def get_ea_by_name(self, name): """ Get the address of a location by name. @name - Location name Returns the address of the named location, or idc.BADADDR on failure. """ # This allows support of the function offset style names (e.g., main+0C) ea = 0 if '+' in name: (func_name, offset) = name.split('+') base_ea = ida_shims.get_name_ea_simple(func_name) if base_ea != idc.BADADDR: try: ea = base_ea + int(offset, 16) except: ea = idc.BADADDR else: ea = ida_shims.get_name_ea_simple(name) if ea == idc.BADADDR: try: ea = int(name, 0) except: ea = idc.BADADDR return ea
def OnCommand(self, n, cmd): if cmd == self.show_all_toggle_cmd: if self.min_xrefs == self.MIN_XREFS: self.min_xrefs = 0 if self.min_xrefs != self.MIN_XREFS: self.min_xrefs = self.MIN_XREFS if self.must_have_loop == self.MUST_HAVE_LOOP: self.must_have_loop = False else: self.must_have_loop = self.MUST_HAVE_LOOP elif cmd == self.rename_cmd: response = ida_shims.ask_yn( 0, "Are you sure you want to rename all 'sub_XXXXXX' functions " "to 'leaf_XXXXXX'?") if response: for item in self.items: # Is this a leaf function? if item[-1] is True: current_name = item[0] if current_name.startswith('sub_'): new_name = current_name.replace('sub_', 'leaf_') ida_shims.set_name( ida_shims.get_name_ea_simple(current_name), new_name) self.populate_items() return 0
def _find_system_calls(self, start_ea, end_ea): system_calls = [] system_load = MIPSInstruction("la", "$t9", "system") stack_arg_zero = MIPSInstruction("addiu", "$a0", "$sp") for xref in idautils.XrefsTo(ida_shims.get_name_ea_simple('system')): ea = xref.frm mnem = ida_shims.print_insn_mnem(ea) if mnem and ea >= start_ea and \ ea <= end_ea and mnem[0] in ['j', 'b']: a0_ea = self._find_next_instruction_ea( ea+self.INSIZE, stack_arg_zero, ea+self.INSIZE) if a0_ea == idc.BADADDR: a0_ea = self._find_prev_instruction_ea( ea, stack_arg_zero, ea-(self.SEARCH_DEPTH*self.INSIZE)) if a0_ea != idc.BADADDR: control_ea = self._find_prev_instruction_ea( ea-self.INSIZE, system_load, ea-(self.SEARCH_DEPTH*self.INSIZE)) if control_ea != idc.BADADDR: system_calls.append( ROPGadget( self._get_instruction(control_ea), self._get_instruction(ea), self._get_instruction(a0_ea), description="System call", base=self.base)) ea += self.INSIZE else: break return system_calls
def apply(self, extsigs): count = 0 start = time.time() # This applies formal matches first, then fuzzy matches for (match, fuzzy) in self.match(extsigs): # Keeps track of all function names that we've identified candidate # functions for rename = {} for (curfunc, newfunc) in match.items(): if newfunc not in rename: rename[newfunc.name] = [] # Attempt to rename this function rename[newfunc.name].append(curfunc.ea) bm = {} duplicates = set() # Search for unique matching code blocks inside this function for nblock in newfunc.blocks: nblock = RizzoBlockDescriptor(nblock) for cblock in curfunc.blocks: cblock = RizzoBlockDescriptor(cblock) if cblock.match(nblock, fuzzy): if cblock in bm: del bm[cblock] duplicates.add(cblock) elif cblock not in duplicates: bm[cblock] = nblock # Rename known function calls from each unique code block for (cblock, nblock) in bm.items(): for n in range(0, len(cblock.functions)): ea = ida_shims.get_name_ea_simple(cblock.functions[n]) if ea != idc.BADADDR: if nblock.functions[n] in rename: rename[nblock.functions[n]].append(ea) else: rename[nblock.functions[n]] = [ea] # Rename the identified functions for (name, candidates) in rename.items(): if candidates: winner = \ collections.Counter(candidates).most_common(1)[0][0] count += self.rename(winner, name) end = time.time() print("Renamed %d functions in %.2f seconds." % (count, (end - start)))
def rename(self, ea, name): # Don't rely on the name in curfunc, it could have already been renamed curname = ida_shims.get_name(ea) # Don't rename if the name is a special identifier, or if the ea has # already been named if curname.startswith('sub_') and \ name.split('_')[0] not in \ ['sub', 'loc', 'unk', 'dword', 'word', 'byte']: # Don't rename if the name already exists in the IDB if ida_shims.get_name_ea_simple(name) == idc.BADADDR: if ida_shims.set_name(ea, name): ida_shims.set_func_flags( ea, (ida_shims.get_func_flags(ea) | idc.FUNC_LIB)) return 1 return 0
def __init__(self, ea): self.ea = ea self.dword = ida_shims.get_wide_dword(self.ea) self.type = None self.value = None string = ida_shims.get_strlit_contents(self.dword) name = ida_shims.get_func_name(self.dword) if ida_shims.get_name_ea_simple(name) != self.dword: name = '' if name: self.type = int self.value = name elif string: self.type = str self.value = string
def pointify(self): counter = 0 print("Renaming pointers...", end=' ') for (name_ea, name) in idautils.Names(): for xref in idautils.XrefsTo(name_ea): xref_name = ida_shims.get_name(xref.frm) if xref_name and xref_name.startswith("off_"): i = 0 new_name = name + "_ptr" while ida_shims.get_name_ea_simple( new_name) != idc.BADADDR: new_name = name + "_ptr%d" % i i += 1 if ida_shims.set_name(xref.frm, new_name): counter += 1 #else: # print "Failed to create name '%s'!" % new_name print("renamed %d pointers" % counter)
def _profile_function(self): current_ea = ida_shims.get_screen_ea() current_function = ida_shims.get_func_name(current_ea) current_function_ea = ida_shims.get_name_ea_simple(current_function) if current_function: self.function = current_function ea = ida_shims.get_func_attr(current_function_ea, idc.FUNCATTR_START) end_ea = ida_shims.get_func_attr(current_function_ea, idc.FUNCATTR_END) self.highlighted = ida_shims.get_highlighted_identifier() while ea < end_ea and ea != idc.BADADDR and self.highlighted: i = 0 match = False optype = self.READ insn = ida_shims.decode_insn(ea) mnem = ida_shims.print_insn_mnem(ea) if self.highlighted in mnem: match = True elif idaapi.is_call_insn(ea): for xref in idautils.XrefsFrom(ea): if xref.type != 21: name = ida_shims.get_name(xref.to) if name and self.highlighted in name: match = True break else: while True: opnd = ida_shims.print_operand(ea, i) if opnd: if self.highlighted in opnd: canon_feature = ida_shims.get_canon_feature(insn) match = True if canon_feature & self.OPND_WRITE_FLAGS[i]: optype = self.WRITE i += 1 else: break if not match: comment = idc.GetCommentEx(ea, 0) if comment and self.highlighted in comment: match = True else: comment = idc.GetCommentEx(ea, 1) if comment and self.highlighted in comment: match = True else: comment = None if match: if ea > current_ea: direction = self.DOWN elif ea < current_ea: direction = self.UP else: direction = self.THIS self.xrefs[ea] = { 'offset': ida_shims.get_func_off_str(ea), 'mnem': mnem, 'type': optype, 'direction': direction, 'text': idc.GetDisasm(ea), } ea = ida_shims.next_head(ea)
def OnSelectLine(self, n): ida_shims.jumpto(ida_shims.get_name_ea_simple(self.items[n][0]))