def LoadStringLiterals(ea=None):
if ea is None:
ea = ScreenEA()
path = os.getcwd()
os.system(path + '/unity_decoder.exe')
file = open('./string_literal.txt')
str_count = file.readline()
skip_count = file.readline()
ea += int(skip_count) * 0x4
for line in file:
line = line.strip(' ').replace('\r', '').replace('\n', '')
new_line = re.sub(r'[^a-zA-Z0-9_]', '_', line)
new_line = 'StringLiteral_' + new_line
i = 0
addr = GetVarFromAddr(ea)
ret = idc.MakeNameEx(addr, str(new_line), SN_NOWARN)
#ret = idc.MakeNameEx(addr, "", SN_NOWARN)
while ret == 0 and i < 5: # failed
new_line_rand = new_line + '_' + str(random.randint(0, 99999))
ret = idc.MakeNameEx(addr, str(new_line_rand), SN_NOWARN)
i = i + 1
idc.MakeComm(ea, str(line))
#idc.MakeComm(ea, "")
ea = IncreaseAddr(ea)
file.close()
def makeNameAndStructure(self, api, suffix=None):
if suffix is not None:
named = idc.MakeNameEx(api[0], str(api[3] + "_{}".format(suffix)), 256)
else:
named = idc.MakeNameEx(api[0], str(api[3]), 256)
self.makeDQWord(api)
return named
def LoadMethods(ea=None):
if ea is None:
ea = ScreenEA()
path = os.getcwd()
os.system(path + '/unity_decoder.exe')
file = open('./method_name.txt')
str_count = file.readline()
i = 0
for line in file:
line = line.strip(' ').replace('\r', '').replace('\n', '')
new_line = re.sub(r'[^a-zA-Z0-9_$]', '_', line)
i = 0
addr = GetMethodFromAddr(ea)
ret = idc.MakeNameEx(addr, str(new_line), SN_NOWARN)
while ret == 0 and i < 5: # failed
new_line_rand = new_line + '_' + str(random.randint(0, 99999))
ret = idc.MakeNameEx(addr, str(new_line_rand), SN_NOWARN)
idc.MakeComm(ea, str(line))
i = i + 1
ea = IncreaseAddr(ea)
file.close()
def parse_funcs(self):
'''
Parse function struct and rename function
'''
self.func_num = common.read_mem(self.start_addr + 8,
forced_addr_sz=self.ptr_sz)
common._info("Total functions number: %d\n" % self.func_num)
self.func_tbl_sz = self.func_num * 2 * self.ptr_sz
funcs_entry = self.start_addr + 8
self.func_tbl_addr = funcs_entry + self.ptr_sz
idc.MakeNameEx(funcs_entry, "funcs_entry", flags=idaapi.SN_FORCE)
idaapi.autoWait()
idc.MakeNameEx(self.func_tbl_addr, "pc0", flags=idaapi.SN_FORCE)
idaapi.autoWait()
for func_idx in xrange(self.func_num):
curr_addr = self.func_tbl_addr + func_idx * 2 * self.ptr_sz
func_addr = common.read_mem(curr_addr, forced_addr_sz=self.ptr_sz)
name_off = common.read_mem(curr_addr + self.ptr_sz,
forced_addr_sz=self.ptr_sz)
name_addr = self.start_addr + self.ptr_sz + name_off
func_st_addr = name_addr - self.ptr_sz
func_st = FuncStruct(func_st_addr, self)
func_st.parse()
# Make comment for name offset
idc.MakeComm(curr_addr + self.ptr_sz,
"Func Struct: 0x%x" % func_st_addr)
idaapi.autoWait()
def make_name(addr, export_name):
""" Appends a number if a given name exists """
ret = idc.MakeNameEx(addr, export_name, idc.SN_PUBLIC | idc.SN_NOWARN)
i = 0
while ret == 0 and i < 1000:
new_name = "%s_%d" % (export_name, i)
ret = idc.MakeNameEx(addr, new_name, idc.SN_PUBLIC | idc.SN_NOWARN)
i += 1
if ret == 0:
print "[!] could not set name %s at 0x%X" % (export_name, addr)
def renameDword(self):
proc_addr = self._import_table.item(self._import_table.currentRow(), 3).text()
proc_name = str(self._import_table.item(self._import_table.currentRow(), 2).text())
renamed = 0
if proc_addr:
try:
proc_addr = int(proc_addr, 16)
proc_bin_str = " ".join([x.encode("hex") for x in struct.pack("<I", proc_addr)])
next_dword = idc.FindBinary(idc.MinEA(), idc.SEARCH_DOWN|idc.SEARCH_NEXT, proc_bin_str)
while next_dword != idc.BADADDR:
log.debug("Trying to fix-up 0x{:08x}".format(next_dword))
# DWORDs can be "inaccessible" for many reasons and it requires "breaking up" the data blobs
# and manually fixing them
# Reason 1: In a dword array in an unknown section
if idc.isUnknown(next_dword):
idc.MakeUnkn(next_dword, idc.DOUNK_EXPAND)
idc.MakeDword(next_dword)
# Reason 2: In a dword array in a data section
elif idc.isData(next_dword):
hd = idc.ItemHead(next_dword)
idc.MakeDword(hd)
idc.MakeDword(next_dword)
# Reason 3: In a dword array in a code section (validate via "dd <dword>,")
elif idc.isCode(next_dword) and idc.GetDisasm(next_dword).startswith("dd "):
hd = idc.ItemHead(next_dword)
idc.MakeDword(hd)
idc.MakeDword(next_dword)
# Only perform
if idc.Name(next_dword).startswith(("off_", "dword_")) or idc.Name(next_dword) == "":
success = idc.MakeNameEx(next_dword, proc_name, idc.SN_NOWARN|idc.SN_NON_AUTO)
i = 0
new_proc_name = proc_name
while not success and i < 10:
new_proc_name = "{}{}".format(proc_name, i)
success = idc.MakeNameEx(next_dword, new_proc_name, idc.SN_NOWARN|idc.SN_NON_AUTO)
i += 1
if success:
renamed += 1
item = self._import_table.item(self._import_table.currentRow(), 5)
item.setText("{}, {}".format(str(item.text()), new_proc_name))
log.debug("DWORD @ 0x{:08x} now has name {}".format(next_dword, new_proc_name))
else:
log.error("Unable to auto-rename successfully, terminating search")
break
else: log.debug("Value at 0x{:08x} does not meet renaming requirements".format(next_dword))
next_dword = idc.FindBinary(next_dword+4, idc.SEARCH_DOWN|idc.SEARCH_NEXT, proc_bin_str)
except Exception, e:
log.error("Error encountered: {}".format(e))
log.debug("Renamed {:d} instances of {}".format(renamed, proc_name))
def Rename(ea, inStr):
returnVal = idc.MakeNameEx(ea, inStr, 0x100)
if returnVal == 1:
return 1
for i in range(0, 99):
returnVal = idc.MakeNameEx(ea, inStr + "_" + str(i), 0x100)
if returnVal == 1:
return 1
print 'Error, name {:s} already used and can not be automatically renamed'.format(
inStr)
return -1
def makeNameHard(ea, name):
'''Keeps trying to name the given ea until it works, adding the optional _%d suffix'''
count = 0
ret = idc.MakeNameEx(ea, name, idc.SN_PUBLIC | idc.SN_NOWARN)
m = HARD_NAME_RE.match(name)
if m is not None:
#already a name in <name>_<count> format
name, count = m.group(1, 2)
count = int(count)
if ret == 0:
while (count < 100) and (ret == 0):
newName = '%s_%d' % (name, count)
ret = idc.MakeNameEx(ea, newName, idc.SN_PUBLIC | idc.SN_NOWARN)
count += 1
def demangle_data_name(ea, name):
global libcmtIndex
if re.sub(r"\_*\d.*\_f.*", "", name) is not None:
idc.MakeNameEx(
ea, re.sub(r".*LIBCMT.*", "libCMT{}".format(libcmtIndex), name),
idc.SN_AUTO)
libcmtIndex += 1
def rename(self):
if not self.new_name_ok() or not self.old_name:
return False
found = False
for i, a in enumerate(self.vars):
item = self.occurences_lit.item(i)
if item.checkState() == QtCore.Qt.Checked:
clname = a["classname"]
filename = self.structname_to_file_table[clname]
hfile = hparser.HFile(filename)
struct = hfile.get(clname)
struct.rename_var(self.old_name, self.new_name)
hfile.update(struct)
hfile.save()
idc.ParseTypes(filename, idc.PT_FILE | idc.PT_PAKDEF)
found = True
for i, a in enumerate(self.functions):
item = self.occurences_lit.item(i + len(self.vars))
if item.checkState() == QtCore.Qt.Checked:
ea = a["ea"]
func_name = a["func_name"]
if func_name.demangled:
if not gui.ask(
"Function %s is mangled. If you wish to rename it, mangling will dissapear. Continue?"
% func_name.signature()):
continue
old_name = func_name.fullname()
func_name.set_base_name(self.new_name)
print ea, func_name.fullname(), idc.SN_NOCHECK
idc.MakeNameEx(ea, str(func_name.fullname()), idc.SN_NOCHECK)
print "FunctionName %s is replaced to %s" % (
old_name, func_name.fullname())
found = True
return found
def func_recovery(self, gopclntab):
seg_size = self.arch_word(gopclntab + 8)
func_i = gopclntab + 8 + self.addr_size # first func
read_end = func_i + (seg_size*self.addr_size*2)
"""Pseudo struct inside .gopclntab
struct funcInfo{
(Qword or Dword) funcAddr;
(Qword or Dword) offset;
}
"""
cnt = 0
while gopclntab < read_end:
offset = self.arch_word(func_i + self.addr_size)
func_i += 2*self.addr_size # say self.addr_size = 8, 16 = 8(bypass present func_i) + 8(bypass present func_i's offset), see struct given above
func_ptr = gopclntab + offset
funcAddr = self.arch_word(func_ptr)
nameOffset = Dword(func_ptr + self.addr_size) # note Dword
func_name = GetString(gopclntab + nameOffset)
if func_name == None:
return str(cnt)
cnt += 1
func_name = re.sub("[^a-z0-9\/\.]", "_", func_name, flags=re.IGNORECASE)
idc.MakeNameEx(funcAddr, func_name, idc.SN_NOWARN)
return str(cnt)
def parse_hdr(self):
'''
Refer: function [go12Init()] in https://golang.org/src/debug/gosym/pclntab.go
'''
magic = idc.Dword(self.start_addr) & 0xFFFFFFFF
if magic != Pclntbl.MAGIC:
print magic, Pclntbl.MAGIC
common._error("Invalid pclntbl header magic number!")
idc.Exit(1)
#raise Exception("Invalid pclntbl header magic number!")
idc.MakeDword(self.start_addr)
idc.MakeComm(self.start_addr, "Magic Number")
idc.MakeNameEx(self.start_addr,
"runtime_symtab",
flags=idaapi.SN_FORCE)
idaapi.autoWait()
if idc.Word(self.start_addr + 4) & 0xFFFF != 0:
raise Exception("Invalid pclntbl header")
idc.MakeWord(self.start_addr + 4)
self.min_lc = idc.Byte(self.start_addr + 6) & 0xFF
if (self.min_lc != 1) and (self.min_lc != 2) and (self.min_lc != 4):
raise Exception("Invalid pclntbl minimum LC!")
idc.MakeComm(self.start_addr + 6, "instruction size quantum")
idaapi.autoWait()
self.ptr_sz = idc.Byte(self.start_addr + 7) & 0xFF
if (self.ptr_sz != 4) and (self.ptr_sz != 8):
raise Exception("Invalid pclntbl pointer size!")
idc.MakeComm(self.start_addr + 7, "ptr size")
idaapi.autoWait()
def parse_func_pointer():
renamed = 0
for segea in idautils.Segments():
for addr in idautils.Functions(segea, idc.SegEnd(segea)):
#for addr in idautils.Functions(text_seg.startEA, text_seg.endEA):
name = idc.GetFunctionName(addr)
# Look at data xrefs to the function - find the pointer that is located in .rodata
data_ref = idaapi.get_first_dref_to(addr)
while data_ref != idc.BADADDR:
if 'rodata' in idc.get_segm_name(data_ref):
# Only rename things that are currently listed as an offset; eg. off_9120B0
if 'off_' in idc.GetTrueName(data_ref):
if idc.MakeNameEx(data_ref, ('%s_ptr' % name),
flags=idaapi.SN_FORCE):
idaapi.autoWait()
renamed += 1
else:
common._error(
'Failed to name pointer @ 0x%02x for %s' %
(data_ref, name))
data_ref = idaapi.get_next_dref_to(addr, data_ref)
common._info("\nRename %d function pointers.\n" % renamed)
def bulk_prefix():
"""
Prefix the Functions window selection with a user defined string.
"""
# prompt the user for a prefix to apply to the selected functions
tag = idc.AskStr(PREFIX_DEFAULT, "Function Tag")
# the user closed the window... ignore
if tag == None:
return
# the user put a blank string and hit 'okay'... notify & ignore
elif tag == '':
idc.Warning("[ERROR] Tag cannot be empty [ERROR]")
return
#
# loop through all the functions selected in the 'Functions window' and
# apply the user defined prefix tag to each one.
#
for func_name in get_selected_funcs():
# ignore functions that already have the specified prefix applied
if func_name.startswith(tag):
continue
# apply the user defined prefix to the function (rename it)
new_name = '%s%s%s' % (str(tag), PREFIX_SEPARATOR, func_name)
idc.MakeNameEx(idc.LocByName(func_name), new_name, idaapi.SN_NOWARN)
# refresh the IDA views
refresh_views()
def sample_dest():
global x
src_hashes = {}
for i in x.split("|"):
z = i.split(":")
if src_hashes.has_key(z):
src_hashes[z] = "baadf00d"
else:
src_hashes[i[1]] = i[0]
dst_hashes = {}
for addr in idautils.Functions(idc.MinEA(), idc.MaxEA()):
fname = idc.GetFunctionName(addr)
if fname.startswith("sub_"):
z = calc_hash(addr)
if dst_hashes.has_key(z):
src_hashes[z] = "baadf00d"
else:
src_hashes[z] = addr
for x in dst_hashes:
if dst_hashes[x] == "baadf00d":
continue
if src_hashes.has_key(x):
if src_hashes[x] != "baadf00d":
idc.MakeNameEx(dst_hashes[x], src_hashes[x], SN_NOWARN)
print full_hash
def name(ea, string=None):
'''Returns the name at the specified address. (local than global)'''
if string is not None:
SN_NOCHECK = 0x00
SN_NOLIST = 0x80
SN_LOCAL = 0x200
SN_PUBLIC = 0x02
n = name(ea)
flags = SN_NOCHECK
try:
function.top(ea)
flags |= SN_LOCAL
except ValueError:
flags |= 0
idc.MakeNameEx(ea, string, flags)
tag(ea, '__name__', string)
return n
try:
return tag(ea, '__name__')
except KeyError:
pass
return None
def clear_prefix():
"""
Clear user defined prefixes from the selected functions in the Functions window.
"""
#
# loop through all the functions selected in the 'Functions window' and
# clear any user defined prefixes applied to them.
#
for func_name in get_selected_funcs():
#
# locate the last (rfind) prefix separator in the function name as
# we will want to keep everything that comes after it
#
i = func_name.rfind(PREFIX_SEPARATOR)
# if there is no prefix (separator), there is nothing to trim
if i == -1:
continue
# trim the prefix off the original function name and discard it
new_name = func_name[i + 1:]
idc.MakeNameEx(idc.LocByName(func_name), new_name, idaapi.SN_NOWARN)
# refresh the IDA views
refresh_views()
def ParseAMXNativeInfo():
ida_string = idautils.Strings()
last_native = ""
for string in ida_string:
for native in natives:
if (str(string) == native and last_native != native):
last_native = native
for xref in XrefsTo(string.ea):
offset = xref.frm + 4
for native_addr in XrefsFrom(offset):
# Rename native handler function n_NativeName
idc.MakeNameEx(native_addr.to, "n_" + native,
idc.SN_NOWARN)
# Setup function prototype & automate setting the native's
tinfo = idaapi.tinfo_t()
ida_typeinf.guess_tinfo(native_addr.to, tinfo)
funcdata = idaapi.func_type_data_t()
tinfo.get_func_details(funcdata)
tinfo2 = idaapi.tinfo_t()
tinfo2.get_named_type(idaapi.get_idati(),
"Native" + native + "Params")
tinfo3 = idaapi.tinfo_t()
tinfo3.create_ptr(tinfo2)
if (
len(funcdata)
): # For some reason this is 0 for some natives with params? Not sure why...
funcdata[len(funcdata) - 1].type = tinfo3
function_tinfo = idaapi.tinfo_t()
function_tinfo.create_func(funcdata)
idaapi.apply_tinfo2(native_addr.to, function_tinfo,
idaapi.TINFO_DEFINITE)
def parse(self):
itype_addr = common.read_mem(self.addr) & 0xFFFFFFFFFFFFFFFF
self.itype = self.type_parser.parse_type(type_addr=itype_addr)
rtype_addr = common.read_mem(self.addr+common.ADDR_SZ) & 0xFFFFFFFFFFFFFFFF
self.rtype = self.type_parser.parse_type(type_addr=rtype_addr)
self.hash = common.read_mem(self.addr + 2*common.ADDR_SZ, forced_addr_sz=4) & 0xFFFFFFFF
# methods start addr(if has method)
curr_addr = self.addr + 3*common.ADDR_SZ
while True:
if len(idaapi.get_ea_name(curr_addr)) > 0:
# stop at next itab_elem addr
# next itab elem is labeled a head name by ida pro
break
meth_addr = common.read_mem(curr_addr)
if idaapi.get_func(meth_addr):
meth_name = idaapi.get_ea_name(meth_addr)
self.methods.append(meth_name)
self.meth_num += 1
curr_addr += common.ADDR_SZ
idc.MakeComm(self.addr, "interface: %s" % self.itype.name)
idc.MakeComm(self.addr+common.ADDR_SZ, "rtype: %s" % self.rtype.name)
idc.MakeComm(self.addr+2*common.ADDR_SZ, "rtype hash")
idaapi.autoWait()
itab_elem_name = "go_itab__%s_%s" % (self.rtype.name_obj.name_str, self.itype.name)
idc.MakeNameEx(self.addr, itab_elem_name,flags=idaapi.SN_FORCE)
common._debug("Go itab %s(@ 0x%x) parsed." % (itab_elem_name, self.addr))
idaapi.autoWait()
def ida_main():
import idc
filepath = idc.AskFile(0, "*.map", "Load a Dolphin emulator symbol map")
if filepath is None:
return
symbol_map = load_dolphin_map(filepath)
for symbol in symbol_map:
addr = int(symbol.vaddr, 16)
size = int(symbol.size, 16)
idc.MakeUnknown(addr, size, 0)
if symbol.section in [".init", ".text"]:
idc.MakeCode(addr)
success = idc.MakeFunction(
addr, idc.BADADDR if not size else (addr + size))
else:
success = idc.MakeData(addr, idc.FF_BYTE, size, 0)
if not success:
idc.Message("Can't apply properties for symbol:"
" {0.vaddr} - {0.name}\n".format(symbol))
flags = idc.SN_NOCHECK | idc.SN_PUBLIC
if symbol.name.startswith("zz_"):
flags |= idc.SN_AUTO | idc.SN_WEAK
else:
flags |= idc.SN_NON_AUTO
idc.MakeNameEx(addr, symbol.name, flags)
def parse(self):
_debug("Interface @ 0x%x" % self.addr)
# parse pkg path
self.pkg_path_addr = read_mem(self.addr + self.rtype.self_size)
if self.pkg_path_addr > 0 and self.pkg_path_addr != idc.BADADDR:
self.pkg_path_obj = Name(self.pkg_path_addr, self.type_parser.moddata)
self.pkg_path_obj.parse(False)
self.pkg_path = self.pkg_path_obj.name_str
# parse fields
methods_start_addr = read_mem(self.addr + self.rtype.self_size + ADDR_SZ)
methods_cnt = read_mem(self.addr + self.rtype.self_size + 2*ADDR_SZ)
methods_cap = read_mem(self.addr + self.rtype.self_size + 3*ADDR_SZ)
for idx in xrange(methods_cnt):
imeth = IMethodType(methods_start_addr + idx*2*4, self.type_parser)
imeth.parse()
self.methods.append(imeth)
idc.MakeComm(self.addr + self.rtype.self_size, "pkg path%s" % \
(("(@ 0x%x): %s" % (self.pkg_path_addr, self.pkg_path)) if (self.pkg_path_addr>0 and len(self.pkg_path)>0) else ""))
idc.MakeComm(self.addr + self.rtype.self_size + 2*ADDR_SZ, "methods count: 0x%x" % methods_cnt)
idc.MakeComm(self.addr + self.rtype.self_size + 3*ADDR_SZ, "methods capacity: 0x%x" % methods_cap)
idaapi.autoWait()
_debug("Interface pkg path%s" % \
(("(@ 0x%x): %s" % (self.pkg_path_addr, self.pkg_path)) if (self.pkg_path_addr>0 and len(self.pkg_path)>0) else ""))
_debug("Interface methods count: 0x%x" % methods_cnt)
if len(self.rtype.name) > 0:
idc.MakeNameEx(methods_start_addr, "%s_methods" % self.rtype.name, flags=idaapi.SN_FORCE)
idaapi.autoWait()
def parse(self):
_debug("Struct Type @ 0x%x" % self.addr)
# parse pkg path
self.pkg_path_addr = read_mem(self.addr + self.rtype.self_size)
if self.pkg_path_addr > 0 and self.pkg_path_addr != idc.BADADDR:
self.pkg_path_obj = Name(self.pkg_path_addr, self.type_parser.moddata)
self.pkg_path_obj.parse(False)
self.pkg_path = self.pkg_path_obj.simple_name
# parse fields
fields_start_addr = read_mem(self.addr + self.rtype.self_size + ADDR_SZ)
fields_cnt = read_mem(self.addr + self.rtype.self_size + 2*ADDR_SZ)
fields_cap = read_mem(self.addr + self.rtype.self_size + 3*ADDR_SZ)
for idx in xrange(fields_cnt):
field = StructFiled(fields_start_addr + idx*3*ADDR_SZ, self.type_parser)
field.parse()
self.fields.append(field)
idc.MakeComm(self.addr + self.rtype.self_size, "pkg path%s" % \
(("(@ 0x%x): %s" % (self.pkg_path_addr, self.pkg_path)) if (self.pkg_path_addr>0 and len(self.pkg_path)>0) else ""))
idc.MakeComm(self.addr + self.rtype.self_size + 2*ADDR_SZ, "fields count: 0x%x" % fields_cnt)
idc.MakeComm(self.addr + self.rtype.self_size + 3*ADDR_SZ, "fileds capacity: 0x%x" % fields_cap)
idaapi.autoWait()
_debug("Struct pkg path: %s" % (("(@ 0x%x): %s" % (self.pkg_path_addr, self.pkg_path)) \
if (self.pkg_path_addr>0 and len(self.pkg_path)>0) else ""))
_debug("Struct fields num: 0x%x" % fields_cnt)
if len(self.rtype.name) > 0 and fields_cnt > 0:
idc.MakeComm(self.addr + self.rtype.self_size + ADDR_SZ, "fields start address")
idc.MakeNameEx(fields_start_addr, "%s_fields" % self.rtype.name, flags=idaapi.SN_FORCE)
idaapi.autoWait()
_debug("Struct fields start addr: 0x%x" % fields_start_addr)
def define_functions():
native_rvas = [
0x1930,
0x3A90,
0x44b0,
]
native_rvas = [(0x400000 + x) for x in native_rvas]
for ea in native_rvas:
if ea == 0x401930:
# undefine and force convert to code as IDA doesn't analyse it at first
print "Defining fcn GODDAG at 0x%x" % ea
print "Making", ea, "unknown and defining it to code..."
idc.MakeUnkn(ea, 1)
idc.MakeCode(ea)
idc.MakeUnkn(ea + 8, 1)
idc.MakeCode(ea + 7)
else:
if ea == 0x403A90:
fcn_name = "NativeGRUNDTAL_NORRVIKEN"
print "Defining fcn %s at 0x%x" % (fcn_name, ea)
elif ea == 0x4044B0:
fcn_name = "FYRKANTIGImpl"
print "Defining fcn %s at 0x%x" % (fcn_name, ea)
idc.MakeFunction(ea)
idc.MakeNameEx(ea, fcn_name, idc.SN_NOWARN)
def sub_rename(self, sub_pattern, segments=None):
if segments is None:
segments = self.segmentNames
for name in segments:
segmentData = self.get_segment_names(name)
for address, name in segmentData:
idc.MakeNameEx(address, re.sub(sub_pattern, "", name),
idc.SN_AUTO)
def delete_by_pattern(self, delete_pattern, segments=None):
if segments is None:
segments = self.segmentNames
for name in segments:
segmentData = self.get_segment_names(name)
for address, name in segmentData:
if re.match(delete_pattern, name):
idc.MakeNameEx(address, "", idc.SN_AUTO)
def parse_pclntable(module_data):
pPcHeader = module_data.pPcHeader
pc_header = parse_pc_header(pMem=pPcHeader)
ptrSize = pc_header.ptrSize
numberOfFuncs = pc_header.nFunc
log._info("Number of Functions : %d" % numberOfFuncs)
pclntable_start = module_data.pPclnTable
cur_addr = pclntable_start
for idx in range(numberOfFuncs):
cur_addr = pclntable_start + (2 * ptrSize) * idx
func_rva = common.mem_read_integer(addr=cur_addr, read_size=ptrSize)
_func_structure_offset = common.mem_read_integer(addr=cur_addr +
ptrSize,
read_size=ptrSize)
_func_addr = pclntable_start + _func_structure_offset
if not idc.GetFunctionName(func_rva):
log._info("Unk Func @0x%x" % func_rva)
idc.MakeUnkn(func_rva, idc.DOUNK_EXPAND)
idaapi.autoWait()
idc.MakeCode(func_rva)
idaapi.autoWait()
if idc.MakeFunction(func_rva):
idaapi.autoWait()
log._info("Create Func @0x%x" % func_rva)
_func = parse__func(pMem=_func_addr)
#args=_func.args
#func_id=_func.args
func_name_addr = module_data.pFuncNameTable + _func.nameoff
func_name = idc.GetString(func_name_addr)
if func_name:
clean_func_name = utils.clean_function_name(func_name)
log._info("@0x%x Name : [%s]" % (func_rva, func_name))
idc.MakeComm(func_rva, "@0x" + str(hex(func_rva)) + " entry")
idaapi.autoWait()
if idc.MakeStr(func_name_addr,
func_name_addr + len(func_name) + 1):
idaapi.autoWait()
else:
log._error("@0x%x Name : [%s] Failed..." %
(func_rva, func_name))
_func_addr = idaapi.get_func(func_rva)
if _func_addr is not None:
if idc.MakeNameEx(_func_addr.startEA,
func_name,
flags=idaapi.SN_FORCE):
idaapi.autoWait()
log._info("@0x%x Name : [%s]" % (func_rva, func_name))
else:
log._error("@0x%x Name : [%s] Failed..." %
(func_rva, func_name))
def do_rename(line):
splitted = line.split()
strname = splitted[0]
straddr = splitted[1].replace("\r", "").replace("\n", "")
eaaddr = int(straddr, 16)
idc.MakeCode(eaaddr)
idc.MakeFunction(eaaddr)
idc.MakeNameEx(int(straddr, 16), strname, idc.SN_NOWARN)
def rename_vtable_functions(names, vtable_ea, class_name): # type: (typing.Dict[int, str], int, str) -> None
ea = vtable_ea
i = 0
while True:
function_ea = struct.unpack('<Q', idaapi.get_many_bytes(ea, 8))[0]
if '__cxa_pure_virtual' not in idc.GetDisasm(function_ea) and not idaapi.is_func(idaapi.get_flags(function_ea)):
break
member_fn_name = names.get(i, "m%d" % i)
function_name = "%s::%s" % (class_name, member_fn_name)
current_name = idc.GetFunctionName(function_ea)
if current_name.startswith('nullsub_') or current_name.startswith('j_nullsub_'):
idc.MakeNameEx(function_ea, function_name + '_null', idaapi.SN_NOWARN)
elif current_name.startswith('sub_') or \
current_name.startswith("%s::m%d" % (class_name, i)) or \
"runtimetypeinfo" in current_name.lower():
idc.MakeNameEx(function_ea, function_name, idaapi.SN_NOWARN)
i += 1
ea += 8
def parse(self):
self.elem_type_addr = read_mem(self.addr + self.rtype.self_size)
if self.type_parser.has_been_parsed(self.elem_type_addr):
self.elem_rtype = self.type_parser.parsed_types[self.elem_type_addr]
else:
self.elem_rtype = self.type_parser.parse_type(type_addr=self.elem_type_addr)
idc.MakeComm(self.addr + self.rtype.self_size, "elem rtype: %s" % self.elem_rtype.name)
idc.MakeNameEx(self.addr, "%s_slice" % self.elem_rtype.name, flags=idaapi.SN_FORCE)
idaapi.autoWait()
def rename(self):
if not self.new_name:
return False
item_num = 0
found = False
#rename class members
for a in self.text_items:
item = self.occurences_lit.item(item_num)
item_num += 1
if item.checkState() == QtCore.Qt.Checked:
f = open(a['filename'])
lines = f.readlines()
f.close()
lines[a['line']] = re.sub(self.regex(), self.new_name,
lines[a['line']])
f = open(a['filename'], "w")
f.write("".join(lines))
f.close()
found = True
#files
for header in self.header_files:
item = self.occurences_lit.item(item_num)
item_num += 1
if item.checkState() == QtCore.Qt.Checked:
newname = os.path.join(os.path.dirname(header),
self.new_name + ".h")
os.rename(header, newname)
print "File %s was renamed to %s" % (header, newname)
found = True
#functions
for a in self.functions:
item = self.occurences_lit.item(item_num)
item_num += 1
if item.checkState() == QtCore.Qt.Checked:
ea = a["ea"]
func_name = a["func_name"]
if func_name.demangled:
if not gui.ask(
"Function %s is mangled. If you wish to rename it, mangling will dissapear. Continue?"
% func_name.signature()):
continue
old_name = func_name.fullname()
func_name.set_namespace(self.new_name)
print ea, func_name.fullname()
idc.MakeNameEx(ea, str(func_name.fullname()), idc.SN_NOCHECK)
print "FunctionName %s is replaced to %s" % (
old_name, func_name.fullname())
found = True
return found
