def highlight(self):
for ea in idautils.Heads():
flags = ida_shims.get_full_flags(ea)
if ida_shims.is_code(flags) and idaapi.is_call_insn(ea):
current_color = idaapi.get_item_color(ea)
if current_color == self.COLOR:
idaapi.set_item_color(ea, idc.DEFCOLOR)
elif current_color == idc.DEFCOLOR:
idaapi.set_item_color(ea, self.COLOR)
def stringify(self):
n = 0
ea = self.get_start_ea(self.DATA)
if ea == idc.BADADDR:
ea = ida_shims.get_first_seg()
print "Looking for possible strings starting at: 0x%X..." % ea,
for s in idautils.Strings():
if s.ea > ea:
if not ida_shims.is_strlit(ida_shims.get_full_flags(s.ea)) \
and ida_shims.create_strlit(s.ea, 0):
n += 1
print "created %d new ASCII strings" % n
def datify(self):
ea = self.get_start_ea(self.DATA)
if ea == idc.BADADDR:
ea = ida_shims.get_first_seg()
print("Converting remaining data to DWORDs...", end=' ')
while ea != idc.BADADDR:
flags = ida_shims.get_full_flags(ea)
if (ida_shims.is_unknown(flags) or ida_shims.is_byte(flags)) and \
((ea % 4) == 0):
ida_shims.create_dword(ea)
ida_shims.op_plain_offset(ea, 0, 0)
ea = ida_shims.next_addr(ea)
print("done.")
self._fix_data_offsets()
def block(self, block):
'''
Returns a tuple:
([formal, block, signatures], [fuzzy, block, signatures],
set([unique, immediate, values]), [called, function, names])
'''
formal = []
fuzzy = []
functions = []
immediates = []
ea = ida_shims.start_ea(block)
while ea < ida_shims.end_ea(block):
insn = ida_shims.decode_insn(ea)
# Get a list of all data/code refs from the current instruction
drefs = [x for x in idautils.DataRefsFrom(ea)]
crefs = [x for x in idautils.CodeRefsFrom(ea, False)]
# Add all instruction mnemonics to the formal block hash
formal.append(ida_shims.print_insn_mnem(ea))
# If this is a call instruction, be sure to note the name of the
# function being called. This is used to apply call-based
# signatures to functions.
#
# For fuzzy signatures, we can't use the actual name or EA of the
# function, but rather just want to note that a function call was
# made.
#
# Formal signatures already have the call instruction mnemonic,
# which is more specific than just saying that a call was made.
if idaapi.is_call_insn(ea):
for cref in crefs:
func_name = ida_shims.get_name(cref)
if func_name:
functions.append(func_name)
fuzzy.append("funcref")
# If there are data references from the instruction, check to see
# if any of them are strings. These are looked up in the
# pre-generated strings dictionary.
#
# String values are easily identifiable, and are used as part of
# both the fuzzy and the formal signatures.
#
# It is more difficult to determine if non-string values are
# constants or not; for both fuzzy and formal signatures, just use
# "data" to indicate that some data was referenced.
elif drefs:
for dref in drefs:
if self.strings.has_key(dref):
formal.append(self.strings[dref].value)
fuzzy.append(self.strings[dref].value)
else:
formal.append("dataref")
fuzzy.append("dataref")
# If there are no data or code references from the instruction, use
# every operand as part of the formal signature.
#
# Fuzzy signatures are only concerned with interesting immediate
# values, that is, values that are greater than 65,535, are not
# memory addresses, and are not displayed as negative values.
elif not drefs and not crefs:
ops = ida_shims.get_operands(insn)
for n in range(0, len(ops)):
opnd_text = ida_shims.print_operand(ea, n)
formal.append(opnd_text)
if ops[n].type == idaapi.o_imm and \
not opnd_text.startswith('-'):
if ops[n].value >= 0xFFFF:
if ida_shims.get_full_flags(ops[n].value) == 0:
fuzzy.append(str(ops[n].value))
immediates.append(ops[n].value)
ea = ida_shims.next_head(ea)
return (self.sighash(''.join(formal)), self.sighash(''.join(fuzzy)),
immediates, functions)