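// can't ever remember all the IDC language (eg printf() is Message(), sprintf() is form(), etc.)
// so just going to grow a database of examples that can be referred to each time I need to write something!
// -andrewl

// iterate over IDA subroutines, outputting a windbg
// breakpoint command
//
// the assembled line is handed to fprintf()/Message() as a "%s" argument rather
// than as the format string itself: the function name is embedded in it, and a
// name containing '%' would otherwise be read as format directives.
auto subname;
auto subaddr;
auto mystr;
auto fname;
auto hFile;

subaddr=0;
fname="c:\\temp.txt";
hFile=fopen(fname,"w+");
if(hFile)
{
    while(1)
    {
        subaddr=NextFunction(subaddr);
        if(subaddr==-1) break;      // -1: no function after subaddr
        subname=GetFunctionName(subaddr);
        mystr=form("bp %08X \".echo %s; g\"\n",subaddr,subname);
        fprintf(hFile,"%s",mystr);
        Message("%s",mystr);
    }
    fclose(hFile);
}
else
{
    Warning("couldn't open %s for writing\n",fname);
}

// simple loop to de-obfuscate some dwords
//
// the xor only touches the low byte of each dword and a advances one byte per
// iteration, so in effect every byte in [0x401040, 0x401524) gets xored with 0x0F
auto a,d;
a=0x401040;
while(a != 0x401524)
{
    d = Dword(a);
    d = d ^ 0x0F;
    PatchDword(a,d);
    a++;
}

// here are some scripts by red477 for de-obfuscating "russian dolls" crackme
//
// NOTE: this first one is mangled - whatever sat between a '<' and a '>' was lost
// when the page was extracted (the #include header name and the body of the inner
// while loop, which now reads as an assignment). Kept as found; it does not run as-is.
// #include
static main()
{
    auto i,b,k;
    auto pStart, nCodeLen;

    pStart=0x40501D;
    // nCodeLen=0x01866A;
    while(pStart<=0x40501D+0x01866A)
    {
        Message("Processing 0x%08X\n",pStart);
        i=pStart;
        k=Byte(pStart-7);
        nCodeLen=Dword(pStart-0x0D);
        while(i=0x40501D+0x01866A)break;    // mangled in extraction, see note above
        }
        pStart=pStart+0x1A;
        // if (pStart>=0x40501D+0x01866A)break;
    }
}

// #include
static main()
{
    auto i,b,k;
    auto pStart, nCodeLen;
    auto c,d;
    auto bFound;
    auto j;

    // for each candidate value j, walk the 0x41-byte records from 0x405020 and
    // report a record whose byte+0x09 is never paired with a zero byte+0x0E
    // in any later record carrying the same j
    for(j=0;j<=7;j++){
        pStart=0x405020;
        i=pStart;
        while ( i<0x41D687 ) {
            b=Byte(i+0x03);
            if(b==j){
                k=Byte(i+0x0E);
                if(k==1){
                    k=Byte(i+0x09);
                    // Message("0%02Xh\n",k);
                    bFound=1;
                    for(c=i;c<0x41D687;c=c+0x41){
                        d=Byte(c+0x03);
                        if(d!=b)continue;
                        d=Byte(c+0x09);
                        if(d!=k)continue;
                        d=Byte(c+0x0E);
                        if(d==0){bFound=0;break;}
                    }
                    if(bFound==1){
                        Message("FOUND %d:%c\n",j,k);
                    }
                }
            }
            i=i+0x41;
        } // while ( i<0x41D687 ) {
    } // for(j=0;j<=7;j++){
}

// I used this IDC script to produce some breakpoints to monitor execution that went
// through the table in _death's Saddam crackme - it just iterates over a range of
// addresses, making breakpoints at both data and code references to these addresses
//
// the fopen() result is checked before anything is written, the breakpoint text is
// passed as a "%s" argument (as in the first script), and the file is closed at the
// end so the output is actually flushed.
auto addr;
auto i;
auto t;
auto fname;
auto hFile;
auto curr;

fname="c:\\temp.txt";
hFile=fopen(fname,"w+");
if(hFile)
{
    addr=0x417004;
    for(i=0; i<21; ++i)         // 21 dword entries starting at 0x417004
    {
        // code references to addr
        curr=RfirstB(addr);
        if(curr!=-1)
        {
            do
            {
                t=form("bp %08X\n",curr);
                Message("%s",t);
                fprintf(hFile,"%s",t);
                curr = RnextB(addr, curr);
            } while(curr!=-1);
        }
        // data references to addr
        curr=DfirstB(addr);
        if(curr!=-1)
        {
            do
            {
                t=form("bp %08X\n",curr);
                Message("%s",t);
                fprintf(hFile,"%s",t);
                curr = DnextB(addr, curr);
            } while(curr!=-1);
        }
        addr=addr+4;
    }
    fclose(hFile);
}
else
{
    Warning("couldn't open %s for writing\n",fname);
}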