Created
May 10, 2019 13:47
-
-
Save patois/22f8b4b390575f2d66509b1857f24fe6 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <idc.idc> | |
| static GetExtfunFlags(flags) | |
| { | |
| auto s = 0; | |
| if ((flags & 1) == 1) | |
| s = "EXTFUN_BASE"; | |
| if ((flags & 2) == 2) | |
| { | |
| if (s) | |
| s = s + ", EXTFUN_NORET"; | |
| else | |
| s = "EXTFUN_NORET"; | |
| } | |
| return s; | |
| } | |
| static GetIDCFuncFlags(ea) | |
| { | |
| auto flags = 0; | |
| if (ea) | |
| flags = Qword(ea); | |
| return GetExtfunFlags (flags); | |
| } | |
| static GetVT(vt) | |
| { | |
| auto t = 0; | |
| if (vt == 1) | |
| t = "VT_STR"; | |
| else if (vt == 2) | |
| t = "VT_LONG"; | |
| else if (vt == 3) | |
| t = "VT_FLOAT"; | |
| else if (vt == 4) | |
| t = "VT_WILD"; | |
| else if (vt == 5) | |
| t = "VT_OBJ"; | |
| else if (vt == 6) | |
| t = "VT_FUNC"; | |
| else if (vt == 7) | |
| t = "VT_STR2"; | |
| else if (vt == 8) | |
| t = "VT_PVOID"; | |
| else if (vt == 9) | |
| t = "VT_INT64"; | |
| else if (vt == 10) | |
| t = "VT_REF"; | |
| return t; | |
| } | |
| static GetIDCFuncArgs(ea) | |
| { | |
| auto args = ""; | |
| auto b, t, _ea; | |
| _ea = ea; | |
| if (_ea) | |
| { | |
| while ((b=Byte (_ea)) != 0) | |
| { | |
| _ea = _ea + 1; | |
| t = GetVT (b); | |
| args = args + t; | |
| if (Byte (_ea) != 0) | |
| args = args+ ", "; | |
| } | |
| } | |
| return args; | |
| } | |
| static ParseExtfunTable(ea, count) | |
| { | |
| auto _ea = ea; | |
| auto i; | |
| auto ExtfunAddr, ExtfunName, ExtfunArgs, ExtfunFlags; | |
| if (ea && count) | |
| { | |
| auto extfun = object (); | |
| for (_ea; _ea < ea+count*5*8; _ea = _ea + 5*8) | |
| { | |
| for (i=0; i<5; i++) | |
| MakeQword(_ea+i*8); | |
| extfun.name = GetString(Qword(_ea), -1, GetStringType(Qword(_ea))); | |
| extfun.fp = Qword(_ea+8); | |
| extfun.args = GetIDCFuncArgs(Qword (_ea+8*2)); | |
| extfun.flags = GetIDCFuncFlags(_ea+8*3); | |
| MakeFunction(extfun.fp, BADADDR); | |
| MakeName(extfun.fp, "idcfunc_" + extfun.name); | |
| MakeRptCmt(Qword(_ea+8*2), extfun.args); | |
| MakeComm (_ea+8*3, extfun.flags); | |
| Message("%x: %s (%s)\n", extfun.fp, extfun.name, extfun.args); | |
| } | |
| } | |
| } | |
| static ParseFuncSetTable() | |
| { | |
| auto ea = LocByName("IDCFuncs"); | |
| if (ea != BADADDR) | |
| { | |
| auto funcSetTable = object(); | |
| // for now, manually parsing the structure | |
| // is favored over deserializing it (o.retrieve()) | |
| funcSetTable.qnty = Qword(ea); | |
| funcSetTable.extfun_t_ptr = Qword(ea+8); | |
| MakeName(ea+8, "p_Extfuntable"); | |
| funcSetTable.idcengine_startup_ptr = Qword(ea+8*2); | |
| MakeName(ea+8*2, "p_idcengine_startup"); | |
| funcSetTable.idcengine_shutdown_ptr = Qword(ea+8*3); | |
| MakeName(ea+8*3, "p_idcengine_shutdown"); | |
| funcSetTable.idcengine_init_ptr = Qword(ea+8*4); | |
| MakeName(ea+8*4, "p_idcengine_init"); | |
| funcSetTable.idcengine_term_ptr = Qword(ea+8*5); | |
| MakeName(ea+8*5, "p_idcengine_term"); | |
| funcSetTable.is_database_open_ptr = Qword(ea+0x8*6); | |
| MakeName(ea+8*6, "p_is_database_open"); | |
| funcSetTable.ea2str_ptr = Qword(ea+8*7); | |
| MakeName(ea+8*7, "p_ea2str"); | |
| funcSetTable.undeclared_variable_ok_ptr = Qword(ea+8*8); | |
| MakeName(ea+8*8, "p_undeclared_variable_ok"); | |
| funcSetTable.get_unkvar_ptr = Qword(ea+8*9); | |
| MakeName(ea+8*9, "p_get_unkvar"); | |
| funcSetTable.set_unkvar_ptr = Qword(ea+8*10); | |
| MakeName(ea+8*10, "p_set_unkvar"); | |
| funcSetTable.exec_resolved_func_ptr = Qword(ea+8*11); | |
| MakeName(ea+8*11, "p_exec_resolved_func"); | |
| funcSetTable.calc_sizeof_ptr = Qword(ea+8*12); | |
| MakeName(ea+8*12, "p_calc_sizeof"); | |
| funcSetTable.get_field_ea_ptr = Qword(ea+8*13); | |
| MakeName(ea+8*13, "p_get_field_ea"); | |
| MakeName(funcSetTable.extfun_t_ptr, "Extfuntable"); | |
| MakeName(funcSetTable.idcengine_startup_ptr, "idcengine_startup"); | |
| MakeName(funcSetTable.idcengine_shutdown_ptr, "idcengine_shutdown"); | |
| MakeName(funcSetTable.idcengine_init_ptr, "idcengine_init"); | |
| MakeName(funcSetTable.idcengine_term_ptr, "idcengine_init"); | |
| MakeName(funcSetTable.is_database_open_ptr, "is_database_open"); | |
| MakeName(funcSetTable.ea2str_ptr, "ea2str"); | |
| MakeName(funcSetTable.undeclared_variable_ok_ptr, "undeclared_variable_ok"); | |
| MakeName(funcSetTable.get_unkvar_ptr, "get_unkvar"); | |
| MakeName(funcSetTable.set_unkvar_ptr, "set_unkvar"); | |
| MakeName(funcSetTable.exec_resolved_func_ptr, "exec_resolved_func"); | |
| MakeName(funcSetTable.calc_sizeof_ptr, "calc_sizeof"); | |
| MakeName(funcSetTable.get_field_ea_ptr, "get_field_ea"); | |
| Message("%08X: FuncSetTable\n", ea); | |
| ParseExtfunTable (funcSetTable.extfun_t_ptr, funcSetTable.qnty); | |
| } | |
| } | |
| static main() | |
| { | |
| if (GetInputFile() == "ida.dll") | |
| { | |
| ParseFuncSetTable(); | |
| } | |
| else | |
| Message("This script can only be run on a dissassembled ida.dll idb.\n"); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment