def getProc_addr(idx, ctx):
import ida_bytes
obj = ctx.get_obj("fcnPtr")
print "%x" % obj.addr
name = ctx.get_obj("fcnName")
name_str = ida_bytes.get_strlit_contents(name.addr, -1, -1)
ida_name.set_name(obj.addr, name_str)
def main():
for segstart, segend, segname in enum_segments():
if segname not in ('.rdata', 'UPX1'):
continue
print(segname)
for src, dst, size in find_pointers(segstart, segend):
if idc.get_segm_name(dst) not in (".text", "UPX0"):
continue
if is_code(dst):
continue
print("new function pointer: 0x%x -> 0x%x" % (src, dst))
ida_auto.auto_make_code(dst)
ida_auto.auto_make_proc(dst)
ida_bytes.del_items(src, size)
ida_bytes.create_data(src,
idc.FF_QWORD if size == 8 else idc.FF_DWORD,
size, idc.BADADDR)
# this doesn't seem to always work :-(
idc.op_plain_offset(src, -1, 0)
ida_name.set_name(src, "j_%s_%x" % (src, dst))
def restore_x(unique_name, start=here()):
if MD5_hash_data_file and os.path.isfile(MD5_hash_data_file):
with open(MD5_hash_data_file, "rb") as ifile:
received_data = pickle.loads(ifile.read())
saved_data = received_data
# (start_addr, end_addr, names, comms, bpts)
if unique_name in saved_data:
current_data = saved_data[unique_name]
# restore names
names = current_data[2]
for name in names:
# names: (rel_addr, name)
ida_name.set_name(start + name[0], name[1])
# restore comments
# comms: (rel_addr, TYPE, comment)
comms = current_data[3]
for comm in comms:
# 1:MakeComm and 2:MakeRptCmt
if comm[1] == 1:
MakeComm(start + comm[0], comm[2])
else:
MakeRptCmt(start + comm[0], comm[2])
# restore breakpoints
# bpts: (rel_addr, size, type)
bpts = current_data[4]
for bpt in bpts:
ida_dbg.add_bpt(start + bpt[0], bpt[1], bpt[2])
def __call__(self):
flags = ida_name.SN_LOCAL if self.local_name else 0
ida_name.set_name(
self.ea, self.new_name, flags | ida_name.SN_NOWARN
)
ida_kernwin.request_refresh(ida_kernwin.IWID_DISASMS)
HexRaysEvent.refresh_pseudocode_view(self.ea)
def __call__(self):
flags = ida_name.SN_LOCAL if self.local_name else 0
ida_name.set_name(self.ea, Event.encode(self.new_name),
flags | ida_name.SN_NOWARN)
ida_kernwin.request_refresh(ida_kernwin.IWID_DISASMS)
if ida_hexrays.init_hexrays_plugin():
HexRaysEvent.refresh_pseudocode_view()
def PrefixRange(start, end, prefix) :
x = start
while x < end:
n = ida_funcs.get_func_name(x)
if n.startswith("sub_"):
nn = prefix + n
print "Renaming %s to %s\n" % (n, nn)
ida_name.set_name(x,nn)
x = NextFunction(x)
def auto_rename_single(ca, addr, force=False):
cfunc = ida_hexrays.decompile(addr, flags=ida_hexrays.DECOMP_NO_CACHE if force else 0)
if not cfunc:
return
ca.reset()
ca.apply_to(cfunc.body, None)
if ca.results:
ida_name.set_name(addr, ca.results[-1], ida_name.SN_AUTO | ida_name.SN_NOCHECK | ida_name.SN_NOWARN)
def force_variable(ea, type, name):
t = ida_typeinf.tinfo_t()
ida_typeinf.parse_decl(t, None, '{} a;'.format(type), 0)
ida_bytes.del_items(
ea, ida_bytes.DELIT_EXPAND | ida_bytes.DELIT_DELNAMES
| ida_bytes.DELIT_NOCMT, t.get_size())
ida_name.set_name(ea, name, ida_name.SN_CHECK)
idc.apply_type(ea, idc.parse_decl('{} a;'.format(type), 0),
idc.TINFO_DEFINITE)
def restore_x(unique_name=None, start=None):
ea = ida_kernwin.get_screen_ea()
# signature
if not unique_name:
if not start:
seg = ida_segment.getseg(ea)
start = seg.start_ea
sig_bytes = ida_bytes.get_bytes(start, SIGNATURE_SIZE)
sig_hash = hashlib.md5(sig_bytes).hexdigest()
unique_name = sig_hash
if not start:
seg = ida_segment.getseg(ea)
start = seg.start_ea
if MD5_hash_data_file and os.path.isfile(MD5_hash_data_file):
with open(MD5_hash_data_file, "rb") as ifile:
received_data = pickle.loads(ifile.read())
saved_data = received_data
print("dumpDyn::restore\n\
Name: {}\n\
Restore address: {}\n".format(unique_name, hex(start)))
# (start_addr, end_addr, names, comms, bpts, funcs)
if unique_name in saved_data:
current_data = saved_data[unique_name]
# restore names
names = current_data[2]
for name in names:
# names: (rel_addr, name, is_code)
ida_name.set_name(start + name[0], name[1])
flags = ida_bytes.get_flags(start + name[0])
if name[2] and not ida_bytes.is_code(flags):
ida_auto.auto_make_code(start + name[0])
# restore comments
# comms: (rel_addr, TYPE, comment)
comms = current_data[3]
for comm in comms:
# 0:MakeComm and 1:MakeRptCmt
ida_bytes.set_cmt(start + comm[0], comm[2], comm[1])
# restore breakpoints
# bpts: (rel_addr, size, type)
bpts = current_data[4]
for bpt in bpts:
ida_dbg.add_bpt(start + bpt[0], bpt[1], bpt[2])
# restore functions
funcs_addr = current_data[5]
for addr in funcs_addr:
ida_auto.auto_make_proc(start + addr) # make code & func
def mark_string(ea, name=None):
strlen = len(idc.get_strlit_contents(ea, -1) or '')
ida_bytes.del_items(
ea, ida_bytes.DELIT_EXPAND | ida_bytes.DELIT_DELNAMES
| ida_bytes.DELIT_NOCMT, strlen + 1)
ida_bytes.create_strlit(ea, strlen + 1, idc.get_inf_attr(idc.INF_STRTYPE))
if name:
ida_name.set_name(ea, name, ida_name.SN_CHECK)
idc.apply_type(ea, idc.parse_decl('char const a[]', 0), idc.TINFO_DEFINITE)
return get_cstring(ea)
def apply_kallsyms(kallsyms):
for address, name in kallsyms:
if name[0] != 'A':
new_name = str(name[1:])
if not _is_uname(new_name):
new_name = '_' + new_name
if _is_uname(new_name):
if not set_name(address, new_name):
del_items(address)
set_name(address, new_name)
def find_image4_load(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x4D650000)
if ea_list[0] != idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print("\t[+] _image4_load = 0x%x" % (func_ea))
ida_name.set_name(func_ea, "_image4_load")
return func_ea
return idaapi.BADADDR
def find_load_kernelcache(ea):
ea_list = list(idautils.XrefsTo(ea))
if ea_list[0].frm != idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0].frm).start_ea
print("\t[+] _load_kernelcache = 0x%x" % (func_ea))
ida_name.set_name(func_ea, "_load_kernelcache")
return func_ea
return idaapi.BADADDR
def auto_rename_single(ca, addr):
cfunc = ida_hexrays.decompile(addr)
if not cfunc:
return
ca.reset()
ca.apply_to(cfunc.body, None)
if ca.results:
ida_name.set_name(
addr, ca.results[-1],
ida_name.SN_AUTO | ida_name.SN_NOCHECK | ida_name.SN_NOWARN)
def find_update_device_tree(base_ea):
udt_ea = ida_search.find_text(base_ea, 1, 1, "development-cert",
ida_search.SEARCH_DOWN)
if udt_ea != idaapi.BADADDR:
for xref in idautils.XrefsTo(udt_ea):
func = ida_funcs.get_func(xref.frm)
print("\t[+] _UpdateDeviceTree = 0x%x" % (func.start_ea))
ida_name.set_name(func.start_ea, "_UpdateDeviceTree")
return func.start_ea
return idaapi.BADADDR
def find_panic(base_ea):
pk_ea = ida_search.find_text(base_ea, 1, 1, "double panic in ",
ida_search.SEARCH_DOWN)
if pk_ea != idaapi.BADADDR:
for xref in idautils.XrefsTo(pk_ea):
func = ida_funcs.get_func(xref.frm)
print("\t[+] _panic = 0x%x" % (func.start_ea))
ida_name.set_name(func.start_ea, "_panic")
return func.start_ea
return idaapi.BADADDR
def __call__(self):
flags = ida_name.SN_LOCAL if self.local_name else 0
try:
ida_name.set_name(self.ea, (self.new_name),
flags | ida_name.SN_NOWARN)
except:
raise Exception(
repr((self.ea, (self.new_name), flags | ida_name.SN_NOWARN)))
ida_kernwin.request_refresh(ida_kernwin.IWID_DISASMS)
HexRaysEvent.refresh_pseudocode_view(self.ea)
def find_do_printf(base_ea):
str_ea = ida_search.find_text(base_ea, 1, 1, "<ptr>",
ida_search.SEARCH_DOWN)
if str_ea != idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = ida_funcs.get_func(xref.frm)
print("\t[+] _do_printf = 0x%x" % (func.start_ea))
ida_name.set_name(func.start_ea, "_do_printf")
return func.start_ea
return idaapi.BADADDR
def load(infos):
for info in infos:
ida_name.set_name(info['address'], info['name'])
type = info.get('type', None)
# TODO this code is kind of mashed together... not sure of the
# right way.
tid = ida_struct.get_struc_id(type) if type else BADADDR
if type:
ida_bytes.create_struct(info['address'], info['sz'], tid)
ida_bytes.create_data(
info['address'], info['flags'], info['sz'], tid)
def find_aes_crypto_cmd(base_ea):
aes_ea = ida_search.find_text(base_ea, 1, 1, "aes_crypto_cmd",
ida_search.SEARCH_DOWN)
if aes_ea != idaapi.BADADDR:
for xref in idautils.XrefsTo(aes_ea):
func = ida_funcs.get_func(xref.frm)
print("\t[+] _aes_crypto_cmd = 0x%x" % (func.start_ea))
ida_name.set_name(func.start_ea, "_aes_crypto_cmd")
return func.start_ea
return idaapi.BADADDR
def find_pmgr_binning_mode_get_value(base_ea):
str_ea = ida_search.find_text(base_ea, 1, 1, "Invalid low",
ida_search.SEARCH_DOWN)
if str_ea != idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = ida_funcs.get_func(xref.frm)
print("\t[+] _pmgr_binning_mode_get_value = 0x%x" %
(func.start_ea))
ida_name.set_name(func.start_ea, "_pmgr_binning_mode_get_value")
return func.start_ea
return idaapi.BADADDR
def load(infos):
for info in infos:
ida_name.set_name(info['address'], info['name'])
# TODO this code is kind of mashed together... not sure of the
# right way.
tid = ida_struct.get_struc_id(
info['type']) if info['type'] else BADADDR
if info['type']:
print(info['type'], hex(tid))
ida_bytes.create_struct(info['address'], info['sz'], tid)
ida_bytes.create_data(info['address'], info['flags'], info['sz'],
tid)
def force_array(ea, type, name, count=None):
t = ida_typeinf.tinfo_t()
ida_typeinf.parse_decl(t, None, '{} a;'.format(type), 0)
ida_bytes.del_items(
ea, ida_bytes.DELIT_EXPAND | ida_bytes.DELIT_DELNAMES
| ida_bytes.DELIT_NOCMT,
t.get_size() * (1 if count is None else count))
ida_name.set_name(ea, name, ida_name.SN_CHECK)
idc.apply_type(
ea,
idc.parse_decl(
'{} a[{}];'.format(type, '' if count is None else str(count)), 0),
idc.TINFO_DEFINITE)
def sync_ask_rename():
"""
Dialog asking renaming confirmation to the user
"""
rename_flag = 0
if force or idc.ask_yn(
rename_flag, "Replace %s by %s" %
(get_name(), name["data"])) == 1:
logger.debug("[x] renaming %s @ 0x%x as %s", get_name(),
name["address"], name["data"])
ida_name.set_name(name["address"],
name["data"].encode('ascii', 'ignore'),
ida_name.SN_AUTO)
def find_do_go(base_ea):
str_ea = ida_search.find_text(base_ea, 1, 1, "Memory image not valid",
ida_search.SEARCH_DOWN)
if str_ea != idaapi.BADADDR:
for xref in idautils.XrefsTo(str_ea):
func = ida_funcs.get_func(xref.frm)
if func is None:
return idaapi.BADADDR
print("\t[+] _do_go = 0x%x" % (func.start_ea))
ida_name.set_name(func.start_ea, "_do_go")
return func.start_ea
return idaapi.BADADDR
def find_img4decodeinit(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x494D0000)
if ea_list[0] != idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
ea_func_list = list(idautils.XrefsTo(func_ea))
if ea_func_list[0].frm != idaapi.BADADDR:
i4d_ea = ida_funcs.get_func(ea_func_list[0].frm).start_ea
print("\t[+] _Img4DecodeInit = 0x%x" % (i4d_ea))
ida_name.set_name(i4d_ea, "_Img4DecodeInit")
return i4d_ea
return idaapi.BADADDR
def mark_string(ea, name=None):
strlen = len(idc.GetString(ea, -1))
if strlen == 0:
raise Exception(
'tried marking {} as string, but it isn\'t (len 0)'.format(
hex(ea)))
ida_bytes.del_items(
ea, ida_bytes.DELIT_EXPAND | ida_bytes.DELIT_DELNAMES
| ida_bytes.DELIT_NOCMT, strlen + 1)
ida_bytes.create_strlit(ea, strlen + 1, idc.get_inf_attr(idc.INF_STRTYPE))
if name:
ida_name.set_name(ea, name, ida_name.SN_CHECK)
idc.apply_type(ea, idc.parse_decl('char const a[]', 0), idc.TINFO_DEFINITE)
return idc.GetString(ea, -1)
def __init__(self, name_funcs=[]):
ida_dbg.DBG_Hooks.__init__(self) # important
for ea, func_name in name_funcs:
log("Renaming 0x%08x to \"%s\"" % (ea, func_name))
ida_name.set_name(ea, func_name)
for func_name, func_proto in [
("ref4", "int ref4(int *);"),
("ref8", "int ref8(long long int *);"),
]:
log("Setting '%s's prototype" % func_name)
func_ea = ida_name.get_name_ea(ida_idaapi.BADADDR, func_name)
assert (ida_typeinf.apply_cdecl(None, func_ea, func_proto))
def find_macho_valid(base_ea):
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0xFACF)
if ea_list[0] == idaapi.BADADDR:
ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN,
0xFEEDFACF)
if ea_list[0] != idaapi.BADADDR:
func_ea = ida_funcs.get_func(ea_list[0]).start_ea
print("\t[+] _macho_valid = 0x%x" % (func_ea))
ida_name.set_name(func_ea, "_macho_valid")
return func_ea
return idaapi.BADADDR
def main():
for segstart, segend, segname in enum_segments():
for head in idautils.Heads(segstart, segend):
if not is_code(head):
continue
# pattern:
#
# lea rax, unk_6BDF88
# mov [rsp+0], rax
# mov qword ptr [rsp+8], 40h
if ida_ua.ua_mnem(head) != "lea":
continue
next_head = ida_bytes.next_head(head, idc.BADADDR)
if ida_ua.ua_mnem(next_head) != "mov":
continue
next_head2 = ida_bytes.next_head(next_head, idc.BADADDR)
if ida_ua.ua_mnem(next_head2) != "mov":
continue
dst = idc.get_operand_value(head, 1)
if idc.get_segm_name(dst) not in (".rdata", "UPX1"):
continue
size = idc.get_operand_value(next_head2, 1)
if size > 0x100:
continue
if size <= 2:
continue
buf = ida_bytes.get_bytes(dst, size)
if not buf:
continue
if b"\x00" in buf:
continue
try:
s = buf.decode("ascii")
except UnicodeDecodeError:
continue
print("string pointer: 0x%x -> 0x%x: %s" % (head, dst, s))
ida_bytes.del_items(dst, 1)
ida_bytes.create_data(dst, idc.FF_BYTE, 1, idc.BADADDR)
ida_bytes.set_cmt(dst, s, True)
ida_name.set_name(dst, "s_%x" % (dst))
def sync_ask_rename():
"""
Dialog asking renaming confirmation to the user
"""
rename_flag = 0
if force or idc.ask_yn(rename_flag, "Replace %s by %s" %
(get_name(), name["data"])) == 1:
logger.debug("[x] renaming %s @ 0x%x as %s",
get_name(),
name["address"],
name["data"])
ida_name.set_name(
name["address"], name["data"].encode(
'ascii', 'ignore'),
ida_name.SN_AUTO)