ngioweb - step1 - [ida] resolve obfuscated API calls.py

# address of the API resolver routine
fn_ea = LocByName("resolve")
# base address in IDB
base = idaapi.get_imagebase()
# base address in the target process
remote = 0x00020000

refs = list(CodeRefsTo(fn_ea, 0))
print 'found %d refs' % len(refs)

# max number of steps from a API resolver call
# to look for push instructions of function arguments
max_cmd_lookback = 10

# how much arguments API resolver uses
num_args = 2

# this variable is used for transmitting data to debugger's side
__extern__ = list()

for ref in refs:
    # ref is a reference to the API resolver routine
    # Now get all instructions in the function, 
    # where the API resolver is referenced from
    items = list(FuncItems(ref))  # We need this list to find 
    # were function arguments are pushed

    index_of_resolver_call = items.index(ref)
    push_args_list = []
    # move back from the call searching for arguments
    for i in range(1, max_cmd_lookback):
        if index_of_resolver_call - i < 0:
            break  # start of function was reached

        cmd_ref = items[index_of_resolver_call - i]

        # command should be PUSH
        if GetMnem(cmd_ref) != "push":
            continue  # take the next command 

        # push operand type should be immediate value
        if GetOpType(cmd_ref, 0) != o_imm:
            break  # we can't resolve API in this case

        push_args_list.append(cmd_ref - base + remote)
        if len(push_args_list) == num_args:
            break

    if len(push_args_list) != num_args:
        print "Failed to resolve %x" % ref
        continue

    __extern__.append({'ref': ref - base + remote,
                       'push_args_list': push_args_list})