@daaximus
Created April 24, 2023 01:43
IDAPython script (IDA 7.7) to NOP out FLUSH_RSB sequences
import idaapi
import idc
import idautils
import ida_auto
import ida_bytes
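def is_call_instruction(ea):
    """Return True if the instruction at *ea* has the mnemonic ``call``.

    The mnemonic is read with ``idc.print_insn_mnem`` and compared exactly.
    The previous ``'call' in idc.generate_disasm_line(...)`` test matched
    the substring anywhere in the rendered line, so an operand or comment
    containing ``call`` (e.g. a symbol named ``callback``) counted as a
    call instruction and could cause the caller to patch the wrong bytes.

    Args:
        ea: Address of the instruction to test.

    Returns:
        True when the mnemonic is exactly ``call``; False for any other
        mnemonic or when IDA yields no mnemonic at *ea*.
    """
    return idc.print_insn_mnem(ea) == 'call'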
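def is_rsp_add_instruction(ea):
    """Return True if the instruction at *ea* is ``add rsp, 8``.

    The operands are decoded with the idc operand API instead of comparing
    the rendered disassembly text. The text form depends on IDA's output
    formatting (column padding between mnemonic and operands, trailing
    comments, the display radix of the immediate), which made the previous
    exact string comparison fragile.

    Args:
        ea: Address of the instruction to test.

    Returns:
        True only when the mnemonic is ``add``, the first operand is the
        register ``rsp`` and the second operand is the immediate 8.
    """
    if idc.print_insn_mnem(ea) != 'add':
        return False
    if idc.get_operand_type(ea, 0) != idc.o_reg or idc.print_operand(ea, 0) != 'rsp':
        return False
    return idc.get_operand_type(ea, 1) == idc.o_imm and idc.get_operand_value(ea, 1) == 8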
def is_flush_rsb_sequence(ea):
    """Return True if *ea* starts an ``add rsp, 8`` / ``call`` pair.

    This pair is the unit the script treats as one FLUSH_RSB step: the
    ``add rsp, 8`` at *ea* immediately followed (next head) by a ``call``.
    On a match both disassembly lines are printed before returning.

    Args:
        ea: Address of the candidate ``add rsp, 8`` instruction.

    Returns:
        True when the pair matches, otherwise False.
    """
    if not is_rsp_add_instruction(ea):
        return False
    following = idc.next_head(ea)
    if not is_call_instruction(following):
        return False
    for addr in (ea, following):
        print(idc.generate_disasm_line(addr, idc.GENDSM_FORCE_CODE))
    return True
def nop_instruction(ea):
    """Overwrite the single byte at *ea* with an x86 ``nop`` (0x90).

    The write goes through ``ida_bytes.patch_byte``, so it is recorded as a
    patch in the IDA database; the call's return value is not inspected.

    Args:
        ea: Address of the byte to overwrite.
    """
    nop_opcode = 0x90
    ida_bytes.patch_byte(ea, nop_opcode)
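def _nop_item(ea):
    """Replace every byte of the item (instruction) at *ea* with ``nop``.

    Single-byte NOPs keep the item's length unchanged, so the heads that
    follow it are not shifted.

    Args:
        ea: Head address of the item to overwrite.
    """
    for offset in range(idc.get_item_size(ea)):
        nop_instruction(ea + offset)


def find_and_nop_flush_rsb_sequences():
    """Walk every code head in the database and NOP out FLUSH_RSB pairs.

    For each code item that starts an ``add rsp, 8`` / ``call`` pair (see
    ``is_flush_rsb_sequence``) both instructions are overwritten with
    ``nop`` bytes and the address is printed. Only the IDA database is
    patched; the input file on disk is not modified by this function.

    The address of the ``call`` is resolved before any byte is patched, so
    the item boundary used for the second patch is the one IDA computed
    from the original bytes. The two identical patch loops of the previous
    version are folded into ``_nop_item``.

    Returns:
        The number of sequences patched. The previous version returned
        None; callers that ignore the result are unaffected.
    """
    patched = 0
    for ea in idautils.Heads():
        if not ida_bytes.is_code(ida_bytes.get_full_flags(ea)):
            continue
        if not is_flush_rsb_sequence(ea):
            continue
        print("Patching flush RSB sequence at address: 0x{:x}".format(ea))
        # The call that completes the pair is the next head after the add;
        # resolve it before patching so the lookup sees the original bytes.
        call_ea = idc.next_head(ea)
        _nop_item(ea)
        _nop_item(call_ea)
        patched += 1
    return patched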
def main():
    """Run the FLUSH_RSB patch pass, wait for auto-analysis, then report."""
    find_and_nop_flush_rsb_sequences()
    # Let IDA's auto-analysis digest the patched bytes before reporting.
    ida_auto.auto_wait()
    print("Patching complete.")
if __name__ == "__main__":
    # Entry point when run from IDA's script loader; importing the module
    # only defines the helpers and patches nothing.
    main()