@vient
Created June 29, 2020 21:30
IDA processor extension plugin for "patching" purposes
import idaapi
import idc
# Instruction type ids (insn.itype) as numbered by IDA's x86 processor module;
# look one up in an IDA session with idautils.DecodeInstruction(here()).itype.
JMP = 0x56
JL = 0x40
JLE = 0x41
JG = 0x3E
# je/jz and jne/jnz are treated as the same instruction type here.
JZ = JE = 0x55
JNZ = JNE = 0x4F
NOP = 0x81
# Jump targets for the "code1" input: value = target offset relative to the
# image base (ev_ana_insn adds idaapi.get_imagebase() back before use).
# The 32-bit keys are only used as lookup keys by code1_patches below;
# presumably they identify the target in the task's own encoding — TODO confirm.
code1_targets = {
    0x142A4A81: 0x3FE,
    0x282C8DC1: 0x122,
    0x28F82A19: 0x42,
    0x2928B129: 0x536,
    0x346C4C5C: 0x257,
    0x3C2DF07C: 0x4AC,
    0x3D8EC78B: 0x4CA,
    0x430A7CFC: 0x1B9,
    0x5373A4FC: 0x313,
    0x6ABCE02B: 0x94,
    0x6E674CF2: 0x30E,
    0x718FD50A: 0x5BB,
    0x8256903B: 0x320,
    0x9ACED86E: 0x339,
    0x9C529C1A: 0xDE,
    0x9FAE56F8: 0x4E8,
    0xB10DDE34: 0x506,
    0xBF0691A4: 0x207,
    0xC14DE862: 0x454,
    # Entry left disabled by the author; no patch below refers to it.
    # 0xC37B4FCE: 0x167,
    0xD41C645A: 0x175,
    0xE332D478: 0x58A,
    0xED432E50: 0x59A,
    0xF6576C57: 0x2B7,
    0xF970E373: 0x3AF,
}
# Patch table for the "code1" input.
#   key   = instruction offset from the image base, truncated to 32 bits
#           (ev_ana_insn computes (insn.ea - get_imagebase()) & 0xFFFFFFFF)
#   value = (itype, target offset) — ev_ana_insn re-decodes the byte at that
#           offset as a 1-byte jump of that type, ev_emu_insn adds the crefs.
# Keys written with a leading zero (0x0B10DDE34) are the same int as 0xB10DDE34.
code1_patches = {
    0x5E4: (JMP, code1_targets[0x3C2DF07C]),
    0x4D6: (JL, code1_targets[0x0B10DDE34]),
    0x4D7: (JMP, code1_targets[0x6ABCE02B]),
    0x5B6: (JMP, code1_targets[0x3C2DF07C]),
    0x4A7: (JMP, code1_targets[0x282C8DC1]),
    0x44F: (JMP, code1_targets[0x430A7CFC]),
    0x31B: (JMP, code1_targets[0x6E674CF2]),
    0x524: (JZ, code1_targets[0xD41C645A]),
    0x525: (JMP, code1_targets[0x8256903B]),
    0x4B8: (JL, code1_targets[0x718FD50A]),
    0x4B9: (JMP, code1_targets[0x0E332D478]),
    0x585: (JMP, code1_targets[0x9ACED86E]),
    0x1DC: (JMP, code1_targets[0x3D8EC78B]),
    0x9C: (JMP, code1_targets[0x9FAE56F8]),
    0x130: (JMP, code1_targets[0x9FAE56F8]),
    0x595: (JMP, code1_targets[0x3D8EC78B]),
    0x4D: (JMP, code1_targets[0x6E674CF2]),
    0x40: (JMP, code1_targets[0x0BF0691A4]),
    0x4FE: (JL, code1_targets[0x0F970E373]),
    0x4FF: (JMP, code1_targets[0x5373A4FC]),
    0x331: (JZ, code1_targets[0x142A4A81]),
    0x332: (JMP, code1_targets[0x0F6576C57]),
    0x2EF: (JMP, code1_targets[0x430A7CFC]),
    0x61E: (JL, code1_targets[0x0C14DE862]),
    0x61F: (JMP, code1_targets[0x282C8DC1]),
    0x65F: (JNZ, code1_targets[0x346C4C5C]),
    0x660: (JMP, code1_targets[0x2928B129]),
}
# Active patch table; patcher_t.init() points this at the table for the loaded
# input file before the hook is installed, so the hook never sees None.
PATCHES = None
class patch_jumps_hook(idaapi.IDP_Hooks):
    """Processor hook that re-decodes selected bytes of the input as jumps.

    Only offsets present in the module-level PATCHES table are touched; every
    other instruction is left to the real processor module (hooks return False).
    """

    # Instruction types that get a code reference to their jump target.
    _BRANCHES = (JMP, JE, JNE, JL, JLE, JG)

    def __init__(self):
        super().__init__()

    @staticmethod
    def _lookup(insn):
        """Return the (itype, target) patch for *insn*, or None if it has none.

        PATCHES is keyed by the offset from the image base, truncated to 32 bits.
        """
        rel = (insn.ea - idaapi.get_imagebase()) & 0xFFFFFFFF
        try:
            return PATCHES[rel]
        except KeyError:
            return None

    def ev_ana_insn(self, insn):
        """Decode hook: present a patched byte as a 1-byte jump instruction."""
        patch = self._lookup(insn)
        if patch is None:
            return False
        insn.itype, insn.Op1.addr = patch
        insn.size = 1
        if insn.itype == NOP:
            return True
        # Turn Op1 into a near code operand holding the absolute target address.
        insn.Op1.value = 0
        insn.Op1.type = idaapi.o_near
        insn.Op1.dtype = idaapi.dt_void
        insn.Op1.addr += idaapi.get_imagebase()
        return True

    def ev_emu_insn(self, insn):
        """Emulation hook: add the cross-references of a patched instruction."""
        if self._lookup(insn) is None:
            return False
        if insn.itype in self._BRANCHES:
            insn.add_cref(insn.Op1.addr, 0, idaapi.fl_JN)
        # Everything except an unconditional jump also flows to the next insn.
        if insn.itype != JMP:
            insn.add_cref(insn.ea + insn.size, 0, idaapi.fl_F)
        return True
class patcher_t(idaapi.plugin_t):
    """Hidden processor-extension plugin that installs patch_jumps_hook.

    It activates only for the one input file it was written for and only when
    the x86 processor module is in use; in every other case IDA skips it.
    """

    flags = idaapi.PLUGIN_PROC | idaapi.PLUGIN_HIDE
    comment = "0ctf 2020 J task jumps fix"
    wanted_hotkey = ""
    help = "Runs transparently during analysis"
    wanted_name = "Fix_0ctf_J_jumps"
    hook = None

    # Input file path -> patch table to activate for it.
    _TABLES = {r"D:\ctf\0ctf\j\code1_.bin": code1_patches}

    def init(self):
        """Pick the patch table for the loaded file and hook the processor."""
        global PATCHES
        self.hook = None
        table = self._TABLES.get(idc.get_input_file_path())
        if table is None:
            return idaapi.PLUGIN_SKIP
        PATCHES = table
        if idaapi.ph_get_id() != idaapi.PLFM_386:
            return idaapi.PLUGIN_SKIP
        print("\n\n[*] 0ctf 2020 J task jumps fix invoked")
        hook = patch_jumps_hook()
        hook.hook()
        self.hook = hook
        return idaapi.PLUGIN_KEEP

    def run(self, arg):
        """Nothing to do on manual invocation; all work happens in the hook."""
        pass

    def term(self):
        """Remove the processor hook if init() installed one."""
        hook = self.hook
        if hook:
            hook.unhook()
def PLUGIN_ENTRY():
    """Entry point IDA calls when it loads this file as a plugin."""
    plugin = patcher_t()
    return plugin