{"id":7369,"date":"2020-07-31T23:12:30","date_gmt":"2020-07-31T23:12:30","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7369"},"modified":"2020-07-31T23:24:15","modified_gmt":"2020-07-31T23:24:15","slug":"ida-colonoscopy","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/07\/31\/ida-colonoscopy\/","title":{"rendered":"IDA colonoscopy"},"content":{"rendered":"\n

One of the most annoying things I come across during analysis are … function names. It’s great to have many of them resolved either via flirt of symbols, but the length of some of these function names is making it really hard to read code.<\/p>\n\n\n\n

It is especially important with ‘basic’ string functions that hide behind constructs like:<\/p>\n\n\n\n

std::basic_string,std::allocator,_STL70>::assign\n(std::basic_string,std::allocator,_STL70> const &,uint,uint)<\/pre>\n\n\n\n
std::basic_string,std::allocator,_STL70>::operator=(ushort const *)<\/pre>\n\n\n\n
Why not simple ‘assign’ and ‘operator’?<\/p>\n\n\n\n
It’s because it’s puristic and accurate, that’s why \ud83d\ude42<\/p>\n\n\n\n
Reading code listings relying on these functions is difficult, and it involves a lot of mental processing to find the actual method name in these long strings.<\/p>\n\n\n\n
I got bored doing so and coded a very badly written idapython script that replaces these names with a shorter version. Again, this is a blasphemy to both IDA and IDAPython so you have been warned.<\/p>\n\n\n\n
import idaapi\nimport idc\nimport types\nimport os\nimport pprint\nimport random\n\nmask = idc.GetLongPrm(idc.INF_SHORT_DN)\n\nfor func_ea in idautils.Functions():\n    function_name = idc.GetFunctionName(func_ea)\n    function_name_dem = idc.Demangle(function_name, mask)\n    if function_name_dem != None:\n       function_name = function_name_dem\n    m=re.search(r'hex_',function_name,re.IGNORECASE) <\/code>\n    if not m:<\/code>\n       print function_name <\/code>\n       m=re.search(r'basic_string.*?::([^:=]+)\\(',function_name,re.IGNORECASE) <\/code>\n       if m: <\/code>\n          short_fun = m.group(1) <\/code>\n          short_fun1 = re.sub('[\\(=< ~\\'\\\"\\+\\`-].+$','',short_fun) <\/code>\n          cnt=0 <\/code>\n          while True: <\/code>\n             short_fun = 'hex_string_' + short_fun1 + \"_\" + str(cnt) <\/code>\n             res = MakeName(func_ea,short_fun) <\/code>\n             if res: <\/code>\n                print short_fun <\/code>\n                break <\/code>\n             cnt = cnt + 1 <\/code>\n             if cnt>1000: <\/code>\n                break<\/code><\/pre>\n\n\n\n
The result:<\/p>\n\n\n\n
before<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
after<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"
One of the most annoying things I come across during analysis are … function names. It’s great to have many of them resolved either via flirt of symbols, but the length of some of these function names is making it … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[85],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7369"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7369"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7369\/revisions"}],"predecessor-version":[{"id":7378,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7369\/revisions\/7378"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}