disass.py
#https://github.com/lifting-bits/mcsema/blob/940ccd5357c5a6758203b70e5332b69d662412ff/tools/mcsema_disass/ida7/get_cfg.py#L1507
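if __name__ == "__main__":
    # Entry point when run as an IDA batch script: parse the mcsema-disass
    # command line from idc.ARGV, load the OS/ABI definition files, wait for
    # IDA's own auto-analysis, then recover the CFG protobuf and write it to
    # --output. The process always leaves through idc.qexit().
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "--log_file",
        type=argparse.FileType('w'),
        default=sys.stderr,
        help="Log to a specific file. Default is stderr.")
    parser.add_argument(
        '--arch',
        help='Name of the architecture. Valid names are x86, amd64.',
        required=True)
    parser.add_argument(
        '--os',
        help='Name of the operating system. Valid names are linux, windows.',
        required=True)
    parser.add_argument(
        "--output",
        type=argparse.FileType('wb'),
        default=None,
        help="The output control flow graph recovered from this file",
        required=True)
    parser.add_argument(
        "--std-defs",
        action='append',
        type=str,
        default=[],
        help="std_defs file: definitions and calling conventions of imported functions and data")
    parser.add_argument(
        "--syms",
        type=argparse.FileType('r'),
        default=None,
        help="File containing <name> <address> pairs of symbols to pre-define.")
    parser.add_argument(
        "--pie-mode",
        action="store_true",
        default=False,
        help="Assume all immediate values are constants (useful for ELFs built with -fPIE")
    parser.add_argument(
        '--entrypoint',
        help="The entrypoint where disassembly should begin",
        required=True)
    parser.add_argument(
        '--recover-global-vars',
        type=argparse.FileType('r'),
        default=None,
        help="File containing the global variables to be lifted")
    parser.add_argument(
        '--recover-stack-vars',
        action="store_true",
        default=False,
        help="Flag to enable stack variable recovery")
    parser.add_argument(
        '--recover-exception',
        action="store_true",
        default=False,
        help="Flag to enable the exception handler recovery")

    # IDA hands the script its own arguments in idc.ARGV; ARGV[0] is the script.
    args = parser.parse_args(args=idc.ARGV[1:])

    # argparse.FileType yields an open file object, so the original
    # `args.log_file != os.devnull` compared a file to a string and was always
    # true. Compare the path the file was opened from instead, so that
    # `--log_file /dev/null` really disables debug logging.
    if getattr(args.log_file, "name", None) != os.devnull:
        INIT_DEBUG_FILE(args.log_file)
        DEBUG("Debugging is enabled.")

    # Bitness implied by --arch; an unknown name maps to 0 and fails the check
    # below. (aarch64 is accepted here although --arch's help text only lists
    # x86 and amd64.)
    addr_size = {"x86": 32, "amd64": 64, "aarch64": 64}.get(args.arch, 0)
    if addr_size != get_address_size_in_bits():
        DEBUG("Arch {} address size does not match IDA's available bitness {}! Did you mean to use idal64?".format(
            args.arch, get_address_size_in_bits()))
        idc.process_config_line("ABANDON_DATABASE=YES")
        idc.qexit(-1)

    if args.pie_mode:
        DEBUG("Using PIE mode.")
        PIE_MODE = True

    if args.recover_stack_vars:
        TO_RECOVER["stack_var"] = True

    if args.recover_exception:
        RECOVER_EHTABLE = True

    EMAP = {}
    EMAP_DATA = {}

    # The bundled defs file for this OS (defs/<os>.txt) is loaded first so that
    # user-supplied --std-defs files are parsed after it. args.os is used
    # verbatim as a path component; only the names listed in --help are
    # expected here.
    OS_NAME = args.os
    os_defs_file = os.path.join(tools_disass_dir, "defs", "{}.txt".format(args.os))
    if os.path.isfile(os_defs_file):
        args.std_defs.insert(0, os_defs_file)

    # Load in all defs files, including custom ones.
    for defsfile in args.std_defs:
        with open(defsfile, "r") as df:
            DEBUG("Loading Standard Definitions file: {0}".format(defsfile))
            parse_os_defs_file(df)

    # Turn off the "automatically make offset" heuristic, and set some
    # other sane defaults.
    idc.set_inf_attr(idc.INF_AF, 0xdfff)
    idc.set_inf_attr(idc.INF_AF2, 0xfffd)

    # Ensure that IDA is done with its own auto-analysis before we start.
    DEBUG("Using Batch mode.")
    idaapi.auto_wait()

    DEBUG("Starting analysis")
    exit_code = 0
    try:
        # Pre-define a bunch of symbol names and their addresses. Useful when
        # reading a core dump. One `<name> <hex address>` pair per line; blank
        # lines are ignored, anything else is a hard error so that a malformed
        # symbols file cannot quietly produce an incomplete CFG.
        if args.syms:
            for line_no, line in enumerate(args.syms, 1):
                fields = line.split()
                if not fields:
                    continue
                if len(fields) != 2:
                    raise ValueError("{}:{}: expected '<name> <address>', got {!r}".format(
                        getattr(args.syms, "name", "--syms"), line_no, line.rstrip("\n")))
                name, ea_str = fields
                ea = int(ea_str, base=16)
                if not is_internal_code(ea):
                    try_mark_as_code(ea)
                if is_code(ea):
                    try_mark_as_function(ea)
                set_symbol_name(ea, name)
            idaapi.auto_wait()

        M = recover_module(args.entrypoint, args.recover_global_vars)
        # recover_module() returns None when no function at all was recovered.
        # The original then died on M.SerializeToString() inside a bare except
        # and still exited 0, leaving an empty --output for the lifter to consume.
        if M is None:
            raise RuntimeError("no functions recovered for entrypoint {!r}".format(args.entrypoint))

        DEBUG("Saving to: {0}".format(args.output.name))
        args.output.write(M.SerializeToString())
        args.output.close()
    except Exception:
        # Log the full traceback and surface the failure through the exit
        # status. --output was already truncated by argparse when it was
        # opened, so on failure it is empty or partial: the driver must check
        # the exit code rather than trust the file.
        DEBUG(traceback.format_exc())
        DEBUG("ERROR: analysis failed; output CFG was not written")
        exit_code = 1

    DEBUG("Done analysis!")
    idc.process_config_line("ABANDON_DATABASE=YES")
    idc.qexit(exit_code)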
Debugging is enabled.
Loading Standard Definitions file: /usr/local/lib/python2.7/dist-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt
Using Batch mode.
Starting analysis
Recovering module main.out
Looking for instructions in segment .init
Default block heads for function 400440 with loose bounds [400440, 400457)
block [400440, 400450)
block [400450, 400452)
block [400452, 400457)
chunk [400440, 400457)
Looking for instructions in segment .plt
Default block heads for function 400460 with loose bounds [400460, 40046c)
block [400460, 40046c)
chunk [400460, 40046c)
Default block heads for function 400470 with loose bounds [400470, 400476)
block [400470, 400476)
chunk [400470, 400476)
Default block heads for function 400480 with loose bounds [400480, 400486)
block [400480, 400486)
chunk [400480, 400486)
Default block heads for function 400490 with loose bounds [400490, 400496)
block [400490, 400496)
chunk [400490, 400496)
Looking for instructions in segment .text
Default block heads for function 4004a0 with loose bounds [4004a0, 4004cb)
block [4004a0, 4004cb)
chunk [4004a0, 4004cb)
Default block heads for function 4004d0 with loose bounds [4004d0, 4004d2)
block [4004d0, 4004d2)
chunk [4004d0, 4004d2)
Default block heads for function 4004e0 with loose bounds [4004e0, 40050a)
block [4004e0, 4004f1)
block [4004f1, 4004fb)
block [4004fb, 400503)
block [400508, 40050a)
chunk [4004e0, 40050a)
Default block heads for function 400510 with loose bounds [400510, 40054a)
block [400510, 400533)
block [400533, 40053d)
block [40053d, 400545)
block [400548, 40054a)
chunk [400510, 40054a)
Default block heads for function 400550 with loose bounds [400550, 400572)
block [400550, 400559)
block [400559, 40056b)
block [400570, 400572)
chunk [400550, 400572)
Default block heads for function 400580 with loose bounds [400580, 400587)
block [400580, 400587)
chunk [400580, 400587)
Default block heads for function 400650 with loose bounds [400650, 400685)
block [400650, 40066e)
block [40066e, 40067f)
block [40067f, 400685)
chunk [400650, 400685)
Default block heads for function 400690 with loose bounds [400690, 400704)
block [400690, 4006e8)
block [4006e8, 4006f4)
block [4006f4, 4006fb)
block [4006fb, 400704)
chunk [400690, 400704)
Default block heads for function 400710 with loose bounds [400710, 400775)
block [400710, 400746)
block [400746, 400750)
block [400750, 400766)
block [400766, 400775)
chunk [400710, 400775)
Default block heads for function 400780 with loose bounds [400780, 400782)
block [400780, 400782)
chunk [400780, 400782)
Looking for instructions in segment .fini
Default block heads for function 400784 with loose bounds [400784, 40078d)
block [400784, 40078d)
chunk [400784, 40078d)
Looking for strings in segment .rodata [400790, 40080b)
Found string 'Here is Dead Block.\n' of length 21 at 40079e, jumping to 4007b3
Found string "'jmp end' is relative 5bytes jmp instruction.\n" of length 47 at 4007b3, jumping to 4007e2
Found string 'code is modifed.\n' of length 18 at 4007e2, jumping to 4007f4
Found string 'Not Modifed.\n' of length 14 at 4007f4, jumping to 400802
Found string 'Faield!\n' of length 9 at 400802, jumping to 40080b
Looking for strings in segment .eh_frame_hdr [40080c, 400858)
Looking for strings in segment .eh_frame [400858, 400998)
Looking for strings in segment .init_array [600e10, 600e18)
Looking for strings in segment .fini_array [600e18, 600e20)
Looking for strings in segment .got [600ff0, 601000)
Looking for strings in segment .got.plt [601000, 601030)
Looking for strings in segment .data [601030, 601040)
Looking for strings in segment .bss [601040, 601048)
Looking for strings in segment .prgend [601048, 601049)
Looking for strings in segment extern [601050, 601078)
Looking for cross-references in segment .init [400440, 400457)
Looking for cross-references in segment .plt [400460, 4004a0)
Stopping scan at 40046c
Looking for cross-references in segment .text [4004a0, 400782)
Stopping scan at 4004cc
Stopping scan at 4004dc
Stopping scan at 400504
Stopping scan at 40050c
Stopping scan at ffffffffffffffff
Stopping scan at 40054c
Stopping scan at 40056c
Stopping scan at 40057c
Stopping scan at 40058c
Stopping scan at 400634
Stopping scan at ffffffffffffffff
Stopping scan at 40068c
Stopping scan at 40070c
Stopping scan at 40077c
Looking for cross-references in segment .fini [400784, 40078d)
Looking for cross-references in segment .rodata [400790, 40080b)
Found string at 4007f4, jumping to 400802
Found string at 400802, jumping to 40080b
Stopping scan at 400802
Looking for cross-references in segment .eh_frame_hdr [40080c, 400858)
Stopping scan at 400854
Looking for cross-references in segment .eh_frame [400858, 400998)
Stopping scan at 400994
Looking for cross-references in segment .init_array [600e10, 600e18)
Adding qword reference from 600e10 to 400580
Stopping scan at 600e10
Looking for cross-references in segment .fini_array [600e18, 600e20)
Adding qword reference from 600e18 to 400550
Stopping scan at 600e18
Looking for cross-references in segment .got [600ff0, 601000)
Adding qword reference from 600ff0 to 601058
Adding qword reference from 600ff8 to 601070
Stopping scan at 600ff8
Looking for cross-references in segment .got.plt [601000, 601030)
Adding qword reference from 601018 to 601050
Adding qword reference from 601020 to 601060
Adding qword reference from 601028 to 601068
Stopping scan at 601028
Looking for cross-references in segment .data [601030, 601040)
Stopping scan at 60103c
Looking for cross-references in segment .bss [601040, 601048)
Stopping scan at 601044
Looking for cross-references in segment .prgend [601048, 601049)
Stopping scan at 601048
Looking for cross-references in segment extern [601050, 601078)
Stopping scan at 601074
Looking for thunks
Found thunk for printf targeting 601050 at 400470
Found thunk for mprotect targeting 601060 at 400480
Found thunk for getpagesize targeting 601068 at 400490
Looking for external symbols
Function at 400470 is the external function printf
Function at 400480 is the external function mprotect
Function at 400490 is the external function getpagesize
Function at 601050 is the external function printf
Function at 601058 is the external function __libc_start_main
Function at 601060 is the external function mprotect
Function at 601068 is the external function getpagesize
Looking for entrypoints
Recovering .init_proc at 400440
Analysing subroutine .init_proc at 400440
Block head at 00400457 is not code.
Subroutine .init_proc at 400440 has 3 blocks
BB: 400440 in func 400440 with 4 insts
I: 400440
I: 400444 (data mem internal 600ff8 )
I: 40044b
I: 40044e (code flow internal 400452 )
Successors: 400450, 400452
BB: 400450 in func 400440 with 1 insts
I: 400450
Successors: 400452
BB: 400452 in func 400440 with 2 insts
I: 400452
I: 400456
No successors
Recovering 400460
Analysing subroutine sub_400460 at 400460
Subroutine sub_400460 at 400460 has 2 blocks
BB: 400460 in func 400460 with 2 insts
I: 400460 (data mem internal 601008 )
I: 400466 (data mem internal 601010 )
No successors
BB: 40046c in func 400460 with 1 insts
I: 40046c
Successors: 400470
Recovering __libc_csu_fini at 400780
Analysing subroutine __libc_csu_fini at 400780
Block head at 00400782 is not code.
Subroutine __libc_csu_fini at 400780 has 1 blocks
BB: 400780 in func 400780 with 1 insts
I: 400780
No successors
Recovering .term_proc at 400784
Analysing subroutine .term_proc at 400784
Block head at 0040078d is not code.
Subroutine .term_proc at 400784 has 1 blocks
BB: 400784 in func 400784 with 3 insts
I: 400784
I: 400788
I: 40078c
No successors
400590 is not a function! Not recovering.
Recovering _start at 4004a0
Analysing subroutine _start at 4004a0
Subroutine _start at 4004a0 has 2 blocks
BB: 4004a0 in func 4004a0 with 12 insts
I: 4004a0
I: 4004a2
I: 4004a5
I: 4004a6
I: 4004a9
I: 4004ad
I: 4004ae
I: 4004af (code imm internal 400780 __libc_csu_fini)
I: 4004b6 (code imm internal 400710 __libc_csu_init)
I: 4004bd (code imm internal 400590 main)
I: 4004c4 (data mem internal 600ff0 )
I: 4004ca
Does not return
BB: 4004cb in func 4004a0 with 1 insts
I: 4004cb
Successors: 4004d0
Recovering _dl_relocate_static_pie at 4004d0
Analysing subroutine _dl_relocate_static_pie at 4004d0
Subroutine _dl_relocate_static_pie at 4004d0 has 2 blocks
BB: 4004d0 in func 4004d0 with 1 insts
I: 4004d0
No successors
BB: 4004d2 in func 4004d0 with 2 insts
I: 4004d2
I: 4004dc
Successors: 4004e0
Recovering deregister_tm_clones at 4004e0
Analysing subroutine deregister_tm_clones at 4004e0
Subroutine deregister_tm_clones at 4004e0 has 6 blocks
BB: 4004e0 in func 4004e0 with 5 insts
I: 4004e0
I: 4004e1 (data imm internal 601040 __bss_start)
I: 4004e6 (data imm internal 601040 __bss_start)
I: 4004ec
I: 4004ef (code flow internal 400508 )
Successors: 400508, 4004f1
BB: 400503 in func 4004e0 with 1 insts
I: 400503
Successors: 400508
BB: 400508 in func 4004e0 with 2 insts
I: 400508
I: 400509
No successors
BB: 40050a in func 4004e0 with 1 insts
I: 40050a
Successors: 400510
BB: 4004f1 in func 4004e0 with 3 insts
I: 4004f1
I: 4004f6
I: 4004f9 (code flow internal 400508 )
Successors: 400508, 4004fb
BB: 4004fb in func 4004e0 with 3 insts
I: 4004fb
I: 4004fc (data imm internal 601040 __bss_start)
I: 400501
No successors
Recovering register_tm_clones at 400510
Analysing subroutine register_tm_clones at 400510
Subroutine register_tm_clones at 400510 has 6 blocks
BB: 400545 in func 400510 with 1 insts
I: 400545
Successors: 400548
BB: 400548 in func 400510 with 2 insts
I: 400548
I: 400549
No successors
BB: 40054a in func 400510 with 1 insts
I: 40054a
Successors: 400550
BB: 400510 in func 400510 with 10 insts
I: 400510 (data imm internal 601040 __bss_start)
I: 400515
I: 400516 (data imm internal 601040 __bss_start)
I: 40051d
I: 400520
I: 400524
I: 400527
I: 40052b
I: 40052e
I: 400531 (code flow internal 400548 )
Successors: 400548, 400533
BB: 400533 in func 400510 with 3 insts
I: 400533
I: 400538
I: 40053b (code flow internal 400548 )
Successors: 400548, 40053d
BB: 40053d in func 400510 with 3 insts
I: 40053d
I: 40053e (data imm internal 601040 __bss_start)
I: 400543
No successors
Recovering __do_global_dtors_aux at 400550
Analysing subroutine __do_global_dtors_aux at 400550
Subroutine __do_global_dtors_aux at 400550 has 5 blocks
BB: 400550 in func 400550 with 2 insts
I: 400550 (data mem internal 601040 __bss_start)
I: 400557 (code flow internal 400570 )
Successors: 400570, 400559
BB: 400559 in func 400550 with 6 insts
I: 400559
I: 40055a
I: 40055d (code flow internal 4004e0 deregister_tm_clones)
I: 400562 (data mem internal 601040 __bss_start)
I: 400569
I: 40056a
No successors
BB: 400572 in func 400550 with 2 insts
I: 400572
I: 400576
Successors: 400580
BB: 40056b in func 400550 with 1 insts
I: 40056b
Successors: 400570
BB: 400570 in func 400550 with 1 insts
I: 400570
No successors
Recovering smcInit at 400650
Analysing subroutine smcInit at 400650
Subroutine smcInit at 400650 has 4 blocks
BB: 400650 in func 400650 with 8 insts
I: 400650
I: 400651
I: 400654
I: 400658
I: 40065c
I: 400660 (code flow internal 400690 getMemoryPermission)
I: 400665
I: 400668 (code flow internal 40067f )
Successors: 40066e, 40067f
BB: 400685 in func 400650 with 2 insts
I: 400685
I: 40068f
Successors: 400690
BB: 40066e in func 400650 with 3 insts
I: 40066e (data imm internal 400802 format)
I: 400678
I: 40067a (data flow external 601050 printf)
Successors: 40067f
BB: 40067f in func 400650 with 3 insts
I: 40067f
I: 400683
I: 400684
No successors
Recovering getMemoryPermission at 400690
Analysing subroutine getMemoryPermission at 400690
Subroutine getMemoryPermission at 400690 has 5 blocks
BB: 400690 in func 400690 with 25 insts
I: 400690
I: 400691
I: 400694
I: 400698
I: 40069c (data flow external 601068 getpagesize)
I: 4006a1
I: 4006a3
I: 4006a5
I: 4006a8
I: 4006ac
I: 4006b0
I: 4006b2
I: 4006b6
I: 4006b8
I: 4006bb
I: 4006bf
I: 4006c3
I: 4006c6
I: 4006c9
I: 4006cd
I: 4006d1
I: 4006d5
I: 4006da (data flow external 601060 mprotect)
I: 4006df
I: 4006e2 (code flow internal 4006f4 )
Successors: 4006e8, 4006f4
BB: 4006e8 in func 400690 with 2 insts
I: 4006e8
I: 4006ef (code flow internal 4006fb )
Successors: 4006fb
BB: 4006fb in func 400690 with 4 insts
I: 4006fb
I: 4006fe
I: 400702
I: 400703
No successors
BB: 4006f4 in func 400690 with 1 insts
I: 4006f4
Successors: 4006fb
BB: 400704 in func 400690 with 2 insts
I: 400704
I: 40070e
Successors: 400710
Recovering frame_dummy at 400580
Analysing subroutine frame_dummy at 400580
Subroutine frame_dummy at 400580 has 6 blocks
BB: 400580 in func 400580 with 4 insts
I: 400580
I: 400581
I: 400584
I: 400585 (code flow internal 400510 register_tm_clones)
Successors: 400510
BB: 400647 in func 400580 with 4 insts
I: 400647
I: 400649
I: 40064d
I: 40064e
No successors
BB: 400587 in func 400580 with 22 insts
I: 400587
I: 400590
I: 400591
I: 400594
I: 400598 (code imm internal 400590 main)
I: 4005a2
I: 4005a9
I: 4005ac (code flow internal 400650 smcInit)
I: 4005b1
I: 4005b5 (data mem internal 400794 )
I: 4005bc
I: 4005bf (data mem internal 400798 )
I: 4005c6
I: 4005c9 (data mem internal 400799 )
I: 4005d0
I: 4005d3 (data mem internal 40079d )
I: 4005da
I: 4005dd
I: 4005e0 (code mem internal 4005f2 )
I: 4005e6
I: 4005e8 (code mem internal 4005ee _branch)
I: 4005ee (code flow internal 400636 _end_0)
Does not return
BB: 40064f in func 400580 with 1 insts
I: 40064f
Successors: 400650
BB: 4005f3 in func 400580 with 17 insts
I: 4005f3
I: 4005f4
I: 4005f5
I: 4005f6
I: 4005f7
I: 4005f8 (data imm internal 40079e aHereIsDeadBloc)
I: 400602
I: 400604 (data flow external 601050 printf)
I: 400609 (data imm internal 4007b3 aJmpEndIsRelati)
I: 400613
I: 400616
I: 400618 (data flow external 601050 printf)
I: 40061d (data imm internal 4007e2 aCodeIsModifed)
I: 400627
I: 40062a
I: 40062c (data flow external 601050 printf)
I: 400631 (code flow internal 400647 _return)
Does not return
BB: 400636 in func 400580 with 3 insts
I: 400636 (data imm internal 4007f4 aNotModifed)
I: 400640
I: 400642 (data flow external 601050 printf)
Successors: 400647
Recovering __libc_csu_init at 400710
Analysing subroutine __libc_csu_init at 400710
Subroutine __libc_csu_init at 400710 has 5 blocks
BB: 400710 in func 400710 with 17 insts
I: 400710
I: 400712
I: 400714
I: 400717
I: 400719
I: 40071b (data mem internal 600e10 __frame_dummy_init_array_entry)
I: 400722
I: 400723 (data mem internal 600e18 __do_global_dtors_aux_fini_array_entry)
I: 40072a
I: 40072b
I: 40072e
I: 400731
I: 400734
I: 400738
I: 40073c (code flow internal 400440 .init_proc)
I: 400741
I: 400744 (code flow internal 400766 )
Successors: 400766, 400746
BB: 400750 in func 400710 with 7 insts
I: 400750
I: 400753
I: 400756
I: 400759
I: 40075d
I: 400761
I: 400764 (code flow internal 400750 )
Successors: 400750, 400766
BB: 400746 in func 400710 with 2 insts
I: 400746
I: 400748
Successors: 400750
BB: 400766 in func 400710 with 8 insts
I: 400766
I: 40076a
I: 40076b
I: 40076c
I: 40076e
I: 400770
I: 400772
I: 400774
No successors
BB: 400775 in func 400710 with 2 insts
I: 400775
I: 400776
Successors: 400780
Global Variable None
WARNING: Global constructor and destructor sections are adjacent!
Splitting segment .bss at 601040 for exported variable __bss_start
Recovering region LOAD [400000, 400440) in segment LOAD
8-byte reference at 400018 to 4004a0 (_start)
8-byte reference at 4000f8 to 600e10 (__frame_dummy_init_array_entry)
8-byte reference at 4001a0 to 40080c (__GNU_EH_FRAME_HDR)
8-byte reference at 400210 to 600e10 (__frame_dummy_init_array_entry)
Recovering region .init [400440, 400457) in segment .init
Recovering region LOAD [400782, 400784) in segment LOAD
Recovering region LOAD [40080b, 40080c) in segment LOAD
Recovering region .fini [400784, 40078d) in segment .fini
Recovering region .got [600ff0, 601000) in segment .got
8-byte reference at 600ff0 to 601058 (__libc_start_main)
8-byte reference at 600ff8 to 601070 (__gmon_start__)
Function at 601070 is the external function __gmon_start__
Recovering region .got.plt [601000, 601030) in segment .got.plt
8-byte reference at 601018 to 601050 (printf)
8-byte reference at 601020 to 601060 (mprotect)
8-byte reference at 601028 to 601068 (getpagesize)
Recovering region .data [601030, 601040) in segment .data
Recovering region __bss_start [601040, 601048) in segment .bss
Variable __bss_start at 601040
Recovering region .plt [400460, 4004a0) in segment .plt
Recovering region .text [4004a0, 400782) in segment .text
Variable _branch at 4005ee
Recovering region .eh_frame_hdr [40080c, 400858) in segment .eh_frame_hdr
Recovering region LOAD [40078d, 400790) in segment LOAD
Recovering region .rodata [400790, 40080b) in segment .rodata
Variable aNotModifed at 4007f4
Variable format at 400802
Recovering region .prgend [601048, 601049) in segment .prgend
Recovering region LOAD [600e20, 600ff0) in segment LOAD
Recovering region .init_array [600e10, 600e20) in segment .init_array
8-byte reference at 600e10 to 400580 (frame_dummy)
8-byte reference at 600e18 to 400550 (__do_global_dtors_aux)
Variable __do_global_dtors_aux_fini_array_entry at 600e18
Recovering region LOAD [400457, 400460) in segment LOAD
Recovering region .eh_frame [400858, 400998) in segment .eh_frame
Recovering extern function mprotect at 400480
Recovering extern function getpagesize at 400490
Recovering extern function printf at 601050
Recovering extern function mprotect at 601060
Recovering extern function printf at 400470
Recovering extern function getpagesize at 601068
Recovering extern function __gmon_start__ at 601070
Recovering extern function __libc_start_main at 601058
Recovered 14 functions.
Saving to: /home/work/main.cfg
Done analysis!
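def recover_module(entrypoint, gvar_infile = None):
    """Recover the loaded binary into a CFG_pb2.Module and return it.

    Args:
        entrypoint: name of the function to start recovery from. If it cannot
            be resolved and it is `main` on an ELF, find_main_in_ELF_file()
            is tried as a fallback.
        gvar_infile: optional open file holding a serialized CFG_pb2.Module
            whose `global_vars` (name, start ea, end ea) are forwarded to
            recover_regions().

    Returns:
        The populated module, or None when not a single function could be
        recovered -- callers must check for None before serializing.
    """
    global EMAP
    global EXTERNAL_FUNCS_TO_RECOVER
    global INTERNAL_THUNK_EAS

    M = CFG_pb2.Module()
    # The original applied `.format('utf-8')` to the file name (a typo for
    # decode): a no-op for ordinary names, but it mangled or raised on a name
    # containing `{` or `}`. Use the name as IDA reports it.
    M.name = idc.get_root_filename()
    DEBUG("Recovering module {}".format(M.name))

    # Use the `entrypoint` parameter; the original read the module-level
    # `args.entrypoint` instead, which made the parameter dead.
    entry_ea = idc.get_name_ea_simple(entrypoint)

    # If the entrypoint is `main`, then we'll try to find `main` via another
    # means.
    if is_invalid_ea(entry_ea):
        if "main" == entrypoint and IS_ELF:
            entry_ea = find_main_in_ELF_file()

    if RECOVER_EHTABLE:
        recover_exception_table()

    process_segments(PIE_MODE)
    func_eas = find_default_function_heads()
    recovered_fns = 0

    identify_thunks(func_eas)
    identify_external_symbols()
    exported_funcs, exported_vars = identify_program_entrypoints(func_eas)

    if is_invalid_ea(entry_ea):
        # Not fatal: whatever IDA found as function heads is still recovered.
        DEBUG("ERROR: Could not find entrypoint {}".format(entrypoint))
    else:
        func_eas.add(entry_ea)
        exported_funcs.add(entry_ea)

    # Process and recover functions. recover_function() may push newly found
    # callees back into func_eas, so iterate until the worklist drains.
    while len(func_eas) > 0:
        func_ea = func_eas.pop()
        if func_ea in RECOVERED_EAS or func_ea in EXTERNAL_FUNCS_TO_RECOVER:
            continue

        RECOVERED_EAS.add(func_ea)

        if try_identify_as_external_function(func_ea):
            DEBUG("ERROR: External function {:x} not previously identified".format(func_ea))
            continue

        if not is_code_by_flags(func_ea):
            DEBUG("ERROR: Function EA not code: {:x}".format(func_ea))
            continue

        if is_external_segment_by_flags(func_ea):
            continue

        recover_function(M, func_ea, func_eas, exported_funcs)
        recovered_fns += 1

    if recovered_fns == 0:
        DEBUG("COULD NOT RECOVER ANY FUNCTIONS")
        return None

    global_vars = []  # TODO(akshay): Pass in relevant info.
    DEBUG("Global Variable {}".format(gvar_infile))
    if gvar_infile is not None:
        # The file is a serialized CFG_pb2.Module supplied by the user; only
        # its global_vars are used here.
        GM = CFG_pb2.Module()
        GM.ParseFromString(gvar_infile.read())
        global_vars = [[gvar.name, gvar.ea, gvar.ea + gvar.size]
                       for gvar in GM.global_vars]

    recover_regions(M, exported_vars, global_vars)
    recover_external_symbols(M)

    DEBUG("Recovered {0} functions.".format(recovered_fns))
    return M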