Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/sibears/hrast

PoC of modifying HexRays AST
https://github.com/sibears/hrast

hex-rays-decompiler idapro idapython

Last synced: 3 months ago
JSON representation

PoC of modifying HexRays AST

Host: GitHub
URL: https://github.com/sibears/hrast
Owner: sibears
License: mit
Created: 2018-04-14T10:46:36.000Z (over 6 years ago)
Default Branch: master
Last Pushed: 2019-12-17T16:16:57.000Z (almost 5 years ago)
Last Synced: 2024-02-11T15:55:32.942Z (9 months ago)
Topics: hex-rays-decompiler, idapro, idapython
Language: Python
Size: 789 KB
Stars: 236
Watchers: 21
Forks: 37
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # HexRaysAST matcher

[![MIT license](http://img.shields.io/badge/license-MIT-brightgreen.svg)](https://github.com/sibears/HRAST/blob/master/LICENSE)

This is simple PoC that allows you to define AST pattern you want to process and make some actions with them

### Current code contains templates for:

1.  Replacing inlined `strlen` called on global variable

2.  Auto renaming globals in expressions like `global_var = func(arg1, "newglobalname")`

3.  Auto renaming structure fields like `glob_str.f0 = sub_cafebabe` to `glob_str.sub_cafebabe = sub_cafebabe`

Scripts are not fully tested (e.g. it can fail on some ctree elements), but you can already make some useful things.

`ast_helper.py` contains some functions that help to create ctree items

*If you got some interr like 50680 etc after yours changes to ctree you should check IDADIR/hexrays_sdk/verifier/cverify.cpp (you need to have IDA 7.1+)*

### Usage:

1. Load **HRAST.py** into IDA

1. Write your patterns in **read_patterns.py**. You should define `PATTERNS` list with tuples (`template_code`, `replacement_fcn`, `is_chain`) as elements

1. Call `reLOAD()` function from IDAPython

1. Reload decompiler window

1. You can call `unLOAD()` function to disable modifications

1. Also `deBUG()` method switches DEBUG mode on/off

1. If you want to reload **HRAST.py** or remove hex-rays callback call `hr_remove()`

### Examples:

**Before**

![before screen](pics/before.png)

**After**

![after screen](pics/after.png)

cpp operator << replace:

**Before**

![before screen](pics/cpp_before.png)

**After**

![after screen](pics/cpp_after.png)

### License:

Released under [The MIT License](https://github.com/sibears/HRAST/blob/master/LICENSE)