Examples | Random things with strings
Ali Rizvi-Santiago edited this page Mar 10, 2023 · 5 revisions
Sometimes you want all the strings used as a parameter to some function call.
```python
ea = ins.op_ref(0)                      # wanted references to the call instruction i have highlighted
func.arg(ea, 1, 'const char*')          # make sure the function has its arg typed

for ref in func.up(ins.op_ref(0)):
    ea = func.x.arg(ref, 1)             # 2nd arg
    if isinstance(ins.op(ea, 0), int):  # only care about ints (which could be a reference)
        target = ins.op_ref(ea, 0)      # hopefully its a "push XXX"
        if str in db.get.type(target):  # if it's a string (pythonic)
            s = db.get.string(target)   # save it
        else:                           # if it isn't
            db.set.undefine(target)     # get rid of whatever it is
            s = db.set.string(target)   # make it a string (and return it)
        print('found:', s)              # print it
    else:
        print('not sure what this is:', db.disasm(ea))
    continue

# or do it (poorly) in 2 lines
for ref in func.up(ins.op_ref(0)):
    print(db.get(ins.op_ref(func.x.args(ref)[1], 0)) if isinstance(ins.op(func.x.args(ref)[1],0),int) else 'no '+db.disasm(ref))
```
Or if you're a psycho, you can combine `map` with function composition, `itertools.chain`, and `functools.partial`. In this line, the secret is `ins.ops_immediate`, which returns an `opref_t` for every immediate in an instruction's operands. Afterwards it's just chaining the results together and joining them with a newline.
```python
print('\n'.join(map(fcompose(ins.op_ref, db.get), ichain(*map(fcompose(fpartial(func.x.arg, 1), ins.ops_constant), func.up(ins.op_ref(0)))))))

func.up(ins.op_ref(ea, 0))                            # return all calls to the function being called (operand #0)
fcompose(fpartial(func.x.arg, 1), ins.ops_immediate)  # return instruction address of parameter #1, convert that to an opref_t for every immediate operand
fcompose(ins.op_ref, db.get)                          # return target of opref_t, get whatever is at the address that's returned
```
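The data flow of that one-liner can be followed without IDA. This is an added example, not ida-minsc code and not from the page's author: `fcompose` is reimplemented here on the assumption, taken from the comments above, that it applies its functions left to right, and every other function, address and string is a constructed stand-in.

```python
from functools import partial, reduce
from itertools import chain

# Constructed sample data standing in for an IDA database (not ida-minsc).
CALLS = [0x401000, 0x401020, 0x401040]            # call sites of one function
ARG_INSN = {(0x401000, 1): 0x400ffb,              # (call, arg index) -> address of
            (0x401020, 1): 0x40101b,              # the instruction that sets it
            (0x401040, 1): 0x40103b}
IMMEDIATES = {0x400ffb: {0: 0x404000},            # insn -> {operand: immediate}
              0x40103b: {0: 0x404010}}            # 0x40101b pushes a register
STRINGS = {0x404000: "open %s failed", 0x404010: "bad header"}

def fcompose(*functions):
    """Left-to-right composition: fcompose(f, g)(x) == g(f(x))."""
    return lambda value: reduce(lambda acc, f: f(acc), functions, value)

# Hypothetical stand-ins for the lookups the one-liner performs.
def arg_instruction(call, index):
    return ARG_INSN[call, index]

def immediate_operands(insn):
    """One (insn, operand) pair per immediate operand; none for a register."""
    return [(insn, opnum) for opnum in IMMEDIATES.get(insn, {})]

def operand_target(opref):
    insn, opnum = opref
    return IMMEDIATES[insn][opnum]

def read_string(address):
    return STRINGS[address]

def strings_composed():
    """Same shape as the one-liner: map, chain, map."""
    per_call = fcompose(partial(arg_instruction, index=1), immediate_operands)
    resolve = fcompose(operand_target, read_string)
    return list(map(resolve, chain(*map(per_call, CALLS))))

def strings_unrolled():
    """The identical walk written as plain loops."""
    found = []
    for call in CALLS:
        for opref in immediate_operands(arg_instruction(call, 1)):
            found.append(read_string(operand_target(opref)))
    return found

if __name__ == "__main__":
    print("\n".join(strings_composed()))
```

The call whose argument is pushed from a register has no immediate operand, so it drops out of the chained result silently, whereas the longer loop reports it in its `else` branch.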