def setInitializerExecution(self): n = self.GetLineNo() if n != 0: f = self.get_item(n - 1) else: return False initCodeSt = idc.BeginEA() initCodeSt = idc.AskAddr( initCodeSt, "Enter the start address of the Code Initializer that you want to run before Decryption Routine" ) if initCodeSt == BADADDR: kprint("[!] Cancelled") return False endCodeSt = initCodeSt + idc.ItemSize(initCodeSt) endCodeSt = idc.AskAddr( endCodeSt, "Enter the end address of the Code Initializer that you want to run before Decryption Routine" ) if endCodeSt == BADADDR: kprint("[!] Cancelled") return False return f.setInitializerExecution(initCodeSt, endCodeSt)
def AllocateCodeSegment(self): if self.segment_start != 0: self.FreeCodeSegment() while True: seg_start = idaapi.BADADDR while seg_start == idaapi.BADADDR: seg_start = idc.AskAddr( 0x1000, "Enter address to create new code segment") seg_size = 0 while seg_size == 0: seg_size = idc.AskAddr(0x10000, "Enter size of new code segment") if idc.SegCreate(seg_start, seg_start + seg_size, 0, 1, 0, 0) != 0: break self.segment_start = seg_start self.segment_size = seg_size while True: seg_name = '' while seg_name == '': seg_name = idc.AskStr("optimized", "Enter a new segment name") if idc.SegRename(self.segment_start, seg_name) != 0: break self.segment_name = seg_name self.free_ea = self.segment_start
def main(): wow_imagebase = idc.AskAddr(idc.BADADDR, "Enter WoW's base address.") if wow_imagebase and wow_imagebase is not idc.BADADDR: delta = wow_imagebase - idaapi.get_imagebase() status = rebase_program(delta, idc.MSF_NOFIX) if status is not idc.MOVE_SEGM_OK: print "rebase_program failed %d." % (status)
def __init__(self): ## dict of addresses and enum ids for faster lookup addr = idc.AskAddr(0, "Enter the original base address of the file") if addr == idaapi.BADADDR: idc.Warning("Invalid Address please enter the correct base address") idc.Exit idc.rebase_program(addr, idaapi.MSF_FIXONCE) self.enums = {} self.start_addr = None self.symbols = {}
def fix_names(self): """ Fix the table of imports and map enums to apis. """ start_addr = idc.AskAddr(idc.here(), "Enter table start address") ## check if address is within the base address and maximum address if (start_addr < idc.MinEA()) or (start_addr > idc.MaxEA()): idc.Warning("You have entered an invalid start address") idc.Exit self.start_addr = start_addr current_addr = self.start_addr #Current size of PoisonIvy IAT end_addr = current_addr + 568 # Walk the table 8 bytes at a time while current_addr <= end_addr: idc.MakeQword(current_addr) print "DEBUG: Current address - 0x%08x" % current_addr addr = idc.Qword(current_addr) print "DEBUG: address - 0x%08x" % addr if addr == -1: print "[!] Skipping address 0x%08x - 0x%08x" % (current_addr, addr) current_addr += 8 continue # Make the current address an offset idc.OpOff(current_addr,0,0) # We need to undefine the bytes incase IDA autoanalysis had converted an incorrect byte idc.MakeUnkn(addr, 1) # Create code at this address idc.MakeCode(addr) # Create function at the same address idc.MakeFunction(addr, addr+16) # Read the second operand at the address which should be the negative API address value imp_addr = idc.GetOperandValue(addr, 1) if imp_addr == -1: print "[!] Couldn't get operand at address - 0x%08x" % addr current_addr +=8 continue # try: # int_addr = int(imp_addr,16) # except ValueError as e: # print "[!] Failed on: %s - %s\n" % (imp_addr, e) # current_addr +=8 # continue # if we know about this value then let's do the work if imp_addr in self.enums.keys(): enum_id = self.enums[imp_addr] # Convert operand to enum idc.OpEnumEx(addr, 1, enum_id,0) const_id = idc.GetConstEx(enum_id, imp_addr, 0, -1) fn_name = "fn_"+idc.GetConstName(const_id) off_name = "ptr_"+idc.GetConstName(const_id) # Rename the function to the symbol name. # We append fn_ to the symbol for the function name # and ptr_ to the offset in the table. if not idc.MakeNameEx(addr, fn_name, idaapi.SN_NOWARN): print "[!] Failed to rename function %s at 0x%08x\n" % (fn_name, addr) if not idc.MakeNameEx(current_addr, off_name, idaapi.SN_NOWARN): print "[!] Failed to rename offset %s at 0x%08x\n" % (off_name,current_addr) current_addr += 8 return
import idc start = idc.AskAddr(ScreenEA(),"Start Address:") length = idc.AskLong(ItemSize(ScreenEA()),"Length:") datatype = idc.AskStr("b","Type:") i = 1 if datatype == "B" or datatype == "b": func = idc.Byte elif datatype == "w" or datatype == "W": func = idc.Word i = 2 elif datatype == "d" or datatype == "D": func = idc.Dword i = 4 elif datatype == "q" or datatype == "Q": func = idc.Qword i = 8 elif datatype == "f" or datatype == "F": func = idc.GetFloat i = 4 elif datatype == "lf" or datatype == "LF": func = idc.GetDouble i = 8 else: func = idc.Byte a = [] for n in range(0,length*i,i):
res: (string) Decrypted ascii string. """ res = '' for byte in val: ch = byte^(key&0xff) temp = (shr(key,0x18) + shl(key, 8)) & 0xffffffff res += chr(ch) ## Sign extending the byte if byte & 0x80 != 0 : dword_add = 0xffffff00 + byte else: dword_add = byte & 0xffffffff key = (temp + dword_add ) & 0xffffffff return res fn_addr = idc.AskAddr(idc.here(), "Enter address of string decoding function") ## check if address is valid if (fn_addr < idc.MinEA()) or (fn_addr > idc.MaxEA()): idc.Warning("You have entered an invalid start address") idc.Exit for ref in idautils.XrefsTo(fn_addr, flags=0): key, enc_str, ins_addr = get_args(ref.frm) dec_str = decrypt(key,enc_str) print "[+] Decoded String: %s " % dec_str idc.MakeComm(ins_addr, dec_str)
def ask_addr(value, prompt): if idaapi.IDA_SDK_VERSION <= 699: retval = idc.AskAddr(value, prompt) else: retval = ida_kernwin.ask_addr(value, prompt) return retval
def get_info(): addr = idc.AskAddr(idc.ScreenEA(), "Enter start address.") name = idc.AskStr("", "Enter name.") return addr, name
def add_bp_action(self): res = idc.AskAddr(idc.here(), "Breakpoint address:") if res is not None: self.bp_list.addItem(hex(res)) else: print "Invalid breakpoint entered!"
def writeWord(self): print('Write Word') addr = idc.AskAddr(0, 'Address to modify') value = idc.AskAddr(0, 'Value') command = '@cgc.writeWord(0x%x, 0x%x)' % (addr, value) simicsString = gdbProt.Evalx('SendGDBMonitor("%s");' % command)
def getUIAddress(self, prompt): value = self.registerMath() if value is None: value = idc.GetRegValue(self.SP) target_addr = idc.AskAddr(value, prompt) return target_addr
def GetAskForAddressResult(): tgtEA = idc.AskAddr(0, "Enter target address") if tgtEA is None: exit return tgtEA
import idc import idaapi #from tes_string_functions import * # insures that the module is reloaded idaapi.require('tes_string_functions') str_addr = idc.AskAddr(0, "Enter address of BSFixedString") if str_addr is None: exit() cstr = tes_string_functions.getCStrFromBSFixedString(str_addr) # print hex value print("cstr is: 0x%X" % (cstr))
def ask_address(self, address): return idc.AskAddr(address, "Please enter an address")
def get_info(): addr = idc.AskAddr(idc.ScreenEA(), "Enter start address.") comment = idc.AskStr("","Enter comment to add after the bp, if any.") outfilename = idc.AskStr("","Output file name.") command = idc.AskStr("","Vtrace command to use?.") return addr,comment,command,outfilename