def setInitializerExecution(self):
n = self.GetLineNo()
if n != 0:
f = self.get_item(n - 1)
else:
return False
initCodeSt = idc.BeginEA()
initCodeSt = idc.AskAddr(
initCodeSt,
"Enter the start address of the Code Initializer that you want to run before Decryption Routine"
)
if initCodeSt == BADADDR:
kprint("[!] Cancelled")
return False
endCodeSt = initCodeSt + idc.ItemSize(initCodeSt)
endCodeSt = idc.AskAddr(
endCodeSt,
"Enter the end address of the Code Initializer that you want to run before Decryption Routine"
)
if endCodeSt == BADADDR:
kprint("[!] Cancelled")
return False
return f.setInitializerExecution(initCodeSt, endCodeSt)
def AllocateCodeSegment(self):
if self.segment_start != 0:
self.FreeCodeSegment()
while True:
seg_start = idaapi.BADADDR
while seg_start == idaapi.BADADDR:
seg_start = idc.AskAddr(
0x1000, "Enter address to create new code segment")
seg_size = 0
while seg_size == 0:
seg_size = idc.AskAddr(0x10000,
"Enter size of new code segment")
if idc.SegCreate(seg_start, seg_start + seg_size, 0, 1, 0, 0) != 0:
break
self.segment_start = seg_start
self.segment_size = seg_size
while True:
seg_name = ''
while seg_name == '':
seg_name = idc.AskStr("optimized", "Enter a new segment name")
if idc.SegRename(self.segment_start, seg_name) != 0:
break
self.segment_name = seg_name
self.free_ea = self.segment_start
def main():
wow_imagebase = idc.AskAddr(idc.BADADDR, "Enter WoW's base address.")
if wow_imagebase and wow_imagebase is not idc.BADADDR:
delta = wow_imagebase - idaapi.get_imagebase()
status = rebase_program(delta, idc.MSF_NOFIX)
if status is not idc.MOVE_SEGM_OK:
print "rebase_program failed %d." % (status)
def __init__(self):
## dict of addresses and enum ids for faster lookup
addr = idc.AskAddr(0, "Enter the original base address of the file")
if addr == idaapi.BADADDR:
idc.Warning("Invalid Address please enter the correct base address")
idc.Exit
idc.rebase_program(addr, idaapi.MSF_FIXONCE)
self.enums = {}
self.start_addr = None
self.symbols = {}
def fix_names(self):
"""
Fix the table of imports and map enums to apis.
"""
start_addr = idc.AskAddr(idc.here(), "Enter table start address")
## check if address is within the base address and maximum address
if (start_addr < idc.MinEA()) or (start_addr > idc.MaxEA()):
idc.Warning("You have entered an invalid start address")
idc.Exit
self.start_addr = start_addr
current_addr = self.start_addr
#Current size of PoisonIvy IAT
end_addr = current_addr + 568
# Walk the table 8 bytes at a time
while current_addr <= end_addr:
idc.MakeQword(current_addr)
print "DEBUG: Current address - 0x%08x" % current_addr
addr = idc.Qword(current_addr)
print "DEBUG: address - 0x%08x" % addr
if addr == -1:
print "[!] Skipping address 0x%08x - 0x%08x" % (current_addr, addr)
current_addr += 8
continue
# Make the current address an offset
idc.OpOff(current_addr,0,0)
# We need to undefine the bytes incase IDA autoanalysis had converted an incorrect byte
idc.MakeUnkn(addr, 1)
# Create code at this address
idc.MakeCode(addr)
# Create function at the same address
idc.MakeFunction(addr, addr+16)
# Read the second operand at the address which should be the negative API address value
imp_addr = idc.GetOperandValue(addr, 1)
if imp_addr == -1:
print "[!] Couldn't get operand at address - 0x%08x" % addr
current_addr +=8
continue
# try:
# int_addr = int(imp_addr,16)
# except ValueError as e:
# print "[!] Failed on: %s - %s\n" % (imp_addr, e)
# current_addr +=8
# continue
# if we know about this value then let's do the work
if imp_addr in self.enums.keys():
enum_id = self.enums[imp_addr]
# Convert operand to enum
idc.OpEnumEx(addr, 1, enum_id,0)
const_id = idc.GetConstEx(enum_id, imp_addr, 0, -1)
fn_name = "fn_"+idc.GetConstName(const_id)
off_name = "ptr_"+idc.GetConstName(const_id)
# Rename the function to the symbol name.
# We append fn_ to the symbol for the function name
# and ptr_ to the offset in the table.
if not idc.MakeNameEx(addr, fn_name, idaapi.SN_NOWARN):
print "[!] Failed to rename function %s at 0x%08x\n" % (fn_name, addr)
if not idc.MakeNameEx(current_addr, off_name, idaapi.SN_NOWARN):
print "[!] Failed to rename offset %s at 0x%08x\n" % (off_name,current_addr)
current_addr += 8
return
import idc
start = idc.AskAddr(ScreenEA(),"Start Address:")
length = idc.AskLong(ItemSize(ScreenEA()),"Length:")
datatype = idc.AskStr("b","Type:")
i = 1
if datatype == "B" or datatype == "b":
func = idc.Byte
elif datatype == "w" or datatype == "W":
func = idc.Word
i = 2
elif datatype == "d" or datatype == "D":
func = idc.Dword
i = 4
elif datatype == "q" or datatype == "Q":
func = idc.Qword
i = 8
elif datatype == "f" or datatype == "F":
func = idc.GetFloat
i = 4
elif datatype == "lf" or datatype == "LF":
func = idc.GetDouble
i = 8
else:
func = idc.Byte
a = []
for n in range(0,length*i,i):
res: (string) Decrypted ascii string.
"""
res = ''
for byte in val:
ch = byte^(key&0xff)
temp = (shr(key,0x18) + shl(key, 8)) & 0xffffffff
res += chr(ch)
## Sign extending the byte
if byte & 0x80 != 0 :
dword_add = 0xffffff00 + byte
else:
dword_add = byte & 0xffffffff
key = (temp + dword_add ) & 0xffffffff
return res
fn_addr = idc.AskAddr(idc.here(), "Enter address of string decoding function")
## check if address is valid
if (fn_addr < idc.MinEA()) or (fn_addr > idc.MaxEA()):
idc.Warning("You have entered an invalid start address")
idc.Exit
for ref in idautils.XrefsTo(fn_addr, flags=0):
key, enc_str, ins_addr = get_args(ref.frm)
dec_str = decrypt(key,enc_str)
print "[+] Decoded String: %s " % dec_str
idc.MakeComm(ins_addr, dec_str)
def ask_addr(value, prompt):
if idaapi.IDA_SDK_VERSION <= 699:
retval = idc.AskAddr(value, prompt)
else:
retval = ida_kernwin.ask_addr(value, prompt)
return retval
def get_info():
addr = idc.AskAddr(idc.ScreenEA(), "Enter start address.")
name = idc.AskStr("", "Enter name.")
return addr, name
def add_bp_action(self):
res = idc.AskAddr(idc.here(), "Breakpoint address:")
if res is not None:
self.bp_list.addItem(hex(res))
else:
print "Invalid breakpoint entered!"
def writeWord(self):
print('Write Word')
addr = idc.AskAddr(0, 'Address to modify')
value = idc.AskAddr(0, 'Value')
command = '@cgc.writeWord(0x%x, 0x%x)' % (addr, value)
simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
def getUIAddress(self, prompt):
value = self.registerMath()
if value is None:
value = idc.GetRegValue(self.SP)
target_addr = idc.AskAddr(value, prompt)
return target_addr
def GetAskForAddressResult():
tgtEA = idc.AskAddr(0, "Enter target address")
if tgtEA is None:
exit
return tgtEA
import idc
import idaapi
#from tes_string_functions import *
# insures that the module is reloaded
idaapi.require('tes_string_functions')
str_addr = idc.AskAddr(0, "Enter address of BSFixedString")
if str_addr is None:
exit()
cstr = tes_string_functions.getCStrFromBSFixedString(str_addr)
# print hex value
print("cstr is: 0x%X" % (cstr))
def ask_address(self, address):
return idc.AskAddr(address, "Please enter an address")
def get_info():
addr = idc.AskAddr(idc.ScreenEA(), "Enter start address.")
comment = idc.AskStr("","Enter comment to add after the bp, if any.")
outfilename = idc.AskStr("","Output file name.")
command = idc.AskStr("","Vtrace command to use?.")
return addr,comment,command,outfilename
