Created
May 26, 2019 11:25
-
-
Save thestr4ng3r/24a7b93a8b936019316d6fff46becf33 to your computer and use it in GitHub Desktop.
Annotate sp-based vars with offset from bp by importing x64dbg trace
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import x64trace | |
| import r2pipe | |
| r = r2pipe.open() | |
| base_real = 0x70E00000 # base address used in the trace | |
| base = r.cmdj("ij")["bin"]["baddr"] | |
| def import_trace(trace): | |
| for block in trace.blocks: | |
| regs = block.registers.regcontext | |
| esp = regs.csp | |
| ebp = regs.cbp | |
| eip = regs.cip | |
| addr = eip - base_real + base | |
| frame = ebp - esp | |
| if frame < 0: | |
| print(f"Warning: frame < 0 @ {addr:#x}") | |
| continue | |
| r.cmd(f"ahF {frame:#x} @ {addr:#x}") | |
| def annotate_vars(): | |
| hints = r.cmdj("ahj") | |
| for hint in hints: | |
| if "stackframe" not in hint: | |
| continue | |
| frame = hint["stackframe"] | |
| addr = hint["from"] | |
| ops = r.cmdj(f"aoj @ {addr:#x}") | |
| if len(ops) < 1: | |
| continue | |
| op = ops[0] | |
| operands = op["opex"]["operands"] | |
| for operand in operands: | |
| if operand["type"] == "mem" and "base" in operand and operand["base"] == "esp": # or rsp for x64 | |
| disp = operand["disp"] | |
| disp_bp = frame - disp | |
| r.cmd(f"CC [ebp - {disp_bp:#x}] @ {addr:#x}") | |
| break | |
| trace = x64trace.Trace.loadf("MyTrace.trace32") | |
| import_trace(trace) | |
| annotate_vars() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment