AlliedModders (https://forums.alliedmods.net/index.php)
-   Snippets and Tutorials (https://forums.alliedmods.net/forumdisplay.php?f=112)
-   -   New IDA VTable Script (https://forums.alliedmods.net/showthread.php?t=191328)

asherkin 07-28-2012 22:23

New IDA VTable Script
 
Drifter and I were discussing making VTable reconstruction more accessible to beginners on IRC today, and the differences between GCC's and MSVC's ordering.

Over the last several hours, I've rewritten the well-known linux_vtable_dump IDC script in IDAPython, with the following changes:
  • Attempts to fully reconstruct the MSVC VTable ordering, giving Windows offsets that are accurate in almost all cases.
  • Prints to the IDA console instead of writing a file, much faster for quick lookups.
  • Many more safety checks to not try and process gibberish.

It can be found in the SourceMod repo, here.

The only downside to this script is that, because it uses IDAPython, it's not compatible with IDA 5.0.

I've also included my simple IDC script that attempts to help with making Windows signatures.
Using it is easy: just place the cursor in a function and run the script, and it'll dump a wildcarded signature to the output window.
It's primarily intended for use during rapid development, although by extending and checking the wildcards, you can make the generated sig more robust for released projects.
You can download it here.

Just post in this thread if you run into any problems, now go forth and reverse engineer!
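To make the "MSVC VTable ordering" point concrete, here is an added example (not the vtable_dump.py script from the SourceMod repo, and not asherkin's code) that derives the Windows slot order from a GCC vtable for one class's own virtual functions. The thread does not spell out the layout rules, so the two it applies are stated as this example's assumptions: GCC emits two destructor slots (complete-object and deleting) where MSVC has one, and MSVC groups overloads of a function name at the first overload's slot in reverse declaration order while GCC keeps strict declaration order. The class, method names and vtable contents are constructed; a `None` entry stands for a slot pointing at `__cxa_pure_virtual`, whose demangled name a dumper cannot read (the `NoneType` traceback reported later in this thread).

```python
import re
from typing import Optional

# Added example, not the SourceMod vtable_dump.py script. Derives MSVC slot order
# from the demangled entries of a GCC (Itanium C++ ABI) vtable for a single
# class's own virtual functions. Layout rules applied (assumptions of this example):
#   1. GCC emits two destructor slots (complete-object + deleting), MSVC one.
#   2. MSVC groups overloads of one name at the first overload's slot, in
#      reverse declaration order; GCC keeps strict declaration order.
# A None entry models a slot pointing at __cxa_pure_virtual (no readable name).

_PARAMS = re.compile(r"\(.*\)(?: const)?$")


def base_name(sym: str) -> str:
    """'CBaseThing::Touch(CBaseEntity*, bool) const' -> 'CBaseThing::Touch'."""
    return _PARAMS.sub("", sym)


def is_destructor(sym: Optional[str]) -> bool:
    return sym is not None and "::~" in sym


def collapse_destructors(gcc_vtable):
    """Return (linux_index, name) pairs, dropping the second of two adjacent destructor slots."""
    kept = []
    i = 0
    while i < len(gcc_vtable):
        sym = gcc_vtable[i]
        kept.append((i, sym))
        # Two consecutive slots with the same destructor name are the D1/D0 pair: keep one.
        if is_destructor(sym) and i + 1 < len(gcc_vtable) and gcc_vtable[i + 1] == sym:
            i += 1
        i += 1
    return kept


def to_msvc_order(gcc_vtable):
    """Return [(windows_index, linux_index, name)] in MSVC slot order."""
    groups = {}
    order = []
    for linux_idx, sym in collapse_destructors(gcc_vtable):
        # A pure-virtual slot has no name, so it cannot join an overload group; keep it alone.
        key = base_name(sym) if sym is not None else ("pure", linux_idx)
        if key not in groups:
            groups[key] = []
            order.append(key)
        groups[key].append((linux_idx, sym))
    result = []
    for key in order:
        for linux_idx, sym in reversed(groups[key]):  # overloads come out reversed
            result.append((len(result), linux_idx, sym))
    return result


def windows_index(gcc_vtable, linux_index):
    """Windows slot for a Linux slot, or None if that slot was the dropped destructor copy."""
    for win, lin, _ in to_msvc_order(gcc_vtable):
        if lin == linux_index:
            return win
    return None


# Constructed sample: demangled names as IDA would show them for a GCC vtable.
SAMPLE_GCC_VTABLE = [
    "CBaseThing::~CBaseThing()",                           # 0 complete-object destructor
    "CBaseThing::~CBaseThing()",                           # 1 deleting destructor
    "CBaseThing::SetModel(char const*)",                   # 2
    "CBaseThing::Touch(CBaseEntity*)",                     # 3
    "CBaseThing::Teleport(Vector const*)",                 # 4
    "CBaseThing::Touch(CBaseEntity*, bool)",               # 5 overload of slot 3
    None,                                                  # 6 pure virtual
    "CBaseThing::Teleport(Vector const*, QAngle const*)",  # 7 overload of slot 4
]

if __name__ == "__main__":
    print("Win  Lin  Function")
    for win, lin, sym in to_msvc_order(SAMPLE_GCC_VTABLE):
        print("%3d  %3d  %s" % (win, lin, sym if sym is not None else "<pure virtual>"))
```

Two things fall out of the sample. For functions that are not overloaded, the collapsed destructor pair is what produces the familiar "Windows offset = Linux offset - 1" rule (SetModel is slot 2 on Linux and slot 1 on Windows); the overload pairs are where the rule breaks and the reordering is needed. The grouping is only valid within one class's newly declared virtuals, since MSVC cannot reorder slots inherited from a base, so a real dump has to walk the class hierarchy, which is what the RTTI tree support mentioned later in this thread is for.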

Dr!fter 07-28-2012 22:26

Re: New IDA VTable Script
 
Nice job yet again!

GoD-Tony 07-29-2012 01:00

Re: New IDA VTable Script
 
Already gave both scripts a try, very nice job! Example vtable output for the curious: CCSGameRules | CCSPlayer

Quote:

Originally Posted by asherkin (Post 1760256)
I've also included my simple IDC script that attempts to help with making Windows signatures.
It's primarily intended for use during rapid development, although by extending and checking the wildcards, you can make the generated sig more robust for released projects.

Sometimes this can generate a very short unique signature. How far should it be extended to be considered "robust"?

asherkin 07-29-2012 06:47

Re: New IDA VTable Script
 
Quote:

Originally Posted by GoD-Tony (Post 1760318)
Sometimes this can generate a very short unique signature. How far should it be extended to be considered "robust"?

I generally go for another 5 non-wildcard bytes or so.

Peace-Maker 07-29-2012 06:58

Re: New IDA VTable Script
 
You're awesome.

Afronanny 07-29-2012 21:39

Re: New IDA VTable Script
 
The sigmaker, tried with about 5 different functions, just prints out the sig of the entire function. It doesn't attempt to shorten it at all.

GoD-Tony 08-15-2012 09:26

Re: New IDA VTable Script
 
When attempting to dump CBaseClient for CS:GO I get these errors:
Code:

Inheritance Tree:
CBaseClient
 IGameEventListener2
 IClient
  INetChannelHandler
 IClientMessageHandler
  INetMessageHandler
argument of type 'NoneType' is not iterable
Traceback (most recent call last):
  File "python\idaapi.py", line 373, in IDAPython_ExecScript execfile(script, g)
  File "idc/vtable_dump.py", line 253, in <module> Analyze()
  File "idc/vtable_dump.py", line 150, in Analyze if "`non-virtual thunk to'" in name:
TypeError: argument of type 'NoneType' is not iterable


asherkin 08-15-2012 11:16

Re: New IDA VTable Script
 
Quote:

Originally Posted by GoD-Tony (Post 1771989)
When attempting to dump CBaseClient for CS:GO I get these errors:
Code:

Inheritance Tree:
CBaseClient
 IGameEventListener2
 IClient
  INetChannelHandler
 IClientMessageHandler
  INetMessageHandler
argument of type 'NoneType' is not iterable
Traceback (most recent call last):
  File "python\idaapi.py", line 373, in IDAPython_ExecScript execfile(script, g)
  File "idc/vtable_dump.py", line 253, in <module> Analyze()
  File "idc/vtable_dump.py", line 150, in Analyze if "`non-virtual thunk to'" in name:
TypeError: argument of type 'NoneType' is not iterable


I've updated the script with support for this, the issue was with pure virtual functions.

Also, there was another update in the interim that I didn't mention in this thread, that adds support for RTTI trees and dumps MI vtables as well.

Peace-Maker 03-04-2013 15:38

Re: New IDA VTable Script
 
1 Attachment(s)
Noticed I'm using the attached script frequently too, next to the vtable dumper, when searching for stuff.

The attached IDC script lets you search for a binary pattern in the gamedata formatting.
So just copy & paste the signature like "\x55\x8B\xEC\x83\xEC\x2A\x56\x8B\x75\x08\x8B\x06" right out of the gamedata file.
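The signature handling discussed in this thread, as an added example that is not Peace-Maker's attached IDC script, asherkin's sigmaker, or any SourceMod code: it parses a signature in the gamedata form quoted above (where `\x2A` is the wildcard) or in IDA's `55 8B EC ?` form, scans a byte buffer for it, and shows the point GoD-Tony and asherkin discussed earlier, that the shortest unique prefix of a function is often very short and can be padded with a few more non-wildcard bytes. The three x86 function bodies and the module image they are assembled into are constructed for the example, and the choice of which byte to wildcard is made by hand, since the example does no disassembly.

```python
import re

# Added example (not the IDC script from the thread). Parses a signature in
# SourceMod gamedata form ("\x55\x8B\xEC\x2A...", where \x2A is the wildcard)
# or IDA's space-separated form ("55 8B EC ? ..."), scans a byte buffer for it,
# and shows how far a shortest-unique signature is extended for robustness.

WILDCARD_HEX = "2A"  # SourceMod reads 0x2A ('*') as "match any byte"


def parse_signature(text):
    """Return a list of ints (literal bytes) and None (wildcards)."""
    text = text.strip()
    if "\\x" in text:  # gamedata form
        toks = re.findall(r"\\x([0-9A-Fa-f]{2})", text)
        return [None if t.upper() == WILDCARD_HEX else int(t, 16) for t in toks]
    # IDA form: hex bytes separated by spaces, '?' or '??' for a wildcard
    return [None if tok in ("?", "??") else int(tok, 16) for tok in text.split()]


def to_gamedata(pattern):
    """Render as a gamedata string. A literal 0x2A byte cannot be expressed in this
    form and comes out as a wildcard, so the rendered signature may be slightly looser."""
    return "".join("\\x" + WILDCARD_HEX if b is None else "\\x%02X" % b for b in pattern)


def to_ida(pattern):
    return " ".join("?" if b is None else "%02X" % b for b in pattern)


def scan(pattern, buf):
    """Offsets in buf where pattern matches (None matches any byte)."""
    n = len(pattern)
    return [off for off in range(len(buf) - n + 1)
            if all(p is None or p == buf[off + i] for i, p in enumerate(pattern))]


def shortest_unique_length(pattern, buf):
    """Smallest prefix length that matches exactly once in buf; None if no prefix does."""
    for n in range(1, len(pattern) + 1):
        hits = scan(pattern[:n], buf)
        if len(hits) == 1:
            return n
        if not hits:
            return None
    return None


def extend_with_literals(pattern, length, extra):
    """Grow a prefix of `pattern` until `extra` more non-wildcard bytes are included."""
    n, added = length, 0
    while added < extra and n < len(pattern):
        if pattern[n] is not None:
            added += 1
        n += 1
    return n


def make_signature(func_pattern, buf, extra_literals=5):
    """Shortest unique prefix of a function's masked bytes, padded with extra literal bytes."""
    n = shortest_unique_length(func_pattern, buf)
    if n is None:
        raise ValueError("function bytes are not unique within the image")
    return to_gamedata(func_pattern[:extend_with_literals(func_pattern, n, extra_literals)])


# --- constructed sample data -------------------------------------------------
# Three hand-assembled x86 function bodies sharing the same prologue, separated by
# int3 padding, standing in for a loaded module. Not taken from any real binary.
FUNC_A = bytes.fromhex("558BEC83EC10568B75088B068B40045E8BE55DC3")
FUNC_B = bytes.fromhex("558BEC83EC08568B750C8B065E8BE55DC3")
FUNC_C = bytes.fromhex("558BEC83EC20578B7D088B075F8BE55DC3")
SAMPLE_IMAGE = FUNC_C + b"\xCC" * 4 + FUNC_B + b"\xCC" * 4 + FUNC_A

# Byte 5 of FUNC_A is the 'sub esp, imm8' frame size, the kind of operand a sigmaker
# wildcards; the mask is chosen by hand because this example does not disassemble.
FUNC_A_PATTERN = [None if i == 5 else b for i, b in enumerate(FUNC_A)]

# The signature quoted in the thread, as it would appear in a gamedata file.
THREAD_SIG = r"\x55\x8B\xEC\x83\xEC\x2A\x56\x8B\x75\x08\x8B\x06"

if __name__ == "__main__":
    pat = parse_signature(THREAD_SIG)
    print("IDA form:        ", to_ida(pat))
    print("matches at:      ", scan(pat, SAMPLE_IMAGE))
    print("shortest unique: ", shortest_unique_length(FUNC_A_PATTERN, SAMPLE_IMAGE), "bytes")
    print("padded sig:      ", make_signature(FUNC_A_PATTERN, SAMPLE_IMAGE, 5))
```

In the constructed image the first ten masked bytes of FUNC_A are already unique, which is the "very short unique signature" effect; `make_signature` then appends five more literal bytes from the function, the padding asherkin suggested. Uniqueness is only ever measured against the one binary being scanned, which is why a signature that was minimal at generation time tends to break on the next game update and why the extra bytes are worth having.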

GoD-Tony 07-14-2013 05:03

Re: New IDA VTable Script
 
Any chance of this being updated to support vtables in Mac bins? (mainly looking for the MSVC vtable feature)

Definitely not an important request, but it would be neat to have for the situation Dota is in.
