WOW script names in IDA

**Jadd** · 03-26-2015

Originally Posted by splasher

As of 6.1.2.19802:
Jadd's script: 3 315 hits (+25 new scripts to previous Wow release)
My script: 1762 (+3)
Total scripts: 3 606 (+25)
So there are 25 new scripts in the recent release.

Care to list which results mine are not picking up? I'd guess it's class functions, but maybe not.

**splasher** · 03-27-2015

Originally Posted by Jadd

Care to list which results mine are not picking up? I'd guess it's class functions, but maybe not.

They seem to be added token support.

Deleted:
Script_C_RecruitAFriend.GetRecruitInfo

Added:
Script_C_WowTokenGlue.CanVeteranBuy
Script_C_WowTokenGlue.CheckVeteranTokenEligibility
Script_C_WowTokenGlue.GetAccountRemainingGoldAmount
Script_C_WowTokenGlue.GetTokenCount
Script_C_WowTokenPublic.BuyToken
Script_C_WowTokenPublic.GetCommerceSystemStatus
Script_C_WowTokenPublic.GetCurrentMarketPrice
Script_C_WowTokenPublic.GetGuaranteedPrice
Script_C_WowTokenPublic.GetListedAuctionableTokenInfo
Script_C_WowTokenPublic.GetNumListedAuctionableTokens
Script_C_WowTokenPublic.IsAuctionableWowToken
Script_C_WowTokenPublic.IsConsumableWowToken
Script_C_WowTokenPublic.SellToken
Script_C_WowTokenPublic.UpdateListedAuctionableTokens
Script_C_WowTokenPublic.UpdateMarketPrice
Script_C_WowTokenPublic.UpdateTokenCount
Script_C_WowTokenSecure.CancelRedeem
Script_C_WowTokenSecure.ConfirmBuyToken
Script_C_WowTokenSecure.ConfirmSellToken
Script_C_WowTokenSecure.GetPriceLockDuration
Script_C_WowTokenSecure.GetRedemptionInfo
Script_C_WowTokenSecure.GetRemainingGameTime
Script_C_WowTokenSecure.GetTokenCount
Script_C_WowTokenSecure.RedeemToken
Script_C_WowTokenSecure.RedeemTokenConfirm
Script_C_WowTokenSecure.WillKickFromWorld

**Jadd** · 03-28-2015

Mine pick these up. I asked if you can list which ones mine don't pick up, compared with yours.

**splasher** · 03-28-2015

Originally Posted by Jadd

Mine pick these up. I asked if you can list which ones mine don't pick up, compared with yours.

Mmmm.....probably I had to formulate it in more evident way. For the latest release none of additional new scripts found as compared to yours.
The total number of new hits is 25 (26-1), few mine have full intersection with yours.

**Konctantin** · 03-25-2016

I wrote the script to rename Lua functions for the x64 client

Code:

luaFuncs = []

def DumpFunctionArray(ref, arrPtr, size, nameSpace):
    if size > 0 and arrPtr > 1000:
        for i in xrange(0, size):
            ptr  = arrPtr+(i*16)
            name = GetString(Qword(ptr), -1, ASCSTR_C)
            addr = Qword(ptr+8)
            if name != None:
                if nameSpace != None:
                    name = nameSpace+"."+name
                #print("0x%016X 0x%016X %s" % (ptr, addr, name))   
                luaFuncs.append(["Script_"+name, addr])
            else:
                print("# Bad str ref at 0x%X and addr 0x%X" % (ref, ptr))
    else:
        print("# >> Bad parse at ref: 0x%X (Ptr: 0x%X, Size %i)" % (ref, arrPtr, size))

def DumpGlobalFuncs():
    searchPatern = "48 89 5C 24 08 57 48 83 EC 20 48 8B ? ? ? ? ? 48 8B D9 45 33 C0"
    regFunc = FindBinary(0, SEARCH_DOWN, searchPatern)
    print("# !!! FrameScript::RegisterFunction = 0x%016X" % regFunc)
    reference = RnextB(regFunc, 0)
    while reference != BADADDR:
        prev = PrevHead(reference)
        opType = GetOpType(prev, 1)
        opVal = GetOperandValue(prev, 0)
        if opType == 2: #Memory Reference
            # array has 1 function
            arrPtr  = GetOperandValue(prev, 1)
            DumpFunctionArray(reference, arrPtr, 1, None)
        elif opType == 3: #Base + Index
            while (GetMnem(prev) != "lea"):
                prev = PrevHead(prev)
            arrPtr = GetOperandValue(prev, 1)           # lea rbx, arr_adr
            size   = GetOperandValue(NextHead(prev), 1) # mov rdi, arr_size
            DumpFunctionArray(reference, arrPtr, size, None)
        else:
            print("# >> ERR: Unhandled operand type at 0x%X: %u" % (reference, opType))
        reference = RnextB(regFunc, reference)

def DumpNamespaceFunc():
    searchPatern = "48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 48 8B 1D ? ? ? ? 8B F2"
    regFunc = FindBinary(0, SEARCH_DOWN, searchPatern)
    print("# !!! FrameScript::RegisterFunctionNamespaceWithCount = 0x%016X" % regFunc)
    reference = RnextB(regFunc, 0)
    while reference != BADADDR:
        # find first lea r8, namespace_ptr
        lea_r8  = PrevHead(reference)
        while (GetMnem(lea_r8) != "lea" or GetOperandValue(lea_r8, 0) != 8 or GetOpType(lea_r8, 0) != 1):
            lea_r8 = PrevHead(lea_r8)

        # find first lea rcx, table_ptr
        lea_rcx = PrevHead(reference)
        while (GetMnem(lea_rcx) != "lea" or GetOperandValue(lea_rcx, 0) != 1 or GetOpType(lea_rcx, 0) != 1):
            lea_rcx = PrevHead(lea_rcx)

        #find first mov edx, rec_count
        mov_edx = PrevHead(reference)
        while (GetMnem(mov_edx) != "mov" or GetOperandValue(mov_edx, 0) != 2 or GetOpType(mov_edx, 0) != 1):
            mov_edx = PrevHead(mov_edx)
            
        #print("lea_r8 = %X, lea_rcx = %X, mov_edx = %X" % (lea_r8,lea_rcx,mov_edx))
        size  = GetOperandValue(mov_edx, 1)
        table = GetOperandValue(lea_rcx, 1)
        ns    = GetOperandValue(lea_r8, 1)
        namesp= GetString(ns, -1, ASCSTR_C)

        DumpFunctionArray(reference, table, size, namesp)
        reference = RnextB(regFunc, reference)

DumpNamespaceFunc();
DumpGlobalFuncs();

luaFuncs.sort()

for i in xrange(0, len(luaFuncs)):
    print("MakeNameEx(0x%X, \"%s\", SN_NOWARN)" % (luaFuncs[i][1], luaFuncs[i][0]))
    MakeNameEx(luaFuncs[i][1], luaFuncs[i][0], SN_NOWARN)

**taladork** · 12-20-2018

Originally Posted by Konctantin

I wrote the script to rename Lua functions for the x64 client

Code:

luaFuncs = []

def DumpFunctionArray(ref, arrPtr, size, nameSpace):
    if size > 0 and arrPtr > 1000:
        for i in xrange(0, size):
            ptr  = arrPtr+(i*16)
            name = GetString(Qword(ptr), -1, ASCSTR_C)
            addr = Qword(ptr+8)
            if name != None:
                if nameSpace != None:
                    name = nameSpace+"."+name
                #print("0x%016X 0x%016X %s" % (ptr, addr, name))   
                luaFuncs.append(["Script_"+name, addr])
            else:
                print("# Bad str ref at 0x%X and addr 0x%X" % (ref, ptr))
    else:
        print("# >> Bad parse at ref: 0x%X (Ptr: 0x%X, Size %i)" % (ref, arrPtr, size))

def DumpGlobalFuncs():
    searchPatern = "48 89 5C 24 08 57 48 83 EC 20 48 8B ? ? ? ? ? 48 8B D9 45 33 C0"
    regFunc = FindBinary(0, SEARCH_DOWN, searchPatern)
    print("# !!! FrameScript::RegisterFunction = 0x%016X" % regFunc)
    reference = RnextB(regFunc, 0)
    while reference != BADADDR:
        prev = PrevHead(reference)
        opType = GetOpType(prev, 1)
        opVal = GetOperandValue(prev, 0)
        if opType == 2: #Memory Reference
            # array has 1 function
            arrPtr  = GetOperandValue(prev, 1)
            DumpFunctionArray(reference, arrPtr, 1, None)
        elif opType == 3: #Base + Index
            while (GetMnem(prev) != "lea"):
                prev = PrevHead(prev)
            arrPtr = GetOperandValue(prev, 1)           # lea rbx, arr_adr
            size   = GetOperandValue(NextHead(prev), 1) # mov rdi, arr_size
            DumpFunctionArray(reference, arrPtr, size, None)
        else:
            print("# >> ERR: Unhandled operand type at 0x%X: %u" % (reference, opType))
        reference = RnextB(regFunc, reference)

def DumpNamespaceFunc():
    searchPatern = "48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 48 8B 1D ? ? ? ? 8B F2"
    regFunc = FindBinary(0, SEARCH_DOWN, searchPatern)
    print("# !!! FrameScript::RegisterFunctionNamespaceWithCount = 0x%016X" % regFunc)
    reference = RnextB(regFunc, 0)
    while reference != BADADDR:
        # find first lea r8, namespace_ptr
        lea_r8  = PrevHead(reference)
        while (GetMnem(lea_r8) != "lea" or GetOperandValue(lea_r8, 0) != 8 or GetOpType(lea_r8, 0) != 1):
            lea_r8 = PrevHead(lea_r8)

        # find first lea rcx, table_ptr
        lea_rcx = PrevHead(reference)
        while (GetMnem(lea_rcx) != "lea" or GetOperandValue(lea_rcx, 0) != 1 or GetOpType(lea_rcx, 0) != 1):
            lea_rcx = PrevHead(lea_rcx)

        #find first mov edx, rec_count
        mov_edx = PrevHead(reference)
        while (GetMnem(mov_edx) != "mov" or GetOperandValue(mov_edx, 0) != 2 or GetOpType(mov_edx, 0) != 1):
            mov_edx = PrevHead(mov_edx)
            
        #print("lea_r8 = %X, lea_rcx = %X, mov_edx = %X" % (lea_r8,lea_rcx,mov_edx))
        size  = GetOperandValue(mov_edx, 1)
        table = GetOperandValue(lea_rcx, 1)
        ns    = GetOperandValue(lea_r8, 1)
        namesp= GetString(ns, -1, ASCSTR_C)

        DumpFunctionArray(reference, table, size, namesp)
        reference = RnextB(regFunc, reference)

DumpNamespaceFunc();
DumpGlobalFuncs();

luaFuncs.sort()

for i in xrange(0, len(luaFuncs)):
    print("MakeNameEx(0x%X, \"%s\", SN_NOWARN)" % (luaFuncs[i][1], luaFuncs[i][0]))
    MakeNameEx(luaFuncs[i][1], luaFuncs[i][0], SN_NOWARN)

I'm trying to get this script to work for me. I found the framescript register function and made a signature for it, but how do I find it's "namespace with count" the second pattern?

**airjqqq** · 01-04-2020

Code:

registerScriptFunction = 0x31F910

def get_string(addr):
  out = ""
  while True:
    if Byte(addr) != 0:
      out += chr(Byte(addr))
    else:
      break
    addr += 1
  return out

for address in XrefsTo(registerScriptFunction):

    if GetMnem(address.frm + 11) == "cmp" and GetMnem(address.frm - 14) =="lea" and GetOpnd(address.frm-14,0) == "rbx":
        name_address = get_operand_value(address.frm - 14,1)
        size = get_operand_value(address.frm + 11,1)
    elif GetMnem(address.frm + 11) == "cmp" and GetMnem(address.frm - 19) =="lea" and GetOpnd(address.frm-19,0) == "rbx":
        name_address = get_operand_value(address.frm - 14,1)
        size = get_operand_value(address.frm + 11,1)
    elif GetMnem(address.frm - 29) =="lea" and GetOpnd(address.frm-29,0) == "rbx" and GetMnem(address.frm - 22) =="lea" and GetOpnd(address.frm-22,0) == "rdi":
        name_address = get_operand_value(address.frm - 29,1)
        size = (get_operand_value(address.frm - 22,1) - name_address ) / 0x10
    elif GetMnem(address.frm - 29) =="lea" and GetOpnd(address.frm-29,0) == "rbx" and GetMnem(address.frm - 22) =="mov" and GetOpnd(address.frm-22,0) == "edi":
        name_address = get_operand_value(address.frm - 29,1)
        size = get_operand_value(address.frm - 22,1)
    else:
        name_address = 0
        print(hex(address.frm), hex(name_address), size)
    if name_address > 0:
        for i in range(size):
            name_string_address = idaapi.get_64bit(name_address)
            if name_string_address == 0 or name_string_address > 0x30000000:
                break
            name = get_string(name_string_address)
            function_address = idaapi.get_64bit(name_address+8)
            idaapi.set_name(function_address, "script_"+name)
            # print("rename address {} to script_{}".format(hex(function_address), name))
            name_address += 0x10

a script for classic 1.13.3.32836

may need some update for futrue version.

you need to get registerScriptFunction address manually first