williballenthin/flare-on-6__extract_buffer.py

## flare-on-6__extract_buffer.py
from idaapi import *

GEN_REG = 0x1
MEM_REF = 0x2
BASE_INDEX = 0x3
BASE_INDEX_DISP = 0x4
IMMED = 0x5

def doone(ea):
    xrefs = []
    for xref in DataRefsTo(ea):
        xrefs.append(xref)
    if len(xrefs) != 1:
        print(hex(ea), "%d xrefs" % len(xrefs))
    if len(xrefs) == 0:
        return None

    one_worked = False
    for xref in xrefs:
        if GetMnem(xref) != "mov":
            print(hex(ea), hex(xref), "not a mov")
            continue
        if GetOpType(xref, 0) != MEM_REF:
            print(hex(ea), hex(xref), "not correct op type (0)")
            continue
        if GetOpType(xref, 1) != GEN_REG:
            print(hex(ea), hex(xref), "not correct op type (1)")
            continue

        p1 = PrevHead(xref)
        if GetMnem(p1) != "movzx":
            print(hex(ea), hex(p1), "not a movzx")
            continue
        if GetOpType(p1, 0) != GEN_REG:
            print(hex(ea), hex(p1), "not correct op type (0)")
            continue
        if GetOpType(p1, 1) != BASE_INDEX:
            print(hex(ea), hex(p1), "not correct op type (1)")
            continue

        p2 = PrevHead(p1)
        if GetMnem(p2) != "mov":
            print(hex(ea), hex(p2), "not a mov")
            continue
        if GetOpType(p2, 0) != GEN_REG:
            print(hex(ea), hex(p2), "not correct op type (0)")
            continue
        if GetOpType(p2, 1) != BASE_INDEX_DISP:
            print(hex(ea), hex(p2), "not correct op type (1)")
            continue

        p3 = PrevHead(p2)
        if GetMnem(p3) != "mov":
            print(hex(ea), hex(p3), "not a mov")
            continue
        if GetOpType(p3, 0) != BASE_INDEX_DISP:
            print(hex(ea), hex(p3), "not correct op type (0)")
            continue
        if GetOpType(p3, 1) != IMMED:
            print(hex(ea), hex(p3), "not correct op type (1)")
            continue

        string_ea = GetOperandValue(p3, 1)
        return GetManyBytes(string_ea, 1)
    return None


def main():
    ea = 0x729900
    ret = ""
    while True:
        c = doone(ea)
        if c is None:
            break
        print(chr(ord(c)), hex(ord(c)))
        ret += c
        ea += 0x1

    print(ret)


if __name__ == "__main__":
    main()
	from idaapi import *

	GEN_REG = 0x1
	MEM_REF = 0x2
	BASE_INDEX = 0x3
	BASE_INDEX_DISP = 0x4
	IMMED = 0x5

	def doone(ea):
	xrefs = []
	for xref in DataRefsTo(ea):
	xrefs.append(xref)
	if len(xrefs) != 1:
	print(hex(ea), "%d xrefs" % len(xrefs))
	if len(xrefs) == 0:
	return None

	one_worked = False
	for xref in xrefs:
	if GetMnem(xref) != "mov":
	print(hex(ea), hex(xref), "not a mov")
	continue
	if GetOpType(xref, 0) != MEM_REF:
	print(hex(ea), hex(xref), "not correct op type (0)")
	continue
	if GetOpType(xref, 1) != GEN_REG:
	print(hex(ea), hex(xref), "not correct op type (1)")
	continue

	p1 = PrevHead(xref)
	if GetMnem(p1) != "movzx":
	print(hex(ea), hex(p1), "not a movzx")
	continue
	if GetOpType(p1, 0) != GEN_REG:
	print(hex(ea), hex(p1), "not correct op type (0)")
	continue
	if GetOpType(p1, 1) != BASE_INDEX:
	print(hex(ea), hex(p1), "not correct op type (1)")
	continue

	p2 = PrevHead(p1)
	if GetMnem(p2) != "mov":
	print(hex(ea), hex(p2), "not a mov")
	continue
	if GetOpType(p2, 0) != GEN_REG:
	print(hex(ea), hex(p2), "not correct op type (0)")
	continue
	if GetOpType(p2, 1) != BASE_INDEX_DISP:
	print(hex(ea), hex(p2), "not correct op type (1)")
	continue

	p3 = PrevHead(p2)
	if GetMnem(p3) != "mov":
	print(hex(ea), hex(p3), "not a mov")
	continue
	if GetOpType(p3, 0) != BASE_INDEX_DISP:
	print(hex(ea), hex(p3), "not correct op type (0)")
	continue
	if GetOpType(p3, 1) != IMMED:
	print(hex(ea), hex(p3), "not correct op type (1)")
	continue

	string_ea = GetOperandValue(p3, 1)
	return GetManyBytes(string_ea, 1)
	return None


	def main():
	ea = 0x729900
	ret = ""
	while True:
	c = doone(ea)
	if c is None:
	break
	print(chr(ord(c)), hex(ord(c)))
	ret += c
	ea += 0x1

	print(ret)


	if __name__ == "__main__":
	main()