ProMiNick



ProMiNick 25 Dec 2019, 14:56
Without the SDK include files for now (the `IDA6.X_SDK_target_32.inc` / `IDA6.X_SDK_target_64.inc` files referenced below are not part of this post, so the listings do not assemble as-is).

callee.plw.ASM
Code:
; callee.plw -- IDA 6.x plugin (32-bit ea_t) that lets the user change the
; callee address of an indirect call; port of the SDK "callee" sample.
; fasm, Intel syntax, 32-bit Win32 DLL.  IDA kernel exports are reached
; through the import table ('.idata' below); 'ph' is a data export, so it
; is dereferenced twice (IAT entry -> processor_t).
; NOTE(review): 'IDA6.X_SDK_target_32.inc' is not provided with this listing.
format PE GUI 4.0 DLL as ''
entry DllEntryPoint

include 'win32a.inc'
include 'IDA6.X_SDK_target_32.inc'

section '.text' code readable executable

DllEntryPoint: procedure (hinstDLL,fdwReason,lpvReserved)
        ; BOOL WINAPI DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
        ; Only the process-attach notification (fdwReason == 1, DLL_PROCESS_ATTACH)
        ; does work: thread attach/detach callbacks are switched off because the
        ; plugin has no per-thread state.  Always reports success.
        mov     ecx, [fdwReason]
        cmp     ecx, 1                          ; DLL_PROCESS_ATTACH
        jne     .done
        mov     ecx, [hinstDLL]
        invoke  DisableThreadLibraryCalls, ecx
      .done:
        mov     eax, TRUE                       ; eax = 1
        ret
endp

AskUsingForm_c: procedure (buffer,pcallee)
        ; int AskUsingForm_c(const char *form, ...) with exactly one variadic
        ; argument (here: ea_t *callee).  The SDK inline forwards a va_list to
        ; callui(ui_form, form, va); on 32-bit x86 a va_list is a pointer to
        ; the first variadic stack slot, so the ADDRESS of the pcallee slot is
        ; passed, not its value (this is the va_start emulation).
        ; NOTE(review): in the SDK headers 'callui' is an exported data item (a
        ; function pointer), like 'ph'; if the include does not wrap it, the
        ; call needs a second indirection -- verify against the SDK used.
        lea     eax, [pcallee]
        cinvoke callui,ui_form,[buffer],eax
        ret
endp

init: procedure ()
        ; int idaapi init(void) -- accept the plugin only under the x86, MIPS
        ; and ARM processor modules.  Returns TRUE (PLUGIN_OK) for those,
        ; 0 (PLUGIN_SKIP) otherwise.  PLFM_386 is id 0, hence the 'test'.
        mov     ecx, [ph]
        mov     ecx, [ecx + processor_t.id]
        mov     eax, TRUE                       ; assume PLUGIN_OK
        cmp     ecx, PLFM_MIPS
        je      .done
        cmp     ecx, PLFM_ARM
        je      .done
        test    ecx, ecx                        ; PLFM_386
        je      .done
        xor     eax, eax                        ; PLUGIN_SKIP
  .done:
        ret
endp

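run: procedure ()
        ; void idaapi run(int) -- plugin entry point (Alt-F11).
        ; Reads the callee recorded for the instruction under the cursor from
        ; the per-processor netnode, lets the user edit it in a form, stores
        ; the result back (or deletes it when BADADDR is entered) and queues
        ; the instruction for reanalysis.  Uses the file-scope nname, nnode,
        ; ea, callee and buf variables; clobbers eax/ecx/edx.
        ;
        ; Fixes vs. the posted listing: the second '.MIPS_case' label is the
        ; '.ARM_case' that 'ja' targets (it was a duplicate label); the
        ; undefined '.not_ARM' target is '.skipthumbbit'; the thumb-bit test
        ; reads [callee] instead of al (which still held the form's return
        ; value); and callee+1 is incremented in place, so [ea] keeps the
        ; instruction address used as the netnode key and reanalysis target.
        mov     eax, [ph]
        mov     eax, [eax + processor_t.id]
        sub     eax, PLFM_MIPS                  ; CF set for ids below PLFM_MIPS (x86)
        jz      .MIPS_case
        ja      .ARM_case
        mov     eax, x86_case
        jmp     .nname_ready
  .MIPS_case:
        mov     eax, mips_case
        jmp     .nname_ready
  .ARM_case:
        mov     eax, arm_case
  .nname_ready:
        mov     [nname], eax
        invoke  netnode_check,nnode,eax,0,FALSE ; netnode n(nname)
        cinvoke callui,ui_screenea,ea           ; ea = get_screen_ea()
        invoke  get_flags_ex,[ea],GFE_NOVALUE
        and     eax, MS_CLS
        cmp     eax, FF_CODE                    ; isCode(flags)?
        jnz     .locret                         ; not an instruction
        invoke  netnode_altval,[nnode],[ea],'A'
        dec     eax                             ; callee = n.altval(ea) - 1
        mov     [callee], eax
        mov     eax, [ph]
        cmp     [eax + processor_t.id], PLFM_ARM
        jnz     .skipClearingARMmodebit
        and     [callee], not 1                 ; strip the thumb bit for display
  .skipClearingARMmodebit:
        cinvoke qsnprintf,buf,MAXSTR,form,help
        ccall   AskUsingForm_c,buf,callee
        test    eax, eax
        jz      .locret                         ; form cancelled
        cmp     [callee], BADADDR
        jnz     .valid_callee
        invoke  netnode_supdel,[nnode],[ea],'A' ; n.altdel(ea)
        jmp     .reanalyze
  .valid_callee:
        mov     edx, [ph]
        cmp     [edx + processor_t.id], PLFM_ARM
        jnz     .skipthumbbit
        test    [callee], 1                     ; already a thumb address?
        jnz     .skipthumbbit
        invoke  get_segreg,[callee],reg__T      ; sel_t tbit = get_segreg(callee, T)
        test    eax, eax
        jz      .skipthumbbit
        cmp     eax, BADSEL
        jz      .skipthumbbit
        or      [callee], 1                     ; calling a thumb function: set bit 0
  .skipthumbbit:
        inc     [callee]                        ; stored as callee+1 (0 means "unset")
        invoke  netnode_supset,[nnode],[ea],callee,4,'A'  ; n.altset(ea, callee+1)
  .reanalyze:
        mov     eax, [ea]
        cmp     eax, BADADDR
        jz      .locret
        inc     eax                             ; range end = ea + 1
        invoke  auto_mark_range,[ea],eax,AU_USED ; noUsed(ea): reanalyze this instruction
  .locret:
        ret
endp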

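section '.data' data readable writeable

; Plugin descriptor; exported as 'PLUGIN' from the '.edata' section.
PLUGIN plugin_t IDP_INTERFACE_VERSION,0,init,NULL,run,comment,help,wanted_name,wanted_hotkey

nname           dd ?            ; netnode name selected in run()
nnode           nodeidx_t ;dd   ; netnode index filled in by netnode_check
ea              ea_t      ;dd   ; address of the instruction under the cursor
callee          ea_t      ;dd   ; callee edited through the form (used by run() but missing from the posted listing)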

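comment         db 'Change the callee address',0
; The help text is inserted into 'form' via its %s by qsnprintf().  The
; closing quote after 'function' was missing in the posted listing, which
; left the string literal unterminated.
help            db 'This plugin allows the user to change the address of the called function',10,\
                   'in constructs like',10,\
                   10,\
                   '       call esi',10,\
                   10,\
                   'You can enter a function name instead of its address',10,0
; AskUsingForm_c form: one address ('$') field bound to the ea_t* argument.
form            db 'HELP',10,\
                   '%s',10,\
                   'ENDHELP',10,\
                   'Enter the callee address',10,\
                   10,\
                   '  <~C~allee:$:500:40:::>',10\
                   ,10\
                   ,10,0
; wanted_name shares the bytes of 'comment' (same text).
virtual at comment
        wanted_name     db 'Change the callee address',0
end virtual
wanted_hotkey   db 'Alt-F11',0
; Per-processor netnode names (must match the processor module's own).
mips_case       db '$ mips',0
arm_case        db ' $arm',0
x86_case        db '$ vmm functions',0

buf             db MAXSTR dup (?)   ; formatted form text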


section '.idata' import data readable writeable

  library idawll,'IDA.WLL',\
          kernel32,'KERNEL32.DLL'

  import idawll,\
         netnode_check,'netnode_check',\
         netnode_altval,'netnode_altval',\
         netnode_supset,'netnode_supset',\
         netnode_supdel,'netnode_supdel',\
         get_flags_ex,'get_flags_ex',\
         callui,'callui',\
         auto_mark_range,'auto_mark_range',\
         ph,'ph',\
         get_segreg,'get_segreg',\
         qsnprintf,'qsnprintf'

  import kernel32,\
         DisableThreadLibraryCalls,'DisableThreadLibraryCalls'

section '.edata' export data readable

  export 'callee.plw',\
         PLUGIN,'PLUGIN'

section '.reloc' fixups data readable discardable    


callee.p64.ASM
Code:
; callee.p64 -- same plugin for the 64-bit-ea_t kernel (IDA64.WLL), still a
; 32-bit Win32 DLL: every ea_t/nodeidx_t/sel_t is passed as two dwords
; (lo, hi) and returned in edx:eax.  fasm, Intel syntax.
; NOTE(review): 'IDA6.X_SDK_target_64.inc' is not provided with this listing.
format PE GUI 4.0 DLL as ''
entry DllEntryPoint

include 'win32a.inc'
include 'IDA6.X_SDK_target_64.inc'

section '.text' code readable executable

DllEntryPoint: procedure (hinstDLL,fdwReason,lpvReserved)
        ; BOOL WINAPI DllEntryPoint(HINSTANCE, DWORD fdwReason, LPVOID)
        ; On DLL_PROCESS_ATTACH (fdwReason == 1) switch off thread
        ; notifications; every notification returns TRUE.
        mov     ecx, [fdwReason]
        cmp     ecx, 1                          ; DLL_PROCESS_ATTACH
        jne     .done
        mov     ecx, [hinstDLL]
        invoke  DisableThreadLibraryCalls, ecx
      .done:
        mov     eax, TRUE
        ret
endp

AskUsingForm_c: procedure (buffer,pcallee)
        ; int AskUsingForm_c(const char *form, ...) with one variadic argument
        ; (ea_t *callee).  Emulates va_start: the address of the pcallee stack
        ; slot is the va_list handed to callui(ui_form, form, va).
        ; NOTE(review): 'callui' is an exported function pointer in the SDK
        ; headers; confirm the include wraps it or add the extra indirection.
        lea     eax, [pcallee]
        cinvoke callui,ui_form,[buffer],eax
        ret
endp

init: procedure ()
        ; int idaapi init(void) -- TRUE (PLUGIN_OK) for the x86 (id 0), MIPS
        ; and ARM processor modules, 0 (PLUGIN_SKIP) for anything else.
        mov     ecx, [ph]
        mov     ecx, [ecx + processor_t.id]
        mov     eax, TRUE
        cmp     ecx, PLFM_MIPS
        je      .done
        cmp     ecx, PLFM_ARM
        je      .done
        test    ecx, ecx                        ; PLFM_386
        je      .done
        xor     eax, eax                        ; PLUGIN_SKIP
  .done:
        ret
endp

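run: procedure ()
        ; void idaapi run(int) -- 64-bit-ea_t variant of the plugin entry.
        ; Every address is a lo/hi dword pair; kernel calls return them in
        ; edx:eax.  Uses the file-scope nname, nnode, ea, callee and buf;
        ; clobbers eax/ecx/edx.
        ;
        ; Fixes vs. the posted listing: the duplicated '.MIPS_case' label is
        ; the '.ARM_case' that 'ja' targets; the "tbit != 0" test uses 'or'
        ; (the 'and' of the two halves is zero for e.g. 1:2, skipping a valid
        ; T-bit selector); and callee+1 is incremented in place (the posted
        ; code stored only the low dword into [ea] and then used the
        ; clobbered [ea] as netnode key and reanalysis address).
        mov     eax, [ph]
        mov     eax, [eax + processor_t.id]
        sub     eax, PLFM_MIPS                  ; CF set for ids below PLFM_MIPS (x86)
        jz      .MIPS_case
        ja      .ARM_case
        mov     eax, x86_case
        jmp     .nname_ready
  .MIPS_case:
        mov     eax, mips_case
        jmp     .nname_ready
  .ARM_case:
        mov     eax, arm_case
  .nname_ready:
        mov     [nname], eax
        invoke  netnode_check,nnode,eax,0,FALSE ; netnode n(nname)
        cinvoke callui,ui_screenea,ea           ; ea = get_screen_ea()
        invoke  get_flags_ex,[ea + ea_t.lo],[ea + ea_t.hi],GFE_NOVALUE
        and     eax, MS_CLS
        cmp     eax, FF_CODE                    ; isCode(flags)?
        jnz     .locret
        invoke  netnode_altval,[nnode + nodeidx_t.lo],[nnode + nodeidx_t.hi],[ea + ea_t.lo],[ea + ea_t.hi],'A'
        add     eax, -1                         ; edx:eax = altval - 1
        adc     edx, -1
        mov     [callee+ea_t.lo], eax
        mov     [callee+ea_t.hi], edx
        mov     eax, [ph]
        cmp     [eax + processor_t.id], PLFM_ARM
        jnz     .skipClearingthumbbit
        and     [callee+ea_t.lo], not 1         ; strip the thumb bit for display
  .skipClearingthumbbit:
        cinvoke qsnprintf,buf,MAXSTR,form,help
        ccall   AskUsingForm_c,buf,callee
        test    eax, eax
        jz      .locret                         ; form cancelled
        mov     eax, [callee+ea_t.lo]
        mov     edx, [callee+ea_t.hi]
        and     edx, eax                        ; all ones in both halves <=> BADADDR
        cmp     edx, BADADDR                    ; NOTE(review): BADADDR must fit a 32-bit operand (-1) here
        jnz     .valid_callee
        invoke  netnode_supdel,[nnode + nodeidx_t.lo],[nnode + nodeidx_t.hi],[ea + ea_t.lo],[ea + ea_t.hi],'A'
        jmp     .reanalyze
  .valid_callee:
        mov     edx, [ph]
        cmp     [edx + processor_t.id], PLFM_ARM
        jnz     .skipthumbbit
        test    al, 1                           ; eax still = low dword of callee
        jnz     .skipthumbbit
        invoke  get_segreg,[callee+ea_t.lo],[callee+ea_t.hi],reg__T   ; edx:eax = tbit
        mov     ecx, eax
        or      ecx, edx                        ; tbit == 0 ?
        jz      .skipthumbbit
        and     eax, edx                        ; tbit == BADSEL (all ones)?
        cmp     eax, BADSEL
        jz      .skipthumbbit
        or      [callee+ea_t.lo], 1             ; thumb function: set bit 0
  .skipthumbbit:
        add     [callee+ea_t.lo], 1             ; callee + 1, 64-bit
        adc     [callee+ea_t.hi], 0
        invoke  netnode_supset,[nnode + nodeidx_t.lo],[nnode + nodeidx_t.hi],[ea + ea_t.lo],[ea + ea_t.hi],callee,8,'A'
  .reanalyze:
        mov     eax, [ea+ea_t.lo]
        and     eax, [ea+ea_t.hi]
        cmp     eax, BADADDR
        jz      .locret
        mov     eax, [ea+ea_t.lo]
        mov     edx, [ea+ea_t.hi]
        add     eax, 1                          ; range end = ea + 1
        adc     edx, 0
        invoke  auto_mark_range,[ea+ea_t.lo],[ea+ea_t.hi],eax,edx,AU_USED
  .locret:
        ret
endp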

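section '.data' data readable writeable

; Plugin descriptor; exported as 'PLUGIN' from the '.edata' section.
PLUGIN plugin_t IDP_INTERFACE_VERSION,0,init,NULL,run,comment,help,wanted_name,wanted_hotkey

nname           dd ?            ; netnode name selected in run()
nnode           nodeidx_t;dq    ; netnode index (lo/hi) filled in by netnode_check
ea              ea_t     ;dq    ; address (lo/hi) of the instruction under the cursor
callee          ea_t     ;dq    ; callee edited through the form (used by run() but missing from the posted listing)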

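comment         db 'Change the callee address',0
; Inserted into 'form' via %s by qsnprintf().  The closing quote after
; 'function' was missing in the posted listing (unterminated string).
help            db 'This plugin allows the user to change the address of the called function',10,\
                   'in constructs like',10,\
                   10,\
                   '       call esi',10,\
                   10,\
                   'You can enter a function name instead of its address',10,0
; AskUsingForm_c form: one address ('$') field bound to the ea_t* argument.
form            db 'HELP',10,\
                   '%s',10,\
                   'ENDHELP',10,\
                   'Enter the callee address',10,\
                   10,\
                   '  <~C~allee:$:500:40:::>',10\
                   ,10\
                   ,10,0
; wanted_name shares the bytes of 'comment' (same text).
virtual at comment
        wanted_name     db 'Change the callee address',0
end virtual
wanted_hotkey   db 'Alt-F11',0
; Per-processor netnode names (must match the processor module's own).
mips_case       db '$ mips',0
arm_case        db ' $arm',0
x86_case        db '$ vmm functions',0

buf             db MAXSTR dup (?)   ; formatted form text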


section '.idata' import data readable writeable

  library idawll,'IDA64.WLL',\
          kernel32,'KERNEL32.DLL'

  import idawll,\
         netnode_check,'netnode_check',\
         netnode_altval,'netnode_altval',\
         netnode_supset,'netnode_supset',\
         netnode_supdel,'netnode_supdel',\
         get_flags_ex,'get_flags_ex',\
         callui,'callui',\
         auto_mark_range,'auto_mark_range',\
         ph,'ph',\
         get_segreg,'get_segreg',\
         qsnprintf,'qsnprintf'

  import kernel32,\
         DisableThreadLibraryCalls,'DisableThreadLibraryCalls'

section '.edata' export data readable

  export 'callee.p64',\
         PLUGIN,'PLUGIN'

section '.reloc' fixups data readable discardable    


original in C:
Code:
/*
 *  Change the callee address for constructions like
 *
 *  call esi    ; LocalFree
 *
 */

#include <ida.hpp>
#include <idp.hpp>
#include <loader.hpp>
#include <kernwin.hpp>
#include <bytes.hpp>
#include <auto.hpp>
#include <srarea.hpp>
#define T 20

//--------------------------------------------------------------------------
// Plugin initialisation: accept the plugin only under the x86, MIPS and ARM
// processor modules; under any other IDP IDA unloads it (PLUGIN_SKIP).
int idaapi init(void)
{
  switch ( ph.id )
  {
    case PLFM_386:
    case PLFM_MIPS:
    case PLFM_ARM:
      return PLUGIN_OK;
    default:
      return PLUGIN_SKIP; // only for x86, MIPS and ARM
  }
}

//--------------------------------------------------------------------------
// Strings shown by the plugin.  'help' is inserted into 'form' through the
// "%s" placeholder by qsnprintf() in run(), so it must stay a plain string
// without '%' characters.
static const char comment[] = "Change the callee address";
static const char help[] =
  "This plugin allows the user to change the address of the called function\n"
  "in constructs like\n"
  "\n"
  "       call esi\n"
  "\n"
  "You can enter a function name instead of its address\n";

//--------------------------------------------------------------------------
// AskUsingForm_c() form: HELP/ENDHELP wraps the help text; the single
// "<~C~allee:$:500:40:::>" line is an address ('$') field bound to the
// ea_t* variadic argument (per the help text it also accepts a name).
static const char *const form =
  "HELP\n"
  "%s\n"
  "ENDHELP\n"
  "Enter the callee address\n"
  "\n"
  "  <~C~allee:$:500:40:::>\n"
  "\n"
  "\n";

// Plugin entry point (Alt-F11): edit the callee recorded for the instruction
// under the cursor in the per-processor netnode, then reanalyze it.
void idaapi run(int)
{
  const char *nname;
  switch ( ph.id )
  {
    case PLFM_MIPS: nname = "$ mips";          break;
    case PLFM_ARM:  nname = " $arm";           break;
    default:        nname = "$ vmm functions"; break;
  }
  netnode n(nname);

  ea_t ea = get_screen_ea();                    // current address
  if ( !isCode(get_flags_novalue(ea)) )
    return;                                     // not an instruction

  ea_t callee = n.altval(ea) - 1;               // stored as callee+1, 0 = unset
  if ( ph.id == PLFM_ARM )
    callee &= ~1;                               // hide the thumb bit while editing

  char buf[MAXSTR];
  qsnprintf(buf, sizeof(buf), form, help);
  if ( !AskUsingForm_c(buf, &callee) )
    return;                                     // cancelled

  if ( callee == BADADDR )
  {
    n.altdel(ea);                               // forget the callee
  }
  else
  {
    if ( ph.id == PLFM_ARM && (callee & 1) == 0 )
    {
      // calling a thumb function: set bit 0
      sel_t tbit = get_segreg(callee, T);
      if ( tbit != 0 && tbit != BADSEL )
        callee |= 1;
    }
    n.altset(ea, callee + 1);                   // save the new address
  }
  noUsed(ea);                                   // reanalyze the current instruction
}

//--------------------------------------------------------------------------
// Menu name and default hotkey reported in the descriptor below.
static const char wanted_name[] = "Change the callee address";
static const char wanted_hotkey[] = "Alt-F11";

//--------------------------------------------------------------------------
//
//      PLUGIN DESCRIPTION BLOCK
//
//  Exported as 'PLUGIN'; IDA reads it when the plugin DLL is loaded and calls
//  init() once, then run() on every hotkey/menu activation.
//--------------------------------------------------------------------------
plugin_t PLUGIN =
{
  IDP_INTERFACE_VERSION,
  0,                    // plugin flags

  init,                 // initialize

  NULL,                 // terminate. this pointer may be NULL.

  run,                  // invoke plugin

  comment,              // long comment about the plugin
                        // it could appear in the status line
                        // or as a hint

  help,                 // multiline help about the plugin

  wanted_name,          // the preferred short name of the plugin
  wanted_hotkey         // the preferred hotkey to run the plugin
};    


Is anyone interested in writing plugins and loaders for IDA Pro in fasm?
I can support the 6.X versions (`format PE GUI 4.0 DLL`) and the 7.X versions (`format PE64 GUI 5.0 DLL`).

_________________
I don`t like to refer by "you" to one person.
My soul requires acronim "thou" instead.


Last edited by ProMiNick on 27 Apr 2020, 22:24; edited 1 time in total
masm



masm 04 Apr 2020, 14:00
Please help: how can I get `IDA6.X_SDK_target_64.inc` or `IDA7.X_SDK_target_64.inc`? Please post these files, because when I assemble the listing I get an error about the missing include files.
ProMiNick



ProMiNick 04 Apr 2020, 18:18
No way (for now, at least): I have not created them yet (I even wrote "without SDK includes for now" in the first post).
If thou art interested in developing for IDA in fasm, I am ready to cooperate on the development.
Otherwise thou wilt have to wait until I make them myself.
Order of my interests:

[SEMISOLVED] Highest priority: adapt fasm for Win16-subsystem development, and port to fasm syntax all existing Win16 examples that make practical sense (i.e. demonstrate techniques still relevant in modern Windows).

2nd priority: reduce the old Delphi HTTPClient example to API-only code, then port it to fasm (I once did the same with SHELLEX).

3rd priority: rewrite OpenSSL in assembly (cutting out the unneeded parts; it is open source, so I see no problem with that), and port HTTPClient and OpenSSL to KolibriOS (maybe MenuetOS too).

4th priority: support IDA extensions in fasm (the disassembling happens in those extensions and IDA itself is only a visualizer, so maybe someone will write a disassembler in assembly based on such extensions).

[ACCIDENTALLY SOLVED] 5th priority: fix `struct` in my package (it calculates sub-union sizes incorrectly and addresses the members that follow them incorrectly).

6th priority: rewrite the Windows Research Kernel in assembly; try to rewrite parts of ReactOS (or parts of Windows).

7th priority: a pseudo-3D anthology — examples of similar demos from DX1 to DX12 and OGL1 to OGL3, using the examples that ship with the corresponding SDKs.

8th priority: a regular-expression framework for fasm.

9th priority: documentation for all of the above.

If I get stuck (the muse does not come for the first three priorities) or they get done, I may take up thy request.


Last edited by ProMiNick on 28 Apr 2020, 13:24; edited 1 time in total
masm



masm 05 Apr 2020, 13:36
Thank you. I write plugins for IDA Pro and Hiew in pure assembler without the SDK and they work, but if you have an SDK compatible with fasm, or know how to convert the C++ SDK headers to fasm, could you help? Sorry for my English.
macgub



macgub 08 Apr 2020, 14:52
ProMiNick wrote:

Order of my interests:

highest prioritet: adapt fasm for dev for win16 subsystem, and port all existing win16 examples that makes practical sence (demonstrated various technologies that actual in modern windows) to fasm syntax.

2nd prioritet: simplificate to api-only old Delphi example HTTPClient, than port it to fasm (once I done similar thing and port SHELLEX to fasm).

3rd prioritet: rewrite (cutoff unneeded parts of) openssl in assembly (it is opensource, so I don`t see problems), port HTTPClient & openssl to kolibri (maybe to menuet too)

4th prioritet: support IDA extensions in fasm (and because of that dissassembling going in that extensions & IDA itself only visualizer maybe someone write disasm in assembly based on such extensions).

5th prioritet: fix struct in my package (they incorrect calculate subunions size & incorect addressing of following members.

6th prioritet: rewrite in assembly windows research kernel, try to rewrite parts of reactOS( or parts of Windows)

7th prioritet: pseudo3D antalogy - example of similars demos in DX1 to DX12, OGL1 to OGL3 with examples that goes in appropriate SDKs.

8th prioritet: regular expressions framework for fasm.

9th prioriten: documentation related to all previous.


ProMiNick - I like your goals, especially the one about Kolibri and Menuet development. I wish you good luck in achieving it! Stay safe.
ProMiNick



ProMiNick 20 Apr 2020, 15:52
First of all we need a table of which types are declared where.
PRO.H is the main one; it differs per compiler, but contains nothing important except how the compilers should interpret the types.
In assembly that interpretation is the programmer's job, or we have to create a lot of structs and equates.
For example, I always forget the size of `bool`.
Code:
;typedef          int           bool            PRO_H
;typedef unsigned char          uchar           PRO_H
;typedef unsigned short         ushort          PRO_H
;typedef unsigned int           uint            PRO_H
;typedef          char          int8            PRO_H
;typedef   signed char          sint8           PRO_H
;typedef unsigned char          uint8           PRO_H
;typedef          short         int16           PRO_H
;typedef unsigned short         uint16          PRO_H
;typedef          int           int32           PRO_H
;typedef unsigned int           uint32          PRO_H
;typedef          longlong      int64           PRO_H
;typedef          ulonglong     uint64          PRO_H
;typedef          uint16        wchar16_t       PRO_H
;typedef          uint32        wchar32_t       PRO_H

;#ifdef __EA64__
;typedef          uint64        ea_t            PRO_H
;typedef          uint64        sel_t           PRO_H
;typedef          uint64        asize_t         PRO_H
;typedef          int64         adiff_t         PRO_H
;#else
;typedef          uint32        ea_t            PRO_H
;typedef          uint32        sel_t           PRO_H
;typedef          uint32        asize_t         PRO_H
;typedef          int32         adiff_t         PRO_H
;#endif

;typedef __EA64__ asize_t       uval_t          PRO_H
;typedef __EA64__ adiff_t       sval_t          PRO_H


;typedef          uchar         comp_t          IDA_HPP
;typedef          uchar         cm_t            IDA_HPP    


As we can see, in most cases a type with the `_t` suffix depends on `__EA64__` (i.e. on the effective-address size — the analogue of the x86 / x64 target split).

About the inline functions: the two examples above can be rewritten with macros as follows:
Code:
; callee.plw -- macro-based rewrite of the 32-bit-ea_t plugin: the SDK inline
; helpers (netnode.hpp, kernwin.hpp, auto.hpp, bytes.hpp) become fasm macros
; so run() reads like the C original.  fasm, Intel syntax, 32-bit Win32 DLL.
; NOTE(review): the SDK include below is not provided with this listing.
format PE GUI 4.0 DLL as 'plw'
entry DllEntryPoint

include 'win32a.inc'
include 'IDA6.X_SDK_target_32.inc'
;(ida.inc, idp.inc, loader.inc, kernwin.inc, bytes.inc, auto.inc, srarea.inc)

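; fasm equivalents of the SDK inline helpers used by the C original.  Each one
; clobbers eax like the exported function it wraps (plus edx/ecx as usual for
; a stdcall/cdecl callee).
; Fixes vs. the posted listing: netnode_altset called netnode_supdel (delete)
; instead of netnode_supset (store), and the macros declared as
; 'macro name,arg' are written 'macro name arg' like 'netnode' below.

macro netnode this,name,namlen:0,do_create:FALSE { ;netnode.hpp  netnode n(name)
        invoke  netnode_check,this,name,namlen,do_create }

macro netnode_altval this,alt,tag:'A' { ;netnode.hpp  eax = n.altval(alt, tag)
        invoke  netnode_altval,dword[this],dword[alt],tag }

macro netnode_altdel this,alt,tag:'A' { ;netnode.hpp  n.altdel(alt, tag) == supdel(alt, tag)
        invoke  netnode_supdel,dword[this],dword[alt],tag }

; n.altset(alt, value, tag) == supset(alt, &value, sizeof(nodeidx_t), tag);
; 'value' is a POINTER to the dword to store, default length is sizeof(dword).
macro netnode_altset this,alt,value,length:4,tag:'A' { ;netnode.hpp
        invoke  netnode_supset,dword[this],dword[alt],value,length,tag }

macro get_screen_ea ea { cinvoke callui,ui_screenea,ea } ;kernwin.hpp  ea = get_screen_ea()

macro autoMark ea,type { ;auto.hpp  if (ea != BADADDR) auto_mark_range(ea, ea+1, type)
        local   ..out
        mov     eax, [ea]
        cmp     eax, BADADDR
        jz      ..out
        inc     eax                             ; range end = ea + 1
        invoke  auto_mark_range,dword[ea],eax,type
  ..out: }

macro noUsed ea { autoMark ea,AU_USED } ;auto.hpp  noUsed(ea): reanalyze one instruction

macro isCode? reg:eax { ;bytes.hpp  leaves ZF set when (reg & MS_CLS) == FF_CODE
        and     reg, MS_CLS
        cmp     reg, FF_CODE }

macro get_flags_novalue ea { invoke  get_flags_ex,dword[ea],GFE_NOVALUE } ;bytes.hpp  eax = flags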



section '.text' code readable executable

DllEntryPoint: procedure (hinstDLL,fdwReason,lpvReserved)
        ; BOOL WINAPI DllEntryPoint(...) -- nothing to do per notification;
        ; always report success.
        xor     eax, eax
        inc     eax                             ; TRUE
        ret
endp

AskUsingForm_c: procedure (buffer,pcallee)
        ; int AskUsingForm_c(const char *form, ...) with one variadic argument
        ; (ea_t *callee): the address of the pcallee stack slot is the va_list
        ; handed to callui(ui_form, form, va), emulating va_start.
        ; NOTE(review): 'callui' is an exported function pointer in the SDK
        ; headers; confirm the include wraps it or add the extra indirection.
        lea     eax, [pcallee]
        cinvoke callui,ui_form,[buffer],eax
        ret
endp

init: procedure ()
        ; int idaapi init(void) -- TRUE (PLUGIN_OK) for the x86 (id 0), MIPS
        ; and ARM processor modules, 0 (PLUGIN_SKIP) for anything else.
        mov     ecx, [ph]
        mov     ecx, [ecx + processor_t.id]
        mov     eax, TRUE
        cmp     ecx, PLFM_MIPS
        je      .done
        cmp     ecx, PLFM_ARM
        je      .done
        test    ecx, ecx                        ; PLFM_386
        je      .done
        xor     eax, eax                        ; PLUGIN_SKIP
  .done:
        ret
endp

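run: procedure ()
        ; void idaapi run(int) -- plugin entry point (Alt-F11), written with
        ; the helper macros above.  Looks up the recorded callee for the
        ; instruction under the cursor, lets the user edit it, stores it back
        ; (or deletes it on BADADDR) and reanalyzes the instruction.  Uses the
        ; file-scope nname, nnode, ea, callee and buf; clobbers eax/ecx/edx.
        ;
        ; Fixes vs. the posted listing: the duplicated '.MIPS_case' label is
        ; the '.ARM_case' that 'ja' targets; the undefined '.not_ARM' target is
        ; '.skipthumbbit'; the thumb bit is tested on [callee], not on al
        ; (which still held the form's return value); and callee+1 is
        ; incremented in place so [ea] keeps the instruction address used as
        ; the netnode key and the reanalysis target.
        mov     eax, [ph]
        mov     eax, [eax + processor_t.id]
        sub     eax, PLFM_MIPS                  ; CF set for ids below PLFM_MIPS (x86)
        jz      .MIPS_case
        ja      .ARM_case
        mov     eax, x86_case
        jmp     .nname_ready
  .MIPS_case:
        mov     eax, mips_case
        jmp     .nname_ready
  .ARM_case:
        mov     eax, arm_case
  .nname_ready:
        mov     [nname], eax
        netnode nnode,eax                       ; netnode n(nname)
        get_screen_ea ea                        ; ea = get_screen_ea()
        get_flags_novalue ea
        isCode?                                 ; ZF set when ea holds an instruction
        jnz     .locret
        netnode_altval nnode,ea
        dec     eax                             ; callee = n.altval(ea) - 1
        mov     [callee], eax
        mov     eax, [ph]
        cmp     [eax + processor_t.id], PLFM_ARM
        jnz     .skipClearingARMmodebit
        and     [callee], not 1                 ; strip the thumb bit for display
  .skipClearingARMmodebit:
        cinvoke qsnprintf,buf,MAXSTR,form,help
        ccall   AskUsingForm_c,buf,callee
        test    eax, eax
        jz      .locret                         ; form cancelled
        cmp     [callee], BADADDR
        jnz     .valid_callee
        netnode_altdel nnode,ea                 ; n.altdel(ea)
        jmp     .reanalyze
  .valid_callee:
        mov     edx, [ph]
        cmp     [edx + processor_t.id], PLFM_ARM
        jnz     .skipthumbbit
        test    [callee], 1                     ; already a thumb address?
        jnz     .skipthumbbit
        invoke  get_segreg,dword[callee],reg__T ; sel_t tbit = get_segreg(callee, T)
        test    eax, eax
        jz      .skipthumbbit
        cmp     eax, BADSEL
        jz      .skipthumbbit
        or      [callee], 1                     ; thumb function: set bit 0
  .skipthumbbit:
        inc     [callee]                        ; stored as callee+1 (0 means "unset")
        netnode_altset nnode,ea,callee,4        ; n.altset(ea, callee+1)
  .reanalyze:
        noUsed ea                               ; reanalyze the current instruction
  .locret:
        ret
endp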

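section '.data' data readable writeable

; Plugin descriptor; exported as 'PLUGIN' from the '.edata' section.
PLUGIN plugin_t IDP_INTERFACE_VERSION,0,init,NULL,run,comment,help,wanted_name,wanted_hotkey

nname           dd ?            ; netnode name selected in run()
nnode           nodeidx_t ;dd   ; netnode index filled in by netnode_check
ea              ea_t      ;dd   ; address of the instruction under the cursor
callee          ea_t      ;dd   ; callee edited through the form (used by run() but missing from the posted listing)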

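comment         db 'Change the callee address',0
; Inserted into 'form' via %s by qsnprintf().  The closing quote after
; 'function' was missing in the posted listing (unterminated string).
help            db 'This plugin allows the user to change the address of the called function',10,\
                   'in constructs like',10,\
                   10,\
                   '       call esi',10,\
                   10,\
                   'You can enter a function name instead of its address',10,0
; AskUsingForm_c form: one address ('$') field bound to the ea_t* argument.
form            db 'HELP',10,\
                   '%s',10,\
                   'ENDHELP',10,\
                   'Enter the callee address',10,\
                   10,\
                   '  <~C~allee:$:500:40:::>',10\
                   ,10\
                   ,10,0
; wanted_name shares the bytes of 'comment' (same text).
virtual at comment
        wanted_name     db 'Change the callee address',0
end virtual
wanted_hotkey   db 'Alt-F11',0
; Per-processor netnode names (must match the processor module's own).
mips_case       db '$ mips',0
arm_case        db ' $arm',0
x86_case        db '$ vmm functions',0

buf             db MAXSTR dup (?)   ; formatted form text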


section '.idata' import data readable writeable

  library idawll,'IDA.WLL',\
          kernel32,'KERNEL32.DLL'

  import idawll,\
         netnode_check,'netnode_check',\
         netnode_altval,'netnode_altval',\
         netnode_supset,'netnode_supset',\
         netnode_supdel,'netnode_supdel',\
         get_flags_ex,'get_flags_ex',\
         callui,'callui',\
         auto_mark_range,'auto_mark_range',\
         ph,'ph',\
         get_segreg,'get_segreg',\
         qsnprintf,'qsnprintf'

  import kernel32,\
         DisableThreadLibraryCalls,'DisableThreadLibraryCalls'

section '.edata' export data readable

  export 'callee.plw',\
         PLUGIN,'PLUGIN'

section '.reloc' fixups data readable discardable    

The same for 64-bit effective addresses:
Code:
; callee.p64 -- macro-based rewrite for the 64-bit-ea_t kernel (IDA64.WLL).
; Still a 32-bit Win32 DLL: addresses are lo/hi dword pairs, kernel calls
; return them in edx:eax.  fasm, Intel syntax.
; NOTE(review): the SDK include below is not provided with this listing, and
; 'qword' pushes rely on the overridden pushd the author mentions.
format PE GUI 4.0 DLL as 'p64'
entry DllEntryPoint

include 'win32a.inc'
include 'IDA6.X_SDK_target_64.inc'
;(ida.inc, idp.inc, loader.inc, kernwin.inc, bytes.inc, auto.inc, srarea.inc)

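; fasm equivalents of the SDK inline helpers, 64-bit-ea_t flavour: every
; address argument is pushed as a qword (two dwords) and returned in edx:eax.
; Fixes vs. the posted listing: netnode_altset called netnode_supdel (delete)
; instead of netnode_supset (store); the 'macro name,arg' declarations are
; written 'macro name arg' like 'netnode'; autoMark addresses the halves as
; [ea+ea_t.lo]/[ea+ea_t.hi] so the macro works for any argument name (the
; posted '[ea.lo]' is one symbol and is not substituted by the parameter).

macro netnode this,name,namlen:0,do_create:FALSE { ;netnode.hpp  netnode n(name)
        invoke  netnode_check,this,name,namlen,do_create }

macro netnode_altval this,alt,tag:'A' { ;netnode.hpp  edx:eax = n.altval(alt, tag)
        invoke  netnode_altval,qword[this],qword[alt],tag }

macro netnode_altdel this,alt,tag:'A' { ;netnode.hpp  n.altdel(alt, tag) == supdel(alt, tag)
        invoke  netnode_supdel,qword[this],qword[alt],tag }

; n.altset(alt, value, tag) == supset(alt, &value, sizeof(nodeidx_t), tag);
; 'value' is a POINTER to the qword to store, default length is sizeof(qword).
macro netnode_altset this,alt,value,length:8,tag:'A' { ;netnode.hpp
        invoke  netnode_supset,qword[this],qword[alt],value,length,tag }

macro get_screen_ea ea { cinvoke callui,ui_screenea,ea } ;kernwin.hpp  ea = get_screen_ea()

macro autoMark ea,type { ;auto.hpp  if (ea != BADADDR) auto_mark_range(ea, ea+1, type)
        local   ..out
        mov     eax, [ea+ea_t.lo]
        and     eax, [ea+ea_t.hi]               ; all ones in both halves <=> BADADDR
        cmp     eax, BADADDR
        jz      ..out
        mov     eax, [ea+ea_t.lo]
        mov     edx, [ea+ea_t.hi]
        add     eax, 1                          ; range end = ea + 1 (64-bit)
        adc     edx, 0
        invoke  auto_mark_range,qword[ea],qword edx:eax,type
  ..out: }

macro noUsed ea { autoMark ea,AU_USED } ;auto.hpp  noUsed(ea): reanalyze one instruction

macro isCode? reg:eax { ;bytes.hpp  leaves ZF set when (reg & MS_CLS) == FF_CODE
        and     reg, MS_CLS
        cmp     reg, FF_CODE }

macro get_flags_novalue ea { invoke  get_flags_ex,qword[ea],GFE_NOVALUE } ;bytes.hpp  eax = flags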



section '.text' code readable executable

DllEntryPoint: procedure (hinstDLL,fdwReason,lpvReserved)
        ; BOOL WINAPI DllEntryPoint(HINSTANCE, DWORD fdwReason, LPVOID)
        ; On DLL_PROCESS_ATTACH (fdwReason == 1) switch off thread
        ; notifications; every notification returns TRUE.
        mov     ecx, [fdwReason]
        cmp     ecx, 1                          ; DLL_PROCESS_ATTACH
        jne     .done
        mov     ecx, [hinstDLL]
        invoke  DisableThreadLibraryCalls, ecx
      .done:
        mov     eax, TRUE
        ret
endp

AskUsingForm_c: procedure (buffer,pcallee)
        ; int AskUsingForm_c(const char *form, ...) with one variadic argument
        ; (ea_t *callee): the address of the pcallee stack slot is the va_list
        ; handed to callui(ui_form, form, va), emulating va_start.
        ; NOTE(review): 'callui' is an exported function pointer in the SDK
        ; headers; confirm the include wraps it or add the extra indirection.
        lea     eax, [pcallee]
        cinvoke callui,ui_form,[buffer],eax
        ret
endp

init: procedure ()
        ; int idaapi init(void) -- TRUE (PLUGIN_OK) for the x86 (id 0), MIPS
        ; and ARM processor modules, 0 (PLUGIN_SKIP) for anything else.
        mov     ecx, [ph]
        mov     ecx, [ecx + processor_t.id]
        mov     eax, TRUE
        cmp     ecx, PLFM_MIPS
        je      .done
        cmp     ecx, PLFM_ARM
        je      .done
        test    ecx, ecx                        ; PLFM_386
        je      .done
        xor     eax, eax                        ; PLUGIN_SKIP
  .done:
        ret
endp

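run: procedure ()
        ; void idaapi run(int) -- 64-bit-ea_t plugin entry written with the
        ; helper macros above.  Addresses are lo/hi dword pairs; kernel calls
        ; return them in edx:eax.  Uses the file-scope nname, nnode, ea,
        ; callee and buf; clobbers eax/ecx/edx.
        ;
        ; Fixes vs. the posted listing: the duplicated '.MIPS_case' label is
        ; the '.ARM_case' that 'ja' targets; the "tbit != 0" test uses 'or'
        ; (the 'and' of the two halves is zero for e.g. 1:2, skipping a valid
        ; T-bit selector); and callee+1 is incremented in place (the posted
        ; code stored only the low dword into [ea] and then used the
        ; clobbered [ea] as netnode key and reanalysis address).
        mov     eax, [ph]
        mov     eax, [eax + processor_t.id]
        sub     eax, PLFM_MIPS                  ; CF set for ids below PLFM_MIPS (x86)
        jz      .MIPS_case
        ja      .ARM_case
        mov     eax, x86_case
        jmp     .nname_ready
  .MIPS_case:
        mov     eax, mips_case
        jmp     .nname_ready
  .ARM_case:
        mov     eax, arm_case
  .nname_ready:
        mov     [nname], eax
        netnode nnode,eax                       ; netnode n(nname)
        get_screen_ea ea                        ; ea = get_screen_ea()
        get_flags_novalue ea
        isCode?                                 ; ZF set when ea holds an instruction
        jnz     .locret
        netnode_altval nnode,ea                 ; edx:eax = n.altval(ea)
        sub     eax, 1                          ; callee = altval - 1 (64-bit)
        sbb     edx, 0
        mov     [callee+ea_t.lo], eax
        mov     [callee+ea_t.hi], edx
        mov     eax, [ph]
        cmp     [eax + processor_t.id], PLFM_ARM
        jnz     .skipClearingthumbbit
        and     [callee+ea_t.lo], not 1         ; strip the thumb bit for display
  .skipClearingthumbbit:
        cinvoke qsnprintf,buf,MAXSTR,form,help
        ccall   AskUsingForm_c,buf,callee
        test    eax, eax
        jz      .locret                         ; form cancelled
        mov     eax, [callee+ea_t.lo]
        mov     edx, [callee+ea_t.hi]
        and     edx, eax                        ; all ones in both halves <=> BADADDR
        cmp     edx, BADADDR                    ; NOTE(review): BADADDR must fit a 32-bit operand (-1) here
        jnz     .valid_callee
        netnode_altdel nnode,ea                 ; n.altdel(ea)
        jmp     .reanalyze
  .valid_callee:
        mov     edx, [ph]
        cmp     [edx + processor_t.id], PLFM_ARM
        jnz     .skipthumbbit
        test    al, 1                           ; eax still = low dword of callee
        jnz     .skipthumbbit
        invoke  get_segreg,qword[callee],reg__T ; edx:eax = tbit
        mov     ecx, eax
        or      ecx, edx                        ; tbit == 0 ?
        jz      .skipthumbbit
        and     eax, edx                        ; tbit == BADSEL (all ones)?
        cmp     eax, BADSEL
        jz      .skipthumbbit
        or      [callee+ea_t.lo], 1             ; thumb function: set bit 0
  .skipthumbbit:
        add     [callee+ea_t.lo], 1             ; callee + 1, 64-bit
        adc     [callee+ea_t.hi], 0
        netnode_altset nnode,ea,callee,8        ; n.altset(ea, callee+1)
  .reanalyze:
        noUsed ea                               ; reanalyze the current instruction
  .locret:
        ret
endp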

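section '.data' data readable writeable

; Plugin descriptor; exported as 'PLUGIN' from the '.edata' section.
PLUGIN plugin_t IDP_INTERFACE_VERSION,0,init,NULL,run,comment,help,wanted_name,wanted_hotkey

nname           dd ?            ; netnode name selected in run()
nnode           nodeidx_t;dq    ; netnode index (lo/hi) filled in by netnode_check
ea              ea_t     ;dq    ; address (lo/hi) of the instruction under the cursor
callee          ea_t     ;dq    ; callee edited through the form (used by run() but missing from the posted listing)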

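comment         db 'Change the callee address',0
; Inserted into 'form' via %s by qsnprintf().  The closing quote after
; 'function' was missing in the posted listing (unterminated string).
help            db 'This plugin allows the user to change the address of the called function',10,\
                   'in constructs like',10,\
                   10,\
                   '       call esi',10,\
                   10,\
                   'You can enter a function name instead of its address',10,0
; AskUsingForm_c form: one address ('$') field bound to the ea_t* argument.
form            db 'HELP',10,\
                   '%s',10,\
                   'ENDHELP',10,\
                   'Enter the callee address',10,\
                   10,\
                   '  <~C~allee:$:500:40:::>',10\
                   ,10\
                   ,10,0
; wanted_name shares the bytes of 'comment' (same text).
virtual at comment
        wanted_name     db 'Change the callee address',0
end virtual
wanted_hotkey   db 'Alt-F11',0
; Per-processor netnode names (must match the processor module's own).
mips_case       db '$ mips',0
arm_case        db ' $arm',0
x86_case        db '$ vmm functions',0

buf             db MAXSTR dup (?)   ; formatted form text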


section '.idata' import data readable writeable

  ; Import table: IDA kernel entry points come from the 64-bit kernel DLL,
  ; the single Win32 API from kernel32.
  library idawll,'IDA64.WLL',\
          kernel32,'KERNEL32.DLL'

  ; ph is a data import (the processor module descriptor pointer) and is
  ; read through its IAT slot as [ph]; the remaining entries are functions.
  import idawll,\
         netnode_check,'netnode_check',\
         netnode_altval,'netnode_altval',\
         netnode_supset,'netnode_supset',\
         netnode_supdel,'netnode_supdel',\
         get_flags_ex,'get_flags_ex',\
         callui,'callui',\
         auto_mark_range,'auto_mark_range',\
         ph,'ph',\
         get_segreg,'get_segreg',\
         qsnprintf,'qsnprintf'

  ; Used by DllEntryPoint to switch off per-thread attach/detach callbacks.
  import kernel32,\
         DisableThreadLibraryCalls,'DisableThreadLibraryCalls'

section '.edata' export data readable

  ; Exported module name is the plugin file name; PLUGIN is the plugin_t
  ; descriptor IDA presumably looks up by name when loading the plugin.
  export 'callee.p64',\
         PLUGIN,'PLUGIN'

; Base relocations let the loader rebase the DLL when its preferred address
; is already taken; fasm fills this section from the fixups it collected.
section '.reloc' fixups data readable discardable    


When the SDK reaches some consistency, I will update fasmpack with it included.
It will additionally require overriding pushd in a way similar to the ...ax.inc / ...wx.inc headers (they use the word "double"; I used "qword") so that code looks the same for x32 and x64 targets.
ProMiNick 21 Apr 2020, 23:50
I explored IDA SDKs from 4.13 to 7.2, and I think supporting 6.8 and 7.0-7.2 would be more than enough.
Why these? I can successfully use IDA in the 64-bit environment of my WinXP64 (I am not targeting debugging, so everything works perfectly), but not everyone has a 64-bit machine.
So the SDK should cover 2 different versions of IDA: IDA 6.8 (the last one I can test for x86) and IDA 7.X (7.0 is free but buggy, so 7.0 and 7.2 at the same time).

root of SDK:
1. "X_TARGET" - contains the macros, strucs and fixes that declare a new data definition directive and size operator, altered according to the target bitness:
x86.inc:
Code:
; 32-bit target aliases: d?/d% define a pointer-sized cell, r?/r% reserve
; one, cell? is the matching size operator.
d? fix dd
d% fix dd
r? fix rd
r% fix rd
cell? fix dword    
x64.inc:
Code:
; 64-bit target aliases: same names as x86.inc, widened to a qword cell.
d? fix dq
d% fix dq
r? fix rq
r% fix rq
cell? fix qword    


2. "COMMON" contains stuff common to all 6.8-7.2 versions and to both host bitnesses.

3. "X86_ENVT" contains stuff related to the x86 environment

4. "X64_ENVT" contains stuff related to the x64 environment

https://yadi.sk/d/BmUyS1Tq15GV8w - pro.H & IDA.HPP, RANGE.HPP, NETNODE.HPP, NALT.HPP, SEGMENT.HPP, LINES.HPP, BYTES.HPP implemented in corresponding incs.
ProMiNick 27 Apr 2020, 22:18
First plugin assembled via the SDK (32-bit version of the x86 environment); the SDK is still not fully reproduced. (The 64-bit version will require a pushd override that works as seamlessly as the extended headers' one.)
https://yadi.sk/d/HTs1wxZvp6BmYw
The version for the x64 environment will require reversing x64 plugins later.
ProMiNick 28 Apr 2020, 07:46
https://yadi.sk/d/HTs1wxZvp6BmYw updated (the 64-bit version compiles too)
I added this to win32a.inc:
Code:
; pushd override: pushes one call argument, extending the standard win32a.inc
; macro with 64-bit (qword) argument forms so that 32-bit and 64-bit targets
; can be written the same way. Each arm ends with "pushd equ" so that the
; later "match pushd ..." arms see an empty value and do not fire; the final
; "restore pushd" undoes that for the next invocation.
macro pushd value {
        ; "addr var": push the address. Clobbers edx when var is not a
        ; plain label -- an edx:eax qword argument pushed after this one in
        ; the same call would see the overwritten edx (verify against the
        ; invoke push order).
        match =addr var,value \{
                if +var relativeto 0 | +var relativeto $
                        push var
                else
                        lea edx,[var]
                        push edx
                end if
                pushd equ \}
        ; "qword high:low": push the two halves, high first. The nested
        ; match on ":high[$]:" appears to tell a bracketed memory operand
        ; (needs an explicit dword size) from a register or immediate.
        match pushd =qword high:low,pushd value \{
                match any [more] rest,:high[$]:\\{
                        match [$]:,rest \\\{ push dword high \\\}
                        match =$:,more \\\{ push high \\\} \\}
                match any [more] rest,:low[$]:\\{
                        match [$]:,rest \\\{ push dword low \\\}
                        match =$:,more \\\{ push low \\\} \\}
                pushd equ \}
        ; "qword [var]": 64-bit memory operand, high dword at var+4 first.
        match pushd =qword [var],pushd value \{
                push dword [var+4]
                push dword [var]
                pushd equ \}
        ; "qword num": 64-bit constant; assemble it in a virtual block and
        ; load the two dword halves back so each can be pushed separately.
        match pushd =qword num,pushd value \{ \local ..high,..low
                virtual at 0
                        dq num
                        load ..low dword from 0
                        load ..high dword from 4
                end virtual
                push ..high
                push ..low
                pushd equ \}
        ; I dislike support of passing strings as direct parameters
        ; Fallback: anything not matched above is pushed as written.
        match pushd,pushd \{ ;\local ..continue
                ;if value eqtype ''
                ;        call ..continue
                ;        db value,0
                ;        ..continue:
                ;else
                        push value
                ;end if
                pushd equ \}
        restore pushd }    

It seemed to conflict with the pushd override from win32ax.inc, but I do not intend to use the extended headers: either the standard headers with my functionality, or the extended ones with my functionality cut off. So there is no conflict.