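def DecryptStackStrings(addrDecryptFunction):
    """Emulate every call to a string-decryption routine and annotate the IDB.

    For each code cross-reference to ``addrDecryptFunction`` the call
    parameters and the emulation range are resolved with the
    ``GetDecryptString1*`` helpers, the range is emulated, and a non-empty
    result is written back to the database as a repeatable comment at the
    call site. When the destination buffer resolves to an address, that
    address is also named, patched with the decrypted bytes plus a NUL
    terminator, and converted to a string item.

    A failure while emulating or annotating one call site is reported
    (emulation range, register dump, exception) and the loop moves on to
    the next call site.

    Args:
        addrDecryptFunction: address of the decryption function whose
            callers are processed.
    """
    global emu
    print("[+]DecryptStackStrings")
    # Each code xref to the decryption routine is one encrypted string.
    for call in idautils.CodeRefsTo(addrDecryptFunction, 1):
        print("[+]Call at 0x%08X %s" % (call, idc.GetFunctionName(call)))
        # Parameters of the decryption call:
        #   Param1. DestBuffer
        #   Param2. Length
        #   Param3. StackStringEncrypted
        destBuffer, length = GetDecryptString1Parameters(call)
        print("[+]Params dest = 0x%08X len = 0x%08X" % (destBuffer, length))
        # Range of instructions to emulate for this call site.
        emulStart, emulEnd = GetDecryptString1EmulationBoundaries(call, length)
        print("[+]Start 0x%08X, End 0x%08X" % (emulStart, emulEnd))
        # Initialise the emulator registers before running the range.
        PrepareEmuRegister(emu, emulStart)
        try:
            szDecryptedString = Emulate(emu, emulStart, emulEnd)
            if len(szDecryptedString) > 0:
                # The text is produced by the analysed binary: treat it as
                # untrusted data when it is printed, stored or reused.
                print("[+]Decrypted: \"%s\" at 0x%08X" % (szDecryptedString, call))
                idc.MakeRptCmt(call, szDecryptedString)
                # 0 and -1 mean the destination is not an address (for
                # example a register), so there is nothing to name or patch.
                if destBuffer != 0 and destBuffer != -1:
                    # SN_NOCHECK: the name is not rejected for containing
                    # characters IDA considers invalid in an identifier.
                    idc.MakeNameEx(destBuffer, "" + szDecryptedString, SN_NOCHECK)
                    # NOTE(review): `length` does not bound this write. If
                    # Emulate can return more bytes than the destination
                    # holds, adjacent database bytes are overwritten;
                    # confirm against Emulate. Patching changes the IDB, so
                    # run on a copy or snapshot of the database.
                    for offset, ch in enumerate(szDecryptedString):
                        idc.PatchByte(destBuffer + offset, ord(ch))
                    strEnd = destBuffer + len(szDecryptedString)
                    idc.PatchByte(strEnd, 0)
                    idc.MakeStr(destBuffer, strEnd)
        except Exception as err:
            # Exception, not a bare except: KeyboardInterrupt and SystemExit
            # propagate, so a cancel request stops the whole run instead of
            # skipping one call site.
            print("[+]EmulStart = 0x%08X, EmulEnd = 0x%08X" % (emulStart, emulEnd))
            emu.dump_regs()
            # repr() keeps the exception message, not just its type.
            print(repr(err))
        print("")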
#Performs the Emulation and Returns the Dumped String