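#
# IDAPython script for IDA Pro
# Slightly modified from https://github.com/googleprojectzero/p0tools/blob/master/TrapFuzz/findPatchPoints.py
#
# Collects the start address of every basic block inside the code segment
# ("__text" on Mach-O, ".text" on ELF) of the loaded binary and writes them,
# one hex value per line, to ~/Desktop/patches.txt.  The first line of that
# file is "<root filename>:<size>", where <size> is the highest block start
# address seen, rounded up to a 0x1000 page boundary.
#

import os.path
from os.path import expanduser

import idautils
import idaapi
import ida_nalt
import idc

# See https://www.hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml

# Page granularity used both for rounding the reported size and for the
# per-segment rebase of recorded addresses (see _collect_patchpoints).
PAGE_SIZE = 0x1000

# Only these segments are scanned; everything else is skipped.
CODE_SEGMENT_NAMES = ("__text", ".text")

home = expanduser("~")
# Single definition of the output location so the log line and the open()
# call cannot drift apart.
output_path = os.path.join(home, "Desktop", "patches.txt")


def _round_up_to_page(value, page_size=PAGE_SIZE):
    """Return *value* rounded up to the next multiple of *page_size*.

    A value that is already page aligned (including 0) is returned unchanged.
    """
    remainder = value % page_size
    if remainder:
        value += page_size - remainder
    return value


def _collect_patchpoints():
    """Walk the code segment(s) of the open database.

    Returns:
        (patchpoints, max_offset): *patchpoints* is a set of basic-block
        start addresses (after the per-segment rebase described below);
        *max_offset* is the highest block start address seen, **before**
        any rebase, and is used to size the output.
    """
    patchpoints = set()
    max_offset = 0
    for seg_ea in idautils.Segments():
        if idc.get_segm_name(seg_ea) not in CODE_SEGMENT_NAMES:
            continue
        seg_start = idc.get_segm_start(seg_ea)
        seg_end = idc.get_segm_end(seg_ea)
        # Per-segment rebase, kept from the upstream TrapFuzz script: the
        # first block whose address is at or above PAGE_SIZE switches on a
        # PAGE_SIZE subtraction for every address recorded from then on in
        # this segment.  max_offset deliberately keeps the unadjusted value.
        subtract_addr = 0
        rebase_decided = False
        for func_ea in idautils.Functions(seg_start, seg_end):
            func = idaapi.get_func(func_ea)
            if not func:
                continue
            for block in idaapi.FlowChart(func):
                block_ea = block.start_ea
                if not seg_start <= block_ea < seg_end:
                    # Block lies outside its own segment; likely a broken CFG.
                    continue
                if not rebase_decided and block_ea >= PAGE_SIZE:
                    subtract_addr = PAGE_SIZE
                    rebase_decided = True
                max_offset = max(max_offset, block_ea)
                patchpoints.add(block_ea - subtract_addr)
    return patchpoints, max_offset


def _write_patchpoints(path, root_filename, size, patchpoints):
    """Write the "<root_filename>:<size>" header, then one sorted hex address per line.

    The file always ends with a newline; with no patchpoints it holds only
    the header line followed by an empty line.
    """
    with open(path, "w", encoding="utf-8") as out:
        out.write(root_filename + ":" + hex(size) + "\n")
        out.write("\n".join(map(hex, sorted(patchpoints))))
        out.write("\n")


patchpoints, max_offset = _collect_patchpoints()

# Round max_offset up to page size
size = _round_up_to_page(max_offset)

print("Writing to " + output_path)
_write_patchpoints(output_path, ida_nalt.get_root_filename(), size, patchpoints)
print("Done, found {} patchpoints".format(len(patchpoints)))

# For headless script running remove the comment from the next line
# (it also needs `import ida_pro` at the top of this file).
# ida_pro.qexit()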