def tst():
reset()
midap.here(idc.MinEA()).write(s.get_code())
idc.MakeFunction(idc.MinEA())
# tst()
python类MakeFunction()的实例源码
def tst():
reset()
midap.here(idc.MinEA()).write(s.get_code())
idc.MakeFunction(idc.MinEA())
def do_rename(l):
splitted = l.split()
straddr = splitted[0]
strname = splitted[1].replace("\r", "").replace("\n", "")
if straddr.find(":") != -1: #assuming form segment:offset
#removing segment, offset should be unique, if it isn't so, we should handle it differently
straddr = straddr.split(":")[1]
eaaddr = int(straddr, 16)
idc.MakeCode(eaaddr)
idc.MakeFunction(eaaddr)
idc.MakeNameEx(int(straddr, 16), strname, idc.SN_NOWARN)
def check_address(address):
# Checks if given address contains virtual table. Returns True if more than 2 function pointers found
# Also if table's addresses point to code in executable section, than tries to make functions at that addresses
functions_count = 0
while True:
func_address = idaapi.get_64bit(address) if Const.EA64 else idaapi.get_32bit(address)
# print "[INFO] Address 0x{0:08X}".format(func_address)
if Helper.is_code_ea(func_address) or Helper.is_imported_ea(func_address):
functions_count += 1
address += Const.EA_SIZE
else:
segment = idaapi.getseg(func_address)
if segment and segment.perm & idaapi.SEGPERM_EXEC:
idc.MakeUnknown(func_address, 1, idaapi.DOUNK_SIMPLE)
if idc.MakeFunction(func_address):
functions_count += 1
address += Const.EA_SIZE
continue
break
idaapi.autoWait()
return functions_count
def set_start_stop(self, ftype):
assert_ida_available()
import idc
import idaapi
import idautils
fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1)
for x in idautils.Functions()}
start = idc.BeginEA()
stop = 0
if ftype == PE:
start, stop = fun_mapping["start"]
else:
if not idc.isCode(idc.GetFlags(start)):
if idc.MakeCode(start) == 0:
print "Fail to decode instr !"
idaapi.autoWait()
if idc.GetFunctionName(start) == "":
if idc.MakeFunction(start) == 0:
print "Fail to create function !"
idaapi.autoWait()
fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1)
for x in idautils.Functions()}
if "main" in fun_mapping:
start, stop = fun_mapping["main"]
elif "start" in fun_mapping:
if "__libc_start_main" in fun_mapping:
instrs = list(idautils.FuncItems(fun_mapping["start"][0]))
instrs.reverse()
for inst in instrs:
arg1 = idc.GetOperandValue(inst, 0)
if idc.GetMnem(inst) == "push":
start, stop = arg1, fun_mapping["start"][1]
break
else:
start, stop = fun_mapping["start"]
self.config.start, self.config.stop = start, stop
def name_handlers(ea_from, ea_to):
global COUNT
addr = ea_from
print "from: 0x%08x to: 0x%08x" % (addr, ea_to)
while (addr < ea_to):
func_to_name_ea = idc.Dword(addr) & 0xFFFFFFFE
log_msg_ptr = idc.Dword(addr + 12)
log_msg = idc.GetString(log_msg_ptr)
#is that a function already?
#There were 0 cases of this for our case
if not idaapi.get_func(func_to_name_ea):
print "There is no function at 0x%08x!" % func_to_name_ea
idc.MakeFunction(func_to_name_ea)
if "sms_Decode" in idc.GetFunctionName(func_to_name_ea) or "mm_Decode" in idc.GetFunctionName(func_to_name_ea) or "cc_Decode" in idc.GetFunctionName(func_to_name_ea) or "gmm_Decode" in idc.GetFunctionName(func_to_name_ea):
print "Already named appropriately, don't overwrite"
else:
print "Naming %s based on %s as %s" % (idc.GetFunctionName(func_to_name_ea), log_msg, create_name(log_msg))
COUNT += 1
name = create_name(log_msg)
# TODO: enable below naming
ret = idc.LocByName(name)
count = 1
while (ret != 0xffffffff):
count += 1
ret = idc.LocByName(name + "__" + "%d" % count)
idc.MakeName(func_to_name_ea, name + ("__%d" % count)*(count > 1))
addr += 16
def main():
base_addr = 0
ea = 0
idc.MakeFunction(ea)
# heuristic
while(true):
mnemonic = idc.GetMnem(ea)
if "LDR" in mnemonic:
base_str = idc.GetOpnd(ea, 1)
base_addr = int(base_str.split("=")[1], 16)
break
ea += 4
print("[+] rebasing to address 0x%x" % (base_addr))
idc.rebase_program(base_addr, idc.MSF_FIXONCE)
idaapi.autoWait()
segment_start = base_addr
segment_end = idc.GetSegmentAttr(segment_start, idc.SEGATTR_END)
ea = segment_start
print("[+] searching and defining functions")
while ea != idc.BADADDR:
ea = idc.FindBinary(ea, idc.SEARCH_DOWN, "BF A9", 16)
if ea != idc.BADADDR:
ea = ea - 2
if (ea % 4) == 0 and idc.GetFlags(ea) < 0x200:
# print("[+] defining a function at 0x%x" % (ea))
idc.MakeFunction(ea)
ea = ea + 4
idc.AnalyzeArea(segment_start, segment_end)
idaapi.autoWait()
def def_functions(s_start):
num_added_functions = 0
s_addr = s_start
s_end = idc.GetSegmentAttr(s_start, SEGATTR_END) #idc.SegEnd(segm)
print "0x%08x 0x%08x" % (s_start, s_end)
while (s_addr < s_end):
print "Testing address 0x%08x" % s_addr
#optimization assumes that function chunks are consecutive (no "function-in-function" monkey business)
if (idaapi.get_func(s_addr)):
next_func = idc.NextFunction(s_addr)
ea = s_addr
for c in idautils.Chunks(s_addr):
#only use chunks in lookahead that do not jump over the next function and that are not smaller than where we are atm.
if (c[1] > ea) and (c[1] <= next_func):
ea = c[1]
if ea == s_addr:
s_addr += 2
else:
s_addr = ea
#s_addr += 4
continue
else:
#This is not a good optimization, there WILL be data refs to function start addresses sometimes.
'''
if sum(1 for _ in (CodeRefsTo(s_addr, 1))) != 0:
s_addr += 4
continue
'''
#also add STMFD
if ((idc.GetMnem(s_addr) == "STM") and ("SP!" in idc.GetOpnd(s_addr, 0)) and ("LR" in idc.GetOpnd(s_addr, 1))) or (((idc.GetMnem(s_addr) == "PUSH") or (idc.GetMnem(s_addr) == "PUSH.W") or (idc.GetMnem(s_addr) == "STR.W") ) and ("LR" in idc.GetOpnd(s_addr, 0))):
print "Found function at 0x%08x" % s_addr
idc.MakeFunction(s_addr)
f = idaapi.get_func(s_addr)
if (type(f) == type(None)):
print "Failed to create function! Undefined instructions?"
s_addr += 2
else:
num_added_functions += 1
ea = -1
for c in idautils.Chunks(s_addr):
if c[1] > ea:
ea = c[1]
if ea != -1:
s_addr = ea
#failed?
else:
s_addr += 2
else:
s_addr += 2
print "finished segment"
return num_added_functions
