# IDA side (legacy Python 2 IDAPython API): once the debugger script returns,
# __result__ holds the resolved call sites; rebase each one and annotate it in the IDB
for item in __result__:
    MakeComm(item['ref'] - remote + base, item['api_name'])

# Debugger side (script executed in the debugger through Labeless):
# __extern__ carries the references and their argument-pushing instructions collected in IDA
__result__ = list()
for item in __extern__:
    ref = item['ref']
    push_args_list = item['push_args_list']
    # prepare stack: single-step each push, last one first, so the resolver sees its arguments
    for i in range(len(push_args_list), 0, -1):
        ll.api.Register_SetEIP(push_args_list[i - 1])
        ll.api.Debug_StepOver()
# IDA side (legacy Python 2 IDAPython API: print statement, xrange, IDC-style helpers)
# address of the API resolver routine
fn_ea = LocByName("resolve")
# base address in IDB
base = idaapi.get_imagebase()
# base address in the target process
remote = 0x00020000
refs = list(CodeRefsTo(fn_ea, 0))
print 'found %d refs' % len(refs)

# walk backwards from the call site looking for the 'mov eax, <arg>' that feeds the resolver;
# if it is not found within 5 instructions - report unresolved
# returns an operand value or None if nothing is found
def find_function_arg(addr, max_insns=5):
    for _ in xrange(max_insns):
        addr = idc.PrevHead(addr)
        if addr == idaapi.BADADDR:
            break
        if GetMnem(addr) == "mov" and GetOpnd(addr, 0) == 'eax':
            return GetOperandValue(addr, 1)
    return None
import struct
# get image base of malware module (Labeless API call inside the debugger)
image_base = ll.api.Findmodulebyname(u'12345678_db').base
# set this value to point to any 'decrypt_string' call; the RVA is passed in from IDA via __extern__
orig_eip = image_base + __extern__['decr_fn_rva']
DECR_PTR_SIZE = 0x4

# walk backwards from the call site looking for the 'mov eax, <arg>' that feeds the routine;
# if string reference is not found within 5 instructions - report unresolved
# returns an operand value or None if nothing is found
def find_function_arg(addr, max_insns=5):
    for _ in xrange(max_insns):
        addr = idc.PrevHead(addr)
        if addr == idaapi.BADADDR:
            break
        if GetMnem(addr) == "mov" and GetOpnd(addr, 0) == 'eax':
            return GetOperandValue(addr, 1)
    return None
a1ext / log_and_scripts_api_resolving_with_x64dbg.md
Last active December 5, 2022 03:50
Log and scripts used in the following video [Resolving APIs dynamically with Labeless & x64dbg] https://youtu.be/hMWuWVRkpB0

Resolving APIs dynamically with Labeless & x64dbg

Previous part: Resolving APIs dynamically with Labeless & OllyDbg 2

Hi, now we try to do the same things using x64dbg with a 64-bit target application...

Let's try to find out the differences we need to make in the IDAPython script...

As the base, I use the previous script (see the video on how to do the same in OllyDbg 2).

a1ext / log_and_scripts_api_resolving_with_olly2.md
Last active December 5, 2022 03:49
Log and scripts used in the following video [Resolving APIs dynamically with Labeless & OllyDbg 2] https://youtu.be/Dv8YlzXJ5x8

Resolving APIs dynamically with Labeless & OllyDbg 2

Hello guys, today I'm going to demonstrate how to use Labeless to obtain API names.

Malware often uses non-trivial methods to call APIs. In our case there is a function which receives hashes of the DLL name and the procedure name and returns the API address, which is then called...

So, the easiest way to get the result is to trace all references in the debugger