Скрипт для IDA Pro, который автоматически переименовывает глобальные объекты ConVar: для каждого вызова функции регистрации (её адрес находится по байтовой сигнатуре) он берёт строку-имя из аргумента в rdx и присваивает её объекту, переданному в rcx. Избавляет от ручного переименования сотен переменных и упрощает анализ кода.
Использование: IDA Pro > File > Script file (либо File > Script command, вставив текст скрипта). Скрипт рассчитан на x64-бинарник с соглашением вызова Windows (аргументы в rcx/rdx) и на стандартные имена секций .data и .rdata.
Python:
import ida_idp
import idautils
import idc
# Byte signatures (in IDA's find_binary syntax) of the ConVar-registration
# functions this script keys on. Every `call` to each of them is inspected,
# so a wrong signature only leads to "Cant find ..." rather than bad renames.
register_convar_functions = [
    "48 89 5C 24 08 48 89 74 24 10 48 89 7C 24 18 55 48 8D 6C 24 B1 48 81 EC A0 00 00 00 4C",
    "48 89 5C 24 08 48 89 74 24 10 55 48",
    "40 53 48 83 EC 60 41",
]

# unknowncheats.me/forum/counterstrike-global-offensive/404445-ida-script-automatically-rename-convars.html

# Names handed to idc.set_name so far; find_and_rename_cvars appends to it
# and uses the occurrence count to suffix duplicates ("name", "name_1", ...).
known_names: list[str] = []
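def find_function_address(signature):
    """Return the start address of the function whose bytes match *signature*.

    The pattern is searched with ``idc.find_binary`` inside the first segment
    returned by ``idautils.Segments()`` only; other segments are never scanned
    (presumably the first segment is the code segment — confirm for the
    binary at hand). A hit is accepted only when it is the first instruction
    of a function, so a match in the middle of a body is skipped.

    Args:
        signature: Byte pattern in IDA's search syntax, e.g. "40 53 48 83 EC 60".

    Returns:
        The matching function's start address, or ``None`` when the database
        has no segments or nothing in the first segment matches.
    """
    start_address = next(idautils.Segments(), None)
    if start_address is None:
        return None  # empty database: nothing to search
    end_address = idc.get_segm_end(start_address)
    current_address = idc.find_binary(start_address, idc.SEARCH_DOWN, signature)
    while current_address != idc.BADADDR and current_address < end_address:
        # Only accept a hit that starts a function; a match inside a body or
        # in unexplored bytes would become a bogus call target later on.
        if idc.get_func_attr(current_address, idc.FUNCATTR_START) == current_address:
            return current_address
        # Resume one byte past the hit so overlapping matches are not missed.
        current_address = idc.find_binary(current_address + 1, idc.SEARCH_DOWN, signature)
    return None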
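def _find_prev_lea(head, reg_name, segment_name, func_start):
    """Walk backwards from *head* to the nearest instruction writing *reg_name*.

    Returns that instruction's address when it is ``lea <reg>, [addr]`` with
    ``addr`` inside the segment called *segment_name*. Returns ``None`` when
    the first instruction targeting the register is anything else, when the
    walk would leave the current function (drops below *func_start*), or when
    there is no previous head.
    """
    reg = ida_idp.str2reg(reg_name)
    addr = idc.prev_head(head)
    # Bound the walk to the enclosing function: without it the scan could
    # wander into the previous function and pick up an unrelated lea.
    while addr != idc.BADADDR and addr >= func_start:
        if idc.get_operand_type(addr, 0) == idc.o_reg and idc.get_operand_value(addr, 0) == reg:
            if idc.print_insn_mnem(addr) == "lea" and idc.get_segm_name(idc.get_operand_value(addr, 1)) == segment_name:
                return addr
            return None  # register is set some other way: not the expected shape
        addr = idc.prev_head(addr)
    return None


def find_and_rename_cvars(function_address):
    """Rename the ConVar objects registered through *function_address*.

    Every ``call`` to *function_address* in the database is inspected. The
    call is expected to be preceded, within the same function, by
    ``lea rcx, [<object in .data>]`` and ``lea rdx, [<string in .rdata>]``;
    the string is read as the ConVar's name and assigned to the .data object.
    A name seen before gets a ``_<n>`` suffix. Call sites whose argument setup
    does not match this shape are skipped.

    Args:
        function_address: Start address of a registration function, as
            returned by ``find_function_address``.

    Side effects:
        Renames globals via ``idc.set_name`` and appends each base name to the
        module-level ``known_names`` list.
    """
    for function in idautils.Functions():
        for head in idautils.FuncItems(function):
            if idc.print_insn_mnem(head) != "call":
                continue
            if idc.get_operand_value(head, 0) != function_address:
                continue
            lea_rcx_address = _find_prev_lea(head, "rcx", ".data", function)
            if lea_rcx_address is None:
                continue
            lea_rdx_address = _find_prev_lea(head, "rdx", ".rdata", function)
            if lea_rdx_address is None:
                continue
            rcx_operand = idc.get_operand_value(lea_rcx_address, 1)
            rdx_operand = idc.get_operand_value(lea_rdx_address, 1)
            cvar_name = idc.get_strlit_contents(rdx_operand)
            if not cvar_name:
                continue
            # The name comes straight out of the analysed binary; tolerate
            # non-UTF-8 bytes instead of aborting the whole pass.
            name = cvar_name.decode("utf-8", errors="replace")
            count = known_names.count(name)
            new_name = name if count == 0 else f"{name}_{count}"
            # set_name validates the identifier and returns false when it is
            # refused (e.g. invalid characters); report that instead of
            # silently moving on.
            if not idc.set_name(rcx_operand, new_name):
                print(f"Failed to rename {rcx_operand:#x} to {new_name!r}")
            known_names.append(name)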
# Script body: locate each registration function by its signature and rename
# the ConVar globals passed to it. Runs at import time, which is how IDA
# executes a script file.
for register_convar in register_convar_functions:
    function_address = find_function_address(register_convar)
    if function_address is None:
        print(f"Cant find {register_convar}")
        continue
    find_and_rename_cvars(function_address)
    print("Success.")