x64_helper.py
# x64 abi fast calling convention
# http://msdn.microsoft.com/en-us/library/ms235286.aspx
#
from idautils import *
from idc import *
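def get_register_index(regs, reg):
    """Return the key of *regs* that names the register written as *reg*.

    *regs* is a dict keyed by the 16-bit stem of a tracked register
    ("di", "cx", "r8", ...).  *reg* is operand text as printed in the
    disassembly ("rdi", "ecx", "r8d", "dl", ...).

    A key matches when the operand text ends with it, which covers the
    16/32/64-bit spellings of the legacy registers ("di", "edi", "rdi").
    Suffix matching alone misses two families of sub-registers, so they are
    resolved explicitly afterwards:

    * the low-byte names "dil", "sil", "dl", "cl";
    * the width-suffixed views of the numbered registers ("r8d", "r8w",
      "r8b", ...), which put the width *after* the stem.

    Returns None when the operand is not a tracked register (for example a
    memory operand or an untracked register).
    """
    # Primary rule, unchanged from the original behaviour: suffix match.
    for key in regs:
        if reg.endswith(key):
            return key

    # Fallback for sub-register spellings that do not end with the stem.
    low_byte_views = {"dil": "di", "sil": "si", "dl": "dx", "cl": "cx"}
    stem = low_byte_views.get(reg)
    if (
        stem is None
        and reg[:1] == "r"
        and reg[-1:] in ("d", "w", "b")
        and reg[1:-1].isdigit()
    ):
        # "r8d" -> "r8", "r9b" -> "r9"
        stem = reg[:-1]

    if stem is not None and stem in regs:
        return stem
    return None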
def dereference_register(ea, reg):
    """Forward to idc's GetReg(ea, reg) and hand back whatever it returns.

    NOTE(review): in IDAPython, GetReg reports the value of a *segment*
    register at an address, not the contents of a general-purpose register.
    Confirm the name matches the intent.  Nothing in the visible script calls
    this helper.
    """
    value = GetReg(ea, reg)
    return value
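# Annotate every function in the segment under the cursor with pseudo-code
# comments: tracked register loads, xor results, and a guessed argument list
# at each call site.
#
# Limits of the heuristic, worth keeping in mind when reading the output:
#   * It is a single linear pass over each function's items and does not
#     follow control flow, so a value loaded on one path can be attributed to
#     a call on another path.
#   * Only "mov" and the "xor reg, reg" zeroing idiom update the tracked
#     state; other instructions that write an argument register (lea, pop,
#     arithmetic, ...) leave a stale value behind.
#   * The tracked registers are listed in System V AMD64 integer-argument
#     order (rdi, rsi, rdx, rcx, r8, r9).  The Microsoft x64 convention linked
#     in the file header passes integer arguments in rcx, rdx, r8, r9 only, so
#     on Windows targets the di/si slots are not arguments.
#   * NOTE(review): MakeComm is expected to replace an existing regular
#     comment at the address, so analyst notes on call/mov/xor/cmps lines may
#     be overwritten. Confirm before running this on an annotated database.
# Treat the generated argument lists as hints to verify, not as recovered
# prototypes.
ARG_REGS = ("di", "si", "dx", "cx", "r8", "r9")

ea = here()
for func in Functions(SegStart(ea), SegEnd(ea)):
    # Fresh state per function: nothing is assumed about registers on entry.
    regs = dict.fromkeys(ARG_REGS)

    for item in list(FuncItems(func)):
        mnem = GetMnem(item)

        if mnem == "call":
            called_funcname = GetOpnd(item, 0)
            # Walk ARG_REGS rather than the dict so the arguments are always
            # printed in calling-convention order; plain dict iteration order
            # is arbitrary on older Python versions.
            pending = [regs[r] for r in ARG_REGS if regs[r] is not None]
            # The call consumes the recorded values; start clean for the next.
            for r in ARG_REGS:
                regs[r] = None
            MakeComm(item, "%s ( %s )" % (called_funcname, ", ".join(pending)))

        elif mnem == "mov":
            dst = GetOpnd(item, 0)
            src = GetOpnd(item, 1)
            idx = get_register_index(regs, dst)
            if idx is None:
                # Destination is not a tracked argument register.
                continue
            regs[idx] = src
            MakeComm(item, "$%s = %s;" % (dst, src))

        elif mnem == "xor":
            dst = GetOpnd(item, 0)
            src = GetOpnd(item, 1)
            if dst != src:
                MakeComm(item, "$%s = %s ^ %s;" % (dst, dst, src))
            else:
                # "xor reg, reg" zeroes the register; record that so a zero
                # argument shows up at the next call instead of being dropped
                # or replaced by an older value.
                idx = get_register_index(regs, dst)
                if idx is not None:
                    regs[idx] = "0"
                MakeComm(item, "$%s = 0;" % (dst))

        elif mnem == "cmps":
            # Labelled strcmp as a guess: a string compare driven by di/si
            # with cx as the count.  Untracked registers print as "None".
            args = "%s, %s, %s" % (regs["di"], regs["si"], regs["cx"])
            MakeComm(item, "strcmp( %s )" % args)

# Redraw once after all comments have been written.
Refresh()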