IDA script / plugin

[violentmagician]

Hi reversers.
i am trying to get to learn reversing ..very basic atm..
i have seen many posts by cypher and others which list lua callback addresses like
wow-3-0-9-info-lua-callbacks

and it says

This is a dump of all the LUA callbacks for WoW v3.0.9.

I had to write a dumper for two reasons.

1. So I could generate a complete list of all the callbacks to import into IDA with a script.
2. Because I noticed certain LUA calls had different callbacks (and different output) depending on when they were executed (one for the login process, another for once you're ingame).
3. I wanted 'better' output. The one I wrote dumps in alphabetical order, strips duplicates, and has support for callbacks registered with multiple pointers.

the question i ask is can i please get the name and/or link of the IDA script that you use to import the dump into ida?

[ggg898]

Gamedeception has a bunch

[schlumpf]

As far as I know, GD has the one searching for "Usage: ". That one is bad.

You better get a lua function and then search for the list, the function is referenced in. That list is referenced in a function and then pushed entry by entry into the RegisterFunction function. You then take that one and search for all cross references. Take the lists pushed into the function and rename the functions there. That will give you all functions (except the ones of the widget API afaik).

A source in IDC for this approach is here:

Code:

#include <idc.idc>

// RegisterFunction(): 0x0077D290

static getRegisterFunction()
{
	auto dwAddress, str;
	dwAddress = FindBinary( dwAddress + 1, SEARCH_DOWN|SEARCH_NEXT, "\"Usage: SetCharCustomizeFrame\"" );
	dwAddress = DfirstB( DfirstB( PrevFunction( DfirstB( dwAddress ) ) ) ) + 0xE;
	str = GetOpnd ( dwAddress,0 );
	
	if (strstr(str,"sub_") == -1)
		return -1;
		
	str = substr(str,4,strlen(str));
	Message( "str = x%x.\n", xtol(str) );
	
	return (xtol(str));
}


static main()
{
	auto dwAddress, nameptr, maxentries;
	auto dwRegisterFunction; 
	auto name,fname, i;
	dwRegisterFunction = getRegisterFunction();
	Message( "dwRegisterFunction = x%x.\n", dwRegisterFunction );
	if( dwRegisterFunction == -1 )
		return;
		
	dwAddress = 0;
	
	while ( dwAddress != BADADDR )
	{
		dwAddress = RnextB ( dwRegisterFunction, dwAddress );  
		nameptr = GetNamesPtrFromAdr( dwAddress );
		maxentries = Dword( dwAddress + 0xD );
		for (i=0;i<maxentries/8;i++)
		{
			name = GetString( Dword(nameptr), -1, ASCSTR_C );
		
			if(strlen(name) < 4)
				break;
			fname = "Unknown::LUA::" + name;
						
			if ( RenameFunc( Dword(nameptr+4), fname ) == 0 )
				break;
			nameptr = nameptr + 8;
		}
	}
	Message( "Done." );
}

static GetNamesPtrFromAdr( adr )
{
	auto dwRet;
	dwRet = adr - 0x10 + 0x4;
	return ( Dword( dwRet ) - 4 );
}

// 1 = Success, 0 = Failure
static RenameFunc( dwAddress, sFunction )
{
	auto dwRet;

	dwRet = MakeNameEx( dwAddress, sFunction, SN_NOCHECK );

	if( dwRet == 0 )
	{
		auto sTemp, i;
		for( i = 0; i < 32; i++ )
		{
			sTemp = form( "%s_%i", sFunction, i );

			if( ( dwRet = MakeNameEx( dwAddress, sTemp, SN_NOCHECK ) ) != 0 )
			{
				Message( "Info: Renamed to %s instead of %s\n", sTemp, sFunction );
				break;
			}
		}
	}
	return dwRet;	
}

Feel free to use it. ; D

[violentmagician]

thanx this is helpful... i can now finally reverse lua on my own and understand what to use in those codecaves!
any other scripts that you guys recommend?

As far as I know, GD has the one searching for "Usage: ". That one is bad.

You better get a lua function and then search for the list, the function is referenced in. That list is referenced in a function and then pushed entry by entry into the RegisterFunction function. You then take that one and search for all cross references. Take the lists pushed into the function and rename the functions there. That will give you all functions (except the ones of the widget API afaik).

A source in IDC for this approach is here:

Code:

#include <idc.idc>

// RegisterFunction(): 0x0077D290

static getRegisterFunction()
{
	auto dwAddress, str;
	dwAddress = FindBinary( dwAddress + 1, SEARCH_DOWN|SEARCH_NEXT, "\"Usage: SetCharCustomizeFrame\"" );
	dwAddress = DfirstB( DfirstB( PrevFunction( DfirstB( dwAddress ) ) ) ) + 0xE;
	str = GetOpnd ( dwAddress,0 );
	
	if (strstr(str,"sub_") == -1)
		return -1;
		
	str = substr(str,4,strlen(str));
	Message( "str = x%x.\n", xtol(str) );
	
	return (xtol(str));
}


static main()
{
	auto dwAddress, nameptr, maxentries;
	auto dwRegisterFunction; 
	auto name,fname, i;
	dwRegisterFunction = getRegisterFunction();
	Message( "dwRegisterFunction = x%x.\n", dwRegisterFunction );
	if( dwRegisterFunction == -1 )
		return;
		
	dwAddress = 0;
	
	while ( dwAddress != BADADDR )
	{
		dwAddress = RnextB ( dwRegisterFunction, dwAddress );  
		nameptr = GetNamesPtrFromAdr( dwAddress );
		maxentries = Dword( dwAddress + 0xD );
		for (i=0;i<maxentries/8;i++)
		{
			name = GetString( Dword(nameptr), -1, ASCSTR_C );
		
			if(strlen(name) < 4)
				break;
			fname = "Unknown::LUA::" + name;
						
			if ( RenameFunc( Dword(nameptr+4), fname ) == 0 )
				break;
			nameptr = nameptr + 8;
		}
	}
	Message( "Done." );
}

static GetNamesPtrFromAdr( adr )
{
	auto dwRet;
	dwRet = adr - 0x10 + 0x4;
	return ( Dword( dwRet ) - 4 );
}

// 1 = Success, 0 = Failure
static RenameFunc( dwAddress, sFunction )
{
	auto dwRet;

	dwRet = MakeNameEx( dwAddress, sFunction, SN_NOCHECK );

	if( dwRet == 0 )
	{
		auto sTemp, i;
		for( i = 0; i < 32; i++ )
		{
			sTemp = form( "%s_%i", sFunction, i );

			if( ( dwRet = MakeNameEx( dwAddress, sTemp, SN_NOCHECK ) ) != 0 )
			{
				Message( "Info: Renamed to %s instead of %s\n", sTemp, sFunction );
				break;
			}
		}
	}
	return dwRet;	
}

Feel free to use it. ; D

[_Mike]

I couldn't find any public scripts for naming the lua callbacks in the 64-bit binary so I adapted schlumpf's script for it.

Code:

#include <idc.idc>

static getRegisterFunction()
{
	auto dwAddress, str;
	dwAddress = FindBinary( dwAddress + 1, SEARCH_DOWN|SEARCH_NEXT, "\"Usage: SetCharCustomizeFrame\"" );
	dwAddress = DfirstB(DfirstB(PrevFunction( DfirstB( dwAddress ) ))-8)+ 0x1D;
	str = GetOpnd ( dwAddress,0 );
	
	if(!IsAddrStartOfFunction(LocByName(str)))
		return -1;

	RenameFunc(LocByName(str), "FrameScript_RegisterFunction");
	return LocByName(str);
}


static main()
{
	auto prefix = "Script_";
	auto dwAddress, nameptr, maxentries;
	auto dwRegisterFunction; 
	auto name,fname, i;
	dwRegisterFunction = getRegisterFunction();
	Message( "dwRegisterFunction = %x\n", dwRegisterFunction );
	if( dwRegisterFunction == -1 )
		return;
		
	dwAddress = 0;
	
	while ( dwAddress != BADADDR )
	{
		dwAddress = RnextB ( dwRegisterFunction, dwAddress );
		Message("dwAddress %x\n", dwAddress);
		nameptr = GetNamesPtrFromAdr( dwAddress );
		Message("nameptr %x\n", nameptr);
		maxentries = Dword( dwAddress + 0xD );
		for (i=0;i<maxentries/8;i++)
		{
			name = GetString( Qword(nameptr), -1, ASCSTR_C );
		
			if(strlen(name) < 4)
				break;
			if(!IsAddrStartOfFunction(Qword(nameptr+8)))
				break;
			fname = prefix + name;
			Message("%x : %s\n", Qword(nameptr+8), fname);
			
						
			if ( RenameFunc( Qword(nameptr+8), fname ) == 0 )
				break;
			nameptr = nameptr + 16;
		}
	}
	Message( "Done.\n" );
}

static GetNamesPtrFromAdr( adr )
{
	auto dwRet;
	dwRet = adr - 0x1D + 0x3;
	return ( (adr - 0x16) + Dword( dwRet ));
}

// 1 = Success, 0 = Failure
static RenameFunc(dwAddress, sFunction)
{
	auto dwRet;
	if(hasUserName(GetFlags(dwAddress)))
	{
		Message("%x already has custom name %s... skipping\n", dwAddress, Name(dwAddress));
		return 1;
	}
	
	dwRet = MakeNameEx( dwAddress, sFunction, SN_NOCHECK );

	if( dwRet == 0 )
	{
		auto sTemp, i;
		for( i = 0; i < 32; i++ )
		{
			sTemp = form( "%s_%i", sFunction, i );

			if( ( dwRet = MakeNameEx( dwAddress, sTemp, SN_NOCHECK ) ) != 0 )
			{
				Message( "Info: Renamed to %s instead of %s\n", sTemp, sFunction );
				break;
			}
		}
	}
	return dwRet;	
}

static IsAddrStartOfFunction(addr)
{
	if(GetFunctionAttr(addr, FUNCATTR_START) == addr)
		return 1;
	return 0;
}

[eracer]

I made a 32-bit version and got it working on 5.0.5.16057, mostly the same as what _Mike posted above, thanks _Mike.

Code:

#include <idc.idc>

static getRegisterFunction()
{
	auto dwAddress, str;
	dwAddress = FindBinary(dwAddress + 1, SEARCH_DOWN|SEARCH_NEXT, "\"Usage: SetCharCustomizeFrame\"");
	//Message("dwAddress %x\n", dwAddress);
	dwAddress = DfirstB(DfirstB(PrevFunction(DfirstB(dwAddress))))+0xE;
	str = GetOpnd (dwAddress,0);

	if(IsAddrStartOfFunction(LocByName(str)) == 0)
		return -1;

	RenameFunc(LocByName(str), "RegisterScriptFunction");
	return LocByName(str);
}

static main()
{
    auto prefix = "Script_";
	auto dwAddress, nameptr, maxentries;
	auto dwRegisterFunction; 
	auto name,fname, i;
	dwRegisterFunction = getRegisterFunction();
	//Message("dwRegisterFunction = %x\n", dwRegisterFunction);
	if(dwRegisterFunction == -1)
		return;
		
	dwAddress = 0;
	
	while (dwAddress != BADADDR)
	{
		dwAddress = RnextB (dwRegisterFunction, dwAddress); 
        //Message("dwAddress %x\n", dwAddress);		
		nameptr = GetNamesPtrFromAdr(dwAddress);
		//Message("nameptr %x\n", nameptr);
		maxentries = Dword(dwAddress + 0xD);
		for (i=0;i<maxentries/8;i++)
		{
			name = GetString(Dword(nameptr), -1, ASCSTR_C);
			//Message("name %s\n", name);
		
			if(strlen(name) < 4)
				break;
			if(IsAddrStartOfFunction(Dword(nameptr+4)) == 0)
				break;
			fname = prefix + name;
			Message("%x : %s\n", Dword(nameptr+4), fname);
						
			if (RenameFunc(Dword(nameptr+4), fname) == 0)
				break;
			nameptr = nameptr + 8;
		}
	}
	Message("Done.\n");
}

static GetNamesPtrFromAdr(adr)
{
	auto dwRet;
	dwRet = adr - 0x10 + 0x4;
	return (Dword(dwRet) - 4);
}

// 1 = Success, 0 = Failure
static RenameFunc(dwAddress, sFunction)
{
	auto dwRet;
	if(hasUserName(GetFlags(dwAddress)))
	{
		Message("%x already has custom name %s... skipping\n", dwAddress, Name(dwAddress));
		return 1;
	}
	
	dwRet = MakeNameEx(dwAddress, sFunction, SN_NOCHECK);

	if(dwRet == 0)
	{
		auto sTemp, i;
		for(i = 0; i < 32; i++)
		{
			sTemp = form("%s_%i", sFunction, i);

			if((dwRet = MakeNameEx(dwAddress, sTemp, SN_NOCHECK)) != 0)
			{
				Message("Info: Renamed to %s instead of %s\n", sTemp, sFunction);
				break;
			}
		}
	}
	return dwRet;	
}

static IsAddrStartOfFunction(addr)
{
	if(GetFunctionAttr(addr, FUNCATTR_START) == addr)
		return 1;
	return 0;
}