Skip to content

Instantly share code, notes, and snippets.

@patois
Created May 10, 2019 13:47
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save patois/22f8b4b390575f2d66509b1857f24fe6 to your computer and use it in GitHub Desktop.
#include <idc.idc>
static GetExtfunFlags(flags)
{
auto s = 0;
if ((flags & 1) == 1)
s = "EXTFUN_BASE";
if ((flags & 2) == 2)
{
if (s)
s = s + ", EXTFUN_NORET";
else
s = "EXTFUN_NORET";
}
return s;
}
static GetIDCFuncFlags(ea)
{
auto flags = 0;
if (ea)
flags = Qword(ea);
return GetExtfunFlags (flags);
}
static GetVT(vt)
{
auto t = 0;
if (vt == 1)
t = "VT_STR";
else if (vt == 2)
t = "VT_LONG";
else if (vt == 3)
t = "VT_FLOAT";
else if (vt == 4)
t = "VT_WILD";
else if (vt == 5)
t = "VT_OBJ";
else if (vt == 6)
t = "VT_FUNC";
else if (vt == 7)
t = "VT_STR2";
else if (vt == 8)
t = "VT_PVOID";
else if (vt == 9)
t = "VT_INT64";
else if (vt == 10)
t = "VT_REF";
return t;
}
static GetIDCFuncArgs(ea)
{
auto args = "";
auto b, t, _ea;
_ea = ea;
if (_ea)
{
while ((b=Byte (_ea)) != 0)
{
_ea = _ea + 1;
t = GetVT (b);
args = args + t;
if (Byte (_ea) != 0)
args = args+ ", ";
}
}
return args;
}
static ParseExtfunTable(ea, count)
{
auto _ea = ea;
auto i;
auto ExtfunAddr, ExtfunName, ExtfunArgs, ExtfunFlags;
if (ea && count)
{
auto extfun = object ();
for (_ea; _ea < ea+count*5*8; _ea = _ea + 5*8)
{
for (i=0; i<5; i++)
MakeQword(_ea+i*8);
extfun.name = GetString(Qword(_ea), -1, GetStringType(Qword(_ea)));
extfun.fp = Qword(_ea+8);
extfun.args = GetIDCFuncArgs(Qword (_ea+8*2));
extfun.flags = GetIDCFuncFlags(_ea+8*3);
MakeFunction(extfun.fp, BADADDR);
MakeName(extfun.fp, "idcfunc_" + extfun.name);
MakeRptCmt(Qword(_ea+8*2), extfun.args);
MakeComm (_ea+8*3, extfun.flags);
Message("%x: %s (%s)\n", extfun.fp, extfun.name, extfun.args);
}
}
}
static ParseFuncSetTable()
{
auto ea = LocByName("IDCFuncs");
if (ea != BADADDR)
{
auto funcSetTable = object();
// for now, manually parsing the structure
// is favored over deserializing it (o.retrieve())
funcSetTable.qnty = Qword(ea);
funcSetTable.extfun_t_ptr = Qword(ea+8);
MakeName(ea+8, "p_Extfuntable");
funcSetTable.idcengine_startup_ptr = Qword(ea+8*2);
MakeName(ea+8*2, "p_idcengine_startup");
funcSetTable.idcengine_shutdown_ptr = Qword(ea+8*3);
MakeName(ea+8*3, "p_idcengine_shutdown");
funcSetTable.idcengine_init_ptr = Qword(ea+8*4);
MakeName(ea+8*4, "p_idcengine_init");
funcSetTable.idcengine_term_ptr = Qword(ea+8*5);
MakeName(ea+8*5, "p_idcengine_term");
funcSetTable.is_database_open_ptr = Qword(ea+0x8*6);
MakeName(ea+8*6, "p_is_database_open");
funcSetTable.ea2str_ptr = Qword(ea+8*7);
MakeName(ea+8*7, "p_ea2str");
funcSetTable.undeclared_variable_ok_ptr = Qword(ea+8*8);
MakeName(ea+8*8, "p_undeclared_variable_ok");
funcSetTable.get_unkvar_ptr = Qword(ea+8*9);
MakeName(ea+8*9, "p_get_unkvar");
funcSetTable.set_unkvar_ptr = Qword(ea+8*10);
MakeName(ea+8*10, "p_set_unkvar");
funcSetTable.exec_resolved_func_ptr = Qword(ea+8*11);
MakeName(ea+8*11, "p_exec_resolved_func");
funcSetTable.calc_sizeof_ptr = Qword(ea+8*12);
MakeName(ea+8*12, "p_calc_sizeof");
funcSetTable.get_field_ea_ptr = Qword(ea+8*13);
MakeName(ea+8*13, "p_get_field_ea");
MakeName(funcSetTable.extfun_t_ptr, "Extfuntable");
MakeName(funcSetTable.idcengine_startup_ptr, "idcengine_startup");
MakeName(funcSetTable.idcengine_shutdown_ptr, "idcengine_shutdown");
MakeName(funcSetTable.idcengine_init_ptr, "idcengine_init");
MakeName(funcSetTable.idcengine_term_ptr, "idcengine_init");
MakeName(funcSetTable.is_database_open_ptr, "is_database_open");
MakeName(funcSetTable.ea2str_ptr, "ea2str");
MakeName(funcSetTable.undeclared_variable_ok_ptr, "undeclared_variable_ok");
MakeName(funcSetTable.get_unkvar_ptr, "get_unkvar");
MakeName(funcSetTable.set_unkvar_ptr, "set_unkvar");
MakeName(funcSetTable.exec_resolved_func_ptr, "exec_resolved_func");
MakeName(funcSetTable.calc_sizeof_ptr, "calc_sizeof");
MakeName(funcSetTable.get_field_ea_ptr, "get_field_ea");
Message("%08X: FuncSetTable\n", ea);
ParseExtfunTable (funcSetTable.extfun_t_ptr, funcSetTable.qnty);
}
}
static main()
{
if (GetInputFile() == "ida.dll")
{
ParseFuncSetTable();
}
else
Message("This script can only be run on a dissassembled ida.dll idb.\n");
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment