Skip to content

Instantly share code, notes, and snippets.

@icecr4ck
Created October 9, 2019 16:57
Show Gist options
  • Save icecr4ck/ec39ddedf3f1948fdf7873094561739a to your computer and use it in GitHub Desktop.
Save icecr4ck/ec39ddedf3f1948fdf7873094561739a to your computer and use it in GitHub Desktop.
Example of IDA Microcode script to parse the arguments of a call to a decryption function
import idautils
import ida_range
import ida_hexrays as hr
class decryptor(hr.mop_visitor_t):
def visit_mop(self, op, type, is_target):
if op.t != hr.mop_f:
return 0
if op.f.callee != ida_name.get_name_ea(0, "f_decrypt_string"):
return 0
# check if the first argument is an address and second arg is a number
if op.f.args[0].t != hr.mop_a or op.f.args[1].t != hr.mop_n:
return 0
# check if mop_addr_t is a global variable
if op.f.args[0].a.t != hr.mop_v:
return 0
addr_buffer_enc = op.f.args[0].a.g
size_buffer_enc = op.f.args[1].nnn.value
addr_key = EA_KEY
size_key = SIZE_KEY
buffer_dec = ""
for i in range(size_buffer_enc):
buffer_dec += chr(ida_bytes.get_byte(addr_buffer_enc+i)^ida_bytes.get_byte(addr_key+(i%size_key)))
idc.MakeComm(self.curins.ea, buffer_dec)
return 0
ea_f = ida_name.get_name_ea(0, "f_decrypt_string")
for ref in idautils.XrefsTo(ea_f):
f = ida_funcs.get_func(ref.frm)
F = ida_bytes.get_flags(f.start_ea)
if ida_bytes.is_code(F):
hf = hr.hexrays_failure_t()
mbr = hr.mba_ranges_t()
mbr.ranges.push_back(ida_range.range_t(f.start_ea, f.end_ea))
mba = hr.gen_microcode(mbr, hf, None, hr.DECOMP_WARNINGS, hr.MMAT_CALLS)
mba.for_all_ops(decryptor())
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment