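def _decode_at_callsite(dbg, fva, fva_end, fromva, args):
    """Run the decoder once for the call recorded at *fromva* and return the decoded string.

    A fresh 0x20-byte scratch buffer is passed to the decoder through ecx and is
    released on every path, so a faulting call cannot leak debuggee memory.
    An access violation inside the decoder is reported and yields '' instead
    of aborting the whole run.
    """
    # Scratch buffer standing in for the caller's stack variable that receives the output.
    str_buf = dbg.malloc(0x20)
    dbg.set_reg_arg(args, 'ecx', str_buf)
    try:
        # Running to fva_end (a breakpoint on the function's last address) is much
        # faster than single-stepping until a return is observed.
        out_buf = dbg.call(fva, args, fromva, tova=fva_end)
        str_va = dbg.read_pointer(out_buf)
        return dbg.read_string(str_va)
    except flaredbg.AccessViolationException as e:
        print("Access violation at: 0x%x" % e.va)
        return ''
    finally:
        dbg.free(str_buf)


def main(out_path='C:\\ida_comments.py'):
    """Decode every string requested from the decoder at FVA and emit an IDA comment script.

    Args:
        out_path: Path the generated IDA Python script is written to; the
            default keeps the original hard-coded location.
    """
    # Virtual address of the string decoder and the address to run to (its last instruction).
    fva = 0x10002F6C
    fva_end = 0x10003071
    dbg = flaredbg.DebugUtils()
    # Every recorded call site of fva, with its two pushed args and three register args.
    call_list = dbg.get_call_list(fva, 2, ['eax', 'ecx', 'edi'])
    # (call-site address, decoded string) pairs for the IDA script.
    out_list = []
    for fromva, args in call_list:
        out_str = _decode_at_callsite(dbg, fva, fva_end, fromva, args)
        # repr keeps raw control bytes from the decoded data out of the terminal.
        print("%s %r" % (hex(fromva), out_str))
        out_list.append((fromva, out_str))
    # NOTE(review): out_str comes from the sample under analysis; this assumes
    # generate_ida_comments escapes it before embedding it in the script -- confirm.
    ida_script = utils.generate_ida_comments(out_list, True)
    with open(out_path, 'wb') as fh:
        fh.write(ida_script)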
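def _decode_at_callsite(dbg, fva, fva_end, fromva, args):
    """Run the decoder once for the call recorded at *fromva* and return the decoded string.

    A fresh 0x20-byte scratch buffer is passed to the decoder through ecx and is
    released on every path, so a faulting call cannot leak debuggee memory.
    An access violation inside the decoder is reported and yields '' instead
    of aborting the whole run.
    """
    # Scratch buffer standing in for the caller's stack variable that receives the output.
    str_buf = dbg.malloc(0x20)
    dbg.set_reg_arg(args, 'ecx', str_buf)
    try:
        # Running to fva_end (a breakpoint on the function's last address) is much
        # faster than single-stepping until a return is observed.
        out_buf = dbg.call(fva, args, fromva, tova=fva_end)
        str_va = dbg.read_pointer(out_buf)
        return dbg.read_string(str_va)
    except flaredbg.AccessViolationException as e:
        print("Access violation at: 0x%x" % e.va)
        return ''
    finally:
        dbg.free(str_buf)


def main(out_path='C:\\ida_comments.py'):
    """Decode every string requested from the decoder at FVA and emit an IDA comment script.

    Args:
        out_path: Path the generated IDA Python script is written to; the
            default keeps the original hard-coded location.
    """
    # Virtual address of the string decoder and the address to run to (its last instruction).
    fva = 0x10002F6C
    fva_end = 0x10003071
    dbg = flaredbg.DebugUtils()
    # Every recorded call site of fva, with its two pushed args and three register args.
    call_list = dbg.get_call_list(fva, 2, ['eax', 'ecx', 'edi'])
    # (call-site address, decoded string) pairs for the IDA script.
    out_list = []
    for fromva, args in call_list:
        out_str = _decode_at_callsite(dbg, fva, fva_end, fromva, args)
        # repr keeps raw control bytes from the decoded data out of the terminal.
        print("%s %r" % (hex(fromva), out_str))
        out_list.append((fromva, out_str))
    # NOTE(review): out_str comes from the sample under analysis; this assumes
    # generate_ida_comments escapes it before embedding it in the script -- confirm.
    ida_script = utils.generate_ida_comments(out_list, True)
    with open(out_path, 'wb') as fh:
        fh.write(ida_script)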
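def _decode_at_callsite(dbg, fva, fromva, args):
    """Run the decoder once for the call recorded at *fromva* and return the decoded string.

    args[2] is the output size the call site pushed; args[1] is replaced with a
    scratch buffer of that size, which is released on every path so a faulting
    call cannot leak debuggee memory.  An access violation is reported and
    yields ''.
    """
    # NOTE(review): args[2] is read from the sample's own call site, so the
    # allocation size is untrusted; allocation failure is left to DebugUtils -- confirm.
    str_va = dbg.malloc(args[2])
    args[1] = str_va
    try:
        dbg.call(fva, args, fromva)
        return dbg.read_string(str_va)
    except flaredbg.AccessViolationException as e:
        print("Access violation at: 0x%x" % e.va)
        return ''
    finally:
        dbg.free(str_va)


def main(out_path='C:\\ida_comments.py'):
    """Decode every string requested from the decoder at FVA and emit an IDA comment script.

    Args:
        out_path: Path the generated IDA Python script is written to; the
            default keeps the original hard-coded location.
    """
    # Virtual address of the string decoder function.
    fva = 0x401000
    dbg = flaredbg.DebugUtils()
    # Every recorded call site of fva with its three pushed arguments; this
    # decoder takes no register arguments.
    call_list = dbg.get_call_list(fva, 3)
    # (encoded-bytes offset, decoded string) pairs for the IDA script.
    out_list = []
    for fromva, args in call_list:
        out_str = _decode_at_callsite(dbg, fva, fromva, args)
        # repr keeps raw control bytes from the decoded data out of the terminal,
        # matching the other decoder scripts in this file.
        print("%s %r" % (hex(fromva), out_str))
        # arg 0 is the offset of the "unknown" bytes the decoder consumed.
        out_list.append((args[0], out_str))
    # NOTE(review): out_str comes from the sample under analysis; this assumes
    # generate_ida_comments escapes it before embedding it in the script -- confirm.
    ida_script = utils.generate_ida_comments(out_list, True)
    with open(out_path, 'wb') as fh:
        fh.write(ida_script)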
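def _decode_at_callsite(dbg, fva, fromva, args):
    """Run the decoder once for the call recorded at *fromva* and return the decoded string.

    args[2] is the output size the call site pushed; args[1] is replaced with a
    scratch buffer of that size, which is released on every path so a faulting
    call cannot leak debuggee memory.  An access violation is reported and
    yields "".
    """
    # NOTE(review): args[2] is read from the sample's own call site, so the
    # allocation size is untrusted; allocation failure is left to DebugUtils -- confirm.
    str_va = dbg.malloc(args[2])
    args[1] = str_va
    try:
        dbg.call(fva, args, fromva)
        return dbg.read_string(str_va)
    except flaredbg.AccessViolationException as e:
        print("Access violation at: 0x%x" % e.va)
        return ""
    finally:
        dbg.free(str_va)


def main(out_path="C:\\ida_comments.py"):
    """Decode every string requested from the decoder at FVA and emit an IDA comment script.

    Args:
        out_path: Path the generated IDA Python script is written to; the
            default keeps the original hard-coded location.
    """
    # Virtual address of the string decoder function.
    fva = 0x401000
    dbg = flaredbg.DebugUtils()
    # Every recorded call site of fva with its three pushed arguments; this
    # decoder takes no register arguments.
    call_list = dbg.get_call_list(fva, 3)
    # (encoded-bytes offset, decoded string) pairs for the IDA script.
    out_list = []
    for fromva, args in call_list:
        out_str = _decode_at_callsite(dbg, fva, fromva, args)
        # repr keeps raw control bytes from the decoded data out of the terminal,
        # matching the other decoder scripts in this file.
        print("%s %r" % (hex(fromva), out_str))
        # arg 0 is the offset of the "unknown" bytes the decoder consumed.
        out_list.append((args[0], out_str))
    # NOTE(review): out_str comes from the sample under analysis; this assumes
    # generate_ida_comments escapes it before embedding it in the script -- confirm.
    ida_script = utils.generate_ida_comments(out_list, True)
    with open(out_path, "wb") as fh:
        fh.write(ida_script)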