AngrIDA 1st draft

f.py

#!/usr/bin/env python2
import angr
from simuvex import SimIRSB
from IPython.frontend.terminal.embed import InteractiveShellEmbed
import sys 


class AngrIDA(object):
    def __init__(self, input_file=None):
        try:
            import idaapi
            from idc import Byte, SegEnd, GetInputFilePath, SetColor, CIC_ITEM
            from idc import GetMnem, MakeComm, GetOpnd
            from idautils import Segments, DecodeInstruction
            self.input_file_path = GetInputFilePath()
        except:
            self.input_file_path = input_file
        self.project = angr.Project(self.input_file_path,
                                    load_options={"auto_load_libs": True})

        entry_state = self.project.factory.entry_state()

        self.pg = self.project.factory.path_group()

        # https://reverseengineering.stackexchange.com/questions/12053/ida-generic-approach-to-determine-if-an-instruction-reads-from-or-writes-to-m
        while len(self.pg.active) > 0:
            self.pg.step()
            for path in self.pg.active:
                print(path.previous_run)
                if type(path.previous_run) is SimIRSB:
                    inst_addrs = [addr for addr in path.previous_run.imark_addrs()]
                    for addr in inst_addrs:
                        state = self.get_final_state_for_imark(path, addr)
                        mnem = GetMnem(addr)
                        print(mnem)
                        if mnem == 'call':
                            comment_string = ''
                            for i in xrange(5):
                                op = GetOpnd(addr, i)
                                print('\t{0}'.format(op))
                                if hasattr(state.regs, op):
                                    val = getattr(state.regs, op) 
                                    comment_string += '{0}: {1}\n'.format(op, val)
                            MakeComm(addr, comment_string)
                    ''' 
                        for op in GetOpnd(addr, 0):
                            print('{0}'.format(op))
                    for stmt in path.previous_run.statements:
                        print('\t{0}'.format(stmt))
                        print('\t{0}'.format(hex(stmt.imark.addr)))
                        print('\t\t{0}'.format(stmt.state.regs.rip))
                        print('\t\t{0}'.format(stmt.state.regs.rax))
                    '''

                    
    def get_final_state_for_imark(self, path, imark_addr):
        for stmt in path.previous_run.statements:
            if stmt.imark.addr == imark_addr:
                state = stmt.state

        return state

        ''' 
        for path in self.pg.deadended:
            for trace in path.history_iterator:
                print(trace)
                for stmt in trace.irsb:
                    print(dir(trace.irsb))
                    print('\t{0}'.format(stmt))
        '''
        '''jj^Lj

        cfg = self.project.analyses.CFGAccurate(context_sensitivity_level=2,
                                                keep_state=2)

        cdg = self.project.analyses.CDG(cfg)

        # ddg = p.analyses.DDG(cfg)

        # dfg = p.analyses.DFG()

        vfg = self.project.analyses.VFG(cfg=cfg)

        vsa = self.project.analyses.VSA_DDG(start_address=0x40056a, keep_data=True)

        # ddg.pp()

        # target_node = cfg.get_any_node(0x4005cd)
        cl = angr.analyses.code_location.CodeLocation(0x4005cd, -1)

        bs = self.project.analyses.BackwardSlice(cfg, cdg=cdg, ddg=vsa,
                                                 targets=[cl])

        annocfg = bs.annotated_cfg()

        print(annocfg.dbg_repr())

        color = 0xc0c020
        # for addr, stmnt in annocfg._run_statement_whitelist.items():
        #    SetColor(addr, CIC_ITEM, color)
        '''



if __name__ == '__main__':
    a = AngrIDA(sys.argv[1])
    InteractiveShellEmbed()()