def guessValues(self, rawValue): """ Guess string values """ minLength = 5 str_value = idc.DbgDword(rawValue + 4) if str_value is None: return False value = idc.GetString(str_value, strtype=idc.ASCSTR_C) if value and len(value) >= minLength: value, raw_value = self.normalize_raw_value(value) self.addParsedvalue(value, 1, "std::basic_string", raw_value) return True if not value: # If this is not an ASCII string, check for the string value at offset +0x04 tmp = idc.GetString(rawValue, strtype=idc.ASCSTR_C) if tmp: return False value = idc.GetString(rawValue + 4, strtype=idc.ASCSTR_C) if value and len(value) >= minLength: value, raw_value = self.normalize_raw_value(value) self.addParsedvalue(value, 1, "std::basic_string", raw_value) return True return False
def parseValue(self, rawValue): """ Parse the string value @return: """ str_value = idc.DbgDword(rawValue + 4) if str_value is None: return False value = idc.GetString(str_value, strtype=idc.ASCSTR_C) if value: value, raw_value = self.normalize_raw_value(value) self.addParsedvalue(value, 1, "std::basic_string", raw_value) return True else: # If this is not an ASCII string, check for the string value at offset +0x04 tmp = idc.GetString(rawValue, strtype=idc.ASCSTR_C) if tmp: return False value = idc.GetString(rawValue + 4, strtype=idc.ASCSTR_C) value, raw_value = self.normalize_raw_value(value) self.addParsedvalue(value, 1, "std::basic_string", raw_value) return True return False
def __stack_dword(self, n, value=None): addr = self.StackPointer() + self.cpu['spoffset'] + (n * self.bsize) if value is not None: sval = self.ToString(value, size=self.bsize) idc.DbgWrite(addr, sval) return idc.DbgDword(addr)
def activate(self, ctx): selection = idaapi.read_selection() valid_selection = selection[0] if (valid_selection): addr = idc.DbgDword(selection[1]) idaapi.jumpto(addr) else: idaapi.msg("Invalid selection!\n")
def stage2(data): read_data = analyse_read() ret_addr = idc.DbgDword(idautils.cpu.esp) idautils.cpu.esp += 0x14 + 4 idautils.cpu.eip = ret_addr data += '\r\n' idc.DbgWrite(read_data.read_buf, data) idc.DbgWrite(read_data.nread_out, struct.pack('<I', len(data))) return read_data
def read(ea, size=4): val = 0 if size == 1: val = idc.DbgByte(ea) elif size == 2: val = idc.DbgWord(ea) elif size == 4: val = idc.DbgDword(ea) else: fatalError("Bad size encountered in Memory.read") return val
def __reg_value(self, reg, value=None): if value is not None: if reg.startswith('*'): idc.DbgWrite(idc.GetRegValue(reg[1:]), self.ToString(value)) else: idc.SetRegValue(value, reg) if reg.startswith('*'): return idc.DbgDword(idc.GetRegValue(reg[1:])) else: return idc.GetRegValue(reg)
def GetData(index): """ Gets the data of the stack @param path: index of where to pull from @return: the address of the stack """ import idc esp = idc.GetRegValue("ESP") return idc.DbgDword(esp + index)
def get_adrs_mem(ea): """ Get the memory at address according to native size (16, 32 or 64 bit) """ # Verify EA if not idc.isEnabled(ea): return None nativeSize = get_native_size() if nativeSize is 16: return idc.DbgWord(ea) if nativeSize is 32: return idc.DbgDword(ea) if nativeSize is 64: return idc.DbgQword(ea)
def ReadFileEnd(self): """ Monitors the the end of ReadFile function This is the function that will trigger the trace inputLoggingList is past from MyReadFile, which holds are of MyReadFile arguments """ retVal = idc.GetRegValue("EAX") self.logger.info("Returning from ReadFile... with %d" % retVal) lpBuffer = self.tempStack.pop(0) lpNumberOfBytesRead = self.tempStack.pop(0) hFile = self.tempStack.pop(0) callerAddr = self.tempStack.pop(0) callerFuncName = self.tempStack.pop(0) threadID = self.tempStack.pop(0) NumberOfBytesRead = idc.DbgDword(lpNumberOfBytesRead) self.logger.info("NumberOfBytesRead is 0x%x" % NumberOfBytesRead) _buffer = idaapi.dbg_read_memory(lpBuffer, NumberOfBytesRead) self.logger.debug(_buffer) inputLoggingList = [] inputLoggingList.append(lpBuffer) inputLoggingList.append(NumberOfBytesRead) inputLoggingList.append(_buffer) inputLoggingList.append(hFile) inputLoggingList.append(callerAddr) inputLoggingList.append(callerFuncName) inputLoggingList.append(threadID) if retVal: Print("ReadFile succeeded.") self.logger.info("ReadFile succeeded.") self.debuggerInstance.callbackProcessing(inputLoggingList) else: Print("ReadFile failed.") self.logger.info("ReadFile failed.") return 0
def setup(): path = 'C:/Users/benoit/work/you_are_very_good_at_this.exe' for i in range(10): res = idc.StartDebugger(path, '', 'C:/Users/benoit/work') print('got res >> ', res) if res == 1: break idc.StopDebugger() time.sleep(1) else: assert False, 'Could not start debugger' wait_susp() funcs = ida.find_imported_funcs('kernel32') print(funcs) read_addr = funcs['ReadFile'][0] print('read addr >> ', read_addr) read_pos = idc.DbgDword(read_addr) idc.AddBpt(read_pos) print('read pos bpt >> ', hex(read_pos)) go(read_pos)
func_start = 0x40108c func_end = 0x4010d9 def go(addr): while idc.GetRegValue('eip') != addr: idc.GetDebuggerEvent(idc.WFNE_CONT | idc.WFNE_SUSP, -1) idc.AddBpt(func_end) idc.AddBpt(func_start) go(func_end) n = 0x25 buf_addr = idc.DbgDword(idautils.cpu.ebp + 0xc) data_addr = idc.DbgDword(idautils.cpu.ebp + 0x8) len_addr = idautils.cpu.ebp + 0x10 assert idc.DbgWrite(len_addr, struct.pack('<I', n)) print 'steaaart', hex(buf_addr) res = '' for i in range(n): for c in range(256): assert idc.DbgWrite(buf_addr + i, chr(c)) == 1 idc.RefreshDebuggerMemory() idautils.cpu.eip = func_start go(func_end) if idautils.cpu.edi != data_addr + n - i: print 'FOUND ONE', c
def analyse_read(): read_buf = idc.DbgDword(idautils.cpu.esp + 0x8) nread = idc.DbgDword(idautils.cpu.esp + 0xc) nread_out = idc.DbgDword(idautils.cpu.esp + 0x10) return Attributize(None, **locals())
def do_ret(): retaddr = idc.DbgDword(idautils.cpu.esp) idautils.cpu.esp += 4 idautils.cpu.eip = retaddr
def dbg_bpt(self, tid, ea): #if ea == self.cond_ea: # self.done = True # self.res_val = idc.DbgDword(idautils.cpu.esi) #print('ON >> ', hex(ea), 'want ') try: if ea == self.push_screen_ea: tmp=idc.DbgRead(self.screen_buf_ea, 6) self.screen_data.append(tmp) print('pushing screen here', tmp) self.count += 1 if 0 and self.count == 10000: self.done = 1 if self.count%10==0: self.save_screen() elif ea == self.deque_ea: recv_word = idautils.cpu.eax mask=idc.DbgDword(idautils.cpu.ebp-0x6070) self.dec_data.append([recv_word, mask]) if 1 and len(self.dec_data)==0x1000/8: self.done=1 print('DEQUE >> ', hex(recv_word), hex(mask)) elif ea == self.prepare_reg_send: if 1: return idc.DbgWrite(idautils.cpu.esp+0x3c-0x1d, chr(self.cur_byte)) abc=idc.DbgRead(idautils.cpu.esp+0x3c-0x1d, 1) print('SENDING CHAR >> ', abc, self.cur_byte) self.tmp_tb=[] self.last_edi=idautils.cpu.edi elif ea == self.enqueue_func: print('SKIPPING ENQUEUE') if 0: return do_ret() elif ea == self.enqueue_ea: #if 0: return if self.tmp_tb is not None: nedi=idautils.cpu.edi send_word=(nedi-self.last_edi)%8 self.last_edi=nedi self.tmp_tb.append(send_word) self.tb2.append([nedi, hex(idautils.cpu.eax)]) print('GOT TB LEN ', self.tmp_tb) if len(self.tmp_tb)==3: self.enc_data.append(self.tmp_tb) self.tmp_tb=None self.cur_byte+=1 self.last_edi=None if self.cur_byte==256: self.done=1 print('ENQUEUE >> ', send_word) elif ea == self.prepare_str_ea: if 1: return buf_len = idc.DbgDword(idautils.cpu.esi + 0x38) buf_addr = idc.DbgDword(idautils.cpu.esi + 0x34) buf = idc.DbgRead(buf_addr, buf_len) print(buf_len, buf_addr, buf) assert len(self.want_str) <= buf_len idc.DbgWrite(buf_addr, self.want_str) idc.DbgWrite(idautils.cpu.esi + 0x38, struct.pack('<I', len(self.want_str))) print('string is set') #self.done = 1 elif ea==self.test_time_end: if self.time>=3600*24: self.done=1 #entre 23h et 1h else: idautils.cpu.eip=self.test_time_start resv=idautils.cpu.eax h,m,s=self.get_time(self.time) print 'REsult: %d:%d:%d >> %d'%(h,m,s,resv) self.time+=60 elif ea==self.test_time_mod: h,m,s=self.get_time(self.time) addr=idautils.cpu.ebx write_u16(addr+4*2, h) write_u16(addr+5*2, m) write_u16(addr+6*2, s) except: traceback.print_exc() print('FAILED here') self.done=1 return 0
def do_ret_win(n=0): retaddr = idc.DbgDword(idautils.cpu.esp) idautils.cpu.esp += 4 + 4 * n idautils.cpu.eip = retaddr