Currently proof-of-concept
This project is a small POC plugin for launching dumpulator emulation within IDA, passing it addresses from your IDA view using the context menu.
Find the amazing dumpulator project by @mrexodia at link
You can now go to Edit -> Plugins -> Dumpulate and this will prompt you to select your dump file
For the example file found here you can
- Set your call address and choose a number of arguments to pass
- Right click an address, choose select argument, and then select which arg you'd like to pass it as
- Right click and select allocate temporary space for any arg you'd like to monitor the output of
- Finally right click and choose emulate function
This will emulate the chosen call address, pass your assigned arguments, and output the passed addresses as strings if possible
If you right click the variable within the function call line, you'll get the wrong address, so you have to be selecting it directly by clicking through to it.
Additionally, I haven't yet coded this to support stack variables. I will need to confirm how that is coded with dumpulator, before I try and impliment.
The biggest limitation is that that's insanely buggy
I feel that this could be more dynamic, and there are a lot more options and scenarios to account for than the basic string decryption POC.
I will look into more dynamic ways of building your function argument structure, as well as ways of controlling what you monitor and how it is outputted, potentially with enums or comments as an option