Reverse Engineering Asked by park joh on September 30, 2021
I have code that looks like this:
byte_100031BA4 = v41;
byte_100031BA5 ^= 0x3Eu;
byte_100031BA6 ^= 0x47u;
LOBYTE(a1) = -9;
byte_100031BA7 ^= 0xF7u;
byte_100031BA8 ^= 0xA9u;
byte_100031BA9 ^= 0xE8u;
byte_100031BAA ^= 0x5Eu;
byte_100031BAB ^= 0x7Fu;
byte_100031BAC ^= 0x33u;
LOBYTE(a2) = 116;
byte_100031BAD ^= 0x74u;
byte_100031BAE ^= 0x78u;
byte_100031BAF ^= 0xFAu;
xmmword_100031B80 = (__int128)_mm_xor_ps((__m128)xmmword_100031B80, (__m128)xmmword_10002E1C0);
byte_100031B90 ^= 0x8Bu;
byte_100031B92 ^= 0xD5u;
byte_100031B93 ^= 0x53u;
byte_100031B94 ^= 0x9Bu;
byte_100031B95 ^= 0x16u;
byte_100031B96 ^= 0x18u;
I want to use IDA Python to run on each line of code and if it starts with ‘byte_’ and has ‘^=’ in it then do for me the or and show the ‘decrypted value’ in a comment.
How can I do this?
A decompiler plugin can be made to apply xor operations automatically. Please check this blog post for more info and sample code.
Answered by Igor Skochinsky on September 30, 2021
the output you posted doesn't seem to be disassembly but PseudoCode
I am not sure if you want your pseudo Code Commented or Disassembly Commented
below is an approach to Comment the Disassembly using the built-in idc on Ida Free 7
iirc you can run idc from python (ida free doesn't support either pseudo code or python so I cant be sure )
the disassembly look like this prior to using the script
.data:0000000140023898 byte_140023898 db 0
.data:0000000140023899 byte_140023899 db 0
.data:000000014002389A byte_14002389A db 0
script is along these lines entered an executed using shift+f2 or file->scriptCommand
auto addr,byteat,xorred;
addr = ask_addr(0,"enter an Address");
Message("you entered %xn",addr);
byteat = get_db_byte(addr);
Message("byte at Address is %xn",byteat);
Message("xorring byte with 0x3En");
xorred = byteat ^ 0x3e;
Message("result of xor = %xn" , xorred);
Message("Setting Commentn");
set_cmt(addr,sprintf("xorred result is %xn",xorred),0);
after execution these messages will be seen in the Output Window
you entered 140023898
byte at Address is 0
xorring byte with 0x3E
result of xor = 3e
Setting Comment
and the commented disassembly will look like
.data:0000000140023898 byte_140023898 db 0 ; xorred result is 3e
.data:0000000140023898 ;
.data:0000000140023899 byte_140023899 db 0
.data:000000014002389A byte_14002389A db 0
Answered by blabb on September 30, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP