Tuesday, 22 October 2013

Using Python in IDA Pro to iterate over functions and name them

The following code finds every call to the function GameSendPacket. It then iterates through the instructions of each calling function until it finds a mov whose first operand is byte ptr [xxx], and reads the hex immediate operand, which happens to be the packet ID for what I am using this for.

Then it goes to the calling function and gets its name; if it starts with sub_ then it has just been named automatically by IDA, so rename it to SendXX where XX is the packet ID, woo!

from idc import *
from idautils import *

# Every code reference to GameSendPacket is a call site; walk the function
# containing each call and look for the mov that stores the packet ID byte.
for ref in CodeRefsTo(LocByName('GameSendPacket'), 1):
    E = list(FuncItems(ref))
    if len(E) == 0:
        print "ORPHAN CALL (NOT IN A FUNCTION)!!!!"
        print " at %X " % ref
    for e in E:
        if GetMnem(e) == "mov":
            p1 = GetOpnd(e, 0)
            if p1 in ("byte ptr [eax]", "byte ptr [ebx]", "byte ptr [ecx]", "byte ptr [edx]") and GetOpType(e, 1) == o_imm:
                OpHex(e, 1)                          # show the immediate as hex in the listing
                n = '%02X' % GetOperandValue(e, 1)   # packet ID as two hex digits
                OldName = GetFunctionName(ref)
                NewName = 'Send' + n
                FuncAddr = GetFunctionAttr(ref, FUNCATTR_START)   # start of the calling function
                print '%s NewName: %s OldName: %s' % (hex(FuncAddr), NewName, OldName)
                if OldName.startswith('sub_'):       # only replace IDA's automatic names
                    print 'Rename %s to %s' % (OldName, NewName)
                    MakeName(FuncAddr, NewName)


Now to make one for handling the recv array.
And maybe later graph GUI click events through to the packets they send.

Calling functions and getting a string from the pointer of their input, and also JavaScript in IDA Pro

So I learnt about a thing in IDA Pro called Appcall which allows you to call a function you have defined *which can be done with N*.

You have to pause in debugger before using this.

I found a function called GetMessageFromID; it was a thiscall with 1 argument, so I needed to know the this pointer. I breakpointed it and got it called once, then put the argument in and it worked as expected. I got back an address.

I thought this is good but I want to see the string.

In IDC you can use

In Python

A loop in Python printing out the string value :)
for x in xrange(0, 1000): print GetString(Appcall.GetMessageFromID(0x00A59000, x))

Just printing out a string
print GetString(Appcall.GetMessageFromID(0x00A59000, 10))

Also we can use JavaScript as a scripting language, which is much nicer than Python and quite similar to IDC.

I am installing it now; hopefully it works great for me. Coding unpackers or bypassers or helper functions in JS seems quite good.

Friday, 11 October 2013

node.js Load and execute code at runtime

This is useful when you have scripts you want to reload and execute at runtime.

var fs = require('fs');

function LoadJS(file, callback) {
    console.log('Trying to load: ' + file);
    fs.readFile(file, function (err, data) {
        if (err) {
            if (callback) callback(err, file);
            return;
        }
        try {
            eval(data.toString());   // run the file's contents
        } catch (exception) {
            console.log('Error loading ' + file, exception);
            if (callback) callback(exception, file);
            return;
        }
        if (callback) callback(null, file);
    });
}

Remember that the contents of eval will be executed in global scope.
If you were using it through an object like

this.LoadJS = function(file, callback) { ...

then beforehand you could do something like this:

var Something = this;

and in the JS file you load, refer to Something.<whatever you want>.

Thursday, 3 October 2013

Using VirtualBox to emulate a physical / real hard drive.

I recently set up a new computer to use at work and moved the hard drive from my old one, with Windows 8 on it, across. I decided to try to boot it from VirtualBox rather than having to dual boot when I needed to work on Windows software. *using it for Windows Phone 8 development*

Turns out it's possible.

An awesome guide here.

Windows 8 will notice your hardware is different and you will need to repair the bootloader and OS with the install CD.

Just use these commands which I found out about here: http://www.tweakhound.com/2012/11/13/how-to-fix-the-windows-bootloader/

bootrec /fixmbr (writes the MBR but does not overwrite the partition table)
bootrec /fixboot (writes a new boot sector to the system partition)

Then you will be able to use Windows 8 from your operating system; in my case Linux Mint 15 Cinnamon.