├── .gitattributes ├── .gitignore ├── LICENSE ├── README.md ├── findLoop.sln └── findLoop ├── findLoop.cpp ├── findLoop.vcxproj ├── findLoop.vcxproj.filters ├── idaScript.h ├── pch.cpp └── pch.h /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | project.fragment.lock.json 46 | artifacts/ 47 | 48 | *_i.c 49 | *_p.c 50 | *_i.h 51 | *.ilk 52 | *.meta 53 | *.obj 54 | *.pch 55 | *.pdb 56 | *.pgc 57 | *.pgd 58 | *.rsp 59 | *.sbr 60 | *.tlb 61 | *.tli 62 | *.tlh 63 | *.tmp 64 | *.tmp_proj 65 | *.log 66 | *.vspscc 67 | *.vssscc 68 | .builds 69 | *.pidb 70 | *.svclog 71 | *.scc 72 | 73 | # Chutzpah Test files 74 | _Chutzpah* 75 | 76 | # Visual C++ cache files 77 | ipch/ 78 | *.aps 79 | *.ncb 80 | *.opendb 81 | *.opensdf 82 | *.sdf 83 | *.cachefile 84 | *.VC.db 85 | *.VC.VC.opendb 86 | 87 | # Visual Studio profiler 88 | *.psess 89 | *.vsp 90 | *.vspx 91 | *.sap 92 | 93 | # TFS 2012 Local Workspace 94 | $tf/ 95 | 96 | # Guidance Automation Toolkit 97 | *.gpState 98 | 99 | # ReSharper is a .NET coding add-in 100 | _ReSharper*/ 101 | *.[Rr]e[Ss]harper 102 | *.DotSettings.user 103 | 104 | # JustCode is a .NET coding add-in 105 | .JustCode 106 | 107 | # TeamCity is a build add-in 108 | _TeamCity* 109 | 110 | # DotCover is a Code Coverage Tool 111 | *.dotCover 112 | 113 | # NCrunch 114 | _NCrunch_* 115 | .*crunch*.local.xml 116 | nCrunchTemp_* 117 | 118 | # MightyMoose 119 | *.mm.* 120 | AutoTest.Net/ 121 | 122 | # Web workbench (sass) 123 | .sass-cache/ 124 | 
125 | # Installshield output folder 126 | [Ee]xpress/ 127 | 128 | # DocProject is a documentation generator add-in 129 | DocProject/buildhelp/ 130 | DocProject/Help/*.HxT 131 | DocProject/Help/*.HxC 132 | DocProject/Help/*.hhc 133 | DocProject/Help/*.hhk 134 | DocProject/Help/*.hhp 135 | DocProject/Help/Html2 136 | DocProject/Help/html 137 | 138 | # Click-Once directory 139 | publish/ 140 | 141 | # Publish Web Output 142 | *.[Pp]ublish.xml 143 | *.azurePubxml 144 | # TODO: Comment the next line if you want to checkin your web deploy settings 145 | # but database connection strings (with potential passwords) will be unencrypted 146 | #*.pubxml 147 | *.publishproj 148 | 149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 150 | # checkin your Azure Web App publish settings, but sensitive information contained 151 | # in these scripts will be unencrypted 152 | PublishScripts/ 153 | 154 | # NuGet Packages 155 | *.nupkg 156 | # The packages folder can be ignored because of Package Restore 157 | **/packages/* 158 | # except build/, which is used as an MSBuild target. 
159 | !**/packages/build/ 160 | # Uncomment if necessary however generally it will be regenerated when needed 161 | #!**/packages/repositories.config 162 | # NuGet v3's project.json files produces more ignoreable files 163 | *.nuget.props 164 | *.nuget.targets 165 | 166 | # Microsoft Azure Build Output 167 | csx/ 168 | *.build.csdef 169 | 170 | # Microsoft Azure Emulator 171 | ecf/ 172 | rcf/ 173 | 174 | # Windows Store app package directories and files 175 | AppPackages/ 176 | BundleArtifacts/ 177 | Package.StoreAssociation.xml 178 | _pkginfo.txt 179 | 180 | # Visual Studio cache files 181 | # files ending in .cache can be ignored 182 | *.[Cc]ache 183 | # but keep track of directories ending in .cache 184 | !*.[Cc]ache/ 185 | 186 | # Others 187 | ClientBin/ 188 | ~$* 189 | *~ 190 | *.dbmdl 191 | *.dbproj.schemaview 192 | *.jfm 193 | *.pfx 194 | *.publishsettings 195 | node_modules/ 196 | orleans.codegen.cs 197 | 198 | # Since there are multiple workflows, uncomment next line to ignore bower_components 199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 200 | #bower_components/ 201 | 202 | # RIA/Silverlight projects 203 | Generated_Code/ 204 | 205 | # Backup & report files from converting an old project file 206 | # to a newer Visual Studio version. 
Backup files are not needed, 207 | # because we have git ;-) 208 | _UpgradeReport_Files/ 209 | Backup*/ 210 | UpgradeLog*.XML 211 | UpgradeLog*.htm 212 | 213 | # SQL Server files 214 | *.mdf 215 | *.ldf 216 | 217 | # Business Intelligence projects 218 | *.rdl.data 219 | *.bim.layout 220 | *.bim_*.settings 221 | 222 | # Microsoft Fakes 223 | FakesAssemblies/ 224 | 225 | # GhostDoc plugin setting file 226 | *.GhostDoc.xml 227 | 228 | # Node.js Tools for Visual Studio 229 | .ntvs_analysis.dat 230 | 231 | # Visual Studio 6 build log 232 | *.plg 233 | 234 | # Visual Studio 6 workspace options file 235 | *.opt 236 | 237 | # Visual Studio LightSwitch build output 238 | **/*.HTMLClient/GeneratedArtifacts 239 | **/*.DesktopClient/GeneratedArtifacts 240 | **/*.DesktopClient/ModelManifest.xml 241 | **/*.Server/GeneratedArtifacts 242 | **/*.Server/ModelManifest.xml 243 | _Pvt_Extensions 244 | 245 | # Paket dependency manager 246 | .paket/paket.exe 247 | paket-files/ 248 | 249 | # FAKE - F# Make 250 | .fake/ 251 | 252 | # JetBrains Rider 253 | .idea/ 254 | *.sln.iml 255 | 256 | # CodeRush 257 | .cr/ 258 | 259 | # Python Tools for Visual Studio (PTVS) 260 | __pycache__/ 261 | *.pyc -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Lasha Khasaia 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial 
portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # findLoop 2 | 3 | 4 | `findLoop` uses [DynamoRIO](https://dynamorio.org/) to find code blocks executed more than `ITER_LIMIT` times (`ITER_LIMIT` is defined inside the project). 5 | 6 | Based on the produced data, the project generates an [`IDA Python`](https://github.com/idapython/src) script that sets breakpoints at the addresses executed more than `ITER_LIMIT` times. 7 | 8 | The project can be used to find possible encryption/decryption and compression/decompression code snippets. 9 | 10 | #### Possible Targets: 11 | Crackmes, malware samples, etc. 12 | 13 | ### BUILD: 14 | The project assumes that `C:\dynamorio` points to the [DynamoRIO folder](https://github.com/DynamoRIO/dynamorio/releases). 
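15 | 16 | 17 | ### [DEMO](https://www.youtube.com/watch?v=01gqgAaL7Eo): 18 | [![maxresdefault](https://user-images.githubusercontent.com/16405698/55261416-cfe9f600-5262-11e9-99a5-014473bfdbcd.jpg)](https://www.youtube.com/watch?v=01gqgAaL7Eo) 19 | -------------------------------------------------------------------------------- /findLoop.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.539 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "findLoop", "findLoop\findLoop.vcxproj", "{B2567D94-26DC-4B52-B625-F2006E3F8431}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Release|x86 = Release|x86 11 | EndGlobalSection 12 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 13 | {B2567D94-26DC-4B52-B625-F2006E3F8431}.Release|x86.ActiveCfg = Release|Win32 14 | {B2567D94-26DC-4B52-B625-F2006E3F8431}.Release|x86.Build.0 = Release|Win32 15 | EndGlobalSection 16 | GlobalSection(SolutionProperties) = preSolution 17 | HideSolutionNode = FALSE 18 | EndGlobalSection 19 | GlobalSection(ExtensibilityGlobals) = postSolution 20 | SolutionGuid = {5D2F0CEE-88CD-4607-82ED-549C333A1782} 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /findLoop/findLoop.cpp: -------------------------------------------------------------------------------- 
#include "pch.h"

#include "dr_api.h"
#include "drmgr.h"

// NOTE(review): the header name on this include was lost in the listing; the
// standard headers below are the ones the definitions in this file need.
#include <string>
#include <unordered_map>
#include <vector>
#include "idaScript.h"


/* A block executed more than ITER_LIMIT times is reported as a possible loop. */
constexpr unsigned long long ITER_LIMIT = 200;

/* Base address of the main module; block addresses are stored relative to it. */
static app_pc baseAddress;

/* Blocks: execution count per basic block, keyed by the RVA of its first app instruction. */
static std::unordered_map<DWORD_PTR, unsigned long long> blocks;

/* Guards `blocks`. The clean call that updates the map runs on whichever
 * application thread executes the block, so a multithreaded target would
 * otherwise mutate the map concurrently. */
static void* blocksLock;

/* Base name of the instrumented application; used to name the output script. */
static std::string target_name;

static void
event_exit(void);

static dr_emit_flags_t
event_app_instruction(void* drcontext, void* tag, instrlist_t* bb, instr_t* inst,
                      bool for_trace, bool translating, void* user_data);

static void
ProcessBlock(DWORD_PTR);

/*
 * Client entry point: create the map lock, remember where the main module is
 * loaded and register the exit and basic-block instrumentation events.
 */
DR_EXPORT void
dr_client_main(client_id_t id, int argc, const char* argv[])
{
    UNREFERENCED_PARAMETER(id);
    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);

    dr_set_client_name("Find possible encryption/decryption, compression/decompression blocks",
                       "https://github.com/secrary/");

    drmgr_init();
    blocksLock = dr_mutex_create();

    target_name = dr_get_application_name();

    // Only blocks of the main module are counted (see event_app_instruction);
    // the module data is freed only when it was actually returned.
    const auto mainModule = dr_get_main_module();
    if (mainModule != nullptr)
    {
        baseAddress = mainModule->start;
        dr_free_module_data(mainModule);
    }

    /* also give notification to stderr */
    if (dr_is_notify_on())
    {
        dr_enable_console_printing();
    }

    /* register events */
    dr_register_exit_event(event_exit);

    drmgr_register_bb_instrumentation_event(nullptr, event_app_instruction, nullptr);
}

/*
 * Exit event: collect the RVAs of blocks executed more than ITER_LIMIT times
 * and write them into an IDA Python script named "<app>_findLoop.py". The
 * name is relative, so the file lands in the instrumented process's current
 * working directory. Nothing is written when no block qualifies; open/write
 * failures are reported on stderr instead of being silently ignored.
 */
static void
event_exit(void)
{
    std::vector<DWORD_PTR> suspiciousBlocks;

    dr_mutex_lock(blocksLock);
    for (const auto& block : blocks)
    {
        if (block.second > ITER_LIMIT) // more than ITER_LIMIT iteration
        {
            // block.first: address (RVA)
            suspiciousBlocks.emplace_back(block.first);
        }
    }
    dr_mutex_unlock(blocksLock);

    if (!suspiciousBlocks.empty())
    {
        // `first` / `second` (idaScript.h) are the head and tail of the script;
        // the address list is spliced between them.
        std::string idaScript = first;

        for (const auto& block : suspiciousBlocks)
        {
            idaScript += std::to_string(block) + ", ";
        }

        idaScript += "]\n";
        idaScript += second;

        const auto idaScriptName = target_name + "_findLoop.py";
        const auto fd = dr_open_file(idaScriptName.c_str(), DR_FILE_WRITE_OVERWRITE);
        if (fd == INVALID_FILE)
        {
            dr_fprintf(STDERR, "[findLoop] could not open %s for writing\n", idaScriptName.c_str());
        }
        else
        {
            // write IDA Pro script; dr_write_file returns the number of bytes written (or < 0)
            const auto written = dr_write_file(fd, idaScript.c_str(), idaScript.size());
            if (written < 0 || static_cast<size_t>(written) != idaScript.size())
            {
                dr_fprintf(STDERR, "[findLoop] short write to %s\n", idaScriptName.c_str());
            }
            dr_close_file(fd);
        }
    }

    dr_mutex_destroy(blocksLock);
    drmgr_exit();
}

/*
 * Insertion-stage callback, invoked once per instruction of every basic block.
 * For the first application instruction of a block belonging to the main
 * module, insert a clean call to ProcessBlock carrying the block's RVA so
 * that its executions are counted at run time.
 */
static dr_emit_flags_t
event_app_instruction(void* drcontext, void* tag, instrlist_t* bb, instr_t* inst,
                      bool for_trace, bool translating, void* user_data)
{
    UNREFERENCED_PARAMETER(user_data);
    UNREFERENCED_PARAMETER(translating);
    UNREFERENCED_PARAMETER(for_trace);

    drmgr_disable_auto_predication(drcontext, bb);

    // Cheap check first: only the first instruction of a block gets the call,
    // so the module lookup below is not repeated for every instruction.
    if (!drmgr_is_first_instr(drcontext, inst))
        return DR_EMIT_DEFAULT;

    // Skip blocks that belong to a module other than the main one. Code that is
    // not inside any module (mod == nullptr) is NOT filtered out -- presumably
    // intentional so that code running from non-module memory is still counted;
    // confirm.
    const auto mod = dr_lookup_module(dr_fragment_app_pc(tag));
    if (mod != nullptr)
    {
        const bool inMainModule = (mod->start == baseAddress);
        dr_free_module_data(mod);
        if (!inMainModule)
        {
            return DR_EMIT_DEFAULT;
        }
    }

    const auto instrFirst = instrlist_first(bb);

    // A block that begins with a return is skipped (presumably a function
    // epilogue rather than a loop body -- confirm).
    if (instr_is_return(instrFirst))
        return DR_EMIT_DEFAULT;

    // check if "application (non-meta)" instruction
    if (!instr_is_app(instrFirst))
        return DR_EMIT_DEFAULT;

    // Store the RVA rather than the absolute address; the generated IDA script
    // adds IDA's own image base back.
    const auto instructionAddress =
        reinterpret_cast<DWORD_PTR>(instr_get_app_pc(instrFirst)) - DWORD_PTR(baseAddress);
    // reinterpret_cast: a function pointer cannot be static_cast to void*.
    dr_insert_clean_call(drcontext, bb, instrlist_first_app(bb), reinterpret_cast<void*>(ProcessBlock),
                         false /* save fpstate */, 1, OPND_CREATE_INTPTR(instructionAddress));

    return DR_EMIT_DEFAULT;
}

/*
 * Clean-call target: bump the execution counter of the block whose RVA is
 * `instructionAddress`. Runs on the application thread executing the block,
 * hence the lock around the map update.
 */
static void ProcessBlock(DWORD_PTR instructionAddress)
{
    dr_mutex_lock(blocksLock);
    ++blocks[instructionAddress]; // operator[] value-initialises a new entry to 0 first
    dr_mutex_unlock(blocksLock);
}
-------------------------------------------------------------------------------- /findLoop/findLoop.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {B2567D94-26DC-4B52-B625-F2006E3F8431} 24 | Win32Proj 25 | findLoop 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | 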
Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | C:\dynamorio\include;C:\dynamorio\ext\include;$(VC_IncludePath);$(WindowsSDK_IncludePath); 82 | 83 | 84 | false 85 | 86 | 87 | 88 | Use 89 | Level3 90 | Disabled 91 | true 92 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 93 | true 94 | pch.h 95 | 96 | 97 | Console 98 | true 99 | 100 | 101 | 102 | 103 | Use 104 | Level3 105 | Disabled 106 | true 107 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 108 | true 109 | pch.h 110 | 111 | 112 | Console 113 | true 114 | 115 | 116 | 117 | 118 | Use 119 | Level4 120 | MaxSpeed 121 | true 122 | true 123 | true 124 | WIN32;NDEBUG;_WINDOWS;_USRDLL;SELFIE_EXPORTS;%(PreprocessorDefinitions) 125 | true 126 | pch.h 127 | stdcpplatest 128 | MultiThreaded 129 | None 130 | CompileAsCpp 131 | 132 | 133 | Windows 134 | true 135 | true 136 | false 137 | C:\dynamorio\ext\lib32\release;c:\dynamorio\lib32\release;C:\dynamorio\drmemory\drmf\lib32\release;%(AdditionalLibraryDirectories) 138 | drmgr.lib;drwrap.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 139 | 140 | 141 | 142 | 143 | Use 144 | Level3 145 | MaxSpeed 146 | true 147 | true 148 | true 149 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 150 | true 151 | pch.h 152 | 153 | 154 | Console 155 | true 156 | true 157 | true 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | Create 168 | Create 169 | Create 170 | Create 171 | 172 | 173 | 174 | 175 | 176 | -------------------------------------------------------------------------------- /findLoop/findLoop.vcxproj.filters: 
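-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /findLoop/idaScript.h: -------------------------------------------------------------------------------- 
#pragma once
// NOTE(review): the header name on this include was lost in the listing;
// <string> is what the two definitions below need.
#include <string>

/*
 * Head of the generated IDA Python script: banner, imports and the opening of
 * the `addresses` list. findLoop.cpp appends the RVAs, then "]\n", then `second`.
 *
 * `const` gives these strings internal linkage, so including this header from
 * more than one translation unit no longer defines the same object twice.
 */
const std::string first = R"(
# -------------------------------------------------------------------------------
#
# Copyright (c) 2019
# Lasha Khasaia @_qaz_qaz
#
# -------------------------------------------------------------------------------

from __future__ import print_function
import ida_bytes
import ida_funcs
import idaapi
import idc

addresses = [
)";

/*
 * Tail of the generated script. It rebases the RVAs onto IDA's image base,
 * excludes every address lying inside a function whose entry point was itself
 * hot (a hot entry point means the function is called in a loop, which is not
 * what the tool reports), then colors, breakpoints and prints the rest.
 *
 * Changes versus the original script: `dict.has_key()` does not exist on
 * Python 3 (IDA 7.4+ ships Python 3), so membership uses `in`; the address set
 * is sorted so the printed order is deterministic; CIC_ITEM is qualified with
 * its module instead of relying on IDA's implicit star-imports.
 */
const std::string second = R"(
imageBase = idaapi.get_imagebase()

# returns {start_ea: end_ea} for every function in the database
def getFuncRanges():
    start = 0
    next_func = ida_funcs.get_next_func(start)
    function_start_end = {}
    while next_func:
        function_start_end[next_func.start_ea] = next_func.end_ea
        next_func = ida_funcs.get_next_func(next_func.start_ea)
    return function_start_end

# we looking for loops inside a function
# blacklist function starts
blacklisted_functions = [] # start, end
functions_table = getFuncRanges()
for rva in addresses:
    address = rva + imageBase
    if address in functions_table:
        fnc = ida_funcs.get_func(address)
        blacklisted_functions.append(fnc)

loop_addresses = []
for rva in addresses:
    address = rva + imageBase
    flags = ida_bytes.get_flags(address)
    if not ida_bytes.is_code(flags):
        print("[findLoop] {}: not an instruction".format(hex(address)))
        continue

    valid = True
    for fnc in blacklisted_functions:
        if ida_funcs.func_contains(fnc, address):
            valid = False
            break
    if valid:
        loop_addresses.append(address)


loop_addresses = sorted(set(loop_addresses))
print("[findLoop] Possible encryption/decryption or compression/decompression code:")
for address in loop_addresses:
    idc.set_color(address, idc.CIC_ITEM, 0x36AD80) # set color: green
    idc.add_bpt(address)
    print("0x{:x}".format(address))

print()
)";
-------------------------------------------------------------------------------- /findLoop/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /findLoop/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. 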
In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | #define WINDOWS 14 | #define X86_32 15 | 16 | #pragma comment (lib , "dynamorio.lib") 17 | 18 | #include "dr_api.h" 19 | #include 20 | 21 | #endif //PCH_H 22 | --------------------------------------------------------------------------------