├── ruff.toml ├── requirements.txt ├── test ├── test.png └── Makefile ├── fix_state.py ├── README.md ├── LICENSE.txt └── functioninliner.py /ruff.toml: -------------------------------------------------------------------------------- 1 | [lint] 2 | ignore = ["E741"] 3 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | ida-netnode 2 | parse 3 | sark 4 | tqdm 5 | wrapt 6 | -------------------------------------------------------------------------------- /test/test.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cellebrite-labs/FunctionInliner/HEAD/test/test.png -------------------------------------------------------------------------------- /test/Makefile: -------------------------------------------------------------------------------- 1 | # building for arm64-apple-macosx11 (or iOS) naively using clang will imply -target-abi=darwinpcs 2 | # which apparently disables -moutline, so we have to compile "manually" 3 | 4 | CC=clang -cc1 5 | LD=clang 6 | 7 | TARGET=arm64-apple-macosx11 8 | 9 | CFLAGS=-triple $(TARGET) -emit-obj -fgnuc-version=4.2.1 \ 10 | -isystem /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include \ 11 | 12 | O3_CFLAGS=-O3 13 | O3_MOUTLINE_CFLAGS=-O3 -mllvm -enable-machine-outliner 14 | 15 | LDFLAGS=-target $(TARGET) 16 | 17 | all: gzip-O3 gzip-O3-moutline 18 | 19 | %-O3.o: %.c 20 | $(CC) $(CFLAGS) $(O3_CFLAGS) -o $@ $< 21 | 22 | %-O3-moutline.o: %.c 23 | $(CC) $(CFLAGS) $(O3_MOUTLINE_CFLAGS) -o $@ $< 24 | 25 | gzip-O3: gzip-O3.o 26 | $(LD) $(LDFLAGS) -o $@ $^ 27 | 28 | gzip-O3-moutline: gzip-O3-moutline.o 29 | $(LD) $(LDFLAGS) -o $@ $^ 30 | 31 | clean: 32 | rm -f *.o gzip-O3 gzip-O3-moutline 33 | -------------------------------------------------------------------------------- /fix_state.py: 
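"""Repair FunctionInliner's persisted state inside a corrupted IDB.

Run this from within IDA on an IDB whose clone / rename metadata no longer
matches the database (e.g. after IDA crashed in the middle of an inlining).
The steps run in order and print what they do:

1. disable mapped addresses that lie under no segment,
2. drop clone metadata whose source branch or clone segment is gone,
3. delete ``inlined_*`` segments that no metadata refers to,
4. revert patched ``B`` instructions whose target is no longer mapped,
5. reanalyze, then re-inline calls still missing for inlined functions,
6. recompute the SP delta over every clone chunk,
7. reconcile the renames storage with the current function names,
8. reanalyze again.
"""
import idaapi
import ida_frame
import ida_funcs
import ida_bytes

import sark
import parse

import functioninliner


# What get_original_bytes() yields for a 4-byte instruction when IDA holds no
# original bytes for it; such a patch cannot be reverted.
NO_ORIGINAL_BYTES = b"\xff\xff\xff\xff"

# Prefixes the plugin puts in front of a function it renamed.  The previous
# version of this script used str.lstrip("outlined_"), which strips a
# *character set* rather than a prefix: every character of "inlined_" is in
# that set, so in practice it removed the "inlined_" prefix the README
# documents, but it could also eat into a real name that starts with those
# letters.  NOTE(review): confirm against functioninliner which prefix is
# actually applied; both spellings are accepted here.
RENAME_PREFIXES = ("inlined_", "outlined_")


def has_segment(ea):
    """Return True when *ea* lies inside a named segment."""
    return bool(sark.Segment(ea).name)


def disable_unused_addresses():
    """Disable addresses that are mapped but not under any segment.

    Such addresses are leftovers (e.g. of deleted clone segments) and will
    always stay "unknown", so they are disabled item by item.
    """
    print("DISABLING UNUSED ADDRESSES")
    ea = idaapi.next_unknown(0, idaapi.BADADDR)
    while ea != idaapi.BADADDR:
        if not has_segment(ea):
            print(f"disabling address {ea:#x}")
            idaapi.disable_flags(ea, ea + ida_bytes.get_item_size(ea))
        ea = idaapi.next_unknown(ea, idaapi.BADADDR)


def get_original_bytes(start_ea, size):
    """Return the pre-patch bytes of the *size*-byte range starting at *start_ea*."""
    return bytes(idaapi.get_original_byte(ea) for ea in range(start_ea, start_ea + size))


def revert_patched_BL(src_ea, original_bytes=None):
    """Restore the original instruction at *src_ea* (a BL that was patched into a B).

    Args:
        src_ea: address of the patched instruction.
        original_bytes: bytes to write back.  When None they are taken from
            IDA's patch history, and the revert is skipped (with a message)
            when that history holds no original bytes.

    Raises:
        ValueError: *original_bytes* was given but does not match the item size.
    """
    size = ida_bytes.get_item_size(src_ea)
    if original_bytes is None:
        original_bytes = get_original_bytes(src_ea, size)
        if original_bytes == NO_ORIGINAL_BYTES:
            print(f"cannot revert patch @ {src_ea:#x}!")
            return
    elif len(original_bytes) != size:
        raise ValueError(
            f"original bytes for {src_ea:#x} are {len(original_bytes)} bytes, item is {size}"
        )

    print(f"reverting patch @ {src_ea:#x}")
    idaapi.patch_bytes(src_ea, original_bytes)

    idaapi.plan_and_wait(src_ea, src_ea + size)

    # the restored BL no longer flows into the clone, so chunks that were only
    # reachable through the patched branch are detached from the caller
    try:
        src_func = sark.Function(src_ea)
        for chunk_ea in functioninliner.unreachable_function_chunks_eas(src_func):
            idaapi.remove_func_tail(src_func._func, chunk_ea)
    except sark.exceptions.SarkNoFunction:
        pass  # no function at src_ea: nothing to detach


def is_valid_branch(src_ea, target_ea):
    """Return True when *src_ea* holds a ``B`` whose first operand is *target_ea*.

    Returns False (never None) for unmapped addresses and non-instruction lines.
    """
    if not idaapi.is_mapped(src_ea):
        return False

    try:
        insn = sark.Line(src_ea).insn
    except sark.exceptions.SarkNoInstruction:
        return False
    return insn.mnem == "B" and insn.operands[0].addr == target_ea


def fix_func_tail(src_ea, clone_ea):
    """Make the clone segment at *clone_ea* a function tail of the function at *src_ea*."""
    try:
        src_func = sark.Function(src_ea)
        clone_end_ea = sark.Segment(clone_ea).end_ea
        # we used to just call append_func_tail, but on some IDA version
        # we started getting occasional internal errors on some of these
        if src_func.ea not in functioninliner.function_chunk_parent_eas(clone_ea):
            idaapi.append_func_tail(src_func._func, clone_ea, clone_end_ea)
    except sark.exceptions.SarkNoFunction:
        pass  # no function at src_ea: nothing to attach the clone to


def clone_segment_matches(clone_ea, src_ea):
    """Return True when a segment exists at *clone_ea* and its name records *src_ea* as the source."""
    if not idaapi.is_mapped(clone_ea):
        return False
    seg_name = sark.Segment(clone_ea).name
    parts = functioninliner.ClonesStorage.parse_storage_key(seg_name)
    return bool(parts) and parts["src_ea"] == src_ea


def fix_clones_metadata():
    """Remove clone entries whose source branch or clone segment is missing.

    Entries that are still consistent are re-attached as function tails;
    half-consistent ones get their surviving half cleaned up (clone deleted,
    or source BL reverted from ``clone_info.orig_bytes``) before removal.
    """
    print("FIXING CLONES METADATA")
    storage = functioninliner.ClonesStorage()

    for func_ea, clones in list(storage.items()):
        for src_ea, clone_info in list(clones.items()):
            clone_ea = clone_info.clone_ea
            valid_src = is_valid_branch(src_ea, clone_ea)
            valid_target = clone_segment_matches(clone_ea, src_ea)

            if valid_src and valid_target:
                # make sure the clone is a proper func tail of its caller
                fix_func_tail(src_ea, clone_ea)
                continue

            if valid_target:
                print(f"deleting clone @ {clone_ea:#x}")
                idaapi.del_segm(clone_ea, idaapi.SEGMOD_KILL)

            if valid_src:
                revert_patched_BL(src_ea, clone_info.orig_bytes)

            del clones[src_ea]


def remove_dangling_clones():
    """Delete ``inlined_*`` segments that no clone metadata refers to.

    When the recorded source still branches into the deleted segment, that
    branch is reverted as well.
    """
    print("REMOVING DANGLING CLONES")

    known_clone_eas = set()
    storage = functioninliner.ClonesStorage()
    for clones in storage.values():
        for clone_info in clones.values():
            if clone_info.clone_ea in known_clone_eas:
                raise RuntimeError(f"clone @ {clone_info.clone_ea:#x} is recorded twice")
            known_clone_eas.add(clone_info.clone_ea)

    for seg in list(sark.segments()):
        if not seg.name.startswith("inlined_"):
            continue

        clone_ea = seg.ea
        if clone_ea in known_clone_eas:
            continue

        parts = parse.parse(functioninliner.CLONE_NAME_FMT, seg.name)
        if parts is None:
            # parse.parse() returns None on mismatch; the old code crashed here
            print(f"skipping segment {seg.name} @ {clone_ea:#x}: not a clone name")
            continue
        src_ea = parts["src_ea"]

        print(f"deleting dangling clone @ {clone_ea:#x}")
        idaapi.del_segm(clone_ea, idaapi.SEGMOD_KILL)

        # is_valid_branch() already rejects an unmapped src_ea
        if is_valid_branch(src_ea, clone_ea):
            revert_patched_BL(src_ea)


def patch_size(p):
    """Return the byte width of a sark patch record (``original``/``patched`` are ints)."""
    size_bits = max(p.original.bit_length(), p.patched.bit_length())
    return (size_bits + 7) // 8


def revert_range(start_ea, size):
    """Revert every patched byte in ``[start_ea, start_ea + size)``.

    Currently unused by the steps in this script.
    """
    for ea in range(start_ea, start_ea + size):
        idaapi.revert_byte(ea)


def undo_dangling_patched_BLs():
    """Revert patched ``B`` instructions whose target is no longer mapped."""
    print("UNDOING DANGLING PATCHED BLs")

    for patch in sark.data.get_patched_bytes().values():
        size = patch_size(patch)

        # patches are byte-granular; walk the 4-byte-aligned instructions they touch
        for line in sark.lines(patch.ea & ~0x3, patch.ea + size):
            try:
                insn = line.insn
            except sark.exceptions.SarkNoInstruction:
                continue
            if insn.mnem != "B":
                continue

            if idaapi.is_mapped(insn.operands[0].addr):
                continue

            revert_patched_BL(line.ea)


def reanalyze():
    """Queue the whole program for reanalysis and wait for it to finish."""
    print("REANALYZING")
    idaapi.plan_and_wait(0, idaapi.BADADDR)


def reinline_missing_calls():
    """Re-run inlining for every recorded function that still has external callers."""
    print("RE-INLINING MISSING CALLS FOR INLINED FUNCTIONS")
    storage = functioninliner.ClonesStorage()

    # snapshot the keys: inline_function() may update the storage we iterate
    for func_ea in list(storage.keys()):
        func = sark.Function(func_ea)
        if list(functioninliner.external_callers(func)):
            functioninliner.inline_function(func)


def fix_clone_sp_analysis():
    """Recalculate the SP delta for every basic block of every clone chunk."""
    print("FIXING CLONE SP ANALYSIS")
    storage = functioninliner.ClonesStorage()

    for func_ea, clones in list(storage.items()):
        for src_ea, clone_info in list(clones.items()):
            clone_ea = clone_info.clone_ea
            chunk = ida_funcs.get_fchunk(clone_ea)
            pfn = ida_funcs.get_func(src_ea)
            if chunk is None or pfn is None:
                # both lookups return None on a miss; the old code crashed here
                print(f"skipping SP analysis for clone @ {clone_ea:#x}: missing chunk or caller")
                continue

            ea = clone_ea
            while ea < chunk.end_ea:
                ida_frame.recalc_spd_for_basic_block(pfn, ea)
                ea += ida_bytes.get_item_size(ea)


def original_function_name(name):
    """Return *name* with one of RENAME_PREFIXES removed, or *name* unchanged."""
    for prefix in RENAME_PREFIXES:
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


def fix_renames_storage():
    """Bring the renames storage in line with the functions that are actually inlined.

    Inlined functions get their recorded name re-applied (or a record created
    from the current name); records for functions that are no longer inlined
    are renamed back where safe and then dropped.
    """
    print("FIXING RENAMES STORAGE")
    storage = functioninliner.ClonesStorage()
    rstorage = functioninliner.RenamesStorage()

    for func_ea in list(storage.keys()):
        rename_info = rstorage.get(func_ea)

        func = sark.Function(func_ea)
        if func.start_ea != func_ea:
            raise RuntimeError(f"{func_ea:#x} is recorded as inlined but is not a function start")

        if rename_info and func.name == rename_info.new_name:
            continue

        # the messages below used to format the stale module-level `ea` from
        # an earlier loop instead of func_ea
        if rename_info:
            print(f"function name for {func_ea:#x} is {func.name}. renaming to {rename_info.new_name}")
            func.name = rename_info.new_name
        else:
            orig_name = original_function_name(func.name)
            rstorage[func.ea] = rstorage.RenameInfo(orig_name, func.name)

            print(f"rename info for {func_ea:#x} is missing. setting to orig={orig_name} new={func.name}")

    for func_ea, rename_info in list(rstorage.items()):
        if func_ea in storage:
            continue

        print(f"found rename info for non-inlined function {func_ea:#x}")

        func = sark.Function(func_ea)
        if func.start_ea != func_ea:
            print("\twhich isn't even a function start")
        elif func.name == rename_info.new_name:
            print(f"\tand renaming back to {rename_info.orig_name}")
            func.name = rename_info.orig_name
        else:
            print(f"\tcurrent name is: {func.name} which differs from new: {rename_info.new_name}. "
                  f"not renaming back to orig: {rename_info.orig_name}")

        del rstorage[func_ea]


def main():
    """Run every repair step in the original order."""
    disable_unused_addresses()
    fix_clones_metadata()
    remove_dangling_clones()
    undo_dangling_patched_BLs()
    reanalyze()
    reinline_missing_calls()
    fix_clone_sp_analysis()
    fix_renames_storage()
    reanalyze()
    print("DONE!")


# run unconditionally: like the original flat script, executing the file is
# what triggers the repair
main()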
setting to orig={orig_name} new={func.name}") 232 | 233 | for func_ea, rename_info in list(rstorage.items()): 234 | if func_ea in storage: 235 | continue 236 | 237 | print(f"found rename info for non-inlined function {func_ea:#x}") 238 | 239 | func = sark.Function(func_ea) 240 | if func.start_ea != func_ea: 241 | print("\twhich isn't even a function start") 242 | elif func.name == rename_info.new_name: 243 | print(f"\tand renaming back to {rename_info.orig_name}") 244 | func.name = rename_info.orig_name 245 | else: 246 | print(f"\tcurrent name is: {func.name} which differs from new: {rename_info.new_name}. " 247 | f"not renaming back to orig: {rename_info.orig_name}") 248 | 249 | del rstorage[func_ea] 250 | 251 | # reanalyze program 252 | print("REANALYZING") 253 | idaapi.plan_and_wait(0, idaapi.BADADDR) 254 | 255 | print("DONE!") 256 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FunctionInliner 2 | 3 | FunctionInliner is an IDA plugin that can be used to ease the reversing of binaries that have been 4 | space-optimized with function outlining (e.g. `clang --moutline`). 5 | 6 | Our plugin works by creating a clone of the outlined function per each of its xref callers, and 7 | linking it to the caller directly by replacing the BL with a regular branch to the clone and the 8 | RET of the clone with a branch back to the caller (thus adding the clone as a function chunk of its 9 | caller). 10 | 11 | In case an outlined function has been successfully inlined into all of its callers, it'll be 12 | renamed to have the `inlined_` prefix, to make it easy to identify in functions/xrefs listing. 13 | 14 | The plugin supports both manually choosing functions to inline from their context menu, and 15 | heuristically identifying all outlined functions and inlining them. 16 | 17 | ## Why? 
18 | 19 | Code with outlined functions is a pain to reverse because the outlined functions usually use 20 | registers and memory that are local to their *caller* (i.e. they don't conform to the ABI). Therefore 21 | you don't have the entire context when reversing the caller and have to jump back and forth into 22 | those outlined parts to follow what's going on. 23 | 24 | Moreover, reversing code with outlined functions using Hex Rays simply doesn't work since Hex Rays 25 | assumes that functions conform to the ABI in order to do its magic. Furthermore, if you try to jump 26 | into an outlined function in Hex Rays you'll often see it as empty because of that. 27 | 28 | ## Example 29 | 30 | As an example we used gzip 1.3.5 which is a single source file that was easy to work with, and we 31 | looked at the beginning of a single function from it (`bi_windup`): 32 | 33 | ![](test/test.png) 34 | 35 | On the left, you see the function compiled with `-O3` and in the middle you see it compiled with 36 | `-O3 -moutline`. Calls to outlined functions were highlighted (obviously, these wouldn't have stood 37 | out from other calls in case symbols have been stripped). 38 | 39 | We've also marked some screwups in Hex Rays' decompilation that were caused by these outlined 40 | functions not conforming to the ABI. 41 | 42 | On the right, you see the same function after our whole-IDB analysis has been applied. You can see 43 | that most outlined functions have been automatically inlined, and all decompilation screwups have 44 | been resolved. 45 | 46 | To be exact, in this file our whole-IDB analysis found and automatically inlined 130 out of 165 47 | outlined functions, with no false positives. The rest of the outlined functions can be easily 48 | inlined from their context menu in case they're manually identified later. 
49 | 50 | Specifically in this example, you can also see that `OUTLINED_FUNCTION_13` (which was not 51 | automatically inlined) is a simple wrapper to `write` which specifies `nbytes = 0x4000`. In this 52 | case we could never determine whether this was an original wrapper function or an outlined function 53 | that we should inline. 54 | 55 | ## Installation 56 | 57 | 1. Install the dependencies listed in `requirements.txt` where IDA can import them. For example 58 | using `/path/to/python3/used/by/ida -m pip install -r requirements.txt`. 59 | 2. Install [keypatch](https://github.com/keystone-engine/keypatch). 60 | 3. Clone this repository and symlink `~/.idapro/plugins/functioninliner.py` to `functioninliner.py` 61 | in the cloned repo. 62 | 63 | ## Usage TL;DR 64 | 65 | From the menu select `Edit -> Plugins -> FunctionInliner -> Patch constant register-based calls to 66 | regular calls` and then `Edit -> Plugins -> FunctionInliner -> Inline all outlined functions` in 67 | order to try and do everything we can to make the IDB more readable. 68 | 69 | ## Per-function usage 70 | 71 | Note: all of the context menus described below work both in IDA views and in Pseudocode views. 72 | 73 | ### Inlining outlined functions 74 | 75 | Right-click on a `BL` to an outlined function, or on the beginning of an outlined function and 76 | choose `Inline function` (or use the keyboard shortcut `Meta-P`, i.e. `Cmd/WinKey-P`). 77 | 78 | Note that the cloning logic does not support functions which consist of multiple function 79 | chunks. For such cases, you should dechunk the function manually, or have it done automatically by 80 | running our whole-IDB processing. 
81 | 82 | ### Undoing inlining of outlined functions 83 | 84 | Right-click on a `B` to the cloned code that was originally outlined, on the beginning of the cloned 85 | code, or on the beginning of the original outlined function and choose `Undo function inlining`. 86 | 87 | ## Whole-IDB usage 88 | 89 | The plugin also supports working on the entire IDB and inlining *every* function that is identified 90 | as an outlined function. See the `Principles of operation` section for the heuristics used to 91 | identify these. 92 | 93 | ### Inlining all outlined functions 94 | 95 | From the menu select `Edit -> Plugins -> FunctionInliner -> Inline all outlined functions` in order 96 | to scan all of the functions in the binary and inline those that are identified as outlined. 97 | 98 | Note that we first do some preprocessing on the entire IDB in order to fix various situations that 99 | may have occurred from IDA auto-analyzing the IDB without taking outlined functions into 100 | consideration. 101 | 102 | ### Patching constant register-based calls 103 | 104 | In some cases the compiler and linker generate register-based calls for constant addresses (and not 105 | regular calls). IDA obviously doesn't generate call xrefs in these cases (but data xrefs) and so our 106 | inlining logic cannot patch these calls. 107 | 108 | From the menu select `Edit -> Plugins -> FunctionInliner -> Patch constant register-based calls to 109 | regular calls` in order to scan all of the IDB for these patterns and patch them to regular calls. 110 | 111 | Since this behaviour is actively patching the IDB we kept it as a separate (optional) action, and do 112 | not do this as part of the `Inline all outlined functions` preprocessing logic. 113 | 114 | ## Principles of operation 115 | 116 | ### What preprocessing is done prior to inlining all outlined functions 117 | 118 | Our preprocessing is comprised of a number of steps: 119 | 1. 
Exploration steps are repeated until there's nothing new to be done: 120 | 1. We create functions at xref targets that IDA didn't make a function out of. 121 | 1. We identify NORET functions that IDA didn't identify as such. 122 | 2. Preprocessing steps are done after the exploration: 123 | 1. We dechunk all of the functions in the binary (split each chunk into a separate function). 124 | This helps us identify later on which chunks were outlined and which are "real" functions. 125 | Plus, our cloning logic doesn't support chunked functions. 126 | 2. We split functions that are placed right before another function they tail-call into, and were 127 | treated by IDA as one whole function. 128 | 3. We split adjacent functions that were treated by IDA as one whole function. 129 | 130 | ### How cloning is done 131 | 132 | For each xref to the outlined function, we create a new segment named 133 | `inlined_0x{func_ea:x}_for_0x{src_ea:x}` and clone the function there. 134 | 135 | When cloning, we in fact have to translate some of the opcodes on the way -- if an opcode has 136 | relative data or code xrefs we need to fix them to work from the new location. We also may have to 137 | fix relative xrefs inside the cloned code because our translation may move stuff around in the clone 138 | as well. 139 | 140 | We then replace the original `BL` to the outlined function with a `B` to the cloned code, and 141 | replace the `RET` at the end of the outlined function with a `B` back to the caller. 142 | 143 | There are of course edge cases when the outlined function tail-calls some other function, or when 144 | the outlined function is tail-called by its caller, which should be handled. 145 | 146 | We also take care to find a spot for the cloned code segment which will be close enough to the 147 | caller and to outgoing xrefs from the clone in order to use regular branches back and forth. 
148 | 149 | ### How outlined functions are identified 150 | 151 | Currently we use a few heuristics to identify outlined functions. 152 | 153 | There may be false-negatives (i.e. we may miss some outlined functions) but we expect their count to 154 | be pretty low and they can always be inlined manually when encountered. 155 | 156 | Also, in case there are any false-positives (i.e. we'll identify some real functions as outlined 157 | and inline them into their callers) the effect shouldn't be that bad for RE and can also be undone 158 | manually. 159 | 160 | The heuristics we use are the following: 161 | 1. ~~We expect outlined functions to have more than one caller (otherwise it wouldn't have been useful 162 | to outline them)~~ for some reason this doesn't hold in real cases, so we've dropped this 163 | heuristic. 164 | 2. We expect all outlined functions not to have a prologue (not really sure about that, but it makes 165 | sense). This is more of an optimization for us, in order not to statically analyze *every* 166 | function in the IDB. 167 | 3. We expect some outlined functions not to conform to the ABI and to make use of non-argument 168 | registers that were not initialized internally. 169 | 4. We expect some outlined functions not to conform to the ABI and to leave side-effects on 170 | non-result registers (that are not propagated to any result register or stored in memory). 171 | 5. The last two heuristics also apply to condition flags, not just registers (i.e. if the function 172 | uses uninitialized condition flags or sets condition flags that are never used). 173 | 174 | ### Inlining of extra functions 175 | 176 | In some IDBs with a huge number of outlined functions, the number of false-negatives can start 177 | getting high, and so we implemented extra heuristics that can match more outlined functions that 178 | do conform to the ABI. 179 | 180 | Note that this may reduce the number of false-negatives but it comes with the cost of possible 181 | false-positives. 
Therefore, we only apply these heuristics to functions that haven't been 182 | eliminated by the previous heuristics (i.e. functions that do not have a prologue). 183 | 184 | The usage of these extra heuristics can be enabled from the plugin menu. 185 | 186 | With extra heuristics enabled, we also consider the following kinds of functions as outlined: 187 | 1. Functions that use X1-X7 as return registers. 188 | 1. This is supported by the ABI, but isn't used by most binaries (i.e. a function that returns a 189 | struct). 190 | 1. Functions that do not set up a stack frame but still use stack variables. 191 | 1. This may be the case with a function that gets stack arguments but does not set up a stack 192 | frame, but we expect it to be low-probability (i.e. a simple function with more than 8 193 | arguments). 194 | 195 | ## Future improvements 196 | 197 | There are some cases of outlined functions that we currently don't auto-detect with our heuristics: 198 | 1. Some outlined functions leave side-effects on higher result registers but do not set all of the 199 | lower ones, so it's obvious that they're not just returning a structure by value. 200 | 2. Consider removing the heuristic about outlined functions not having prologues, since we've seen 201 | cases of outlined prologues. 202 | 203 | There are some cases which our cloning logic doesn't support: 204 | 1. Some uses of conditional opcodes (e.g. when the call to the outlined function is a conditional 205 | tail-call). 206 | 207 | Some other stuff: 208 | 1. When running our heuristics, we currently stop analyzing a function if we encounter a BL or a 209 | tail-call in it, because that may lead to another outlined function. The proper handling should 210 | probably be to analyze and inline all functions in order of a topological sort based on call 211 | targets (i.e. first analyze and inline functions which don't call anything, then those that call 212 | already analyzed functions, and so on). 213 | 
When running our heuristics, we usually stop analyzing a function if we encounter more than one 214 | basic block. We could theoretically continue analyzing recursively in each of the branches. 215 | 216 | ## Limitations 217 | 218 | The plugin currently works only on ARM64 binaries that conform to 219 | [the ABI](https://developer.arm.com/documentation/ihi0055/d?lang=en). 220 | 221 | ## Fixing corrupted state 222 | 223 | If for any reason (e.g. IDA crashed in the middle of function inlining) the IDB has gotten into a 224 | corrupted state with regards to FunctionInliner, where for example: 225 | 1. You have deleted but not disabled addresses that were once inlined clones. 226 | 2. You have inlined clones with unpatched source calls. 227 | 3. You have patched source calls with missing clones. 228 | 4. FunctionInliner thinks it has already inlined (or undone inlining of) something which it hasn't. 229 | 230 | You should run the `fix_state.py` script in the context of the corrupted IDB. 231 | 232 | In our testing, this happened once after months of heavy usage, and we suspect another, conflicting 233 | plugin caused this, so we didn't bother integrating the fixing logic into the plugin. 234 | 235 | ## Meta 236 | 237 | Authored by Tomer Harpaz of Cellebrite Security Research Labs. 238 | Developed and tested for IDA 7.6 on macOS with Python 3.7.9. 239 | Also tested on IDA up to 8.4. 240 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 
12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. 
For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 
83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 
117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 
146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 
180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 
216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 
246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. 
If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 
309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 
336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 
360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. 
If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 
428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 
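--------------------------------------------------------------------------------
/functioninliner.py:
--------------------------------------------------------------------------------
import collections
import contextlib
import functools
import itertools
import logging
import pickle
import re
import struct
import time
import types

import ida_auto
import ida_bytes
import ida_funcs
import ida_frame
import ida_idaapi
import ida_idp
import ida_kernwin
import ida_segment
import ida_ua
import ida_xref
import idc

import keypatch
import netnode
import parse
import sark
import tqdm
import wrapt


# DEFINITIONS


# name prefix given to functions that were inlined into their callers
INLINED_FUNCTION_PREFIX = "inlined_"
# name of the per-call-site clone of an inlined function (filled in with str.format)
CLONE_NAME_FMT = "inlined_0x{func_ea:x}_for_0x{src_ea:x}"
# master switch for the TRACE log level below; must be set before the logger is created
TRACE = False


# LOGGING


class LoggerWithTrace(logging.getLoggerClass()):
    """Logger with an extra TRACE level (below DEBUG) that is only active when TRACE is set.

    The level is registered in __init__, so flipping TRACE after the logger has been created
    has no effect (and trace() would then hit a missing logging.TRACE attribute).
    """

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

        if TRACE:
            # add TRACE level; 5 sits below logging.DEBUG (10)
            logging.TRACE = 5
            logging.addLevelName(logging.TRACE, "TRACE")

    def trace(self, msg, *args, **kwargs):
        """Log *msg* at TRACE level; a no-op unless the module-level TRACE flag is on."""
        if TRACE:
            self.log(logging.TRACE, msg, *args, **kwargs)


# NOTE: constructed directly rather than through logging.getLogger(), so this logger has no
# parent in the logging hierarchy and does not inherit handlers configured on the root logger
logger = LoggerWithTrace("FunctionInliner")


# EXCEPTIONS


class FunctionInlinerException(Exception):
    """Base class for every error raised by FunctionInliner."""


class FunctionInlinerUnsupportedException(FunctionInlinerException):
    """Raised for code shapes the inliner does not know how to handle."""


class FunctionInlinerUnknownFlowException(FunctionInlinerException):
    """Raised when the control flow of a function cannot be determined."""


# HELPERS


@contextlib.contextmanager
def autoanalysis(enabled):
    """Set IDA's auto-analysis to *enabled* for the duration of the block.

    ida_auto.enable_auto() returns the previous state, which is restored on exit. Restoring
    the previous state (instead of `not enabled`) keeps nested uses correct: an inner block no
    longer re-enables analysis that an outer block had deliberately disabled.
    """
    previous = ida_auto.enable_auto(enabled)
    try:
        yield None
    finally:
        ida_auto.enable_auto(previous)


def with_autoanalysis(enabled):
    """Decorator factory: run the wrapped callable inside `autoanalysis(enabled)`."""
    @wrapt.decorator
    def decorator(wrapped, instance, args, kwargs):
        with autoanalysis(enabled):
            return wrapped(*args, **kwargs)
    return decorator


@contextlib.contextmanager
def wait_box(msg, hide_cancel=False):
    """Show an IDA wait box with *msg* for the duration of the block and hide it afterwards.

    *hide_cancel* prepends IDA's "HIDECANCEL" directive so the box has no cancel button.
    """
    prefix = "HIDECANCEL\n" if hide_cancel else ""
    ida_kernwin.show_wait_box(prefix + msg)
    try:
        yield None
    finally:
        ida_kernwin.hide_wait_box()


def get_function_under_cursor():
    """Return the sark.Function the cursor refers to, or None.

    Resolution order:
      1. the cursor is on a call/jump whose target is the start of a function -> that function;
         a call/jump target that is not inside any function aborts the lookup (returns None)
      2. the cursor is on the first line of a function -> that function
      3. otherwise None (including unmapped addresses)
    """
    line = sark.Line()

    # abort on unmapped addresses
    if not ida_bytes.is_mapped(line.ea):
        return None

    # if we're on a call -> return its target
    for xref in line.xrefs_from:
        if xref.type.is_jump or xref.type.is_call:
            try:
                f = sark.Function(xref.to)
                if xref.to == f.ea:
                    return f
            except sark.exceptions.SarkNoFunction:
                return None

    # if we're on the start of a function -> return it
    try:
        func = sark.Function()
        if func.start_ea == line.ea:
            return func
    except sark.exceptions.SarkNoFunction:
        return None

    return None


def align_downwards(ea, alignment):
    """Round *ea* down to a multiple of *alignment*.

    Raises ValueError unless *alignment* is a positive power of two, since the mask trick
    below silently produces wrong results for any other value.
    """
    if alignment <= 0 or alignment & (alignment - 1):
        raise ValueError(f"alignment must be a positive power of two, got {alignment!r}")
    return ea & ~(alignment - 1)


def align_upwards(ea, alignment):
    """Round *ea* up to a multiple of *alignment* (a positive power of two, see align_downwards)."""
    return align_downwards(ea + (alignment - 1), alignment)


def reanalyze_line(line):
    """Queue the address range of a single sark.Line for auto-analysis."""
    ida_auto.plan_range(line.ea, line.end_ea)


def reanalyze_program():
    """Queue the whole address space for auto-analysis.

    We used to not reanalyze the entire program, but for some reason when we surgically marked
    for reanalysis only the stuff that we've changed, sometimes the auto analysis didn't
    recursively go through to everything.
    """
    ida_auto.plan_range(0, ida_idaapi.BADADDR)


def is_conditional_insn(insn):
    """Return True if the ARM instruction carries a condition suffix other than AL (always)."""
    # IDA's ARM module keeps the condition code in segpref; 0xe is AL, i.e. unconditional
    # (see module/arm/arm.hpp in the IDA SDK)
    return insn._insn.segpref != 0xe


def is_chunked_function(func):
    """Return True if *func* has more than one chunk (i.e. at least one tail chunk)."""
    # only pull two chunk EAs instead of materializing the whole list
    return len(list(itertools.islice(function_chunk_eas(func), 2))) > 1


def function_chunk_eas(func):
    """Yield the start EA of every chunk of *func* (the main chunk first, then the tails)."""
    ea = idc.first_func_chunk(func.ea)
    while ea != ida_idaapi.BADADDR:
        yield ea
        ea = idc.next_func_chunk(func.ea, ea)


def function_chunk_lines(ea):
    """Yield the sark.Line objects of the function chunk containing *ea*, in address order."""
    start_ea = idc.get_fchunk_attr(ea, idc.FUNCATTR_START)
    end_ea = idc.get_fchunk_attr(ea, idc.FUNCATTR_END)

    l = sark.Line(start_ea)
    while l.ea < end_ea:
        yield l
        l = l.next


def function_chunk_crefs(ea, ret_ea=None):
    """Yield (offset, target_ea) for every code reference leaving the chunk containing *ea*.

    *offset* is relative to the chunk start. A RET instruction is reported as a reference to
    *ret_ea* when that is given, otherwise its ordinary outgoing crefs are used.

    Non-instruction data inside the chunk (e.g. jump tables) is skipped, but data that has a
    flow reference pointing into it indicates a broken chunk and re-raises SarkNoInstruction.
    """
    start_ea = idc.get_fchunk_attr(ea, idc.FUNCATTR_START)
    end_ea = idc.get_fchunk_attr(ea, idc.FUNCATTR_END)

    for l in function_chunk_lines(ea):
        try:
            if l.insn.mnem == "RET" and ret_ea is not None:
                external_cref_eas = (ret_ea,)
            else:
                external_cref_eas = (c for c in l.crefs_from if c < start_ea or c >= end_ea)

            for target_ea in external_cref_eas:
                yield (l.ea - start_ea, target_ea)
        except sark.exceptions.SarkNoInstruction:
            if not list(l.crefs_to):
                pass  # some times there's non-code inside function chunks, e.g. jumptables
            else:
                raise  # but if there's a flow cref into it, this is bad


def function_chunk_parent_eas(ea):
    """Yield the EA of every function that owns the chunk containing *ea* (none if unowned)."""
    fchunk = ida_funcs.get_fchunk(ea)
    fpi = ida_funcs.func_parent_iterator_t(fchunk)
    if not fpi.first():
        return

    while True:
        yield fpi.parent()
        if not fpi.next():
            break


def containing_funcs(line):
    """Return the set of sark.Function objects that contain *line*.

    Both the parents of the chunk the line sits in and the function directly at the line's EA
    are considered; addresses that resolve to no function are ignored.
    """
    funcs = set()
    candidate_eas = itertools.chain(function_chunk_parent_eas(line.ea), (line.ea,))
    for candidate_ea in candidate_eas:
        try:
            funcs.add(sark.Function(candidate_ea))
        except sark.exceptions.SarkNoFunction:
            pass
    return funcs


def unreachable_function_chunks_eas(func):
    """Yield the start EAs of *func*'s chunks that cannot be reached from its main chunk.

    Reachability is computed over the chunk-level control-flow graph: starting from the main
    (entry) chunk, every code reference that lands inside another chunk of the function makes
    that chunk reachable, transitively. Chunks never reached are yielded in ascending order.
    A function with a single chunk yields nothing.
    """
    # map all chunks in our function as (start_ea, end_ea) pairs
    remaining_chunks = set()
    for start_ea in function_chunk_eas(func):
        end_ea = idc.get_fchunk_attr(start_ea, idc.FUNCATTR_END)
        remaining_chunks.add((start_ea, end_ea))

    if len(remaining_chunks) == 1:
        return

    main_chunk = (func.start_ea, func.end_ea)
    assert main_chunk in remaining_chunks  # the entry chunk is always enumerated by IDA

    # discard reachable chunks with a worklist instead of recursion, so a function with a long
    # chain of tail chunks cannot exhaust the interpreter's recursion limit
    remaining_chunks.discard(main_chunk)
    worklist = collections.deque([main_chunk])
    while worklist and remaining_chunks:
        chunk = worklist.popleft()
        for _src_off, target in function_chunk_crefs(chunk[0]):
            reached = next((c for c in remaining_chunks if c[0] <= target < c[1]), None)
            if reached is not None:
                remaining_chunks.discard(reached)
                worklist.append(reached)
            if not remaining_chunks:
                break

    yield from sorted(c[0] for c in remaining_chunks)


def function_crefs(func, ret_ea=None):
    chunk_eas = list(function_chunk_eas(func))
    for chunk_ea in chunk_eas:
        for off, target_ea in function_chunk_crefs(chunk_ea, ret_ea):
            if ida_funcs.func_contains(func._func, target_ea):
                continue

            src_ea = chunk_ea + off
            src = 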
sark.Line(src_ea) 265 | if src.insn.mnem == "BL" and target_ea == src.end_ea: 266 | # we have a flow xref going from a BL which is the last instruction of a function 267 | # chunk. this can be one of two cases: 268 | # 1. IDA didn't recognize that the target function is a NORET function, hence there 269 | # shouldn't be a flow-xref from the BL 270 | # 2. after BL-ing, the source function implicitly tail-calls to the next instruction 271 | # which should be another function 272 | # because we cannot know which of the cases is the right one, and in case it's (1), 273 | # the next line might be data, we'll let a heuristic decide 274 | if is_data_heuristic(sark.Line(target_ea)): 275 | continue 276 | 277 | yield src_ea, target_ea 278 | 279 | 280 | def has_function_flow_xref(line): 281 | for xref in line.xrefs_to: 282 | # we're only interested in flow xrefs 283 | if not xref.type.is_flow: 284 | continue 285 | 286 | # sometimes there are useless NOPs before real code, so we discard xrefs from code 287 | # which isn't in a function 288 | try: 289 | sark.Function(xref.frm) 290 | except sark.exceptions.SarkNoFunction: 291 | continue 292 | 293 | return True 294 | 295 | return False 296 | 297 | 298 | def external_callers(line, functions_only=False, include_flow=False): 299 | funcs = containing_funcs(line) 300 | 301 | for xref in line.xrefs_to: 302 | caller = sark.Line(xref.frm) 303 | 304 | # skip non-code xrefs 305 | if not xref.type.is_code: 306 | continue 307 | 308 | # skip flow xrefs 309 | if not include_flow and xref.type.is_flow: 310 | continue 311 | 312 | # skip recursive calls 313 | caller_funcs = containing_funcs(caller) 314 | 315 | if funcs and caller_funcs == funcs: 316 | continue 317 | elif not caller_funcs and functions_only: 318 | continue 319 | 320 | yield caller 321 | 322 | 323 | def linegroups(n): 324 | iters = [sark.lines() for _ in range(n)] 325 | for i, it in enumerate(iters): 326 | for _ in range(i): 327 | next(it) 328 | return zip(*iters) 329 | 330 | 331 | 
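def register_parts(r):
    """Yield every register name aliasing *r* within its register family.

    *r* is an AArch64 register name such as ``"X3"`` or ``"D7"``: the first character
    selects the family (general purpose ``W``/``X``, or SIMD/FP ``B``/``H``/``S``/``D``/``Q``)
    and the remainder is the register number, which is kept verbatim.

    Returns:
        A generator over the aliases, *r* included, e.g. ``"X3"`` -> ``"W3"``, ``"X3"``.

    Raises:
        FunctionInlinerException: the first character is not a known family prefix.
    """
    width, number = r[0], r[1:]

    families = (
        ("W", "X"),
        ("B", "H", "S", "D", "Q"),
    )

    for family in families:
        if width in family:
            return (prefix + number for prefix in family)

    raise FunctionInlinerException(f"encountered unknown register: {r}")


def add_comment(line, cmt, prepend=True):
    """Attach *cmt* to the regular comment of *line*.

    When the line has no regular comment yet, *cmt* becomes the comment. Otherwise the
    two are joined with a newline: *cmt* first when *prepend* is true, last otherwise.
    """
    existing = line.comments.regular
    if existing is None:
        line.comments.regular = cmt
    elif prepend:
        line.comments.regular = f"{cmt}\n{existing}"
    else:
        line.comments.regular = f"{existing}\n{cmt}"


def get_branch_target_ea(line):
    """Return the single taken target of the branch instruction at *line*.

    Flow xrefs (fall-through) and data xrefs are ignored, so for a conditional branch
    only the taken target remains.

    Raises:
        AssertionError: the line has zero or several non-flow code targets.
    """
    targets = {xref.to for xref in line.xrefs_from
               if xref.iscode and not xref.type.is_flow}
    assert len(targets) == 1, \
        f"expected exactly one branch target @ {line.ea:#x}, found {len(targets)}"
    return targets.pop()


def drefs_from_eas(line):
    """Yield the mapped data-reference targets of *line*."""
    # IDA marks enum refs as drefs with top address byte set to 0xff, so we filter out
    # drefs that are not actually mapped
    return (ea for ea in line.drefs_from if ida_bytes.is_mapped(ea))


# NETNODE


class _PrimitivesOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global/class reference.

    The values this plugin persists (tuples of int, bytes and str) never need a global
    lookup, so rejecting every ``find_class`` call keeps them loadable while a crafted
    payload that tries to import and call something is refused instead of executed.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} while loading plugin data from the IDB")


class PickleNetnode(netnode.Netnode):
    """Netnode whose values are stored as pickles.

    SECURITY NOTE: netnode contents live inside the IDB, and an IDB obtained from a third
    party is untrusted input. A plain ``pickle.loads`` on such bytes can execute arbitrary
    code, so decoding goes through ``_PrimitivesOnlyUnpickler`` which only accepts the
    primitive values this plugin writes. Encoding is unchanged, so existing IDBs written
    by earlier versions still load.
    """

    @staticmethod
    def _encode(data):
        return pickle.dumps(data)

    @staticmethod
    def _decode(data):
        import io  # function-scope import keeps the module's dependency list unchanged

        return _PrimitivesOnlyUnpickler(io.BytesIO(data)).load()


class RenamesStorage(PickleNetnode):
    """Persistent map of function address -> RenameInfo, kept in a netnode.

    Records the original and the new name of functions renamed by the plugin so the
    rename can later be undone.
    """

    NETNODE = "$ FunctionInliner.renames"

    # orig_name: name before the plugin renamed the function; new_name: the name it set
    RenameInfo = collections.namedtuple("RenameInfo", ("orig_name", "new_name"))

    def __init__(self):
        super().__init__(self.NETNODE)

    def __setitem__(self, func_ea, rename_info):
        """Store *rename_info* (must be a RenameInfo) for *func_ea* as a plain tuple."""
        if not isinstance(rename_info, RenamesStorage.RenameInfo):
            raise ValueError("value must be of type RenamesStorage.RenameInfo")
        super().__setitem__(func_ea, tuple(rename_info))

    def __getitem__(self, func_ea):
        """Return the stored tuple for *func_ea* re-wrapped as a RenameInfo."""
        stored = super().__getitem__(func_ea)
        return RenamesStorage.RenameInfo(*stored)


class SingletonUserDict(type(collections.UserDict)):
    """Metaclass making every call of the class return one shared instance."""

    _instance = None

    def __call__(cls, *args, **kwargs):
        # compare with None rather than relying on truthiness: a UserDict with no entries
        # is falsy, which would have re-created the "singleton" whenever it was empty
        if cls._instance is None:
            cls._instance = super().__call__(*args, **kwargs)
        return cls._instance


class ClonesStorage(collections.UserDict, metaclass=SingletonUserDict):
    """In-memory view over the persisted clone metadata, backed by a PickleNetnode.

    Layout: ``self.data`` maps outlined function ea -> ``InlinedFunctionInfo``, which in
    turn maps the patched call site ea -> ``CloneInfo``. Every write to an
    ``InlinedFunctionInfo`` is mirrored to the netnode through ``write_to_storage`` under
    the key produced by ``storage_key``. Like a ``defaultdict``, indexing an unknown
    function ea hands out an empty per-function map; assigning directly is forbidden.
    """

    NETNODE = "$ functioninliner.clones"

    # clone_ea: start of the cloned code; orig_bytes: bytes of the call site before patching
    CloneInfo = collections.namedtuple("CloneInfo", ("clone_ea", "orig_bytes"))

    class InlinedFunctionInfo(collections.UserDict):
        """Per-function map of call site ea -> CloneInfo that reports each change."""

        def __init__(self, update_callback):
            super().__init__()
            # called as update_callback(self, src_ea) after every set or delete
            self._update_callback = update_callback

        def __setitem__(self, src_ea, clone):
            if not isinstance(clone, ClonesStorage.CloneInfo):
                raise ValueError("value must be of type ClonesStorage.CloneInfo")
            self.data[src_ea] = clone
            self._update_callback(self, src_ea)

        def __delitem__(self, src_ea):
            del self.data[src_ea]
            self._update_callback(self, src_ea)

    def __init__(self):
        super().__init__()
        self.netnode = PickleNetnode(self.NETNODE)
        self.update_from_storage()

    def update_from_storage(self):
        """Rebuild ``self.data`` from the netnode, skipping keys that don't parse."""
        self.data.clear()

        for key, value in self.netnode.items():
            parts = ClonesStorage.parse_storage_key(key)
            if not parts:
                continue

            # going through self[...] and the per-function __setitem__ also re-writes the
            # entry to the netnode, which keeps the two representations identical
            func_storage = self[parts["func_ea"]]
            func_storage[parts["src_ea"]] = ClonesStorage.CloneInfo(*value)

    @staticmethod
    def storage_key(func_ea, src_ea):
        """Netnode key for the clone of *func_ea* made for the call site *src_ea*."""
        return CLONE_NAME_FMT.format(func_ea=func_ea, src_ea=src_ea)

    @staticmethod
    def parse_storage_key(k):
        """Inverse of ``storage_key``; returns a parse result or None for foreign keys."""
        return parse.parse(CLONE_NAME_FMT, k)

    def write_to_storage(self, func_ea, func_storage, src_ea):
        """Mirror the entry *src_ea* of *func_storage* to the netnode.

        A missing entry means a deletion: the netnode key is removed and, once the
        per-function map is empty, the function is dropped from ``self.data`` too.
        Otherwise the CloneInfo is stored as a plain tuple and the map is (re)attached.
        """
        key = ClonesStorage.storage_key(func_ea, src_ea)
        clone_info = func_storage.get(src_ea, None)

        if clone_info is None:  # delete
            del self.netnode[key]

            # if there are no more outlined
            if not func_storage and func_ea in self.data:
                del self.data[func_ea]
            return

        # set
        self.netnode[key] = tuple(clone_info)
        self.data[func_ea] = func_storage

    def __getitem__(self, func_ea):
        """Return the per-function map, creating a detached empty one when unknown.

        The new map is only attached to ``self.data`` by its first write (see
        ``write_to_storage``), so merely reading never creates entries.
        """
        try:
            return self.data[func_ea]
        except KeyError:
            update_callback = functools.partial(self.write_to_storage, func_ea)
            return ClonesStorage.InlinedFunctionInfo(update_callback)

    def __setitem__(self, k, v):
        raise RuntimeError("Do not try setting a value directly, but rather get its value as with "
                           "a defaultdict")

    def __delitem__(self, func_ea):
        """Forget every clone of *func_ea*, both in the netnode and in memory."""
        for src_ea in self[func_ea]:
            del self.netnode[ClonesStorage.storage_key(func_ea, src_ea)]

        if func_ea in self.data:
            del self.data[func_ea]


# FUNCTION INLINING


def get_cloned_function(ea):
    """Return the function a clone at *ea* was made from, or None.

    Clone segments are named with ``CLONE_NAME_FMT``, so the source function address is
    recovered from the name of the segment containing *ea*.
    """
    seg = sark.Segment(ea)
    if not seg.name:
        return None

    parts = parse.parse(CLONE_NAME_FMT, seg.name)
    if not parts:
        return None

    return sark.Function(parts["func_ea"])


def is_originally_chunked_function(func):
    """True if *func* has a chunk that is neither its main chunk nor an inlined clone."""
    for chunk_ea in function_chunk_eas(func):
        # dismiss the "main" chunk
        if chunk_ea == func.ea:
            continue

        # dismiss chunks which are inlined clones of outlined functions
        if get_cloned_function(chunk_ea):
            continue

        # we found a "real" chunk
        return True

    return False


def create_code_segment(name, size, close_to=None, page_align=False):
    """Create a read/execute 64-bit code segment called *name* holding *size* bytes.

    An existing segment with the same name is killed first and its address range is
    made available again. The segment is placed in the free range (between existing
    segments) whose start is nearest to *close_to*; with ``close_to=None`` it goes to
    the start of the highest free range. *size* is rounded up to the alignment (page
    or 4 bytes), which also aligns the candidate ranges.

    Returns:
        The created ``sark.Segment``.

    Raises:
        FunctionInlinerException: no free range is large enough.
    """
    alignment = 0x1000 if page_align else 0x4
    size = align_upwards(size, alignment)

    segs = sorted(sark.segments(), key=lambda s: s.ea)

    # delete a previously cloned segment if such exists. it is also dropped from our
    # map below, so the range it used to occupy counts as a hole again
    kept = []
    for s in segs:
        if s.name == name:
            ida_segment.del_segm(s.start_ea, ida_segment.SEGMOD_KILL)
        else:
            kept.append(s)
    segs = kept

    # map the holes between existing segments
    if segs:
        bounds = [(0, segs[0].start_ea)]
        bounds.extend((s.end_ea, next_s.start_ea) for s, next_s in zip(segs, segs[1:]))
        bounds.append((segs[-1].end_ea, ida_idaapi.BADADDR))
    else:
        bounds = [(0, ida_idaapi.BADADDR)]

    # align the start and end of each hole
    holes = [(align_upwards(start, alignment), align_downwards(end, alignment))
             for start, end in bounds]

    # filter-out holes which are too small
    holes = [(start, end) for start, end in holes if end - start >= size]
    if not holes:
        raise FunctionInlinerException(
            f"no free address range of {size:#x} bytes is available for segment {name}")

    # find the hole nearest to our caller. a hole above the caller gets the segment at
    # its start, a hole below it gets the segment at its end, so the distance measured
    # is the one between the caller and where the segment would actually start
    if close_to is None:
        hole = holes[-1]
        at_hole_start = True
    else:
        def hole_dist(h):
            start, end = h
            if start > close_to:
                return start - close_to
            return close_to - (end - size)

        hole = min(holes, key=hole_dist)
        at_hole_start = hole[0] > close_to

    # create the segment
    if at_hole_start:
        start_ea = hole[0]
        end_ea = hole[0] + size
    else:
        start_ea = hole[1] - size
        end_ea = hole[1]

    seg_t = ida_segment.segment_t()
    seg_t.start_ea = start_ea
    seg_t.end_ea = end_ea
    seg_t.align = ida_segment.saRelDble
    seg_t.comb = ida_segment.scPub
    seg_t.perm = ida_segment.SEGPERM_EXEC | ida_segment.SEGPERM_READ
    seg_t.bitness = 2  # 64 bits
    seg_t.sel = ida_segment.setup_selector(0)
    seg_t.type = ida_segment.SEG_CODE
    seg_t.color = idc.DEFCOLOR

    flags = ida_segment.ADDSEG_NOSREG | ida_segment.ADDSEG_QUIET | ida_segment.ADDSEG_NOAA

    ida_segment.add_segm_ex(seg_t, name, "CODE", flags)

    return sark.Segment(start_ea)


def validate_branch_displacements(func, src_ea, clone_ea, ret_ea):
    """Check that plain B/BL branches can reach between caller, clone and its targets.

    Verifies the branch from the call site *src_ea* to *clone_ea*, and every external
    cref of the first chunk of *func* as it would be issued from its cloned position
    (with RET translated to a branch to *ret_ea*). Only the +-128MB range of B/BL is
    checked; conditional branches, which have a much shorter range, are not covered.

    Raises:
        FunctionInlinerException: one of the displacements does not fit.
    """
    # we only go over the first function chunk since that's the one we're cloning

    max_b_displ = 0x8000000  # B/BL immediate range: +-128MB

    def b_displ(src, target):
        # NOTE(review): AArch64 B/BL offsets are relative to the branch instruction
        # itself; the +4 makes this 4 bytes pessimistic, which is harmless here
        return abs(target - (src + 4))

    # this isn't the most accurate condition since the clone offsets may move because of
    # our translation, but we discard that. if anything, the assembly later will fail
    clone_cref_displs = (b_displ(clone_ea + src_off, target_ea)
                         for src_off, target_ea in function_chunk_crefs(func.ea, ret_ea))

    caller_too_far = b_displ(src_ea, clone_ea) >= max_b_displ
    if caller_too_far or any(displ >= max_b_displ for displ in clone_cref_displs):
        # TBH we were greedy when choosing when to create our segment, but we don't expect
        # this to fail with +-128MB of max displacement, so we didn't bother implementing
        # a better algorithm
        raise FunctionInlinerException("created clone segment is not close enough to its "
                                       "caller or one of its call targets")


def fix_outlined_function_call(src, clone_ea, clone_end_ea, func_ea, kp_asm=None):
    """Redirect the call/branch at *src* into the clone at [clone_ea, clone_end_ea).

    The clone is first appended to the caller as a function tail, then the source
    instruction is rewritten: a BL becomes a B to *clone_ea*, any other branch has its
    *func_ea* target swapped for *clone_ea*. The original cref to *func_ea* is deleted
    and the SP deltas of the clone are recomputed. *kp_asm* is created when not given.
    """
    if kp_asm is None:
        kp_asm = keypatch.Keypatch_Asm()

    # unfortunately, we've seen cases where IDA creates a function out of our clone instead of a
    # function chunk, and this also happens sometimes when calling auto_apply_tail.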
621 | # therefore, we first ida_funcs.append_func_tail and only then patch and plan to reanalyze the 622 | # caller 623 | ida_funcs.append_func_tail(ida_funcs.get_func(src.ea), clone_ea, clone_end_ea) 624 | 625 | # replace the source instruction with a B to our clone 626 | mnem = src.insn.mnem 627 | if mnem == "BL": 628 | asm = f"B #{clone_ea:#x}" # we drop PAC flags 629 | code = bytes(kp_asm.assemble(asm, src.ea)[0]) 630 | assert len(code) == src.size 631 | ida_bytes.patch_bytes(src.ea, code) 632 | else: # is_jump 633 | fix_cloned_branch(kp_asm, src.ea, func_ea, clone_ea) 634 | 635 | reanalyze_line(src) 636 | 637 | # delete the original xref 638 | ida_xref.del_cref(src.ea, func_ea, 0) 639 | 640 | # wait for analysis of the source instruction and the clone 641 | assert ida_auto.auto_wait_range(src.ea, src.end_ea) >= 0 642 | assert ida_auto.auto_wait_range(clone_ea, clone_end_ea) >= 0 643 | 644 | # recalculate SP delta for the instructions in the clone. we do it for every instruction in 645 | # case the clone contains more than one basic block 646 | pfn = ida_funcs.get_func(src.ea) 647 | ea = clone_ea 648 | while ea < clone_end_ea: 649 | ida_frame.recalc_spd_for_basic_block(pfn, ea) 650 | ea += ida_bytes.get_item_size(ea) 651 | 652 | def inline_function_call(src, func, kp_asm=None): 653 | storage = ClonesStorage() 654 | func_storage = storage[func.ea] 655 | 656 | if kp_asm is None: 657 | kp_asm = keypatch.Keypatch_Asm() 658 | 659 | # verify that the function isn't chunked 660 | if is_chunked_function(func): 661 | raise FunctionInlinerUnsupportedException("chunked functions are currently unsupported") 662 | 663 | # clone and inline the function for each of its callers 664 | size = func.end_ea - func.start_ea 665 | 666 | # create a segment for the cloned function 667 | seg_size = size * 2 # we put a factor of 2 here for our ADR->ADRP+ADD fixups 668 | seg_name = CLONE_NAME_FMT.format(func_ea=func.ea, src_ea=src.ea) 669 | seg = create_code_segment(seg_name, seg_size, 
src.ea) 670 | clone_ea = seg.ea 671 | 672 | try: 673 | # analyze the caller 674 | if src.insn.mnem == "B" and not is_conditional_insn(src.insn): # tail-call 675 | ret_ea = None 676 | elif src.insn.mnem in ("B", "BL", "CBNZ", "CBZ", "TBNZ", "TBZ"): 677 | ret_ea = src.end_ea 678 | else: 679 | raise FunctionInlinerException(f"unexpected call opcode: {src.insn.mnem}") 680 | 681 | # validate that the created segment is close enough for the required branches 682 | validate_branch_displacements(func, src.ea, clone_ea, ret_ea) 683 | 684 | # clone the function 685 | logger.debug(f"cloning to {clone_ea:#x}") 686 | clone_end_ea = clone_function(func, clone_ea, ret_ea, kp_asm) 687 | 688 | # replace the source opcode with a branch to our clone 689 | orig_bytes = src.bytes 690 | fix_outlined_function_call(src, clone_ea, clone_end_ea, func.ea, kp_asm) 691 | 692 | # add clone info to storage 693 | clone_info = ClonesStorage.CloneInfo(clone_ea, orig_bytes) 694 | func_storage[src.ea] = clone_info 695 | 696 | except: # noqa: E722 697 | # remove from storage if it's already been added 698 | func_storage.pop(clone_ea, None) 699 | 700 | # undo the source patch if it's already been done 701 | ida_bytes.patch_bytes(src.ea, src.bytes) 702 | reanalyze_line(src) 703 | 704 | # remove the created segment 705 | ida_segment.del_segm(clone_ea, ida_segment.SEGMOD_KILL) 706 | 707 | logger.error(f"unhandled exception was raised while inlining call to {func.name} from {src.ea:#x}") 708 | raise 709 | 710 | return clone_ea 711 | 712 | 713 | def function_chunk_inlined_functions(ea): 714 | start_ea = idc.get_fchunk_attr(ea, idc.FUNCATTR_START) 715 | 716 | for off, target_ea in function_chunk_crefs(ea): 717 | func = get_cloned_function(target_ea) 718 | 719 | if func: 720 | src = sark.Line(start_ea + off) 721 | yield (src, func) 722 | 723 | 724 | def rename_outlined_function(func): 725 | storage = RenamesStorage() 726 | 727 | rename_info = storage.get(func.ea) 728 | if rename_info and func.name == 
rename_info.new_name: 729 | return 730 | 731 | new_name = f"outlined_{func.name}" 732 | rename_info = RenamesStorage.RenameInfo(func.name, new_name) 733 | 734 | func.name = new_name 735 | storage[func.ea] = rename_info 736 | 737 | 738 | def undo_rename_outlined_function(func): 739 | storage = RenamesStorage() 740 | 741 | rename_info = storage.get(func.ea) 742 | if not rename_info: 743 | return 744 | 745 | if func.name == rename_info.new_name: 746 | func.name = rename_info.orig_name 747 | 748 | del storage[func.ea] 749 | 750 | 751 | def inline_function(func, kp_asm=None): 752 | # verify that the function doesn't have any chunks which aren't inlined clones of outlined 753 | # functions 754 | if is_originally_chunked_function(func): 755 | raise FunctionInlinerUnsupportedException("chunked functions are currently unsupported") 756 | 757 | # find functions that we've inlined into this function 758 | inlined_function_calls = list(function_chunk_inlined_functions(func.ea)) 759 | 760 | # temporarily undo inlining into our function 761 | for src, inlined_func in inlined_function_calls: 762 | logger.debug(f"temporarily undoing inlining of {inlined_func.name} into {src.ea:#x}") 763 | undo_inline_function_call(src, inlined_func) 764 | 765 | # wait for analysis of our function 766 | assert ida_auto.auto_wait_range(func.ea, func.end_ea) >= 0 767 | 768 | # assert that the function is now unchunked 769 | assert not is_chunked_function(func) 770 | 771 | func_has_outgoing_crefs = bool(list(function_chunk_crefs(func.ea))) 772 | 773 | # inline our function into its callers 774 | for src in external_callers(func): 775 | logger.debug(f"inlining call to {func.name} from {src.ea:#x}") 776 | clone_ea = inline_function_call(src, func, kp_asm) 777 | 778 | # wait for analysis of our clone (optimization: only if needed) 779 | # this is both for the case we need to redo inlining into it in a bit, and also for the case 780 | # we're inlining all outlined functions in the IDB and we want the 
clones' outgoing crefs to 781 | # be indexed as well 782 | if func_has_outgoing_crefs: 783 | seg = sark.Segment(clone_ea) 784 | assert ida_auto.auto_wait_range(seg.start_ea, seg.end_ea) >= 0 785 | 786 | # redo inlining into our function clones 787 | for _, inlined_func in inlined_function_calls: 788 | logger.debug(f"redoing inlining of {inlined_func.name} into the cloned functions") 789 | inline_function(inlined_func) 790 | 791 | # if there are no more xrefs to this function, rename it 792 | if not list(external_callers(func)): 793 | rename_outlined_function(func) 794 | 795 | 796 | @with_autoanalysis(False) 797 | def inline_all_functions(extra=False): 798 | logger.info("inlining all outlined functions...") 799 | 800 | failed_analysis = 0 801 | inlined = 0 802 | skipped = 0 803 | erroronous = 0 804 | kp_asm = keypatch.Keypatch_Asm() 805 | 806 | all_funcs = list(sark.functions()) 807 | 808 | with wait_box("finding outlined functions..."): 809 | outlined_funcs = [] 810 | for func in tqdm.tqdm(all_funcs, desc="analyzing", ncols=80, unit="func"): 811 | ida_auto.show_auto(func.ea) 812 | 813 | if ida_kernwin.user_cancelled(): 814 | return False 815 | 816 | logger.debug(f"analyzing {func.name}") 817 | try: 818 | if is_function_outlined(func, extra=extra): 819 | outlined_funcs.append(func) 820 | except Exception: 821 | logger.exception(f"unhandled exception raised when trying to analyze {func.name}:") 822 | failed_analysis += 1 823 | 824 | logger.info(f"found {len(outlined_funcs)} outlined functions") 825 | if failed_analysis: 826 | logger.error(f"failed analysing {failed_analysis} functions") 827 | 828 | retval = True 829 | with wait_box("inlining all outlined functions... 
(this may take a few minutes)"): 830 | start_time = time.time() 831 | 832 | for func in tqdm.tqdm(outlined_funcs, desc="inlining", ncols=80, unit="func"): 833 | ida_auto.show_auto(func.ea) 834 | 835 | if ida_kernwin.user_cancelled(): 836 | retval = False 837 | break 838 | 839 | logger.debug(f"inlining {func.name}") 840 | try: 841 | inline_function(func, kp_asm) 842 | inlined += 1 843 | except FunctionInlinerUnsupportedException: 844 | skipped += 1 # skip functions that we can't inline 845 | except Exception: 846 | logger.exception(f"unhandled exception raised when trying to inline {func.name}:") 847 | erroronous += 1 848 | 849 | elapsed_time = int(time.time() - start_time) 850 | 851 | logger.info(f"inlined a total of {inlined} functions in {elapsed_time} seconds") 852 | 853 | if skipped: 854 | logger.warning(f"skipped {skipped} unsupported functions") 855 | 856 | if erroronous: 857 | logger.error(f"failed inlining {erroronous} functions") 858 | 859 | return retval 860 | 861 | 862 | def clone_insn_ret(kp_asm, line, dst_ea, ret_ea): 863 | assert line.insn.mnem == "RET" and not is_conditional_insn(line.insn) 864 | 865 | asm = f"B #{ret_ea:#x}" # we drop PAC flags 866 | code = bytes(kp_asm.assemble(asm, dst_ea)[0]) 867 | 868 | logger.trace(f" translated to: {asm}") 869 | return code 870 | 871 | 872 | def clone_insn_branch(kp_asm, line, dst_ea, func, ret_ea): 873 | mnem = line.insn.mnem 874 | 875 | # resolve the the branch target 876 | if mnem == "BR": 877 | target_ea = None 878 | else: 879 | target_ea = get_branch_target_ea(line) 880 | 881 | if target_ea and func.start_ea <= target_ea < func.end_ea: # local target -> copy as-is 882 | logger.trace(" local target -> copied as-is") 883 | return line.bytes, target_ea - func.ea 884 | 885 | else: # external target -> fix it 886 | if is_conditional_insn(line.insn): 887 | raise FunctionInlinerUnsupportedException("translating conditioned tail-calls is " 888 | "currently unsupported") 889 | 890 | if mnem == "BR": 891 | # target 
is the first arg even if it's an authenticated BR 892 | target_reg = line.insn.operands[0].text 893 | asm = f"BLR {target_reg}" # we drop PAC flags 894 | else: 895 | assert mnem in ("BL", "B") 896 | asm = f"BL #{target_ea:#x}" # we drop PAC flags 897 | 898 | if mnem in ("B", "BR"): # tail-call -> also add a following B back or RET 899 | if ret_ea: 900 | asm += f"\nB #{ret_ea:#x}" 901 | else: 902 | asm += "\nRET" 903 | 904 | code = bytes(kp_asm.assemble(asm, dst_ea)[0]) 905 | 906 | logger.trace(f" translated to: {asm}") 907 | return code, None 908 | 909 | 910 | def clone_insn_mem(kp_asm, line, dst_ea): 911 | drefs_from = set(drefs_from_eas(line)) 912 | insn = line.insn 913 | 914 | if len(drefs_from) == 1: 915 | target_ea = drefs_from.pop() 916 | else: # this may happen with LDR when the target contains another address 917 | assert len(drefs_from) == 2 and insn.mnem == "LDR" 918 | xref = [x for x in line.xrefs_from if x.type.is_read][0] 919 | target_ea = xref.to 920 | 921 | target_page = target_ea & ~0xfff 922 | target_offset = target_ea & 0xfff 923 | 924 | if is_conditional_insn(line.insn): 925 | raise FunctionInlinerUnsupportedException("translating conditional mem instructions is " 926 | "currently unsupported") 927 | 928 | # full_mnem should be the same as insn.mnem, but compare the full one just to be on the safe side 929 | full_mnem = ida_ua.print_insn_mnem(line.ea) 930 | 931 | if full_mnem in ("ADR", "ADRL"): 932 | # usually ADR is followed by NOP, because the compiler doesn't know if it'll be ADR or 933 | # ADRP + ADD (ADRL), but we don't want to rely on it so we'll translate both alternatives 934 | # with two instructions 935 | 936 | reg = line.insn.regs.pop() 937 | asm = f""" 938 | ADRP {reg}, #{target_page:#x} 939 | ADD {reg}, {reg}, #{target_offset:#x} 940 | """ 941 | code = bytes(kp_asm.assemble(asm, dst_ea)[0]) 942 | 943 | logger.trace(f" {full_mnem} -> translated to: {asm}") 944 | return code 945 | 946 | elif full_mnem == "ADRP": 947 | reg = 
line.insn.regs.pop() 948 | asm = f"ADRP {reg}, #{target_page:#x}" 949 | code = bytes(kp_asm.assemble(asm, dst_ea)[0]) 950 | 951 | logger.trace(f" ADRP -> translated to: {asm}") 952 | return code 953 | 954 | elif full_mnem == "MOV": 955 | logger.trace(" MOV -> copied as-is") 956 | return line.bytes 957 | 958 | else: 959 | # we expect the rest to be e.g. LDR/STR/ADD using an address or a PAGEOFF 960 | 961 | # IDA won't always show "@PAGEOFF" in the disassembly, so we have to check for this case 962 | # manually 963 | found_displ = 0 964 | for op in line.insn.operands: 965 | if op.type.is_mem: 966 | found_displ = -1 967 | break 968 | if op.type.is_displ: 969 | found_displ += 1 970 | pageoff_flow = found_displ == 1 971 | 972 | if pageoff_flow: 973 | # the PAGEOFF shouldn't change, so we can copy as-is 974 | logger.trace(" PAGEOFF -> copied as-is") 975 | return line.bytes 976 | 977 | else: # direct memory access flow 978 | # try finding and replacing the target operand with the fixed one 979 | new_ops = [] 980 | ops_fixed = 0 981 | for op in insn.operands: 982 | if op.type.is_mem and op.addr == target_ea: 983 | new_ops.append(f"#{target_ea:#x}") 984 | ops_fixed += 1 985 | else: 986 | new_ops.append(op.text) 987 | assert ops_fixed == 1 988 | 989 | # recreate the instruction 990 | asm = full_mnem + " " + ", ".join(new_ops) 991 | code = bytes(kp_asm.assemble(asm, dst_ea)[0]) 992 | 993 | logger.trace(f" direct memory reference -> translated to: {asm}") 994 | return code 995 | 996 | 997 | def fix_cloned_branch(kp_asm, src_ea, current_target_ea, fixed_target_ea): 998 | # analyze this single instruction 999 | idc.set_flag(idc.INF_AF, idc.AF_CODE, 0) 1000 | ida_ua.create_insn(src_ea) 1001 | idc.set_flag(idc.INF_AF, idc.AF_CODE, 1) 1002 | 1003 | line = sark.Line(src_ea) 1004 | insn = line.insn 1005 | 1006 | # we believe that our handling here won't match all cases, but we've never even encountered 1007 | # a case where this fixup has been required so we don't want to spend too 
much effort around it 1008 | 1009 | # try finding and replacing the target operand with the fixed one 1010 | new_ops = [] 1011 | ops_fixed = 0 1012 | for op in insn.operands: 1013 | if op.type.is_near and op.addr == current_target_ea: 1014 | new_ops.append(f"#{fixed_target_ea:#x}") 1015 | ops_fixed += 1 1016 | else: 1017 | new_ops.append(op.text) 1018 | assert ops_fixed == 1 1019 | 1020 | # recreate the instruction 1021 | full_mnem = ida_ua.print_insn_mnem(line.ea) 1022 | asm = full_mnem + " " + ", ".join(new_ops) 1023 | code = bytes(kp_asm.assemble(asm, line.ea)[0]) 1024 | 1025 | logger.trace(f" -> {asm}") 1026 | 1027 | assert line.size == len(code) 1028 | 1029 | # undo the analysis of this instruction and patch it 1030 | ida_bytes.del_items(src_ea, ida_bytes.DELIT_SIMPLE, line.size) 1031 | ida_bytes.patch_bytes(line.ea, code) 1032 | 1033 | 1034 | def clone_function(func, dst_ea, ret_ea=None, kp_asm=None): 1035 | if kp_asm is None: 1036 | kp_asm = keypatch.Keypatch_Asm() 1037 | 1038 | clone_ea = dst_ea 1039 | 1040 | # maps func_offset to clone_offset, for each cloned instruction 1041 | clone_offsets = {} 1042 | # maps source_func_offset to target_func_offset, for cloned branches which point internally 1043 | # to the cloned function 1044 | potential_target_fixups = {} 1045 | 1046 | # go over all instructions in the first function chunk 1047 | for line in function_chunk_lines(func.start_ea): 1048 | logger.trace(f"-> {line.disasm}") 1049 | 1050 | # remember where we moved it to in the clone 1051 | func_offset = line.ea - func.ea 1052 | clone_offset = dst_ea - clone_ea 1053 | clone_offsets[func_offset] = clone_offset 1054 | 1055 | # clone this instruction 1056 | try: 1057 | assert line.is_code 1058 | 1059 | # generate some metadata about it 1060 | 1061 | is_brk = line.insn.mnem == "BRK" 1062 | is_ret = line.insn.mnem == "RET" 1063 | 1064 | is_normal_flow = False 1065 | for xref in line.xrefs_from: 1066 | if not xref.iscode: 1067 | continue 1068 | 1069 | if not 
xref.type.is_flow: 1070 | is_normal_flow = False # at least one non-flow code xrefs -> not normal flow 1071 | break 1072 | else: 1073 | is_normal_flow = True # all (at least one) flow code xrefs -> normal flow 1074 | 1075 | if any(drefs_from_eas(line)): 1076 | has_drefs = True 1077 | else: 1078 | has_drefs = False 1079 | 1080 | # identify which kind of translation we should do 1081 | 1082 | if (is_normal_flow and not has_drefs) or (is_ret and not ret_ea) or is_brk: # "simple" instruction 1083 | logger.trace(" 'simple' instruction flow -> copied as-is") 1084 | code = line.bytes 1085 | 1086 | elif is_ret and ret_ea: # ret (and we should translate it) 1087 | assert not has_drefs 1088 | 1089 | logger.trace(" ret flow") 1090 | code = clone_insn_ret(kp_asm, line, dst_ea, ret_ea) 1091 | 1092 | elif not is_normal_flow: # conditional branch, BL, or tail-call 1093 | assert not has_drefs 1094 | 1095 | # note: we never actually encountered any outlined code with conditional branches or BLs, 1096 | # but tail-call handling is similiar so we're keeping the logic here anyway 1097 | 1098 | logger.trace(" conditional branch, bl or tail-call flow") 1099 | code, target_offset = clone_insn_branch(kp_asm, line, dst_ea, func, ret_ea) 1100 | 1101 | # if the new code jumps into an address internal to our cloned function, we may need 1102 | # to fix it up afterwards (depending on how much we'll move stuff around) 1103 | if target_offset is not None: 1104 | potential_target_fixups[func_offset] = target_offset 1105 | 1106 | elif has_drefs: # memory access 1107 | assert is_normal_flow 1108 | 1109 | # note: we never actually encountered outlined code which did direct memory access 1110 | # but we're keeping the logic here anyway 1111 | 1112 | logger.trace(" memory access flow") 1113 | code = clone_insn_mem(kp_asm, line, dst_ea) 1114 | 1115 | else: 1116 | raise FunctionInlinerException("unexpected instruction") 1117 | 1118 | # write the new code to the clone 1119 | 1120 | 
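# continuation of the cloning routine whose start lies outside this excerpt (reformatted, otherwise unchanged)
                ida_bytes.patch_bytes(dst_ea, code)
                dst_ea += len(code)

        except Exception:
            logger.error(f"failed to clone instruction @ {line.ea:#x}: {line.disasm}")
            raise

    # fix local branch targets if required
    for src_offset, target_offset in potential_target_fixups.items():
        src_ea = clone_ea + clone_offsets[src_offset]
        logger.trace(f"analyzing local branch at {src_ea:#x}")

        current_target_ea = src_ea + (target_offset - src_offset)
        fixed_target_ea = clone_ea + clone_offsets[target_offset]

        if current_target_ea != fixed_target_ea:
            # note: we never actually gotten to this flow in any outlined code we've inlined
            # but we're keeping the logic here anyway

            logger.trace(f" fixing target from {current_target_ea:#x} to {fixed_target_ea:#x}")
            fix_cloned_branch(kp_asm, src_ea, current_target_ea, fixed_target_ea)
        else:
            logger.trace(" no fixing is required")

    # analyze the clone as code
    ida_auto.auto_make_code(clone_ea)

    return dst_ea


# UNDO FUNCTION INLINING


def get_inlined_function_under_cursor():
    """
    Resolve the inlined function the cursor refers to, or None.

    Two cases are recognised, in this order:
      1. the cursor (or the target of the branch/call under it) is the first line of a cloned
         segment -> the function the clone was made from (get_cloned_function());
      2. the cursor is the first line of a function that has entries in ClonesStorage()
         -> that function.
    """
    line = sark.Line()

    # abort on unmapped addresses
    if not ida_bytes.is_mapped(line.ea):
        return None

    # if we're on a branch/call -> analyze its target instead
    for xref in line.xrefs_from:
        if xref.type.is_jump or xref.type.is_call:
            line = sark.Line(xref.to)
            break

    # if we're in a cloned segment -> return the function it was cloned from
    seg = sark.Segment(line.ea)
    if seg is None:  # we're pointing at an old (now non-existant) line
        return None
    func = get_cloned_function(line.ea)
    if line.ea == seg.ea and func:
        return func

    # if we're on the beginning of an inlined function -> return it
    # NOTE(review): sark.Function() is resolved from the cursor, not from `line`, so when the
    # cursor sat on a branch the comparison below is against the caller -- confirm this is intended
    try:
        func = sark.Function()
    except sark.exceptions.SarkNoFunction:
        return None

    storage = ClonesStorage()
    if line.ea == func.ea and func.ea in storage:
        return func

    return None


def undo_inline_function_call(src, func):
    """
    Undo a single inlining of `func` at the caller line `src`.

    Deletes the clone segment recorded in ClonesStorage()[func.ea][src.ea], restores the
    original bytes at src.ea (when that address is still mapped), prunes function tails the
    caller can no longer reach, and finally drops the storage entry.

    The storage entry is dropped even when the caller is no longer inside a function, so the
    metadata never goes stale halfway through an undo.
    """
    storage = ClonesStorage()
    func_storage = storage[func.ea]
    clone_info = func_storage[src.ea]

    logger.debug(f"undoing clone of {func.name} at {clone_info.clone_ea:#x} for caller at {src.ea:#x}")

    # delete the cloned function
    ida_segment.del_segm(clone_info.clone_ea, ida_segment.SEGMOD_KILL)

    if ida_bytes.is_mapped(src.ea):  # maybe this was into another clone that has been undone as well
        # revert the BL patch
        # we don't want to do revert_byte() here, since the patched opcode may have been
        # originally patched (e.g. inlining one outlined function into another outlined function
        # that has been inlined)
        ida_bytes.patch_bytes(src.ea, clone_info.orig_bytes)
        reanalyze_line(src)

        # remove unreachable chunks from the calling function. this may happen in case our clone had
        # function chunks (e.g. it called other outlined functions that were inlined into it)
        try:
            src_func = sark.Function(src)
        except sark.exceptions.SarkNoFunction:
            # the caller may have been detached/split out of any function by now; there are no
            # chunks to prune in that case, but the storage entry below must still be removed
            logger.debug(f" caller at {src.ea:#x} isn't inside a function -> no chunks to prune")
        else:
            for chunk_ea in unreachable_function_chunks_eas(src_func):
                ida_funcs.remove_func_tail(src_func._func, chunk_ea)

    # remove from storage
    del func_storage[src.ea]


def undo_inline_function(func):
    """
    Undo every inlining of `func`: one undo_inline_function_call() per recorded caller, then
    undo_rename_outlined_function().
    """
    storage = ClonesStorage()
    func_storage = storage[func.ea]

    # pre-iterate the generator since we're deleting items inside
    for src_ea, _ in list(func_storage.items()):
        src = sark.Line(src_ea)
        undo_inline_function_call(src, func)

    undo_rename_outlined_function(func)


# FUNCTION EXPLORATION


def fix_function_noret_flags():
    """
    Mark callees that IDA failed to recognise as non-returning.

    For every code reference from a function to an address that isn't inside any function, ask
    IDA for function bounds there. When that fails with FIND_FUNC_UNDEF and the instruction just
    before the reported end is a BL to the start of a function, set FUNC_NORET on that function
    and re-plan the range.

    Returns:
        True if at least one NORET flag was set (the caller is expected to reanalyze then).
    """
    found = False

    # pre-iterate since we might be adding functions inside
    for func in list(sark.functions()):
        for src_ea, target_ea in function_crefs(func):
            try:
                sark.Function(target_ea)
                continue
            except sark.exceptions.SarkNoFunction:
                pass

            # the target is not inside a function, ida probably failed to make one

            logger.debug(f"found call to non-function from {src_ea:#x} to {target_ea:#x}")

            fn = ida_funcs.func_t()
            fn.start_ea = target_ea
            ret = ida_funcs.find_func_bounds(fn, ida_funcs.FIND_FUNC_NORMAL)
            if ret != ida_funcs.FIND_FUNC_UNDEF:
                logger.debug(f" finding function bounds unexpectedly succeeded: {ret}. skipping...")
                continue

            logger.debug(f" making function failed because of undefined instruction @ {fn.end_ea:#x}")
            tail_call = sark.Line(fn.end_ea - 1)

            # we expect that to be because the last insn was a BL to a NORET function which isn't
            # marked as such

            if tail_call.insn.mnem != "BL":
                logger.debug(" didn't find a BL in the last instruction. skipping...")
                continue

            bl_target_ea = get_branch_target_ea(tail_call)
            logger.debug(f" previous instruction is a BL to {bl_target_ea:#x} -> setting to NORET")

            try:
                bl_target_func = sark.Function(bl_target_ea)
            except sark.exceptions.SarkNoFunction:
                logger.debug(" BL target isn't a function. skipping...")
                continue
            if bl_target_func.ea != bl_target_ea:
                logger.debug(" BL target isn't the beginning of a function. skipping...")
                continue

            flags = idc.get_func_flags(bl_target_ea)
            if not (flags & ida_funcs.FUNC_NORET):
                idc.set_func_attr(bl_target_ea, idc.FUNCATTR_FLAGS, flags | ida_funcs.FUNC_NORET)
                ida_auto.plan_range(fn.start_ea, fn.end_ea)
                found = True
            else:
                logger.debug(" BL target was already set to NORET. skipping...")

    return found


def create_missing_functions():
    """
    Create a function at every call/branch target that isn't covered by any function.

    Returns:
        True if at least one function was added.
    """
    found = False

    # pre-iterate since we might be adding functions inside
    for func in list(sark.functions()):
        for src_ea, target_ea in function_crefs(func):
            try:
                sark.Function(target_ea)
                continue
            except sark.exceptions.SarkNoFunction:
                pass

            # the target is not inside a function, make one

            logger.debug(f"found call to non-function from {src_ea:#x} to {target_ea:#x} "
                         "-> making function")

            if ida_funcs.add_func(target_ea):
                found = True
            else:
                logger.debug(" failed to make function")

    return found


def is_data_heuristic(line):
    """
    Guess whether a non-code line really is data: True when something references it as data
    or when all of its bytes are zero (alignment padding); always False for code lines.
    """
    if line.is_code:
        return False

    # data with refs (e.g. jumptable)
    if list(line.drefs_to):
        return True

    # all 00s (alignment data)
    if not any(line.bytes):
        return True

    return False


# IDB PREPROCESSING


def detach_chunk(chunk_ea):
    """
    Turn the function chunk starting at `chunk_ea` into a function of its own.

    The chunk is removed from every parent function, a function is created over its range,
    and tails the parents can no longer reach are pruned.

    Returns:
        The new sark.Function, or None when the chunk has a flow xref into it (in which case
        it has to stay a chunk).
    """
    # check whether we should dechunk this
    chunk = sark.Line(chunk_ea)
    if has_function_flow_xref(chunk):
        logger.debug(f" found flow xref to {chunk_ea:#x} -> shouldn't dechunk")
        return None

    logger.debug(f" detaching chunk @ {chunk_ea:#x}")
    chunk_end_ea = idc.get_fchunk_attr(chunk_ea, idc.FUNCATTR_END)

    # pre-iterate the generator since we're removing fchunks inside
    parents = list(function_chunk_parent_eas(chunk_ea))

    # remove the chunk from each of its parents
    for parent_ea in parents:
        logger.trace(f" removing from parent @ {parent_ea:#x}")
        idc.remove_fchunk(parent_ea, chunk_ea)

    # create a function out of it
    ida_funcs.add_func(chunk_ea, chunk_end_ea)
    func = sark.Function(chunk_ea)

    # remove unreachable chunks from the parents.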
# this may happen in case our detachee has had
    # additional function chunks
    for parent_ea in parents:
        parent_func = sark.Function(parent_ea)
        for chunk_ea in unreachable_function_chunks_eas(parent_func):
            ida_funcs.remove_func_tail(parent_func._func, chunk_ea)

    return func


def dechunk_functions():
    """
    Detach the non-first chunks of every originally-chunked function into functions of their
    own (see detach_chunk()). Chunks that are inlined clones are left alone.

    Newly created functions are appended to the work list and processed in the same pass.

    Returns:
        False when the user cancelled; None otherwise.
    """
    # pre-iterate since we're adding functions inside
    functions = list(sark.functions())

    for func in functions:
        if ida_kernwin.user_cancelled():
            return False

        if not is_originally_chunked_function(func):
            continue

        logger.debug(f"dechunking {func.name}...")

        # pre-iterate the generator since we're removing fchunks inside
        for chunk_ea in list(function_chunk_eas(func)):
            if chunk_ea == func.ea:
                continue  # skip first chunk

            if get_cloned_function(chunk_ea):
                continue  # skip inlined chunks

            new_func = detach_chunk(chunk_ea)

            # add the new function for processing (appending while iterating is intentional:
            # the list is walked to its current end, so new entries are visited too)
            if new_func:
                functions.append(new_func)


def split_outlined_function_trampolines():
    """
    Split "trampolines" off the function that follows them.

    A trampoline here is an unconditional B to the very next instruction where both lines are
    in the same function and the next instruction has external callers; the function is cut
    right after the branch and a new function is made of the remainder.
    """
    for l in sark.lines():
        try:
            insn = l.insn
        except sark.exceptions.SarkNoInstruction:
            continue  # nothing to do here...

        if insn.mnem != "B" or is_conditional_insn(insn):
            continue  # we're looking for unconditional branches

        target_ea = insn.operands[0].addr
        if target_ea != l.end_ea:
            continue  # to the next instruction

        # check if the next instruction is already marked as a different function
        try:
            src_func = sark.Function(l)
            target_func = sark.Function(target_ea)

            if src_func != target_func:
                continue  # it's already split
        except sark.exceptions.SarkNoFunction:
            continue  # nothing to split

        # check if there are external crefs to the next instruction (i.e. someone else has it as
        # a function chunk)
        target = sark.Line(target_ea)
        if not list(external_callers(target)):
            continue  # no external cref. no benefit in splitting

        logger.debug(f"splitting trampoline from adjacent function at {target_ea:#x}")

        # split the function after this branch
        end_ea = src_func.end_ea
        ida_funcs.set_func_end(l.ea, target_ea)
        ida_funcs.add_func(target_ea, end_ea)


def make_function_chunk(line):
    """
    Make the code starting at `line` a function chunk (tail) of every function that calls or
    flows into it.

    If `line` is in the middle of a chunk of a function, that chunk is first cut at `line`;
    the tail is appended to the external callers before being re-added to the original
    function, which is then made its owner.

    Returns:
        The list of functions whose layout changed and should be reprocessed.
    """
    to_reprocess = []

    try:
        func = sark.Function(line)

        # check whether we need to split target's chunk
        chunk_start_ea = idc.get_fchunk_attr(line.ea, idc.FUNCATTR_START)
        should_split = chunk_start_ea != line.ea

        chunk_end_ea = idc.get_fchunk_attr(line.ea, idc.FUNCATTR_END)
    except sark.exceptions.SarkNoFunction:
        func = None
        should_split = None
        chunk_end_ea = ida_idaapi.BADADDR

    if should_split:
        ida_funcs.set_func_end(chunk_start_ea, line.ea)
        reanalyze_line(line.prev)
        to_reprocess.append(func)

    # it's important to first add it to the other callers and not the original function, otherwise
    # IDA will automatically merge it with the chunk we've just removed it from
    for caller in external_callers(line, functions_only=True, include_flow=True):
        for caller_func in containing_funcs(caller):
            if func != caller_func:
                ida_funcs.append_func_tail(caller_func._func, line.ea, chunk_end_ea)
                to_reprocess.append(caller_func)

    if should_split:
        # re-add it to the original function and set it as the owner
        ida_funcs.append_func_tail(func._func, line.ea, chunk_end_ea)
        ida_funcs.set_tail_owner(ida_funcs.get_fchunk(line.ea), func.ea)

    ida_auto.plan_range(line.ea, chunk_end_ea)

    return to_reprocess


def split_function(line):
    """
    Split the function chunk containing `line` so that `line` starts a new function.

    Falls back to make_function_chunk() when the code cannot stand alone: either something
    flows (falls through) into `line`, or the code after the chunk flows back into every
    function that calls `line`.

    Returns:
        Either the list returned by make_function_chunk(), or a (new function, original
        function) tuple -- callers treat both as "functions to reprocess".
    """
    chunk_start_ea = idc.get_fchunk_attr(line.ea, idc.FUNCATTR_START)
    chunk_end_ea = idc.get_fchunk_attr(line.ea, idc.FUNCATTR_END)

    # verify that there's no flow xref into this line
    if has_function_flow_xref(line):
        # try adding it as a function tail to src
        logger.debug(f" found flow xref to {line.ea:#x} -> cannot split function. making function "
                     "chunk instead")
        return make_function_chunk(line)

    # if there's a flow xref back into *all* of our callers, create a function chunk instead
    # NOTE(review): FUNCATTR_END is exclusive, so sark.Line(chunk_end_ea) should already be the
    # line after the chunk; the extra .next skips one more line -- confirm that is intended
    line_after_chunk = sark.Line(chunk_end_ea).next
    if has_function_flow_xref(line_after_chunk):
        # accumulate all of the funcs calling us (incl. a marker for non-func callers)
        calling_funcs = set()
        for caller in external_callers(line, include_flow=True):
            caller_funcs = containing_funcs(caller)
            if not caller_funcs:
                calling_funcs.add(None)
            else:
                calling_funcs.update(caller_funcs)

        if calling_funcs == containing_funcs(line_after_chunk):
            logger.debug(" found flow xref back to all of the the callers -> making function chunk"
                         " instead")
            return make_function_chunk(line)

    # split the function
    logger.debug(f" splitting function chunk at {line.ea:#x}")

    ida_funcs.set_func_end(chunk_start_ea, line.ea)
    reanalyze_line(line.prev)

    ida_funcs.add_func(line.ea, chunk_end_ea)
    ida_auto.plan_range(line.ea, chunk_end_ea)

    return (sark.Function(line.ea), sark.Function(line.prev.ea))


def split_adjacent_functions():
    """
    Split every function that is called/branched into somewhere other than its start.

    Works in rounds: each round splits the targets found, waits for auto-analysis, and then
    reprocesses only the functions the splits touched, until a round changes nothing.

    Returns:
        False when auto-analysis was cancelled; None otherwise. There is no user_cancelled()
        check inside the rounds themselves.
    """
    # pre-iterate since we're adding functions inside
    functions = list(sark.functions())

    while True:
        to_reprocess = []
        for func in functions:
            for src_ea, target_ea in function_crefs(func):
                src = sark.Line(src_ea)
                target = sark.Line(target_ea)

                # check whether we're jumping to the middle of another function
                try:
                    target_func = sark.Function(target.ea)
                except sark.exceptions.SarkNoFunction:
                    logger.debug(f"found flow xref from {src.ea:#x} to non-function.")
                    continue

                if target.ea == target_func.ea:
                    continue

                # if so, split the target function
                logger.debug(f"found call/branch to middle of function from {src.ea:#x} (as part of "
                             f"{func.name}) to {target.ea:#x}")
                more_to_reprocess = split_function(target)

                # queue whatever split_function() reports for the next round (only those; the
                # current `func` is not re-queued)
                if more_to_reprocess:
                    to_reprocess.extend(more_to_reprocess)

        if to_reprocess:
            # wait for what we've previously done to finish analysing
            if not ida_auto.auto_wait():
                return False  # auto-analysis was cancelled

            # repeat with what we need to reprocess
            functions = to_reprocess
        else:
            break


@with_autoanalysis(False)
def explore_idb():
    """
    Run the exploration steps (create_missing_functions, fix_function_noret_flags) in
    rounds, reanalyzing the program after every round that changed something, until a round
    finds nothing.

    Returns:
        True when done, False when auto-analysis or the user cancelled.
    """
    logger.info("exploring IDB...")

    logger.debug("reanalyzing program...")
    reanalyze_program()

    exploration_steps = {
        # some times IDA misses some trivial functions on reanalysis, I'm not sure why, so we do
        # this ourselves as well
        "creating missing functions...": create_missing_functions,
        "fixing missing NORET flags on functions...": fix_function_noret_flags,
    }

    for i in itertools.count():
        found = False
        with wait_box(f"exploring (iteration {i})..."):
            for msg, func in exploration_steps.items():
                logger.debug("waiting for auto-analysis to complete...")
                if not ida_auto.auto_wait():
                    return False  # auto-analysis was cancelled

                logger.info(f"{msg} (iteration {i})")
                # `or` short-circuits: once a step reported a find, the remaining steps of this
                # iteration are skipped; they run again in the next iteration after reanalysis
                found = found or func()

        if ida_kernwin.user_cancelled():
            return False
        if found:
            reanalyze_program()
        else:
            break

    logger.info("exploration done!")
    return True


@with_autoanalysis(False)
def preprocess_idb():
    """
    Run the preprocessing steps (dechunk_functions, split_outlined_function_trampolines,
    split_adjacent_functions) once each, waiting for auto-analysis before every step, then
    reanalyze the program.

    Returns:
        True when done, False when auto-analysis or the user cancelled.
    """
    logger.info("preprocessing IDB...")

    preprocessing_steps = {
        "dechunking functions...": dechunk_functions,
        "splitting trampolines from adjacent functions...": split_outlined_function_trampolines,
        "splitting adjacent functions...": split_adjacent_functions,
    }

    with wait_box("preprocessing..."):
        for msg, func in preprocessing_steps.items():
            logger.debug("waiting for auto-analysis to complete...")
            if not ida_auto.auto_wait():
                return False  #
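# auto-analysis was cancelled  (comment belonging to the `return False` on the previous line)

            logger.info(msg)
            func()

            if ida_kernwin.user_cancelled():
                return False

        reanalyze_program()

    logger.info("preprocessing done!")
    return True


# OUTLINED FUNCTION FINDING


def code_flow_iterator(line, forward=True, stop=None, abort_on_calls=True, dfs=False,
                       ignore_aborts=False, _visited_eas=None):
    """
    Walk the code flow of the function containing `line`, yielding one sark.Line per visited
    instruction (each ea at most once).

    Args:
        line: the starting line; it must be inside a function (sark.Function() raises
            sark.exceptions.SarkNoFunction otherwise).
        forward: follow xrefs_from (True) or xrefs_to (False).
        stop: the line at which to stop (it is yielded, then the walk ends). Defaults to the
            function's last line when going forward and to its first line when going backwards.
        abort_on_calls: raise FunctionInlinerUnknownFlowException as soon as a visited line has
            a code xref leaving the function (a BL or a tail-call).
        dfs: when the flow forks, recurse into every successor; otherwise a fork raises
            FunctionInlinerUnknownFlowException.
        ignore_aborts: at a fork, drop successors whose instruction is BRK before deciding.
        _visited_eas: internal -- the set of already-visited eas shared with the DFS recursion.

    Raises:
        FunctionInlinerUnknownFlowException: see `abort_on_calls` and `dfs`.
    """
    func = sark.Function(line)
    if stop is None:
        if forward:
            stop = sark.Line(func.end_ea - 1)
        else:
            stop = sark.Line(func.start_ea)

    if _visited_eas is None:
        _visited_eas = set()

    while True:
        # each ea is visited at most once, also across the DFS recursion
        if line.ea in _visited_eas:
            break
        _visited_eas.add(line.ea)

        yield line

        # if we encounter a BL or a tail-call, this may be to an actual outlined function, and
        # therefore analysis following this code flow shouldn't treat it as an ABI-complaint
        # function and "skip" it
        if abort_on_calls:
            if any(x.type.is_code and not ida_funcs.func_contains(func._func, x.to) for x in
                   line.xrefs_from):
                raise FunctionInlinerUnknownFlowException()

        if line == stop:
            break

        if forward:
            crefs = [x.to for x in line.xrefs_from if
                     x.type.is_code and ida_funcs.func_contains(func._func, x.to)]
        else:
            crefs = [x.frm for x in line.xrefs_to if
                     x.type.is_code and ida_funcs.func_contains(func._func, x.frm)]

        if len(crefs) == 0:
            break

        if len(crefs) > 1 and ignore_aborts:
            crefs = [x for x in crefs if sark.Line(x).insn.mnem != "BRK"]
            # every successor was an abort -> nothing is left to follow. (without this check the
            # indexing of crefs[0] below raised IndexError for such forks)
            if not crefs:
                break

        if len(crefs) > 1:
            if not dfs:
                raise FunctionInlinerUnknownFlowException()

            # explore all but the last successor recursively; the last one is continued inline
            for cref in crefs[:-1]:
                yield from code_flow_iterator(
                    sark.Line(cref),
                    stop=stop,
                    forward=forward,
                    abort_on_calls=abort_on_calls,
                    dfs=dfs,
                    ignore_aborts=ignore_aborts,
                    _visited_eas=_visited_eas)

            crefs = crefs[-1:]

        line = sark.Line(crefs[0])


def find_function_ends(func, ignore_aborts=False):
    """
    Find the "ends" of `func`: instructions with no successor inside the function (ret or
    tail-call) and instructions whose only successor is themselves.

    Args:
        func: a sark.Function.
        ignore_aborts: stop following a path as soon as it reaches a BRK, without recording it
            as an end.

    Returns:
        An iterator (map object) of sark.Line objects, one per end ea, in set order.
    """
    def is_internal(ea):
        return ida_funcs.func_contains(func._func, ea)

    def finder(ea, visited):
        end_eas = set()

        while ea not in visited:
            visited.add(ea)
            next_eas = [next_ea for next_ea in sark.Line(ea).crefs_from if is_internal(next_ea)]

            # ignore aborts if asked to
            if ignore_aborts and sark.Line(ea).insn.mnem == "BRK":
                break

            # handle ret/tail-call
            if len(next_eas) == 0:
                end_eas.add(ea)
                break

            # handle branch to self
            if len(next_eas) == 1 and next_eas[0] == ea:
                end_eas.add(ea)
                break

            # fork: recurse into the other successors, continue inline with the first
            for next_ea in next_eas[1:]:
                end_eas |= finder(next_ea, visited)

            ea = next_eas[0]

        return end_eas

    end_eas = finder(func.start_ea, set())
    return map(sark.Line, end_eas)


def is_function_prologue(line):
    """
    Return True if `line` is a recognised function prologue instruction: PACIBSP (pointer
    authentication of LR) or BTI c (branch target identification).
    """
    # check LR is signed (relevant only ARMv8.3 code which uses it)
    if line.disasm == "PACIBSP":
        return True

    # check for BTI (relevant only ARMv8.5 code which uses it)
    if line.insn.mnem == "BTI" and line.insn.operands[0].text == "c":
        return True

    return False


def is_function_stack_prologue(line):
    """
    we used to have this logic as part of is_function_prologue() but nowadays stack preparation
    is often outlined as well, so we don't use it
    """

    # expect stack space to be allocated
    insn = line.insn
    ops = insn.operands

    # callee-saved GPRs plus the frame pointer and link register
    potential_stored_regs = set((f"X{i}" for i in range(19, 31))) | set(("FP", "LR"))

    if insn.mnem == "SUB" and ops[0].text == "SP" \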
and ops[1].text == "SP": 1738 | # stack space is allocated explicitly 1739 | stack_space = ops[-1].value 1740 | elif insn.mnem in ("STP", "STR") and ops[-1].base == "SP" and insn.indexing_mode.is_pre and \ 1741 | all(o.text in potential_stored_regs for o in ops[:-1]): 1742 | 1743 | # stack space is allocated inline with the first store 1744 | stack_space = struct.unpack(" {l.disasm}") 1872 | 1873 | # regs that we'll treat as initialized once done with this instruction 1874 | new_initialized_regs = set() 1875 | 1876 | insn = l.insn 1877 | for op in get_insn_ops_with_condition_flags(insn): 1878 | regs = get_op_regs(op) 1879 | 1880 | # special treatment for zeroing regs with EOR 1881 | is_eor = insn.mnem == "EOR" and \ 1882 | insn.operands[0].text == insn.operands[1].text == insn.operands[2].text 1883 | 1884 | for r in regs: 1885 | if op.type.is_displ: 1886 | # if we're reading an initialized reg, it's all good 1887 | if r in initialized_regs: 1888 | continue 1889 | 1890 | logger.trace(f" found uninitialized use of {r}") 1891 | return True 1892 | 1893 | if op.is_read and not is_eor: 1894 | # if we're reading an initialized reg, it's all good 1895 | if r in initialized_regs: 1896 | continue 1897 | 1898 | # if an uninitialized reg is being read it's either that or that it's actually a 1899 | # callee saved reg, and the we're reading it to store it somewhere and reuse that 1900 | # register internally 1901 | if r in potential_callee_saved_regs and insn.mnem in callee_saved_allowed_mnems: 1902 | # if it's the latter case -- we'll remember it 1903 | callee_saved_regs[r] = (l.ea, insn.mnem) 1904 | logger.trace(f" marking {r} as callee saved") 1905 | continue 1906 | 1907 | logger.trace(f" found uninitialized use of {r}") 1908 | return True 1909 | 1910 | elif op.is_write: 1911 | if r in initialized_regs: 1912 | continue 1913 | 1914 | # special treatment for registers who aren't can't be split into parts 1915 | if r == "NZCV": 1916 | logger.trace(f" marking {r} as 
initialized") 1917 | new_initialized_regs.add(r) 1918 | continue 1919 | 1920 | # mark all of the "parts" of this register as initialized 1921 | parts = list(register_parts(r)) 1922 | parts_s = ", ".join(parts) 1923 | logger.trace(f" marking {{{parts_s}}} as initialized") 1924 | new_initialized_regs.update(parts) 1925 | 1926 | initialized_regs |= new_initialized_regs 1927 | except FunctionInlinerUnknownFlowException: 1928 | logger.trace("aborting because code flow cannot be followed any longer...") 1929 | return False 1930 | 1931 | # verify that callee saved regs are actually restored in the end 1932 | # if not -- they were really just used and not stored 1933 | if not callee_saved_regs: 1934 | return False 1935 | 1936 | logger.trace("finished forward pass ; starting backwards pass") 1937 | 1938 | # some functions have multiple ends. in case one of them points to a noret function, 1939 | # the callee saved regs may not be restored, so in case there are multiple function ends 1940 | # we'll just skip this validation 1941 | func_ends = list(find_function_ends(func)) 1942 | if len(func_ends) > 1: 1943 | logger.trace("aborting because more than one function end was found...") 1944 | return False 1945 | 1946 | # we don't have to wrap this code_flow_iterator with try-except, since if the forward-pass 1947 | # didn't find any basic blocks, the backwards pass surely won't 1948 | for l in code_flow_iterator(func_ends[0], forward=False, ignore_aborts=True): 1949 | logger.trace(f"-> {l.disasm}") 1950 | 1951 | insn = l.insn 1952 | for op in get_insn_ops_with_condition_flags(insn): 1953 | for r in op.regs: 1954 | if r not in callee_saved_regs: 1955 | continue 1956 | 1957 | store_ea, store_mnem = callee_saved_regs[r] 1958 | restore_mnem = callee_saved_allowed_mnems[store_mnem] 1959 | 1960 | # the last "use" of the callee saved reg must be to restore it, mnem must match 1961 | # the storing mnem, and the ea must be after that of the storing ea 1962 | if not op.is_write or 
# continuation of is_function_using_uninitialized_regs (its start lies outside this block)
                        insn.mnem != restore_mnem or l.ea < store_ea:
                    logger.trace(f" last use of callee saved {r} isn't restoring")
                    return True

                # it was properly restored -> forget about it
                logger.trace(f" found restore of callee saved {r}")
                del callee_saved_regs[r]
                if not callee_saved_regs:
                    return False

    return False


def is_function_affecting_non_result_regs(func, *, allow_multiple_result_registers=True):
    """
    Return True if `func` writes a register that cannot be a result register -- a sign that
    the function is not ABI-compliant (e.g. compiler-outlined code).

    Result registers start as SP/X29/X30/LR/WZR/XZR plus X0/W0 (or X0-X7/W0-W7 when
    `allow_multiple_result_registers`). A backwards walk from the single function end grows
    that set with every non-result register that is only read (stored to memory or feeding a
    result register). A write into a non-result register is tolerated once, for X19-X28 via
    LDR/LDP, as a possible callee-saved restore; a forward pass then checks that every such
    register was first stored with the matching STR/STP, before the restore.

    Returns False (i.e. "cannot tell") when the function has more than one end or when the
    code flow cannot be followed.
    """
    logger.trace(f"analyzing {func.name} for non-result-registers effects")

    # these special regs can also be affected in the function epilogue
    result_regs = set(("SP", "X29", "X30", "LR", "WZR", "XZR"))

    n = 8 if allow_multiple_result_registers else 1
    for i in range(n):
        result_regs.add(f"W{i}")
        result_regs.add(f"X{i}")

    # callee saved regs can be STR/STP-ed but nothing else
    callee_saved_allowed_mnems = {
        "LDR": "STR",
        "LDP": "STP",
    }
    potential_callee_saved_regs = set((f"X{i}" for i in range(19, 29)))
    callee_saved_regs = dict()  # matches restored reg to (restore ea, restore mnem)

    # some functions have multiple ends. in case one of them points to a noret function,
    # we may be in the midst of a function, and see internally registers being used, so we'll just
    # skip this validation
    func_ends = list(find_function_ends(func, ignore_aborts=True))
    if len(func_ends) > 1:
        logger.trace("aborting because more than one function end was found...")
        return False

    # look for "useless" writes into non-result regs
    try:
        for l in code_flow_iterator(func_ends[0], forward=False, ignore_aborts=True):
            logger.trace(f"-> {l.disasm}")

            # regs that we'll treat as result regs once done with this instruction
            new_result_regs = set()

            insn = l.insn

            for op in get_insn_ops_with_condition_flags(insn):
                regs = get_op_regs(op)

                for r in regs:
                    if op.is_write and not op.type.is_displ:
                        # if we're writing into a result reg, it's all good
                        if r in result_regs:
                            continue

                        # if a non-result reg is being written into it's either that or that it's actually a
                        # callee saved reg, and the we're restoring its value here
                        if r in potential_callee_saved_regs and insn.mnem in callee_saved_allowed_mnems:
                            # if it's the latter case -- we'll remember it
                            callee_saved_regs[r] = (l.ea, insn.mnem)
                            logger.trace(f" marking {r} as callee saved")
                            continue

                        logger.trace(f" found write into non-result reg {r}")
                        return True
                    elif op.is_read or op.type.is_displ:
                        if r in result_regs:
                            continue

                        # if we got here and won't return True on anything else about this instruction,
                        # it means that this non-result reg is read and is either stored into memory
                        # or affects only-result regs. in both of these cases, we should treat it as
                        # a result reg as well

                        # special treatment for registers who aren't can't be split into parts
                        if r == "NZCV":
                            logger.trace(f" marking {r} as result reg")
                            new_result_regs.add(r)
                            continue

                        # mark all of the "parts" of this register as result regs
                        logger.trace(f" marking *{r[1:]} as result regs")
                        new_result_regs.update(register_parts(r))

            # only promote after the whole instruction was examined (see the comment above)
            result_regs |= new_result_regs

    except FunctionInlinerUnknownFlowException:
        logger.trace("aborting because code flow cannot be followed any longer...")
        return False

    # verify that callee saved regs are actually stored in the beginning
    # if not -- they were really just written to and not restored
    if not callee_saved_regs:
        return False

    logger.trace("finished backwards pass ; starting forward pass")

    # NOTE(review): this pass iterates op.regs while the backwards pass uses get_op_regs(op);
    # confirm the two agree on condition-flag handling
    try:
        for l in code_flow_iterator(sark.Line(func.start_ea), ignore_aborts=True):
            logger.trace(f"-> {l.disasm}")

            insn = l.insn
            for op in get_insn_ops_with_condition_flags(insn):
                for r in op.regs:
                    if r not in callee_saved_regs:
                        continue

                    restore_ea, restore_mnem = callee_saved_regs[r]
                    store_mnem = callee_saved_allowed_mnems[restore_mnem]

                    # the first "use" of the callee saved reg must be to store it, mnem must match
                    # the restoring mnem, and the ea must be before that of the restoring ea
                    if not op.is_read or not insn.mnem == store_mnem or l.ea > restore_ea:
                        logger.trace(f" first use of callee saved {r} isn't storing")
                        return True

                    # it was properly stored -> forget about it
                    logger.trace(f" found store of callee saved {r}")
                    del callee_saved_regs[r]
                    if not callee_saved_regs:
                        return False

    except FunctionInlinerUnknownFlowException:
        logger.trace("aborting because code flow cannot be followed any longer...")

    # callee-saved registers that were restored but never seen stored before the flow ended
    # are not reported (the forward walk simply ran out of instructions)
    return False


def is_function_using_uninitialized_stack(func, stack_args_size=0):
    """
    Return True if `func` accesses its stack frame beyond the frame size IDA computed for it
    (plus `stack_args_size` bytes of incoming stack arguments).

    Only instructions referencing SP are examined; the offset of each operand is resolved with
    ida_frame.calc_stkvar_struc_offset(), operands without a stack offset (BADADDR) are
    skipped. Returns False when the code flow cannot be followed.
    """

    logger.trace(f"analyzing {func.name} for stack accesses outside the stack frame")

    size = ida_frame.get_frame_size(func._func) + stack_args_size
    logger.trace(f" frame size: {size:#x}")

    try:
        for l in code_flow_iterator(sark.Line(func.start_ea), ignore_aborts=True):
            logger.trace(f"-> {l.disasm}")

            insn = l.insn

            if not insn.has_reg("SP"):
                continue

            for i in range(len(insn.operands)):
                off = ida_frame.calc_stkvar_struc_offset(func._func, insn._insn, i)

                if off == ida_idaapi.BADADDR:
                    continue

                # an access at exactly `size` is treated as in-bounds here
                if off > size:
                    logger.trace(f" accessed stack frame at offset {off:#x} -> out of bounds")
                    return True
                else:
                    logger.trace(f" accessed stack frame at offset {off:#x}")
    except FunctionInlinerUnknownFlowException:
        logger.trace("aborting because code flow cannot be followed any longer...")

    return False


def is_function_outlined(func, *, include_inlined=False, extra=False):
    """
    Heuristically decide whether `func` is a compiler-outlined function (one that doesn't
    follow the ABI) and hence a candidate for inlining.

    Checks, in order: already inlined (only when `include_inlined`: func.ea is in
    ClonesStorage().items), has external callers at all, has no prologue, reads uninitialized
    registers, clobbers non-result registers, and -- under `extra` only -- accesses the stack
    outside its frame without having set one up. `extra` also narrows the result registers
    to X0/W0.
    """
    if include_inlined:
        if func.ea in ClonesStorage().items:
            return True

    # nothing to do here if we have no callers
    if not list(external_callers(func)):
        return False

    # i'm not really sure about whether outlined functions never have prologues, but we'll see
    if is_function_prologue(sark.Line(func.ea)):
        return False

    if is_function_using_uninitialized_regs(func):
        return True

    # most programs don't really return structs from functions, if "extra" is set, we will assume
    # that X1-X7 aren't really used as return registers
    if \
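is_function_affecting_non_result_regs(func, allow_multiple_result_registers=not extra):
        return True

    if not extra:
        return False

    # this is under "extra" since we don't know how many args func gets so we can't really say
    # if a stack access is out-of-bounds or not
    #
    # however, we assume that a function with more than 8 arguments will have a proper prologue
    # or stack frame set up
    if (not is_function_stack_prologue(sark.Line(func.ea))
            and is_function_using_uninitialized_stack(func)):
        return True

    return False


def find_next_reg_use(line, reg):
    """
    Find the next read of `reg` (or of any of its sub-registers) along the code flow
    starting at `line`.

    The walk is a DFS that does not abort on calls. The first instruction touching the
    register decides: if its operand writes the register the search ends (None), otherwise
    that line is returned. None is also returned when the register is never touched again.

    Raises:
        sark.exceptions.SarkNoFunction: via code_flow_iterator(), when `line` isn't inside a
            function.
    """
    reg_parts = set(register_parts(reg))

    for l in code_flow_iterator(line, abort_on_calls=False, dfs=True):
        for op in l.insn.operands:
            if not op.regs & reg_parts:
                continue
            # an operand that is both read and written counts as a write here
            if op.is_write:
                return None
            else:
                return l


def apply_code_patch(start_ea, end_ea, code, kp_asm=None):
    """
    Write `code` over [start_ea, end_ea), padding the remainder with NOPs, then re-plan the
    range for auto-analysis.

    Args:
        start_ea, end_ea: the range to overwrite; len(code) must not exceed it and the
            leftover must be a whole number of NOPs.
        code: the assembled bytes to write.
        kp_asm: a keypatch.Keypatch_Asm used to assemble the NOP; created on demand when None.

    Note: the size checks are plain asserts and therefore vanish under `python -O`.
    """
    if kp_asm is None:
        kp_asm = keypatch.Keypatch_Asm()

    size = end_ea - start_ea
    assert len(code) <= size

    if len(code) < size:
        nop = bytes(kp_asm.assemble("NOP", 0)[0])
        nop_slide_size = size - len(code)
        assert nop_slide_size % len(nop) == 0
        code += nop * (nop_slide_size // len(nop))

    assert len(code) == size
    ida_bytes.patch_bytes(start_ea, code)
    ida_auto.plan_range(start_ea, end_ea)


def patch_constant_BRs(kp_asm=None):
    """patches snippets of the form:
    ADR/L Xn, sub_1337
    NOP/-
    BR/BLR Xn

    to:
    B/BL sub_1337

    Args:
        kp_asm: a keypatch.Keypatch_Asm to assemble with; created on demand when None.

    Returns:
        False if the user cancelled midway, True otherwise.
    """
    if kp_asm is None:
        kp_asm = keypatch.Keypatch_Asm()

    count = 0
    retval = True
    for l1, l2, l3 in linegroups(3):
        if ida_kernwin.user_cancelled():
            retval = False
            break

        # check if we're at a constant BR
        try:
            if l1.insn.mnem not in ("ADR", "ADRL"):
                continue

            if l1.insn.mnem == "ADR":
                if l2.insn.mnem != "NOP":
                    continue
            else:  # ADRL spans 8 bytes and hence no NOP
                l3 = l2  # align both cases' line numbers

            if l3.insn.mnem not in ("BR", "BLR"):
                continue
        except sark.exceptions.SarkNoInstruction:
            continue

        target_ea = l1.insn.operands[1].value

        r = l1.insn.operands[0].text
        if r != l3.insn.operands[0].text:
            continue

        logger.debug(f"found constant BR to {target_ea:#x} at {l1.ea:#x}")

        # find_next_reg_use() walks the code flow of the enclosing function, so -- exactly as
        # patch_constant_tested_BRs() does -- skip snippets that aren't inside a function instead
        # of letting SarkNoFunction escape
        try:
            sark.Function(l3.next)
        except sark.exceptions.SarkNoFunction:
            logger.debug(f" constant BR is unpatchable because this is not a function and so"
                         f" we couldn't verify whether there's another ref to {r}")
            continue

        # verify that the register isn't used in the rest of the function
        l = find_next_reg_use(l3.next, r)
        if l is not None:
            logger.debug(f" constant BR is unpatchable because there's another ref to {r} at {l.ea:#x}")
            continue

        # patch to a standard call
        call_mnem = l3.insn.mnem[:-1]
        asm = f"{call_mnem} #{target_ea:#x}"  # we drop PAC flags
        code = bytes(kp_asm.assemble(asm, l1.ea)[0])
        apply_code_patch(l1.ea, l3.end_ea, code, kp_asm)

        add_comment(l1, f"FunctionInliner: patched from constant BR using {r}")

        logger.debug(" patched")
        count += 1

    logger.info(f"patched {count} constant BRs")
    return retval


def patch_constant_tested_BRs(kp_asm=None):
    """patches snippets of the form:
    ADR/L Xn, sub_1337
    NOP/-
    CBNZ Xn, do_call
    B dont_call
    do_call:
    BR/BLR Xn
    dont_call:

    to:
    B/BL sub_1337

    Args:
        kp_asm: a keypatch.Keypatch_Asm to assemble with; created on demand when None.

    Returns:
        False if the user cancelled midway, True otherwise.
    """
    if kp_asm is None:
        kp_asm = keypatch.Keypatch_Asm()

    count = 0
    retval = True
    for l1, l2, l3, l4, l5 in linegroups(5):
        if ida_kernwin.user_cancelled():
            retval = False
            break

        # check if we're at a constant BR
        try:
            if l1.insn.mnem not in ("ADR", "ADRL"):
                continue

            if l1.insn.mnem == "ADR":
                if l2.insn.mnem != "NOP":
                    continue
            else:  # ADRL spans 8 bytes and hence no NOP
                l3, l4, l5 = l2, l3, l4  # align both cases' line numbers

            target_ea = l1.insn.operands[1].value
            r = l1.insn.operands[0].text

            if (l3.insn.mnem != "CBNZ"
                    or l3.insn.operands[0].text != r  # noqa: W503
                    or l3.insn.operands[1].addr != l5.ea):  # noqa: W503
                continue

            if (l4.insn.mnem != "B"
                    or l4.insn.operands[0].addr != l5.end_ea):  # noqa: W503
                continue

            if (l5.insn.mnem not in ("BR", "BLR")
                    or l5.insn.operands[0].text != r):  # noqa: W503
                continue
        except sark.exceptions.SarkNoInstruction:
            continue

        logger.debug(f"found constant tested BR to {target_ea:#x} at {l1.ea:#x}")

        # find_next_reg_use() needs the enclosing function
        try:
            sark.Function(l5.next)
        except sark.exceptions.SarkNoFunction:
            logger.debug(f" constant tested BR is unpatchable because this is not a function and so"
                         f" we couldn't verify whether there's another ref to {r}")
            continue

        # verify that the register isn't used in the rest of the function
        l = find_next_reg_use(l5.next, r)
        if l is not None:
            logger.debug(f" constant tested BR is unpatchable because there's another ref to {r} at {l.ea:#x}")
            continue

        # patch to a standard call
        call_mnem = l5.insn.mnem[:-1]
        asm = f"{call_mnem} #{target_ea:#x}"  # we drop PAC flags
        code = bytes(kp_asm.assemble(asm, l1.ea)[0])
        apply_code_patch(l1.ea, l5.end_ea, code, kp_asm)

        add_comment(l1, f"FunctionInliner: patched from constant tested BR using {r}")

        logger.debug(" patched")
        count += 1

    logger.info(f"patched {count} constant tested BRs")
    return retval


def patch_constant_data_BLRs(kp_asm=None):
    """patches snippets of the form: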
2345 | NOP/ADRP 2346 | LDR Xn, =sub_1337 2347 | BLR Xn 2348 | 2349 | where the data lives in a const segment 2350 | 2351 | to: 2352 | BL sub_1337 2353 | """ 2354 | if kp_asm is None: 2355 | kp_asm = keypatch.Keypatch_Asm() 2356 | 2357 | count = 0 2358 | retval = True 2359 | for l1, l2, l3 in linegroups(3): 2360 | if ida_kernwin.user_cancelled(): 2361 | retval = False 2362 | break 2363 | 2364 | # check if we're at a constant BR 2365 | try: 2366 | if l2.insn.mnem != "LDR": 2367 | continue 2368 | 2369 | if l1.insn.mnem == "NOP": 2370 | if not l2.insn.operands[1].type.is_mem: 2371 | continue 2372 | elif l1.insn.mnem == "ADRP": 2373 | if not l2.insn.operands[1].type.is_displ: 2374 | continue 2375 | if not l2.insn.operands[1].reg == l1.insn.operands[0].reg: 2376 | continue 2377 | else: 2378 | continue 2379 | 2380 | r = l2.insn.operands[0].reg 2381 | 2382 | if l3.insn.mnem != "BLR" or l3.insn.operands[0].reg != r: 2383 | continue 2384 | except sark.exceptions.SarkNoInstruction: 2385 | continue 2386 | 2387 | # resolve the loaded addr 2388 | drefs_from = set(drefs_from_eas(l2)) 2389 | if len(drefs_from) == 1: 2390 | p_target_ea = drefs_from.pop() 2391 | else: # this may happen with LDR when the target contains another address 2392 | assert len(drefs_from) == 2 and l2.insn.mnem == "LDR" 2393 | xref = [x for x in l2.xrefs_from if x.type.is_read][0] 2394 | p_target_ea = xref.to 2395 | 2396 | # skip pointers which aren't in __auth_ptr or in const data segments 2397 | p_target_seg_name = sark.Segment(p_target_ea).name 2398 | if p_target_seg_name != "__auth_ptr" and "const" not in p_target_seg_name.lower(): 2399 | continue 2400 | 2401 | target_ea = ida_bytes.get_qword(p_target_ea) 2402 | 2403 | logger.debug(f"found constant data BLR to {target_ea:#x} at {l1.ea:#x}") 2404 | 2405 | # verify that the register isn't used in the rest of the function 2406 | l = find_next_reg_use(l3.next, r) 2407 | if l is not None: 2408 | logger.debug(f" constant data BLR is unpatchable because there's 
another ref to {r} at {l.ea:#x}") 2409 | continue 2410 | 2411 | # patch to a standard call 2412 | asm = f"BL #{target_ea:#x}" # we drop PAC flags 2413 | code = bytes(kp_asm.assemble(asm, l1.ea)[0]) 2414 | apply_code_patch(l1.ea, l3.end_ea, code, kp_asm) 2415 | 2416 | add_comment(l1, f"FunctionInliner: patched from constant data BLR using {r}") 2417 | 2418 | logger.debug(" patched") 2419 | count += 1 2420 | 2421 | logger.info(f"patched {count} constant data BLRs") 2422 | return retval 2423 | 2424 | 2425 | # PLUGIN STUFF 2426 | 2427 | 2428 | class FunctionInlinerActionBase(ida_kernwin.action_handler_t): 2429 | def __init__(self, plugin): 2430 | super().__init__() 2431 | self.plugin = plugin 2432 | 2433 | @property 2434 | def name(self): 2435 | return f"{self.plugin.wanted_name}:{self.__class__.__name__}" 2436 | 2437 | @property 2438 | def label(self): 2439 | return "Inline function under cursor" 2440 | 2441 | @property 2442 | def shortcut(self): 2443 | return None 2444 | 2445 | @property 2446 | def tooltip(self): 2447 | return None 2448 | 2449 | @property 2450 | def icon(self): 2451 | return ida_kernwin.get_action_icon("MakeFunction")[1] 2452 | 2453 | @property 2454 | def flags(self): 2455 | return 0 2456 | 2457 | @property 2458 | def menu_flags(self): 2459 | return 0 2460 | 2461 | @property 2462 | def path(self): 2463 | return f"Edit/Plugins/{self.plugin.wanted_name}/" 2464 | 2465 | def register(self): 2466 | desc = ida_kernwin.action_desc_t( 2467 | self.name, 2468 | self.label, 2469 | self, 2470 | self.shortcut, 2471 | self.tooltip, 2472 | self.icon, 2473 | self.flags 2474 | ) 2475 | ida_kernwin.register_action(desc) 2476 | 2477 | def unregister(self): 2478 | ida_kernwin.unregister_action(self.name) 2479 | 2480 | def activate(self, ctx): 2481 | raise NotImplementedError() 2482 | 2483 | def update(self, ctx): 2484 | raise NotImplementedError() 2485 | 2486 | 2487 | class FunctionInlinerInlineAction(FunctionInlinerActionBase): 2488 | @property 2489 | def label(self): 
2490 | return "Inline function" 2491 | 2492 | @property 2493 | def shortcut(self): 2494 | return "Meta-P" 2495 | 2496 | def activate(self, ctx): 2497 | func = get_function_under_cursor() 2498 | inline_function(func) 2499 | return 1 2500 | 2501 | def update(self, ctx): 2502 | f = get_function_under_cursor() 2503 | if f and list(external_callers(f)): 2504 | return ida_kernwin.AST_ENABLE 2505 | else: 2506 | return ida_kernwin.AST_DISABLE 2507 | 2508 | 2509 | class FunctionInlinerUndoInlineAction(FunctionInlinerActionBase): 2510 | @property 2511 | def label(self): 2512 | return "Undo function inlining" 2513 | 2514 | def activate(self, ctx): 2515 | outlined_func = get_inlined_function_under_cursor() 2516 | undo_inline_function(outlined_func) 2517 | return 1 2518 | 2519 | def update(self, ctx): 2520 | if get_inlined_function_under_cursor(): 2521 | return ida_kernwin.AST_ENABLE 2522 | else: 2523 | return ida_kernwin.AST_DISABLE 2524 | 2525 | 2526 | class FunctionInlinerInlineAllAction(FunctionInlinerActionBase): 2527 | @property 2528 | def label(self): 2529 | return "Inline all outlined functions" 2530 | 2531 | @property 2532 | def menu_flags(self): 2533 | return ida_kernwin.SETMENU_ENSURE_SEP 2534 | 2535 | def activate(self, ctx): 2536 | if not explore_idb(): 2537 | return 1 2538 | if not preprocess_idb(): 2539 | return 1 2540 | if not inline_all_functions(extra=self.plugin.inline_extra): 2541 | return 1 2542 | reanalyze_program() 2543 | return 1 2544 | 2545 | def update(self, ctx): 2546 | return ida_kernwin.AST_ENABLE_ALWAYS 2547 | 2548 | 2549 | class FunctionInlinerInlineAllActionNoPreprocessing(FunctionInlinerActionBase): 2550 | @property 2551 | def label(self): 2552 | return "Inline all outlined functions (no preprocessing)" 2553 | 2554 | def activate(self, ctx): 2555 | if not inline_all_functions(extra=self.plugin.inline_extra): 2556 | return 1 2557 | reanalyze_program() 2558 | return 1 2559 | 2560 | def update(self, ctx): 2561 | return ida_kernwin.AST_ENABLE_ALWAYS 
class FunctionInlinerToggleExtra(FunctionInlinerActionBase):
    """Checkable menu action that flips the plugin's persisted `inline_extra` setting."""

    @property
    def label(self):
        return "Toggle inlining of extra functions"

    @property
    def flags(self):
        # checkable entry whose initial checked state mirrors the stored setting
        flags = ida_kernwin.ADF_CHECKABLE

        if self.plugin.inline_extra:
            flags |= ida_kernwin.ADF_CHECKED

        return flags

    @property
    def menu_flags(self):
        return ida_kernwin.SETMENU_ENSURE_SEP

    @property
    def icon(self):
        return 0

    def activate(self, ctx):
        # IDA has already toggled the check mark; persist the new state
        self.plugin.inline_extra = ida_kernwin.get_action_checked(self.name)[1]
        return 1

    def update(self, ctx):
        return ida_kernwin.AST_ENABLE_ALWAYS


class FunctionInlinerPatchConstantBLRs(FunctionInlinerActionBase):
    """Menu action: run the three constant-register-call patchers under a wait box.

    Each patcher returns False on user cancellation, which stops the sequence.
    """

    @property
    def label(self):
        return "Patch constant register-based calls to regular calls"

    @property
    def icon(self):
        return 0

    def activate(self, ctx):
        if not explore_idb():
            return 1
        with wait_box("patching constant BRs..."):
            if not patch_constant_BRs():
                return 1
            if not patch_constant_tested_BRs():
                return 1
            if not patch_constant_data_BLRs():
                return 1
        return 1

    def update(self, ctx):
        return ida_kernwin.AST_ENABLE_ALWAYS


class FunctionInlinerHooks(ida_kernwin.UI_Hooks):
    """UI hooks that attach the plugin's actions to IDA's menus and popups.

    Args:
        ctx_actions: actions shown in the disassembly/pseudocode context menu.
        menu_actions: actions appended under each action's `path` in the main menu.
    """

    def __init__(self, ctx_actions, menu_actions):
        super().__init__()

        self.ctx_actions = ctx_actions
        self.menu_actions = menu_actions

    def ready_to_run(self):
        # main-menu entries are added once the UI is up
        for action in self.menu_actions:
            ida_kernwin.attach_action_to_menu(
                action.path, action.name, ida_kernwin.SETMENU_APP | action.menu_flags
            )

    def finish_populating_widget_popup(self, form, popup):
        if ida_kernwin.get_widget_type(form) in (ida_kernwin.BWN_DISASM,
                                                 ida_kernwin.BWN_PSEUDOCODE):
            # separator first, then each action pushed to the top; iterating in reverse
            # keeps the final popup order equal to ctx_actions' order
            ida_kernwin.attach_action_to_popup(form, popup, "-", None, ida_kernwin.SETMENU_FIRST)
            for action in reversed(self.ctx_actions):
                ida_kernwin.attach_action_to_popup(
                    form, popup, action.name, None, ida_kernwin.SETMENU_FIRST | action.menu_flags
                )


class FunctionInlinerPlugin(ida_idaapi.plugin_t):
    """IDA plugin entry: registers the actions and hooks for ARM64 IDBs only.

    The `inline_extra` setting is stored in the IDB via a netnode named `NETNODE`, so it
    survives across sessions of the same database.
    """

    version = ida_idp.IDP_INTERFACE_VERSION
    flags = ida_idaapi.PLUGIN_MOD | ida_idaapi.PLUGIN_HIDE

    comment = "inlines functions that were outlined"
    help = ""
    wanted_name = "FunctionInliner"
    wanted_hotkey = ""

    # action classes instantiated in init(); the first tuple feeds the context menu,
    # the second the Edit/Plugins menu
    ctx_actions_types = (FunctionInlinerInlineAction, FunctionInlinerUndoInlineAction)
    menu_actions_types = (
        FunctionInlinerPatchConstantBLRs, FunctionInlinerInlineAllAction,
        FunctionInlinerInlineAllActionNoPreprocessing,FunctionInlinerToggleExtra
    )

    # name of the netnode that holds the plugin's persisted settings
    NETNODE = "$ FunctionInliner.plugin"

    @staticmethod
    def init_logging():
        """Attach a tqdm-aware handler to the module logger and pick the level from TRACE.

        NOTE(review): this adds a handler every time it is called; if IDA re-runs init()
        (e.g. plugin reload) messages will be emitted more than once. `logging.TRACE` is
        not a stdlib level -- presumably registered elsewhere in this file; confirm.
        """
        logger_formatter = logging.Formatter(fmt="{name}.{levelname:<5s}: {message}", style="{")

        class TqdmHandler(logging.StreamHandler):
            # route through tqdm.write so log lines don't corrupt active progress bars
            def emit(self, record):
                msg = self.format(record)
                tqdm.tqdm.write(msg, nolock=True)

        logger_hdlr = TqdmHandler()
        logger_hdlr.setFormatter(logger_formatter)

        logger.addHandler(logger_hdlr)

        if TRACE:
            logger.setLevel(logging.TRACE)
        else:
            logger.setLevel(logging.INFO)

    def is_compatible(self) -> bool:
        """True only for 64-bit ARM databases; everything else makes init() skip."""
        info = ida_idaapi.get_inf_structure()
        return info.procname == "ARM" and info.is_64bit()

    def init(self):
        """Create actions and hooks; returns PLUGIN_SKIP for non-ARM64 IDBs."""
        FunctionInlinerPlugin.init_logging()

        self._netnode = netnode.Netnode(self.NETNODE)

        # initialized before the compatibility check so term() can run safely either way
        self.ctx_actions = []
        self.menu_actions = []
        self.hooks = None

        if not self.is_compatible():
            logger.error("IDB deemed unsuitable (not an ARM64 binary). Skipping...")
            return ida_idaapi.PLUGIN_SKIP

        for t in FunctionInlinerPlugin.ctx_actions_types:
            a = t(self)
            a.register()
            self.ctx_actions.append(a)

        for t in FunctionInlinerPlugin.menu_actions_types:
            a = t(self)
            a.register()
            self.menu_actions.append(a)

        self.hooks = FunctionInlinerHooks(self.ctx_actions, self.menu_actions)
        self.hooks.hook()

        logger.info("initialized successfully")

        return ida_idaapi.PLUGIN_KEEP

    def term(self):
        """Unhook the UI and unregister every action created in init()."""
        if self.hooks:
            self.hooks.unhook()

        for a in self.ctx_actions:
            a.unregister()

        for a in self.menu_actions:
            a.unregister()

    def run(self, arg=0):
        # everything is driven through the actions; the plugin itself has no run behavior
        pass

    @property
    def inline_extra(self) -> bool:
        # an absent key reads as False (presumably .get returns None then -- verify netnode API)
        return bool(self._netnode.get("inline_extra"))

    @inline_extra.setter
    def inline_extra(self, value: bool):
        self._netnode["inline_extra"] = value


def PLUGIN_ENTRY():
    """IDA's plugin factory hook."""
    return FunctionInlinerPlugin()