def define(ea):
if BaseClassDescriptor.isDefined(ea):
return
td = TypeDescriptor(BaseClassDescriptor.__typeDescriptorPtr(ea))
attrs = BaseClassDescriptor.__attributes(ea)
if attrs != 0 and attrs != 0x40:
print '%08X: Suspicious attributes value: %08X' % (ea, attrs)
# raise RttiError('%08X: Suspicious attributes value: %08X' % (ea, attrs))
isV2 = (attrs & 0x40) != 0
if isV2:
strid = idaapi.get_struc_id('_s__RTTIBaseClassDescriptor2')
else:
strid = idaapi.get_struc_id('_s__RTTIBaseClassDescriptor')
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
pmd = BaseClassDescriptor.__where(ea)
name = '??_R1'
name += mangleNumber(pmd.mdisp)
name += mangleNumber(pmd.pdisp)
name += mangleNumber(pmd.vdisp)
name += mangleNumber(attrs)
name += td.baseMangledName + '8'
idaapi.set_name(ea, name, 0)
if isV2:
ClassHierarchyDescriptor.define(BaseClassDescriptor.__v2ChdPtr(ea))
def define(ea):
if CompleteObjectLocator.isDefined(ea):
return
if not CompleteObjectLocator.isValid(ea):
raise RttiError("%08X: doesn't look like a correct CompleteObjectLocator" % (ea))
# Ensure referenced structs are defined.
# An exception will be thrown if something goes wrong.
tdPtr = idaapi.get_full_long(ea + 12)
td = TypeDescriptor(tdPtr)
chdPtr = idaapi.get_full_long(ea + 16)
chd = ClassHierarchyDescriptor(chdPtr)
strid = idaapi.get_struc_id("_s__RTTICompleteObjectLocator")
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
if chd.isMultipleInheritance:
if chd.isVirtualInheritance:
print "%08X: Cannot handle virtual inheritance yet." % (ea)
else:
# '??_R4' + td.baseMangledName + '6B' + baseClassTd.baseMangledName + '@'
# '??_7' + ...
print "%08X: Cannot handle multiple inheritance yet." % (ea)
else:
idaapi.set_name(ea, "??_R4" + td.baseMangledName + "6B@", 0)
def define(ea):
if CompleteObjectLocator.isDefined(ea):
return
if not CompleteObjectLocator.isValid(ea):
raise RttiError(
"%08X: doesn't look like a correct CompleteObjectLocator" %
(ea))
# Ensure referenced structs are defined.
# An exception will be thrown if something goes wrong.
tdPtr = idaapi.get_full_long(ea + 12)
td = TypeDescriptor(tdPtr)
chdPtr = idaapi.get_full_long(ea + 16)
chd = ClassHierarchyDescriptor(chdPtr)
strid = idaapi.get_struc_id('_s__RTTICompleteObjectLocator')
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
if chd.isMultipleInheritance:
if chd.isVirtualInheritance:
print '%08X: Cannot handle virtual inheritance yet.' % (ea)
else:
# '??_R4' + td.baseMangledName + '6B' + baseClassTd.baseMangledName + '@'
# '??_7' + ...
print '%08X: Cannot handle multiple inheritance yet.' % (ea)
else:
idaapi.set_name(ea, '??_R4' + td.baseMangledName + '6B@', 0)
def define(ea):
if BaseClassDescriptor.isDefined(ea):
return
td = TypeDescriptor(BaseClassDescriptor.__typeDescriptorPtr(ea))
attrs = BaseClassDescriptor.__attributes(ea)
if attrs != 0 and attrs != 0x40:
print "%08X: Suspicious attributes value: %08X" % (ea, attrs)
# raise RttiError('%08X: Suspicious attributes value: %08X' % (ea, attrs))
isV2 = (attrs & 0x40) != 0
if isV2:
strid = idaapi.get_struc_id("_s__RTTIBaseClassDescriptor2")
else:
strid = idaapi.get_struc_id("_s__RTTIBaseClassDescriptor")
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
pmd = BaseClassDescriptor.__where(ea)
name = "??_R1"
name += mangleNumber(pmd.mdisp)
name += mangleNumber(pmd.pdisp)
name += mangleNumber(pmd.vdisp)
name += mangleNumber(attrs)
name += td.baseMangledName + "8"
idaapi.set_name(ea, name, 0)
if isV2:
ClassHierarchyDescriptor.define(BaseClassDescriptor.__v2ChdPtr(ea))
def apply_struct(ea, sid, size):
if size == -1:
size = idc.GetStrucSize(sid)
idc.MakeUnknown(ea, size, idc.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, sid)
return size
def apply_struct(ea, name, size):
sid = idc.GetStrucIdByName(name)
if (size == -1):
size = idc.GetStrucSize(sid)
idc.MakeUnknown(ea, size, idc.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, sid)
return size
def define(ea):
if TypeDescriptor.isDefined(ea):
return
if not TypeDescriptor.isValid(ea):
raise RttiError("%08X: This doesn't look like a TypeDescriptor." % ea)
# FIXME: 64-bit compatibility
mangledName = getAsciiz(ea + 8)
# Define data in DB
structLength = 8 + len(mangledName) + 1
idaapi.do_unknown_range(ea, structLength, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, structLength, idaapi.get_struc_id("_TypeDescriptor"))
idaapi.set_name(ea, TypeDescriptor.makeName(ea), 0)
def __init__(self, ea, vtable):
filepath = GetIdbPath()[:-4]
fp = open(r"{filepath}.txt".format(filepath=filepath), 'a')
# fp.write(filepath)
print "Create file"
do_unknown_range(ea, self.size, DOUNK_DELNAMES)
if doStruct(ea, self.size, self.tid):
# Get adress of type descriptor from CompleteLocator
# print "Complete Object Locator at: 0x%x" % ea
offset = get_member_by_name(self.struc, "pTypeDescriptor").soff
typeDescriptor = get_32bit(ea + offset) + u.x64_imagebase()
# print "Looking for type Descriptor at: 0x%x" % typeDescriptor
rtd = RTTITypeDescriptor(typeDescriptor)
if rtd.class_name:
# print "Type Descriptor at: 0x%x" % typeDescriptor
offset = get_member_by_name(self.struc,
"pClassDescriptor").soff
classHierarchyDes = get_32bit(ea + offset) + u.x64_imagebase()
rchd = RTTIClassHierarchyDescriptor(classHierarchyDes)
# filter out None entries
rchd.bases = filter(lambda x: x, rchd.bases)
classes[strip(rtd.class_name)] = [strip(b) for b in rchd.bases]
MakeNameEx(vtable, "vtable__" + strip(rtd.class_name),
SN_NOWARN)
tempStr = hex(vtable).rstrip('L') + '\t' + strip(
rtd.class_name) + '\t' + str(GuessType(
Dword(vtable + 4))) + '\n'
if ('std' not in tempStr[:15] and 'ATL' not in tempStr[:15]):
fp.write(tempStr)
else:
# if the RTTITypeDescriptor doesn't have a valid name for us to
# read, then this wasn't a valid RTTICompleteObjectLocator
MakeUnknown(ea, self.size, DOUNK_SIMPLE)
fp.close()
def __init__(self, ea, vtable):
do_unknown_range(ea, self.size, DOUNK_DELNAMES)
if doStruct(ea, self.size, self.tid):
# Get adress of type descriptor from CompleteLocator
print "Complete Object Locator at: 0x%x" % ea
offset = get_member_by_name(self.struc, "pTypeDescriptor").soff
typeDescriptor = get_32bit(ea + offset) + u.x64_imagebase()
print "Looking for type Descriptor at: 0x%x" % typeDescriptor
rtd = RTTITypeDescriptor(typeDescriptor)
if rtd.class_name:
print "Type Descriptor at: 0x%x" % typeDescriptor
offset = get_member_by_name(self.struc,
"pClassDescriptor").soff
classHierarchyDes = get_32bit(ea + offset) + u.x64_imagebase()
rchd = RTTIClassHierarchyDescriptor(classHierarchyDes)
# filter out None entries
rchd.bases = filter(lambda x: x, rchd.bases)
className = strip(rtd.class_name)
classes[className] = [strip(b) for b in rchd.bases]
vtables[className] = vtable
MakeNameEx(vtable, "vtable__" + className, SN_NOWARN)
else:
# if the RTTITypeDescriptor doesn't have a valid name for us to
# read, then this wasn't a valid RTTICompleteObjectLocator
MakeUnknown(ea, self.size, DOUNK_SIMPLE)
def define(ea):
if TypeDescriptor.isDefined(ea):
return
if not TypeDescriptor.isValid(ea):
raise RttiError("%08X: This doesn't look like a TypeDescriptor." %
ea)
# FIXME: 64-bit compatibility
mangledName = getAsciiz(ea + 8)
# Define data in DB
structLength = 8 + len(mangledName) + 1
idaapi.do_unknown_range(ea, structLength, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, structLength,
idaapi.get_struc_id("_TypeDescriptor"))
idaapi.set_name(ea, TypeDescriptor.makeName(ea), 0)
def define(ea):
if ClassHierarchyDescriptor.isDefined(ea):
return
if not ClassHierarchyDescriptor.isValid(ea):
raise RttiError("%08X: Doesn't look like a correct ClassHierarchyDescriptor" % ea)
strid = idaapi.get_struc_id("_s__RTTIClassHierarchyDescriptor")
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
bca = BaseClassArray(
ClassHierarchyDescriptor.__baseClassArrayPtr(ea), ClassHierarchyDescriptor.__baseClassCount(ea)
)
# Entry 0 describes the class itself => I can find out the class name.
idaapi.set_name(ea, "??_R3" + bca[0].typeDescriptor.baseMangledName + "8", 0)
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
# Select the PC processor module
idaapi.set_processor_type("metapc", SETPROC_ALL | SETPROC_FATAL)
# read MBR into buffer
li.seek(0, os.SEEK_SET)
buf = li.read(li.size())
seg = idaapi.segment_t()
start = 0x7C00
size = len(buf)
end = start + size
# Create the segment
seg.startEA = start
seg.endEA = end
seg.bitness = 0 # 16-bit
idaapi.add_segm_ex(seg, "seg0", "CODE", 0)
# Copy the bytes
idaapi.mem2base(buf, start, end)
# add entry point
idaapi.add_entry(start, start, "start", 1)
strid = add_struct_def()
idaapi.set_name(start + 0x1BE, "MBR_PARTITION_TABLE", idaapi.SN_CHECK)
str_size = idaapi.get_struc_size(strid)
idaapi.doStruct(start + 0x1BE, str_size, strid)
idaapi.set_name(510, "MBR_SIGN", idaapi.SN_CHECK)
# Mark for analysis
AutoMark(start, AU_CODE)
return 1
def assign_struct_to_address(address, struct_name):
idc.ApplyType(address, get_Tinfo_from_name(struct_name))
struct_id = idaapi.get_struc_id(struct_name)
if struct_id != 0xffffffffffffffff:
struct_size = idaapi.get_struc_size(struct_id)
for i in range(struct_size):
idc.MakeUnkn(address+i, 0)
return idaapi.doStruct(address, struct_size, struct_id)
return False
def define(ea):
if ClassHierarchyDescriptor.isDefined(ea):
return
if not ClassHierarchyDescriptor.isValid(ea):
raise RttiError(
"%08X: Doesn't look like a correct ClassHierarchyDescriptor" %
ea)
strid = idaapi.get_struc_id('_s__RTTIClassHierarchyDescriptor')
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
bca = BaseClassArray(ClassHierarchyDescriptor.__baseClassArrayPtr(ea),
ClassHierarchyDescriptor.__baseClassCount(ea))
# Entry 0 describes the class itself => I can find out the class name.
idaapi.set_name(ea,
'??_R3' + bca[0].typeDescriptor.baseMangledName + '8',
0)
def __init__(self, ea):
print "Processing Class Hierarchy Descriptor at 0x%x" % ea
do_unknown_range(ea, get_struc_size(self.tid), DOUNK_DELNAMES)
if doStruct(ea, get_struc_size(self.tid), self.tid):
baseClasses = get_32bit(ea + get_member_by_name(
self.struc, "pBaseClassArray").soff) + u.x64_imagebase()
nb_classes = get_32bit(
ea + get_member_by_name(self.struc, "numBaseClasses").soff)
print "Baseclasses array at 0x%x" % baseClasses
# Skip the first base class as it is itself (could check)
self.bases = []
for i in range(1, nb_classes):
baseClass = get_32bit(baseClasses + i * 4) + u.x64_imagebase()
print "base class 0x%x" % baseClass
doDwrd(baseClasses + i * 4, 4)
op_offset(baseClasses + i * 4, -1, u.REF_OFF | REFINFO_RVA, -1,
0, 0)
doStruct(baseClass, RTTIBaseClassDescriptor.size,
RTTIBaseClassDescriptor.tid)
typeDescriptor = get_32bit(baseClass) + u.x64_imagebase()
self.bases.append(
RTTITypeDescriptor(typeDescriptor).class_name)
def forceStruct(ea, name): """ forceStruct: ea, name Does all the necessary things to force IDA to convert the memory starting at address 'ea' into a struct of type 'name'. Returns the address after the struct. """ sid = idaapi.get_struc_id(name) ssize = idaapi.get_struc_size(sid) idaapi.do_unknown_range(ea, ssize, DOUNK_DELNAMES) x = idaapi.doStruct(ea, ssize, sid) return ea + ssize
def MakeStructEx(ea=None, size=-1, strname="", strid=None):
'''
Convierte una dirección de memoria en un item de una estructura
@param ea: dirección a establecer
@param size: tamaño de la estructura en bytes.
@param strname: nombre de la estructura
@return: 1-todo bien, 0-mierda
'''
if strid is None:
strid = idaapi.get_struc_id(strname)
if size == -1:
size = idaapi.get_struc_size(strid)
return idaapi.doStruct(ea, size, strid)
def __init__(self, ea):
name = ea + get_member_by_name(self.struc, "name").soff
strlen = u.get_strlen(name)
if strlen is None:
# not a real vtable
return
self.size = self.size + strlen
mangled = get_ascii_contents(name, strlen, 0)
if mangled is None:
# not a real function name
return
print "Mangled: " + mangled
demangled = demangle_name('??_R0' + mangled[1:], 0)
if demangled:
do_unknown_range(ea, self.size, DOUNK_DELNAMES)
if doStruct(ea, self.size, self.tid):
print " Made td at 0x%x: %s" % (ea, demangled)
self.class_name = demangled
return
print " FAIL :("
return
import sark
import idaapi
import idautils
anim = sark.structure.get_struct('DrawData')
while idaapi.is_debugger_on():
dataseg = sark.Segment(name='dataseg').ea
anim_offset = sark.Line(ea=dataseg + idautils.cpu.di).ea
anim_addr = dataseg + anim_offset
idaapi.doStruct(anim_offset, 0x24, anim)
idaapi.jumpto(anim_offset)
idaapi.continue_process()
idaapi.wait_for_next_event(2, 10000)
while (1):
ea = callback2(ea)
if ea == 0:
break
ea = search_ea(addr_to_bhex(ea), "", None)[0]
create_cmdref()
sid = idc.GetStrucIdByName("cmd_ref")
i = 0
names = []
for ea in references:
nameptr = ida_bytes.get_dword(ea)
name = get_string(nameptr)
names.append(name)
idc.MakeUnknown(ea, 0x10, idc.DOUNK_DELNAMES)
idaapi.doStruct(ea, 0x10, sid)
MakeComm(ea, str(i))
i += 1
create_cmdptr()
sid = idc.GetStrucIdByName("cmd_ptr")
ea = search_ea("00 00 FC 3A 00 00", "", None)[1] + 2
offsets = []
badoffsets = {}
x = 0
z = 0
for i in range(0, 0x20000, 0x8):
vea = ea + i
MakeUnkn(vea, 0x8)
idv = ida_bytes.get_dword(vea)
if idv == 0x660066:
import sark
import idaapi
import idautils
anim = sark.structure.get_struct('AnimationFrame')
while idaapi.is_debugger_on():
dataseg = sark.Segment(name='dataseg').ea
anim_offset = idaapi.get_word(sark.Line(ea=dataseg + idautils.cpu.di + 2).ea)
anim_addr = dataseg + anim_offset
idaapi.doStruct(anim_addr, 6, anim)
idaapi.jumpto(sark.Segment(name='dataseg').ea + anim_offset)
idaapi.continue_process()
idaapi.wait_for_next_event(2, 10000)
import sark
import idautils
import idaapi
import csv
dataseg = sark.Segment(name="dataseg")
with open('c:/Users/Joe/applied_structs.csv', 'r') as csvfile:
for row in csv.reader(csvfile):
struct_id = idaapi.get_struc_id(row[1])
size = idaapi.get_struc_size(struct_id)
idaapi.doStruct(int(row[0]) + dataseg.ea, size, struct_id)
def make_data(self, object_version, address):
size = 0
try:
size = object_version.get_size()
except KeyError:
pass
flags = None
try:
flags = object_version.get_object_flags()
except KeyError:
pass
if size == 0:
idc.MakeUnkn(address, idc.DOUNK_EXPAND)
else:
if flags is not None:
if idc.isASCII(flags):
try:
str_type = object_version.get_string_type()
YaToolIDATools.check_and_set_str_type(str_type)
except KeyError:
pass
idc.MakeStr(address, address + size)
idc.SetFlags(address, flags)
if idc.isStruct(flags):
found = False
for xref_offset_operand, xref_id_attr in object_version.get_xrefed_id_map(
).iteritems():
(xref_offset, xref_operand) = xref_offset_operand
for xref_hash, xref_attrs in xref_id_attr:
if xref_hash in self.struc_ids:
struc_id = self.struc_ids[xref_hash]
if DEBUG_EXPORTER:
logger.debug(
"making unknown from 0x%08X to 0x%08X"
% (address, address + size))
idaapi.do_unknown_range(
address, size, idc.DOUNK_DELNAMES)
# idc.MakeUnkn(address, DOUNK_SIMPLE | idc.DOUNK_DELNAMES)
# for i in xrange(1, size):
# MakeName(address + i, "")
# idc.MakeUnkn(address + i, DOUNK_SIMPLE | idc.DOUNK_DELNAMES)
# idc.MakeStructEx uses idaapi.doStruct (but asks for name while
# we already have the struc id)
if DEBUG_EXPORTER:
logger.debug(
"Making struc at %s : %s (sizeof(%s)=0x%08X, size=0x%08X, flags=0x%08X"
% (self.yatools.address_to_hex_string(
address),
self.yatools.address_to_hex_string(
struc_id),
idaapi.get_struc_name(struc_id),
idc.GetStrucSize(struc_id), size,
flags))
idc.SetCharPrm(idc.INF_AUTO, True)
idc.Wait()
if idaapi.doStruct(address, size,
struc_id) == 0:
if DEBUG_EXPORTER:
logger.warning("Making struc failed")
idc.SetCharPrm(idc.INF_AUTO, False)
# idc.SetFlags(address, flags)
found = True
else:
logger.error(
"bad struc flags : idc.isStruct is true but no xref available for object %s"
% self.hash_provider.hash_to_string(
object_version.get_id()))
if not found:
logger.error(
"bad struc flags : idc.isStruct is true "
"but no struc available for object %s (%s)" %
(self.hash_provider.hash_to_string(
object_version.get_id()),
object_version.get_name()))
else:
idc.MakeData(address, flags & (idc.DT_TYPE | idc.MS_0TYPE),
size, 0)
else:
idc.MakeData(address, idc.FF_BYTE, size, 0)
self.make_name(object_version, address, False)
self.set_type(object_version, address)
import idaapi
import idautils
anim = sark.structure.get_struct('TroggSpearImage')
end_of_frame = sark.structure.get_struct("EndOfAnimFrame")
dataseg = sark.Segment(name='dataseg').ea
# anim_offset = idaapi.get_word(sark.Line(ea=dataseg + idautils.cpu.di + 2).ea)
current_position = sark.Line().ea
# current_byte = idaapi.get_byte(current_position)
done = False
while not done:
current_byte = idaapi.get_byte(current_position)
if current_byte == 0xff:
print("applying EndOfAnimFrame")
idaapi.doStruct(current_position, 2, end_of_frame)
next_byte = idaapi.get_byte(current_position + 1)
if next_byte == 0xff:
done = True
current_position += 2
elif current_byte < 0x80:
# print(current_byte)
print("applying AnimationFrame")
test = idaapi.doStruct(current_position, 6, anim)
# print(test)
current_position += 6
# print(hex(current_position-dataseg))
else:
done = True
print "> parsing .secinfo entries:\n"
sid = GetStrucIdByName('MAP_ENTRY')
ssize = idc.GetStrucSize(sid)
# for v 2.44.7 19-Jul-2016
SEC_INFO_LINKED_LIST = 0x200B6A3C
ea = SEC_INFO_LINKED_LIST
entries = []
while True:
idc.MakeUnknown(ea, ssize, idc.DOUNK_DELNAMES)
idaapi.doStruct(ea, ssize, sid)
buf = idc.GetManyBytes(ea, ssize)
entry = MapEntry.from_buffer_copy(buf)
entries.append(entry)
entry.dump()
if entry.next == 0:
break
ea = entry.next
print "\n> setting-up segments:\n"
for entry in [e for e in entries if e.size != 0]:
make_segment(entry.base, entry.size, entry.name())
func_with_count = sark.structure.get_struct("PartialFuncWithCount")
partial_func_param1 = sark.structure.get_struct("PartialFuncParam1Func")
set_image_width = sark.structure.get_struct("PartialFuncSetImageWidth")
dataseg = sark.Segment(name='dataseg').ea
# anim_offset = idaapi.get_word(sark.Line(ea=dataseg + idautils.cpu.di + 2).ea)
current_position = sark.Line().ea
# current_byte = idaapi.get_byte(current_position)
done = False
print("running")
while not done:
current_byte = idaapi.get_byte(current_position)
if current_byte == 0xff:
print("applying EndOfAnimFrame")
idaapi.doStruct(current_position, 2, end_of_frame)
next_byte = idaapi.get_byte(current_position + 1)
if next_byte == 0xff:
done = True
current_position += 2
elif current_byte < 0x80:
# print(current_byte)
print("applying AnimationFrame")
test = idaapi.doStruct(current_position, 6, anim)
# print(test)
current_position += 6
# print(hex(current_position-dataseg))
elif current_byte == 0x92:
print("applying Play sound")
idaapi.doStruct(current_position, 2, play_sound)
current_position += 2
import sark
import idautils
import idaapi
import csv
dataseg = sark.Segment(name="dataseg")
with open('c:/Users/Joe/applied_structs.csv', 'r') as csvfile:
for row in csv.reader(csvfile):
struct_id = idaapi.get_struc_id(row[1])
size = idaapi.get_struc_size(struct_id)
idaapi.doStruct(int(row[0]) + dataseg.ea,size, struct_id)
