N/A" patch_str = self.items[n][3] org_str = self.items[n][4] # Create the form f = PatchEditForm(addr_str, fpos_str, patch_str, org_str) # Execute the form ok = f.Execute() if ok == 1: # Convert hex bytes to binary buf = f.strPatch.value buf = buf.replace(' ','') # remove spaces buf = buf.replace('\\x','') # remove '\x' prefixes buf = buf.replace('0x','') # remove '0x' prefixes try: buf = binascii.unhexlify(buf) # convert to bytes except Exception as e: idaapi.warning("Invalid input: %s" % e) f.Free() return # Restore original bytes first idaapi.put_many_bytes(ea, struct.pack("B"*len(orig_buf), *orig_buf)) # Now apply newly patched bytes idaapi.patch_many_bytes(ea, buf) # Refresh all IDA views self.refreshitems() # Dispose the form f.Free()
def OnEditLine(self, n): # Empty list if n == -1: return # Multiselect START_SEL/END_SEL protocol if n == -2 or n ==-3: return ea = self.items_data[n][0] fpos = self.items_data[n][1] patch_buf = self.items_data[n][3] orig_buf = self.items_data[n][4] addr_str = "%#x" % ea fpos_str = "%#x" % fpos if fpos != -1 else "N/A" patch_str = self.items[n][3] org_str = self.items[n][4] # Create the form f = PatchEditForm(addr_str, fpos_str, patch_str, org_str) # Execute the form ok = f.Execute() if ok == 1: # Convert hex bytes to binary buf = f.strPatch.value buf = buf.replace(' ','') # remove spaces buf = buf.replace('\\x','') # remove '\x' prefixes buf = buf.replace('0x','') # remove '0x' prefixes try: buf = binascii.unhexlify(buf) # convert to bytes except Exception, e: idaapi.warning("Invalid input: %s" % e) f.Free() return # Restore original bytes first idaapi.put_many_bytes(ea, struct.pack("B"*len(orig_buf), *orig_buf)) # Now apply newly patched bytes idaapi.patch_many_bytes(ea, buf) # Refresh all IDA views self.refreshitems() idaapi.refresh_idaview_anyway()
def show_edit_form(self): selection, start_ea, end_ea = idaapi.read_selection() if not selection: start_ea = idaapi.get_screen_ea() end_ea = start_ea + 1 if start_ea != idaapi.BADADDR and end_ea != idaapi.BADADDR: if end_ea > start_ea: buf_len = end_ea - start_ea buf = get_many_bytes(start_ea, buf_len) or "\xFF"*buf_len buf_str = " ".join(["%02X" % ord(x) for x in buf]) fpos = idaapi.get_fileregion_offset(start_ea) addr_str = "%#X" % start_ea fpos_str = "%#x" % fpos if fpos != -1 else "N/A" f = PatchEditForm(addr_str, fpos_str, buf_str, buf_str) # Execute the form ok = f.Execute() if ok == 1: # Convert hex bytes to binary buf = f.strPatch.value buf = buf.replace(' ','') # remove spaces buf = buf.replace('\\x','') # remove '\x' prefixes buf = buf.replace('0x','') # remove '0x' prefixes try: buf = binascii.unhexlify(buf) # convert to bytes except Exception, e: idaapi.warning("Invalid input: %s" % e) f.Free() return # Now apply newly patched bytes idaapi.patch_many_bytes(start_ea, buf) # Refresh all IDA views self.patch_view.refreshitems() idaapi.refresh_idaview_anyway() # Dispose the form f.Free()
def show_edit_form(self): selection, start_ea, end_ea = idaapi.read_selection() if not selection: start_ea = idaapi.get_screen_ea() end_ea = start_ea + 1 buf_len = end_ea - start_ea buf = idaapi.get_many_bytes(start_ea, buf_len) or "\xFF"*buf_len buf_str = " ".join(["%02X" % x for x in buf]) fpos = idaapi.get_fileregion_offset(start_ea) addr_str = "%#X" % start_ea fpos_str = "%#x" % fpos if fpos != -1 else "N/A" f = PatchEditForm(addr_str, fpos_str, buf_str, buf_str) # Execute the form ok = f.Execute() if ok == 1: # Convert hex bytes to binary buf = f.strPatch.value buf = buf.replace(' ','') # remove spaces buf = buf.replace('\\x','') # remove '\x' prefixes buf = buf.replace('0x','') # remove '0x' prefixes try: buf = binascii.unhexlify(buf) # convert to bytes except Exception as e: idaapi.warning("Invalid input: %s" % e) f.Free() return # Now apply newly patched bytes idaapi.patch_many_bytes(start_ea, buf) # Refresh all IDA views self.patch_view.Refresh() # Dispose the form f.Free()
def patch_decoded(decoded_strings, define=True): ''' Description: Patches the bytes at each encoded string location with the decoded string value. Assumes null termination. Input: decoded_strings - A list of successfully decoded strings. define - When True, defines a string in the IDB Output: Makes a string in IDA at the string's start_location ''' for decoded_string in sorted(decoded_strings, key=lambda string: string.string_location): if decoded_string.string_location in [INVALID, UNUSED, idc.BADADDR]: continue idaapi.patch_many_bytes(decoded_string.startEA, decoded_string.as_bytes) if define: define_string(decoded_string)
def show_xor_with_key_form(): selection, start_ea, end_ea = idaapi.read_selection() if not selection: start_ea = idaapi.get_screen_ea() # Create the form f = XorWithKeyForm(start_ea) # Execute the form ok = f.Execute() if ok == 1: start_ea = f.intStartEA.value target_length = f.intLength.value key = f.rString.value if target_length < 0: slog("target lenth is wrong " + str(target_length)) return if idaapi.IDA_SDK_VERSION >= 700: buf = ida_bytes.get_bytes(start_ea, target_length) else: buf = ida_bytes.get_many_bytes(start_ea, target_length) if buf is None: slog("Failed to get bytes") return lbuf = list(buf) lkey = list(key) for i in range(target_length): lbuf[i] = chr(ord(lbuf[i]) ^ ord(lkey[i % len(lkey)])) # Now apply newly patched bytes buf = "".join(lbuf) idaapi.patch_many_bytes(start_ea, buf) # Dispose the form f.Free()
def patch(self, fill_char=None, define=True): """ Patches the original encoded string with the decoded string. :param str fill_char: Character to use to fill left over space if decoded data is shorter than its encoded data. (defaults to leaving the original data) :param bool define: Whether to define the string after patching. """ if self.decoded_data in (INVALID, UNUSED): return if self.string_location in (INVALID, UNUSED, idc.BADADDR): return decoded_data = self.as_bytes if fill_char: decoded_data += fill_char * (len(self.encoded_data) - len(decoded_data)) try: idaapi.patch_many_bytes(self.startEA, decoded_data) if define: self.define() except TypeError: append_debug("String type for decoded string from location 0x{:08x}.".format(self.startEA))
def write_data(ea, blob, reanalyze=True): """ Write bytes to idb """ if reanalyze: idc.MakeUnknown(ea, len(blob), 0) idaapi.patch_many_bytes(ea, blob) if reanalyze: idc.MakeCode(ea)
def activate(self, ctx): if self.action in ACTION_CONVERT: # convert selection, start, end = idaapi.read_selection() if selection: size = end - start elif ItemSize(ScreenEA()) > 1: start = ScreenEA() size = ItemSize(start) end = start + size else: return False data = idaapi.get_many_bytes(start, size) name = Name(start) if not name: name = "data" if data: print "\n[+] Dump 0x%X - 0x%X (%u bytes) :" % (start, end, size) if self.action == ACTION_CONVERT[0]: # escaped string print '"%s"' % "".join("\\x%02X" % ord(b) for b in data) elif self.action == ACTION_CONVERT[1]: # hex string print "".join("%02X" % ord(b) for b in data) elif self.action == ACTION_CONVERT[2]: # C array output = "unsigned char %s[%d] = {" % (name, size) for i in range(size): if i % 16 == 0: output += "\n " output += "0x%02X, " % ord(data[i]) output = output[:-2] + "\n};" print output elif self.action == ACTION_CONVERT[3]: # C array word data += "\x00" array_size = (size + 1) / 2 output = "unsigned short %s[%d] = {" % (name, array_size) for i in range(0, size, 2): if i % 16 == 0: output += "\n " output += "0x%04X, " % u16(data[i:i+2]) output = output[:-2] + "\n};" print output elif self.action == ACTION_CONVERT[4]: # C array dword data += "\x00" * 3 array_size = (size + 3) / 4 output = "unsigned int %s[%d] = {" % (name, array_size) for i in range(0, size, 4): if i % 32 == 0: output += "\n " output += "0x%08X, " % u32(data[i:i+4]) output = output[:-2] + "\n};" print output elif self.action == ACTION_CONVERT[5]: # C array qword data += "\x00" * 7 array_size = (size + 7) / 8 output = "unsigned long %s[%d] = {" % (name, array_size) for i in range(0, size, 8): if i % 32 == 0: output += "\n " output += "%#018X, " % u64(data[i:i+8]) output = output[:-2] + "\n};" print output.replace("0X", "0x") elif self.action == ACTION_CONVERT[6]: # python list print "[%s]" % ", ".join("0x%02X" % ord(b) for b in data) elif self.action == ACTION_CONVERT[7]: # python list word data += "\x00" print "[%s]" % ", ".join("0x%04X" % u16(data[i:i+2]) for i in range(0, size, 2)) elif self.action == ACTION_CONVERT[8]: # python list dword data += "\x00" * 3 print "[%s]" % ", ".join("0x%08X" % u32(data[i:i+4]) for i in range(0, size, 4)) elif self.action == ACTION_CONVERT[9]: # python list qword data += "\x00" * 7 print "[%s]" % ", ".join("%#018X" % u64(data[i:i+8]) for i in range(0, size, 8)).replace("0X", "0x") elif self.action == ACTION_XORDATA: selection, start, end = idaapi.read_selection() if not selection: if ItemSize(ScreenEA()) > 1: start = ScreenEA() end = start + ItemSize(start) else: return False data = idaapi.get_many_bytes(start, end - start) x = AskLong(0, "Xor with...") if x: x &= 0xFF print "\n[+] Xor 0x%X - 0x%X (%u bytes) with 0x%02X:" % (start, end, end - start, x) print repr("".join(chr(ord(b) ^ x) for b in data)) elif self.action == ACTION_FILLNOP: selection, start, end = idaapi.read_selection() if selection: idaapi.patch_many_bytes(start, "\x90" * (end - start)) print "\n[+] Fill 0x%X - 0x%X (%u bytes) with NOPs" % (start, end, end - start) elif self.action == ACTION_SCANVUL: print "\n[+] Finding Format String Vulnerability..." found = [] for addr in idautils.Functions(): name = GetFunctionName(addr) if "printf" in name and "v" not in name and SegName(addr) in (".text", ".plt", ".idata"): xrefs = idautils.CodeRefsTo(addr, False) for xref in xrefs: vul = self.check_fmt_function(name, xref) if vul: found.append(vul) if found: print "[!] Done! %d possible vulnerabilities found." % len(found) ch = VulnChoose("Vulnerability", found, None, False) ch.Show() else: print "[-] No format string vulnerabilities found." else: return 0 return 1
pc = triton.getSymbolicRegisterValue(triton.REG.RIP) rax_ast = triton.buildSymbolicRegister(triton.REG.RAX) rax_ast = triton.getFullAst(rax_ast) rax_ast = triton.simplify(rax_ast, True) start = time.time() print("[+] computing Arybo representation...") e = atools.tritonast2arybo(rax_ast, use_exprs=True, use_esf=False) print("[+] got Arybo expression, evalute it...") e = aexprs.eval_expr(e, use_esf=False) end = time.time() diff = end - start print("[*] Arybo evaluation computed in %0.4fs" % diff) app = e.vectorial_decomp([rdi.v]) exp = atools.identify(app, "rdi") print("[*] Identified expression: rax = %s" % aexprs.prettyprint(exp)) asm = easm.asm_binary(exp, ("rax", 64), {"rdi": ("rdi", 64)}, "x86_64-unknown-unknwon") print("[*] Assembled expression: %s" % asm.encode("hex")) func_size = func.endEA - 1 - func.startEA if len(asm) > func_size: printf("[-] Final assembly does not fit in the original function!") asm_nop = asm + "\x90" * (func_size - len(asm)) func_start = int(func.startEA) func_end = int(func.endEA) idaapi.patch_many_bytes(func_start, asm_nop) idaapi.do_unknown_range(func_start, func_end, 0) idaapi.auto_make_code(func_start) idaapi.auto_make_proc(func_start)
def show_import_form(self): selection, start_ea, end_ea = idaapi.read_selection() if not selection: start_ea = idaapi.get_screen_ea() end_ea = start_ea + 1 # Create the form f = DataImportForm(start_ea, end_ea); # Execute the form ok = f.Execute() if ok == 1: start_ea = f.intStartEA.value end_ea = f.intEndEA.value if f.rFile.selected: imp_file = f.impFile.value try: f_imp_file = open(imp_file,'rb') except Exception as e: idaapi.warning("File I/O error({0}): {1}".format(e.errno, e.strerror)) return else: buf = f_imp_file.read() f_imp_file.close() else: buf = f.strPatch.value # Hex values, unlike string literal, needs additional processing if f.rHex.selected: buf = buf.replace(' ','') # remove spaces buf = buf.replace('\\x','') # remove '\x' prefixes buf = buf.replace('0x','') # remove '0x' prefixes try: buf = binascii.unhexlify(buf) # convert to bytes except Exception as e: idaapi.warning("Invalid input: %s" % e) f.Free() return if not len(buf): idaapi.warning("There was nothing to import.") return # Trim to selection if needed: if f.cSize.checked: buf_size = end_ea - start_ea buf = buf[0:buf_size] # Now apply newly patched bytes idaapi.patch_many_bytes(start_ea, buf) # Refresh all IDA views self.patch_view.Refresh() # Dispose the form f.Free()
def write(ea, data, original=False): return idaapi.patch_many_bytes( ea, data) if original else idaapi.put_many_bytes(ea, data)
except Exception, e: idaapi.warning("Invalid input: %s" % e) f.Free() return if not len(buf): idaapi.warning("There was nothing to import.") return # Trim to selection if needed: if f.cSize.checked: buf_size = end_ea - start_ea buf = buf[0:buf_size] # Now apply newly patched bytes idaapi.patch_many_bytes(start_ea, buf) # Refresh all IDA views self.patch_view.refreshitems() idaapi.refresh_idaview_anyway() # Dispose the form f.Free() #-------------------------------------------------------------------------- # Patch Notify Hook #-------------------------------------------------------------------------- patched_bytes_dict = {} # Dummy function
def relocate_segment(source, destination, size): buf = idaapi.get_many_bytes(source, size) idaapi.patch_many_bytes(destination, buf)
def fun(addr, bs): idaapi.patch_many_bytes(addr, bs)
def write(ea, data, original=False): return idaapi.patch_many_bytes(ea, data) if original else idaapi.put_many_bytes(ea, data)
def activate(self, ctx): if self.action in ACTION_CONVERT: # convert selection, start, end = idaapi.read_selection() if selection: size = end - start elif ItemSize(ScreenEA()) > 1: start = ScreenEA() size = ItemSize(start) end = start + size else: return False data = idaapi.get_many_bytes(start, size) name = Name(start) if not name: name = "data" if data: print("\n[+] Dump 0x%X - 0x%X (%u bytes) :" % (start, end, size)) if self.action == ACTION_CONVERT[0]: # escaped string print('"%s"' % "".join("\\x%02X" % ord(b) for b in data)) elif self.action == ACTION_CONVERT[1]: # hex string print("".join("%02X" % ord(b) for b in data)) elif self.action == ACTION_CONVERT[2]: # C array output = "unsigned char %s[%d] = {" % (name, size) for i in range(size): if i % 16 == 0: output += "\n " output += "0x%02X, " % ord(data[i]) output = output[:-2] + "\n};" print(output) elif self.action == ACTION_CONVERT[3]: # C array word data += "\x00" array_size = (size + 1) / 2 output = "unsigned short %s[%d] = {" % (name, array_size) for i in range(0, size, 2): if i % 16 == 0: output += "\n " output += "0x%04X, " % u16(data[i:i+2]) output = output[:-2] + "\n};" print(output) elif self.action == ACTION_CONVERT[4]: # C array dword data += "\x00" * 3 array_size = (size + 3) / 4 output = "unsigned int %s[%d] = {" % (name, array_size) for i in range(0, size, 4): if i % 32 == 0: output += "\n " output += "0x%08X, " % u32(data[i:i+4]) output = output[:-2] + "\n};" print(output) elif self.action == ACTION_CONVERT[5]: # C array qword data += "\x00" * 7 array_size = (size + 7) / 8 output = "unsigned long %s[%d] = {" % (name, array_size) for i in range(0, size, 8): if i % 32 == 0: output += "\n " output += "%#018X, " % u64(data[i:i+8]) output = output[:-2] + "\n};" print(output.replace("0X", "0x")) elif self.action == ACTION_CONVERT[6]: # python list print("[%s]" % ", ".join("0x%02X" % ord(b) for b in data)) elif self.action == ACTION_CONVERT[7]: # python list word data += "\x00" print("[%s]" % ", ".join("0x%04X" % u16(data[i:i+2]) for i in range(0, size, 2))) elif self.action == ACTION_CONVERT[8]: # python list dword data += "\x00" * 3 print("[%s]" % ", ".join("0x%08X" % u32(data[i:i+4]) for i in range(0, size, 4))) elif self.action == ACTION_CONVERT[9]: # python list qword data += "\x00" * 7 print("[%s]" % ", ".join("%#018X" % u64(data[i:i+8]) for i in range(0, size, 8)).replace("0X", "0x")) elif self.action == ACTION_XORDATA: selection, start, end = idaapi.read_selection() if not selection: if ItemSize(ScreenEA()) > 1: start = ScreenEA() end = start + ItemSize(start) else: return False data = idaapi.get_many_bytes(start, end - start) x = AskLong(0, "Xor with...") if x: x &= 0xFF print("\n[+] Xor 0x%X - 0x%X (%u bytes) with 0x%02X:" % (start, end, end - start, x)) print(repr("".join(chr(ord(b) ^ x) for b in data))) elif self.action == ACTION_FILLNOP: selection, start, end = idaapi.read_selection() if selection: idaapi.patch_many_bytes(start, "\x90" * (end - start)) print("\n[+] Fill 0x%X - 0x%X (%u bytes) with NOPs" % (start, end, end - start)) elif self.action == ACTION_SCANVUL: print("\n[+] Finding Format String Vulnerability...") found = [] for addr in idautils.Functions(): name = GetFunctionName(addr) if "printf" in name and "v" not in name and SegName(addr) in (".text", ".plt", ".idata"): xrefs = idautils.CodeRefsTo(addr, False) for xref in xrefs: vul = self.check_fmt_function(name, xref) if vul: found.append(vul) if found: print("[!] Done! %d possible vulnerabilities found." % len(found)) ch = VulnChoose("Vulnerability", found, None, False) ch.Show() else: print("[-] No format string vulnerabilities found.") else: return 0 return 1
def write_memory(start, data, destructive=False): if destructive: idaapi.put_many_bytes(start, data) else: idaapi.patch_many_bytes(start, data)
except Exception, e: idaapi.warning("Invalid input: %s" % e) f.Free() return if not len(buf): idaapi.warning("There was nothing to import.") return # Trim to selection if needed: if f.cSize.checked: buf_size = end_ea - start_ea buf = buf[0:buf_size] # Now apply newly patched bytes idaapi.patch_many_bytes(start_ea, buf) # Refresh all IDA views self.patch_view.Refresh() # Dispose the form f.Free() #-------------------------------------------------------------------------- # Plugin #-------------------------------------------------------------------------- class idapatcher_t(plugin_t): flags = idaapi.PLUGIN_UNL comment = "Enhances manipulation and application of patched bytes."