# PopPySig
# Author: sub1to
from ida import *
import subprocess
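def copy2clip(txt):
    """Copy ``txt`` (stripped of surrounding whitespace) to the Windows clipboard.

    The text is handed to ``clip.exe`` over stdin instead of being spliced
    into a ``cmd.exe`` command line.  The previous form,
    ``echo|set /p="<txt>"|clip`` run with ``shell=True``, was string-built: a
    ``"``, ``&``, ``|`` or ``%`` inside ``txt`` would have broken the command
    or been interpreted by the shell.  The callers in this file only pass hex
    patterns and offsets, but the helper is public and should not depend on
    that.  No trailing newline is written, which is what the ``set /p`` idiom
    was used to achieve.

    Args:
        txt: Text to place on the clipboard (str, or bytes which are passed
            through unchanged).

    Returns:
        0 on success, the same value ``subprocess.check_call`` returned before.

    Raises:
        subprocess.CalledProcessError: if ``clip`` exits with a nonzero status.
        OSError: if ``clip`` cannot be started (non-Windows host, not on PATH).
    """
    data = txt.strip()
    if not isinstance(data, bytes):
        data = data.encode("utf-8")
    proc = subprocess.Popen(["clip"], stdin=subprocess.PIPE)
    # communicate() writes, closes stdin so clip sees EOF, and waits for exit.
    proc.communicate(data)
    if proc.returncode != 0:
        raise subprocess.CalledProcessError(proc.returncode, "clip")
    return proc.returncode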
def is_a_function(ea):
    """Return True if ``ea`` is the entry point of a named, non-stub function.

    Rejects addresses that are not code, carry no function name, are not the
    start address of the function that owns them, or whose name begins with
    ``nullsub`` (IDA's empty-function stubs) or ``NATIVE``.
    """
    if not idc.isCode(idc.GetFlags(ea)):
        return False
    func_name = idc.GetFunctionName(ea)
    if func_name == "":
        return False
    # Only the function's own start address counts, not an interior address.
    entry = idc.LocByName(func_name)
    if entry == BADADDR or entry != ea:
        return False
    # Prefix filters: auto-generated nullsub_* stubs and NATIVE*-named symbols.
    return not func_name.startswith(("nullsub", "NATIVE"))
def find_vtable_length(ea):
    """Count consecutive 8-byte slots at ``ea`` that carry the table's name or no name.

    Walks forward in 8-byte steps (a 64-bit pointer size is hard-coded) until a
    slot with a different, non-empty name is reached and returns the number of
    slots walked minus one.  Returns -1 when the first qword is zero.

    NOTE(review): the zero check reads the qword at the table start (``ea``)
    on every pass rather than the current slot, so it can only fire on the
    first iteration; if a null-terminator check was intended it would read
    ``ea + slot * 8`` -- confirm the intent before changing.
    """
    table_name = idc.GetTrueName(ea)
    slot = 0
    label = table_name  # slot 0 is the table itself, so its name matches
    while (label == table_name or label == "") and idc.Qword(ea) != 0:
        slot += 1
        label = idc.GetTrueName(ea + slot * 8)
    return slot - 1
def is_pattern_unique(pattern):
    """Classify how many times ``pattern`` occurs in the database.

    Searches from address 0 with a case-sensitive downward binary search.

    Returns:
        -1 if the pattern is not found at all, 0 if it occurs more than once,
        1 if exactly one occurrence exists.
    """
    flags = idc.SEARCH_DOWN | idc.SEARCH_CASE
    first_hit = idc.FindBinary(0, flags, pattern)
    if first_hit == BADADDR:
        return -1
    # A second hit anywhere after the first means the pattern is ambiguous.
    second_hit = idc.FindBinary(first_hit + 1, flags, pattern)
    return 0 if second_hit != BADADDR else 1
def add_bytes_to_sig(sig, ea, count):
    """Append ``count`` literal bytes read from ``ea`` to ``sig``.

    Each byte becomes a two-digit lowercase hex token followed by a space,
    the format IDA's binary search understands.  Returns the extended string.
    """
    literal = "".join("%02x " % idc.Byte(ea + delta) for delta in range(count))
    return sig + literal
def add_padding_to_sig(sig, count):
    """Append ``count`` wildcard tokens (``"? "``) to ``sig`` and return it.

    A wildcard matches any byte in IDA's binary search; a count of zero leaves
    ``sig`` unchanged.
    """
    return sig + "? " * count
def add_instruction_to_sig(sig, ea):
    """Append the instruction at ``ea`` to ``sig`` with its operand bytes wildcarded.

    The opcode bytes up to the first operand that starts at a nonzero byte
    offset (``offb``) are kept literally; everything from that offset to the
    end of the instruction is replaced with ``?`` so immediates, displacements
    and relative targets do not pin the signature to one build.  When no
    operand has a nonzero offset the whole instruction is taken literally.

    Returns:
        ``(sig, next_ea)`` where ``next_ea`` is the address just past the
        instruction.
    """
    operand_count = op_count(ea)
    insn_len = idaapi.get_item_end(ea) - ea
    next_ea = ea + insn_len
    idaapi.decode_insn(ea)
    literal_len = 0
    for idx in range(operand_count):
        operand = idaapi.cmd.Operands[idx]
        if operand.type == idaapi.o_void:
            continue
        literal_len = operand.offb
        if literal_len > 0:
            break
    if literal_len == 0:
        return add_bytes_to_sig(sig, ea, insn_len), next_ea
    sig = add_bytes_to_sig(sig, ea, literal_len)
    sig = add_padding_to_sig(sig, insn_len - literal_len)
    return sig, next_ea
def create_pattern(ea):
    """Build the shortest unique byte signature that starts at ``ea``.

    Instructions are appended one at a time via ``add_instruction_to_sig``
    until ``is_pattern_unique`` stops reporting 0 (more than one hit); a
    result of -1 (no hit at all) also ends the walk.  Trailing wildcards and
    spaces are dropped because they carry no information.

    NOTE(review): the walk has no upper bound -- if the bytes at ``ea`` are
    duplicated elsewhere for a long stretch it keeps reading forward past the
    end of the function.  Callers may want to cap the number of instructions.
    """
    sig, cursor = add_instruction_to_sig("", ea)
    while is_pattern_unique(sig) == 0:
        sig, cursor = add_instruction_to_sig(sig, cursor)
    return sig.rstrip(" ?")
def sig():
    """Interactive entry point: signature for the instruction under the cursor.

    Builds the pattern with ``create_pattern``, copies it to the clipboard and
    echoes ``<address>: <pattern>`` to the output window.  Prints an error and
    returns when the cursor is not on a valid address.
    """
    cursor = idc.ScreenEA()
    if cursor == BADADDR:
        print("Invalid cursor position")
        return
    pattern = create_pattern(cursor)
    copy2clip(pattern)
    print("%x: %s" % (cursor, pattern))
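def scan(pattern):
    """Print the first match of ``pattern`` as absolute address and image-relative offset.

    Args:
        pattern: IDA binary-search pattern (hex byte tokens with ``?``
            wildcards), e.g. the output of ``create_pattern``.

    Prints ``No match`` when the pattern does not occur.  Previously a miss
    was printed as a hit at ``BADADDR``, which made a failed scan look like a
    match at the top of the address space.
    """
    ea = idc.FindBinary(0, idc.SEARCH_DOWN | idc.SEARCH_CASE, pattern)
    if ea == BADADDR:
        print("No match")
        return
    print("Found match at %x +%x" % (ea, ea - idaapi.get_imagebase()))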
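def fullscan(pattern):
    """Print every match of ``pattern`` as absolute address and image-relative offset.

    Args:
        pattern: IDA binary-search pattern (hex byte tokens with ``?``
            wildcards), e.g. the output of ``create_pattern``.

    The first search starts at address 0, consistent with ``scan`` (the old
    loop began at 1 and could not report a hit at address 0).  Subsequent
    searches resume one byte after the previous hit, so overlapping matches
    are reported as well.  Prints ``No match`` when nothing is found.
    """
    flags = idc.SEARCH_DOWN | idc.SEARCH_CASE
    base = idaapi.get_imagebase()
    hits = 0
    ea = idc.FindBinary(0, flags, pattern)
    while ea != BADADDR:
        hits += 1
        print("Found match at %x +%x" % (ea, ea - base))
        ea = idc.FindBinary(ea + 1, flags, pattern)
    if hits == 0:
        print("No match")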
def offset(o=None):
    """Convert between the cursor address and an image-relative hex offset.

    With no argument: compute the offset of the cursor address from the image
    base, copy it to the clipboard and print ``<address>: +<offset>``.
    With ``o`` (a hex string, ``int(o, 16)``): print the absolute address
    ``imagebase + o`` and jump the view there.

    Raises:
        ValueError: if ``o`` is not a valid hexadecimal string.
    """
    if o is not None:
        target = idaapi.get_imagebase() + int(o, 16)
        print("%x" % target)
        idaapi.jumpto(target)
        return
    cursor = idc.ScreenEA()
    if cursor == BADADDR:
        print("Invalid cursor position")
        return
    rel = cursor - idaapi.get_imagebase()
    copy2clip("%x" % rel)
    print("%x: +%x" % (cursor, rel))