mirror of
https://github.com/ttttupup/wxhelper.git
synced 2024-11-05 18:09:24 +08:00
134 lines
5.4 KiB
Java
134 lines
5.4 KiB
Java
import java.util.List;
|
|
|
|
import docking.widgets.filter.ContainsTextFilterFactory;
|
|
import docking.widgets.filter.TextFilter;
|
|
import ghidra.app.decompiler.DecompInterface;
|
|
import ghidra.app.decompiler.DecompileOptions;
|
|
import ghidra.app.script.GhidraScript;
|
|
import ghidra.feature.fid.hash.FidHashQuad;
|
|
import ghidra.feature.fid.service.FidService;
|
|
import ghidra.program.model.address.Address;
|
|
import ghidra.program.model.listing.CodeUnit;
|
|
import ghidra.program.model.listing.Function;
|
|
import ghidra.program.model.listing.FunctionManager;
|
|
import ghidra.program.model.mem.MemoryAccessException;
|
|
import ghidra.program.model.symbol.Reference;
|
|
import ghidra.program.model.symbol.ReferenceIterator;
|
|
import ghidra.program.model.symbol.ReferenceManager;
|
|
import ghidra.program.util.string.FoundString;
|
|
import ghidra.util.UndefinedFunction;
|
|
|
|
public class FindSqliteCloseScript extends GhidraScript {
|
|
FidService service;
|
|
DecompInterface decompiler;
|
|
|
|
long sql3close_full_hash = -1574752015815545339L;
|
|
long sql3close_spec_hash = -1262376715505923342L;
|
|
|
|
@Override
|
|
protected void run() throws Exception {
|
|
service = new FidService();
|
|
|
|
decompiler = new DecompInterface();
|
|
DecompileOptions decompileOptions = new DecompileOptions();
|
|
decompiler.setOptions(decompileOptions);
|
|
decompiler.openProgram(currentProgram);
|
|
|
|
List<FoundString> findStrings = findStrings(null, 5, 1, true, false);
|
|
ContainsTextFilterFactory containsTextFilterFactory = new ContainsTextFilterFactory(false, true);
|
|
find_sqlite3Close(findStrings,containsTextFilterFactory);
|
|
|
|
}
|
|
|
|
|
|
|
|
void find_sqlite3Close(List<FoundString> list, ContainsTextFilterFactory factory) throws MemoryAccessException {
|
|
int size = currentProgram.getLanguage().getLanguageDescription().getSize() / 8;
|
|
FunctionManager functionManager = currentProgram.getFunctionManager();
|
|
ReferenceManager referenceManager = currentProgram.getReferenceManager();
|
|
TextFilter textFilter = factory.getTextFilter("unable to close due to unfinalized statements or unfinished backups");
|
|
for (FoundString foundString : list) {
|
|
if(monitor.isCancelled()) {
|
|
break;
|
|
}
|
|
String string = foundString.getString(currentProgram.getMemory());
|
|
if(textFilter.matches(string)) {
|
|
Address address = foundString.getAddress();
|
|
println("=====text addr :"+address.toString() );
|
|
ReferenceIterator referencesTo = referenceManager.getReferencesTo(address);
|
|
while (referencesTo.hasNext()) {
|
|
Reference ref = referencesTo.next();
|
|
Address sql3CloseAddr = ref.getFromAddress();
|
|
Function sql3CloseFunction = functionManager.getFunctionContaining(sql3CloseAddr);
|
|
if(null ==sql3CloseFunction ) {
|
|
continue;
|
|
}
|
|
FidHashQuad hashQuad = service.hashFunction(sql3CloseFunction);
|
|
if(hashQuad.getFullHash() == sql3close_full_hash && hashQuad.getSpecificHash() == sql3close_spec_hash) {
|
|
println("found sql3Close :" + sql3CloseFunction.getName() + " at " + sql3CloseFunction.getEntryPoint() +
|
|
" full hash " + hashQuad.getFullHash() + " specific hash " + hashQuad.getSpecificHash());
|
|
Address entryPoint = sql3CloseFunction.getEntryPoint();
|
|
ReferenceIterator referencesTo2 = referenceManager.getReferencesTo(entryPoint);
|
|
while (referencesTo2.hasNext()) {
|
|
Reference next = referencesTo2.next();
|
|
Address addr = next.getFromAddress();
|
|
Function sql_close_func = functionManager.getFunctionContaining(addr);
|
|
if(null !=sql_close_func ) {
|
|
continue;
|
|
}
|
|
|
|
CodeUnit codeUnitAt = currentProgram.getListing().getCodeUnitAt(addr);
|
|
if(null != codeUnitAt) {
|
|
String mnemonicString = codeUnitAt.getMnemonicString();
|
|
if("JMP".equals(mnemonicString)) {
|
|
CodeUnit codeUnitBefore = currentProgram.getListing().getCodeUnitBefore(addr);
|
|
String mnemonicString2 = codeUnitBefore.getMnemonicString();
|
|
Function function = UndefinedFunction.findFunction(currentProgram, addr, monitor);
|
|
if (null != function) {
|
|
Address entryPoint2 = function.getEntryPoint();
|
|
if("XOR".equals(mnemonicString2)) {
|
|
createFunction(entryPoint2, "sqlite3_close");
|
|
currentProgram.getListing().setComment(entryPoint2, CodeUnit.POST_COMMENT,
|
|
"auto define function: sqlite3_close");
|
|
println("sqlite3_close addr: " + entryPoint2.toString());
|
|
}else if ("MOV".equals(mnemonicString2)) {
|
|
createFunction(entryPoint2, "sqlite3_close_v2");
|
|
currentProgram.getListing().setComment(entryPoint2, CodeUnit.POST_COMMENT,
|
|
"auto define function : sqlite3_close_v2" );
|
|
println("sqlite3_close_v2 addr: " + entryPoint2.toString());
|
|
}
|
|
ReferenceIterator referencesTo3 = referenceManager.getReferencesTo(entryPoint2);
|
|
while (referencesTo3.hasNext()) {
|
|
Reference next2 = referencesTo3.next();
|
|
Address fromAddress = next2.getFromAddress();
|
|
if("XOR".equals(mnemonicString2)) {
|
|
long l = fromAddress.getOffset() - 16*size;
|
|
println("sqlite3_close xref:" + fromAddress.toString());
|
|
printf("sqlite3_api_routines addr: %x \n", l);
|
|
}else if ("MOV".equals(mnemonicString2)) {
|
|
long l = fromAddress.getOffset()- 179*size;
|
|
println("sqlite3_close_v2 xref:" +fromAddress.toString());
|
|
printf("sqlite3_api_routines addr: %x \n", l);
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|