frranck · 4kir4vjp · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025
diff --git a/ida_breakpoint_map_publish.idc b/ida_breakpoint_map_publish.idc
@@ -0,0 +1,104 @@
+#include <idc.idc>
+
+// ============================================================================
+// IDC Script: Conditional Breakpoint for wchar_t* containing "map_publish"
+// Function: sub_7C687790(_DWORD *this, wchar_t *Source, struct_a3 *a3, int a4)
+// Convention: __thiscall (ECX = this, Source at [ESP+4])
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+    auto wstr = "";
+    auto i = 0;
+
+    // Đọc wide string (mỗi wchar_t = 2 bytes)
+    while (i < max_len) {
+        auto wchar = Word(addr + i * 2);
+        if (wchar == 0) break;  // NULL terminator
+
+        // Chỉ lấy ký tự ASCII printable
+        if (wchar >= 0x20 && wchar < 0x7F) {
+            wstr = wstr + form("%c", wchar);
+        } else {
+            wstr = wstr + "?";
+        }
+        i++;
+    }
+
+    return wstr;
+}
+
+static check_map_publish() {
+    auto esp = get_reg_value("ESP");
+    auto ecx = get_reg_value("ECX");
+
+    // Đọc parameters từ stack
+    auto source_ptr = Dword(esp + 4);   // Source parameter
+    auto a3_ptr = Dword(esp + 8);       // a3 parameter
+    auto a4_val = Dword(esp + 12);      // a4 parameter
+
+    // Validate pointer
+    if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) {
+        return 0;
+    }
+
+    // Đọc wide string từ Source
+    auto wstr = read_wchar_string(source_ptr, 200);
+
+    // Check nếu chứa "map_publish"
+    if (strstr(wstr, "map_publish") != -1) {
+        Message("\n");
+        Message("========================================\n");
+        Message("[!!!] BREAKPOINT HIT - map_publish FOUND!\n");
+        Message("========================================\n");
+        Message("Function : sub_7C687790\n");
+        Message("EIP      : 0x%08X\n", get_reg_value("EIP"));
+        Message("this     : 0x%08X (ECX)\n", ecx);
+        Message("Source   : 0x%08X\n", source_ptr);
+        Message("  -> \"%s\"\n", wstr);
+        Message("a3       : 0x%08X\n", a3_ptr);
+        Message("a4       : 0x%08X\n", a4_val);
+        Message("========================================\n");
+        Message("\n");
+
+        return 1;  // Dừng lại tại breakpoint
+    }
+
+    return 0;  // Tiếp tục execution
+}
+
+static main() {
+    auto func_addr;
+
+    // Thử lấy địa chỉ từ tên function
+    func_addr = get_name_ea_simple("sub_7C687790");
+
+    // Nếu không tìm thấy, dùng địa chỉ cố định
+    if (func_addr == BADADDR) {
+        func_addr = 0x7C687790;
+        Message("Warning: Using hardcoded address 0x7C687790\n");
+        Message("If breakpoint doesn't work, update func_addr in script\n");
+    }
+
+    // Xóa breakpoint cũ nếu có
+    del_bpt(func_addr);
+
+    // Set breakpoint mới
+    if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+        // Set condition
+        SetBptCnd(func_addr, "check_map_publish()");
+
+        Message("\n");
+        Message("========================================\n");
+        Message("Breakpoint Setup Complete!\n");
+        Message("========================================\n");
+        Message("Function  : sub_7C687790\n");
+        Message("Address   : 0x%08X\n", func_addr);
+        Message("Condition : Source contains 'map_publish'\n");
+        Message("========================================\n");
+        Message("\nStart debugging (F9). Breakpoint will trigger when\n");
+        Message("Source parameter contains 'map_publish'\n\n");
+    } else {
+        Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr);
+        Message("Make sure the address is correct and debugger is attached\n");
+    }
+}
diff --git a/ida_log_all_params.idc b/ida_log_all_params.idc
@@ -0,0 +1,107 @@
+#include <idc.idc>
+
+// ============================================================================
+// IDC Script: Log ALL parameters for sub_7C687790
+// Function: sub_7C687790(_DWORD *this, wchar_t *Source, struct_a3 *a3, int a4)
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+    auto wstr = "";
+    auto i = 0;
+
+    if (addr == 0 || addr == 0xFFFFFFFF || addr == BADADDR) {
+        return "<NULL>";
+    }
+
+    while (i < max_len) {
+        auto wchar = Word(addr + i * 2);
+        if (wchar == 0) break;
+
+        if (wchar >= 0x20 && wchar < 0x7F) {
+            wstr = wstr + form("%c", wchar);
+        } else if (wchar < 0x100) {
+            wstr = wstr + form("\\x%02X", wchar);
+        } else {
+            wstr = wstr + form("\\u%04X", wchar);
+        }
+        i++;
+    }
+
+    if (i == 0) {
+        return "<empty>";
+    }
+
+    return wstr;
+}
+
+static log_all_parameters() {
+    auto esp = get_reg_value("ESP");
+    auto source_ptr = Dword(esp + 4);
+    auto fp;
+    auto wstr;
+
+    // Debug: log mỗi lần function được gọi
+    Message("[CALL] sub_7C687790 called! ESP=0x%08X, source_ptr=0x%08X\n", esp, source_ptr);
+
+    // Kiểm tra Source pointer hợp lệ
+    if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) {
+        Message("[SKIP] Source pointer is NULL or invalid\n");
+        return 0;  // Skip nếu Source NULL
+    }
+
+    // Đọc Source string
+    wstr = read_wchar_string(source_ptr, 200);
+    Message("[READ] Source string: '%s'\n", wstr);
+
+    // Kiểm tra nếu string empty hoặc NULL
+    if (wstr == "<NULL>" || wstr == "<empty>" || strlen(wstr) == 0) {
+        Message("[SKIP] Source string is empty\n");
+        return 0;  // Skip nếu Source empty
+    }
+
+    // Debug: in ra IDA output
+    Message("Source: %s\n", wstr);
+
+    // Ghi vào file D:\1.log (append mode)
+    fp = fopen("D:\\1.log", "a");
+    if (fp != 0) {
+        fprintf(fp, "Source: %s\n", wstr);
+        fclose(fp);
+        Message("[OK] Wrote to D:\\1.log\n");
+    } else {
+        Message("[ERROR] Cannot open D:\\1.log!\n");
+    }
+
+    return 0;  // Không dừng lại, chỉ log
+}
+
+static main() {
+    auto func_addr;
+
+    // Tìm địa chỉ function
+    func_addr = get_name_ea_simple("sub_7C687790");
+    if (func_addr == BADADDR) {
+        func_addr = 0x7C687790;
+        Message("Warning: Using hardcoded address 0x7C687790\n");
+    }
+
+    // Xóa breakpoint cũ
+    del_bpt(func_addr);
+
+    // Set breakpoint mới
+    if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+        SetBptCnd(func_addr, "log_all_parameters()");
+
+        Message("\n");
+        Message("════════════════════════════════════════════════════════════════\n");
+        Message("Source Parameter Logging Enabled\n");
+        Message("════════════════════════════════════════════════════════════════\n");
+        Message("Function  : sub_7C687790\n");
+        Message("Address   : 0x%08X\n", func_addr);
+        Message("Output    : D:\\1.log\n");
+        Message("Mode      : Append Source parameter (1 line per call)\n");
+        Message("════════════════════════════════════════════════════════════════\n");
+    } else {
+        Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr);
+    }
+}
diff --git a/ida_log_source_7C67BA10.idc b/ida_log_source_7C67BA10.idc
@@ -0,0 +1,86 @@
+#include <idc.idc>
+
+// ============================================================================
+// IDC Script: Log Source parameter for sub_7C67BA10
+// Function: sub_7C67BA10(struct _RTL_CRITICAL_SECTION *this, wchar_t *Source, struct_a3 *a3, int a4)
+// Output: IDA Output window, one line per value
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+    auto wstr = "";
+    auto i = 0;
+
+    if (addr == 0 || addr == 0xFFFFFFFF || addr == BADADDR) {
+        return "";
+    }
+
+    while (i < max_len) {
+        auto wchar = Word(addr + i * 2);
+        if (wchar == 0) break;
+
+        if (wchar >= 0x20 && wchar < 0x7F) {
+            wstr = wstr + form("%c", wchar);
+        } else if (wchar < 0x100) {
+            wstr = wstr + form("\\x%02X", wchar);
+        } else {
+            wstr = wstr + form("\\u%04X", wchar);
+        }
+        i++;
+    }
+
+    return wstr;
+}
+
+static log_source_only() {
+    auto esp = get_reg_value("ESP");
+    auto source_ptr = Dword(esp + 4);
+    auto wstr;
+
+    // Kiểm tra Source pointer hợp lệ
+    if (source_ptr == 0 || source_ptr == 0xFFFFFFFF || source_ptr == BADADDR) {
+        return 0;
+    }
+
+    // Đọc Source string
+    wstr = read_wchar_string(source_ptr, 200);
+
+    // Kiểm tra nếu string empty
+    if (strlen(wstr) == 0) {
+        return 0;
+    }
+
+    // In chỉ giá trị, không có prefix
+    Message("%s\n", wstr);
+
+    return 0;
+}
+
+static main() {
+    auto func_addr;
+
+    // Tìm địa chỉ function
+    func_addr = get_name_ea_simple("sub_7C67BA10");
+    if (func_addr == BADADDR) {
+        func_addr = 0x7C67BA10;
+        Message("Warning: Using hardcoded address 0x7C67BA10\n");
+    }
+
+    // Xóa breakpoint cũ
+    del_bpt(func_addr);
+
+    // Set breakpoint mới
+    if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+        SetBptCnd(func_addr, "log_source_only()");
+
+        Message("\n");
+        Message("════════════════════════════════════════════════════════════════\n");
+        Message("Source Logging Enabled\n");
+        Message("════════════════════════════════════════════════════════════════\n");
+        Message("Function  : sub_7C67BA10\n");
+        Message("Address   : 0x%08X\n", func_addr);
+        Message("Output    : IDA Output window (one value per line)\n");
+        Message("════════════════════════════════════════════════════════════════\n");
+    } else {
+        Message("Error: Failed to set breakpoint at 0x%08X\n", func_addr);
+    }
+}
diff --git a/ida_trace_all_calls.idc b/ida_trace_all_calls.idc
@@ -0,0 +1,74 @@
+#include <idc.idc>
+
+// ============================================================================
+// IDC Script: Trace ALL calls to sub_7C687790 and log Source parameter
+// Useful for debugging when you want to see all values
+// ============================================================================
+
+static read_wchar_string(addr, max_len) {
+    auto wstr = "";
+    auto i = 0;
+
+    while (i < max_len) {
+        auto wchar = Word(addr + i * 2);
+        if (wchar == 0) break;
+
+        if (wchar >= 0x20 && wchar < 0x7F) {
+            wstr = wstr + form("%c", wchar);
+        } else {
+            wstr = wstr + "?";
+        }
+        i++;
+    }
+
+    return wstr;
+}
+
+static trace_all_calls() {
+    auto esp = get_reg_value("ESP");
+    auto ecx = get_reg_value("ECX");
+    auto source_ptr = Dword(esp + 4);
+    auto wstr = "";
+
+    if (source_ptr != 0 && source_ptr != 0xFFFFFFFF && source_ptr != BADADDR) {
+        wstr = read_wchar_string(source_ptr, 100);
+
+        // Log tất cả các lần gọi
+        Message("sub_7C687790: this=0x%08X, Source='%s'", ecx, wstr);
+
+        // Highlight khi tìm thấy map_publish
+        if (strstr(wstr, "map_publish") != -1) {
+            Message(" <-- MATCH!");
+        }
+        Message("\n");
+    }
+
+    return 0;  // Không dừng lại, chỉ trace
+}
+
+static main() {
+    auto func_addr;
+
+    func_addr = get_name_ea_simple("sub_7C687790");
+    if (func_addr == BADADDR) {
+        func_addr = 0x7C687790;
+    }
+
+    del_bpt(func_addr);
+
+    if (add_bpt(func_addr, 0, BPT_SOFT) == 1) {
+        SetBptCnd(func_addr, "trace_all_calls()");
+
+        Message("\n");
+        Message("========================================\n");
+        Message("Tracing Mode Enabled\n");
+        Message("========================================\n");
+        Message("Function : sub_7C687790\n");
+        Message("Address  : 0x%08X\n", func_addr);
+        Message("Mode     : Log all calls (no break)\n");
+        Message("========================================\n");
+        Message("\nAll calls will be logged to Output window\n\n");
+    } else {
+        Message("Error: Failed to set breakpoint\n");
+    }
+}