def __init__(self, buf, round):
super(Hooker, self).__init__()
self.done = False
self.exited = False
self.check_ea = 0x402a7f
self.fgets_ea = 0x40e1f5
self.buf = buf
self.next = None
self.round = round
self.pos = 0
idc.AddBpt(self.fgets_ea)
idc.AddBpt(self.check_ea)
self.res_val = None
def prepare(self):
self.rw_seg_desc = idc.LocByName('rw_seg_desc')
self.rx_seg_desc = idc.LocByName('rx_seg_desc')
self.rw_seg_count = idc.LocByName('rw_seg_count')
self.rx_seg_count = idc.LocByName('rx_seg_count')
self.start_code_ea = idc.LocByName('STARTHANDLER')
self.ret_pad_ea = idc.LocByName('RETPAD')
self.decode_seg_ea = idc.LocByName('decode_seg')
self.virtual_protect_ea = read_u32(idc.LocByName('VirtualProtect'))
idc.AddBpt(self.start_code_ea)
idc.AddBpt(self.ret_pad_ea)
self.hx = self.handler()
self.segs = []
def dynamic_breakpoint(targe_type):
has_linker = False
module_base = idc.GetFirstModule()
while module_base != None:
module_name = idc.GetModuleName(module_base)
if module_name.find('linker') >= 0:
has_linker = True
break
module_base = idc.GetNextModule(module_base)
if has_linker == False:
print '[*]unable to find linker module base'
return
module_size = idc.GetModuleSize(module_base)
print '[*]found linker base=>0x%08X, Size=0x%08X' % (module_base,
module_size)
print("\t[-]begin to search DT_INIT")
init_func_ea = 0
init_array_ea = 0
# bytecode=b'\x53\x1e\x73\xb5\x03\x33\x06\x46\x0d\x46\x14\x46\x24\xd8\x13\x48\x78\x44\x01\x68\x01\x29'
bytecode = [
0x14, 0x49, 0x04, 0x20, 0x23, 0x46, 0x14, 0x4A, 0x79, 0x44, 0x7A, 0x44
]
findcode = True
for ea_offset in range(module_base, module_base + module_size):
findcode = True
for i in xrange(len(bytecode)):
if idaapi.get_byte(ea_offset + i) != bytecode[i]:
findcode = False
break
if (findcode == True):
init_func_ea = ea_offset + 0x1A
init_array_ea = ea_offset + 0x30
break
if (findcode == False):
print("can't find bytecode")
return
print "\t[-]found INIT=>0x%08X INIT_ARRAY=>0x%08X" % (init_func_ea,
init_array_ea)
print("\t[-]try set breakpoint there")
if targe_type == 12:
idc.AddBpt(init_func_ea)
if targe_type == 25:
idc.AddBpt(init_array_ea)
print("[*]script finish")
def addBP(self, ea, bp_description=None):
"""
Add a breakpoint
@param ea: The location address to add the breakpoint
@param bp_description: A breakpoint description
@return: True if breakpoint was added, otherwise False. Returns -1 if an error occurred.
"""
try:
if idc.CheckBpt(ea) > 0:
# If our breakpoint already exist
if ea in self.die_db.bp_list:
return False
# Must be a user defined breakpoint then..
self.die_db.bp_list[ea] = (WAS_USER_BREAKPOINT, bp_description)
else:
# Check if breakpoint is not excluded.
if self.is_exception_call(ea):
return False
# TODO: better replace with a named tuple.
self.die_db.bp_list[ea] = (0, bp_description)
idc.AddBpt(ea)
return True
except Exception as ex:
self.logger.exception("Could not add breakpoint: %s", ex)
return -1
def main():
idc.AddBpt(start)
n = 0x1c
ans = 'r' * n
ans += '\n'
ans = bytearray(ans.encode())
ans.append(0)
for j in range(n):
for i in range(ord('A'), ord('z')):
setup()
print('GOING FOR >> ', i)
ans[j] = i
ans[0] = 0x64
h = Hooker(bytes(ans), j + 1)
assert h.hook()
h.run()
print('NEXT NEEDED >> ', h.next)
print('CHR >> ', chr(h.next))
return
h.off()
time.sleep(1)
return
def taintStart(self):
Print("Taint Start pressed!")
#Remove the starting breakpoint
if self.taintStart is not None:
idc.DelBpt(self.taintStart)
#Add a new starting breakpoint
self.taintStart = idc.here()
instruction = idc.GetDisasm(self.taintStart)
Print(instruction)
idc.AddBpt(self.taintStart)
idc.SetBptAttr(self.taintStart, idc.BPT_BRK, 0)
callbackAddr = "interactivemodeCallback.startTrace()"
customCallbackFuncs = ['ReadFile', 'recv']
for callbackFunc in customCallbackFuncs:
if callbackFunc in instruction:
callbackAddr = "interactivemodeCallback." + callbackFunc + "()"
Print("Found callback function %s for interactive mode" %
callbackAddr)
break
idc.SetBptCnd(self.taintStart, callbackAddr)
def singleStep(segfault_addr):
# add breakpoint on segfault addr
idc.AddBpt(segfault_addr)
# move debugger
idc.GetDebuggerEvent(idc.WFNE_SUSP | idc.WFNE_CONT, -1)
rip = idc.GetRegValue("RIP")
# now single step through segfault code
while True:
# print instruction
addr = idc.GetRegValue("RIP")
disasm = idc.GetDisasm(addr)
msg = "{}: {}".format(hex(addr), disasm)
# step through loaded code
idc.StepInto()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
addr = idc.GetRegValue("RIP")
if addr < begin or addr > (begin + size):
break
idc.DelBpt(segfault_addr)
def Sync(self, offset, added, removed):
""" Sync(offset, added, removed) => None
Synchronize debug info with gef. This is an internal function. It is
not recommended using it from the command line.
"""
global _breakpoints, _current_instruction, _current_instruction_color
if _current_instruction > 0:
idc.SetColor(_current_instruction, CIC_ITEM, _current_instruction_color)
base_addr = idaapi.get_imagebase()
pc = base_addr + int(offset, 16)
_current_instruction = long(pc)
_current_instruction_color = GetColor(_current_instruction, CIC_ITEM)
idc.SetColor(_current_instruction, CIC_ITEM, 0x00ff00)
print("PC @ " + hex(_current_instruction).strip('L'))
# post it to the ida main thread to prevent race conditions
idaapi.execute_sync(lambda: idc.Jump(_current_instruction), idaapi.MFF_WRITE)
cur_bps = set([ idc.GetBptEA(n)-base_addr for n in range(idc.GetBptQty()) ])
ida_added = cur_bps - _breakpoints
ida_removed = _breakpoints - cur_bps
_breakpoints = cur_bps
# update bp from gdb
for bp in added:
idc.AddBpt(base_addr+bp)
_breakpoints.add(bp)
for bp in removed:
if bp in _breakpoints:
_breakpoints.remove(bp)
idc.DelBpt(base_addr+bp)
return [list(ida_added), list(ida_removed)]
def SetAllConditionBpt():
ea = 0x2C13000
while ea < 0x357D000:
mnem = idc.GetMnem(ea)
if mnem == 'jmp' or mnem == 'retn':
idc.AddBpt(ea)
ea = idc.NextHead(ea)
def checkAccept(self):
"""
SOCKET accept(
_In_ SOCKET s,
_Out_ struct sockaddr *addr,
_Inout_ int *addrlen
);
"""
s = Util.GetData(0x4)
self.logger.info("checkAccept: SOCKET is 0x%x" % (s))
sockaddr_addr = Util.GetData(0x8)
self.logger.info("checkAccept: sockaddr_addr is 0x%x" %
(sockaddr_addr))
addrlen = Util.GetData(0xC)
self.logger.info("checkAccept: *addrlen value is 0x%x" % (addrlen))
retAddr = Util.GetData(0x0)
self.tempStack = []
self.tempStack.append(s)
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "windowsNetworkIO.checkAcceptEnd()")
return 0
def MyReadFile(self):
"""
Monitors the the beginning of ReadFile function
ReadFile arguments are read from the stack
This is the function that will trigger the trace
inputLoggingList holds arguments for
"""
"""
BOOL WINAPI ReadFile(
_In_ HANDLE hFile,
_Out_ LPVOID lpBuffer,
_In_ DWORD nNumberOfBytesToRead,
_Out_opt_ LPDWORD lpNumberOfBytesRead,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
"""
hFile = Util.GetData(0x4)
self.logger.info("hFile is 0x%x" % (hFile))
lpBuffer = Util.GetData(0x8)
self.logger.info("lpBuffer is 0x%x" % (lpBuffer))
nNumberOfBytesToRead = Util.GetData(0xC)
self.logger.info("nNumberOfBytesToRead value is 0x%x" %
(nNumberOfBytesToRead))
lpNumberOfBytesRead = Util.GetData(0x10)
self.logger.info("lpNumberOfBytesRead value is 0x%x" %
(lpNumberOfBytesRead))
lpOverlapped = Util.GetData(0x14)
self.logger.info("lpOverlapped is 0x%x" % (lpOverlapped))
retAddr = Util.GetData(0x0)
callerAddr = retAddr - idc.ItemSize(retAddr)
self.tempStack = []
self.tempStack.append(lpBuffer)
self.tempStack.append(lpNumberOfBytesRead)
self.tempStack.append(hFile)
self.tempStack.append(callerAddr)
#self.tempStack.append(idc.GetDisasm(callerAddr))
self.tempStack.append("ReadFile")
self.tempStack.append(idc.GetCurrentThreadId())
if hFile in self.handleSet:
self.logger.info("Ready to read from handle 0x%x" % hFile)
Print("Ready to read from handle 0x%x" % hFile)
idc.AddBpt(retAddr)
idc.SetBptCnd(retAddr, "windowsFileIO.MyReadFileEnd()")
else:
if idc.CheckBpt(retAddr) >= 0:
self.logger.info("Removing un-needed ReadFile breakpoint.")
Print("Removing un-needed ReadFile breakpoint.")
idc.DelBpt(retAddr)
return 0
def __init__(self, data):
super(Hooker, self).__init__()
self.done = False
self.exited = False
self.data = data
self.send_req_ea = idc.LocByName('send_req')
self.decrypt_ea = idc.LocByName('decrypt')
self.malloc2_ea = idc.LocByName('malloc2')
decrypt_func = idaapi.get_func(self.decrypt_ea)
self.decrypt_end_ea = decrypt_func.endEA - 1
idc.AddBpt(self.send_req_ea)
#idc.AddBpt(self.decrypt_ea)
idc.AddBpt(self.decrypt_end_ea)
self.reqid = 0
self.bufs = []
def WSOCK32Bind(self):
"""
int bind(
_In_ SOCKET s,
_In_ const struct sockaddr *name,
_In_ int namelen
);
struct sockaddr_in {
short sin_family;
u_short sin_port;
struct in_addr sin_addr;
char sin_zero[8];
};
"""
s = Util.GetData(0x4)
self.logger.info("WSOCK32Bind: SOCKET is 0x%x" % (s))
sockaddr_name = Util.GetData(0x8)
self.logger.info("WSOCK32Bind: sockaddr_name is 0x%x" %
(sockaddr_name))
port = struct.unpack(">H",
idaapi.dbg_read_memory(sockaddr_name + 0x2, 2))
portName = str(port[0])
self.logger.info("WSOCK32Bind: port value is %s" % (portName))
namelen = Util.GetData(0xC)
self.logger.info("WSOCK32Bind: namelen value is %d" % (namelen))
retAddr = Util.GetData(0x0)
Print(self.filter['network'])
if portName in self.filter['network']:
self.tempStack = []
self.tempStack.append(s)
self.tempStack.append(portName)
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "windowsNetworkIO.checkBindEnd()")
self.logger.info(
"WSOCK32Bind: Netork Filter matched. Adding port to the Handle's dictionary to start logging."
)
Print(
"Filter matched. Add handle to the handle's dictionary to start logging."
)
else:
if idc.CheckBpt(retAddr) >= 0:
Print("Removing un-needed breakpoint.")
self.logger.info("WSOCK32Bind: Removing un-needed breakpoint.")
idc.DelBpt(retAddr)
self.logger.info("WSOCK32Bind: Network Filter did not match.")
return 0
def setup0(self):
args = r''
exe = r'C:\Users\benoit\work\malware\run2.exe'
path = r'C:\Users\benoit\work\malware'
infile = r'C:\Users\benoit\work\malware\data.bin'
idc.StopDebugger()
idc.SetInputFilePath(infile)
self.run_call_addr = 0x4010df
self.main_addr = 0x401000
self.ret_pad_ea = self.run_call_addr + 0x10
idc.AddBpt(self.run_call_addr)
idc.AddBpt(self.main_addr)
self.add_bpt(self.ret_pad_ea)
res = idc.StartDebugger(exe, args, path)
print('starting dbugger')
time.sleep(1)
wait_susp()
def __init__(self, item):
super(Hooker, self).__init__()
self.done = False
self.exited = False
self.cond_ea = idc.LocByName('fill_main') + 260
self.item = item
final_ea = idc.LocByName('finalize_write_file') - 0x00D01CF0
fill_main_ea = idc.LocByName('fill_main') - 0xd015d0
self.fill_obj = 0x00D0176A + fill_main_ea
self.fill_ret = 0x00D018C9 + fill_main_ea
self.choose_item = 0x00D01DB4 + final_ea
self.file_ea = 0x00D01EE6 + final_ea
idc.AddBpt(self.fill_obj)
idc.AddBpt(self.fill_ret)
idc.AddBpt(self.choose_item)
idc.AddBpt(self.file_ea)
self.res_val = None
def setBreakAtStart(self):
''' keep from reversing past start of process '''
addr = LocByName("_start")
if addr is not None:
bptEnabled = idc.CheckBpt(addr)
if bptEnabled < 0:
print('breakAtStart bpt set at 0x%x' % addr)
idc.AddBpt(addr)
else:
print('setBreakAtStart, got no loc for _start')
return addr
def setup():
args = r''
exe = r'C:\Users\benoit\work\leet\leet_editr.exe'
path = r'C:\Users\benoit\work\leet'
idc.StopDebugger()
idc.AddBpt(idc.LocByName('main'))
res = idc.StartDebugger(exe, args, path)
print('starting dbugger')
time.sleep(1)
wait_susp()
def make_fun_name(): #修改函数名称
libDexHelp = 'libDexHelper.so'
DexHelperModuleBase = get_module_base(libDexHelp)
if DexHelperModuleBase != None:
moduleSize = idc.GetModuleSize(DexHelperModuleBase)
print '[*] libDexHelper.so base=>0x%08X, Size=0x%08X' % (
DexHelperModuleBase, moduleSize)
# idc.MakeName(DexHelperModuleBase + 0xD0E4 ,"strcpy")
# idc.MakeName(DexHelperModuleBase + 0xD09C, "memset")
# idc.MakeName(DexHelperModuleBase + 0xD060, "strlen")
# idc.MakeName(DexHelperModuleBase + 0xD0A8, "getpid")
# idc.MakeName(DexHelperModuleBase + 0xD1A4, "sprintf")
# idc.MakeName(DexHelperModuleBase + 0xD18C, "opendir")
# idc.MakeName(DexHelperModuleBase + 0xD198, "readdir")
# idc.MakeName(DexHelperModuleBase + 0xD1C8, "atoi")
# idc.MakeName(DexHelperModuleBase + 0xD2E8, "readlink")
# idc.MakeName(DexHelperModuleBase + 0xD15C, "strstr")
# idc.MakeName(DexHelperModuleBase + 0xD120, "fopen")
# idc.MakeName(DexHelperModuleBase + 0xD168, "fgets")
# idc.MakeName(DexHelperModuleBase + 0xD258, "fread")
# idc.MakeName(DexHelperModuleBase + 0xD150, "fclose")
# idc.MakeName(DexHelperModuleBase + 0xD228, "memcmp")
# idc.MakeName(DexHelperModuleBase + 0xD228, "memcmp")
# idc.MakeName(DexHelperModuleBase + 0xD090, "malloc")
# idc.MakeName(DexHelperModuleBase + 0xD1BC, "closedir")
# idc.MakeName(DexHelperModuleBase + 0x100CC, "StrDecrypt")
idc.AddBpt(DexHelperModuleBase + 0x1CCC4) #反调试点上一行 挂了
idc.AddBpt(DexHelperModuleBase + 0x1CCFE) #反调试点上一行 挂了
#idc.AddBpt(DexHelperModuleBase + 0X1CCC4) #反调试点
#idc.AddBpt(DexHelperModuleBase + 0X34DD0) #启动反调试线程
#idc.AddBpt(DexHelperModuleBase + 0X34FF6) #启动反调试线程
idc.PatchDword(DexHelperModuleBase, 0x00BF00BF)
else:
print ""
def ReadFile(self):
"""
Monitors the the beginning of ReadFile function
ReadFile arguments are read from the stack
This is the function that will trigger the trace
inputLoggingList holds arguments for
"""
"""
BOOL WINAPI ReadFile(
_In_ HANDLE hFile,
_Out_ LPVOID lpBuffer,
_In_ DWORD nNumberOfBytesToRead,
_Out_opt_ LPDWORD lpNumberOfBytesRead,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
"""
hFile = Util.GetData(0x0)
self.logger.info("hFile is 0x%x" % (hFile))
lpBuffer = Util.GetData(0x4)
self.logger.info("lpBuffer is 0x%x" % (lpBuffer))
nNumberOfBytesToRead = Util.GetData(0x8)
self.logger.info("nNumberOfBytesToRead value is 0x%x" %
(nNumberOfBytesToRead))
lpNumberOfBytesRead = Util.GetData(0xC)
self.logger.info("lpNumberOfBytesRead value is 0x%x" %
(lpNumberOfBytesRead))
lpOverlapped = Util.GetData(0x10)
self.logger.info("lpOverlapped is 0x%x" % (lpOverlapped))
ea = idc.GetRegValue("EIP")
retAddr = ea + idc.ItemSize(ea)
Print("The return address is 0x%x" % retAddr)
self.tempStack = []
self.tempStack.append(lpBuffer)
self.tempStack.append(lpNumberOfBytesRead)
self.tempStack.append(hFile)
self.tempStack.append(ea)
self.tempStack.append("ReadFile")
self.tempStack.append(idc.GetCurrentThreadId())
idc.AddBpt(retAddr)
idc.SetBptCnd(retAddr, "interactivemodeCallback.ReadFileEnd()")
return 0
def main():
idc.AddBpt(start)
res = 'Is_th1s_3v3'
nx = 0x30
nx = len(res) + 20
for i in range(len(res), nx):
print('trying for ', res)
need = solve(res)
res += need
print('FOUND NEW CHAR >> ', need, res)
time.sleep(0.5)
def taintStop(self):
Print("Taint Stop pressed!")
#Remove the stopping breakpoint
if self.taintStop is not None:
idc.DelBpt(self.taintStop)
#Add a new stopping breakpoint
self.taintStop = idc.here()
Print( idc.GetDisasm(self.taintStop) )
idc.AddBpt(self.taintStop)
idc.SetBptAttr(self.taintStop, idc.BPT_BRK, 0)
idc.SetBptCnd(self.taintStop, "interactivemodeCallback.stopTrace()")
def Breakpoint(apiBreakList):
for apiName in apiBreakList:
addr = LocByName(apiName)
if addr != BADADDR:
xrefs = list(XrefsTo(addr,0))
if len(xrefs):
for xref in xrefs:
if xref.type in (16,17):
idc.AddBpt(xref.frm)
MakeComm(xref.frm,apiName)
if(apiName == 'GetProcAddress'):
resolveName = GetProcAddressAPIString(xref.frm)
MakeComm(xref.frm,"{}({})".format(apiName,resolveName))
return 0
def MyCreateFileA(self):
"""
Monitors the beginning of CreateFileA function
CreateFileA arguments are read from the stack
"""
"""
HANDLE WINAPI CreateFile(
_In_ LPCTSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
"""
lpFileName = Util.GetData(0x4)
self.logger.info("MyCreateFileA lpFileName is 0x%x" % lpFileName)
filePath = "".join(Util.Read(lpFileName, 1))
self.logger.info("filePath is %s" % filePath)
dwDesiredAccess = Util.GetData(0x8)
self.logger.info("dwDesiredAccess is 0x%x" % (dwDesiredAccess))
dwShareMode = Util.GetData(0xC)
self.logger.info("dwShareMode value is 0x%x" % (dwShareMode))
lpSecurityAttributes = Util.GetData(0x10)
self.logger.info("lpSecurityAttributes value is 0x%x" %
(lpSecurityAttributes))
dwCreationDisposition = Util.GetData(0x14)
self.logger.info("dwCreationDisposition value is 0x%x" %
(dwCreationDisposition))
dwFlagsAndAttributes = Util.GetData(0x18)
hTemplateFile = Util.GetData(0x1C)
fileName = os.path.basename(filePath)
self.logger.info("The filename is %s" % fileName)
retAddr = Util.GetData(0x0)
idc.AddBpt(retAddr)
idc.SetBptCnd(retAddr, "windowsFileIO.MyCreateFileAEnd()")
return 0
def add_breakpointer():
print '[*]Find linker begin...'
libart = 'libjdbitmapkit.so'
linker = 'linker'
#JNI_OnLoad 下断点
art_module_base = get_module_base(libart)
if art_module_base != None:
module_size = idc.GetModuleSize(art_module_base)
print '[*] %s base=>0x%08X, Size=0x%08X' % (libart, art_module_base,
module_size)
# 小米6
# addr = art_module_base + 0x234FC8 #0x23FFC8
# idc.AddBpt(addr)
# addr = art_module_base + 0x23FFC8 #0x23FFC8
# idc.AddBpt(addr)
#大佬手机 art jni_load
#addr = art_module_base + 0x00012F4C
offset = 0x000114E0 #######加密函数点first_challenge->switch:sub_114E0开始
addr = art_module_base + offset
print "bp : %08X,%08X" % (addr, offset)
idc.AddBpt(addr)
offset = 0x00012D2E ####这个是114E0加密后
addr = art_module_base + offset # 乘法
print "bp : %08X,%08X" % (addr, offset)
idc.AddBpt(addr)
###########################这个是特殊点。永远不会触发的。在这里设置是为了测试这个
offset = 0x00013522 #####sub_13478 下边的v6==0的情况。理论上200% 不会触发这个断点
addr = art_module_base + offset # gettimeofday
print "bp : %08X,%08X" % (addr, offset)
idc.AddBpt(addr)
def My_fread(self):
"""
old - size_t fread ( void * ptr, size_t size, size_t count, FILE * stream );
size_t _IO_fread (void * ptr, size_t size, size_t count, FILE * stream )
"""
ptr = Util.GetData(0x4)
self.logger.info("fp is 0x%x" % (ptr))
_size = Util.GetData(0x8)
self.logger.info("size is %d" % (_size))
_count = Util.GetData(0xc)
self.logger.info("count is %d" % (_count))
stream = Util.GetData(0x10)
self.logger.info("stream is 0x%x" % (stream))
self.pSize = _size * _count
self.pBuffer = ptr
retAddr = Util.GetData(0x0)
callerAddr = retAddr - idc.ItemSize(retAddr)
self.tempStack = []
self.tempStack.append(self.pBuffer)
self.tempStack.append(self.pSize)
self.tempStack.append(stream)
self.tempStack.append(callerAddr)
self.tempStack.append("fread")
self.tempStack.append(idc.GetCurrentThreadId())
if stream in self.handleSet:
self.logger.info("Found stream 0x%x" % stream)
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "linuxFileIO.My_freadEnd()")
else:
self.logger.info("Cannot find handle 0x%x" % stream)
Print("Removing un-needed fread breakpoint.")
idc.DelBpt(retAddr)
return 0
def setAndDisable(addr):
bptEnabled = idc.CheckBpt(addr)
if bptEnabled < 0:
# no breakpoint, add one
#print 'setAndDisable no bpt at %x, add one' % addr
idc.AddBpt(addr)
elif bptEnabled == 0:
# breakpoint, but not enabled
#print 'found bpt at %x, enable it' % addr
idc.EnableBpt(addr, True)
else:
#print 'breakpoint exists, use it'
pass
# disable all breakpoints, excempting the one we just set/enabled
disabledSet = disableAllBpts(addr)
return bptEnabled, disabledSet
def solve(prefix, c):
idc.AddBpt(start)
n = 0x1c
ans = prefix + c * (n - len(prefix))
ans += '\n'
ans = bytearray(ans.encode())
ans.append(0)
print(len(ans))
setup()
h = Hooker(bytes(ans), len(prefix))
assert h.hook()
h.run()
print('NEXT NEEDED >> ', h.got)
h.off()
time.sleep(0.1)
return h.got
def checkClosesocket(self):
"""
int closesocket(
_In_ SOCKET s
);
"""
s = Util.GetData(0x4)
self.logger.info("checkClosesocket: SOCKET is 0x%x" % (s))
retAddr = Util.GetData(0x0)
self.tempStack.append(s)
idc.AddBpt(retAddr)
idc.SetBptAttr(retAddr, idc.BPT_BRK, 0)
idc.SetBptCnd(retAddr, "windowsNetworkIO.checkClosesocketEnd()")
return 0
def static_breakpoint(target_type):
try:
base = idc.FirstSeg()
if base == idc.BADADDR:
print("can't find first seg")
return
filepath = idaapi.get_input_file_path()
print("filename:", filepath)
idbFile = open(filepath, "rb")
e_phoff = get_ushort(idbFile, 0x1C)
e_phentsize = get_ushort(idbFile, 0x2A)
e_phnum = get_ushort(idbFile, 0x2C)
print(e_phoff, e_phentsize, e_phnum)
dynamic = -1
for i in xrange(e_phnum):
idbFile.seek(e_phoff + e_phentsize * i)
p_type = get_ulong(idbFile, e_phoff + e_phentsize * i)
# define PT_DYNAMIC 2
if p_type == 2:
dynamic = get_ulong(idbFile, e_phoff + e_phentsize * i + 4)
break
if dynamic == -1:
print("\tcan't find dynamic")
return
dynamic_type = get_ulong(idbFile, dynamic)
init = -1
while dynamic_type != 0:
dynamic += 8
dynamic_type = get_ulong(idbFile, dynamic)
if dynamic_type == target_type:
init = get_ulong(idbFile, dynamic + 4)
break
if init == -1:
print("\tcan't find init")
return
idc.AddBpt(base + init)
print('\tbp the init on the %x' % (base + init))
print("\nbp init finished")
except BaseException, e:
print(e)
def main():
print('\n\n')
start = 0x401000
idc.AddBpt(start)
setup()
data = dict(s=binascii.unhexlify('010ff0'))
h = Hooker(data)
try:
assert h.hook()
h.run()
except:
pass
print(h.sent_data)
print(h.screen_data)
h.off()
print(h.dec_data)
print('ENC DATA >> ', h.enc_data)
print 'tb2 >> ', h.tb2
return h.dec_data