| #include <idc.idc>
 | |
| 
 | |
| /* makesig.idc: IDA script to automatically create and wildcard a function signature.
 | |
|  * Copyright 2014, Asher Baker
 | |
|  * 
 | |
|  * This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
 | |
|  * 
 | |
|  * Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
 | |
|  * 
 | |
|  * 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
 | |
|  * 
 | |
|  * 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
 | |
|  * 
 | |
|  * 3. This notice may not be removed or altered from any source distribution.
 | |
|  */
 | |
| 
 | |
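/*
 * Entry point: build a byte signature for the function under the cursor.
 *
 * Walks the function one instruction at a time, appending each instruction's
 * bytes to an IDA search pattern ("55 8B EC ? ? ? ? ") and stopping as soon as
 * IsGoodSig() reports that the pattern matches exactly once in the database.
 * Branch displacements and 32-bit fixup targets are wildcarded rather than
 * emitted literally.
 *
 * Output (via Message): the function name, the IDA-style pattern, and an
 * escaped "\xNN" form in which every wildcard is written as \x2A.
 *
 * NOTE(review): in the escaped form a literal 0x2A byte and a wildcard look the
 * same, and uniqueness is only checked on the IDA-style pattern, in the
 * currently loaded database. Re-verify the signature against every build it is
 * meant to match before relying on it.
 */
static main()
{
	auto funcStart, funcEnd, cur, name, sig, found;
	auto pInfo, opLen, immLen, i, pLoc;
	auto len, smsig, c;

	Wait(); // We won't work until autoanalysis is complete

	SetStatus(IDA_STATUS_WORK);

	funcStart = GetFunctionAttr(ScreenEA(), FUNCATTR_START);
	if (funcStart == BADADDR) {
		Warning("Make sure you are in a function!");
		SetStatus(IDA_STATUS_READY);
		return;
	}

	name = Name(funcStart);
	funcEnd = GetFunctionAttr(funcStart, FUNCATTR_END);
	sig = "";
	found = 0;

	cur = funcStart;
	while (cur != BADADDR) {
		pInfo = DecodeInstruction(cur);
		if (!pInfo) {
			Warning("Something went terribly wrong D:");
			SetStatus(IDA_STATUS_READY);
			return;
		}

		if (pInfo.n == 1 && (pInfo.Op0.type == o_near || pInfo.Op0.type == o_far)) {
			// Single-operand branch/call: keep the opcode, wildcard the target.
			opLen = 1;
			if (Byte(cur) == 0x0F) { // Two-byte instruction
				opLen = 2;
			}

			// GetDTSize() returns -1 for operand types it does not know, and
			// PrintWildcards(-1) yields an empty string. That would drop the
			// operand bytes from the pattern and shift every later byte, so the
			// pattern could no longer match this function. Whenever the reported
			// size does not account for the rest of the instruction, wildcard
			// the remaining bytes so the pattern stays aligned.
			immLen = GetDTSize(pInfo.Op0.dtyp);
			if (immLen < 0 || opLen + immLen != pInfo.size) {
				immLen = pInfo.size - opLen;
			}

			if (opLen == 2) {
				sig = sig + sprintf("0F %02X ", Byte(cur + 1)) + PrintWildcards(immLen);
			} else {
				sig = sig + sprintf("%02X ", Byte(cur)) + PrintWildcards(immLen);
			}
		} else { // unknown, just wildcard addresses
			for (i = 0; i < pInfo.size; i++) {
				pLoc = cur + i;
				if (GetFixupTgtType(pLoc) == FIXUP_OFF32) {
					// A 32-bit fixup covers four bytes: wildcard all of them
					// and skip the three that follow this one.
					sig = sig + PrintWildcards(4);
					i = i + 3;
				} else {
					sig = sig + sprintf("%02X ", Byte(pLoc));
				}
			}
		}

		if (IsGoodSig(sig)) {
			found = 1;
			break;
		}

		cur = NextHead(cur, funcEnd);
	}

	if (found == 0) {
		Warning("Ran out of bytes to create unique signature.");
		SetStatus(IDA_STATUS_READY);
		return;
	}

	// Convert "AA BB ? " into "\xAA\xBB\x2A". The pattern always ends in a
	// space, which is left out so no dangling "\x" is produced.
	len = strlen(sig) - 1;
	smsig = "\\x";
	for (i = 0; i < len; i++) {
		c = substr(sig, i, i + 1);
		if (c == " ") {
			smsig = smsig + "\\x";
		} else if (c == "?") {
			smsig = smsig + "2A";
		} else {
			smsig = smsig + c;
		}
	}

	Message("Signature for %s:\n%s\n%s\n", name, sig, smsig);

	SetStatus(IDA_STATUS_READY);
	return;
}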
 | |
| 
 | |
/*
 * Map an operand data-type code (dt_*) to its size in bytes.
 *
 * Returns 1, 2, 4, 4 or 8 for dt_byte, dt_word, dt_dword, dt_float and
 * dt_double respectively. Any other code raises a Warning dialog and
 * returns -1, which callers must treat as "size unknown".
 */
static GetDTSize(dtyp)
{
	if (dtyp == dt_byte) {
		return 1;
	}
	if (dtyp == dt_word) {
		return 2;
	}
	if (dtyp == dt_dword || dtyp == dt_float) {
		return 4;
	}
	if (dtyp == dt_double) {
		return 8;
	}

	Warning("Unknown type size (%d)", dtyp);
	return -1;
}
 | |
| 
 | |
/*
 * Build a run of `count` wildcard tokens for an IDA search pattern.
 *
 * Each token is "? " (question mark plus trailing space). A count of zero
 * or less produces an empty string.
 */
static PrintWildcards(count)
{
	auto remaining, wildcards;

	wildcards = "";
	remaining = count;
	while (remaining > 0) {
		wildcards = wildcards + "? ";
		remaining = remaining - 1;
	}

	return wildcards;
}
 | |
| 
 | |
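/*
 * Report whether `sig` (an IDA search pattern) matches exactly once.
 *
 * Searches downward from address 0 with FindBinary() and counts hits.
 * Returns 1 when there is exactly one hit, 0 when there are none or more
 * than one.
 *
 * NOTE(review): only the number of hits is checked, not where the hit is,
 * and only the currently loaded database is searched. The caller is
 * responsible for passing a pattern that really was built from the target
 * function's bytes.
 */
static IsGoodSig(sig)
{
	auto count, addr;

	// The original passed `addr` to FindBinary() before assigning it; start
	// the search from an explicit address instead of relying on whatever an
	// unassigned variable holds.
	count = 0;
	addr = 0;

	addr = FindBinary(addr, SEARCH_DOWN|SEARCH_NEXT, sig);
	// A second hit already disqualifies the pattern, so stop counting there.
	while (count < 2 && addr != BADADDR) {
		count = count + 1;
		addr = FindBinary(addr, SEARCH_DOWN|SEARCH_NEXT, sig);
	}

	//Message("%s(%d)\n", sig, count);

	return (count == 1);
}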
 |