"""
This simple script for IDA will look for function prolog sequence for x86 binaries
i.e. (in Intel syntax)
push ebp
mov ebp, esp
And will make IDA treat it as a procedure.
@_hugsy_
"""
import idc
import idaapi
import sys
import idautils
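hilight_color = 0x009900
# Byte pattern of the classic x86 prolog "push ebp; mov ebp, esp" (55 89 e5),
# written as space-separated hex for idc.FindBinary with radix 16.
prolog_sequence = "55 89 e5"
# Number of BYTES the pattern covers.  The search cursor must advance by this
# amount after a hit, not by len(prolog_sequence): that is 8 characters for a
# 3-byte pattern, so the original skipped 5 bytes after every match and could
# silently miss a prolog starting inside that gap (a missed function is a blind
# spot for the rest of the analysis).
prolog_length = len(prolog_sequence.split())

# Start from the beginning of the segment under the cursor.  The search is not
# bounded to that segment: FindBinary keeps going into later segments until it
# returns BADADDR.
# NOTE(review): these idc names (ScreenEA, SegStart, FindBinary, GetFuncOffset,
# AskYN, MakeFunction, ...) were renamed in the IDA 7.x API
# (get_screen_ea, get_segm_start, find_binary, ...) -- confirm against the
# target IDA version.
ea = idc.ScreenEA()
addr = idc.SegStart(ea)
print("[!] Analyzing from %#x" % addr)

while True:
    res = idc.FindBinary(addr, idaapi.BIN_SEARCH_FORWARD, prolog_sequence, 16)
    if res == idaapi.BADADDR:
        break

    # GetFuncOffset yields a "func+off" string when the address already lies
    # inside a defined function, None otherwise.
    func = idc.GetFuncOffset(res)
    if func is not None:
        print("[*] %#x already matching function %s" % (res, func))
    else:
        print("[+] Matching at %#x" % res)
        idc.Jump(res)
        # Temporarily highlight the two prolog instructions (push ebp at res,
        # mov ebp, esp at res + 1) so the analyst can eyeball the candidate
        # before confirming -- a 55 89 e5 byte run is not always a real prolog.
        col = idc.GetColor(res, idc.CIC_ITEM)
        idc.SetColor(res, idc.CIC_ITEM, hilight_color)
        idc.SetColor(res + 1, idc.CIC_ITEM, hilight_color)
        # AskYN: 1 = yes, 0 = no, -1 = cancel; only an explicit "yes" creates.
        ret = idc.AskYN(0, "Would you like to create a function at %#x ?" % res)
        if ret == 1:
            idc.MakeFunction(res)
            print("[+] Creating function at %#x" % res)
        # Always restore the original colour, whatever the answer was.
        idc.SetColor(res, idc.CIC_ITEM, col)
        idc.SetColor(res + 1, idc.CIC_ITEM, col)

    # Resume right after the bytes of this hit.
    addr = res + prolog_length

print("[!] EOT")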