Sancaros/xgmsv
1
0
Fork 0
mirror of https://github.com/iriselia/xgmsv.git synced 2025-04-03 14:28:26 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
xgmsv/analysis/extract_opcode.py
Junimo 4d59850b08 .
2024-01-21 14:31:43 -08:00

63 lines
2.2 KiB
Python
Raw Permalink Blame History

import idautils
import idaapi
import idc
import ida_ua
import ida_hexrays
print("[+][lilpwny] script_begin")
func_name = 'nrproto_ServerDispatchMessage'
func = None
addr = 0
cursor = 0
names = idautils.Names()
for n in names:
if n[1] == func_name:
addr = n[0]
cursor = addr
func = idaapi.get_func(addr)
print(f"[+][lilpwny] {func_name} found at: {addr}")
print(f"[+][lilpwny] {func}")
opcode_str_addrs = []
cf = idaapi.decompile(addr)
num_cmts = idaapi.user_cmts_size(cf.user_cmts)
it = idaapi.user_cmts_begin(cf.user_cmts)
i = 0
while (i < num_cmts):
t = idaapi.user_cmts_first(it) #treeloc_t
c = idaapi.user_cmts_second(it) #user_cmts_t
#print(f"Comment: {c.c_str()} at addr: {hex(t.ea)} itp: {t.itp}")
#d[f_ea][i] = {"ea" : t.ea, "comment": c.c_str(), "itp": t.itp}
c = None
i += 1
it = idaapi.user_cmts_next(it)
while cursor < func.end_ea:
if idc.print_insn_mnem(cursor) == 'lea':
next3 = []
new_cursor = cursor
for i in range(0, 3):
new_cursor = idc.next_head(new_cursor, func.end_ea)
next3.append(idc.print_insn_mnem(new_cursor))
if next3[0] == 'mov' and next3[1] == 'mov' and next3[2] == 'call':
str_addr = idc.get_operand_value(cursor, 1)
str_val = idc.get_strlit_contents(idc.get_operand_value(cursor, 1)).decode('utf-8')
enc_str_val = idc.get_strlit_contents(idc.get_operand_value(cursor, 1) + 3800).decode('utf-8')
tl = idaapi.treeloc_t()
tl.ea = new_cursor
tl.itp = idaapi.ITP_BRACE2
cf.set_user_cmt(tl, "")
cf.set_user_cmt(tl, f'"{enc_str_val}" -> "{str_val}"')
#cf.del_orphan_cmts()
cf.save_user_cmts()
idc.set_name(idc.get_operand_value(cursor, 1), f"op_{enc_str_val}_{str_val}")
#print(f"{idc.get_name(idc.get_operand_value(cursor, 1))}, {idc.print_operand(cursor, 1)} = {str_val}")
#print(f"{idc.GetDisasm(cursor)}")
print(f"{enc_str_val} : {str_val},")
cursor = idc.next_head(cursor, func.end_ea)
print("[+][lilpwny] script_end")
Reference in New Issue View Git Blame Copy Permalink