def jxx_target(head): refs = idautils.CodeRefsFrom(head, 0) refs = list([x for x in refs]) n = len(refs) #jmp $+5 if n > 0: target = refs[0] elif n == 0: if is_jmp_next(head): target = idc.NextNotTail(head) else: print "decoding @ 0x%x" % head #this is a bug in IDA. if MakeCode results in a new jmp, pointing to undefined byte: #jmp lol #... #lol: # db 0 # <defined instructions> #then CodeRefsFrom() will return nothing, so we need to decode the address ourselves :p #FIXME: remove everything except decode_jump? target = decode_jump(head) print "result: 0x%x" % target else: print "unknown jxx_target @ 0x%x" % head assert (False) return target
def main(): xrefs = XrefsTo(0x13070FC) for xref in xrefs: packetHeader = idc.NextNotTail(xref.frm) opCode1 = idc.GetOperandValue(packetHeader, 1) if opCode1 > 10 and opCode1 < 16655: print "%08x -> %2x" % (packetHeader, opCode1)
def processEncrypt(ea, name, CRYPTSTART_PATTERN, CRYPTEND_PATTERN, EPILOGUE_PATTERN, PROLOGUE_PATTERN): prologue = idc.FindBinary(ea, SEARCH_UP, PROLOGUE_PATTERN) if len(PROLOGUE_PATTERN) != 0 else idc.GetFunctionAttr(ea, FUNCATTR_START) epilogue = idc.FindBinary(ea, SEARCH_DOWN, EPILOGUE_PATTERN) if len(EPILOGUE_PATTERN) != 0 else idc.GetFunctionAttr(ea, FUNCATTR_END) idc.MakeFunction(prologue, epilogue + EPILOGUE_PATTERN.count(' ') + 1); cryptStart = idc.FindBinary(ea, SEARCH_DOWN if name != "BYTE" else SEARCH_UP, CRYPTSTART_PATTERN) cryptEnd = idc.FindBinary(ea, SEARCH_DOWN, CRYPTEND_PATTERN) # Generate Encrypt ea = cryptStart + CRYPTSTART_PATTERN.count(' ') + 1 opStr = "" while ea < cryptEnd: if idc.GetMnem(ea) != 'mov': result = { 'add': lambda x: "new Add({0})".format(idc.GetOperandValue(x, 1)), 'sub': lambda x: "new Sub({0})".format(idc.GetOperandValue(x, 1)), 'xor': lambda x: "new Xor({0})".format(idc.GetOperandValue(x, 1)), 'ror': lambda x: "new Ror({0})".format(idc.GetOperandValue(x, 1)), 'rol': lambda x: "new Rol({0})".format(idc.GetOperandValue(x, 1)), 'not': lambda x: "new Not()", 'inc': lambda x: "new Inc()", 'dec': lambda x: "new Dec()", }[idc.GetMnem(ea)](ea) opStr += str("{0}{1}".format(result, ", " if idc.NextNotTail(ea) != cryptEnd else "")) ea = idc.NextNotTail(ea) print "CryptOperations.Add(0x{0:X}, new Operations({1}));".format(zlib.crc32(opStr) & 0xffffffff, opStr) idc.MakeNameEx(prologue, "Encrypt_{0}_{1:X}".format(name, zlib.crc32(opStr) & 0xffffffff), SN_NOCHECK | SN_NOWARN) return;
def generate_data_from_offset( offset): # credits to ferhat, or whoever wrote this found_values = {} chunks = idautils.Chunks(offset) for begin, end in chunks: name = "" offset = -1 ea = begin while ea != end: mnem = idc.GetMnem(ea) opnd = idc.GetOpnd(ea, 0) stack_value = idc.GetOperandValue(ea, 0) if mnem == "jz" or mnem == "jl": name = "" offset = -1 if offset == -1 and (mnem == "add" or mnem == "lea" or mnem == "sub"): offset = idc.GetOperandValue(ea, 1) if mnem == "sub": offset = 0x100000000 - offset if mnem == "push" and "offset" in opnd and "pNodeName" not in opnd: name = idc.GetString(stack_value, -1, idc.ASCSTR_C) if is_user_name(stack_value): # this should crash? wtf name = idc.NameEx(idc.BADADDR, stack_value) if mnem == "call" or mnem == "jmp": #print("{} at {}").format(name, dec_to_hex(offset)) if name: found_values[offset] = name name = "" offset = -1 ea = idc.NextNotTail(ea) return found_values
def main(): print "Parsing CharData..." start = 0x00E36855 end = 0x00E39EC2 ea = start parseOffset = False property = '' fstpIterator = 0 # Fill FSTP_Array while ea != end: mnem = idc.GetMnem(ea) if mnem == "fstp": FSTP_ARRAY.append(idc.GetOperandValue(ea, 1)) ea = idc.NextNotTail(ea) ea = start while ea != end: mnem = idc.GetMnem(ea) tmpb = False # Get property name if mnem == 'push': stringAddr = idc.GetOperandValue(ea, 0) if stringAddr != BADADDR: tmpProperty = idc.GetString(stringAddr, -1, ASCSTR_C) if tmpProperty in MOV_PROPERTIES or tmpProperty in FLOAT_PROPERTIES: property = tmpProperty tmpb = True if tmpb == True and property != None and len(property) > 4: parseOffset = True # Get offset if parseOffset == True and (mnem == "fstp" or mnem == "lea" or mnem == "mov"): # Offset result = 0 # Inside fstp[] if property in FLOAT_PROPERTIES: result = FSTP_ARRAY[fstpIterator] fstpIterator += 1 # Inside mov[] if property in MOV_PROPERTIES: if idc.GetOpnd(ea, 0) != "edx" and idc.GetOpnd(ea, 0) != "ecx": result = { 'fstp': lambda offset: idc.GetOperandValue(offset, 1), 'mov': lambda offset: idc.GetOperandValue(offset, 0), 'lea': lambda offset: 0 }[mnem](ea) # Display offset if result != 0: print "%s => %08x" % (property, result) parseOffset = False ea = idc.NextNotTail(ea)