爲了自動到被調試點,不用每次手動跟過去,所以使用腳本,下面是使用例子,以後的改改就好
// @file oci_test_on_vs2010.idc
// @brief debug for oci_test_on_vs2010.exe
#include <idc.idc>
#define PROG_FOR_DEBUG "oci_test_on_vs2010.exe"
#define MY_IDC_VER "IDC for " PROG_FOR_DEBUG " v1.0.0.1"
#define LINE_80 "--------------------------------------------------------------------------------"
#define MY_CONDITION_FOR_STARTING_THE_IDC "use ida load object program\n" \
"clear all breakpoint\n" \
"make sure F2 break on do_oci_task() :: OCIStmtExecute()\n" \
"F9 run program\n" \
"F7 into OCIStmtExecute_0 proc near\n" \
"F8 step to \"jmp cs:__imp_OCIStmtExecute\"\n" \
"F2 breakpoint on \"jmp cs:__imp_OCIStmtExecute\"\n" \
"then load oci_test_on_vs2010.idc"
/*
.text:00007FF778194D6A OCIStmtExecute_0 proc near ; CODE XREF: do_oci_task(OCIEnv *,OCIServer *,OCIError *,OCISvcCtx *,OCISession *)+213↑p
.text:00007FF778194D6A jmp cs:__imp_OCIStmtExecute // when run here, can load oci_test_on_vs2010.idc
.text:00007FF778194D6A OCIStmtExecute_0 endp
*/
#define REG_IP "RIP"
// helper functions must be declared before main()
static fn_show_offset_addr(str_tip, ull_addr_now, ull_addr_offset)
{
    // Resolve an address relative to the current one, print it next to a
    // caller-supplied label, and hand it back so the caller can put a
    // breakpoint on it.
    //   str_tip         - free-text label printed beside the address
    //   ull_addr_now    - base address (the callers pass the current RIP)
    //   ull_addr_offset - displacement added to the base
    // Returns ull_addr_now + ull_addr_offset.
    auto ull_target;

    ull_target = ull_addr_offset + ull_addr_now;
    msg("offset addr 0x%X : %s\r\n", ull_target, str_tip);
    return ull_target;
}
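static fn_f7()
{
    // Step into the instruction at RIP (the F7 key) and block until the
    // debugger reports the next event; -1 means wait without timeout.
    // Returns the event code from wait_for_next_event() so a caller can
    // tell whether the debuggee actually suspended again or terminated
    // instead of blindly continuing with the next step.
    auto ev_code;

    StepInto();
    ev_code = wait_for_next_event(WFNE_SUSP | WFNE_CONT, -1);
    return ev_code;
}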
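static fn_f8()
{
    // Step over the instruction at RIP (the F8 key) and block until the
    // debugger reports the next event; -1 means wait without timeout.
    // Returns the event code from wait_for_next_event() so a caller can
    // check that the debuggee suspended again rather than exited.
    auto ev_code;

    StepOver();
    ev_code = wait_for_next_event(WFNE_SUSP | WFNE_CONT, -1);
    return ev_code;
}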
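static fn_go()
{
    // Resume the suspended debuggee (WFNE_CONT) and block until it suspends
    // again (WFNE_SUSP), normally at a breakpoint placed by the caller.
    // Returns the event code from wait_for_next_event(); the caller should
    // not assume the stop was its breakpoint (the process may have exited
    // or stopped for another reason).
    auto ev_code;

    ev_code = wait_for_next_event(WFNE_SUSP | WFNE_CONT, -1);
    return ev_code;
}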
static fn_show_current_line_info()
{
    // Print a separator line followed by
    // "<address> : <symbol name> :: <disassembly>" for the instruction the
    // debuggee is currently stopped at.
    auto ea_here;

    ea_here = GetRegValue(REG_IP);
    msg("%s\n", LINE_80);
    msg("0x%X : %s :: %s\n",
        ea_here,
        Name(ea_here),
        generate_disasm_line(ea_here, GENDSM_FORCE_CODE));
}
static fn_get_current_dasm_code()
{
    // Return the disassembly text of the instruction at the current RIP,
    // rendered as code even if IDA has not marked the bytes as code yet.
    return generate_disasm_line(GetRegValue(REG_IP), GENDSM_FORCE_CODE);
}
static fn_get_current_addr()
{
    // Return the current instruction pointer of the suspended debuggee.
    return GetRegValue(REG_IP);
}
static fn_show_help()
{
    // Push earlier output out of view with 25 blank lines, then print the
    // banner: script version, target program and the preconditions the
    // script relies on (MY_CONDITION_FOR_STARTING_THE_IDC).
    auto i_blank;

    i_blank = 25;
    while (i_blank > 0) {
        msg("\n");
        i_blank--;
    }
    msg("%s\n", LINE_80);
    msg("%s\n", MY_IDC_VER);
    msg("debug for %s\n", PROG_FOR_DEBUG);
    msg("%s\n", MY_CONDITION_FOR_STARTING_THE_IDC);
    msg("%s\n", LINE_80);
}
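static fn_add_bp(l_addr)
{
    // Set a software breakpoint at l_addr.
    // Returns the result of add_bpt() so a caller can detect that the
    // breakpoint could not be placed (otherwise a later "go" never stops).
    return add_bpt(l_addr);
}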
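static fn_remove_bp(l_addr)
{
    // Delete the breakpoint at l_addr.
    // Returns the result of del_bpt() so a caller can notice a stale
    // breakpoint that was not removed.
    return del_bpt(l_addr);
}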
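// Run the debuggee from where it is stopped to one call site.
//   str_tip  - label printed by fn_show_offset_addr()
//   l_base   - base address the offset is applied to
//   l_offset - displacement from l_base to the call site
// Places a temporary breakpoint at l_base + l_offset, resumes until the
// debuggee suspends, and removes the breakpoint again.
// Returns the breakpoint address so the caller can reuse it.
static fn_run_to_offset(str_tip, l_base, l_offset)
{
    auto l_target;

    l_target = fn_show_offset_addr(str_tip, l_base, l_offset);
    fn_add_bp(l_target);
    fn_go();
    fn_remove_bp(l_target);
    return l_target;
}

// One hop of the call chain: run to RIP + l_offset, step into the call
// located there and print where execution landed.
static fn_hop_into_call(str_tip, l_offset)
{
    fn_run_to_offset(str_tip, fn_get_current_addr(), l_offset);
    fn_f7();
    fn_show_current_line_info();
}

static main()
{
    // Walk the debuggee, call by call, from the OCIStmtExecute import thunk
    // down to the network send/receive routines in oran11.dll and leave
    // breakpoints there. All offsets are relative to the current RIP at
    // each step, so the script is only valid when started at the location
    // described in MY_CONDITION_FOR_STARTING_THE_IDC and with the library
    // versions the offsets were taken from.
    auto l_addr;
    auto l_addr_call_r14;

    fn_show_help();
    fn_show_current_line_info();
    if (fn_get_current_dasm_code() != "jmp cs:__imp_OCIStmtExecute") {
        // Not at the expected start point: the offsets below would land on
        // arbitrary addresses, so refuse to continue.
        msg("error!!!\n");
        fn_show_current_line_info();
        return;
    }

    msg("ok : debug now, will go to oran11_nioqrc() :: call near ptr oran11_nsbrecv\n");
    msg("please wait a moment ...\n");

    // step 1: step over the import thunk into the real OCIStmtExecute
    fn_f8();

    // steps 2-7: follow the chain of calls into oraclient11.dll
    fn_hop_into_call("call rax", 0xb5);
    fn_hop_into_call("call near ptr oraclient11_kpuexec", 0x41);
    fn_hop_into_call("call near ptr oraclient11_kpurcsc", 0x2621);
    fn_hop_into_call("call near ptr oraclient11_upirtrc", 0x91);
    fn_hop_into_call("oraclient11.dll:0000000003C9AF0D call near ptr unk_3CB4B9E",
                     0x0000000003B0AF0D - 0x0000000003B0AE96);
    fn_hop_into_call("oraclient11.dll:0000000003B25213 call qword ptr [rax+20h]",
                     0x0000000003B25213 - 0x0000000003B24B9E);

    // steps 8-9: the "call r14" site is reached twice from the same base;
    // step over it the first time, step into it the second time.
    l_addr_call_r14 = fn_get_current_addr();
    fn_run_to_offset("oran11.dll:0000000003D185F5 call r14", l_addr_call_r14,
                     0x0000000003D185F5 - 0x0000000003D185C0);
    fn_f8();
    fn_show_current_line_info();
    fn_run_to_offset("oran11.dll:0000000003D185F5 call r14", l_addr_call_r14,
                     0x0000000003D185F5 - 0x0000000003D185C0);
    fn_f7();
    fn_show_current_line_info();

    // step 10
    fn_hop_into_call("oracommon11.dll:000000000442DA6B call qword ptr [rsi+10h]",
                     0x000000000442DA6B - 0x000000000442D496);

    // step 11: destination reached; leave permanent breakpoints on the
    // send/receive call sites and on the send-buffer write, then resume.
    l_addr = fn_get_current_addr();
    fn_add_bp(fn_show_offset_addr("oran11.dll:00000000049044C6 call near ptr oran11_nsbsend",
                                  l_addr, 0x00000000049044C6 - 0x000000000490438A));
    fn_add_bp(fn_show_offset_addr("oran11.dll:0000000004904595 call near ptr oran11_nsbrecv",
                                  l_addr, 0x0000000004904595 - 0x000000000490438A));
    fn_add_bp(fn_show_offset_addr("oran11_nsbsend pure data : oran11.dll:00000000054A4506 mov [rbx+20h], rcx",
                                  l_addr, 0x00000000054A4506 - 0x00000000054A438A));
    fn_go();
    fn_show_current_line_info();

    // Done: breakpoints are set at the points of interest and the debuggee
    // is suspended at the first one hit, ready for manual debugging.
    msg("please debug, nice to meet you :)\n");
}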
// @file oci_test_on_vs2010.idc
// @brief debug for oci_test_on_vs2010.exe
#include <idc.idc>
#define REG_IP "RIP"
// helper functions must be declared before main()
static fn_show_offset_addr(str_tip, ull_addr_now, ull_addr_offset)
{
    // Compute ull_addr_now + ull_addr_offset, print it with the label
    // str_tip, and return it.
    auto ull_result;

    ull_result = ull_addr_now + ull_addr_offset;
    msg("offset addr 0x%X : %s\r\n", ull_result, str_tip);
    return ull_result;
}
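static fn_f7()
{
    // Step into the instruction at RIP (F7) and wait, without timeout, for
    // the debugger to report the next event.
    // Returns the event code from wait_for_next_event() so a caller can
    // check that the debuggee suspended again rather than exited.
    auto ev_code;

    StepInto();
    ev_code = wait_for_next_event(WFNE_SUSP | WFNE_CONT, -1);
    return ev_code;
}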
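static fn_f8()
{
    // Step over the instruction at RIP (F8) and wait, without timeout, for
    // the debugger to report the next event.
    // Returns the event code from wait_for_next_event() so a caller can
    // check that the debuggee suspended again rather than exited.
    auto ev_code;

    StepOver();
    ev_code = wait_for_next_event(WFNE_SUSP | WFNE_CONT, -1);
    return ev_code;
}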
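static fn_f9()
{
    // Resume the suspended debuggee (WFNE_CONT) and wait until it suspends
    // again (WFNE_SUSP), i.e. the F9 key.
    // Returns the event code from wait_for_next_event(); callers should
    // not assume the stop was the breakpoint they set.
    auto ev_code;

    ev_code = wait_for_next_event(WFNE_SUSP | WFNE_CONT, -1);
    return ev_code;
}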
static fn_show_current_line_info()
{
    // Print "<address> : <symbol name> :: <disassembly>" for the
    // instruction the debuggee is currently stopped at.
    auto ea_here;

    ea_here = GetRegValue(REG_IP);
    msg("0x%X : %s :: %s\n",
        ea_here,
        Name(ea_here),
        generate_disasm_line(ea_here, GENDSM_FORCE_CODE));
}
static fn_get_current_dasm_code()
{
    // Return the disassembly text of the instruction at the current RIP,
    // rendered as code regardless of IDA's current marking of the bytes.
    return generate_disasm_line(GetRegValue(REG_IP), GENDSM_FORCE_CODE);
}
static fn_get_current_addr()
{
    // Return the current instruction pointer of the suspended debuggee.
    return GetRegValue(REG_IP);
}
static fn_show_help()
{
    // Push earlier output out of view by printing 25 blank lines.
    auto i_blank;

    i_blank = 25;
    while (i_blank > 0) {
        msg("\n");
        i_blank--;
    }
}
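static fn_add_bp(l_addr)
{
    // Set a software breakpoint at l_addr.
    // Returns the result of add_bpt() so a caller can detect that the
    // breakpoint could not be placed (otherwise a later "go" never stops).
    return add_bpt(l_addr);
}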
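static fn_del_bp(l_addr)
{
    // Delete the breakpoint at l_addr.
    // Returns the result of del_bpt() so a caller can notice a stale
    // breakpoint that was not removed.
    return del_bpt(l_addr);
}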
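static runto(l_addr)
{
    // Place a temporary breakpoint at l_addr, resume the debuggee until it
    // suspends again, then remove the breakpoint.
    // Returns the event code reported by wait_for_next_event() so the
    // caller can check why the debuggee stopped; the breakpoint is removed
    // whatever the outcome.
    auto ev_code;

    fn_add_bp(l_addr);
    ev_code = wait_for_next_event(WFNE_SUSP | WFNE_CONT, -1);
    fn_del_bp(l_addr);
    return ev_code;
}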
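static main()
{
    // Drive the debuggee past the fork / jump / sleep / int3 checkpoints to
    // the uuid routine. The register writes (RAX, ZF, RDI) use IDC's
    // debugger register variables and are only meaningful while the
    // process is suspended at the corresponding breakpoint.
    // NOTE(review): the addresses are absolute and come from the analysed
    // image; re-check them if the module is loaded at a different base.

    // step 1: fork - force the call's return value to 0
    // (presumably to follow the child-process path; confirm in the image)
    runto(0x40FD40);
    RAX = 0;
    fn_f8();

    // step 2: conditional jump - force ZF so the jump is taken
    runto(0x4102AF);
    ZF = 1;
    fn_f8();

    // step 3: second fork - same treatment as step 1
    runto(0x41F5E2);
    RAX = 0;
    fn_f8();

    // step 4: sleep - zero RDI (presumably the sleep argument; confirm)
    runto(0x411C2D);
    RDI = 0;

    // step 5: int3 - step past the trap, then let the process run
    fn_f8();
    fn_f9();

    // step 6: uuid - stop just before the routine of interest
    runto(0x41320B);
}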