Lame MFC* Ordinals to Symbol Name Mapper (IDA Python)

Fri, 01 Jun 2007 23:40:55 -0500

It is fugly as all hell. I hadn't written a line of Python before attempting this script; so constructive criticism and advice is _much_ appreciated.

I was hoping to write a script that would work for all MFC, like 42, 71, and 8. I tested it on an app compiled against MFC71, and 40, and it sort of works. It doesn't want to map the functions that are called like:



call    ds:MFC71U_280

Where as it seems to map the ones that are called directly just fine. I think this is because I am using the:



ea = ScreenEA()

for function_ea in Functions(SegStart(ea), SegEnd(ea)):

method to iterate through all of the functions, is there a better way to do this? So that I can catch all of the call ds:MFC1U_234 types?

Additionally, I'll update it with one file read into an array as soon as I finish the reverse engineering project that I am working on. I just needed to hack together something that would work, so here you are. Please advise.

*Update: Bought a python reference..hehe.Added the single file read, should be faster now :).



import re

import string

import sys

from sets import Set



#Get the file from the user.

file_path = AskFile(0,"*.def","Please select the appropriate def file.")

def_file = open(file_path, 'rU').readlines()



if not def_file:

    print "[!]Could not read file."

    sys.exit(-1)

    

print "[+]Ok we are reading symbols from %s." % file_path



#Ugly hack so that IDAPython can handle my crappy code.

file_path_mangled = string.replace(file_path, "\\", "_")



#Strip file_path from def file name, we will use this

#to ID the function names that we need to update.

filename_re = re.compile (".*_(.*)\.def")

filename_match = filename_re.match(file_path_mangled)

if not filename_match:

    sys.exit(-1)



mfc_name = filename_match.group(1)

mfc_tag  = filename_match.group(1) + "_.*"



#Iterate through function names, using mfc_tag_match_re to determine

#what function names we will be modding.

mfc_tag_match_re = re.compile(mfc_tag, re.IGNORECASE)



#Does this symbol string have the same format for all MFC?

symbol_string_extract_re = re.compile(".+(\?.*)Z ")



print "[+]Starting this might take a while."



count = 0

ea = ScreenEA()

for function_ea in Functions(SegStart(ea), SegEnd(ea)):

    

    function_name = GetFunctionName(function_ea)

    #Check if this is an MFC function.

    mfc_function_name = mfc_tag_match_re.match(function_name)

    if mfc_function_name:

        count += 1

        

        #Get the ordinal from the matched function name.

        ordinal_from_idb_re = re.compile(".*_([0-9]*)", re.IGNORECASE)

        ordinal_from_mfc_function = ordinal_from_idb_re.match(function_name)



        #If we have a new ordinal, process it.

        if ordinal_from_mfc_function:

            

            ordinal_re = re.compile("(\s"+ordinal_from_mfc_function.group(1)+" )")



            #Search the def file list for the correct ordinal.

            for line in def_file:

                found_def_ordinal = ordinal_re.findall(line)

                if found_def_ordinal:

                    #print "[+]Got symbol string: %s" % line.replace('\n','')

                    stripped_symbol = symbol_string_extract_re.match(line)

                    if stripped_symbol:

                        stripped_mangled = stripped_symbol.group(1)

                        stripped_mangled = stripped_mangled.replace(' ','')

                        stripped_mangled = stripped_mangled.replace('\n','')

                        MakeName(function_ea, stripped_mangled+"_Ren_"+str(count))                   

#Go to the next function.



print "[+]Finished."

OpenRCE: Blog

Lame MFC* Ordinals to Symbol Name Mapper (IDA Python)