[原创]高版本go语言符号还原
2023-6-5 15:26:10 Author: bbs.pediy.com(查看原文) 阅读量:10 收藏


import idc

from idc import *

import ida_nalt

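# Address of the moduledata structure in the analysed sample. The value is
# specific to one binary and has to be located again for any other target.
moduledata_addr = 0x05289C0

# NOTE(review): the offsets below look like the 64-bit Go 1.18+ moduledata
# layout (an 8-byte pcHeader pointer followed by 24-byte slice headers).
# Confirm against the Go version of the target before trusting the results.
PTR_SIZE = 8
SLICE_HEADER_SIZE = PTR_SIZE * 3
PCHEADER_MAGIC = 0x0FFFFFFF0

# The first qword of moduledata points at the pcHeader.
pcHeader_addr = idc.get_qword(moduledata_addr)

pcHeader_magic = idc.get_wide_dword(pcHeader_addr)
if pcHeader_magic != PCHEADER_MAGIC:
    print(pcHeader_magic)
    print("错误,并不是一个正确的go文件")
    # Every address used from here on is derived from this structure. Going on
    # after a failed check would rename arbitrary locations in the database,
    # so the script stops instead of only reporting the mismatch.
    raise RuntimeError(
        "pcHeader magic mismatch at %#x: got %#x, expected %#x"
        % (pcHeader_addr, pcHeader_magic, PCHEADER_MAGIC)
    )

# The slice headers start right after the pcHeader pointer.
first_slice = moduledata_addr + PTR_SIZE

funcnametable_addr = idc.get_qword(first_slice)
filetab_addr = idc.get_qword(first_slice + SLICE_HEADER_SIZE * 2)
pclntable_addr = idc.get_qword(first_slice + SLICE_HEADER_SIZE * 4)

# Despite its name, the loop further down uses this value as a count of
# 8-byte table entries, not as a byte length. It is read 32 bytes past the
# pclntable pointer, which presumably is the length word of the slice that
# follows pclntable (ftab) -- verify against the target's runtime layout.
pclntable_size = idc.get_qword(first_slice + SLICE_HEADER_SIZE * 4 + PTR_SIZE * 4)

# Label the recovered structures so they are easy to find in the listing.
set_name(moduledata_addr, "firstmoduledata")
set_name(funcnametable_addr, "funcnametable")
set_name(filetab_addr, "filetab")
set_name(pclntable_addr, "pclntable")

print(pclntable_size)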

def readString(addr):
    """Read a byte string from the database starting at *addr*.

    Reading stops at the first 0x00 or 0xff byte; the terminator is not part
    of the result. Each byte is converted with chr(), so bytes above 0x7f are
    mapped one-to-one to code points rather than decoded as UTF-8.
    """
    chars = []
    cursor = addr
    while True:
        byte = get_db_byte(cursor)
        # 0x00 ends the string; 0xff is treated as a stop marker as well,
        # which keeps the scan from running on indefinitely.
        if byte == 0 or byte == 0xff:
            break
        chars.append(chr(byte))
        cursor += 1
    return ''.join(chars)

def relaxName(name):
    """Turn a Go symbol name into a string usable as an IDA name.

    Accepts str or bytes (bytes are decoded with the default codec).
    Separators become underscores, "<-" becomes "_chan_left_", "*" becomes
    "_ptr_", "," becomes "comma", and quotes, backslashes, semicolons and
    all brackets are dropped.
    """
    if type(name) is not str:
        name = name.decode()

    # "<-" has to be rewritten before the single-character pass, because that
    # pass would otherwise turn its "-" into an underscore first.
    name = name.replace("<-", '_chan_left_')

    # None of the replacement texts contains a character that is itself
    # replaced, so the remaining substitutions can be applied in one pass.
    substitutions = {
        '.': '_',
        '*': '_ptr_',
        '-': '_',
        '/': '_',
        ' ': '_',
        ',': 'comma',
    }
    for dropped in ';"\\(){}[]':
        substitutions[dropped] = ''

    return name.translate(str.maketrans(substitutions))

# Walk the function table at the start of pclntable and apply the recovered
# Go symbol names to the database.
# NOTE(review): each table entry is read as two 32-bit values (entry offset,
# offset of the per-function record); this presumably matches the Go 1.18+
# functab layout -- confirm for the target's Go version.
FTAB_ENTRY_SIZE = 8

# The image base does not change while the script runs, so resolve it once.
# NOTE(review): 0x1000 hard-codes where the code starts relative to the image
# base; check this against the section layout of the binary being analysed.
text_start = ida_nalt.get_imagebase() + 0x1000

cur_addr = 0
table_end = pclntable_addr + pclntable_size * FTAB_ENTRY_SIZE
for cur_addr in range(pclntable_addr, table_end, FTAB_ENTRY_SIZE):
    entry_off = get_wide_dword(cur_addr)
    func_off = get_wide_dword(cur_addr + 4)

    # The per-function record lives inside pclntable at func_off. Its first
    # dword is read only for the debug output; the second is the offset of
    # the function's name inside funcnametable.
    func_info = pclntable_addr + func_off
    recorded_entry = get_wide_dword(func_info)
    name_off = get_wide_dword(func_info + 4)

    name_addr = funcnametable_addr + name_off
    raw_name = readString(name_addr)
    ida_name = relaxName(raw_name)

    entry_ea = text_start + entry_off

    print(hex(entry_ea), hex(func_off), hex(func_info), hex(recorded_entry), hex(name_off), hex(name_addr), raw_name)

    # The return value of set_name is discarded, so a rename that fails is
    # not reported by this script.
    set_name(entry_ea, ida_name)


文章来源: https://bbs.pediy.com/thread-277492.htm