Create hopper_search_block.py #10
base: master
Conversation
Python script for Hopper Disassembler v4
Hi, thank you very much for writing the Hopper version of the script. Sorry it took so long to get back to you; some personal matters got in the way.
Over the last couple of days I tested this script in detail and found some problems in it. If you have time, I hope you can look carefully at my commit and revise the script.
I am not very familiar with Hopper's Python API, so some of the contents of the commit may not be correct either. If you have any thoughts, feel free to keep the discussion going.
PS: A junior schoolmate of mine actually wrote a script for Hopper v3 earlier, but because Hopper itself had some bugs (after saving the file and reloading it, reference information would be lost), it was quite a trap, so only the IDA script was officially released. After Hopper v4 I stopped paying much attention since I don't use it often. If you run into any strange pitfalls while debugging, talk it over with more people; it may really be a Hopper bug...
if IS_MAC:
    codeRefs = filter(lambda x: TextSeg.getInstructionAtAddress(x).getInstructionString() == 'call', refsTo)
else:
    codeRefs = filter(lambda x: TextSeg.getInstructionAtAddress(x).getInstructionString() == 'bl', refsTo)
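Review bot: both `filter` lambdas call `getInstructionString()` on whatever `TextSeg.getInstructionAtAddress(x)` returns without first confirming that `x` is code, so a reference that lands on read-only data inside the text segment reaches this call with something that is not an instruction; check `TextSeg.getTypeAtAddress(x)` before fetching the instruction and treat a missing instruction as "not a call" rather than dereferencing it. The `IS_MAC` split also duplicates the whole expression only to change the mnemonic; a single `filter` against a set chosen once (`'call'` on macOS, `'bl'` otherwise) is easier to keep in sync when more call forms such as `blx` need to be handled.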
This check is better written with getTypeAtAddress. The current form will go wrong, because the ObjC class_method structures are also in the Text segment; fetching an instruction there directly will fail, since that address may not be an instruction at all but read-only data in the Text segment.
if IS_MAC:
    return super_func_addr
else:
    return super_func_addr | TextSeg.isThumbAtAddress(block_func) # thumb
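Review bot: the `if IS_MAC:` branch is a plain `return super_func_addr`, identical to the `else` branch minus the Thumb term, so the conditional can collapse to `if not IS_MAC:` followed by one return. OR-ing the boolean from `isThumbAtAddress(block_func)` into the address also relies on `True == 1`; if the Thumb bit is kept at all, write the intent explicitly and document that callers must clear bit 0 before using the value as an address, since the thread notes the flag exists only for internal consistency.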
On my side, with Hopper 4.0.8, calling TextSeg.isThumbAtAddress(block_func) frequently crashes. It is not a Python exception in the script; the whole Hopper process crashes. I suspect a Hopper bug. I don't know what your environment is.
Consider removing every "| isThumbAtAddress" and checking whether the results are still correct. As I recall, carrying the Thumb flag bit here was only for internal consistency; in theory, removing it and handling things properly elsewhere should not affect the final result. Just verify that the final result is correct.
if superBlockFuncAddr == None:
    return "";
if not IS_MAC:
    superBlockFuncAddr = superBlockFuncAddr | TextSeg.isThumbAtAddress(superBlockFuncAddr) # thumb
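Review bot: `superBlockFuncAddr == None` should be `superBlockFuncAddr is None`, and `return "";` carries a stray semicolon. Returning an empty string as the "not found" value while every other path yields an address makes the result type ambiguous for callers; returning `None` consistently (and checking for it) avoids a string silently flowing into later address arithmetic such as the `|` on the next line.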
Same as the isThumbAtAddress comment above.
allRefToBlock=[]
StackBlockAddr = doc.getAddressForName("__NSConcreteStackBlock")
# if IS32BIT:
allRefToBlock = DataSeg.getReferencesOfAddress(SymbolSeg.getReferencesOfAddress(StackBlockAddr)[0])
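Review bot: `SymbolSeg.getReferencesOfAddress(StackBlockAddr)[0]` raises IndexError when the symbol has no references and otherwise picks whichever reference happens to be listed first, which is the ordering problem raised in the thread; `StackBlockAddr` is also never checked for the not-found case before it is used. Either iterate over all references and keep the ones that fall in the text segment, or at minimum guard the empty list and the missing symbol. The commented-out `# if IS32BIT:` should be removed or completed, since as written it suggests a 32-bit path that does not exist.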
The way this __NSConcreteStackBlock symbol address is selected is not quite right; the symbol you want is not necessarily the first one. Consider the code below. I tested it briefly here and it seems to work, though there may still be problems.
I think you probably thought of the version below first but in the end did not adopt it, perhaps because of a problem I have not run into. We can discuss this in more detail.
StackBlockAddr = doc.getAddressForName("__NSConcreteStackBlock")
allRefToBlock = SymbolSeg.getReferencesOfAddress(StackBlockAddr)
allRefToBlock = filter(lambda x:isInText(x), allRefToBlock)
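The two review points above (check getTypeAtAddress before reading an instruction, and keep every __NSConcreteStackBlock reference that lies in the text segment instead of indexing `[0]`) are worked through below as an added example. This is not code from the pull request or from Hopper: the method names follow the Hopper API as used in the thread, while the `Fake*` classes, the `TYPE_*` constant names and the sample addresses are constructed stand-ins so the logic can run outside Hopper.

```python
# Added example, not part of the pull request or the Hopper API. Implements the two
# review points in the thread: (1) only read an instruction once getTypeAtAddress says
# the address is code, (2) take every __TEXT reference to __NSConcreteStackBlock rather
# than the first one. Fake* classes, TYPE_* names and addresses are constructed stand-ins.

# Stand-ins for Hopper's Segment.TYPE_* constants (assumed names; values are arbitrary).
TYPE_CODE = "code"
TYPE_PROCEDURE = "procedure"
TYPE_STRUCTURED = "structured"   # e.g. ObjC class_method tables that live inside __TEXT

CALL_MNEMONICS = {"call", "bl", "blx"}  # x86-64 and ARM/Thumb call forms


class FakeInstruction(object):
    def __init__(self, mnemonic):
        self.mnemonic = mnemonic

    def getInstructionString(self):
        return self.mnemonic


class FakeSegment(object):
    """Minimal stand-in for a Hopper Segment (constructed for this example)."""

    def __init__(self, start, length, types, instructions, references):
        self.start = start
        self.length = length
        self.types = types                # addr -> TYPE_* constant
        self.instructions = instructions  # addr -> FakeInstruction (code addresses only)
        self.references = references      # addr -> list of addresses that refer to it

    def getStartingAddress(self):
        return self.start

    def getLength(self):
        return self.length

    def getTypeAtAddress(self, addr):
        return self.types.get(addr, TYPE_STRUCTURED)

    def getInstructionAtAddress(self, addr):
        # Data bytes have no instruction object; mimic that with None.
        return self.instructions.get(addr)

    def getReferencesOfAddress(self, addr):
        return list(self.references.get(addr, []))


class FakeDocument(object):
    def __init__(self, names):
        self.names = names

    def getAddressForName(self, name):
        return self.names.get(name)


def address_in_segment(seg, addr):
    """isInText-style check: does addr fall inside seg?"""
    start = seg.getStartingAddress()
    return start <= addr < start + seg.getLength()


def is_call_site(text_seg, addr):
    """Only read an instruction after the segment confirms the address is code."""
    if text_seg.getTypeAtAddress(addr) not in (TYPE_CODE, TYPE_PROCEDURE):
        return False
    insn = text_seg.getInstructionAtAddress(addr)
    return insn is not None and insn.getInstructionString() in CALL_MNEMONICS


def call_refs_to(text_seg, refs_to):
    """Filter a list of references down to genuine call/bl sites."""
    return [a for a in refs_to if is_call_site(text_seg, a)]


def stack_block_refs_in_text(doc, symbol_seg, text_seg):
    """All __TEXT references to __NSConcreteStackBlock, not just the first one."""
    addr = doc.getAddressForName("__NSConcreteStackBlock")
    if addr is None:
        return []
    return [r for r in symbol_seg.getReferencesOfAddress(addr)
            if address_in_segment(text_seg, r)]


# Constructed sample layout: __TEXT at 0x1000, symbol slot at 0x5000, __DATA at 0x3000.
TEXT_SEG = FakeSegment(
    start=0x1000, length=0x1000,
    types={0x1000: TYPE_CODE, 0x1010: TYPE_CODE, 0x1020: TYPE_CODE, 0x1800: TYPE_STRUCTURED},
    instructions={0x1000: FakeInstruction("call"), 0x1010: FakeInstruction("bl"),
                  0x1020: FakeInstruction("mov")},
    references={},
)
STACK_BLOCK_ADDR = 0x5000
SYMBOL_SEG = FakeSegment(
    start=0x5000, length=0x100, types={}, instructions={},
    references={STACK_BLOCK_ADDR: [0x3000, 0x1000, 0x1010]},  # 0x3000 is a __DATA literal
)
DOC = FakeDocument({"__NSConcreteStackBlock": STACK_BLOCK_ADDR})

# Mixed reference list: 0x1800 is an ObjC structure in __TEXT, 0x1020 is not a call.
REFS_TO = [0x1000, 0x1800, 0x1020, 0x1010]

if __name__ == "__main__":
    print([hex(a) for a in call_refs_to(TEXT_SEG, REFS_TO)])
    print([hex(a) for a in stack_block_refs_in_text(DOC, SYMBOL_SEG, TEXT_SEG)])
```

In Hopper the stand-ins are replaced by the real `Document` and `Segment` objects and the `TYPE_*` names by the constants on `Segment`; the ordering of the checks is what matters: type first, instruction second, and never `[0]` on the reference list.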
So is there still no conclusion on this?