@a1ext
Last active September 21, 2018 15:57
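def find_function_arg(addr, max_insns=5, reg='eax', mnem='mov'):
    """Walk backwards from *addr* to find the instruction that loads *reg*.

    The value loaded into ``eax`` right before the call is what the rest of
    the script uses as the lookup key for the decrypted string, so this
    scans the preceding instructions for ``mov eax, <operand>``.  The walk
    is purely linear (``idc.PrevHead``) and not control-flow aware: a load
    that sits in a different basic block, or one that follows a jump into
    the call site, will not be seen.  Only the exact operand text *reg* is
    matched, so e.g. ``mov ax, ...`` or ``lea eax, ...`` are ignored.

    Args:
        addr: address to start walking back from (the call site).
        max_insns: how many preceding instructions to inspect before the
            argument is reported as unresolved (default 5).
        reg: destination operand text to match (default ``'eax'``).
        mnem: mnemonic to match (default ``'mov'``).

    Returns:
        ``GetOperandValue(addr, 1)`` of the first matching instruction --
        the source operand's value as IDA reports it -- or ``None`` if no
        match is found within *max_insns* instructions or ``idc.PrevHead``
        returns ``idaapi.BADADDR`` first.
    """
    # range() rather than xrange() keeps this runnable under both Python 2
    # (IDA <= 7.3) and Python 3 IDAPython.
    for _ in range(max_insns):
        addr = idc.PrevHead(addr)
        if addr == idaapi.BADADDR:
            # No previous instruction head: nothing more to scan.
            break
        if GetMnem(addr) == mnem and GetOpnd(addr, 0) == reg:
            return GetOperandValue(addr, 1)
    return None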
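### MAIN ###
# Expects ``__result__`` to already be defined in the IDAPython namespace:
# a dict mapping ``str(key operand)`` -> decrypted text.  NOTE(review): it
# is not defined in this gist; presumably populated by a preceding
# decryption step -- confirm before running.
decrypt_func_addr = LocByName("decrypt_string")
if decrypt_func_addr == idaapi.BADADDR:
    # XrefsTo(BADADDR) would silently yield nothing, so make the failure visible.
    print("[!] Function 'decrypt_string' not found in the database")
else:
    print("[*] Applying decrypted strings to the database in malware")
    for x in XrefsTo(decrypt_func_addr, 0):
        ref = find_function_arg(x.frm)
        if ref is None:
            # The argument was not resolved within the instruction window.
            # The original code fell through to hex(None) here and raised
            # TypeError, aborting the whole run on the first such call site.
            print('Unresolved key argument for call at %s' % hex(x.frm))
            continue
        comment = __result__.get(str(ref))
        if comment is None:
            print('No key %s found' % hex(ref))
        else:
            # IDA7 accepts strings in "utf8" encoding so we state it explicitly
            MakeComm(x.frm, comment.encode('utf8'))
    print("[*] Script finished, check strings in comments")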