-
Notifications
You must be signed in to change notification settings - Fork 25
/
Copy pathrebase.cpp
258 lines (200 loc) · 6.1 KB
/
rebase.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
/*
* Rebase 16bit MS-DOS files.
*
*
*
*/
#include <ida.hpp>
#include <idp.hpp>
#include <bytes.hpp>
#include <kernwin.hpp>
#include <diskio.hpp>
#include <loader.hpp>
#include <segment.hpp>
#include <srarea.hpp>
#include <fixup.hpp>
#include <exehdr.h>
bool rebase_exe(adiff_t delta)
{
exehdr E;
sel_t dseg_sel = 0;
char exe_name[QMAXPATH];
get_input_file_path(exe_name, sizeof(exe_name));
msg("exe = %s\n", exe_name);
FILE *fp = fopenRB(exe_name);
if(fp == NULL)
{
char *user_exe = askfile_c(0, "*.*", "Please select the exe for this db.", exe_name);
if(user_exe == NULL)
return false;
fp = fopenRB(user_exe);
if(fp == NULL)
return false;
}
qfread(fp, &E, sizeof(E));
msg("E.ReloCnt = %d\n", E.ReloCnt);
if(E.ReloCnt)
{
fixup_data_t fd;
fd.type = FIXUP_SEG16;
fd.off = 0;
fd.displacement = 0;
qfseek(fp, E.TablOff, SEEK_SET);
for(int i = 0; i < E.ReloCnt; i++)
{
unsigned short buf[2];
qfread(fp, buf, sizeof(buf));
ea_t xEA = toEA((ushort)(inf.baseaddr+buf[1]), buf[0]); //i we need ushort() here!
ushort old_word = get_word(xEA);
ushort new_word = ushort((int32)old_word + delta);
//msg("Reloc: %a delta = %d : %x => %xh\n",xEA, delta, old_word, new_word);
put_word(xEA, new_word);
del_fixup(xEA);
fd.sel = new_word;
set_fixup(xEA, &fd);
}
}
qfclose(fp);
return true;
}
//--------------------------------------------------------------------------
void rebase_to(ea_t new_base)
{
ea_t currentbase = new_base;
ea_t imagebase = inf.baseaddr<<4;
msg("imagebase = %a newbase=%a\n", imagebase, new_base);
if ( imagebase != currentbase )
{
adiff_t delta = currentbase - imagebase;
delta /= 16;
msg("delta = %d\n", delta);
if(inf.filetype == f_EXE)
{
if(rebase_exe(delta) == false)
{
warning("Failed to relocate EXE offsets!");
return;
}
}
int code = rebase_program(currentbase - imagebase, MSF_FIXONCE);
if ( code != MOVE_SEGM_OK )
{
msg("Failed to rebase program, error code %d\n", code);
warning("IDA Pro failed to rebase the program.\n"
"Most likely it happened because of the debugger\n"
"segments created to reflect the real memory state.\n\n"
"Please stop the debugger and rebase the program manually.\n"
"For that, please select the whole program and\n"
"use Edit, Segments, Rebase program with delta 0x%08lX",
currentbase - imagebase);
}
else
{
//fix up segment selectors
segment_t *seg;
for(int i = 0;i < get_segm_qty();i++)
{
seg = getnseg(i);
if(seg->is_debugger_segm() == false)
{
seg->sel += delta; //seg->startEA>>4;
seg->update();
msg("seg[%d] ", i);
for(int j = 0;j<SREG_NUM;j++)
{
sel_t sel = seg->defsr[j];
if(sel != BADSEL)
{
msg("sel[%s] = %x %x, ", ph.regNames[j+ph.regFirstSreg], sel, sel + delta);
SetDefaultRegisterValue(seg, j+ph.regFirstSreg, sel + delta);
}
}
msg("\n");
}
}
int sr_num = SRareas.get_area_qty();
segreg_t *sr;
sel_t regs[SREG_NUM];
bool update_sr;
//rebase segment registers
for(int i = 0; i < sr_num;i++)
{
sr = getnSRarea(i);
update_sr = false;
for(int j=0;j<SREG_NUM;j++)
{
regs[j] = sr->reg(ph.regFirstSreg+j);
if(regs[j] != BADSEL)
{
if(((int)regs[j] + delta) >= 0)
{
ea_t sEA = (regs[j] + delta)<<4;
seg = getseg(sEA);
if(seg != NULL && seg->is_debugger_segm() == false)
{
regs[j] += delta;
// msg("regs[%s] = %x ", ph.regNames[j+ph.regFirstSreg], regs[j]);
update_sr = true;
}
}
}
}
if(update_sr)
{
// msg("\n");
sr->setregs(regs);
SRareas.update(sr);
}
}
}
}
warning("Warning!\n\nDatabase rebased to %ah\n\nPlease consider starting with a new database at this address.", new_base);
}
//--------------------------------------------------------------------------
int init(void)
{
return PLUGIN_OK;
}
//--------------------------------------------------------------------------
void term(void)
{
}
//--------------------------------------------------------------------------
void run(int /*arg*/)
{
ea_t addr;
if(askaddr(&addr, "Please enter an address to rebase to.") == 1)
rebase_to(addr);
}
//--------------------------------------------------------------------------
char comment[] = "Rebase MS-Dos EXE or COM files";
char help[] =
"Rebase MSDOS EXE or COM files\n";
//--------------------------------------------------------------------------
// This is the preferred name of the plugin module in the menu system
// The preferred name may be overriden in plugins.cfg file
char wanted_name[] = "rebase msdos";
// This is the preferred hotkey for the plugin module
// The preferred hotkey may be overriden in plugins.cfg file
// Note: IDA won't tell you if the hotkey is not correct
// It will just disable the hotkey.
char wanted_hotkey[] = "Ctrl-1";
//--------------------------------------------------------------------------
//
// PLUGIN DESCRIPTION BLOCK
//
//--------------------------------------------------------------------------
plugin_t PLUGIN =
{
IDP_INTERFACE_VERSION,
0, // plugin flags
init, // initialize
term, // terminate. this pointer may be NULL.
run, // invoke plugin
comment, // long comment about the plugin
// it could appear in the status line
// or as a hint
help, // multiline help about the plugin
wanted_name, // the preferred short name of the plugin
wanted_hotkey // the preferred hotkey to run the plugin
};