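def codeify(self, ea=idc.BADADDR):
    """Sweep the code segment from *ea* and define whatever is still undefined.

    Addresses that already belong to a named function are skipped to that
    function's end.  Every other address inside a segment whose type is
    ``self.CODE`` is first offered to ``idc.MakeFunction`` and, failing
    that, to ``idc.MakeCode``.  Progress is reported with ``print``.

    @param ea: address to start from; ``idc.BADADDR`` (the default) means
               "the first code segment, or the first segment of any kind"
    @return: None
    """
    func_count = 0
    code_count = 0
    if ea == idc.BADADDR:
        ea = self.get_start_ea(self.CODE)
    if ea == idc.BADADDR:
        ea = idc.FirstSeg()
    print "\nLooking for undefined code starting at: %s:0x%X" % (idc.SegName(ea), ea)
    if self.get_start_ea(self.DATA) == idc.BADADDR:
        print "WARNING: No data segments defined! I don't know where the code segment ends and the data segment begins."
    while ea != idc.BADADDR:
        try:
            if idc.GetSegmentAttr(ea, idc.SEGATTR_TYPE) == self.CODE:
                if idc.GetFunctionName(ea) != '':
                    # Already inside a defined function: jump past it.
                    ea = idc.FindFuncEnd(ea)
                    continue
                elif idc.MakeFunction(ea):
                    func_count += 1
                elif idc.MakeCode(ea):
                    code_count += 1
        except Exception:
            # Best effort: an address IDA refuses to define must not stop the
            # sweep.  Narrowed from a bare ``except`` so that
            # KeyboardInterrupt/SystemExit still abort the script.
            pass
        ea = idc.NextAddr(ea)
    print "Created %d new functions and %d new code blocks\n" % (func_count, code_count)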
def find_module_ptr(self):
    """Locate the last kernel module entry through a three-stage byte search.

    Stage 1 finds the literal ``"SceUIDModuleClass"`` (the quotes are part
    of the ``idc.FindBinary`` query, i.e. an ASCII string search).  Stage 2
    finds the first pointer to that string and steps back ``0xC`` bytes
    (presumably to the class object).  Stage 3 walks every pointer to the
    class object until the dword at ``+0x20`` points at a C string equal to
    ``"SceKrm"``; ``self.last_module_ptr`` is then set to that hit plus 4.

    @raise RuntimeError: when any stage produces no match
    """
    flags = idc.SEARCH_DOWN | idc.SEARCH_CASE

    def pointer_pattern(value):
        # Bytes of p32(value), rendered as a "AA BB CC DD" FindBinary query.
        return " ".join(chunk(p32(value).encode("hex"), 2))

    str_ptr = idc.FindBinary(0, flags, '"SceUIDModuleClass"')
    if str_ptr == idc.BADADDR:
        raise RuntimeError("failed to apply str_ptr heuristic")
    log("stage 1: str_ptr at 0x{:08X}".format(str_ptr))

    cls_ptr = idc.FindBinary(0, flags, pointer_pattern(str_ptr))
    if cls_ptr == idc.BADADDR:
        raise RuntimeError("failed to apply cls_ptr heuristic")
    cls_ptr -= 0xC
    log("stage 2: cls_ptr at 0x{:08X}".format(cls_ptr))

    cls_pattern = pointer_pattern(cls_ptr)
    hit = 0
    while True:
        hit = idc.FindBinary(hit, flags, cls_pattern)
        if hit == idc.BADADDR:
            raise RuntimeError("failed to find the last module using the heuristic")
        name = c_str(idc.Dword(hit + 0x20), 0x20)
        if name == "SceKrm":
            self.last_module_ptr = hit + 4
            log("stage 3: last_module_ptr at 0x{:08X}".format(self.last_module_ptr))
            return
        hit = idc.NextAddr(hit)
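def codeify(self, ea=idc.BADADDR):
    """Sweep the code segment from *ea* and define whatever is still undefined.

    Addresses that already belong to a named function are skipped to that
    function's end.  Every other address inside a segment whose type is
    ``self.CODE`` is first offered to ``idc.MakeFunction`` and, failing
    that, to ``idc.MakeCode``.  Progress is reported through ``self.say``.

    @param ea: address to start from; ``idc.BADADDR`` (the default) means
               "the first code segment, or the first segment of any kind"
    @return: None
    """
    func_count = 0
    code_count = 0
    if ea == idc.BADADDR:
        ea = self.get_start_ea(self.CODE)
    if ea == idc.BADADDR:
        ea = idc.FirstSeg()
    self.say("\nLooking for undefined code starting at: %s:0x%X" % (idc.SegName(ea), ea))
    while ea != idc.BADADDR:
        try:
            if idc.GetSegmentAttr(ea, idc.SEGATTR_TYPE) == self.CODE:
                if idc.GetFunctionName(ea) != '':
                    # Already inside a defined function: jump past it.
                    ea = idc.FindFuncEnd(ea)
                    continue
                elif idc.MakeFunction(ea):
                    func_count += 1
                elif idc.MakeCode(ea):
                    code_count += 1
        except Exception:
            # Best effort: an address IDA refuses to define must not stop the
            # sweep.  Narrowed from a bare ``except`` so that
            # KeyboardInterrupt/SystemExit still abort the script.
            pass
        ea = idc.NextAddr(ea)
    self.say("Created %d new functions and %d new code blocks\n" % (func_count, code_count))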
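def findend(ea):
    """Return the distance from *ea* to the next referenced or named address.

    Starting at ``idc.NextAddr(ea)``, the scan stops at the first address
    that either has incoming cross-references (``XrefsTo``) or carries any
    name (``idc.FF_ANYNAME`` set in its full flags).

    @param ea: start address
    @return: byte distance from *ea* to the stop address
    """
    origin = ea
    while True:
        ea = idc.NextAddr(ea)
        # XrefsTo may return a generator (idautils.XrefsTo does), and a
        # generator object is always truthy, so a bare ``if XrefsTo(ea)``
        # would stop at the very first address.  any() consumes the result
        # and reflects whether a cross-reference actually exists; for a
        # list result the outcome is unchanged.
        if any(XrefsTo(ea)):
            break
        if idaapi.get_full_flags(ea) & idc.FF_ANYNAME:
            break
    return ea - origin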
def fix_code(start_address, end_address):
    """Turn every non-code item after *start_address* into a function.

    The first address examined is ``idc.NextAddr(start_address)``, never
    *start_address* itself.  Each item whose flags are not code is handed
    to ``idc.MakeFunction``.  Because the cursor is advanced before the
    bound is re-checked, the last item handled may lie just past
    *end_address*.

    @param start_address: address before the first item to examine
    @param end_address: upper bound tested before each advance
    @return: None
    """
    # Todo: There might be some data in the range of codes.
    # Todo: Check should use MakeCode or MakeFunction
    cursor = start_address
    while cursor <= end_address:
        cursor = idc.NextAddr(cursor)
        if idc.isCode(idc.GetFlags(cursor)):
            continue
        idc.MakeFunction(cursor)
def hasCookie(self):
    """Report whether the function at ``self.addr`` looks like it checks a stack cookie.

    The disassembly is scanned forward from the function start; a line
    that starts with ``xor`` and mentions ``ebp`` counts as the cookie
    check.  The scan gives up once more than 20 steps have been taken
    (the check is expected in the prologue), at the function end, or at
    ``idc.BADADDR``.  Note the walk uses ``idc.NextAddr``, i.e. one byte
    rather than one instruction per step.

    @return: True when such an ``xor`` line is found, else False
    """
    end = idc.GetFunctionAttr(self.addr, idc.FUNCATTR_END)
    cursor = idc.GetFunctionAttr(self.addr, idc.FUNCATTR_START)
    steps = 0
    while cursor not in (end, idc.BADADDR):
        line = idc.GetDisasm(cursor)
        if line.startswith('xor') and 'ebp' in line:
            return True
        cursor = idc.NextAddr(cursor)
        steps += 1
        # security cookie check is usually at beginning of function (unless some crazy-ass prologue)
        if steps > 20:
            return False
    return False
def datify(self):
    """Define every still-unknown or byte-sized item in the data area as a DWORD offset.

    Walks from the first data segment (or the first segment of any kind
    when none is typed as data) until ``idc.BADADDR``; each item whose
    flags are unknown or byte becomes a dword whose operand 0 is turned
    into an offset with ``idc.OpOff``.  Alignment is not checked.

    @return: None
    """
    cursor = self.get_start_ea(self.DATA)
    if cursor == idc.BADADDR:
        cursor = idc.FirstSeg()
    print "Converting remaining data to DWORDs...",
    while cursor != idc.BADADDR:
        item_flags = idc.GetFlags(cursor)
        convertible = idc.isUnknown(item_flags) or idc.isByte(item_flags)
        if convertible:
            idc.MakeDword(cursor)
            idc.OpOff(cursor, 0, 0)
        cursor = idc.NextAddr(cursor)
    print "done."
def Addrs(*args):
    """
    Enumerate all addresses

    Yields every address from the start of the range, advancing with
    ``idc.NextAddr``, and stops at the range end or at ``BADADDR``.

    @param <range>: see getrange
    @return: list of all addresses in range
    """
    (lo, hi) = getrange(args)
    # note: problem when using range(...) for ea>=2^31
    # TODO: problem when last == BADADDR
    cursor = lo
    while cursor != BADADDR:
        if cursor >= hi:
            return
        yield cursor
        cursor = idc.NextAddr(cursor)
def datify(self):
    """Define every 4-byte-aligned unknown or byte-sized data item as a DWORD offset.

    Walks from the first data segment (or the first segment of any kind
    when none is typed as data) until ``idc.BADADDR``.  An item is
    converted only when its flags are unknown or byte AND its address is a
    multiple of 4; it becomes a dword whose operand 0 is turned into an
    offset with ``idc.OpOff``.  ``self._fix_data_offsets()`` runs once the
    walk has finished.

    @return: None
    """
    cursor = self.get_start_ea(self.DATA)
    if cursor == idc.BADADDR:
        cursor = idc.FirstSeg()
    self.say("Converting remaining data to DWORDs...")
    while cursor != idc.BADADDR:
        item_flags = idc.GetFlags(cursor)
        aligned = (cursor % 4) == 0
        convertible = idc.isUnknown(item_flags) or idc.isByte(item_flags)
        if aligned and convertible:
            idc.MakeDword(cursor)
            idc.OpOff(cursor, 0, 0)
        cursor = idc.NextAddr(cursor)
    self.say("done.")
    self._fix_data_offsets()
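def _colorize_block(self, block_ea, color=idc.DEFCOLOR):
    """Colour every item of the basic block that starts at *block_ea*.

    Nothing happens when *block_ea* is not a key of ``self.block_table``.
    The block's ``startEA``/``endEA`` bound the walk; ``endEA`` is
    treated as exclusive.

    @param block_ea: start address of the block, as keyed in self.block_table
    @param color: colour passed to ``idc.SetColor``; ``idc.DEFCOLOR`` restores the default
    @return: None
    """
    # ``in`` replaces the Python-2-only dict.has_key(); the entry is then
    # fetched once instead of being looked up on every loop test.
    if block_ea not in self.block_table:
        return
    block = self.block_table[block_ea]
    ea = block.startEA
    while ea < block.endEA:
        idc.SetColor(ea, idc.CIC_ITEM, color)
        ea = idc.NextAddr(ea)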
dism_addr = list(idautils.FuncItems(here())) print type(dism_addr) print dism_addr for line in dism_addr: print hex(line), idc.GetDisasm(line) #获取下一个指令的地址 idc.NextHead(ea) #获取上一条指令的地址 idc.PrevHead(ea) #获取下一个地址 idc.NextAddr(ea) #获取上一个地址 idc.PrevAddr(ea) #遍历所有的动态调用 for func in idautils.Functions(): flags = idc.GetFunctionFlags(func) if flags & FUNC_LIB or flags & FUNC_THUNK: continue dism_addr = list(idautils.FuncItems(func)) for line in dism_addr: m = idc.GetMnem(line) if m == 'call' or m == 'jmp': op = idc.GetOpType(line, 0) if op == o_reg: