pvefindaddr v1.30 released

pvefindaddr is a PyCommand (plugin) for Immunity Debugger. Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry’s first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.

Drop the file in the pycommands folder within your Immunity Debugger installation folder. You can get the list of functions and paramters by running !pvefindaddr (without arguments) from the input box at the bottom of Immunity Debugger. Look at the “Log†window for outpu


  • Improved routine to determine module path
  • added feature “info†: !pvefindaddr info 0×1234567 (shows info about a given address within the context of the currently debugged application)
  • (v1.29) Output to file now includes full path of the module a given address belongs to (if possible to determine)
  • (v1.29) Fixed output bug in txt files, that prevented display of the indicator specifying whether a given address is made up of alphanum chars only or not.

Purpose : In this and this article, and in this exploit, I mentioned the use a custom printable-ascii encoder. Building this encoder can be done manually (as explained in those articles), but I have now implemented the logic into pvefindaddr as well.

Usage : There are 2 ways to invoke the encoder :

!pvefindaddr encode ascii (where are just the bytes that need to be encoded, without spaces or 0x characters). Example : !pvefindaddr encode ascii 8BC253040000FFE2

!pvefindaddr encode ascii (where points to a file that contains the bytes that need to be encoded)

The output of the decoding routine will be written to the Log window and to a file called encode.txt

Note : the current implementation does not deal with bad chars. But it should be really easy to filter out any bad chars once you already have the decoder in front of you.