
Alexander Hanel UIWIX string decoder

Created by Alexander Hanel
# UIWIX string decoder for IDAPython   
import idautils
from string import maketrans


def backtrace(addr):
    """Step one instruction back from *addr* looking for ``mov edx, <imm>``.

    Returns ``(True, operand_value)`` when the previous instruction head is a
    ``mov`` whose first operand is ``edx`` -- the caller treats that immediate
    as the address of the encoded string.  Otherwise returns
    ``(False, prev_addr)`` so the caller can keep walking backwards from
    ``prev_addr``.
    """
    prev = idc.PrevHead(addr)
    is_mov_edx = idc.GetMnem(prev) == 'mov' and idc.GetOpnd(prev, 0) == "edx"
    if not is_mov_edx:
        return (False, prev)
    return (True, idc.GetOperandValue(prev, 1))


def decode(encoded_string, trantab):
    """Apply the substitution table *trantab* to *encoded_string*.

    The input is coerced with ``str()`` first, so a non-string value (for
    example ``None``) is translated as its textual representation rather
    than raising.
    """
    as_text = str(encoded_string)
    return as_text.translate(trantab)


# Address of the routine whose call sites are visited below -- presumably the
# sample's string-decoding function; confirm against the IDB.
func_addr = 0xABA6FA8
# Monoalphabetic substitution: each character of ``intable`` maps to the
# character at the same index of ``outtable`` (62 symbols: A-Z, a-z, 0-9).
# ``maketrans`` raises ValueError if the two tables differ in length.
intable = 'amNFHufoTRn0P3vI8xBS4t6jM9CqXeibUDEpQ1ZGYywJzAg7sk2lc5WLOrKdhV'
outtable = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
# Python 2 ``string.maketrans`` builds the 256-byte table used by ``str.translate``.
trantab = maketrans(intable, outtable)


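# Visit every code cross-reference to ``func_addr``.  For each call site walk
# back at most five instructions to the ``mov edx, <addr>`` that loads the
# encoded string, decode it and attach the plaintext as a comment on the call.
for addr in idautils.CodeRefsTo(func_addr, 0):
    found = False
    temp_addr = addr
    for _ in range(5):
        found, temp_addr = backtrace(temp_addr)
        if found:
            # On success backtrace() returns the operand value, i.e. the
            # address of the encoded string, rather than an instruction head.
            encode_data_offset = temp_addr
            break

    if not found:
        continue

    encoded_string = idc.GetString(encode_data_offset)
    # GetString returns None when IDA recognises no string at the address;
    # without this guard ``str(None)`` would be translated and a bogus
    # comment written on the call.
    if encoded_string is None:
        continue

    decoded = decode(encoded_string, trantab)
    idc.MakeComm(addr, decoded)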
        

Comments (1)

  1. Alexander Hanel

    API Renamer

    import idautils
    from string import maketrans
    
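    def backtrace(addr):
        """Step one instruction back from *addr* looking for a commented ``call``.

        Returns ``(True, call_addr)`` when the previous instruction head is a
        ``call`` carrying a regular (non-repeatable) comment -- the comment is
        what the caller later uses as the API name.  Otherwise returns
        ``(False, call_addr)`` so the caller can keep walking backwards.
        """
        call_addr = idc.PrevHead(addr)
        comment = idc.GetCommentEx(call_addr, 0)
        # ``is not None`` instead of ``!= None``: None is a singleton, test identity.
        if idc.GetMnem(call_addr) == 'call' and comment is not None:
            return (True, call_addr)
        return (False, call_addr)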
    
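    def traceforward(addr):
        """Step one instruction forward from *addr* looking for ``mov <mem>, eax``.

        Returns ``(True, cur_addr)`` when the next instruction head is a ``mov``
        whose destination operand is a direct memory reference (``GetOpType``
        value 2, ``o_mem``) and whose source operand is ``eax`` -- the store of
        the pointer returned in eax into a global.  Otherwise returns
        ``(False, cur_addr)``.
        """
        cur_addr = idc.NextHead(addr)
        # Qualified with ``idc.`` like the other calls; the bare names only
        # resolve when the script runs inside IDA's ``from idc import *``
        # namespace.
        is_store_of_eax = (idc.GetMnem(cur_addr) == "mov"
                           and idc.GetOpType(cur_addr, 0) == 2
                           and idc.GetOpnd(cur_addr, 1) == "eax")
        if is_store_of_eax:
            return (True, cur_addr)
        return (False, cur_addr)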
    
    
    # Address whose code cross-references are walked below; "gpa" presumably
    # stands for GetProcAddress (the script names the globals that receive the
    # resolved pointer) -- confirm against the IDB.
    gpa_addr = 0x0ABA728C
    
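    # For every call site of ``gpa_addr``: walk back (at most five instructions)
    # to the commented ``call`` whose comment holds the resolved API name, then
    # walk forward (at most five instructions) to the ``mov <global>, eax`` that
    # stores the returned pointer, and name that global after the API.
    for addr in idautils.CodeRefsTo(gpa_addr, 0):
        found = False
        comment = None
        temp_addr = addr
        for _ in range(5):
            found, temp_addr = backtrace(temp_addr)
            if found:
                comment = idc.GetCommentEx(temp_addr, 0)
                break

        if not found:
            continue

        for _ in range(5):
            found, temp_addr = traceforward(temp_addr)
            if not found:
                continue
            # ``hex()`` appends an 'L' only for Python 2 longs; slicing it off
            # unconditionally dropped the last digit for plain ints.  The
            # parenthesised single-argument print works on both Python 2 and 3.
            print("%x %s" % (temp_addr, comment))
            target = idc.GetOperandValue(temp_addr, 0)
            # MakeNameEx returns False when the name is rejected (e.g. already
            # in use); retry once with a leading underscore.
            if not idc.MakeNameEx(target, comment, idc.SN_NOWARN):
                idc.MakeNameEx(target, str("_" + comment), idc.SN_NOWARN)
            # Stop after the first store, as the backtrace loop does; a later
            # match would only collide on the same name and get the "_" variant.
            break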
    