def jxx_target(head):
refs = idautils.CodeRefsFrom(head, 0)
refs = list([x for x in refs])
n = len(refs)
#jmp $+5
if n > 0:
target = refs[0]
elif n == 0:
if is_jmp_next(head):
target = idc.NextNotTail(head)
else:
print "decoding @ 0x%x" % head
#this is a bug in IDA. if MakeCode results in a new jmp, pointing to undefined byte:
#jmp lol
#...
#lol:
# db 0
# <defined instructions>
#then CodeRefsFrom() will return nothing, so we need to decode the address ourselves :p
#FIXME: remove everything except decode_jump?
target = decode_jump(head)
print "result: 0x%x" % target
else:
print "unknown jxx_target @ 0x%x" % head
assert (False)
return target
def main(): xrefs = XrefsTo(0x13070FC) for xref in xrefs: packetHeader = idc.NextNotTail(xref.frm) opCode1 = idc.GetOperandValue(packetHeader, 1) if opCode1 > 10 and opCode1 < 16655: print "%08x -> %2x" % (packetHeader, opCode1)
def processEncrypt(ea, name, CRYPTSTART_PATTERN, CRYPTEND_PATTERN, EPILOGUE_PATTERN, PROLOGUE_PATTERN):
prologue = idc.FindBinary(ea, SEARCH_UP, PROLOGUE_PATTERN) if len(PROLOGUE_PATTERN) != 0 else idc.GetFunctionAttr(ea, FUNCATTR_START)
epilogue = idc.FindBinary(ea, SEARCH_DOWN, EPILOGUE_PATTERN) if len(EPILOGUE_PATTERN) != 0 else idc.GetFunctionAttr(ea, FUNCATTR_END)
idc.MakeFunction(prologue, epilogue + EPILOGUE_PATTERN.count(' ') + 1);
cryptStart = idc.FindBinary(ea, SEARCH_DOWN if name != "BYTE" else SEARCH_UP, CRYPTSTART_PATTERN)
cryptEnd = idc.FindBinary(ea, SEARCH_DOWN, CRYPTEND_PATTERN)
# Generate Encrypt
ea = cryptStart + CRYPTSTART_PATTERN.count(' ') + 1
opStr = ""
while ea < cryptEnd:
if idc.GetMnem(ea) != 'mov':
result = {
'add': lambda x: "new Add({0})".format(idc.GetOperandValue(x, 1)),
'sub': lambda x: "new Sub({0})".format(idc.GetOperandValue(x, 1)),
'xor': lambda x: "new Xor({0})".format(idc.GetOperandValue(x, 1)),
'ror': lambda x: "new Ror({0})".format(idc.GetOperandValue(x, 1)),
'rol': lambda x: "new Rol({0})".format(idc.GetOperandValue(x, 1)),
'not': lambda x: "new Not()",
'inc': lambda x: "new Inc()",
'dec': lambda x: "new Dec()",
}[idc.GetMnem(ea)](ea)
opStr += str("{0}{1}".format(result, ", " if idc.NextNotTail(ea) != cryptEnd else ""))
ea = idc.NextNotTail(ea)
print "CryptOperations.Add(0x{0:X}, new Operations({1}));".format(zlib.crc32(opStr) & 0xffffffff, opStr)
idc.MakeNameEx(prologue, "Encrypt_{0}_{1:X}".format(name, zlib.crc32(opStr) & 0xffffffff), SN_NOCHECK | SN_NOWARN)
return;
def generate_data_from_offset(
offset): # credits to ferhat, or whoever wrote this
found_values = {}
chunks = idautils.Chunks(offset)
for begin, end in chunks:
name = ""
offset = -1
ea = begin
while ea != end:
mnem = idc.GetMnem(ea)
opnd = idc.GetOpnd(ea, 0)
stack_value = idc.GetOperandValue(ea, 0)
if mnem == "jz" or mnem == "jl":
name = ""
offset = -1
if offset == -1 and (mnem == "add" or mnem == "lea"
or mnem == "sub"):
offset = idc.GetOperandValue(ea, 1)
if mnem == "sub":
offset = 0x100000000 - offset
if mnem == "push" and "offset" in opnd and "pNodeName" not in opnd:
name = idc.GetString(stack_value, -1, idc.ASCSTR_C)
if is_user_name(stack_value): # this should crash? wtf
name = idc.NameEx(idc.BADADDR, stack_value)
if mnem == "call" or mnem == "jmp":
#print("{} at {}").format(name, dec_to_hex(offset))
if name:
found_values[offset] = name
name = ""
offset = -1
ea = idc.NextNotTail(ea)
return found_values
def main():
print "Parsing CharData..."
start = 0x00E36855
end = 0x00E39EC2
ea = start
parseOffset = False
property = ''
fstpIterator = 0
# Fill FSTP_Array
while ea != end:
mnem = idc.GetMnem(ea)
if mnem == "fstp":
FSTP_ARRAY.append(idc.GetOperandValue(ea, 1))
ea = idc.NextNotTail(ea)
ea = start
while ea != end:
mnem = idc.GetMnem(ea)
tmpb = False
# Get property name
if mnem == 'push':
stringAddr = idc.GetOperandValue(ea, 0)
if stringAddr != BADADDR:
tmpProperty = idc.GetString(stringAddr, -1, ASCSTR_C)
if tmpProperty in MOV_PROPERTIES or tmpProperty in FLOAT_PROPERTIES:
property = tmpProperty
tmpb = True
if tmpb == True and property != None and len(property) > 4:
parseOffset = True
# Get offset
if parseOffset == True and (mnem == "fstp" or mnem == "lea"
or mnem == "mov"):
# Offset
result = 0
# Inside fstp[]
if property in FLOAT_PROPERTIES:
result = FSTP_ARRAY[fstpIterator]
fstpIterator += 1
# Inside mov[]
if property in MOV_PROPERTIES:
if idc.GetOpnd(ea, 0) != "edx" and idc.GetOpnd(ea, 0) != "ecx":
result = {
'fstp': lambda offset: idc.GetOperandValue(offset, 1),
'mov': lambda offset: idc.GetOperandValue(offset, 0),
'lea': lambda offset: 0
}[mnem](ea)
# Display offset
if result != 0:
print "%s => %08x" % (property, result)
parseOffset = False
ea = idc.NextNotTail(ea)