Пример #1
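def main():
    """Recover the strings produced by the decoder at ``fva`` and emit IDA comments.

    Every call site of the decoder is enumerated with ``get_call_list``; each
    call is then replayed inside the debuggee with a freshly allocated output
    buffer in ``ecx``, the decoded string is read back, and an IDA Python
    script annotating the call sites with the recovered strings is written to
    ``C:\\ida_comments.py``.
    """
    # Function virtual address for the string decoder function, and the
    # address of its final instruction (used as the stop address for the call)
    fva = 0x10002F6C
    fva_end = 0x10003071

    dbg = flaredbg.DebugUtils()

    # Use get call list to retrieve two push args and three register args
    call_list = dbg.get_call_list(fva, 2, ['eax', 'ecx', 'edi'])

    # (call-site address, decoded string) pairs for the IDA python script
    out_list = []

    # Iterate through all the times the fva was called
    for fromva, args in call_list:
        # Allocate some memory for a stack variable that will receive the output
        str_buf = dbg.malloc(0x20)
        try:
            # Update ecx with the new memory
            dbg.set_reg_arg(args, 'ecx', str_buf)

            try:
                # Make the call, and specify the last address of the function, this makes the function run much faster
                # as it will run until a breakpoint instead of single stepping a function looking for a return.
                # NOTE: this executes the sample's own decoder routine inside the debuggee.
                out_buf = dbg.call(fva, args, fromva, tova=fva_end)
                # Read the string output
                str_va = dbg.read_pointer(out_buf)
                out_str = dbg.read_string(str_va)
            except flaredbg.AccessViolationException as e:
                print("Access violation at: 0x%x" % e.va)
                out_str = ''

            # Print out the result (same "0x... 'str'" layout as a comma print)
            print("%s %r" % (hex(fromva), out_str))
        finally:
            # Free the debuggee memory even when the replayed call raised
            # something other than an access violation
            dbg.free(str_buf)

        # Append the result to the IDA comments list
        out_list.append((fromva, out_str))

    # Generate an IDA script and write it out; the context manager closes the
    # handle instead of leaving it to the garbage collector
    ida_script = utils.generate_ida_comments(out_list, True)
    with open('C:\\ida_comments.py', 'wb') as script_file:
        script_file.write(ida_script)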
Пример #2
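def main():
    """Recover the strings produced by the decoder at ``fva`` and emit IDA comments.

    Every call site of the decoder is enumerated with ``get_call_list``; each
    call is then replayed inside the debuggee with a freshly allocated output
    buffer in ``ecx``, the decoded string is read back, and an IDA Python
    script annotating the call sites with the recovered strings is written to
    ``C:\\ida_comments.py``.
    """
    # Function virtual address for the string decoder function, and the
    # address of its final instruction (used as the stop address for the call)
    fva = 0x10002F6C
    fva_end = 0x10003071

    dbg = flaredbg.DebugUtils()

    # Use get call list to retrieve two push args and three register args
    call_list = dbg.get_call_list(fva, 2, ['eax', 'ecx', 'edi'])

    # (call-site address, decoded string) pairs for the IDA python script
    out_list = []

    # Iterate through all the times the fva was called
    for fromva, args in call_list:
        # Allocate some memory for a stack variable that will receive the output
        str_buf = dbg.malloc(0x20)
        try:
            # Update ecx with the new memory
            dbg.set_reg_arg(args, 'ecx', str_buf)

            try:
                # Make the call, and specify the last address of the function, this makes the function run much faster
                # as it will run until a breakpoint instead of single stepping a function looking for a return.
                # NOTE: this executes the sample's own decoder routine inside the debuggee.
                out_buf = dbg.call(fva, args, fromva, tova=fva_end)
                # Read the string output
                str_va = dbg.read_pointer(out_buf)
                out_str = dbg.read_string(str_va)
            except flaredbg.AccessViolationException as e:
                print("Access violation at: 0x%x" % e.va)
                out_str = ''

            # Print out the result (same "0x... 'str'" layout as a comma print)
            print("%s %r" % (hex(fromva), out_str))
        finally:
            # Free the debuggee memory even when the replayed call raised
            # something other than an access violation
            dbg.free(str_buf)

        # Append the result to the IDA comments list
        out_list.append((fromva, out_str))

    # Generate an IDA script and write it out; the context manager closes the
    # handle instead of leaving it to the garbage collector
    ida_script = utils.generate_ida_comments(out_list, True)
    with open('C:\\ida_comments.py', 'wb') as script_file:
        script_file.write(ida_script)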
Пример #3
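def main():
    """Recover the strings produced by the decoder at ``fva`` and emit IDA comments.

    Every call site of the decoder is enumerated with ``get_call_list``; each
    call is replayed inside the debuggee with a freshly allocated output buffer
    substituted for the second push argument, the decoded string is read back,
    and an IDA Python script annotating the results is written to
    ``C:\\ida_comments.py``.
    """
    # Function virtual address for the string decoder function
    fva = 0x401000

    dbg = flaredbg.DebugUtils()

    # Get all the locations the fva function was called from as well as the arguments
    # get_call_list accepts the number of push arguments and the required registers
    # The function of interest in this example only accepts push arguments
    call_list = dbg.get_call_list(fva, 3)

    # (arg 0, decoded string) pairs for the IDA python script
    out_list = []

    # Iterate through all the times the fva was called
    for fromva, args in call_list:
        # Allocate some memory for the output string; args[2] is the output
        # string size pushed by the caller (it comes straight from the sample)
        str_va = dbg.malloc(args[2])
        args[1] = str_va

        try:
            try:
                # Make the call! This executes the sample's own decoder
                # routine inside the debuggee.
                dbg.call(fva, args, fromva)
                # Read the string output
                out_str = dbg.read_string(str_va)
            except flaredbg.AccessViolationException as e:
                print("Access violation at: 0x%x" % e.va)
                out_str = ''

            # Print out the result (same layout as a comma print)
            print("%s %s" % (hex(fromva), out_str))
        finally:
            # Free the debuggee memory even when the replayed call raised
            # something other than an access violation
            dbg.free(str_va)

        # arg 0 contains the "unknown" bytes offset, and out contains the decoded string
        out_list.append((args[0], out_str))

    # Generate an IDA script and write it out; the context manager closes the
    # handle instead of leaving it to the garbage collector
    ida_script = utils.generate_ida_comments(out_list, True)
    with open('C:\\ida_comments.py', 'wb') as script_file:
        script_file.write(ida_script)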
Пример #4
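def main():
    """Recover the strings produced by the decoder at ``fva`` and emit IDA comments.

    Every call site of the decoder is enumerated with ``get_call_list``; each
    call is replayed inside the debuggee with a freshly allocated output buffer
    substituted for the second push argument, the decoded string is read back,
    and an IDA Python script annotating the results is written to
    ``C:\\ida_comments.py``.
    """
    # Function virtual address for the string decoder function
    fva = 0x401000

    dbg = flaredbg.DebugUtils()

    # Get all the locations the fva function was called from as well as the arguments
    # get_call_list accepts the number of push arguments and the required registers
    # The function of interest in this example only accepts push arguments
    call_list = dbg.get_call_list(fva, 3)

    # (arg 0, decoded string) pairs for the IDA python script
    out_list = []

    # Iterate through all the times the fva was called
    for fromva, args in call_list:
        # Allocate some memory for the output string; args[2] is the output
        # string size pushed by the caller (it comes straight from the sample)
        str_va = dbg.malloc(args[2])
        args[1] = str_va

        try:
            try:
                # Make the call! This executes the sample's own decoder
                # routine inside the debuggee.
                dbg.call(fva, args, fromva)
                # Read the string output
                out_str = dbg.read_string(str_va)
            except flaredbg.AccessViolationException as e:
                print("Access violation at: 0x%x" % e.va)
                out_str = ""

            # Print out the result (same layout as a comma print)
            print("%s %s" % (hex(fromva), out_str))
        finally:
            # Free the debuggee memory even when the replayed call raised
            # something other than an access violation
            dbg.free(str_va)

        # arg 0 contains the "unknown" bytes offset, and out contains the decoded string
        out_list.append((args[0], out_str))

    # Generate an IDA script and write it out; the context manager closes the
    # handle instead of leaving it to the garbage collector
    ida_script = utils.generate_ida_comments(out_list, True)
    with open("C:\\ida_comments.py", "wb") as script_file:
        script_file.write(ida_script)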