plympton 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0c809128838470cc20b4ae9b7bac312bd736b33b
+  data.tar.gz: a770fb56e21f7c3f0bf1abda87a6873629f87094
+SHA512:
+  metadata.gz: 57781fabc6343ce5c5e3fb35dea0ad55525694026d2bbfd2da24302276f2ae9f3af4696c97f45235046d84c0586304097912a3536cfe68c5a39509b52d386386
+  data.tar.gz: 6970e51b07c92beead632679de4b653ac6d0d4b82e1f690bb59a38600791049e5e6c6904036c07c2e1fc87038c967096c82c00da5ac1ebbcda70e01572a75eac

data/.coveralls.yml

@@ -0,0 +1 @@
+service_name: travis-ci

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.rspec

@@ -0,0 +1 @@
+--color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.1.0
+  - 2.1.2 

data/Gemfile

@@ -0,0 +1,15 @@
+source "http://gemcutter.org"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+   gem "jeweler", "~> 2.0"
+   gem "yard", "~> 0.8"
+   gem "rspec", "~> 3.1"
+   gem "bundler", ">= 1.0"
+end
+
+gem 'nokogiri', '~> 1.6'
+gem 'antlr3', '~> 1.10'
+gem 'narray', '~> 0.6'
+gem 'coveralls', require: false

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2011 rogwfu
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,24 @@
+# plympton
+
+A gem to read program disassembly from a YAML dump.  The YAML dump is generated from an IDA Pro python script.  This script is included along with this Gem (func.py)
+
+## Status
+[![Build Status](https://travis-ci.org/rogwfu/plympton.png)](https://travis-ci.org/rogwfu/plympton)
+[![Coverage Status](https://coveralls.io/repos/rogwfu/plympton/badge.png)](https://coveralls.io/r/rogwfu/plympton)
+[![Dependency Status](https://www.versioneye.com/user/projects/543603aab2a9c5dd3d000092/badge.svg?style=flat)](https://www.versioneye.com/user/projects/543603aab2a9c5dd3d000092)
+
+## Contributing to plympton
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+## Copyright
+
+Copyright (c) 2014 Roger Seagle. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,48 @@
+# encoding: utf-8
+require 'rake'
+require 'jeweler'
+
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "plympton"
+  gem.homepage = "http://github.com/rogwfu/plympton"
+  gem.license = "MIT"
+  gem.summary = %Q{Reads a YAML dump of a program's disassembly from IDA Pro}
+  gem.description = %Q{A Gem to read program disassembly from a YAML dump.  The YAML dump is generated from an ida pro python script.  This script is included along with this Gem (func.py)}
+  gem.email = "roger.seagle@gmail.com"
+  gem.authors = ["Roger Seagle"]
+  gem.required_ruby_version = '>= 1.9.3'
+end
+
+
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+RSpec::Core::RakeTask.new(:rcov) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :default => :spec
+
+#require 'rake/rdoctask'
+require 'rdoc/task'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "plympton #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+# Rake Task for building yard doc
+require 'yard'
+YARD::Rake::YardocTask.new do |t|
+	t.options = ['--exclude', 'bin/*']
+end

data/VERSION

@@ -0,0 +1 @@
+1.1.0

data/bin/func-auto.py

@@ -0,0 +1,431 @@
+import yaml
+import idascript
+import idc
+
+class Object(yaml.YAMLObject):
+    yaml_tag = u'!fuzz.io,2011/Object'
+    def __init__(self, textSegmentStart, textSegmentEnd):
+        self.name = GetInputFilePath() 
+        self.functionList = []
+        self.importList = []
+        self.textSegmentStart = textSegmentStart
+        self.textSegmentEnd = textSegmentEnd
+
+        #
+        # Pull out all information about functions
+        #
+        self.initialize_functions()
+
+        self.numFunctions = len(self.functionList)
+        self.numImports = len(self.importList)
+        self.numBlocks = self.iter_functions()
+        self.textSegmentStart = hex(textSegmentStart)
+        self.textSegmentEnd = hex(textSegmentEnd)
+
+    def initialize_functions(self): 
+        #
+        # Iterate through all of the functions
+        #
+        for fn in Functions(self.textSegmentStart, self.textSegmentEnd):
+            tmp = Function(fn)
+            if not tmp.isImport:
+        	    self.functionList.append(tmp)
+            else:
+                self.importList.append(tmp)
+
+    def iter_functions(self):
+        blockCount = 0
+        for fn in self.functionList:
+            blockCount = blockCount + fn.iter_chunks()
+
+        return(blockCount)
+
+#
+# Create a class for a function
+#
+class Function(yaml.YAMLObject):
+    yaml_tag = u'!fuzz.io,2011/Function'
+    def __init__(self, effectiveAddress):
+        self.name = Name(effectiveAddress) 
+        self.argSize = 0
+        self.numArgs = 0
+        self.numLocalVars = 0
+        self.isImport = False
+        self.chunkList = [] 
+        self.numChunks = 0
+        self.cyclomaticComplexity = 0
+        
+        #
+        # Get the function flags, structure, and frame info
+        #
+        flags = GetFunctionFlags(effectiveAddress)
+        funcStruct = idaapi.get_func(effectiveAddress) 
+        frameStruct  = idaapi.get_frame(funcStruct)
+
+        # if we're not in a "real" function. set the id and ea_start manually and stop analyzing.
+        if not funcStruct or flags & FUNC_LIB or flags & FUNC_STATIC:
+            self.startAddress   = hex(effectiveAddress) 
+            self.endAddress     = hex(effectiveAddress) 
+            self.name = idaapi.get_name(effectiveAddress, effectiveAddress) 
+            self.savedRegSize       = 0
+            self.localVarSize       = 0  
+            self.frameSize          = 0 
+            self.retSize            = 0
+            self.isImport  = True
+            
+            #
+            # Need to fix these if possible
+            #
+            self.argSize            = 0 
+            self.numArgs            = 0
+            self.numLocalVars       = 0
+            return 
+
+		#
+		# So we know we're in a real function
+		#
+        self.startAddress       = funcStruct.startEA
+        self.endAddress         = hex(PrevAddr(funcStruct.endEA))
+        self.savedRegSize       = funcStruct.frregs
+        self.localVarSize       = funcStruct.frsize 
+        self.frameSize          = idaapi.get_frame_size(funcStruct)
+        self.retSize            = idaapi.get_frame_retsize(funcStruct)
+
+        print("=========================================")
+        print("Frame Size %d" % self.frameSize)
+        print("EIP Return Size %d" % self.retSize)
+        print("Saved Registers Size %d" % self.savedRegSize)
+        print("Locals Size %d" % self.localVarSize)
+        print("=========================================")
+        print("Function name: %s" % self.name)
+
+        #
+        # Fixup numbers for arguments and local variables
+        #
+        self.__init_args_and_local_vars__(funcStruct, frameStruct)
+
+        #
+        # Initialize chunks
+        #
+        self.collect_function_chunks()
+        self.cyclomaticComplexity = self.calculate_cyclomatic_complexity(self.startAddress)
+        self.startAddress       = hex(self.startAddress)
+
+    def calculate_cyclomatic_complexity (self, function_ea):
+        '''Calculate the cyclomatic complexity measure for a function.
+		    
+	       Given the starting address of a function, it will find all
+           the basic block's boundaries and edges between them and will
+           return the cyclomatic complexity, defined as:
+
+           CC = Edges - Nodes + 2
+		   http://www.openrce.org/articles/full_view/11
+        '''
+
+        f_start = function_ea
+        f_end = FindFuncEnd(function_ea)
+
+        edges = set([])
+        boundaries = set((f_start,))
+    
+        # For each defined element in the function.
+        for head in Heads(f_start, f_end):
+
+            # If the element is an instruction
+            if isCode(GetFlags(head)):
+        
+				# Get the references made from the current instruction
+				# and keep only the ones local to the function.
+				refs = CodeRefsFrom(head, 0)
+				refs = set(filter(lambda x: x>=f_start and x<=f_end, refs))
+
+				if refs:
+					# If the flow continues also to the next (address-wise)
+					# instruction, we add a reference to it.
+					# For instance, a conditional jump will not branch
+					# if the condition is not met, so we save that
+					# reference as well.
+					next_head = NextHead(head, f_end)
+					if isFlow(GetFlags(next_head)):
+						refs.add(next_head)
+                
+					# Update the boundaries found so far.
+					boundaries.update(refs)
+                            
+					# For each of the references found, and edge is
+					# created.
+					for r in refs:
+						# If the flow could also come from the address
+						# previous to the destination of the branching
+						# an edge is created.
+						if isFlow(GetFlags(r)):
+							edges.add((PrevHead(r, f_start), r))
+						edges.add((head, r))
+
+	return len(edges) - len(boundaries) + 2
+
+    def __init_args_and_local_vars__ (self, funcStruct, frameStruct):
+        '''
+        Calculate the total size of arguments, # of arguments and # of local variables. Update the internal class member
+        variables appropriately. Taken directly from paimei
+        '''
+        # Initialize some local variables
+        args = {}
+        local_vars = {} 
+
+        if not frameStruct:
+            return
+
+        argument_boundary = self.frameSize 
+        frame_offset      = frameStruct.get_member(0).soff
+
+
+        for i in xrange(0, frameStruct.memqty):
+            end_offset = frameStruct.get_member(i).soff
+
+            if i == frameStruct.memqty - 1:
+                begin_offset = frameStruct.get_member(i).eoff
+            else:
+                begin_offset = frameStruct.get_member(i+1).soff
+
+            frame_offset += (begin_offset - end_offset)
+
+            # grab the name of the current local variable or argument.
+            name = idaapi.get_member_name(frameStruct.get_member(i).id)
+            print("=============================")
+            print("Name: %s" % name)
+#            print "Agument Boundary: %d" % argument_boundary
+#            print "Frame offset: %d" % frame_offset
+            print("End offset: %d" % end_offset)
+            print("Begin Offset: %d" % begin_offset)
+#            print("Frame offset: %d\n" % frame_offset)
+            print("=============================")
+
+            if name == None:
+                continue
+
+            if frame_offset > argument_boundary:
+                args[end_offset] = name
+#            if name.startswith("arg_"):
+#                args[end_offset] = name
+#                self.argSize = self.argSize + (begin_offset - end_offset) 
+            else:
+                # if the name starts with a space, then ignore it as it is either the stack saved ebp or eip.
+                # XXX - this is a pretty ghetto check.
+                if not name.startswith(" "):
+                    local_vars[end_offset] = name
+        self.argSize       = frame_offset - argument_boundary
+        self.numArgs       = len(args)
+        self.numLocalVars  = len(local_vars)
+
+    def iter_chunks(self):
+        chunkBlockCount = 0
+        for ch in self.chunkList:
+            chunkBlockCount = chunkBlockCount + len(ch.blockList)
+
+        return(chunkBlockCount)
+
+    def collect_function_chunks(self):
+        '''
+        Generate and return the list of function chunks (including the main one) for the current function. Ripped from idb2reml (Ero Carerra). Modified slightly by Roger Seagle.
+
+        @rtype:  None 
+        @return: None 
+        '''
+
+        #
+        # Loop through all chunks for a function
+        #
+        iterator = idaapi.func_tail_iterator_t(idaapi.get_func(self.startAddress))
+        status   = iterator.main()
+
+        while status:
+            chunk = iterator.chunk()
+            tmp = Chunk(chunk)
+            self.chunkList.append(tmp)
+            status = iterator.next()
+
+#
+# Create a class for a basic block
+#
+class Chunk(yaml.YAMLObject):
+    yaml_tag = u'!fuzz.io,2011/Chunk'
+    def __init__(self, chunk):
+        self.startEA = chunk.startEA 
+        self.endEA  = chunk.endEA 
+        self.blockList = []
+        self.numBlocks = 0
+
+        #
+        # Just to get it started
+        #
+        block_start = self.startEA
+
+    #
+    # Might be a bug? (effective address that has code mixed in and no ret instruction
+    # Or effective address just calls exit (there is no return instruction!!!!)
+    #
+
+        #
+        # Break down the chunk into blocks
+        #
+        for effectiveAddress in Heads(self.startEA, self.endEA):
+
+            #
+            # Ignore Head if data
+            #
+            if not isCode(GetFlags(effectiveAddress)):
+                continue
+
+            prev_ea = PrevNotTail(effectiveAddress)
+            next_ea = NextNotTail(effectiveAddress)
+
+            #
+            # Get the list of places branched to and from
+            #
+            branchesTo   = self._branches_to(effectiveAddress)
+            branchesFrom = self._branches_from(effectiveAddress)
+
+
+            # ensure that both prev_ea and next_ea reference code and not data.
+            while not isCode(GetFlags(prev_ea)):
+                prev_ea = PrevNotTail(prev_ea)
+
+            while not isCode(GetFlags(next_ea)):
+                next_ea = PrevNotTail(next_ea)
+
+            # if the current instruction is a ret instruction, end the current node at ea.
+            if idaapi.is_ret_insn(effectiveAddress):
+                tmp = Block(block_start, effectiveAddress, branchesTo, branchesFrom)
+                self.blockList.append(tmp)
+                block_start = next_ea
+
+            elif branchesTo and block_start != effectiveAddress:
+                tmp = Block(block_start, effectiveAddress, branchesTo, branchesFrom)
+                self.blockList.append(tmp)
+
+                # start a new block at ea.
+                block_start = effectiveAddress
+
+            # if there is a branch from the current instruction, end the current node at ea.
+            elif branchesFrom:
+                tmp = Block(block_start, effectiveAddress, branchesTo, branchesFrom)
+                self.blockList.append(tmp)
+
+                # start a new block at the next ea
+                block_start = next_ea
+
+        #
+        # Calculate the number of blocks
+        #
+        self.numBlocks = len(self.blockList)
+
+        #
+        # Covert addresses to hex
+        #
+        self.startEA = hex(self.startEA) 
+        self.endEA  = hex(self.endEA) 
+
+####################################################################################################################
+    def _branches_from (self, ea):
+        '''
+        Enumerate and return the list of branches from the supplied address, *including* the next logical instruction.
+        Part of the reason why we even need this function is that the "flow" argument to CodeRefsFrom does not appear
+        to be functional.
+
+        @type  ea: DWORD
+        @param ea: Effective address of instruction to enumerate jumps from.
+
+        @rtype:  List
+        @return: List of branches from the specified address.
+        '''
+
+        if idaapi.is_call_insn(ea):
+            return []
+
+        xrefs = list(CodeRefsFrom(ea, 1))
+
+        # if the only xref from ea is next ea, then return nothing.
+        if len(xrefs) == 1 and xrefs[0] == NextNotTail(ea):
+            xrefs = []
+
+        return xrefs
+
+
+    ####################################################################################################################
+    def _branches_to (self, ea):
+        '''
+        Enumerate and return the list of branches to the supplied address, *excluding* the previous logical instruction.
+        Part of the reason why we even need this function is that the "flow" argument to CodeRefsTo does not appear to
+        be functional.
+
+        @type  ea: DWORD
+        @param ea: Effective address of instruction to enumerate jumps to.
+
+        @rtype:  List
+        @return: List of branches to the specified address.
+        '''
+
+        xrefs        = []
+        prev_ea      = PrevNotTail(ea)
+        prev_code_ea = prev_ea
+
+        while not isCode(GetFlags(prev_code_ea)):
+            prev_code_ea = PrevNotTail(prev_code_ea)
+
+        for xref in list(CodeRefsTo(ea, 1)):
+            if not idaapi.is_call_insn(xref) and xref not in [prev_ea, prev_code_ea]:
+                xrefs.append(hex(xref))
+
+        return xrefs
+
+#
+# Create a class for a basic block
+#
+class Block(yaml.YAMLObject):
+    yaml_tag = u'!fuzz.io,2011/Block'
+    def __init__(self, effectiveAddressStart, effectiveAddressEnd, branchesTo, branchesFrom): 
+        self.startEA = hex(effectiveAddressStart)
+        self.endEA = hex(effectiveAddressEnd)
+        self.branchTo = branchesTo
+        branchFr = []
+        		
+        #
+        # Covert branches to hex addresses
+        #
+        for i in range(len(branchesFrom)):
+            branchFr.append(hex(branchesFrom[i]))
+
+        self.branchFrom = branchFr
+
+        #
+        # Get the number of instructions in the block
+        #
+        heads = [head for head in Heads(effectiveAddressStart, effectiveAddressEnd + 1) if isCode(GetFlags(head))]
+        self.numInstructions = len(heads)
+
+# Wait for the analysis to stop
+idaapi.autoWait()
+
+# Create the filenames to dump and log
+yamlFilename  = os.environ['PWD'] + "/" + GetInputFile() + ".fz" 
+
+# Open the file
+yamlFile = open(yamlFilename, 'w')
+
+# Get the start and end of the text section
+textSegmentSelector = SegByName("__text")
+textSegmentStart = SegByBase(textSegmentSelector)
+textSegmentEnd = SegEnd(textSegmentStart)
+
+# Pull out all the information
+disassembledObject = Object(textSegmentStart, textSegmentEnd)
+
+# Dump the disassembled Object info in a portable format
+yaml.dump(disassembledObject, yamlFile, default_flow_style=False)
+
+# Be nice close the file
+yamlFile.close()
+
+# Exit IDA Pro
+Exit(0)