Simple Unicorn emulation plugin. I originally developed the plugin as a quick way to emulate decoding strings obfuscated with ADVObfuscator or similar methods.
- Copy src/stackstack.py and src/stackstack/ to your IDA plugins directory.
- Restart IDA.
- Unicorn Emulator
- Yara
- Keystone engine
- Capstone engine
- loglevel: Log level to use (DEBUG, ERROR, INFO...). Default: DEBUG
- ext_yara_file: External yara file to use for automated scanning. Defaults to stackem.yara
- bookmarks: Create bookmarks at decoded offsets. Default: True
- rename_func: Rename a function which contains a single AdvObfuscated string. This is useful where a function encapsulates a call to a native API. Default: False
- check_update: Check if there is an update available.
Example config file:

```python
{
    'loglevel': 'DEBUG',
    'ext_yara_file': 'stackstack.yara',
    'bookmarks': True,
    'rename_func': False,
    'check_update': True
}
```
Emulates the current block or selected bytes and attempts to extract the decoded bytes.
- Decode Selected - Emulate the selected bytes.
- Decode Current - Detect the blocks to emulate based on the current cursor position in the decompiler window.
  - Shortcut: shift-x
  - Shortcut:
- Decode All - Scan for and attempt to decode each identified block.
- Decode Function - Scan the current function and attempt to decode the found blocks.
To help navigate the binary, the plugin can create a bookmark at the location of each decoded string. If this is configured, bookmarks will be created with the prefix SSB:
For now, register values are added as a comment and, at the end of the block, the last value of each register is emitted.
Emulate the current block and return the end state of all registers.
Scan for ADVObfuscated strings or matches based on the passed yara rules.
- Shortcut: shift-s