Example of IDA Microcode script to parse the arguments of a call to a decryption function

decrypt_from_args_mc.py

import idautils
import ida_range
import ida_hexrays as hr

class decryptor(hr.mop_visitor_t):

    def visit_mop(self, op, type, is_target):
        if op.t != hr.mop_f:
            return 0

        if op.f.callee != ida_name.get_name_ea(0, "f_decrypt_string"):
            return 0
        
        # check if the first argument is an address and second arg is a number
        if op.f.args[0].t != hr.mop_a or op.f.args[1].t != hr.mop_n:
            return 0
        
        # check if mop_addr_t is a global variable 
        if op.f.args[0].a.t != hr.mop_v:
            return 0
            
        addr_buffer_enc = op.f.args[0].a.g
        size_buffer_enc = op.f.args[1].nnn.value
        
        addr_key = EA_KEY
        size_key = SIZE_KEY
        
        buffer_dec = ""
        for i in range(size_buffer_enc):
            buffer_dec += chr(ida_bytes.get_byte(addr_buffer_enc+i)^ida_bytes.get_byte(addr_key+(i%size_key)))
        
        idc.MakeComm(self.curins.ea, buffer_dec)
        
        return 0
        

ea_f = ida_name.get_name_ea(0, "f_decrypt_string")
for ref in idautils.XrefsTo(ea_f):
    f = ida_funcs.get_func(ref.frm)
    F = ida_bytes.get_flags(f.start_ea)
    if ida_bytes.is_code(F):
        hf = hr.hexrays_failure_t()
        mbr = hr.mba_ranges_t()
        mbr.ranges.push_back(ida_range.range_t(f.start_ea, f.end_ea))
        mba = hr.gen_microcode(mbr, hf, None, hr.DECOMP_WARNINGS, hr.MMAT_CALLS)
        mba.for_all_ops(decryptor())