Skip to content

Create hopper_search_block.py#10

Open
sudo-angus wants to merge 1 commit intotobefuturer:masterfrom
sudo-angus:master
Open

Create hopper_search_block.py#10
sudo-angus wants to merge 1 commit intotobefuturer:masterfrom
sudo-angus:master

Conversation

@sudo-angus
Copy link

@sudo-angus sudo-angus commented Apr 4, 2017

Python script for Hopper Disassembler v4

@bersl
Create hopper_search_block.py
1f33f22 
Python script for Hopper Disassembler v4
tobefuturer
tobefuturer requested changes Apr 14, 2017
View reviewed changes
Copy link
Owner

@tobefuturer tobefuturer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

你好,非常感谢你编写了hopper版的脚本,不好意思因为一些私事,等了那么久才回你消息。
这两天我详细测试了下这个脚本,在里面发现了一些问题,希望你如果有时间的话能仔细看下我的commit,修改下脚本。
我对hopper的python接口不太熟悉,commit里的一些内容可能也不一定正确,如果你有什么想法欢迎继续交流哈~
ps:其实hopper v3版本的脚本,我师弟之前写过一个,不过因为hopper本身有些bug(文件保存,重新加载,reference信息会丢失),比较坑,所以正式放出来的只有ida的脚本,hopper v4之后,因为自己不太常用所以没有太留意了,如果你调试的时候,遇到什么奇怪的坑,可以多找人交流下,可能确实是hopper的bug。。。

search_oc_block/hopper_search_block.py
if IS_MAC:
codeRefs = filter(lambda x: TextSeg.getInstructionAtAddress(x).getInstructionString() == 'call', refsTo)
else:
codeRefs = filter(lambda x: TextSeg.getInstructionAtAddress(x).getInstructionString() == 'bl', refsTo)
Copy link
Owner

@tobefuturer tobefuturer Apr 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

此处判断 最好用getTypeAtAddress来写,现在这个写法会出错,因为oc的class_method的那些结构体也在Text Segment里面 ,直接取instrument会出错的,因为那个地址可能并不是指令,而是Text段里的只读数据

search_oc_block/hopper_search_block.py
if IS_MAC:
return super_func_addr
else:
return super_func_addr | TextSeg.isThumbAtAddress(block_func) # thumb
Copy link
Owner

@tobefuturer tobefuturer Apr 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

我这里 hopper 4.0.8 调用 TextSeg.isThumbAtAddress(block_func) 会经常crash,不是python脚本出异常,而是整个hopper进程crash,怀疑hopper有bug,不知道你那边的环境是什么,
考虑把所有的 “| isThumbAtAddress”都去掉 检查一下结果对不对,我记得这里带上 thumb标志位,只是为了内部统一,理论上这里去掉,其他地方处理好下,应该不影响最后结果,检查下最后结果对不对就好

search_oc_block/hopper_search_block.py
if superBlockFuncAddr == None:
return "";
if not IS_MAC:
superBlockFuncAddr = superBlockFuncAddr | TextSeg.isThumbAtAddress(superBlockFuncAddr) # thumb
Copy link
Owner

@tobefuturer tobefuturer Apr 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

同上面的isThumbAtAddress

search_oc_block/hopper_search_block.py
allRefToBlock=[]
StackBlockAddr = doc.getAddressForName("__NSConcreteStackBlock")
# if IS32BIT:
allRefToBlock = DataSeg.getReferencesOfAddress(SymbolSeg.getReferencesOfAddress(StackBlockAddr)[0])
Copy link
Owner

@tobefuturer tobefuturer Apr 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这个__NSConcreteStackBlock符号地址选取的不太对,你想要的那个符号不一定能在第一个,考虑下用下面这段代码,我这里简单测试了下,应该是可以的,也可能还有问题,
我觉得你应该是先想到了下面这个写法,但是你最后没有采用,可能是有我没有测到的问题,这个可以再详细交流下
StackBlockAddr = doc.getAddressForName("__NSConcreteStackBlock")
allRefToBlock = SymbolSeg.getReferencesOfAddress(StackBlockAddr)
allRefToBlock = filter(lambda x:isInText(x), allRefToBlock)

Copy link

@g302ge g302ge Nov 19, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

所以这个事情目前还是没有结论呀?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tobefuturer tobefuturer tobefuturer requested changes

+1 more reviewer

@g302ge g302ge g302ge left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sudo-angus @tobefuturer @g302ge @bersl