From 575b63f4affbffc10389ad16569df0ba42d279f3 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 6 Nov 2025 17:54:22 +0000
Subject: [PATCH 01/10] Add IDC scripts for IDA Pro 7.7 wchar_t* breakpoint debugging
- ida_breakpoint_map_publish.idc: Conditional breakpoint that stops when Source parameter contains "map_publish"
- ida_trace_all_calls.idc: Trace mode that logs all calls to sub_7C687790 without stopping
Both scripts handle __thiscall convention (ECX=this, Source at [ESP+4]) and properly read wchar_t* strings.
---
ida_breakpoint_map_publish.idc | 104 +++++++++++++++++++++++++++++++++
ida_trace_all_calls.idc | 74 +++++++++++++++++++++++
2 files changed, 178 insertions(+)
create mode 100644 ida_breakpoint_map_publish.idc
create mode 100644 ida_trace_all_calls.idc
diff --git a/ida_breakpoint_map_publish.idc b/ida_breakpoint_map_publish.idc
new file mode 100644
index 0000000..af87cf8
--- /dev/null
+++ b/ida_breakpoint_map_publish.idc
@@ -0,0 +1,104 @@
+#include
+
+// ============================================================================
+// IDC Script: Conditional Breakpoint for wchar_t* containing "map_publish"
+// Function: sub_7C687790(_DWORD *this, wchar_t *Source, struct_a3 *a3, int a4)
+// Convention: __thiscall (ECX = this, Source at [ESP+4])
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+ auto wstr = "";
+ auto i = 0;
+
+ // Đọc wide string (mỗi wchar_t = 2 bytes)
+ while (i < max_len) {
+ auto wchar = Word(addr + i * 2);
+ if (wchar == 0) break; // NULL terminator
+
+ // Chỉ lấy ký tự ASCII printable
+ if (wchar >= 0x20 && wchar < 0x7F) {
+ wstr = wstr + form("%c", wchar);
+ } else {
+ wstr = wstr + "?";
+ }
+ i++;
+ }
+
+ return wstr;
+}
+
+static check_map_publish() {
+ auto esp = get_reg_value("ESP");
+ auto ecx = get_reg_value("ECX");
+
+ // Đọc parameters từ stack
+ auto source_ptr = Dword(esp + 4); // Source parameter
+ auto a3_ptr = Dword(esp + 8); // a3 parameter
+ auto a4_val = Dword(esp + 12); // a4 parameter
+
+ // Validate pointer
+ if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) {
+ return 0;
+ }
+
+ // Đọc wide string từ Source
+ auto wstr = read_wchar_string(source_ptr, 200);
+
+ // Check nếu chứa "map_publish"
+ if (strstr(wstr, "map_publish") != -1) {
+ Message("\n");
+ Message("========================================\n");
+ Message("[!!!] BREAKPOINT HIT - map_publish FOUND!\n");
+ Message("========================================\n");
+ Message("Function : sub_7C687790\n");
+ Message("EIP : 0x%08X\n", get_reg_value("EIP"));
+ Message("this : 0x%08X (ECX)\n", ecx);
+ Message("Source : 0x%08X\n", source_ptr);
+ Message(" -> \"%s\"\n", wstr);
+ Message("a3 : 0x%08X\n", a3_ptr);
+ Message("a4 : 0x%08X\n", a4_val);
+ Message("========================================\n");
+ Message("\n");
+
+ return 1; // Dừng lại tại breakpoint
+ }
+
+ return 0; // Tiếp tục execution
+}
+
+static main() {
+ auto func_addr;
+
+ // Thử lấy địa chỉ từ tên function
+ func_addr = get_name_ea_simple("sub_7C687790");
+
+ // Nếu không tìm thấy, dùng địa chỉ cố định
+ if (func_addr == BADADDR) {
+ func_addr = 0x7C687790;
+ Message("Warning: Using hardcoded address 0x7C687790\n");
+ Message("If breakpoint doesn't work, update func_addr in script\n");
+ }
+
+ // Xóa breakpoint cũ nếu có
+ del_bpt(func_addr);
+
+ // Set breakpoint mới
+ if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+ // Set condition
+ SetBptCnd(func_addr, "check_map_publish()");
+
+ Message("\n");
+ Message("========================================\n");
+ Message("Breakpoint Setup Complete!\n");
+ Message("========================================\n");
+ Message("Function : sub_7C687790\n");
+ Message("Address : 0x%08X\n", func_addr);
+ Message("Condition : Source contains 'map_publish'\n");
+ Message("========================================\n");
+ Message("\nStart debugging (F9). Breakpoint will trigger when\n");
+ Message("Source parameter contains 'map_publish'\n\n");
+ } else {
+ Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr);
+ Message("Make sure the address is correct and debugger is attached\n");
+ }
+}
diff --git a/ida_trace_all_calls.idc b/ida_trace_all_calls.idc
new file mode 100644
index 0000000..afc7b52
--- /dev/null
+++ b/ida_trace_all_calls.idc
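Review bot: In `main` of ida_breakpoint_map_publish.idc, the `BADADDR` fallback assigns the same address that the name `sub_7C687790` already encodes, so it cannot recover from the case it is meant for. IDA's auto-generated `sub_` names are derived from the address, so if the module is loaded at a different base (ASLR or a manual rebase) the name lookup will likely fail and the hard-coded `0x7C687790` will be stale; a software breakpoint placed there may land in unrelated bytes. Give the function a stable user-defined name in the database and stop on failure instead, e.g. `if (func_addr == BADADDR) { Message("Error: target function not found (module rebased?)\n"); return; }`. The same fallback appears in `main` of ida_trace_all_calls.idc, ida_log_all_params.idc and ida_log_source_7C67BA10.idc.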
@@ -0,0 +1,74 @@
+#include
+
+// ============================================================================
+// IDC Script: Trace ALL calls to sub_7C687790 and log Source parameter
+// Useful for debugging when you want to see all values
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+ auto wstr = "";
+ auto i = 0;
+
+ while (i < max_len) {
+ auto wchar = Word(addr + i * 2);
+ if (wchar == 0) break;
+
+ if (wchar >= 0x20 && wchar < 0x7F) {
+ wstr = wstr + form("%c", wchar);
+ } else {
+ wstr = wstr + "?";
+ }
+ i++;
+ }
+
+ return wstr;
+}
+
+static trace_all_calls() {
+ auto esp = get_reg_value("ESP");
+ auto ecx = get_reg_value("ECX");
+ auto source_ptr = Dword(esp + 4);
+ auto wstr = "";
+
+ if (source_ptr != 0 && source_ptr != 0xFFFFFFFF && source_ptr != BADADDR) {
+ wstr = read_wchar_string(source_ptr, 100);
+
+ // Log tất cả các lần gọi
+ Message("sub_7C687790: this=0x%08X, Source='%s'", ecx, wstr);
+
+ // Highlight khi tìm thấy map_publish
+ if (strstr(wstr, "map_publish") != -1) {
+ Message(" <-- MATCH!");
+ }
+ Message("\n");
+ }
+
+ return 0; // Không dừng lại, chỉ trace
+}
+
+static main() {
+ auto func_addr;
+
+ func_addr = get_name_ea_simple("sub_7C687790");
+ if (func_addr == BADADDR) {
+ func_addr = 0x7C687790;
+ }
+
+ del_bpt(func_addr);
+
+ if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+ SetBptCnd(func_addr, "trace_all_calls()");
+
+ Message("\n");
+ Message("========================================\n");
+ Message("Tracing Mode Enabled\n");
+ Message("========================================\n");
+ Message("Function : sub_7C687790\n");
+ Message("Address : 0x%08X\n", func_addr);
+ Message("Mode : Log all calls (no break)\n");
+ Message("========================================\n");
+ Message("\nAll calls will be logged to Output window\n\n");
+ } else {
+ Message("Error: Failed to set breakpoint\n");
+ }
+}
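Review bot: `main` in ida_trace_all_calls.idc deletes and re-adds the breakpoint at the same address that ida_breakpoint_map_publish.idc uses, so loading one script silently replaces the other's condition and the two cannot be active together. Both files also define `main` and the same `read_wchar_string` logic; as far as I know IDC keeps compiled functions in one shared namespace, so the copy loaded last is the one a stored condition string ends up calling. State this in the header, e.g. `// NOTE: replaces any existing breakpoint/condition at sub_7C687790 (shared with ida_breakpoint_map_publish.idc)`, and consider keeping `read_wchar_string` in a single included file. This script also reads at most 100 characters where the breakpoint script reads 200, so the `MATCH` marker and the breakpoint can disagree on long strings.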
From dd11292b4273ace64cc2575803ea411d15ec6fee Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 6 Nov 2025 17:59:49 +0000
Subject: [PATCH 02/10] Add comprehensive parameter logging script for sub_7C687790
- Logs all parameters for each call: this, Source, a3, a4
- Dumps this object (vtable + first fields)
- Displays full wchar_t* Source string with escape sequences
- Dumps struct_a3 memory (first 32 bytes)
- Shows call count and return address
- Highlights when Source contains 'map_publish'
---
ida_log_all_params.idc | 174 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 174 insertions(+)
create mode 100644 ida_log_all_params.idc
diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc
new file mode 100644
index 0000000..cb47bda
--- /dev/null
+++ b/ida_log_all_params.idc
@@ -0,0 +1,174 @@
+#include
+
+// ============================================================================
+// IDC Script: Log ALL parameters for sub_7C687790
+// Function: sub_7C687790(_DWORD *this, wchar_t *Source, struct_a3 *a3, int a4)
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+ auto wstr = "";
+ auto i = 0;
+
+ if (addr == 0 || addr == 0xFFFFFFFF || addr == BADADDR) {
+ return "";
+ }
+
+ while (i < max_len) {
+ auto wchar = Word(addr + i * 2);
+ if (wchar == 0) break;
+
+ if (wchar >= 0x20 && wchar < 0x7F) {
+ wstr = wstr + form("%c", wchar);
+ } else if (wchar < 0x100) {
+ wstr = wstr + form("\\x%02X", wchar);
+ } else {
+ wstr = wstr + form("\\u%04X", wchar);
+ }
+ i++;
+ }
+
+ if (i == 0) {
+ return "";
+ }
+
+ return wstr;
+}
+
+static dump_memory(addr, size) {
+ auto i;
+ auto result = "";
+
+ if (addr == 0 || addr == 0xFFFFFFFF || addr == BADADDR) {
+ return "";
+ }
+
+ for (i = 0; i < size; i++) {
+ if (i > 0 && i % 16 == 0) {
+ result = result + "\n ";
+ }
+ result = result + form("%02X ", Byte(addr + i));
+ }
+
+ return result;
+}
+
+static dump_struct_a3(a3_ptr) {
+ if (a3_ptr == 0 || a3_ptr == 0xFFFFFFFF || a3_ptr == BADADDR) {
+ Message(" a3 : \n");
+ return;
+ }
+
+ Message(" a3 : 0x%08X\n", a3_ptr);
+
+ // Dump first 32 bytes of struct
+ Message(" +0x00 : %s\n", dump_memory(a3_ptr, 16));
+ Message(" +0x10 : %s\n", dump_memory(a3_ptr + 16, 16));
+
+ // Nếu biết structure, có thể parse chi tiết:
+ // Message(" field1 : 0x%08X\n", Dword(a3_ptr + 0));
+ // Message(" field2 : 0x%08X\n", Dword(a3_ptr + 4));
+}
+
+static dump_this_object(this_ptr) {
+ if (this_ptr == 0 || this_ptr == 0xFFFFFFFF || this_ptr == BADADDR) {
+ Message(" this : \n");
+ return;
+ }
+
+ Message(" this : 0x%08X\n", this_ptr);
+
+ // Dump vtable pointer và first few members
+ auto vtable = Dword(this_ptr);
+ Message(" vtable : 0x%08X\n", vtable);
+ Message(" +0x04 : 0x%08X\n", Dword(this_ptr + 4));
+ Message(" +0x08 : 0x%08X\n", Dword(this_ptr + 8));
+ Message(" +0x0C : 0x%08X\n", Dword(this_ptr + 12));
+}
+
+static log_all_parameters() {
+ static call_count = 0;
+ auto esp = get_reg_value("ESP");
+ auto ecx = get_reg_value("ECX");
+ auto eip = get_reg_value("EIP");
+
+ // Đọc parameters
+ auto this_ptr = ecx;
+ auto source_ptr = Dword(esp + 4);
+ auto a3_ptr = Dword(esp + 8);
+ auto a4_val = Dword(esp + 12);
+ auto ret_addr = Dword(esp);
+
+ call_count++;
+
+ // Header
+ Message("\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ Message("Call #%d to sub_7C687790\n", call_count);
+ Message("════════════════════════════════════════════════════════════════\n");
+ Message("Called from: 0x%08X\n", ret_addr);
+ Message("EIP : 0x%08X\n", eip);
+ Message("\n");
+
+ // Parameters
+ Message("Parameters:\n");
+ Message("────────────────────────────────────────────────────────────────\n");
+
+ // this pointer
+ dump_this_object(this_ptr);
+ Message("\n");
+
+ // Source (wchar_t*)
+ auto wstr = read_wchar_string(source_ptr, 200);
+ Message(" Source : 0x%08X\n", source_ptr);
+ Message(" -> \"%s\"\n", wstr);
+
+ // Highlight nếu chứa map_publish
+ if (strstr(wstr, "map_publish") != -1) {
+ Message(" >>> CONTAINS 'map_publish' <<<\n");
+ }
+ Message("\n");
+
+ // struct_a3 *a3
+ dump_struct_a3(a3_ptr);
+ Message("\n");
+
+ // int a4
+ Message(" a4 : 0x%08X (%d)\n", a4_val, a4_val);
+
+ Message("════════════════════════════════════════════════════════════════\n");
+ Message("\n");
+
+ return 0; // Không dừng lại, chỉ log
+}
+
+static main() {
+ auto func_addr;
+
+ // Tìm địa chỉ function
+ func_addr = get_name_ea_simple("sub_7C687790");
+ if (func_addr == BADADDR) {
+ func_addr = 0x7C687790;
+ Message("Warning: Using hardcoded address 0x7C687790\n");
+ }
+
+ // Xóa breakpoint cũ
+ del_bpt(func_addr);
+
+ // Set breakpoint mới
+ if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+ SetBptCnd(func_addr, "log_all_parameters()");
+
+
Message("\n"); + Message("════════════════════════════════════════════════════════════════\n"); + Message("Parameter Logging Enabled\n"); + Message("════════════════════════════════════════════════════════════════\n"); + Message("Function : sub_7C687790\n"); + Message("Address : 0x%08X\n", func_addr); + Message("Mode : Log all parameters (no break)\n"); + Message("════════════════════════════════════════════════════════════════\n"); + Message("\nAll calls will be logged with full parameter details\n"); + Message("Check Output window (View -> Open subviews -> Output window)\n\n"); + } else { + Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr); + } +} From 863b4b3ccfe82495e70f88d9f40972b5d3ffbbc1 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 6 Nov 2025 18:10:02 +0000 Subject: [PATCH 03/10] Fix IDC syntax error: move call_count to global scope --- ida_log_all_params.idc | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc index cb47bda..c7b3b15 100644 --- a/ida_log_all_params.idc +++ b/ida_log_all_params.idc @@ -5,6 +5,9 @@ // Function: sub_7C687790(_DWORD *this, wchar_t *Source, struct_a3 *a3, int a4) // ============================================================================ +// Global counter for call tracking +auto g_call_count; + static read_wchar_string(addr, max_len) { auto wstr = ""; auto i = 0; @@ -86,7 +89,6 @@ static dump_this_object(this_ptr) { } static log_all_parameters() { - static call_count = 0; auto esp = get_reg_value("ESP"); auto ecx = get_reg_value("ECX"); auto eip = get_reg_value("EIP"); 
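Review bot: `log_all_parameters` in the new ida_log_all_params.idc reads `Dword(esp)` as the return address and `Dword(esp + 4)`, `+ 8`, `+ 12` as Source, a3 and a4, which only holds while the breakpoint sits on the function's first instruction in a 32-bit process; nothing in this file states that. Add it above the function, e.g. `// Must run at function entry (before the prologue): [ESP]=return address, [ESP+4]=Source, [ESP+8]=a3, [ESP+12]=a4, ECX=this`. `dump_this_object` and `dump_struct_a3` also read 16 and 32 bytes behind pointers whose object sizes are not known from this file, so a short comment that the dump may run past the end of the object would help whoever interprets the output.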
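Review bot: The file-scope `auto g_call_count;` added near the top of ida_log_all_params.idc in PATCH 03 is unlikely to compile, because in IDC `auto` declares function-local variables and globals are declared with `extern`. Replacing the line with `extern g_call_count;` should keep the `g_call_count = 0;` in `main` and the `g_call_count++` in `log_all_parameters` (both in later hunks of this patch) working as written. A one-line comment that the counter resets each time the script is run would also be worth adding next to the declaration.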
@@ -98,12 +100,12 @@ static log_all_parameters() { auto a4_val = Dword(esp + 12); auto ret_addr = Dword(esp); - call_count++; + g_call_count++; // Header Message("\n"); Message("════════════════════════════════════════════════════════════════\n"); - Message("Call #%d to sub_7C687790\n", call_count); + Message("Call #%d to sub_7C687790\n", g_call_count); Message("════════════════════════════════════════════════════════════════\n"); Message("Called from: 0x%08X\n", ret_addr); Message("EIP : 0x%08X\n", eip); @@ -144,6 +146,9 @@ static log_all_parameters() { static main() { auto func_addr; + // Initialize global counter + g_call_count = 0; + // Tìm địa chỉ function func_addr = get_name_ea_simple("sub_7C687790"); if (func_addr == BADADDR) { From 87aad368c985f0c6d160dfaa710238003869e8bc Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 6 Nov 2025 18:12:48 +0000 Subject: [PATCH 04/10] Fix IDC syntax: remove global variable declaration --- ida_log_all_params.idc | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc index c7b3b15..ac9e73b 100644 --- a/ida_log_all_params.idc +++ b/ida_log_all_params.idc @@ -5,9 +5,6 @@ // Function: sub_7C687790(_DWORD *this, wchar_t *Source, struct_a3 *a3, int a4) // ============================================================================ -// Global counter for call tracking -auto g_call_count; - static read_wchar_string(addr, max_len) { auto wstr = ""; auto i = 0; @@ -100,12 +97,10 @@ static log_all_parameters() { auto a4_val = Dword(esp + 12); auto ret_addr = Dword(esp); - g_call_count++; - // Header Message("\n"); Message("════════════════════════════════════════════════════════════════\n"); - Message("Call #%d to sub_7C687790\n", g_call_count); + Message("Call to sub_7C687790\n"); Message("════════════════════════════════════════════════════════════════\n"); Message("Called from: 0x%08X\n", ret_addr); Message("EIP : 0x%08X\n", eip); 
@@ -146,9 +141,6 @@ static log_all_parameters() { static main() { auto func_addr; - // Initialize global counter - g_call_count = 0; - // Tìm địa chỉ function func_addr = get_name_ea_simple("sub_7C687790"); if (func_addr == BADADDR) { From 69b2e1dcf32c53f0013bd8075c19028e3b90ea01 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 6 Nov 2025 18:16:03 +0000 Subject: [PATCH 05/10] Only log when Source parameter is not NULL or empty --- ida_log_all_params.idc | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc index ac9e73b..16e9662 100644 --- a/ida_log_all_params.idc +++ b/ida_log_all_params.idc @@ -97,6 +97,19 @@ static log_all_parameters() { auto a4_val = Dword(esp + 12); auto ret_addr = Dword(esp); + // Kiểm tra Source pointer hợp lệ + if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) { + return 0; // Skip nếu Source NULL + } + + // Đọc Source string + auto wstr = read_wchar_string(source_ptr, 200); + + // Kiểm tra nếu string empty hoặc NULL + if (wstr == "" || wstr == "" || strlen(wstr) == 0) { + return 0; // Skip nếu Source empty + } + // Header Message("\n"); Message("════════════════════════════════════════════════════════════════\n"); @@ -115,7 +128,6 @@ static log_all_parameters() { Message("\n"); // Source (wchar_t*) - auto wstr = read_wchar_string(source_ptr, 200); Message(" Source : 0x%08X\n", source_ptr); Message(" -> \"%s\"\n", wstr); From bd764a371d61519905babad059e4c97896698e6c Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 6 Nov 2025 18:17:11 +0000 Subject: [PATCH 06/10] Simplify logging: print only Source parameter in single line --- ida_log_all_params.idc | 103 ++--------------------------------------- 1 file changed, 4 insertions(+), 99 deletions(-) diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc index 16e9662..4055f6b 100644 --- a/ida_log_all_params.idc +++ b/ida_log_all_params.idc 
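Review bot: With the early returns added to `log_all_parameters` in PATCH 05, a call whose Source is NULL or empty now produces no output at all, while the startup banner in `main` (outside this hunk) still announces `Log all parameters (no break)` and `All calls will be logged with full parameter details`. Someone reading the Output window would take a missing entry to mean the function was not called. Update the banner in the same commit, e.g. `Message("Mode : Log calls with non-empty Source (no break)\n");`, or print a one-line skip entry for the filtered calls.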
@@ -34,68 +34,9 @@ static read_wchar_string(addr, max_len) { return wstr; } -static dump_memory(addr, size) { - auto i; - auto result = ""; - - if (addr == 0 || addr == 0xFFFFFFFF || addr == BADADDR) { - return ""; - } - - for (i = 0; i < size; i++) { - if (i > 0 && i % 16 == 0) { - result = result + "\n "; - } - result = result + form("%02X ", Byte(addr + i)); - } - - return result; -} - -static dump_struct_a3(a3_ptr) { - if (a3_ptr == 0 || a3_ptr == 0xFFFFFFFF || a3_ptr == BADADDR) { - Message(" a3 : \n"); - return; - } - - Message(" a3 : 0x%08X\n", a3_ptr); - - // Dump first 32 bytes of struct - Message(" +0x00 : %s\n", dump_memory(a3_ptr, 16)); - Message(" +0x10 : %s\n", dump_memory(a3_ptr + 16, 16)); - - // Nếu biết structure, có thể parse chi tiết: - // Message(" field1 : 0x%08X\n", Dword(a3_ptr + 0)); - // Message(" field2 : 0x%08X\n", Dword(a3_ptr + 4)); -} - -static dump_this_object(this_ptr) { - if (this_ptr == 0 || this_ptr == 0xFFFFFFFF || this_ptr == BADADDR) { - Message(" this : \n"); - return; - } - - Message(" this : 0x%08X\n", this_ptr); - - // Dump vtable pointer và first few members - auto vtable = Dword(this_ptr); - Message(" vtable : 0x%08X\n", vtable); - Message(" +0x04 : 0x%08X\n", Dword(this_ptr + 4)); - Message(" +0x08 : 0x%08X\n", Dword(this_ptr + 8)); - Message(" +0x0C : 0x%08X\n", Dword(this_ptr + 12)); -} - static log_all_parameters() { auto esp = get_reg_value("ESP"); - auto ecx = get_reg_value("ECX"); - auto eip = get_reg_value("EIP"); - - // Đọc parameters - auto this_ptr = ecx; auto source_ptr = Dword(esp + 4); - auto a3_ptr = Dword(esp + 8); - auto a4_val = Dword(esp + 12); - auto ret_addr = Dword(esp); // Kiểm tra Source pointer hợp lệ if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) { 
@@ -110,42 +51,8 @@ static log_all_parameters() { return 0; // Skip nếu Source empty } - // Header - Message("\n"); - Message("════════════════════════════════════════════════════════════════\n"); - Message("Call to sub_7C687790\n"); - Message("════════════════════════════════════════════════════════════════\n"); - Message("Called from: 0x%08X\n", ret_addr); - Message("EIP : 0x%08X\n", eip); - Message("\n"); - - // Parameters - Message("Parameters:\n"); - Message("────────────────────────────────────────────────────────────────\n"); - - // this pointer - dump_this_object(this_ptr); - Message("\n"); - - // Source (wchar_t*) - Message(" Source : 0x%08X\n", source_ptr); - Message(" -> \"%s\"\n", wstr); - - // Highlight nếu chứa map_publish - if (strstr(wstr, "map_publish") != -1) { - Message(" >>> CONTAINS 'map_publish' <<<\n"); - } - Message("\n"); - - // struct_a3 *a3 - dump_struct_a3(a3_ptr); - Message("\n"); - - // int a4 - Message(" a4 : 0x%08X (%d)\n", a4_val, a4_val); - - Message("════════════════════════════════════════════════════════════════\n"); - Message("\n"); + // In 1 dòng duy nhất với Source + Message("Source: %s\n", wstr); return 0; // Không dừng lại, chỉ log } 
@@ -169,14 +76,12 @@ static main() { Message("\n"); Message("════════════════════════════════════════════════════════════════\n"); - Message("Parameter Logging Enabled\n"); + Message("Source Parameter Logging Enabled\n"); Message("════════════════════════════════════════════════════════════════\n"); Message("Function : sub_7C687790\n"); Message("Address : 0x%08X\n", func_addr); - Message("Mode : Log all parameters (no break)\n"); + Message("Mode : Log Source parameter only (1 line per call)\n"); Message("════════════════════════════════════════════════════════════════\n"); - Message("\nAll calls will be logged with full parameter details\n"); - Message("Check Output window (View -> Open subviews -> Output window)\n\n"); } else { Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr); } From 6e2645abb50456974e977d721c80d8ba194ecf1d Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 6 Nov 2025 18:17:51 +0000 Subject: [PATCH 07/10] Write Source parameter to D:\1.log instead of IDA output --- ida_log_all_params.idc | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc index 4055f6b..e04fbea 100644 --- a/ida_log_all_params.idc +++ b/ida_log_all_params.idc @@ -37,6 +37,7 @@ static read_wchar_string(addr, max_len) { static log_all_parameters() { auto esp = get_reg_value("ESP"); auto source_ptr = Dword(esp + 4); + auto fp; // Kiểm tra Source pointer hợp lệ if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) { @@ -51,8 +52,12 @@ static log_all_parameters() { return 0; // Skip nếu Source empty } - // In 1 dòng duy nhất với Source - Message("Source: %s\n", wstr); + // Ghi vào file D:\1.log (append mode) + fp = fopen("D:\\1.log", "a"); + if (fp != 0) { + fprintf(fp, "Source: %s\n", wstr); + fclose(fp); + } return 0; // Không dừng lại, chỉ log } 
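Review bot: In `log_all_parameters` (PATCH 07) the log destination is the literal `"D:\\1.log"`, an absolute path on a drive that may not exist on the analysis machine, and when `fopen` returns 0 the value is dropped without any message. The file is also opened and closed on every breakpoint hit, which adds file-system work to each call of the traced function. Define the path once, `#define LOG_PATH "D:\\1.log"`, use it in `fopen(LOG_PATH, "a")` and in the banner line in `main` (next hunk), and report the failure with `Message("Cannot open %s\n", LOG_PATH);`. Because the file receives strings read from the debugged process, keeping the path in one documented place also makes it easy to point it at a directory reserved for analysis output.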
@@ -80,7 +85,8 @@ static main() { Message("════════════════════════════════════════════════════════════════\n"); Message("Function : sub_7C687790\n"); Message("Address : 0x%08X\n", func_addr); - Message("Mode : Log Source parameter only (1 line per call)\n"); + Message("Output : D:\\1.log\n"); + Message("Mode : Append Source parameter (1 line per call)\n"); Message("════════════════════════════════════════════════════════════════\n"); } else { Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr); From 97827582929585755ea6dda91a62c0b9ef4bd285 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 6 Nov 2025 18:19:58 +0000 Subject: [PATCH 08/10] Add debug messages to troubleshoot file writing --- ida_log_all_params.idc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc index e04fbea..f67b33e 100644 --- a/ida_log_all_params.idc +++ b/ida_log_all_params.idc @@ -52,11 +52,17 @@ static log_all_parameters() { return 0; // Skip nếu Source empty } + // Debug: in ra IDA output + Message("Source: %s\n", wstr); + // Ghi vào file D:\1.log (append mode) fp = fopen("D:\\1.log", "a"); if (fp != 0) { fprintf(fp, "Source: %s\n", wstr); fclose(fp); + Message("[DEBUG] Wrote to D:\\1.log successfully\n"); + } else { + Message("[ERROR] Cannot open D:\\1.log for writing!\n"); } return 0; // Không dừng lại, chỉ log From 4d2f1419ccef3c778adaa194ad731044235192b3 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 6 Nov 2025 18:22:44 +0000 Subject: [PATCH 09/10] Add verbose debug logging to diagnose why no output --- ida_log_all_params.idc | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc index f67b33e..f9f3cc2 100644 --- a/ida_log_all_params.idc +++ b/ida_log_all_params.idc 
@@ -38,17 +38,24 @@ static log_all_parameters() { auto esp = get_reg_value("ESP"); auto source_ptr = Dword(esp + 4); auto fp; + auto wstr; + + // Debug: log mỗi lần function được gọi + Message("[CALL] sub_7C687790 called! ESP=0x%08X, source_ptr=0x%08X\n", esp, source_ptr); // Kiểm tra Source pointer hợp lệ if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) { + Message("[SKIP] Source pointer is NULL or invalid\n"); return 0; // Skip nếu Source NULL } // Đọc Source string - auto wstr = read_wchar_string(source_ptr, 200); + wstr = read_wchar_string(source_ptr, 200); + Message("[READ] Source string: '%s'\n", wstr); // Kiểm tra nếu string empty hoặc NULL if (wstr == "" || wstr == "" || strlen(wstr) == 0) { + Message("[SKIP] Source string is empty\n"); return 0; // Skip nếu Source empty } @@ -60,9 +67,9 @@ static log_all_parameters() { if (fp != 0) { fprintf(fp, "Source: %s\n", wstr); fclose(fp); - Message("[DEBUG] Wrote to D:\\1.log successfully\n"); + Message("[OK] Wrote to D:\\1.log\n"); } else { - Message("[ERROR] Cannot open D:\\1.log for writing!\n"); + Message("[ERROR] Cannot open D:\\1.log!\n"); } return 0; // Không dừng lại, chỉ log From a98e81598fa2a645d221d329e4072a7575709543 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 7 Nov 2025 01:34:14 +0000 Subject: [PATCH 10/10] Add IDC script to log Source parameter for sub_7C67BA10 to IDA output --- ida_log_source_7C67BA10.idc | 86 +++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 ida_log_source_7C67BA10.idc diff --git a/ida_log_source_7C67BA10.idc b/ida_log_source_7C67BA10.idc new file mode 100644 index 0000000..1f9615d --- /dev/null +++ b/ida_log_source_7C67BA10.idc 
@@ -0,0 +1,86 @@
+#include
+
+// ============================================================================
+// IDC Script: Log Source parameter for sub_7C67BA10
+// Function: sub_7C67BA10(struct _RTL_CRITICAL_SECTION *this, wchar_t *Source, struct_a3 *a3, int a4)
+// Output: IDA Output window, one line per value
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+ auto wstr = "";
+ auto i = 0;
+
+ if (addr == 0 || addr == 0xFFFFFFFF || addr == BADADDR) {
+ return "";
+ }
+
+ while (i < max_len) {
+ auto wchar = Word(addr + i * 2);
+ if (wchar == 0) break;
+
+ if (wchar >= 0x20 && wchar < 0x7F) {
+ wstr = wstr + form("%c", wchar);
+ } else if (wchar < 0x100) {
+ wstr = wstr + form("\\x%02X", wchar);
+ } else {
+ wstr = wstr + form("\\u%04X", wchar);
+ }
+ i++;
+ }
+
+ return wstr;
+}
+
+static log_source_only() {
+ auto esp = get_reg_value("ESP");
+ auto source_ptr = Dword(esp + 4);
+ auto wstr;
+
+ // Kiểm tra Source pointer hợp lệ
+ if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) {
+ return 0;
+ }
+
+ // Đọc Source string
+ wstr = read_wchar_string(source_ptr, 200);
+
+ // Kiểm tra nếu string empty
+ if (strlen(wstr) == 0) {
+ return 0;
+ }
+
+ // In chỉ giá trị, không có prefix
+ Message("%s\n", wstr);
+
+ return 0;
+}
+
+static main() {
+ auto func_addr;
+
+ // Tìm địa chỉ function
+ func_addr = get_name_ea_simple("sub_7C67BA10");
+ if (func_addr == BADADDR) {
+ func_addr = 0x7C67BA10;
+ Message("Warning: Using hardcoded address 0x7C67BA10\n");
+ }
+
+ // Xóa breakpoint cũ
+ del_bpt(func_addr);
+
+ // Set breakpoint mới
+ if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+ SetBptCnd(func_addr, "log_source_only()");
+
+ Message("\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ Message("Source Logging Enabled\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ Message("Function : sub_7C67BA10\n");
+ Message("Address : 0x%08X\n", func_addr);
+ Message("Output : IDA Output window (one value per line)\n");
+ Message("════════════════════════════════════════════════════════════════\n");
+ } else {
+ Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr);
+ }
+}
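Review bot: `read_wchar_string` in ida_log_source_7C67BA10.idc stops silently at `max_len`, so in `log_source_only` a Source longer than 200 characters is printed as if it were complete, and if the memory behind `source_ptr` holds no terminator the 200 characters are simply whatever follows. Since the line printed by `Message("%s\n", wstr)` carries no prefix or length, a reader cannot tell a cut-off value from a full one. Mark the cut inside the helper after the loop, `if (i == max_len) wstr = wstr + "...";`, and note the limit in the header comment next to `Output:`. The copies of this helper in the earlier scripts of the series share the same silent cap.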