#
# IDAPython script for IDA Pro
# Slightly modified from https://github.com/googleprojectzero/p0tools/blob/master/TrapFuzz/findPatchPoints.py
#
import idautils
import idaapi
import ida_nalt
import idc
# See https://www.hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml
from os.path import expanduser
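home = expanduser("~")
# Single definition of the output path: the original spelled it twice (print and open).
# It is fixed per user, so a rerun silently overwrites the previous result.
OUT_PATH = home + "/Desktop/patches.txt"
PAGE_SIZE = 0x1000
# Only the code segment is instrumented (Mach-O "__text" or ELF/PE ".text").
TEXT_SEGMENT_NAMES = ("__text", ".text")


def _collect_patchpoints():
    """Return ``(patchpoints, max_offset)`` for every basic block in the text segment(s).

    ``patchpoints`` is the set of basic-block start addresses; within a segment,
    once a block at or above 0x1000 has been seen, every block recorded from then
    on is reduced by 0x1000 (blocks seen before that point are stored unadjusted).
    ``max_offset`` is the highest *unadjusted* block start seen across all segments.
    """
    patchpoints = set()
    max_offset = 0
    for seg_ea in idautils.Segments():
        if idc.get_segm_name(seg_ea) not in TEXT_SEGMENT_NAMES:
            continue
        start = idc.get_segm_start(seg_ea)
        end = idc.get_segm_end(seg_ea)
        # Rebase heuristic carried over from the p0tools script: reset per segment,
        # switched on by the first block whose address is >= 0x1000.
        subtract_addr = 0
        for func_ea in idautils.Functions(start, end):
            func = idaapi.get_func(func_ea)
            if not func:
                continue
            for block in idaapi.FlowChart(func):
                # A block outside its own segment is skipped (possibly a broken CFG).
                if not (start <= block.start_ea < end):
                    continue
                if subtract_addr == 0 and block.start_ea >= PAGE_SIZE:
                    subtract_addr = PAGE_SIZE
                # NOTE(review): max_offset keeps the raw address while the patchpoint
                # is stored rebased — this mirrors the original script; confirm with
                # the consumer of patches.txt before changing either side.
                max_offset = max(max_offset, block.start_ea)
                patchpoints.add(block.start_ea - subtract_addr)
    return patchpoints, max_offset


def _round_up_to_page(size, page_size=PAGE_SIZE):
    """Round *size* up to the next multiple of *page_size*; an aligned value is returned as is."""
    rem = size % page_size
    return size if rem == 0 else size + (page_size - rem)


def _write_patchpoints(path, root_filename, size, patchpoints):
    """Write the patch file: ``<root filename>:<hex size>`` then one hex address per line.

    The addresses are written in ascending order so the output is deterministic
    for a given binary.
    """
    with open(path, "w") as out:
        # NOTE(review): a root filename containing ':' or a newline would make this
        # header line ambiguous for whatever parses the file — confirm against the reader.
        out.write(root_filename + ':' + hex(size) + '\n')
        out.write('\n'.join(map(hex, sorted(patchpoints))))
        out.write('\n')


patchpoints, max_offset = _collect_patchpoints()
# Round up max_offset to page size
size = _round_up_to_page(max_offset)
print("Writing to " + OUT_PATH)
_write_patchpoints(OUT_PATH, ida_nalt.get_root_filename(), size, patchpoints)
print("Done, found {} patchpoints".format(len(patchpoints)))
# For headless script running remove the comment from the next line.
# Note that `ida_pro` is not imported above; add `import ida_pro` next to the
# other IDA imports first, or the uncommented call fails with a NameError.
#ida_pro.qexit()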