Beispiel #1
0
def main():
    start_address = 0x63A79034
    # check valid dex header.
    header = idaapi.dbg_read_memory(start_address, 0x08)
    if header == "\x64\x65\x78\x0A\x30\x33\x35\x00":
        dex_size = idaapi.dbg_read_memory(start_address + 0x20, 0x04)
        file_size = struct.unpack("i", dex_size)[0]
        dex_data = idaapi.dbg_read_memory(start_address, file_size)
        file_name = "%s_%08x_%08x.dex" % (GetIdbPath()[:-4], start_address, file_size)
        file_out = open(file_name, "wb")
        file_out.write(dex_data)
        file_out.close()
        print "Writing buffer %0x(%x) to %s" % (start_address, file_size, file_name)
    else:
        print "Invalid dex header."
Beispiel #2
0
def main():
    start_address = 0x63A79034
    # check valid dex header.
    header = idaapi.dbg_read_memory(start_address, 0x08)
    if header == "\x64\x65\x78\x0A\x30\x33\x35\x00":
        dex_size = idaapi.dbg_read_memory(start_address + 0x20, 0x04)
        file_size = struct.unpack("i", dex_size)[0]
        dex_data = idaapi.dbg_read_memory(start_address, file_size)
        file_name = "%s_%08x_%08x.dex" % (GetIdbPath()[:-4], start_address, file_size)
        file_out = open(file_name, "wb")
        file_out.write(dex_data)
        file_out.close()
        print "Writing buffer %0x(%x) to %s" % (start_address, file_size, file_name)
    else:
        print "Invalid dex header."
Beispiel #3
0
def Read(addr,size):
    """
    Converts a string to hexadecimal
    
    @param path: the string to convert to hexadecimal
    @return: the hexadecimal representation of a string
    
    """
    import idaapi
    import struct
    
    byteArray = []
    count = 0

    while True:
        byte= idaapi.dbg_read_memory(addr,size)

        count = count+1
        nullTest= struct.unpack("B",byte[0])
        
        if nullTest[0]==0:
            break;
        else:
            byteArray.append(byte[0])
            addr = addr+size
        
    #print byteArray
    
    return byteArray
Beispiel #4
0
def Read(addr, size):
    """
    Converts a string to hexadecimal
    
    @param path: the string to convert to hexadecimal
    @return: the hexadecimal representation of a string
    
    """
    import idaapi
    import struct

    byteArray = []
    count = 0

    while True:
        byte = idaapi.dbg_read_memory(addr, size)

        count = count + 1
        nullTest = struct.unpack("B", byte[0])

        if nullTest[0] == 0:
            break
        else:
            byteArray.append(byte[0])
            addr = addr + size

    #print byteArray

    return byteArray
    def My_freadEnd(self):

        numBytesRead = idc.GetRegValue("EAX")
        self.logger.info( "_fread read %d bytes." % (numBytesRead) )
        
        pBuffer = self.tempStack.pop(0)
        pSize = self.tempStack.pop(0)
        stream = self.tempStack.pop(0)
        callerAddr = self.tempStack.pop(0)
        callerFuncName = self.tempStack.pop(0)
        threadID = self.tempStack.pop(0)
        
        _buffer = idaapi.dbg_read_memory(pBuffer,pSize)
        self.logger.debug( _buffer)
        
        inputLoggingList = []
        
        inputLoggingList.append(pBuffer)
        inputLoggingList.append(pSize)
        inputLoggingList.append(_buffer)
        inputLoggingList.append(stream)
        inputLoggingList.append(callerAddr)
        inputLoggingList.append(callerFuncName)
        inputLoggingList.append(threadID)
        
        if numBytesRead > 0:
            self.logger.info( "_fread succeeded.")
            self.debuggerInstance.callbackProcessing(inputLoggingList)
        else:
            Print ("_fread failed." )
            self.logger.info( "_fread failed.")
        
        return 0
Beispiel #6
0
    def My_freadEnd(self):

        numBytesRead = idc.GetRegValue("EAX")
        self.logger.info("_fread read %d bytes." % (numBytesRead))

        pBuffer = self.tempStack.pop(0)
        pSize = self.tempStack.pop(0)
        stream = self.tempStack.pop(0)
        callerAddr = self.tempStack.pop(0)
        callerFuncName = self.tempStack.pop(0)
        threadID = self.tempStack.pop(0)

        _buffer = idaapi.dbg_read_memory(pBuffer, pSize)
        self.logger.debug(_buffer)

        inputLoggingList = []

        inputLoggingList.append(pBuffer)
        inputLoggingList.append(pSize)
        inputLoggingList.append(_buffer)
        inputLoggingList.append(stream)
        inputLoggingList.append(callerAddr)
        inputLoggingList.append(callerFuncName)
        inputLoggingList.append(threadID)

        if numBytesRead > 0:
            self.logger.info("_fread succeeded.")
            self.debuggerInstance.callbackProcessing(inputLoggingList)
        else:
            Print("_fread failed.")
            self.logger.info("_fread failed.")

        return 0
Beispiel #7
0
    def WSOCK32Bind(self):
        """  
        int bind(
          _In_  SOCKET s,
          _In_  const struct sockaddr *name,
          _In_  int namelen
        );
        
        struct sockaddr_in {
            short   sin_family;
            u_short sin_port;
            struct  in_addr sin_addr;
            char    sin_zero[8];
        };
        """

        s = Util.GetData(0x4)
        self.logger.info("WSOCK32Bind: SOCKET is 0x%x" % (s))

        sockaddr_name = Util.GetData(0x8)
        self.logger.info("WSOCK32Bind: sockaddr_name is 0x%x" %
                         (sockaddr_name))

        port = struct.unpack(">H",
                             idaapi.dbg_read_memory(sockaddr_name + 0x2, 2))
        portName = str(port[0])
        self.logger.info("WSOCK32Bind: port value is %s" % (portName))

        namelen = Util.GetData(0xC)
        self.logger.info("WSOCK32Bind: namelen value is %d" % (namelen))

        retAddr = Util.GetData(0x0)
        Print(self.filter['network'])
        if portName in self.filter['network']:
            self.tempStack = []
            self.tempStack.append(s)
            self.tempStack.append(portName)
            idc.AddBpt(retAddr)
            idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
            idc.SetBptCnd(retAddr, "windowsNetworkIO.checkBindEnd()")
            self.logger.info(
                "WSOCK32Bind: Netork Filter matched. Adding port to the Handle's dictionary to start logging."
            )
            Print(
                "Filter matched. Add handle to the handle's dictionary to start logging."
            )

        else:
            if idc.CheckBpt(retAddr) >= 0:
                Print("Removing un-needed breakpoint.")
                self.logger.info("WSOCK32Bind: Removing un-needed breakpoint.")
                idc.DelBpt(retAddr)

            self.logger.info("WSOCK32Bind: Network Filter did not match.")

        return 0
Beispiel #8
0
def read_str(ea, max=256):
    c = ''
    while True:
        x = idaapi.dbg_read_memory(ea, 1)
        ea = ea + 1
        max = max - 1
        if x == '\0' or max < 0:
            break
        c += x
    return c
Beispiel #9
0
def dump_so(start_address, size):
    fp = open("E:\\dump.so", "wb")

    #read elf header and decrypt header
    data = idaapi.dbg_read_memory(start_address, 52)
    header = decryptso(data, 52)
    fp.write(header)

    #read elf program header tables
    phnum = 9
    data = idaapi.dbg_read_memory(start_address + 52, phnum * 32)
    pht = decryptso(data, phnum * 32)
    fp.write(pht)

    #read other part
    data = data = idaapi.dbg_read_memory(start_address + 52 + phnum * 32,
                                         size - phnum * 32 - 52)
    fp.write(data)

    fp.close()
 def getDbgMemPage(address, length):
     data = []
     L = 0
     data.append([
         idaapi.dbg_read_memory(address, 0x400 - (address & 0x3ff)),
         address, 0x400 - (address & 0x3ff)
     ])
     L += data[-1][2]
     for ea in range((address + 0x400) & (~0x3ff),
                     ((address + length) & (~0x3ff)), 0x400):
         data.append([idaapi.dbg_read_memory(ea, 0x400), ea, 0x400])
         L += 0x400
     data.append([
         idaapi.dbg_read_memory((address + length) & (~0x3ff),
                                (address + length) & (0x3ff)),
         (address + length) & (~0x3ff), (address + length) & (0x3ff)
     ])
     L += data[-1][2]
     assert (L == length)
     return data
Beispiel #11
0
def dump_module(name):

    module_base = get_module_base(name)

    if None != module_base:
        module_size = idc.GetModuleSize(module_base)
        print '[*] libart.so base=>0x%08X, Size=0x%08X' % (module_base,
                                                           module_size)

        data = idaapi.dbg_read_memory(module_base, module_size)
        fp = open('C:\\Users\\Administrator\\Desktop\\art.so', 'wb+')
        fp.write(data)
        fp.close()
Beispiel #12
0
def getdexsize(start):
    pos = start + 0x20
    # 在调试模式下才能获取到值
    mem = idaapi.dbg_read_memory(pos, 4)
    # 小端 <
    # natvie @ 和 = 或者无
    # native byteorder
    # 大端 > 和 !;
    # data from a sequence, network byteorder
    size = struct.unpack('<I', mem)[0]
    print('size is ' + str(hex(size)))
    print('size is 0x%08x') % (size)
    return int(size)
    def checkBind(self):
  
        """  
        int bind(
          _In_  SOCKET s,
          _In_  const struct sockaddr *name,
          _In_  int namelen
        );
        
        struct sockaddr_in {
            short   sin_family;
            u_short sin_port;
            struct  in_addr sin_addr;
            char    sin_zero[8];
        };
        """

        s = Util.GetData(0x4)
        self.logger.info ("checkBind: SOCKET is 0x%x" % (s))
        
        sockaddr_name = Util.GetData(0x8)
        self.logger.info ("checkBind: sockaddr_name is 0x%x" % (sockaddr_name))
        
        port = struct.unpack(">H", idaapi.dbg_read_memory(sockaddr_name+0x2,2) )
        portName = str(port[0])
        self.logger.info ("checkBind: port value is %s" % (portName))
        
        namelen = Util.GetData(0xC)
        self.logger.info ("checkBind: namelen value is %d" % (namelen))

        retAddr = Util.GetData(0x0)
        Print( self.filter['network'] )
        if portName in self.filter['network']:
            self.tempStack = []
            self.tempStack.append(s)
            self.tempStack.append(portName)
            idc.AddBpt(retAddr)
            idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
            idc.SetBptCnd(retAddr,"windowsNetworkIO.checkBindEnd()")
            self.logger.info( "checkBind: Netork Filter matched. Adding port to the Handle's dictionary to start logging.")
            Print( "Filter matched. Add handle to the handle's dictionary to start logging.")

        else:
            if idc.CheckBpt(retAddr) >= 0:
                Print( "Removing un-needed breakpoint." )
                self.logger.info("checkBind: Removing un-needed breakpoint.")
                idc.DelBpt(retAddr)
                
            self.logger.info( "checkBind: Network Filter did not match.")
            
        return 0
Beispiel #14
0
def DMA(dmau, dmal):

    DMA_T = (dmal >> 1) & 1

    if (DMA_T):

        MEM_ADDR = (dmau >> 5) << 5
        LC_ADDR = (dmal >> 5) << 5

        MEM_ADDR |= 0x80000000

        DMA_LEN_U = (dmau & 0x1F) << 8
        DMA_LEN_L = (dmal >> 2) & 3

        LEN = DMA_LEN_U | DMA_LEN_L

        if (LEN == 0):
            LEN = 0x80

        DMA_LD = (dmal >> 4) & 1

        print "DMA: mem = 0x%X, cache = 0x%X, len = 0x%X, LD = %d\n" % (
            MEM_ADDR, LC_ADDR, LEN, DMA_LD)

        if (DMA_LD):

            buf = idaapi.dbg_read_memory(MEM_ADDR, LEN)

            for i in range(len(buf)):
                idaapi.dbg_write_memory(LC_ADDR + i, buf[i])
        else:

            buf = idaapi.dbg_read_memory(LC_ADDR, LEN)

            for i in range(len(buf)):
                idaapi.dbg_write_memory(MEM_ADDR + i, buf[i])
Beispiel #15
0
    def checkRecvEnd(self):

        s = self.tempStack.pop(0)
        buf = self.tempStack.pop(0)
        _len = self.tempStack.pop(0)
        callerAddr = self.tempStack.pop(0)
        callerFuncName = self.tempStack.pop(0)
        threadID = self.tempStack.pop(0)

        bytesRecv = idc.GetRegValue("EAX")
        self.logger.info("checkRecvEnd: Number bytes received %d" % bytesRecv)

        #bytesRecv is the number of bytes returned by the recv function
        #use it for the logging size

        #Get the true size of the buffer
        _buffer = idaapi.dbg_read_memory(buf, bytesRecv)

        self.logger.debug("checkRecvEnd: buffer is %s" % _buffer)

        inputLoggingList = []

        inputLoggingList.append(buf)
        inputLoggingList.append(bytesRecv)
        inputLoggingList.append(_buffer)
        inputLoggingList.append(s)
        inputLoggingList.append(callerAddr)
        inputLoggingList.append(callerFuncName)
        inputLoggingList.append(threadID)

        if bytesRecv > 0:
            self.logger.info("checkRecvEnd: recv succeeded.")

            if self.socket_dict.has_key(s):
                self.logger.info("checkRecvEnd: Found socket 0x%x" % s)
                self.debuggerInstance.callbackProcessing(inputLoggingList)

            else:
                self.logger.info(
                    "checkRecvEnd: Cannot find socket socket 0x%x" % s)

        else:
            self.logger.error("checkRecvEnd: Recv function failed.")

        return 0
    def checkRecvEnd(self):
        
        s = self.tempStack.pop(0)
        buf = self.tempStack.pop(0)
        _len = self.tempStack.pop(0)
        callerAddr = self.tempStack.pop(0)
        callerFuncName = self.tempStack.pop(0)
        threadID = self.tempStack.pop(0)
        
        bytesRecv = idc.GetRegValue("EAX")
        self.logger.info( "checkRecvEnd: Number bytes received %d" % bytesRecv )
        
        #bytesRecv is the number of bytes returned by the recv function
        #use it for the logging size
        
        #Get the true size of the buffer
        _buffer = idaapi.dbg_read_memory(buf,bytesRecv)
        
        self.logger.debug( "checkRecvEnd: buffer is %s" % _buffer )
        
        inputLoggingList = []
        
        inputLoggingList.append(buf)
        inputLoggingList.append(bytesRecv)
        inputLoggingList.append(_buffer)
        inputLoggingList.append(s)
        inputLoggingList.append(callerAddr)
        inputLoggingList.append(callerFuncName)
        inputLoggingList.append(threadID)
        
        if bytesRecv > 0:
            self.logger.info( "checkRecvEnd: recv succeeded." )
            
            if self.socket_dict.has_key(s):
                self.logger.info( "checkRecvEnd: Found socket 0x%x" % s )
                self.debuggerInstance.callbackProcessing(inputLoggingList)

            else:
                self.logger.info( "checkRecvEnd: Cannot find socket socket 0x%x" % s )

        else:
            self.logger.error( "checkRecvEnd: Recv function failed." )
    
        return 0
 def ReadFileEnd(self):
     """
     Monitors the the end of ReadFile function
     This is the function that will trigger the trace
     inputLoggingList is past from MyReadFile, which holds are of MyReadFile arguments
     """
     
     retVal = idc.GetRegValue("EAX")
     self.logger.info( "Returning from ReadFile... with %d" % retVal )
 
     lpBuffer = self.tempStack.pop(0)
     lpNumberOfBytesRead = self.tempStack.pop(0)
     hFile = self.tempStack.pop(0)
     callerAddr = self.tempStack.pop(0)
     callerFuncName = self.tempStack.pop(0)
     threadID = self.tempStack.pop(0)
     
     NumberOfBytesRead = idc.DbgDword(lpNumberOfBytesRead)
     self.logger.info( "NumberOfBytesRead is 0x%x" % NumberOfBytesRead)
     
     _buffer = idaapi.dbg_read_memory(lpBuffer,NumberOfBytesRead)
     
     self.logger.debug( _buffer ) 
     
     inputLoggingList = []
     
     inputLoggingList.append(lpBuffer)
     inputLoggingList.append(NumberOfBytesRead)
     inputLoggingList.append(_buffer)
     inputLoggingList.append(hFile)
     inputLoggingList.append(callerAddr)
     inputLoggingList.append(callerFuncName)
     inputLoggingList.append(threadID)
     
     if retVal:
         Print(  "ReadFile succeeded." )
         self.logger.info( "ReadFile succeeded.")
         self.debuggerInstance.callbackProcessing(inputLoggingList)
     else:
         Print ("ReadFile failed." )
         self.logger.info("ReadFile failed.")
     
     return 0
    def ReadFileEnd(self):
        """
        Monitors the the end of ReadFile function
        This is the function that will trigger the trace
        inputLoggingList is past from MyReadFile, which holds are of MyReadFile arguments
        """

        retVal = idc.GetRegValue("EAX")
        self.logger.info("Returning from ReadFile... with %d" % retVal)

        lpBuffer = self.tempStack.pop(0)
        lpNumberOfBytesRead = self.tempStack.pop(0)
        hFile = self.tempStack.pop(0)
        callerAddr = self.tempStack.pop(0)
        callerFuncName = self.tempStack.pop(0)
        threadID = self.tempStack.pop(0)

        NumberOfBytesRead = idc.DbgDword(lpNumberOfBytesRead)
        self.logger.info("NumberOfBytesRead is 0x%x" % NumberOfBytesRead)

        _buffer = idaapi.dbg_read_memory(lpBuffer, NumberOfBytesRead)

        self.logger.debug(_buffer)

        inputLoggingList = []

        inputLoggingList.append(lpBuffer)
        inputLoggingList.append(NumberOfBytesRead)
        inputLoggingList.append(_buffer)
        inputLoggingList.append(hFile)
        inputLoggingList.append(callerAddr)
        inputLoggingList.append(callerFuncName)
        inputLoggingList.append(threadID)

        if retVal:
            Print("ReadFile succeeded.")
            self.logger.info("ReadFile succeeded.")
            self.debuggerInstance.callbackProcessing(inputLoggingList)
        else:
            Print("ReadFile failed.")
            self.logger.info("ReadFile failed.")

        return 0
def main():
    address = AskAddr(BADADDR, "Enter address: ")
    if address == BADADDR:
        print "Invalid address."
        return

    size = AskLong(0, "Enter size: ")

    if size == 0:
        print "Invalid size."
        return

    print "Range: ", hex(address), hex(size)

    buffer = idaapi.dbg_read_memory(address, size)
    if (len(buffer)) != 0:
        output_file = os.path.join(os.path.dirname(GetIdbPath()), "dump_%08x_%08x.bin" % (address, size))

        with open(output_file, "wb") as f:
            f.write(buffer)
            print "Saved data success", output_file
def get_sreg_base_x64(name):
    sdb = idaapi.dbg_get_thread_sreg_base(idc.GetCurrentThreadId(),
                                          int(getattr(cpu, name)))
    if not sdb:
        for n in xrange(idaapi.get_segm_qty()):
            seg = idaapi.getnseg(n)
            sgname = idaapi.get_segm_name(seg, 0)
            if sgname.startswith('TIB['):
                _sdb = seg.startEA + 0x1000
                sdb_self = int(
                    base64.b16encode(
                        idaapi.dbg_read_memory(_sdb + 0x30, 8)[::-1]), 16)
                if (sdb_self == _sdb):
                    sdb = _sdb
                    print("\nwarning: the segname:%s is zero,I give %016x" %
                          (name, sdb))
                break
    if not sdb:
        print(
            "\n\nwarning: the segname:%s is zero, U need set it by yourself\n"
            % (name))
    return sdb
Beispiel #21
0
def main():
    address = AskAddr(BADADDR, "Enter address: ")
    if address == BADADDR:
        print "Invalid address."
        return

    size = AskLong(0, "Enter size: ")

    if size == 0:
        print "Invalid size."
        return

    print "Range: ", hex(address), hex(size)

    buffer = idaapi.dbg_read_memory(address, size)
    if (len(buffer)) != 0:
        output_file = os.path.join(os.path.dirname(GetIdbPath()),
                                   "dump_%08x_%08x.bin" % (address, size))

        with open(output_file, "wb") as f:
            f.write(buffer)
            print "Saved data success", output_file
Beispiel #22
0
def dumpMemoryToFile(start_addr, size, filename):
	data = idaapi.dbg_read_memory(start_addr, size)
	fp = open(filename, 'wb')
	fp.write(data)
	fp.close()
Beispiel #23
0
def test_readwrite():
    ea = cpu.Eip
    buf = idaapi.dbg_read_memory(ea, 5)
    print "read: ", [hex(ord(x)) for x in buf]
    idaapi.dbg_write_memory(ea, buf)
Beispiel #24
0
def writeMem(binfile, regs):
    segm = {}
    for n in xrange(idaapi.get_segm_qty()):
        seg = idaapi.getnseg(n)
        if seg:
            count = 0
            h = ''
            while (idaapi.get_segm_name(seg, 0) + h) in segm.keys():
                count += 1
                h = str(count)
            name = idaapi.get_segm_name(seg, 0) + h
            address = seg.startEA
            length = seg.endEA - seg.startEA

            db_data = idaapi.dbg_read_memory(address, length)
            if db_data:
                print('ok   ', name, seg.flags, length, 'bytes', length / 1024,
                      'kb')
                segm[name] = [address, length, db_data]
            else:
                print('faild', name, seg.flags, length, 'bytes', length / 1024,
                      'kb')
                pass
    nameoffset_p = 0
    dataoffset_p = 0
    all_ab_name = 0

    register_names = {
        16: 'rax',
        24: 'rcx',
        32: 'rdx',
        40: 'rbx',
        48: 'rsp',
        56: 'rbp',
        64: 'rsi',
        72: 'rdi',
        80: 'r8',
        88: 'r9',
        96: 'r10',
        104: 'r11',
        112: 'r12',
        120: 'r13',
        128: 'r14',
        136: 'r15',
        144: 'cc_op',
        152: 'cc_dep1',
        160: 'cc_dep2',
        168: 'cc_ndep',
        176: 'd',
        184: 'rip',
        192: 'ac',
        200: 'id',
        208: 'fs',
        216: 'sseround',
        224: 'ymm0',
        256: 'ymm1',
        288: 'ymm2',
        320: 'ymm3',
        352: 'ymm4',
        384: 'ymm5',
        416: 'ymm6',
        448: 'ymm7',
        480: 'ymm8',
        512: 'ymm9',
        544: 'ymm10',
        576: 'ymm11',
        608: 'ymm12',
        640: 'ymm13',
        672: 'ymm14',
        704: 'ymm15',
        736: 'ymm16',
        768: 'ftop',
        776: 'mm0',
        784: "mm1",
        792: "mm2",
        800: "mm3",
        808: "mm4",
        816: "mm5",
        824: "mm6",
        832: "mm7",
        840: 'fptag',
        848: 'fpround',
        856: 'fc3210',
        864: 'emnote',
        872: 'cmstart',
        880: 'cmlen',
        888: 'nraddr',
        904: 'gs',
        912: 'ip_at_syscall'
    }
    registers = {
        'rax': (16, 8),
        'eax': (16, 4),
        'ax': (16, 2),
        'al': (16, 1),
        'ah': (17, 1),
        'rcx': (24, 8),
        'ecx': (24, 4),
        'cx': (24, 2),
        'cl': (24, 1),
        'ch': (25, 1),
        'rdx': (32, 8),
        'edx': (32, 4),
        'dx': (32, 2),
        'dl': (32, 1),
        'dh': (33, 1),
        'rbx': (40, 8),
        'ebx': (40, 4),
        'bx': (40, 2),
        'bl': (40, 1),
        'bh': (41, 1),
        'rsp': (48, 8),
        'sp': (48, 8),
        'esp': (48, 4),
        'rbp': (56, 8),
        'bp': (56, 8),
        'ebp': (56, 4),
        'rsi': (64, 8),
        'esi': (64, 4),
        'si': (64, 2),
        'sil': (64, 1),
        'sih': (65, 1),
        'rdi': (72, 8),
        'edi': (72, 4),
        'di': (72, 2),
        'dil': (72, 1),
        'dih': (73, 1),
        'r8': (80, 8),
        'r9': (88, 8),
        'r10': (96, 8),
        'r11': (104, 8),
        'r12': (112, 8),
        'r13': (120, 8),
        'r14': (128, 8),
        'r15': (136, 8),
        'cc_op': (144, 8),
        'cc_dep1': (152, 8),
        'cc_dep2': (160, 8),
        'cc_ndep': (168, 8),
        'd': (176, 8),
        'dflag': (176, 8),
        'rip': (184, 8),
        'ip': (184, 8),
        'pc': (184, 8),
        'ac': (192, 8),
        'acflag': (192, 8),
        'id': (200, 8),
        'idflag': (200, 8),
        'fs': (208, 8),
        'fs_const': (208, 8),
        'sseround': (216, 8),
        'ymm0': (224, 32),
        'xmm0': (224, 16),
        'ymm1': (256, 32),
        'xmm1': (256, 16),
        'ymm2': (288, 32),
        'xmm2': (288, 16),
        'ymm3': (320, 32),
        'xmm3': (320, 16),
        'ymm4': (352, 32),
        'xmm4': (352, 16),
        'ymm5': (384, 32),
        'xmm5': (384, 16),
        'ymm6': (416, 32),
        'xmm6': (416, 16),
        'ymm7': (448, 32),
        'xmm7': (448, 16),
        'ymm8': (480, 32),
        'xmm8': (480, 16),
        'ymm9': (512, 32),
        'xmm9': (512, 16),
        'ymm10': (544, 32),
        'xmm10': (544, 16),
        'ymm11': (576, 32),
        'xmm11': (576, 16),
        'ymm12': (608, 32),
        'xmm12': (608, 16),
        'ymm13': (640, 32),
        'xmm13': (640, 16),
        'ymm14': (672, 32),
        'xmm14': (672, 16),
        'ymm15': (704, 32),
        'xmm15': (704, 16),
        'ymm16': (736, 32),
        'xmm16': (736, 16),
        'ftop': (768, 4),
        'fpreg': (776, 64),
        'fpu_regs': (776, 64),
        'mm0': (776, 8),
        'mm1': (784, 8),
        'mm2': (792, 8),
        'mm3': (800, 8),
        'mm4': (808, 8),
        'mm5': (816, 8),
        'mm6': (824, 8),
        'mm7': (832, 8),
        'fptag': (840, 8),
        'fpu_tags': (840, 8),
        'fpround': (848, 8),
        'fc3210': (856, 8),
        'emnote': (864, 4),
        'cmstart': (872, 8),
        'cmlen': (880, 8),
        'nraddr': (888, 8),
        'gs': (904, 8),
        'gs_const': (904, 8),
        'ip_at_syscall': (912, 8)
    }

    for regAddress in regs:
        INT = regs[regAddress]
        regName = register_names[regAddress]
        size = registers[regName][1]
        if size == 1:
            db_data = struct.pack("<B", INT)
        elif size == 2:
            db_data = struct.pack("<H", INT)
        elif size == 4:
            db_data = struct.pack("<I", INT)
        elif size == 8:
            db_data = struct.pack("<Q", INT)
        elif size == 16:
            db_data = struct.pack("<QQ", int(INT & 0xffffffffffffffff),
                                  int(INT >> 64))
        elif size == 32:
            db_data = struct.pack("<QQQQ", INT & 0xffffffffffffffff,
                                  (INT >> 64) & 0xffffffffffffffff,
                                  (INT >> 128) & 0xffffffffffffffff,
                                  INT >> 192)
        else:
            continue
        segm['registers' +
             str(regAddress)] = [regAddress, len(db_data), db_data]

    for name in segm:
        address, length, db_data = segm[name]
        ab_name = (name + '\x00').encode('utf-8')
        all_ab_name += len(ab_name)
    for name in segm:
        address, length, db_data = segm[name]
        ab_name = (name + '\x00').encode('utf-8')
        nameoffset = len(segm) * 32 + nameoffset_p
        dataoffset = len(segm) * 32 + all_ab_name + dataoffset_p
        db1 = struct.pack("<Q", nameoffset)
        db2 = struct.pack("<Q", address)
        db3 = struct.pack("<Q", length)
        db4 = struct.pack("<Q", dataoffset)
        binfile.write(db1)
        binfile.write(db2)
        binfile.write(db3)
        binfile.write(db4)
        nameoffset_p += len(ab_name)
        dataoffset_p += length
    for name in segm:
        address, length, db_data = segm[name]
        ab_name = (name + '\x00').encode('utf-8')
        binfile.write(ab_name)
    for name in segm:
        address, length, db_data = segm[name]
        binfile.write(db_data)
Beispiel #25
0
import idaapi
start_address = 0x4B68A0
data_length = 662
data = idaapi.dbg_read_memory(start_address, data_length)
fp = open('dump1.pyc', 'wb')
fp.write(data)
fp.close()
Beispiel #26
0
def read_dword(ea):
    val = int(binascii.hexlify(idaapi.dbg_read_memory(ea, 4)), 16)
    r = (val & 0xff) << 24 | (val & 0xff00) << 8 | (val & 0xff0000) >> 8 | (
        val & 0xff000000) >> 24
    return r
Beispiel #27
0
def read_bool(ea):
    val = int(binascii.hexlify(idaapi.dbg_read_memory(ea, 1)), 16)
    return val
Beispiel #28
0
def readMemory(address, size):
    if idaapi.dbg_can_query():
        val = idaapi.dbg_read_memory(address, size)

        return val
    return None
    def writeMem(self, binfile):
        regs = self.getRegs()
        segm = self.init_segm_mem()
        idaapi.refresh_debugger_memory()
        print(
            "+-------------------+----------------------+--------------------+----------+--------+"
        )
        print(
            "|      segment      |          VA          |        size        |   flag   | status |"
        )
        print(
            "+-------------------+----------------------+--------------------+----------+--------+"
        )

        for n in xrange(idaapi.get_segm_qty()):
            seg = idaapi.getnseg(n)
            if seg:
                name = Dump.getSegName(seg, segm)
                address = seg.startEA
                length = seg.endEA - seg.startEA

                db_data = idaapi.dbg_read_memory(address, length)
                print("| %-17s |  %18x  | %8x -> %5dkb|    %2d    |   " %
                      (name, address, length, length / 1024, seg.flags),
                      end="")
                if db_data:
                    segm[name] = [address, length, db_data]
                    print('ok   |')
                    length = len(db_data)
                    segm[name] = [address, length, db_data]
                else:
                    if (length >= 0x400):
                        print(
                            "war  |\n+-------------------+----------------------+--------------------+----------+--------+"
                        )
                        data = Dump.getDbgMemPage(address, length)
                        data.append([b"", 0, 0])
                        is_unmap = False
                        tmp = b''
                        begin = address
                        fbegin = address
                        fsize = 0
                        for i, d in enumerate(data):
                            db, ea, size = d
                            if is_unmap:
                                if db:  # 0 1
                                    is_unmap = False
                                    begin = ea
                                    tmp = db
                                    print(
                                        "| %-17s |  %18x  | %8x -> %5dkb|    %2d    |  faild |"
                                        % (name, fbegin, fsize, fsize / 1024,
                                           seg.flags))
                                else:  # 0 0
                                    fsize += size
                                    if (i == len(data) - 1):
                                        print(
                                            "| %-17s |  %18x  | %8x -> %5dkb|    %2d    |  faild |"
                                            % (name, fbegin, fsize,
                                               fsize / 1024, seg.flags))
                                    pass
                            else:
                                if db:  # 1 1
                                    is_unmap = False
                                    tmp += db
                                else:  # 1 0
                                    fbegin = ea
                                    fsize = size
                                    is_unmap = True
                                    if tmp:
                                        name = Dump.getSegName(seg, segm)
                                        segm[name] = [begin, len(tmp), tmp]
                                        print(
                                            "| %-17s |  %18x  | %8x -> %5dkb|    %2d    |   ok   |"
                                            % (name, begin, len(tmp),
                                               len(tmp) / 1024, seg.flags))
                                    else:
                                        print(
                                            "| %-17s |  %18x  | %8x -> %5dkb|    %2d    |  faild |"
                                            % (name, fbegin, fsize,
                                               fsize / 1024, seg.flags))
                                        break

                        print(
                            "+-------------------+----------------------+--------------------+----------+--------+"
                        )
                    else:
                        print('  faild')
                    continue

        print(
            "+-------------------+----------------------+--------------------+----------+--------+"
        )
        # GetBptQty() GetBptEA(n):
        nameoffset_p = 0
        dataoffset_p = 0
        all_ab_name = 0

        for regAddress in regs:
            INT = regs[regAddress]
            regName = self.register_names[regAddress]
            size = self.registers[regName][1]
            up = None
            if INT < 0:
                up = lambda x: x.lower()
            else:
                up = lambda x: x

            try:
                if size == 1:
                    db_data = struct.pack(up("<B"), INT)
                elif size == 2:
                    db_data = struct.pack(up("<H"), INT)
                elif size == 4:
                    db_data = struct.pack(up("<I"), INT)
                elif size == 8:
                    db_data = struct.pack(up("<Q"), INT)
                elif size == 16:
                    db_data = struct.pack(up("<QQ"),
                                          int(INT & 0xffffffffffffffff),
                                          int(INT >> 64))
                elif size == 32:
                    db_data = struct.pack(up("<QQQQ"),
                                          INT & 0xffffffffffffffff,
                                          (INT >> 64) & 0xffffffffffffffff,
                                          (INT >> 128) & 0xffffffffffffffff,
                                          INT >> 192)
                else:
                    continue
                segm['registers' +
                     str(regAddress)] = [regAddress,
                                         len(db_data), db_data]
                print(" (%-10s IR_offset: %-5d) (regValue: %-32x nb: %2d) " %
                      (regName, regAddress, (INT), len(db_data)))
            except Exception as e:
                print("-=1-=1-=1-=1- error:", e, regName, hex(INT), size,
                      "-=1-=1-=1-=1- ")

        def find_segm(va, length, bpt_l):
            global BPNORMAL
            for ea, bptype, hwtype_hwsize, code in bpt_l:
                if va <= ea and ea < va + length:
                    if bptype == BPNORMAL:
                        yield (code, ea - va)

        bpt_list = [i for i in Breakpoints()]
        for name in segm:
            address, length, db_data = segm[name]
            ab_name = (name + '\x00').encode('utf-8')
            all_ab_name += len(ab_name)
            # 将软件断点pass掉
            len_db_data = len(db_data)
            for code, offset in find_segm(address, length, bpt_list):
                db_data = db_data[:offset] + struct.pack(
                    up("<H"), code) + db_data[offset + 2:]
                segm[name] = [address, length, db_data]
                assert (len(db_data) == len_db_data)
                print("bkp found: address: %x code: %s" %
                      (address + offset,
                       base64.b16encode(struct.pack(up("<H"), code))))

        for name in segm:
            address, length, db_data = segm[name]
            ab_name = (name + '\x00').encode('utf-8')
            nameoffset = len(segm) * 32 + nameoffset_p
            dataoffset = len(segm) * 32 + all_ab_name + dataoffset_p
            db1 = struct.pack("<Q", nameoffset)
            db2 = struct.pack("<Q", address)
            db3 = struct.pack("<Q", length)
            db4 = struct.pack("<Q", dataoffset)
            self.mem_mmap[name] = [address, dataoffset, length]
            binfile.write(db1)
            binfile.write(db2)
            binfile.write(db3)
            binfile.write(db4)
            nameoffset_p += len(ab_name)
            dataoffset_p += length
        for name in segm:
            address, length, db_data = segm[name]
            ab_name = (name + '\x00').encode('utf-8')
            binfile.write(ab_name)
        for name in segm:
            address, length, db_data = segm[name]
            binfile.write(db_data)
Beispiel #30
0
import idaapi

idtr_str = Eval('SendDbgCommand("r idtr")')
idtr = long(idtr_str[5:-1], 16)
print "idtr = 0x%x" % idtr
i = 256
for i in range(0, 256):
    buf = idaapi.dbg_read_memory(idtr + 16 * i, 16)
    isr = 0
    isr = isr + (ord(buf[11]) << (8 * 7))
    isr = isr + (ord(buf[10]) << (8 * 6))
    isr = isr + (ord(buf[9]) << (8 * 5))
    isr = isr + (ord(buf[8]) << (8 * 4))
    isr = isr + (ord(buf[7]) << (8 * 3))
    isr = isr + (ord(buf[6]) << (8 * 2))
    isr = isr + (ord(buf[1]) << (8 * 1))
    isr = isr + (ord(buf[0]) << (8 * 0))
    #for j in range(6,12):
    #    isr = isr+(ord(buf[j]) << (8*(j-4)))
    #for j in range(0,2):
    #    isr = isr+(ord(buf[j]) << (8*(j)))
    print "isr %x address = 0x" % i, hex(isr)
    idc.MakeCode(isr)
    idc.MakeFunction(isr)
    MakeNameEx(isr, str('mISR_') + hex(i).upper(), SN_NOWARN)
Beispiel #31
0
def dumpdex(start, size, target):
    rawdex = idaapi.dbg_read_memory(start, size)
    fd = open(target, 'wb')
    fd.write(rawdex)
    fd.close()
Beispiel #32
0
while (True):

    Go()

    PC = GetRegValue("PC")

    if (PC == DMAU):

        dmau = GetRegValue("R0")

    elif (PC == DMAL):

        dmal = GetRegValue("R0")

        DMA(dmau, dmal)

    elif (PC == CRC):

        R3 = GetRegValue("R3")
        R4 = GetRegValue("R4")

        print "DUMP: 0x%X 0x%X" % (R3, R4)

        data = idaapi.dbg_read_memory(R3, R4)
        f.write(data)

    else:

        break

f.close()
Beispiel #33
0
def test_readwrite():
    ea  = cpu.Eip
    buf = idaapi.dbg_read_memory(ea, 5)
    print "read: ", [hex(ord(x)) for x in buf]
    idaapi.dbg_write_memory(ea, buf)
Beispiel #34
0
    def writeMem(self, binfile):
        regs = self.getRegs()
        segm = self.init_segm_mem()
        for n in xrange(idaapi.get_segm_qty()):
            seg = idaapi.getnseg(n)
            if seg:
                count = 0
                h = ''
                while (idaapi.get_segm_name(seg, 0) + h) in segm.keys():
                    count += 1
                    h = str(count)
                name = idaapi.get_segm_name(seg, 0) + h
                address = seg.startEA
                length = seg.endEA - seg.startEA

                db_data = idaapi.dbg_read_memory(address, length)
                if db_data:
                    print('ok   ', name, seg.flags, length, 'bytes',
                          length / 1024, 'kb')
                    segm[name] = [address, length, db_data]
                else:
                    print('faild', name, seg.flags, length, 'bytes',
                          length / 1024, 'kb')
                    pass
        nameoffset_p = 0
        dataoffset_p = 0
        all_ab_name = 0

        for regAddress in regs:
            INT = regs[regAddress]
            regName = self.register_names[regAddress]
            size = self.registers[regName][1]
            try:
                if size == 1:
                    db_data = struct.pack("<B", INT)
                elif size == 2:
                    db_data = struct.pack("<H", INT)
                elif size == 4:
                    db_data = struct.pack("<I", INT)
                elif size == 8:
                    db_data = struct.pack("<Q", INT)
                elif size == 16:
                    db_data = struct.pack("<QQ", int(INT & 0xffffffffffffffff),
                                          int(INT >> 64))
                elif size == 32:
                    db_data = struct.pack("<QQQQ", INT & 0xffffffffffffffff,
                                          (INT >> 64) & 0xffffffffffffffff,
                                          (INT >> 128) & 0xffffffffffffffff,
                                          INT >> 192)
                else:
                    continue
                segm['registers' +
                     str(regAddress)] = [regAddress,
                                         len(db_data), db_data]
                print(" (%-10s : %-5d) (%-x) (%d)" % (regName, regAddress,
                                                      (INT), len(db_data)))
            except Exception as e:
                print("--------- error:", e, regName, hex(INT), size,
                      "--------- ")

        for name in segm:
            address, length, db_data = segm[name]
            ab_name = (name + '\x00').encode('utf-8')
            all_ab_name += len(ab_name)
        for name in segm:
            address, length, db_data = segm[name]
            ab_name = (name + '\x00').encode('utf-8')
            nameoffset = len(segm) * 32 + nameoffset_p
            dataoffset = len(segm) * 32 + all_ab_name + dataoffset_p
            db1 = struct.pack("<Q", nameoffset)
            db2 = struct.pack("<Q", address)
            db3 = struct.pack("<Q", length)
            db4 = struct.pack("<Q", dataoffset)
            binfile.write(db1)
            binfile.write(db2)
            binfile.write(db3)
            binfile.write(db4)
            nameoffset_p += len(ab_name)
            dataoffset_p += length
        for name in segm:
            address, length, db_data = segm[name]
            ab_name = (name + '\x00').encode('utf-8')
            binfile.write(ab_name)
        for name in segm:
            address, length, db_data = segm[name]
            binfile.write(db_data)
Beispiel #35
0
import idaapi


def fn_f9():
    idaapi.continue_process()
    GetDebuggerEvent(WFNE_SUSP | WFNE_CONT, -1)


i = 1
while (1):
    fn_f9()
    while (1):
        file_name = "d:\\" + str(i)
        if os.path.exists(file_name):
            i = i + 1
        else:
            break
    r1 = GetRegValue("R1")
    r2 = GetRegValue("R2")
    data = idaapi.dbg_read_memory(r1, r2)
    fp = open(file_name, 'wb')
    fp.write(data)
    fp.close()
Beispiel #36
0
def read_data(ea, size):
    return idaapi.dbg_read_memory(ea, size)
def getdexlen(start):
    pos = start + 0x20
    mem = idaapi.dbg_read_memory(pos, 4)
    len = struct.unpack('<I', mem)[0]
    # print 'len is ' + str(hex(len))
    return int(len)
Beispiel #38
0
def dump_dex(start_address, size):
    data = idaapi.dbg_read_memory(start_address, size)
    fp = open('E:\\dump.dex', 'wb')
    fp.write(data)
    fp.close()