def main():
ibt = IdaBackTracer()
for ibt.api in ibt.send_api:
adr = idc.LocByName(ibt.api)
if ibt.api in ibt.xrefs:
ibt.xrefs[ibt.api] = []
ibt.xrefs[ibt.api] = CodeRefsTo(adr, 1)
for ibt.api, ref in ibt.xrefs.iteritems():
for address in list(ref):
if ibt.api == "WSASendTo":
arg_adr = ibt.get_arg(address, 2)
print idc.GetDisasm(address)
print idc.GetDisasm(arg_adr)
print GetOpnd(arg_adr, 0)
# TODO: Add trace function for none reg arguments like push 0, push [eax], push [0x40000000]
if GetOpnd(arg_adr, 0) in ibt.registers:
ibt.trace_reg(arg_adr, GetOpnd(arg_adr, 0))
#print '%d st occurance of %s in %s : %s'%(count[ibt.api], ibt.api, hex(adr),idc.GetDisasm(adr))
#print 'send buffer is %d arg of %s : %s' % (2, format(buffer,'%x'), idc.GetDisasm(buffer))
#ibt.trace_reg(buffer,GetOpnd(buffer, 0))
python类LocByName()的实例源码
def getMajorDispatchTableAddress():
"""find quicktime major dispatch table"""
res = idc.LocByName('theQuickTimeDispatcher')
res = nextMnemonic(res, 'lea', idc.GetFunctionAttr(res, idc.FUNCATTR_END))
assert res != idc.BADADDR
return idc.GetOperandValue(res, 1)
def get_virtual_func_address(name, tinfo=None, offset=None):
"""
:param name: method name
:param tinfo: class tinfo
:param offset: virtual table offset
:return: address of the method
"""
address = idc.LocByName(name)
if address != idaapi.BADADDR:
return address
address = demangled_names.get(name, idaapi.BADADDR)
if address != idaapi.BADADDR:
return address + idaapi.get_imagebase()
if tinfo is None or offset is None:
return
offset *= 8
udt_member = idaapi.udt_member_t()
while tinfo.is_struct():
address = demangled_names.get(tinfo.dstr() + '::' + name, idaapi.BADADDR)
if address != idaapi.BADADDR:
return address + idaapi.get_imagebase()
udt_member.offset = offset
tinfo.find_udt_member(idaapi.STRMEM_OFFSET, udt_member)
tinfo = udt_member.type
offset = offset - udt_member.offset
def update(self, name, tinfo):
self.name = name
self.tinfo = tinfo
self.name_modified = False
self.tinfo_modified = False
self.base_address = idc.LocByName(self.name)
if self.base_address != idaapi.BADADDR:
self.base_address -= idaapi.get_imagebase()
def check_init(self, adr):
call_list, heap_flag = self.traverseCalls(adr)
if heap_flag:
return True
for funcName in call_list:
funcAddr = LocByName(funcName)
return self.check_init(funcAddr)
return False
def serialize(self):
s = str(self.target_field.text())
if self.radio_addr.isChecked():
try:
int(s, 16)
except ValueError:
print "Bad address given"
return None
elif self.radio_routine.isChecked():
addr = idc.LocByName(s)
if addr == idc.BADADDR:
print "Bad function name given"
return None
return specific_parameters_t()
def run(self):
# -- GUI stuff
self.result_widget.set_actions_visible_and_enabled(False)
self.set_progress_visible(True)
# -----------
# Refill the configuration file
if self.configuration.ksteps != 0 and self.config_widget.radio_path_routine.isChecked():
self.k = self.configuration.ksteps # Use the ksteps given if making the path on the whole routine
self.result_widget.webview.append("### Opaque predicates Detection ###\n")
self.configuration.analysis_name = "static opaque"
self.configuration.additional_parameters.typeid = self.configuration.additional_parameters.STANDARD
target_val = str(self.config_widget.target_field.text())
start_tps = time.time()
if self.config_widget.radio_addr.isChecked():
addr = utils.to_addr(target_val)
self.process_routine(idaapi.get_func(addr).startEA, pred_addr=addr)
elif self.config_widget.radio_routine.isChecked():
addr = idc.LocByName(target_val)
if addr == idc.BADADDR:
addr = utils.to_addr(target_val)
self.process_routine(addr)
elif self.config_widget.radio_program.isChecked():
self.process_program()
else:
pass
self.exec_time_total = time.time() - start_tps - self.exec_time_dep
self.analyse_finished = True
self.broker.terminate()
# -- GUI stuff
self.result_widget.set_actions_visible_and_enabled(True)
self.set_progress_visible(False)
# ------------
self.analysis_terminated()
def copy_function(addr):
func_addr = idc.LocByName(idaapi.get_func_name(addr))
if func_addr == idaapi.BADADDR:
idaapi.msg("0x%08X does not belong to a defined function\n" % addr)
return
callTypes = ["__cdecl", "__fastcall", "__stdcall", "__thiscall", "__usercall"]
funcDef = str(idaapi.decompile(func_addr)).split('\n', 1)[0]
hasCallType = any(call_type in funcDef for call_type in callTypes)
parenthesesStart = funcDef.find('(')
parenthesesEnd = funcDef.rfind(')')
funcNameStart = funcDef[0 : parenthesesStart].rfind(' ')
funcNameEnd = parenthesesStart
returnTypeStart = 0
returnTypeEnd = funcNameStart
callType = ""
if hasCallType:
callTypeStart = funcDef[0 : funcNameStart].rfind(' ')
callType = funcDef[callTypeStart + 1 : funcNameStart]
returnTypeEnd = callTypeStart
if callType == "__cdecl":
callType = ""
returnType = funcDef[returnTypeStart : returnTypeEnd]
funcName = funcDef[funcNameStart + 1 : parenthesesStart]
args = funcDef[parenthesesStart + 1 : parenthesesEnd]
finalString = "{0} ({1}* {2})({3}) = ({0}({1}*)({3}))({4});".format(
returnType, callType, funcName, args, "0x%08X" % func_addr
)
return finalString
def bulk_function():
functionPtrs = ""
for func_name in get_selected_funcs():
functionPtrDef = copy_function(idc.LocByName(func_name))
functionPtrs = functionPtrs + functionPtrDef + "\n"
copy_to_clip(functionPtrs)
idaapi.msg(functionPtrs)
def name_handlers(ea_from, ea_to):
global COUNT
addr = ea_from
print "from: 0x%08x to: 0x%08x" % (addr, ea_to)
while (addr < ea_to):
func_to_name_ea = idc.Dword(addr) & 0xFFFFFFFE
log_msg_ptr = idc.Dword(addr + 12)
log_msg = idc.GetString(log_msg_ptr)
#is that a function already?
#There were 0 cases of this for our case
if not idaapi.get_func(func_to_name_ea):
print "There is no function at 0x%08x!" % func_to_name_ea
idc.MakeFunction(func_to_name_ea)
if "sms_Decode" in idc.GetFunctionName(func_to_name_ea) or "mm_Decode" in idc.GetFunctionName(func_to_name_ea) or "cc_Decode" in idc.GetFunctionName(func_to_name_ea) or "gmm_Decode" in idc.GetFunctionName(func_to_name_ea):
print "Already named appropriately, don't overwrite"
else:
print "Naming %s based on %s as %s" % (idc.GetFunctionName(func_to_name_ea), log_msg, create_name(log_msg))
COUNT += 1
name = create_name(log_msg)
# TODO: enable below naming
ret = idc.LocByName(name)
count = 1
while (ret != 0xffffffff):
count += 1
ret = idc.LocByName(name + "__" + "%d" % count)
idc.MakeName(func_to_name_ea, name + ("__%d" % count)*(count > 1))
addr += 16
def apply_labels(fun_names):
new_sub = 0
new_som = 0
new_oth = 0
named_overwrittens = []
for f_ea, name in fun_names.iteritems():
name = re.sub('[^a-zA-Z0-9_]+', '', name)
curr_name = idaapi.get_func_name(f_ea)
if curr_name.startswith("sub_"):
new_sub += 1
elif "_something" in curr_name:
new_som += 1
else:
new_oth += 1
named_overwrittens.append(curr_name)
#so we don't overwrite these
continue
# stats counting aside, make sure we don't overwrite non-sub
# functions from e.g. our IDC assignments
if not curr_name.startswith("sub_") and not "_something" in curr_name:
continue
ret = idc.LocByName(name)
count = 1
while (ret != 0xffffffff):
count += 1
ret = idc.LocByName(name + "__" + "%d" % count)
idc.MakeName(f_ea, name + ("__%d" % count)*(count > 1))
def parse_mpu():
"""
NOTE: to find this symbol, run find_mcr.py and look for the MPU config instructions.
Backtrace that function to a wrapper; backtrace that one to the MPU initialization function,
which calls the wrapper in a loop using values from an array. That array is MPU_region_configs.
"""
mpu_struct_addr = idc.LocByName("MPU_region_configs")
if mpu_struct_addr == 0xFFFFFFFF:
print "NOTE: to find this symbol, run find_mcr.py and look for the MPU config instructions.\nBacktrace that function to a wrapper; backtrace that one to the MPU initialization function,\nwhich calls the wrapper in a loop using values from an array. That array is MPU_region_configs."
return
while(1):
r = Region(mpu_struct_addr)
if r.num == 0xFF:
print "Delimiter found!"
break
else:
r.pprint()
mpu_struct_addr += 40
new_region = Region()
new_region.set_DRNR(14)
new_region.set_DRBAR(0x404E6000) # mo_call_establishment_trace_setup_msg
new_region.set_size(0b01011) # 256*(2**4) aka 0x1000 aka 4096 bytes
new_region.set_en(1) # enabled
new_region.set_TEX_C_B(0b001,0,0) # non-cacheble
new_region.set_XN(0) # no XN bit
new_region.set_AP(0b011) # RW
new_region.set_S(1) # shareable
new_region.pprint()
