alexander-hanel · July 28, 2020 17:16
diff --git a/ida_regex.py b/ida_regex.py
 import idautils
 import re
 import struct 

 """

 String Storage 
 Example 1
 
 .text:004344F5 8D 05 47 3E 50 00               lea     eax, stru_503E47         
 .text:004344FB 89 04 24                        mov     [esp+8+s.str], eax      ; s
 .text:004344FE C7 44 24 04 09 00 00 00         mov     [esp+8+s.len], 9

 """

 GO_STR_PATTERN = b"\x8D.(?P<offset>....)\x89\x04\$\xC7\x44\$\x04(?P<size>....)"

 class MemHelper:
    def __init__(self):
        self.mem_results = b""
        self.mem_offsets = []
        if not self.mem_results:
            self._get_memory()

    def _get_memory(self):
        result = b""
        segments_starts = [ea for ea in idautils.Segments()]
        offsets = []
        start_len = 0
        for start in segments_starts:
            end = idc.get_segm_end(start)
            result += idc.get_bytes(start, end - start)
            offsets.append((start, start_len, len(result)))
            start_len = len(result)
        self.mem_results = result
        self.mem_offsets = offsets

    def to_virtual_address(self, offset):
        va_offset = 0
        for seg in self.mem_offsets:
            if seg[1] <= offset < seg[2]:
                va_offset = seg[0] + (offset - seg[1])
        return va_offset
    
 mem = MemHelper()
 match = re.finditer(GO_STR_PATTERN, mem.mem_results, re.DOTALL) 
 if match:
    for m in match:
        g = m.groupdict()
        offset = struct.unpack('<I', g.get('offset'))[0]
        if offset == ida_idaapi.BADADDR:
            break
        length = struct.unpack('<I', g.get('size'))[0]
        if idc.get_segm_name(offset) == '.text':
            ida_bytes.del_items(offset, 2, length)
            print(hex(mem.to_virtual_address(m.start())), hex(offset),hex(length))
            ida_bytes.create_strlit(offset, length, -1) 
            ida_auto.auto_wait()
	import idautils
	import re
	import struct

	"""

	String Storage
	Example 1

	.text:004344F5 8D 05 47 3E 50 00 lea eax, stru_503E47
	.text:004344FB 89 04 24 mov [esp+8+s.str], eax ; s
	.text:004344FE C7 44 24 04 09 00 00 00 mov [esp+8+s.len], 9

	"""

	GO_STR_PATTERN = b"\x8D.(?P<offset>....)\x89\x04\$\xC7\x44\$\x04(?P<size>....)"

	class MemHelper:
	def __init__(self):
	self.mem_results = b""
	self.mem_offsets = []
	if not self.mem_results:
	self._get_memory()

	def _get_memory(self):
	result = b""
	segments_starts = [ea for ea in idautils.Segments()]
	offsets = []
	start_len = 0
	for start in segments_starts:
	end = idc.get_segm_end(start)
	result += idc.get_bytes(start, end - start)
	offsets.append((start, start_len, len(result)))
	start_len = len(result)
	self.mem_results = result
	self.mem_offsets = offsets

	def to_virtual_address(self, offset):
	va_offset = 0
	for seg in self.mem_offsets:
	if seg[1] <= offset < seg[2]:
	va_offset = seg[0] + (offset - seg[1])
	return va_offset

	mem = MemHelper()
	match = re.finditer(GO_STR_PATTERN, mem.mem_results, re.DOTALL)
	if match:
	for m in match:
	g = m.groupdict()
	offset = struct.unpack('<I', g.get('offset'))[0]
	if offset == ida_idaapi.BADADDR:
	break
	length = struct.unpack('<I', g.get('size'))[0]
	if idc.get_segm_name(offset) == '.text':
	ida_bytes.del_items(offset, 2, length)
	print(hex(mem.to_virtual_address(m.start())), hex(offset),hex(length))
	ida_bytes.create_strlit(offset, length, -1)
	ida_auto.auto_wait()