diff --git a/ida_breakpoint_map_publish.idc b/ida_breakpoint_map_publish.idc
new file mode 100644
index 0000000..af87cf8
--- /dev/null
+++ b/ida_breakpoint_map_publish.idc
@@ -0,0 +1,104 @@
+#include
+
+// ============================================================================
+// IDC Script: Conditional Breakpoint for wchar_t* containing "map_publish"
+// Function: sub_7C687790(_DWORD *this, wchar_t *Source, struct_a3 *a3, int a4)
+// Convention: __thiscall (ECX = this, Source at [ESP+4])
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+ auto wstr = "";
+ auto i = 0;
+
+ // Đọc wide string (mỗi wchar_t = 2 bytes)
+ while (i < max_len) {
+ auto wchar = Word(addr + i * 2);
+ if (wchar == 0) break; // NULL terminator
+
+ // Chỉ lấy ký tự ASCII printable
+ if (wchar >= 0x20 && wchar < 0x7F) {
+ wstr = wstr + form("%c", wchar);
+ } else {
+ wstr = wstr + "?";
+ }
+ i++;
+ }
+
+ return wstr;
+}
+
+static check_map_publish() {
+ auto esp = get_reg_value("ESP");
+ auto ecx = get_reg_value("ECX");
+
+ // Đọc parameters từ stack
+ auto source_ptr = Dword(esp + 4); // Source parameter
+ auto a3_ptr = Dword(esp + 8); // a3 parameter
+ auto a4_val = Dword(esp + 12); // a4 parameter
+
+ // Validate pointer
+ if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) {
+ return 0;
+ }
+
+ // Đọc wide string từ Source
+ auto wstr = read_wchar_string(source_ptr, 200);
+
+ // Check nếu chứa "map_publish"
+ if (strstr(wstr, "map_publish") != -1) {
+ Message("\n");
+ Message("========================================\n");
+ Message("[!!!] 
BREAKPOINT HIT - map_publish FOUND!\n");
+ Message("========================================\n");
+ Message("Function : sub_7C687790\n");
+ Message("EIP : 0x%08X\n", get_reg_value("EIP"));
+ Message("this : 0x%08X (ECX)\n", ecx);
+ Message("Source : 0x%08X\n", source_ptr);
+ Message(" -> \"%s\"\n", wstr);
+ Message("a3 : 0x%08X\n", a3_ptr);
+ Message("a4 : 0x%08X\n", a4_val);
+ Message("========================================\n");
+ Message("\n");
+
+ return 1; // Dừng lại tại breakpoint
+ }
+
+ return 0; // Tiếp tục execution
+}
+
+static main() {
+ auto func_addr;
+
+ // Thử lấy địa chỉ từ tên function
+ func_addr = get_name_ea_simple("sub_7C687790");
+
+ // Nếu không tìm thấy, dùng địa chỉ cố định
+ if (func_addr == BADADDR) {
+ func_addr = 0x7C687790;
+ Message("Warning: Using hardcoded address 0x7C687790\n");
+ Message("If breakpoint doesn't work, update func_addr in script\n");
+ }
+
+ // Xóa breakpoint cũ nếu có
+ del_bpt(func_addr);
+
+ // Set breakpoint mới
+ if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+ // Set condition
+ SetBptCnd(func_addr, "check_map_publish()");
+
+ Message("\n");
+ Message("========================================\n");
+ Message("Breakpoint Setup Complete!\n");
+ Message("========================================\n");
+ Message("Function : sub_7C687790\n");
+ Message("Address : 0x%08X\n", func_addr);
+ Message("Condition : Source contains 'map_publish'\n");
+ Message("========================================\n");
+ Message("\nStart debugging (F9). Breakpoint will trigger when\n");
+ Message("Source parameter contains 'map_publish'\n\n");
+ } else {
+ Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr);
+ Message("Make sure the address is correct and debugger is attached\n");
+ }
+}
diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc
new file mode 100644
index 0000000..f9f3cc2
--- /dev/null
+++ b/ida_log_all_params.idc
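Review bot: The fallback in `main()` of ida_breakpoint_map_publish.idc sets a software breakpoint at the literal `0x7C687790` exactly when `get_name_ea_simple("sub_7C687790")` fails, which is the case where the database has most likely been rebased or the function renamed, so the address is least trustworthy. A soft breakpoint at a stale address patches a byte at whatever lives there in the debuggee, and `check_map_publish()` would then read `[ESP+4]` at a point that is not the function entry. I would stop instead of guessing: `Message("Error: sub_7C687790 not found, set func_addr manually\n"); return;`. The same fallback is in `main()` of ida_log_all_params.idc, ida_log_source_7C67BA10.idc (with `0x7C67BA10`) and ida_trace_all_calls.idc, and the last of these does not even print the warning.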
@@ -0,0 +1,107 @@
+#include
+
+// ============================================================================
+// IDC Script: Log ALL parameters for sub_7C687790
+// Function: sub_7C687790(_DWORD *this, wchar_t *Source, struct_a3 *a3, int a4)
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+ auto wstr = "";
+ auto i = 0;
+
+ if (addr == 0 || addr == 0xFFFFFFFF || addr == BADADDR) {
+ return "";
+ }
+
+ while (i < max_len) {
+ auto wchar = Word(addr + i * 2);
+ if (wchar == 0) break;
+
+ if (wchar >= 0x20 && wchar < 0x7F) {
+ wstr = wstr + form("%c", wchar);
+ } else if (wchar < 0x100) {
+ wstr = wstr + form("\\x%02X", wchar);
+ } else {
+ wstr = wstr + form("\\u%04X", wchar);
+ }
+ i++;
+ }
+
+ if (i == 0) {
+ return "";
+ }
+
+ return wstr;
+}
+
+static log_all_parameters() {
+ auto esp = get_reg_value("ESP");
+ auto source_ptr = Dword(esp + 4);
+ auto fp;
+ auto wstr;
+
+ // Debug: log mỗi lần function được gọi
+ Message("[CALL] sub_7C687790 called! 
ESP=0x%08X, source_ptr=0x%08X\n", esp, source_ptr);
+
+ // Kiểm tra Source pointer hợp lệ
+ if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) {
+ Message("[SKIP] Source pointer is NULL or invalid\n");
+ return 0; // Skip nếu Source NULL
+ }
+
+ // Đọc Source string
+ wstr = read_wchar_string(source_ptr, 200);
+ Message("[READ] Source string: '%s'\n", wstr);
+
+ // Kiểm tra nếu string empty hoặc NULL
+ if (wstr == "" || wstr == "" || strlen(wstr) == 0) {
+ Message("[SKIP] Source string is empty\n");
+ return 0; // Skip nếu Source empty
+ }
+
+ // Debug: in ra IDA output
+ Message("Source: %s\n", wstr);
+
+ // Ghi vào file D:\1.log (append mode)
+ fp = fopen("D:\\1.log", "a");
+ if (fp != 0) {
+ fprintf(fp, "Source: %s\n", wstr);
+ fclose(fp);
+ Message("[OK] Wrote to D:\\1.log\n");
+ } else {
+ Message("[ERROR] Cannot open D:\\1.log!\n");
+ }
+
+ return 0; // Không dừng lại, chỉ log
+}
+
+static main() {
+ auto func_addr;
+
+ // Tìm địa chỉ function
+ func_addr = get_name_ea_simple("sub_7C687790");
+ if (func_addr == BADADDR) {
+ func_addr = 0x7C687790;
+ Message("Warning: Using hardcoded address 0x7C687790\n");
+ }
+
+ // Xóa breakpoint cũ
+ del_bpt(func_addr);
+
+ // Set breakpoint mới
+ if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+ SetBptCnd(func_addr, "log_all_parameters()");
+
+ Message("\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ Message("Source Parameter Logging Enabled\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ Message("Function : sub_7C687790\n");
+ Message("Address : 0x%08X\n", func_addr);
+ Message("Output : D:\\1.log\n");
+ Message("Mode : Append Source parameter (1 line per call)\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ } else {
+ Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr);
+ }
+}
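Review bot: `read_wchar_string` in ida_log_all_params.idc escapes control and non-ASCII characters but lets the backslash (0x5C) through the printable branch, so in `D:\1.log` a Source that literally contains the text `\x0A` cannot be told apart from an escaped newline. Since the strings come from the debugged process, I would make the encoding unambiguous by handling the backslash first: `if (wchar == 0x5C) { wstr = wstr + "\\\\"; } else if (wchar >= 0x20 && wchar < 0x7F) {`. The reader also stops silently at `max_len` (200 here), so a marker such as `if (i == max_len) wstr = wstr + "...";` before the final return would show that a logged value was cut. The same escaping reader is copied into ida_log_source_7C67BA10.idc.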
diff --git a/ida_log_source_7C67BA10.idc b/ida_log_source_7C67BA10.idc
new file mode 100644
index 0000000..1f9615d
--- /dev/null
+++ b/ida_log_source_7C67BA10.idc
@@ -0,0 +1,86 @@
+#include
+
+// ============================================================================
+// IDC Script: Log Source parameter for sub_7C67BA10
+// Function: sub_7C67BA10(struct _RTL_CRITICAL_SECTION *this, wchar_t *Source, struct_a3 *a3, int a4)
+// Output: IDA Output window, one line per value
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+ auto wstr = "";
+ auto i = 0;
+
+ if (addr == 0 || addr == 0xFFFFFFFF || addr == BADADDR) {
+ return "";
+ }
+
+ while (i < max_len) {
+ auto wchar = Word(addr + i * 2);
+ if (wchar == 0) break;
+
+ if (wchar >= 0x20 && wchar < 0x7F) {
+ wstr = wstr + form("%c", wchar);
+ } else if (wchar < 0x100) {
+ wstr = wstr + form("\\x%02X", wchar);
+ } else {
+ wstr = wstr + form("\\u%04X", wchar);
+ }
+ i++;
+ }
+
+ return wstr;
+}
+
+static log_source_only() {
+ auto esp = get_reg_value("ESP");
+ auto source_ptr = Dword(esp + 4);
+ auto wstr;
+
+ // Kiểm tra Source pointer hợp lệ
+ if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) {
+ return 0;
+ }
+
+ // Đọc Source string
+ wstr = read_wchar_string(source_ptr, 200);
+
+ // Kiểm tra nếu string empty
+ if (strlen(wstr) == 0) {
+ return 0;
+ }
+
+ // In chỉ giá trị, không có prefix
+ Message("%s\n", wstr);
+
+ return 0;
+}
+
+static main() {
+ auto func_addr;
+
+ // Tìm địa chỉ function
+ func_addr = get_name_ea_simple("sub_7C67BA10");
+ if (func_addr == BADADDR) {
+ func_addr = 0x7C67BA10;
+ Message("Warning: Using hardcoded address 0x7C67BA10\n");
+ }
+
+ // Xóa breakpoint cũ
+ del_bpt(func_addr);
+
+ // Set breakpoint mới
+ if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+ SetBptCnd(func_addr, "log_source_only()");
+
+ Message("\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ Message("Source Logging Enabled\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ Message("Function : 
sub_7C67BA10\n");
+ Message("Address : 0x%08X\n", func_addr);
+ Message("Output : IDA Output window (one value per line)\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ } else {
+ Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr);
+ }
+}
diff --git a/ida_trace_all_calls.idc b/ida_trace_all_calls.idc
new file mode 100644
index 0000000..afc7b52
--- /dev/null
+++ b/ida_trace_all_calls.idc
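Review bot: `log_source_only()` in ida_log_source_7C67BA10.idc reads Source from `Dword(esp + 4)`, but the file header never says why that offset is right; it omits the convention line that ida_breakpoint_map_publish.idc carries. Assuming sub_7C67BA10 is __thiscall like sub_7C687790 (the `this` first parameter suggests it, to be confirmed in the disassembly), I would add `// Convention: __thiscall (ECX = this, Source at [ESP+4] on entry)` to the header. Above the read I would add `// Valid only while the breakpoint sits on the first instruction, before the prologue moves ESP`, so the condition is not reused on a breakpoint placed elsewhere in the function.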
@@ -0,0 +1,74 @@
+#include
+
+// ============================================================================
+// IDC Script: Trace ALL calls to sub_7C687790 and log Source parameter
+// Useful for debugging when you want to see all values
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+ auto wstr = "";
+ auto i = 0;
+
+ while (i < max_len) {
+ auto wchar = Word(addr + i * 2);
+ if (wchar == 0) break;
+
+ if (wchar >= 0x20 && wchar < 0x7F) {
+ wstr = wstr + form("%c", wchar);
+ } else {
+ wstr = wstr + "?";
+ }
+ i++;
+ }
+
+ return wstr;
+}
+
+static trace_all_calls() {
+ auto esp = get_reg_value("ESP");
+ auto ecx = get_reg_value("ECX");
+ auto source_ptr = Dword(esp + 4);
+ auto wstr = "";
+
+ if (source_ptr != 0 && source_ptr != 0xFFFFFFFF && source_ptr != BADADDR) {
+ wstr = read_wchar_string(source_ptr, 100);
+
+ // Log tất cả các lần gọi
+ Message("sub_7C687790: this=0x%08X, Source='%s'", ecx, wstr);
+
+ // Highlight khi tìm thấy map_publish
+ if (strstr(wstr, "map_publish") != -1) {
+ Message(" <-- MATCH!");
+ }
+ Message("\n");
+ }
+
+ return 0; // Không dừng lại, chỉ trace
+}
+
+static main() {
+ auto func_addr;
+
+ func_addr = get_name_ea_simple("sub_7C687790");
+ if (func_addr == BADADDR) {
+ func_addr = 0x7C687790;
+ }
+
+ del_bpt(func_addr);
+
+ if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+ SetBptCnd(func_addr, "trace_all_calls()");
+
+ Message("\n");
+ Message("========================================\n");
+ Message("Tracing Mode Enabled\n");
+ Message("========================================\n");
+ Message("Function : sub_7C687790\n");
+ Message("Address : 0x%08X\n", func_addr);
+ Message("Mode : Log all calls (no break)\n");
+ Message("========================================\n");
+ Message("\nAll calls will be logged to Output window\n\n");
+ } else {
+ Message("Error: Failed to set breakpoint\n");
+ }
+}
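Review bot: `trace_all_calls()` reads at most 100 characters (`read_wchar_string(source_ptr, 100)`) while `check_map_publish()` in ida_breakpoint_map_publish.idc reads 200, so the `<-- MATCH!` marker can miss a Source whose `map_publish` lies past character 100 although the conditional breakpoint would stop on it. I would use the same bound, `wstr = read_wchar_string(source_ptr, 200);`. This is also the fourth copy of `read_wchar_string` in the commit, in two variants (`?` replacement here, `\x`/`\u` escapes in the logging scripts); moving one version into a shared include file would keep the scripts from drifting further apart.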