

Messages - minimimi

51
Reverse Engineering / Re: IDA Snippets
« on: April 22, 2013, 09:04:48 AM »
Maybe we can have the script name state objects/event managers/etc. In the functions where they initialize there is usually an address of where the return ends up.

This way it's not just dword_sjdflfj

Hmm, now I'm confused by Alex's method4... I will try to make it when I finish it. But I can't understand what you need...
Also I want to merge g3gg's and nanomad's scripts if I can.
Anyway, the current code supports multiple segments. Try it if you are interested in it.

52
Reverse Engineering / Re: IDA Snippets
« on: April 20, 2013, 06:32:43 PM »
Added a new method of my own.
Subroutines that only get/set memory are named [SG]etVal_v(memory address):

ex:
SetVal_v80c90()
GetVal_v80c90()

53
Reverse Engineering / Re: IDA Snippets
« on: April 20, 2013, 04:04:06 PM »
https://bitbucket.org/minimimi/ml-idc/src/
Ported Alex's method 2, and fixed a variable bug in method 1.

54
Reverse Engineering / Re: IDA Snippets
« on: April 18, 2013, 03:49:30 PM »
Ported Alex's method 1. But something is wrong...

55
Reverse Engineering / Re: IDA Snippets
« on: April 18, 2013, 10:12:05 AM »
Code added on Bitbucket:
https://bitbucket.org/minimimi/ml-idc/src/d6d5e1c6b918cada4a828c54bfd592a04f374078/ml.py?at=default

How to use it:
1: Get and use CHDK.idc and related files.
2: Run ml.py from the IDA menu (File -> Script file).

This script now supports MakeFunc by STMFD and MakeName by register_func.
Change log:
 - [STMFD] added code related to nanomad's suggestion

56
Reverse Engineering / Re: IDA Snippets
« on: April 16, 2013, 06:16:46 PM »
Lesson 1: IDAPython version of my function-izing by STMFD (lol)

Code:
from idaapi import *
from idc import *      # MakeFunction / MinEA / MaxEA live in idc, not idaapi

# Scan the whole database in 4-byte (ARM instruction) steps
adStea = MinEA()
adEdea = MaxEA()

intCount = 0
for ad in range(adStea, adEdea, 4):
    # Little-endian ARM: the high halfword of the instruction at X is at X+2
    insPre = get_word(ad-2)   # high halfword of the previous instruction
    insCur = get_word(ad+2)   # high halfword of this instruction
    strFname = get_func_name(ad)
    # 0xE92D = STMFD SP!, {...} (prologue), 0xE8BD = LDMFD SP!, {...} (epilogue
    # of the previous function). Only touch code that is not yet in a function
    # (get_func_name() returns None or "" there), like the IDC version does.
    if insCur == 0xE92D and insPre == 0xE8BD and not strFname:
        MakeFunction(ad, BADADDR)
        print("MakeFunc %x %s" % (ad, get_func_name(ad)))
        intCount = intCount + 1

print("TotalCount=%d" % intCount)


57
Reverse Engineering / Re: IDA Snippets
« on: April 16, 2013, 09:27:44 AM »
Oh, Alex, you already have similar code.
name_funcx.py is really similar to my work. And I think it's better than mine.
Anyway, I'll try to port it, but IDA script has no dictionary...

You can try to port these (or just use them to save an IDC):

https://github.com/alexdu/ARM-console/blob/master/scripts/guessfunc.py
http://a1ex.magiclantern.fm/bleeding-edge/name_funcx.py

58
Reverse Engineering / Re: IDA Snippets
« on: April 16, 2013, 07:42:30 AM »
nanomad:
Yes, correct! I know about this problem, but it's not such a big problem, I think. So just *now* I'm not supporting it.
Do you have a problem in your environment?
I'm checking the previous instruction with word(addr-4). Is that not enough?

A1ex:
Thanks for pointing this out. But IDA script is really inconvenient, so I need to learn IDAPython first.

1%:
Yes, I know. The current IDA script code doesn't support a bigger split-segment size. The "for" loop is not working...

59
Reverse Engineering / Re: IDA Snippets
« on: April 15, 2013, 09:44:27 AM »
MakeFunction at STMFD.
When I use CHDK.idc, nanomad's script doesn't work, because almost every STMFD section is already done with MakeCode.
But it isn't set as a function (keyboard shortcut P). So this script will automatically find STMFD and MakeFunction that code.


Code:
  // MakeFunction on every STMFD SP!, {...} that directly follows an
  // LDMFD SP!, {...} (the epilogue of the previous function) and that is
  // not already inside a function.
  auto sb = MinEA();
  auto se = MaxEA();
  auto a, c, w, d;

  c = 0;
  for (a=sb; a<se; a=a+4) {
    // little-endian ARM: the high halfword of the instruction at a is at a+2
    w = Word(a-2);   // high halfword of the previous instruction
    d = Word(a+2);   // high halfword of this instruction
    // 0xE92D = STMFD SP!, {...}   0xE8BD = LDMFD SP!, {...}
    if ((d==0xE92D) && (w == 0xE8BD) && !strlen(GetFunctionName(a))) {
      MakeFunction(a,BADADDR);
      Message("MakeFunc %x %s\n",a, GetFunctionName(a));
      c = c+1;
    }
  }
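An added stand-alone Python example (not code from this thread or from the ml-idc repository) that applies the same STMFD/LDMFD halfword check used by the IDAPython script in post 56 and the IDC script above to a raw little-endian ARM byte buffer, and also decodes the pushed register list. The byte buffer is constructed for the demo; the function at the very start of it shows the case the heuristic cannot find.

```python
import struct

# Little-endian ARM: the high halfword of the 32-bit instruction at X sits at X+2,
# which is what the scripts in this thread read with Word(a+2) / get_word(ad+2).
STMFD_SP_HI = 0xE92D   # STMFD SP!, {...}  (function prologue: push regs + LR)
LDMFD_SP_HI = 0xE8BD   # LDMFD SP!, {...}  (epilogue of the previous function)
REG_NAMES = ["R%d" % i for i in range(13)] + ["SP", "LR", "PC"]


def reglist(low_halfword):
    """Decode the 16-bit register mask of an LDM/STM into register names."""
    return [REG_NAMES[i] for i in range(16) if low_halfword & (1 << i)]


def find_function_starts(code, base):
    """Apply the thread's heuristic to a raw code blob: return
    [(address, pushed registers)] for every STMFD SP! that directly
    follows an LDMFD SP!. The blob is walked 4 bytes at a time."""
    found = []
    for off in range(4, len(code) - 3, 4):
        prev_hi = struct.unpack_from("<H", code, off - 2)[0]
        cur_lo, cur_hi = struct.unpack_from("<HH", code, off)
        if cur_hi == STMFD_SP_HI and prev_hi == LDMFD_SP_HI:
            found.append((base + off, reglist(cur_lo)))
    return found


# Constructed sample (not firmware): three functions back to back.
SAMPLE_BASE = 0xFF000000
SAMPLE_CODE = struct.pack("<6I",
    0xE92D4010,  # +0x00 STMFD SP!, {R4,LR}      first function: nothing precedes it
    0xE8BD8010,  # +0x04 LDMFD SP!, {R4,PC}
    0xE92D4070,  # +0x08 STMFD SP!, {R4-R6,LR}
    0xE1A00000,  # +0x0C MOV R0, R0 (nop)
    0xE8BD8070,  # +0x10 LDMFD SP!, {R4-R6,PC}
    0xE92D4FF0,  # +0x14 STMFD SP!, {R4-R11,LR}
)

if __name__ == "__main__":
    for addr, regs in find_function_starts(SAMPLE_CODE, SAMPLE_BASE):
        print("MakeFunc %x  STMFD SP!, {%s}" % (addr, ",".join(regs)))
    # The function at +0x00 is never reported: the heuristic needs a preceding
    # LDMFD, so the first function of a region (and any function whose
    # predecessor ends differently) has to be created by another pass.
```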

60
Reverse Engineering / Re: IDA Snippets
« on: April 13, 2013, 08:41:01 AM »
Updated func-guess by register_func.

Previously, it did not actually convert the names.


61
Reverse Engineering / Re: IDA Snippets
« on: April 12, 2013, 08:07:48 PM »
Updated. Saved here for me.
About 3000 functions guessed now.

Usage: python ./main.py disasm.c | sort | uniq



Modified
On the 6D, DryosDebugMessage is moved to RAM space, so you may change the search key from DryosDebugMessage to v67C8.

62
Reverse Engineering / Re: IDA Snippets
« on: April 12, 2013, 02:49:15 PM »
I made a small Python script which guesses function names from IDA decompiled text.
Currently only the phase one guessing method is implemented.

This code automatically guesses function names and outputs an IDA script.

Current result is:
Code:
Total func converted = 1258/18275

The Python code is:
Code:
# coding=utf-8
# Guess a name for every function in an IDA-decompiled listing from the words of
# its DryosDebugMsg strings, and print IDC MakeName() calls for the best guesses.
import sys
import re

argvs = sys.argv
argc = len(argvs)

# words starting with these are noise (separators, arrows, error tags), not names
NOISE_PREFIXES = (":", "<", ">", "ERR", "#", "!", "=", "(", ")", "Unknown", "+", "@")

def parseDryDbgMsg(strFname, strCode, dicParams):
    """Split the string literal of one DryosDebugMsg call into words and
    count them in dicParams (word -> number of occurrences)."""
    lstCode1 = strCode.split('"')
    if len(lstCode1) < 2:
        return

    strRet = ""
    lstCode = lstCode1[1].split(" ")
    # filter and clean up every word of the message
    for strT in lstCode:
        if len(strT) == 0:
            continue
        if "%" in strT or ".c" in strT:      # format specifiers, source file names
            continue
        if strT.startswith(NOISE_PREFIXES):
            continue
        strT = re.sub(r"\\[nrt]", "", strT)       # drop C escapes such as \n
        strT = re.sub(r"[*:().,\-\[]", "", strT)  # drop punctuation
        if len(strT):
            if "]" in strT:
                # a "[MC]" style tag is glued to the following word: MC_word
                strRet = strRet + strT.replace("]", "_")
            else:
                strRet = strRet + strT + " "
    # count the remaining words
    for strParam in strRet.split(" "):
        if len(strParam):
            dicParams[strParam] = dicParams.get(strParam, 0) + 1

def PrepareFuncCode(lstFuncCode):
    """lstFuncCode holds the decompiled lines of one function. Use its most
    frequent debug-message word as the name; return 1 if a name was emitted."""
    # the original function name is the last word before '(' on the first line
    lstLine = lstFuncCode[0].split('(')
    strFname = re.sub("^.* ", "", lstLine[0])
    if len(strFname) == 0:
        return 0

    dicParams = {}
    for strCode in lstFuncCode:
        if strCode.find('DryosDebugMsg') != -1:
            parseDryDbgMsg(strFname, strCode, dicParams)

    # find the most counted word
    strNFname = ""
    intCount = 0
    for k, v in dicParams.items():
        if intCount < v:
            strNFname = k
            intCount = v

    # ignore short words and words seen only once
    if len(strNFname) < 8 or intCount <= 1:
        return 0
    # MakeName() takes an address and a string, so resolve the old name with
    # LocByName() and quote the new one
    print('MakeName(LocByName("%s"), "%s");' % (strFname, strNFname))
    return 1

def main(argvs, argc):
    intFuncnum = 0
    intPrevfuncnum = 0
    lstFunc = []
    intConvNum = 0

    # the decompiler separates functions with "//----- (address) -----" lines
    with open(argvs[1], 'r') as f:
        for strLine in f:
            if strLine.find("//----- ") != -1:
                intFuncnum = intFuncnum + 1

            if intPrevfuncnum < intFuncnum:        # entering a new function
                if len(lstFunc):
                    intConvNum = intConvNum + PrepareFuncCode(lstFunc)
                    del lstFunc[:]
                intPrevfuncnum = intFuncnum
            elif intFuncnum >= 1:
                lstFunc.append(strLine)
    # flush the last function of the file
    if len(lstFunc):
        intConvNum = intConvNum + PrepareFuncCode(lstFunc)

    print("Total func converted = %d/%d" % (intConvNum, intFuncnum))

main(argvs, argc)

63
Reverse Engineering / Re: IDA Snippets
« on: April 11, 2013, 03:36:58 PM »
Sorry, solved it myself.

Code:
    // Rename functions from register_func(name, fn_ptr, ...) calls.
    // Assumed layout: the name pointer is loaded into R0 at addr-4 and the
    // function pointer into R1 at addr-12, where addr is the "BL register_func".
    auto start_addr = MinEA();
    auto addr;
    auto func;
    auto func_name;
    auto addr16;
    auto optype;
    auto dis, str_ptr, possible_name;
    while(1) {
        Message("Looking from %x\n", start_addr);
        addr = FindText(start_addr, SEARCH_DOWN|SEARCH_NEXT|SEARCH_REGEX, 0, 0, "register_func");
        if ( addr == BADADDR )
            break;
        dis = GetDisasm(addr);
        if(strstr(dis,"BL") == 0) {
            // 1st argument: pointer to the name string
            str_ptr = GetOperandValue(addr-4,1);
            possible_name = GetString(str_ptr, -1, ASCSTR_C);
            if(strlen(possible_name) == 0){
                start_addr = addr + 4;
                continue;
            }
            Message("  %s\n", possible_name);

            // 2nd argument: the function pointer, three instructions before the BL
            addr16 = addr-12;
            optype = GetOpType(addr16,1);
            dis = GetDisasm(addr16);
            Message("  %s %d\n", dis, optype);
            if(optype==2){
                // o_mem operand ("=sub_xxx" / "&sub_xxx"): GetOperandValue does not
                // return the function address here, so take the name from the
                // operand text (dropping the leading '=' or '&') and look it up
                func_name = GetOpnd(addr16,1);
                func_name = substr(func_name, 1, strlen(func_name));
                func = LocByName(func_name);
            }else{
                func = GetOperandValue(addr16,1);
                func_name = GetFunctionName(func);
            }
            Message("  %s\n",func_name);

            //check that we got a function name and an address
            if(strlen(func_name) == 0 || func == BADADDR){
                Message("  Can't get func_name\n");
                start_addr = addr + 4;
                continue;
            }

            //check whether func_name was already converted (no longer sub_xxx)
            if(strstr(func_name,"sub_") != 0){
                Message("  Already converted\n");
                start_addr = addr + 4;
                continue;
            }

            MakeName(func, possible_name);
            Message("Converted %s to %s\n", func_name, possible_name);
        }
        start_addr = addr + 4;
    }

64
Reverse Engineering / Re: IDA Snippets
« on: April 11, 2013, 12:57:04 PM »
I made a function rename script based on register_func.
Basically register_func takes the function name as its 1st argument, and the 2nd argument is the actual function pointer.

So now I have a problem converting &sub_xxxx in this script. (Thanks nanomad, this is based on your script.)
sub_xxx is successfully converted, but for &sub_xxx GetOperandValue doesn't get the correct function address...
Do you know how I can do that?
GetTypesomething(addr16) ????

Code:
    // Rename functions from register_func(name, fn_ptr, ...) calls.
    // Assumed layout: the name pointer is loaded into R0 at addr-4 and the
    // function pointer into R1 at addr-12, where addr is the "BL register_func".
    auto start_addr = MinEA();
    auto addr;
    auto func;
    auto func_name;
    auto addr16;
    auto dis, str_ptr, possible_name;
    while(1) {
        Message("Looking from %x\n", start_addr);
        addr = FindText(start_addr, SEARCH_DOWN|SEARCH_NEXT|SEARCH_REGEX, 0, 0, "register_func");
        if ( addr == BADADDR )
            break;
        dis = GetDisasm(addr);
        if(strstr(dis,"BL") == 0) {
            // 1st argument: pointer to the name string
            str_ptr = GetOperandValue(addr-4,1);
            possible_name = GetString(str_ptr, -1, ASCSTR_C);
            if(strlen(possible_name) == 0){
                start_addr = addr + 4;
                continue;
            }
            Message("  %s\n", possible_name);

            // 2nd argument: the function pointer, three instructions before the BL
            // (this only works when the operand value is the function address,
            // which is the &sub_xxx problem asked about above)
            addr16 = addr-12;
            func = GetOperandValue(addr16,1);
            dis = GetDisasm(addr16);
            Message("  %s\n", dis);
            func_name = GetFunctionName(func);
            Message("  %s\n", func_name);

            //check func_name length
            if(strlen(func_name) == 0){
                Message("  Can't get func_name\n");
                start_addr = addr + 4;
                continue;
            }

            //check whether func_name was already converted (no longer sub_xxx)
            if(strstr(func_name,"sub_") != 0){
                Message("  Already converted\n");
                start_addr = addr + 4;
                continue;
            }

            MakeName(func, possible_name);
            Message("Converted %s to %s\n", func_name, possible_name);
        }
        start_addr = addr + 4;
    }
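As an added example (not the thread's code), here is a stand-alone Python parser that recovers the same name/pointer pairs from a constructed IDA-style ARM listing instead of from inside IDA: it tracks the last value loaded into each register and, at every BL register_func, pairs R0's string with R1's sub_ target, so the function pointer may be loaded any number of instructions before the call rather than exactly at addr-12. The listing lines, the label names and the argument order (name in R0, pointer in R1, as described in the post above) are assumptions made for the demo.

```python
import re

# One IDA-style listing line: "SEG:ADDR  MNEMONIC  operands   ; comment"
LINE_RE = re.compile(r'^\w+:[0-9A-Fa-f]+\s+(\w+)\s+([^;]*?)\s*(?:;\s*(.*))?$')
SUB_RE = re.compile(r'\bsub_([0-9A-Fa-f]+)\b')   # IDA default name carries the address
QUOTED_RE = re.compile(r'"([^"]*)"')             # the string IDA shows as a comment

def guess_register_func_names(listing):
    """Return {function_address: name} for every register_func(name, fn_ptr)
    call in the listing. Assumption: name in R0, function pointer in R1."""
    regs = {}    # register -> (operand text, line comment) of its last load
    names = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mnem, ops, comment = m.groups()
        if mnem in ("LDR", "ADR", "MOV"):
            dst, src = [p.strip() for p in ops.split(",", 1)]
            regs[dst] = (src, comment or "")
        elif mnem == "BL":
            if ops == "register_func" and "R0" in regs and "R1" in regs:
                name = QUOTED_RE.search(regs["R0"][1])
                target = SUB_RE.search(regs["R1"][0])   # None once already renamed
                if name and target:
                    names[int(target.group(1), 16)] = name.group(1)
            regs.clear()   # a call clobbers R0-R3: never pair stale operands
    return names

def to_idc(names):
    """Turn the guesses into old-style IDC MakeName() statements."""
    return ['MakeName(0x%X, "%s");' % (a, n) for a, n in sorted(names.items())]

# Constructed listing in IDA's ARM output style (not a real firmware dump).
LISTING = """\
ROM:FF010000    LDR     R1, =sub_FF020000
ROM:FF010004    MOV     R2, #0
ROM:FF010008    LDR     R0, =aStartTask      ; "StartTask"
ROM:FF01000C    BL      register_func
ROM:FF010010    ADR     R1, sub_FF020040
ROM:FF010014    MOV     R3, #1
ROM:FF010018    MOV     R2, #0
ROM:FF01001C    LDR     R0, =aShutdown       ; "Shutdown"
ROM:FF010020    BL      register_func
ROM:FF010024    LDR     R1, =task_create
ROM:FF010028    LDR     R0, =aCreateTask     ; "CreateTask"
ROM:FF01002C    BL      register_func
"""

if __name__ == "__main__":
    print("\n".join(to_idc(guess_register_func_names(LISTING))))
```

The second call has its pointer loaded four instructions before the BL, which the fixed addr-12 lookup in the script above would miss, and the third call is skipped because task_create is no longer an IDA default name.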
