Want to Join Us ?

you'll be able to discuss, share and send private messages.

Python IDA Walker by Egor Zaytsev

Discussion in 'Plugins' started by storm shadow, Jun 28, 2016.

Share This Page

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Simple library for idapython.
    Main goal is fight with situations when all strings in binary are somehow obfuscated and decoded by calling some function.
    Walker is collecting all calls to such function and also collect arguments for it. So, you just need to implement decoding algo and apply it to list which will be returned by Walker.
    Moreover it can be used not only for strings decoding. For example file objSend.py make a comment with a selector at every call to _objc_msgSend method:
    Code (Text):
    __text:0000000100011DD7              call   cs:_objc_msgSend_ptr ; statusMsg
    __text:0000000100011DDD              mov     rdi, rax
    __text:0000000100011DE0              call   _objc_retainAutoreleasedReturnValue
    __text:0000000100011DE5              mov     [rbp+var_128], rax
    __text:0000000100011DEC              mov     r15, cs:classRef_NSString
    __text:0000000100011DF3              mov     rsi, cs:selRef_item
    __text:0000000100011DFA              mov     rdi, r14
    __text:0000000100011DFD              call   cs:_objc_msgSend_ptr ; item
    __text:0000000100011E03              mov     rdi, rax
    __text:0000000100011E06              call   _objc_retainAutoreleasedReturnValue
    It can be easily extended by creating own handlers for assembly instructions. For now only x86/x64 and mips is supported
    BPArgsTracker is one of examples such extending handler. It tracks movs at local variables and allows to create hooks for functions. This can be usefull if we works with C++ strings:
    Code (Text):
    std::string s("obfuscated");
    s.decode(); // s - now original string
    We can add hook at std::string constructor so, at the moment of decode call we have connection beetween hardcoded obfustated string and place where decode is taken
    Code (Text):
    mov rsi, dword_12345
    lea rdi, [rbp-800]
    call std::string
    ...
    lea rdi, [rbp-800]
    call decode
    https://gitlab.com/zaytsevgu/ida-walk
     

    Attached Files:

    samoray and Rip Cord like this.
Top