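def get_bad_addresses(verbose=True):
    """Collect every unmapped target address referenced from IDA's database.

    Walks the database from idc.MinEA() with get_next_bad_addr(), using a
    pattern that matches lines carrying a raw literal target (DCD/DCQ data
    words and B/BL branches to a literal), and pulls every "0x" hex literal
    of at least eight digits out of each matching line's disassembly.

    Args:
        verbose: when true, progress is printed to the IDA output window.

    Returns:
        A list of ints (the parsed addresses) in database order.  Duplicates
        are not removed; callers dedupe and sort as needed.
    """
    # "(DC[DQ]| B.*) +0x" retrieves: DCD 0x..., DCQ 0x..., B 0x..., BL 0x...
    bad_line_pattern = "(DC[DQ]| B.*) +0x"
    # Hex digits only: the previous "0x\w{8,}" also swallowed letters g-z and
    # underscores, and int(literal, 16) then raised ValueError on the line.
    hex_literal = re.compile(r"0x[0-9A-Fa-f]{8,}")
    ret = []
    cur_ea = idc.MinEA()
    while True:
        if verbose:
            print "[+] getting more bad addresses 0x%08X" % (cur_ea)
        cur_ea = get_next_bad_addr(cur_ea, bad_line_pattern)
        if cur_ea == idc.BADADDR:
            break
        if verbose:
            print "[+] found bad address at 0x%08X" % (cur_ea)
        disasm = idc.GetDisasm(cur_ea)
        ret.extend(int(literal, 16) for literal in hex_literal.findall(disasm))
    if verbose:
        print "[+] found %d bad addresses" % len(ret)
    return ret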
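def reset():
    """Mark the first 0x1000 bytes at idc.MinEA() as unknown and zero them.

    Used as a scratch-area reset before code is written there (see tst()).
    """
    # Hoisted out of the loop: MinEA() is assumed stable across PatchByte()
    # calls, so one lookup replaces 0x1000 of them.
    base = idc.MinEA()
    idc.MakeUnknown(base, 0x1000, 0)
    for offset in range(0x1000):
        idc.PatchByte(base + offset, 0)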
def tst():
    """Reset the scratch area at idc.MinEA(), write s.get_code() there and
    define a function starting at that address."""
    reset()
    target = midap.here(idc.MinEA())
    target.write(s.get_code())
    idc.MakeFunction(idc.MinEA())
# tst()
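def reset():
    """Mark the first 0x1000 bytes at idc.MinEA() as unknown and zero them.

    Used as a scratch-area reset before code is written there (see tst()).
    """
    # Hoisted out of the loop: MinEA() is assumed stable across PatchByte()
    # calls, so one lookup replaces 0x1000 of them.
    base = idc.MinEA()
    idc.MakeUnknown(base, 0x1000, 0)
    for offset in range(0x1000):
        idc.PatchByte(base + offset, 0)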
def tst():
    """Reset the scratch area at idc.MinEA(), write s.get_code() there and
    define a function starting at that address."""
    reset()
    target = midap.here(idc.MinEA())
    target.write(s.get_code())
    idc.MakeFunction(idc.MinEA())
def renamed(self, *args):
    """IDP hook: forward a rename inside the program range over self.skel_conn.

    *args are the IDP_Hooks.renamed arguments (ea, new_name, is_local_name).
    Local names are only logged as unimplemented, names rejected by
    SkelUtils.name_blacklist() are skipped, anything else is pushed with
    self.skel_conn.push_name().  Always returns the base-class hook result.
    """
    g_logger.debug("[IDB Hook] Something is renamed")
    ea, new_name, is_local_name = args
    # NOTE(review): in the IDA API idc.MaxEA() is the end address (first byte
    # past the program), so "<=" also accepts that one address — confirm.
    if not (idc.MinEA() <= ea <= idc.MaxEA()):
        g_logger.warning("ea outside program...")
    elif is_local_name:
        g_logger.warning("Local names are unimplemented")
    elif not SkelUtils.name_blacklist(new_name):
        self.skel_conn.push_name(ea, new_name)
    return idaapi.IDP_Hooks.renamed(self, *args)
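def sample_source():
    """Build the function fingerprint of this (source) IDB into the global full_hash.

    Each function contributes "name:hash:hexaddr|" built from
    normalize_fname(), calc_hash() and shexst().  For up to 1000 functions
    the assignment line is printed so it can be pasted into the destination
    session; beyond that the user is told to exchange it through a file.
    """
    global full_hash
    full_hash = ""
    # Collect the pieces and join once instead of growing a string per function.
    parts = []
    for addr in idautils.Functions(idc.MinEA(), idc.MaxEA()):
        fname = idc.GetFunctionName(addr)
        parts.append(normalize_fname(fname) + ":" + calc_hash(addr) + ":" + shexst(addr) + "|")
    full_hash = "".join(parts)
    if len(parts) > 1000:
        print "Too many subs. Plz run:"
        print "SRC SAMPLE : open('lame_ipc.txt','wb').write(full_hash)"
        # The hint previously read ".read(full_hash)": read() takes no such
        # argument, so the pasted line would have failed in the destination.
        print "DST SAMPLE : src_data = open('lame_ipc.txt','rb').read()"
    else:
        print 'src_data = "' + full_hash + '"'
    return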
def sample_dest():
    """Rename functions in this (destination) IDB from the global src_data.

    src_data is the "name:hash:hexaddr|" string produced by sample_source().
    A hash that occurs more than once on either side is marked "baadf00d"
    and ignored; every remaining hash present on both sides gets the source
    name with a "SHARED_" prefix through idc.MakeNameEx(..., SN_NOWARN).
    """
    global src_data
    if src_data is None:
        print "run the src_data = ... first"
        return
    ambiguous = "baadf00d"  # sentinel for a hash that is not unique
    # hash -> normalized source name
    src_hashes = {}
    for record in src_data.split("|"):
        fields = record.split(":")
        if len(fields) < 2:
            continue
        name, digest = fields[0], fields[1]
        src_hashes[digest] = ambiguous if digest in src_hashes else name
    # hash -> function start address in this database
    dst_hashes = {}
    for addr in idautils.Functions(idc.MinEA(), idc.MaxEA()):
        idc.GetFunctionName(addr)  # result unused; call kept as in the original
        digest = calc_hash(addr)
        dst_hashes[digest] = ambiguous if digest in dst_hashes else addr
    renamed_count = 0
    for digest, addr in dst_hashes.items():
        if addr == ambiguous:
            continue
        src_name = src_hashes.get(digest)
        if src_name is None or src_name == ambiguous:
            continue
        idc.MakeNameEx(addr, "SHARED_" + src_name, SN_NOWARN)
        renamed_count += 1
    print "%d subs have been renamed" % (renamed_count)
    return
def main():
    """Entry point: resolve the addresses the IDB lacks against a dyld shared cache.

    Inside IDA (_IN_IDA) the cache path is asked for with an AskFile dialog
    and the addresses come from get_bad_addresses(); outside IDA the path is
    sys.argv[1] and the addresses are read from addrs.txt.  The helpers then
    (per their names) map the matching segments and exports into the IDB.

    Raises:
        RuntimeError: if no path was given or the file does not exist.
    """
    if _IN_IDA:
        # # get dyld_shared_cache path from IDA's openFile dialog
        print "[+] Please choose the original dyld_shared_cache_arm64"
        dsc_path = idc.AskFile(0, "*.*", "dyld shared cache file")
    else:
        dsc_path = sys.argv[1]
    if not dsc_path or not os.path.exists(dsc_path):
        raise RuntimeError("Couldn't find the dyld shared cache file..")
    print "[+] about to parse %s.." % (dsc_path)
    # NOTE(review): never closed here; presumably AddrFinder and map_segments
    # keep reading from it, so it has to stay open until they are done.
    dsc_file = open(dsc_path, "rb")
    adrfind = AddrFinder(dsc_file, cache_symbols=False)
    map_shared_bridges(dsc_file, adrfind)
    if _IN_IDA:
        addresses = sorted(set(get_bad_addresses()))
    else:
        # NOTE(review): eval() runs whatever addrs.txt contains.  If the file
        # is a plain list literal of ints, ast.literal_eval() parses it
        # without executing code — confirm the file format before switching.
        addresses = sorted(set(eval(open("addrs.txt", "rb").read())))
    segments, exports = get_segments_and_exports_for_addresses(addresses, adrfind)
    # segments = join_neighbors(segments, threshold=0x1000)
    if _IN_IDA:
        map_segments(segments, dsc_file)
        map_exports(exports)
        # Presumably re-analyses the whole database range once the new
        # segments and exports are in place.
        idaapi.analyze_area(idc.MinEA(), idc.MaxEA())