
I have this data

            ; CALL XREF from fcn.00401c60 @ 0x401c77
/ 43: fcn.00401dd0 (int32_t arg_8h, int32_t arg_ch);
|           ; arg int32_t arg_8h @ ebp+0x8
|           ; arg int32_t arg_ch @ ebp+0xc
|           0x00401dd0      55             push ebp
|           0x00401dd1      8bec           mov ebp, esp
|           0x00401dd3      56             push esi
|           0x00401dd4      8b750c         mov esi, dword [arg_ch]
|           0x00401dd7      57             push edi
|           0x00401dd8      8b7d08         mov edi, dword [arg_8h]
|           0x00401ddb      3bfe           cmp edi, esi
|       ,=< 0x00401ddd      7416           je 0x401df5
|       |   0x00401ddf      90             nop
|       |   ; CODE XREF from fcn.00401dd0 @ 0x401df3
|      .--> 0x00401de0      8b46fc         mov eax, dword [esi - 4]
|      :|   0x00401de3      85c0           test eax, eax
|     ,===< 0x00401de5      7407           je 0x401dee
|     |:|   0x00401de7      6a00           push 0
|     |:|   0x00401de9      ffd0           call eax
|     |:|   0x00401deb      83c404         add esp, 4
|     |:|   ; CODE XREF from fcn.00401dd0 @ 0x401de5
|     `---> 0x00401dee      83ee08         sub esi, 8
|      :|   0x00401df1      3bf7           cmp esi, edi
|      `==< 0x00401df3      75eb           jne 0x401de0
|       |   ; CODE XREF from fcn.00401dd0 @ 0x401ddd
|       `-> 0x00401df5      5f             pop edi
|           0x00401df6      b001           mov al, 1
|           0x00401df8      5e             pop esi
|           0x00401df9      5d             pop ebp
\           0x00401dfa      c3             ret

/ 260: fcn.004020b0 (int32_t arg_4h, int32_t arg_8h);
|           ; var int32_t var_324h @ ebp-0x324
|           ; arg int32_t arg_4h @ ebp+0x4
|           ; arg int32_t arg_8h @ ebp+0x8
|           0x004020b0      55             push ebp
|           0x004020b1      8bec           mov ebp, esp
|           0x004020b3      81ec24030000   sub esp, 0x324
|           0x004020b9      6a17           push 0x17                   ; 23
|           0x004020bb      ff151c304000   call dword [sym.imp.KERNEL32.dll_IsProcessorFeaturePresent] ; 0x40301c
|           0x004020c1      85c0           test eax, eax
|       ,=< 0x004020c3      7407           je 0x4020cc
|       |   0x004020c5      b902000000     mov ecx, 2
|           0x00402178      c78254734000.  mov dword [edx + 0x407354], 2
|           0x00402182      b804000000     mov eax, 4
|           0x00402187      6bc800         imul ecx, eax, 0
|           0x0040218a      8b150c404000   mov edx, dword [0x40400c]   ; [0x40400c:4]=0xbb40e64e
|           0x00402190      89540df8       mov dword [ebp + ecx - 8], edx
|           0x00402194      b804000000     mov eax, 4
|           0x00402199      c1e000         shl eax, 0
|           0x0040219c      8b0d08404000   mov ecx, dword [0x404008]   ; [0x404008:4]=0x44bf19b1
|           0x004021a2      894c05f8       mov dword [ebp + eax - 8], ecx
|           0x004021a6      6850364000     push 0x403650               ; 'P6@' ; "@s@"
|           0x004021ab      e8d0feffff     call fcn.00402080
|           0x004021b0      8be5           mov esp, ebp
|           0x004021b2      5d             pop ebp
\           0x004021b3      c3             ret

I want to get the address from each `fcn.ADDRESS` header together with that function's opcode bytes, as in this question, and put them in a dict like this:

{"00401dd0":"558bec81ec240300006a17ff151c30400085c07407b902000000cd29a340744000890d3c744000891538744000--snip--","004020b0":"558bec81ec240300006a17ff151c30400085c07407b902000000cd29a340--snip--"}

and, as you can see, the end of the opcodes is marked by the line starting with the `\` character, not by the `ret` string:

\           0x004021b3      c3             ret

So is it possible to do this in Python using a regex or something similar?

  • "Is it possible?" is not a great way of asking; please try to show at least a minimal example of what you have tried. Commented Jan 14, 2022 at 23:09


Extract each of the code blocks, then combine that output with the approach from the answer to the previous question.

Code

Python Demo

import re
import warnings
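text = """            ; CALL XREF from fcn.00401c60 @ 0x401c77
/ 43: fcn.00401dd0 (int32_t arg_8h, int32_t arg_ch);
|           ; arg int32_t arg_8h @ ebp+0x8
|           ; arg int32_t arg_ch @ ebp+0xc
|           0x00401dd0      55             push ebp
|           0x00401dd1      8bec           mov ebp, esp
|           0x00401dd3      56             push esi
|           0x00401dd4      8b750c         mov esi, dword [arg_ch]
|           0x00401dd7      57             push edi
|           0x00401dd8      8b7d08         mov edi, dword [arg_8h]
|           0x00401ddb      3bfe           cmp edi, esi
|       ,=< 0x00401ddd      7416           je 0x401df5
|       |   0x00401ddf      90             nop
|       |   ; CODE XREF from fcn.00401dd0 @ 0x401df3
|      .--> 0x00401de0      8b46fc         mov eax, dword [esi - 4]
|      :|   0x00401de3      85c0           test eax, eax
|     ,===< 0x00401de5      7407           je 0x401dee
|     |:|   0x00401de7      6a00           push 0
|     |:|   0x00401de9      ffd0           call eax
|     |:|   0x00401deb      83c404         add esp, 4
|     |:|   ; CODE XREF from fcn.00401dd0 @ 0x401de5
|     `---> 0x00401dee      83ee08         sub esi, 8
|      :|   0x00401df1      3bf7           cmp esi, edi
|      `==< 0x00401df3      75eb           jne 0x401de0
|       |   ; CODE XREF from fcn.00401dd0 @ 0x401ddd
|       `-> 0x00401df5      5f             pop edi
|           0x00401df6      b001           mov al, 1
|           0x00401df8      5e             pop esi
|           0x00401df9      5d             pop ebp
\           0x00401dfa      c3             ret

/ 260: fcn.004020b0 (int32_t arg_4h, int32_t arg_8h);
|           ; var int32_t var_324h @ ebp-0x324
|           ; arg int32_t arg_4h @ ebp+0x4
|           ; arg int32_t arg_8h @ ebp+0x8
|           0x004020b0      55             push ebp
|           0x004020b1      8bec           mov ebp, esp
|           0x004020b3      81ec24030000   sub esp, 0x324
|           0x004020b9      6a17           push 0x17                   ; 23
|           0x004020bb      ff151c304000   call dword [sym.imp.KERNEL32.dll_IsProcessorFeaturePresent] ; 0x40301c
|           0x004020c1      85c0           test eax, eax
|       ,=< 0x004020c3      7407           je 0x4020cc
|       |   0x004020c5      b902000000     mov ecx, 2
|           0x00402178      c78254734000.  mov dword [edx + 0x407354], 2
|           0x00402182      b804000000     mov eax, 4
|           0x00402187      6bc800         imul ecx, eax, 0
|           0x0040218a      8b150c404000   mov edx, dword [0x40400c]   ; [0x40400c:4]=0xbb40e64e
|           0x00402190      89540df8       mov dword [ebp + ecx - 8], edx
|           0x00402194      b804000000     mov eax, 4
|           0x00402199      c1e000         shl eax, 0
|           0x0040219c      8b0d08404000   mov ecx, dword [0x404008]   ; [0x404008:4]=0x44bf19b1
|           0x004021a2      894c05f8       mov dword [ebp + eax - 8], ecx
|           0x004021a6      6850364000     push 0x403650               ; 'P6@' ; "@s@"
|           0x004021ab      e8d0feffff     call fcn.00402080
|           0x004021b0      8be5           mov esp, ebp
|           0x004021b2      5d             pop ebp
\           0x004021b3      c3             ret
"""


# One radare2 function listing: the "/ <size>: fcn.<addr> (<args>);" header
# followed by everything up to and including the line that begins with "\".
# <args> may be empty ("fcn.xxx ();"), so the group uses "*" rather than "+".
_FUNCTION_RE = re.compile(
    r"/\s*\d+:\s*fcn\.(?P<name>[a-f0-9]+)\s*\((?P<args>[^)]*)\);\s*"
    r"(?P<analysis>[^\\]+^\\[^\r\n]+)",
    re.IGNORECASE | re.MULTILINE,
)

# One instruction line: an 8-digit address followed by the hex bytes column.
# radare2 cuts long byte strings and marks the cut with a trailing "." (see
# "c78254734000." in the listing above); the marker is captured separately so
# it is never glued into the opcode string. Anchoring at the start of the line
# allows at most one match per line, so addresses that appear inside trailing
# "; ..." comments (e.g. "=0xbb40e64e") can never be mistaken for bytes.
_INSTRUCTION_RE = re.compile(
    r"^.*?\b0x(?P<addr>[0-9a-f]{8})[ \t]+(?P<hex>[0-9a-f]+)(?P<trunc>\.?)(?=\s|$)",
    re.IGNORECASE | re.MULTILINE,
)


def extract_opcodes(listing: str) -> dict[str, str]:
    """Map each function address in a radare2 listing to its opcode hex string.

    Args:
        listing: radare2 disassembly text containing one or more
            ``/ <size>: fcn.<addr> (...);`` blocks, each terminated by a
            line that starts with ``\\``.

    Returns:
        ``{"<addr>": "<hex bytes of every instruction, concatenated>"}``.
        The key is taken verbatim from the ``fcn.`` header, so it keeps the
        listing's zero padding (e.g. ``"00401dd0"``). A block with no
        instruction lines maps to ``""``; an empty listing gives ``{}``.

    Warns:
        UserWarning: an instruction's bytes carry radare2's ``.`` truncation
        marker. The marker is dropped, but the returned string is then
        shorter than the real function body, so it must not be used as a
        signature or hash input until the bytes are re-dumped in full
        (a wider byte column, radare2's ``asm.nbytes`` setting).
    """
    result: dict[str, str] = {}
    for func in _FUNCTION_RE.finditer(listing):
        name = func.group("name")
        chunks: list[str] = []
        for insn in _INSTRUCTION_RE.finditer(func.group("analysis")):
            chunks.append(insn.group("hex"))
            if insn.group("trunc"):
                # Surface the loss rather than silently emitting a short string.
                warnings.warn(
                    f"fcn.{name}: bytes of the instruction at 0x{insn.group('addr')} "
                    "are truncated in the listing; the opcode string is incomplete",
                    stacklevel=2,
                )
        result[name] = "".join(chunks)
    return result


result = extract_opcodes(text)

print(result)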

Output

{'00401dd0': '558bec568b750c578b7d083bfe7416908b46fc85c074076a00ffd083c40483ee083bf775eb5fb0015e5dc3', '004020b0': '558bec81ec240300006a17ff151c30400085c07407b902000000c78254734000.b8040000006bc8008b150c40400089540df8b804000000c1e0008b0d08404000894c05f86850364000e8d0feffff8be55dc3'}
