  1. from idautils import *
  2. from idaapi import *
  3. from math import *
  4.  
def DecodeInstruction(ea):
    """Decode the instruction at ``ea`` using the legacy (pre-7.0) IDA API.

    ``idaapi.decode_insn`` fills the module-global ``idaapi.cmd`` record and
    reports the decoded length; a zero length means nothing decodable lives
    at ``ea`` and ``None`` is returned.  Otherwise the shared ``idaapi.cmd``
    object itself is returned, so callers must copy out whatever they need
    before the next decode reuses it.
    """
    if not idaapi.decode_insn(ea):
        return None
    return idaapi.cmd
  10.  
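def FindFirstValidFunc(ea):
    """Return the start of the function chunk containing ``ea``, or of the
    next chunk after ``ea`` when it is not inside one.

    Raises:
        ValueError: when neither lookup finds a chunk.  ``get_next_fchunk``
            yields ``None`` once there is no chunk after ``ea``; the original
            code then died with AttributeError on ``None.startEA``, which
            hides the real cause (no functions defined at/after ``ea``).
    """
    func_chunk = idaapi.get_fchunk(ea) or idaapi.get_next_fchunk(ea)
    if func_chunk is None:
        raise ValueError('no function chunk at or after 0x%x' % ea)
    return func_chunk.startEA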
  16.  
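def IsNullSub(func_head):
    """Return True when the function at ``func_head`` is empty or a bare return.

    The original author notes the analysis flags were unreliable for this
    target, so the test is done by hand: a zero-length function, or a
    4-byte function (one instruction on the fixed-width ISA the BL/RET
    comments in this file imply) whose single instruction has itype
    ``NN_aaa``.  ``NN_aaa`` is an x86 enum name; the original comment says
    its numeric value is the RET itype of the processor module in use --
    confirm that against the module actually loaded before trusting it.

    An address that is not a function at all is reported as not-null:
    ``FindFuncEnd`` returns BADADDR there, so ``func_sz`` is neither 0 nor 4.
    """
    func_sz = FindFuncEnd(func_head) - func_head
    if func_sz == 0:
        return True
    if func_sz != 4:
        return False
    ins = DecodeInstruction(func_head)
    # DecodeInstruction returns None on undecodable bytes; the original
    # dereferenced it unconditionally and would raise AttributeError.
    return ins is not None and ins.itype == NN_aaa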
  27.  
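def GetCallsFromFunc(func_head):
    """Collect the targets of direct calls made by the function at ``func_head``.

    Walks every head from ``func_head`` to ``FindFuncEnd(func_head)`` and
    keeps instructions whose itype is ``NN_aas`` (an x86 enum name that the
    original comment says equals the BL itype on this processor module --
    verify against the loaded module) with a near, non-BADADDR first
    operand.  Targets that ``IsNullSub`` reports as empty are dropped.

    Returns the remaining targets in call order, duplicates kept.  Returns
    ``[]`` when ``func_head`` is not inside a function: ``FindFuncEnd`` then
    yields BADADDR, and the original passed that straight to ``Heads()``,
    walking the rest of the database instead of a single function.
    """
    func_tail = FindFuncEnd(func_head)
    if func_tail == BADADDR:
        return []
    func_list = []
    for head in Heads(func_head, func_tail):
        ins = DecodeInstruction(head)
        if ins is None:
            continue
        op = ins.Operands[0]
        if ins.itype != NN_aas or op.type != o_near or op.addr == BADADDR:
            continue
        # Copy the target before calling IsNullSub: it decodes another
        # instruction through the same shared idaapi.cmd record.
        addr = op.addr
        if not IsNullSub(addr):
            func_list.append(addr)
    return func_list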
  40.  
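def FindBuiltinEntryPoint(init_calls):
    """Label the last call target in ``init_calls`` as ``nnMain``.

    The heuristic is that the final call made by the init routine is the
    application entry point.  Prints the outcome and returns None.

    The original indexed ``init_calls[-1]`` unconditionally; an empty list
    (which FindApplicationEntryPoint can produce) raised IndexError instead
    of reporting the failure, so that case is now handled explicitly.
    """
    if not init_calls:
        print('Failed to parse entry point! Got no calls')
        return
    entry_point = init_calls[-1]
    if entry_point == BADADDR:
        print('Failed to parse entry point! Got BADADDR')
        return
    print('!!!Entry point is at 0x%016x!!!' % entry_point)
    set_name(entry_point, 'nnMain')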
  50.  
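def FindApplicationEntryPoint(init_calls):
    """Walk outward from the init routine's last call until a callee that
    looks far enough away to be the real entry point, then hand that
    function's call list to FindBuiltinEntryPoint.

    ``init_calls`` is the call list of the setup routine's first callee and
    is expected to hold exactly one entry (see Main).  Each of up to five
    steps follows the last call of the current function; the walk stops
    early once that target lies more than 0x100 bytes *after* the starting
    function.  The offset is signed and only a positive distance counts --
    the original comment calls this "probably entry point", so treat the
    threshold as a heuristic rather than a guarantee.  If five steps pass
    without such a target the last function reached is used anyway, as in
    the original.

    Fixes over the original: every empty-list check now precedes the
    ``[-1]`` access it guards (the original computed ``func_list[-1]``
    before testing for emptiness, so a dead-end raised IndexError instead
    of printing its failure message), and the final call list is checked
    before being passed on.  Prints progress; returns None.
    """
    start = init_calls[-1]
    func_list = GetCallsFromFunc(start)
    if not func_list:
        print('Failed to start walking')
        return
    func_offset = func_list[-1] - start
    print('Walking to find init')
    for _ in range(5):
        if func_offset > 0x100:  # Probably entry point
            break
        print('0x%x' % func_list[-1])
        func_list = GetCallsFromFunc(func_list[-1])
        if not func_list:
            print('Walking failed, couldn\'t find entry point :(')
            return
        func_offset = func_list[-1] - start
    final_calls = GetCallsFromFunc(func_list[-1])
    if not final_calls:
        print('Failed at the end of stack walk :(')
        return
    FindBuiltinEntryPoint(final_calls)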
  73.  
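def Main():
    """Locate the application entry point in the loaded image and name it
    ``nnMain``.

    Starting from the first function chunk at or after the start of segment
    0, the script follows the first call out of it (the "setup" routine) and
    classifies that callee by how many calls it makes: exactly one call is
    treated as an application image and walked further by
    FindApplicationEntryPoint; more than one as a built-in, where the last
    call is taken as the entry point.

    Every decision is driven by bytes of the binary under analysis, so a
    crafted image can steer the heuristic; the consequence is a wrong label
    in the database, nothing here executes or writes outside IDA.

    The original dereferenced ``getnseg(0)`` without a check, which raises
    AttributeError on a database with no segments.
    """
    seg = getnseg(0)
    if seg is None:
        print('Failed to find entry point, no segments!')
        return
    setup_head = FindFirstValidFunc(seg.startEA)  # original note: "+ 0x9C"
    print('Starting from 0x%016x' % setup_head)
    setup_calls = GetCallsFromFunc(setup_head)
    if not setup_calls:
        print('Failed to find entry point, No BLs found!')
        return
    print('Parsing calls at 0x%016x' % setup_calls[0])
    init_calls = GetCallsFromFunc(setup_calls[0])
    call_cnt = len(init_calls)
    if call_cnt == 0:
        print('Failed to find Entry point, no calls found!')
    elif call_cnt == 1:
        print('Parsing as Application')
        FindApplicationEntryPoint(init_calls)
    else:
        print('Parsing as BuiltIn')
        FindBuiltinEntryPoint(init_calls)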
# Runs at load time: there is no __main__ guard, so importing this file from
# another script triggers the whole analysis (and the set_name) as a side effect.
Main()