Ejemplo n.º 1
0
    def guessValues(self, rawValue):
        """
        Guess string values
        """
        minLength = 5
        str_value = idc.DbgDword(rawValue + 4)
        if str_value is None:
            return False

        value = idc.GetString(str_value, strtype=idc.ASCSTR_C)

        if value and len(value) >= minLength:
            value, raw_value = self.normalize_raw_value(value)
            self.addParsedvalue(value, 1, "std::basic_string", raw_value)
            return True

        if not value:
            # If this is not an ASCII string, check for the string value at offset +0x04
            tmp = idc.GetString(rawValue, strtype=idc.ASCSTR_C)
            if tmp:
                return False
            value = idc.GetString(rawValue + 4, strtype=idc.ASCSTR_C)
            if value and len(value) >= minLength:
                value, raw_value = self.normalize_raw_value(value)
                self.addParsedvalue(value, 1, "std::basic_string", raw_value)
                return True

        return False
Ejemplo n.º 2
0
    def parseValue(self, rawValue):
        """
        Parse the string value
        @return:
        """
        str_value = idc.DbgDword(rawValue + 4)
        if str_value is None:
            return False

        value = idc.GetString(str_value, strtype=idc.ASCSTR_C)

        if value:
            value, raw_value = self.normalize_raw_value(value)
            self.addParsedvalue(value, 1, "std::basic_string", raw_value)
            return True

        else:
            # If this is not an ASCII string, check for the string value at offset +0x04
            tmp = idc.GetString(rawValue, strtype=idc.ASCSTR_C)
            if tmp:
                return False
            value = idc.GetString(rawValue + 4, strtype=idc.ASCSTR_C)
            value, raw_value = self.normalize_raw_value(value)
            self.addParsedvalue(value, 1, "std::basic_string", raw_value)
            return True

        return False
Ejemplo n.º 3
0
    def __stack_dword(self, n, value=None):
        addr = self.StackPointer() + self.cpu['spoffset'] + (n * self.bsize)

        if value is not None:
            sval = self.ToString(value, size=self.bsize)
            idc.DbgWrite(addr, sval)

        return idc.DbgDword(addr)
Ejemplo n.º 4
0
 def activate(self, ctx):
     selection = idaapi.read_selection()
     valid_selection = selection[0]
     if (valid_selection):
         addr = idc.DbgDword(selection[1])
         idaapi.jumpto(addr)
     else:
         idaapi.msg("Invalid selection!\n")
Ejemplo n.º 5
0
def stage2(data):
    read_data = analyse_read()
    ret_addr = idc.DbgDword(idautils.cpu.esp)
    idautils.cpu.esp += 0x14 + 4
    idautils.cpu.eip = ret_addr
    data += '\r\n'
    idc.DbgWrite(read_data.read_buf, data)
    idc.DbgWrite(read_data.nread_out, struct.pack('<I', len(data)))

    return read_data
Ejemplo n.º 6
0
 def read(ea, size=4):
     val = 0
     if size == 1:
         val = idc.DbgByte(ea)
     elif size == 2:
         val = idc.DbgWord(ea)
     elif size == 4:
         val = idc.DbgDword(ea)
     else:
         fatalError("Bad size encountered in Memory.read")
     return val
Ejemplo n.º 7
0
    def __reg_value(self, reg, value=None):
        if value is not None:
            if reg.startswith('*'):
                idc.DbgWrite(idc.GetRegValue(reg[1:]), self.ToString(value))
            else:
                idc.SetRegValue(value, reg)

        if reg.startswith('*'):
            return idc.DbgDword(idc.GetRegValue(reg[1:]))
        else:
            return idc.GetRegValue(reg)
Ejemplo n.º 8
0
def GetData(index):
    """
    Gets the data of the stack
    
    @param path: index of where to pull from
    @return: the address of the stack
    
    """
    import idc

    esp = idc.GetRegValue("ESP")
    return idc.DbgDword(esp + index)
Ejemplo n.º 9
0
def get_adrs_mem(ea):
    """
    Get the memory at address according to native size (16, 32 or 64 bit)
    """
    # Verify EA
    if not idc.isEnabled(ea):
        return None

    nativeSize = get_native_size()

    if nativeSize is 16:
        return idc.DbgWord(ea)

    if nativeSize is 32:
        return idc.DbgDword(ea)

    if nativeSize is 64:
        return idc.DbgQword(ea)
Ejemplo n.º 10
0
    def ReadFileEnd(self):
        """
        Monitors the the end of ReadFile function
        This is the function that will trigger the trace
        inputLoggingList is past from MyReadFile, which holds are of MyReadFile arguments
        """

        retVal = idc.GetRegValue("EAX")
        self.logger.info("Returning from ReadFile... with %d" % retVal)

        lpBuffer = self.tempStack.pop(0)
        lpNumberOfBytesRead = self.tempStack.pop(0)
        hFile = self.tempStack.pop(0)
        callerAddr = self.tempStack.pop(0)
        callerFuncName = self.tempStack.pop(0)
        threadID = self.tempStack.pop(0)

        NumberOfBytesRead = idc.DbgDword(lpNumberOfBytesRead)
        self.logger.info("NumberOfBytesRead is 0x%x" % NumberOfBytesRead)

        _buffer = idaapi.dbg_read_memory(lpBuffer, NumberOfBytesRead)

        self.logger.debug(_buffer)

        inputLoggingList = []

        inputLoggingList.append(lpBuffer)
        inputLoggingList.append(NumberOfBytesRead)
        inputLoggingList.append(_buffer)
        inputLoggingList.append(hFile)
        inputLoggingList.append(callerAddr)
        inputLoggingList.append(callerFuncName)
        inputLoggingList.append(threadID)

        if retVal:
            Print("ReadFile succeeded.")
            self.logger.info("ReadFile succeeded.")
            self.debuggerInstance.callbackProcessing(inputLoggingList)
        else:
            Print("ReadFile failed.")
            self.logger.info("ReadFile failed.")

        return 0
Ejemplo n.º 11
0
def setup():
    path = 'C:/Users/benoit/work/you_are_very_good_at_this.exe'
    for i in range(10):
        res = idc.StartDebugger(path, '', 'C:/Users/benoit/work')
        print('got res >> ', res)
        if res == 1:
            break
        idc.StopDebugger()
        time.sleep(1)
    else:
        assert False, 'Could not start debugger'
    wait_susp()

    funcs = ida.find_imported_funcs('kernel32')
    print(funcs)

    read_addr = funcs['ReadFile'][0]
    print('read addr >> ', read_addr)
    read_pos = idc.DbgDword(read_addr)

    idc.AddBpt(read_pos)
    print('read pos bpt >> ', hex(read_pos))

    go(read_pos)
Ejemplo n.º 12
0
func_start = 0x40108c
func_end = 0x4010d9


def go(addr):
    while idc.GetRegValue('eip') != addr:
        idc.GetDebuggerEvent(idc.WFNE_CONT | idc.WFNE_SUSP, -1)


idc.AddBpt(func_end)
idc.AddBpt(func_start)

go(func_end)

n = 0x25
buf_addr = idc.DbgDword(idautils.cpu.ebp + 0xc)
data_addr = idc.DbgDword(idautils.cpu.ebp + 0x8)
len_addr = idautils.cpu.ebp + 0x10
assert idc.DbgWrite(len_addr, struct.pack('<I', n))

print 'steaaart', hex(buf_addr)
res = ''
for i in range(n):

    for c in range(256):
        assert idc.DbgWrite(buf_addr + i, chr(c)) == 1
        idc.RefreshDebuggerMemory()
        idautils.cpu.eip = func_start
        go(func_end)
        if idautils.cpu.edi != data_addr + n - i:
            print 'FOUND ONE', c
Ejemplo n.º 13
0
def analyse_read():
    read_buf = idc.DbgDword(idautils.cpu.esp + 0x8)
    nread = idc.DbgDword(idautils.cpu.esp + 0xc)
    nread_out = idc.DbgDword(idautils.cpu.esp + 0x10)
    return Attributize(None, **locals())
Ejemplo n.º 14
0
 def do_ret():
     retaddr = idc.DbgDword(idautils.cpu.esp)
     idautils.cpu.esp += 4
     idautils.cpu.eip = retaddr
Ejemplo n.º 15
0
  def dbg_bpt(self, tid, ea):
    #if ea == self.cond_ea:
    #    self.done = True
    #    self.res_val = idc.DbgDword(idautils.cpu.esi)
    #print('ON >> ', hex(ea), 'want ')

    try:
      if ea == self.push_screen_ea:
        tmp=idc.DbgRead(self.screen_buf_ea, 6)
        self.screen_data.append(tmp)
        print('pushing screen here', tmp)
        self.count += 1
        if 0 and self.count == 10000:
          self.done = 1
        if self.count%10==0:
          self.save_screen()

      elif ea == self.deque_ea:
        recv_word = idautils.cpu.eax
        mask=idc.DbgDword(idautils.cpu.ebp-0x6070)
        self.dec_data.append([recv_word, mask])
        if 1 and len(self.dec_data)==0x1000/8:
          self.done=1
        print('DEQUE >> ', hex(recv_word), hex(mask))

      elif ea == self.prepare_reg_send:
        if 1: return
        idc.DbgWrite(idautils.cpu.esp+0x3c-0x1d, chr(self.cur_byte))

        abc=idc.DbgRead(idautils.cpu.esp+0x3c-0x1d, 1)
        print('SENDING CHAR >> ', abc, self.cur_byte)
        self.tmp_tb=[]
        self.last_edi=idautils.cpu.edi

      elif ea == self.enqueue_func:
        print('SKIPPING ENQUEUE')
        if 0: return
        do_ret()
      elif ea == self.enqueue_ea:
        #if 0: return
        if self.tmp_tb is not None:
          nedi=idautils.cpu.edi
          send_word=(nedi-self.last_edi)%8
          self.last_edi=nedi
          self.tmp_tb.append(send_word)
          self.tb2.append([nedi, hex(idautils.cpu.eax)])
          print('GOT TB LEN ', self.tmp_tb)
          if len(self.tmp_tb)==3:
            self.enc_data.append(self.tmp_tb)
            self.tmp_tb=None
            self.cur_byte+=1
            self.last_edi=None
            if self.cur_byte==256:
              self.done=1

          print('ENQUEUE >> ', send_word)
      elif ea == self.prepare_str_ea:

        if 1: return
        buf_len = idc.DbgDword(idautils.cpu.esi + 0x38)
        buf_addr = idc.DbgDword(idautils.cpu.esi + 0x34)
        buf = idc.DbgRead(buf_addr, buf_len)
        print(buf_len, buf_addr, buf)
        assert len(self.want_str) <= buf_len
        idc.DbgWrite(buf_addr, self.want_str)
        idc.DbgWrite(idautils.cpu.esi + 0x38, struct.pack('<I', len(self.want_str)))

        print('string is set')

        #self.done = 1
      elif ea==self.test_time_end:
        if self.time>=3600*24:
          self.done=1
          #entre 23h et 1h
        else:
          idautils.cpu.eip=self.test_time_start
          resv=idautils.cpu.eax
          h,m,s=self.get_time(self.time)
          print 'REsult: %d:%d:%d >> %d'%(h,m,s,resv)
          self.time+=60

      elif ea==self.test_time_mod:
        h,m,s=self.get_time(self.time)
        addr=idautils.cpu.ebx
        write_u16(addr+4*2, h)
        write_u16(addr+5*2, m)
        write_u16(addr+6*2, s)
    except:
      traceback.print_exc()
      print('FAILED here')
      self.done=1


    return 0
Ejemplo n.º 16
0
 def do_ret_win(n=0):
     retaddr = idc.DbgDword(idautils.cpu.esp)
     idautils.cpu.esp += 4 + 4 * n
     idautils.cpu.eip = retaddr