Skip to content

Instantly share code, notes, and snippets.

View haltarkon's full-sized avatar

Taras Khalimanenko haltarkon

5 followers · 3 following
  • Ukraine
View GitHub Profile
@haltarkon
haltarkon / how_to_deal_with_some_type_casts_in_ida_pro.md
Created June 23, 2022 15:54
How to deal with some type casts in IDA PRO

You may have encountered situations where in pseudocode a method returns a pointer to some type (base), but then it is cast to a pointer to another type (child). In such a situation, access to fields looks especially bad, include the virtual method table, because the size of structures may differ.

But for IDA PRO there is one solution: 0. Create a union with pointers to whatever you want right in IDA PRO (in Local Types window -> Insert... from contextual menu):

union AnyPointer {
  void* pVoid;
  
  class Type0* pType0;
class Type1* pType1;
@haltarkon
haltarkon / ida_fix_function_signatures.py
Created June 23, 2022 15:33
A script for idapython that tries to correct function signatures based on their mangled (MSVC) names. Unfortunately, at the moment it does NOT give any positive results, but it may be useful to someone.
# Only IDA PRO 7.4+ supported!
# For porting to older versions see:
# https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml
import re
import idc
import idautils
import ida_funcs
import ida_typeinf
@haltarkon
haltarkon / ida_apply_vftable_structures_to_functions_in_idb.py
Created June 23, 2022 15:23
A script for idapython that uses virtual function table structures from "Local Types" to rename functions in the database.
# Only IDA PRO 7.4+ supported!
# For porting to older versions see:
# https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml
# How to use this script:
# 1. Open IDA and load sone binary file;
# 2. Load *.pdb file with *_vtbl structures;
# 3. Analyze binary file
# 4. Run this script from 'File' > 'Script file...' IDA PRO menu.
# 5. Done
@haltarkon
haltarkon / ida_list_sizes_for_classes.py
Created June 23, 2022 15:16
A script for idapython that naively finds possible sizes for C++ classes that have tables of virtual functions in the current database.
# Only IDA PRO 7.4+ supported!
# For porting to older versions see:
# https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml
# How to use this script:
# 1. Open IDA and load sone binary file;
# 2. Analyze binary file
# 3. Run this script from 'File' > 'Script file...' IDA PRO menu.
# 4. Done