Spirotot/f.py

## f.py
#!/usr/bin/env python2
import angr
from simuvex import SimIRSB
from IPython.frontend.terminal.embed import InteractiveShellEmbed
import sys


class AngrIDA(object):
    def __init__(self, input_file=None):
        try:
            import idaapi
            from idc import Byte, SegEnd, GetInputFilePath, SetColor, CIC_ITEM
            from idc import GetMnem, MakeComm, GetOpnd
            from idautils import Segments, DecodeInstruction
            self.input_file_path = GetInputFilePath()
        except:
            self.input_file_path = input_file
        self.project = angr.Project(self.input_file_path,
                                    load_options={"auto_load_libs": True})

        entry_state = self.project.factory.entry_state()

        self.pg = self.project.factory.path_group()

        # https://reverseengineering.stackexchange.com/questions/12053/ida-generic-approach-to-determine-if-an-instruction-reads-from-or-writes-to-m
        while len(self.pg.active) > 0:
            self.pg.step()
            for path in self.pg.active:
                print(path.previous_run)
                if type(path.previous_run) is SimIRSB:
                    inst_addrs = [addr for addr in path.previous_run.imark_addrs()]
                    for addr in inst_addrs:
                        state = self.get_final_state_for_imark(path, addr)
                        mnem = GetMnem(addr)
                        print(mnem)
                        if mnem == 'call':
                            comment_string = ''
                            for i in xrange(5):
                                op = GetOpnd(addr, i)
                                print('\t{0}'.format(op))
                                if hasattr(state.regs, op):
                                    val = getattr(state.regs, op)
                                    comment_string += '{0}: {1}\n'.format(op, val)
                            MakeComm(addr, comment_string)
                    '''
                        for op in GetOpnd(addr, 0):
                            print('{0}'.format(op))
                    for stmt in path.previous_run.statements:
                        print('\t{0}'.format(stmt))
                        print('\t{0}'.format(hex(stmt.imark.addr)))
                        print('\t\t{0}'.format(stmt.state.regs.rip))
                        print('\t\t{0}'.format(stmt.state.regs.rax))
                    '''


    def get_final_state_for_imark(self, path, imark_addr):
        for stmt in path.previous_run.statements:
            if stmt.imark.addr == imark_addr:
                state = stmt.state

        return state

        '''
        for path in self.pg.deadended:
            for trace in path.history_iterator:
                print(trace)
                for stmt in trace.irsb:
                    print(dir(trace.irsb))
                    print('\t{0}'.format(stmt))
        '''
        '''jj^Lj

        cfg = self.project.analyses.CFGAccurate(context_sensitivity_level=2,
                                                keep_state=2)

        cdg = self.project.analyses.CDG(cfg)

        # ddg = p.analyses.DDG(cfg)

        # dfg = p.analyses.DFG()

        vfg = self.project.analyses.VFG(cfg=cfg)

        vsa = self.project.analyses.VSA_DDG(start_address=0x40056a, keep_data=True)

        # ddg.pp()

        # target_node = cfg.get_any_node(0x4005cd)
        cl = angr.analyses.code_location.CodeLocation(0x4005cd, -1)

        bs = self.project.analyses.BackwardSlice(cfg, cdg=cdg, ddg=vsa,
                                                 targets=[cl])

        annocfg = bs.annotated_cfg()

        print(annocfg.dbg_repr())

        color = 0xc0c020
        # for addr, stmnt in annocfg._run_statement_whitelist.items():
        #    SetColor(addr, CIC_ITEM, color)
        '''


if __name__ == '__main__':
    a = AngrIDA(sys.argv[1])
    InteractiveShellEmbed()()
	#!/usr/bin/env python2
	import angr
	from simuvex import SimIRSB
	from IPython.frontend.terminal.embed import InteractiveShellEmbed
	import sys


	class AngrIDA(object):
	def __init__(self, input_file=None):
	try:
	import idaapi
	from idc import Byte, SegEnd, GetInputFilePath, SetColor, CIC_ITEM
	from idc import GetMnem, MakeComm, GetOpnd
	from idautils import Segments, DecodeInstruction
	self.input_file_path = GetInputFilePath()
	except:
	self.input_file_path = input_file
	self.project = angr.Project(self.input_file_path,
	load_options={"auto_load_libs": True})

	entry_state = self.project.factory.entry_state()

	self.pg = self.project.factory.path_group()

	# https://reverseengineering.stackexchange.com/questions/12053/ida-generic-approach-to-determine-if-an-instruction-reads-from-or-writes-to-m
	while len(self.pg.active) > 0:
	self.pg.step()
	for path in self.pg.active:
	print(path.previous_run)
	if type(path.previous_run) is SimIRSB:
	inst_addrs = [addr for addr in path.previous_run.imark_addrs()]
	for addr in inst_addrs:
	state = self.get_final_state_for_imark(path, addr)
	mnem = GetMnem(addr)
	print(mnem)
	if mnem == 'call':
	comment_string = ''
	for i in xrange(5):
	op = GetOpnd(addr, i)
	print('\t{0}'.format(op))
	if hasattr(state.regs, op):
	val = getattr(state.regs, op)
	comment_string += '{0}: {1}\n'.format(op, val)
	MakeComm(addr, comment_string)
	'''
	for op in GetOpnd(addr, 0):
	print('{0}'.format(op))
	for stmt in path.previous_run.statements:
	print('\t{0}'.format(stmt))
	print('\t{0}'.format(hex(stmt.imark.addr)))
	print('\t\t{0}'.format(stmt.state.regs.rip))
	print('\t\t{0}'.format(stmt.state.regs.rax))
	'''


	def get_final_state_for_imark(self, path, imark_addr):
	for stmt in path.previous_run.statements:
	if stmt.imark.addr == imark_addr:
	state = stmt.state

	return state

	'''
	for path in self.pg.deadended:
	for trace in path.history_iterator:
	print(trace)
	for stmt in trace.irsb:
	print(dir(trace.irsb))
	print('\t{0}'.format(stmt))
	'''
	'''jj^Lj

	cfg = self.project.analyses.CFGAccurate(context_sensitivity_level=2,
	keep_state=2)

	cdg = self.project.analyses.CDG(cfg)

	# ddg = p.analyses.DDG(cfg)

	# dfg = p.analyses.DFG()

	vfg = self.project.analyses.VFG(cfg=cfg)

	vsa = self.project.analyses.VSA_DDG(start_address=0x40056a, keep_data=True)

	# ddg.pp()

	# target_node = cfg.get_any_node(0x4005cd)
	cl = angr.analyses.code_location.CodeLocation(0x4005cd, -1)

	bs = self.project.analyses.BackwardSlice(cfg, cdg=cdg, ddg=vsa,
	targets=[cl])

	annocfg = bs.annotated_cfg()

	print(annocfg.dbg_repr())

	color = 0xc0c020
	# for addr, stmnt in annocfg._run_statement_whitelist.items():
	# SetColor(addr, CIC_ITEM, color)
	'''



	if __name__ == '__main__':
	a = AngrIDA(sys.argv[1])
	InteractiveShellEmbed()()