patois / hexraystoolbox Goto Github PK

the example you gave in the copy loop doesn't find this type of code as a valid copy loop:

 while ( v5 )
  {
    result = func(arg, pBuffer, v4, v8);
    if ( result )
      break;
    v5 -= v8;
    v4 += v8;
    pBuffer = &chunk[v8];
    v8 = v5;
    if ( v5 > 0x1000 )
      v8 = 4096;
  }

this is the real life code:

while(leftovers > 0)
{
    result = func(arg, chunk, offset, size_to);
    if ( result )
      break;

    offset  += size_to;
    leftovers    -= size_to;
    chunk = (void *)((uint32_t)pBuffer + size_to);

    size_to  = min(leftovers, (uint32_t)SIZE_4K);
}

how can i fix the example you gave to support this ?

thanks!

I have used this toolbox for some days and it is very helpful for me to locate some code patterns. However, I do not know how to write a query like the follow decompile code pattern:

1 v1=a1+0x10;
2 if(v1)
3 do something

I want to locate the code like line 1 which the left value has been passed to the if expr or others. Because the line 1 is not the sub-expr of line 2, so I think find_child_expr() function cannot work.

if ur gonna use python, please give us pattern matching with sympy or something. hexrays schema is miserable to interact with in python. thx.

There are two places where a program can throw an UnboundLocalError exception:

• https://github.com/patois/HexraysToolbox/blob/master/hr_toolbox.py#L78
• https://github.com/patois/HexraysToolbox/blob/master/hr_toolbox.py#L144

The value of the variable cfunc is assigned only if the variable f is not None.
To fix this, it is enough to initialize the cfunc variable or rewrite the function like this:

def find_item(ea, q, parents=False):
    """find item within AST of decompiled function
    arguments:
    ea:         address belonging to a function
    q:          lambda/function: f(cfunc_t, citem_t) returning a bool
    parents:    False -> discard cexpr_t parent nodes
                True  -> maintain citem_t parent nodes
    returns list of tb_result_t objects
    """

    f = ida_funcs.get_func(ea)
    if not f:
        return list()
    cfunc = hr.decompile(f)
    if not cfunc:
        return list()
    return find_child_item(cfunc, cfunc.body, q, parents)