IDA Script

1. Dump memory

Script (IDC):

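// Dump a fixed range of the debuggee's memory to a file, one byte at a time.
// begin/end are hard-coded for the session in which this was written; both
// (and the output path) must be adjusted before reuse.
static main(void)
{
  auto fp, begin, end, dexbyte;
  fp = fopen("d:/test.so", "wb");
  if (fp == 0)
  {
    // fopen() yields 0 when the output path cannot be created; stop here
    // rather than calling fputc() on an invalid handle.
    msg("cannot open output file\n");
    return;
  }
  begin = 0xC006889B80;
  end = begin + 0x3b4;                     // the original line lacked the ';'
  for (dexbyte = begin; dexbyte < end; dexbyte++)
      fputc(Byte(dexbyte), fp);
  fclose(fp);                              // the original never closed the handle
}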

2. Read registers (conditional breakpoint + Python)

import ida_dbg
import idc
import re

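# Conditional-breakpoint snippet: dump the YAML document the debuggee is
# currently handling to e:\store\<name>.yaml, appending to any earlier dump.
# Register assumption inherited from the author: RAX = buffer address,
# RBX = buffer length -- confirm against the calling convention of the hooked
# function before relying on it.
str_addr = ida_dbg.get_reg_val("RAX")
str_len = ida_dbg.get_reg_val("RBX")
raw = idc.read_dbg_memory(str_addr, str_len)
if raw is None:
    # read_dbg_memory returns None when the range is not readable (confirm for
    # your IDA version); the original would then fail inside .decode() with an
    # unhelpful AttributeError.
    raise RuntimeError(
        "cannot read {:#x} (+{:#x}) from the debuggee".format(str_addr, str_len)
    )

# The decoded text is only used to pick a file name, so decode leniently: a
# stray non-UTF-8 byte must not abort the dump.  The file itself receives the
# raw bytes unchanged.
yaml_content = raw.decode("utf-8", errors="replace")

NAME_PREFIX = "name: "
name = None
for line in yaml_content.splitlines():
    if line.startswith(NAME_PREFIX):
        # The original sliced at [7:] although the prefix is 6 characters,
        # silently dropping the first character of every name.
        name = line[len(NAME_PREFIX):].strip()
        break
if not name:
    name = "unknown"

print("dump yaml {}".format(name))

# The name originates in debuggee memory -- untrusted input that ends up in a
# file path.  Keep only a conservative character set (no separators, dots or
# whitespace), bound its length, and fall back to "unknown" if nothing remains.
name = re.sub(r'[^a-zA-Z0-9\-_]', "", name)[:128] or "unknown"

# "ab+" appends, so repeated hits of the breakpoint accumulate documents
# separated by blank lines.  The directory e:\store must already exist.
with open("e:\\store\\{}.yaml".format(name), "ab+") as file:
    file.write(raw)
    file.write(b"\n\n\n")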
