AFLplusplus/utils/afl_untracer/ida_get_patchpoints.py

#
# IDAPython script for IDA Pro
# Slightly modified from https://github.com/googleprojectzero/p0tools/blob/master/TrapFuzz/findPatchPoints.py
#

import idautils
import idaapi
import ida_nalt
import idc

# See https://www.hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml

from os.path import expanduser

home = expanduser("~")

patchpoints = set()

max_offset = 0
for seg_ea in idautils.Segments():
    name = idc.get_segm_name(seg_ea)
    # print("Segment: " + name)
    if name != "__text" and name != ".text":
        continue

    start = idc.get_segm_start(seg_ea)
    end = idc.get_segm_end(seg_ea)
    first = 0
    subtract_addr = 0
    # print("Start: " + hex(start) + " End: " + hex(end))
    for func_ea in idautils.Functions(start, end):
        f = idaapi.get_func(func_ea)
        if not f:
            continue
        for block in idaapi.FlowChart(f):
            if start <= block.start_ea < end:
                if first == 0:
                    if block.start_ea >= 0x1000:
                        subtract_addr = 0x1000
                        first = 1

                max_offset = max(max_offset, block.start_ea)
                patchpoints.add(block.start_ea - subtract_addr)
            # else:
            #    print("Warning: broken CFG?")

# Round up max_offset to page size
size = max_offset
rem = size % 0x1000
if rem != 0:
    size += 0x1000 - rem

print("Writing to " + home + "/Desktop/patches.txt")

with open(home + "/Desktop/patches.txt", "w") as f:
    f.write(ida_nalt.get_root_filename() + ":" + hex(size) + "\n")
    f.write("\n".join(map(hex, sorted(patchpoints))))
    f.write("\n")

print("Done, found {} patchpoints".format(len(patchpoints)))

# For headless script running remove the comment from the next line
# ida_pro.qexit()