In MLIL and HLIL I can see a function that looks like: `sub_123456(variable1, "look at me", variable2)`

I've figured out 2 ways to get the args of the function, but I'm wondering if there is a smarter way to accomplish my goal. One way I could do it was to look at each line of the MLIL, find the function call in question, and then parse the MLIL (or HLIL) instruction. Another mechanism I tried was `functionRef.get_reg_value_at(address, 'r1')`, but that only works for args passed as registers. Just wondering if there was something more obvious in the API that I missed.
Replies: 1 comment
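Nope, iterating over the higher order ILs is the correct way. Here's an example that finds all calls to MessageBoxA and prints the popup string.

```python
from binaryninja import MediumLevelILOperation

for func in bv.functions:
    for block in func.mlil:
        for instr in block:
            # Only MLIL call instructions are of interest
            if instr.operation != MediumLevelILOperation.MLIL_CALL: continue
            # operands[1] is the call destination; match it by its displayed name
            if instr.operands[1].tokens[0].text != 'MessageBoxA': continue
            # operands[2] is the list of argument expressions
            (hWnd, lpText, lpCaption, uType) = instr.operands[2]
            string_ref = bv.get_string_at(lpText.value.value)
            if string_ref is None: continue  # lpText does not point at a known string
            print('%08X: MessageBoxA(..., "%s", ...)' % (instr.address, string_ref.value))
```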
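An added example, not part of the original reply or of Binary Ninja itself: the same MLIL iteration generalized to any direct callee (such as `sub_123456` from the question), returning every argument that dataflow resolved to a constant or string and `None` for the rest. The helper names `callee_name`, `resolve_arg` and `find_call_args` are hypothetical, and it assumes the call target is a constant-pointer or import expression; indirect calls are skipped.

```python
# Added example: meant for Binary Ninja's Python console, where `bv` is the open BinaryView.
# Operations are compared by enum name so the module also loads without binaryninja.
CALL_OPS = ('MLIL_CALL', 'MLIL_TAILCALL')
DIRECT_DEST_OPS = ('MLIL_CONST_PTR', 'MLIL_IMPORT')
CONST_VALUE_TYPES = ('ConstantValue', 'ConstantPointerValue')


def callee_name(bv, dest):
    """Name of a direct call target, or None for an indirect call."""
    if dest.operation.name not in DIRECT_DEST_OPS:
        return None
    target = bv.get_function_at(dest.constant)
    if target is not None:
        return target.name
    sym = bv.get_symbol_at(dest.constant)
    return sym.name if sym is not None else None


def resolve_arg(bv, param):
    """Return the string, else the constant, else None if not statically known."""
    val = param.value  # dataflow result (RegisterValue) for this expression
    if val.type.name not in CONST_VALUE_TYPES:
        return None
    string_ref = bv.get_string_at(val.value)
    return string_ref.value if string_ref is not None else val.value


def find_call_args(bv, name):
    """Return [(call address, [resolved args])] for every direct call to `name`."""
    hits = []
    for func in bv.functions:
        for block in func.mlil:
            for instr in block:
                if instr.operation.name not in CALL_OPS:
                    continue
                if callee_name(bv, instr.dest) != name:
                    continue
                hits.append((instr.address, [resolve_arg(bv, p) for p in instr.params]))
    return hits
```

In the console, `find_call_args(bv, 'sub_123456')` lists each call site with its arguments; a `None` entry marks an argument that needs manual tracing or the HLIL view.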