from idautils import *
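def main():
    """Report copy constructors in the current segment that look compiler generated.

    Walks every function in the segment containing the cursor address,
    demangles its name, and prints the name and address of each function
    that both parses as a copy constructor (``is_copy_constructor``) and
    contains the block-copy byte pattern checked by
    ``is_copy_constructor_compiler_generated``. The output is a list of
    candidates for manual review, not a verdict.
    """
    ea = ScreenEA()
    if ea == idaapi.BADADDR:
        print("Could not get get_screen_ea()")
        return

    for funcea in Functions(SegStart(ea), SegEnd(ea)):
        f = idc.Demangle(GetFunctionName(funcea), GetLongPrm(INF_SHORT_DN))
        # Demangle yields None when the name cannot be demangled; such
        # functions are skipped.
        if f is None:
            continue
        if not is_copy_constructor(f):
            continue
        if is_copy_constructor_compiler_generated(funcea):
            # Parenthesised print matches the call form used above and parses
            # on both Python 2 and 3. "%x" avoids the trailing "L" that hex()
            # appends to long addresses on Python 2.
            print(f + " looks compiler generated! Check it out at " + ("0x%x" % funcea))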
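def is_copy_constructor_compiler_generated(funcea):
    """Return True if the function body contains the block-copy byte pattern.

    The pattern is the x86 sequence ``pop ecx; mov edi, ebx; rep movsd``.
    A match is treated as a hint that the constructor copies the object
    memberwise as raw dwords. The check is a plain substring search over the
    function's bytes, so it is register-specific and not aligned to
    instruction boundaries; other code generation will not match and a
    coincidental byte match is possible. Treat a hit as a lead to verify in
    the disassembly.

    funcea: start address of the function to inspect.
    Returns False when the function bounds or bytes cannot be read.
    """
    # 59 = pop ecx; 8B FB = mov edi, ebx; F3 A5 = rep movsd
    signature = "\x59\x8b\xfb\xf3\xa5"

    end = FindFuncEnd(funcea)
    # FindFuncEnd reports BADADDR when it cannot determine the function end;
    # without this guard the length passed below would be meaningless.
    if end == idaapi.BADADDR or end <= funcea:
        return False

    body = idaapi.get_many_bytes(funcea, end - funcea)
    # get_many_bytes returns None when the range cannot be read; skip the
    # function instead of aborting the whole scan with an AttributeError.
    if body is None:
        return False

    return body.find(signature) != -1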
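def is_copy_constructor(str):
    """Return True when a demangled name has the shape ``Class::Class(Class ...)``.

    The name is split at the first ``(``; the text before it is split at its
    last ``::`` into a (possibly namespace-qualified) class name and a
    function name. The name is accepted when the function name equals the
    last component of the class name and the first whitespace-delimited token
    of the first argument is the class name, qualified or not.

    This is a textual heuristic, not a C++ parser:
    - only the first token of the first argument is compared, so
      ``Foo::Foo(Foo *)`` is accepted as well as ``Foo::Foo(Foo const &)``;
    - a type written with the qualifier first (``const Foo &``) or with the
      reference attached (``Foo&``) is not recognised;
    - template classes whose arguments contain ``,`` or ``::`` are not
      recognised.

    str: demangled function name (the parameter shadows the builtin; the name
         is kept so existing callers are unaffected).
    """
    openparen = str.find("(")
    if openparen == -1:
        # No argument list at all, so there is nothing to compare against.
        return False
    closeparen = str.find(")", openparen + 1)
    if closeparen == -1:
        # Unterminated argument list: treat it as running to the end.
        closeparen = len(str)

    # Split at the LAST "::" so that namespace-qualified classes such as
    # "ns::Foo::Foo(...)" are handled, not only "Foo::Foo(...)".
    qualified_name = str[:openparen]
    separator = qualified_name.rfind("::")
    if separator == -1:
        return False
    classname = qualified_name[:separator]
    functionname = qualified_name[separator + 2:]
    if not classname or not functionname:
        # Empty components would otherwise compare equal to each other.
        return False

    unqualified_class = classname.rsplit("::", 1)[-1]
    if functionname != unqualified_class:
        return False

    firstargument = str[openparen + 1:closeparen].split(",")[0]
    firstargumenttype = firstargument.split(" ", 1)[0]
    return firstargumenttype in (classname, unqualified_class)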
# Start the scan only when the file is run as a script, not when imported.
if __name__ == "__main__":
    main()