Raised This Month: $12 Target: $400
 3% 

New IDA VTable Script


Post New Thread Reply   
 
Thread Tools Display Modes
Author Message
asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
Old 07-28-2012 , 22:23   New IDA VTable Script
Reply With Quote #1

Drifter and I were discussing making VTable reconstruction more accessible to beginners on IRC today, and the differences between GCC's and MSVC's ordering.

Over the last several hours, I've rewritten the well-known linux_vtable_dump IDC script in IDAPython, with the following changes:
  • Attempts to fully reconstruct the MSVC VTable ordering, giving Windows offsets that are accurate in almost all cases.
  • Prints to the IDA console instead of writing a file, much faster for quick lookups.
  • Many more safety checks to not try and process gibberish.

It can be found in the SourceMod repo, here.

The only downside to this script, is that due to using IDAPython, it's not compatible with IDA 5.0.

I've also included my simple IDC script that attempts to help with making Windows signatures.
Using it is easy, just place the cursor in a function and run the script, it'll dump a wildcarded signature to the output window.
It's primarily intended for use during rapid development, although by extending and checking the wildcards, you can make the generated sig more robust for released projects.
You can download it here.

Just post in this thread if you run into any problems, now go forth and reverse engineer!
__________________

Last edited by asherkin; 07-28-2012 at 22:24.
asherkin is offline
Dr!fter
The Salt Boss
Join Date: Mar 2007
Old 07-28-2012 , 22:26   Re: New IDA VTable Script
Reply With Quote #2

Nice job yet again!
Dr!fter is offline
GoD-Tony
Veteran Member
Join Date: Jul 2005
Old 07-29-2012 , 01:00   Re: New IDA VTable Script
Reply With Quote #3

Already gave both scripts a try, very nice job! Example vtable output for the curious: CCSGameRules | CCSPlayer

Quote:
Originally Posted by asherkin View Post
I've also included my simple IDC script that attempts to help with making Windows signatures.
It's primarily intended for use during rapid development, although by extending and checking the wildcards, you can make the generated sig more robust for released projects.
Sometimes this can generate a very short unique signature. How far should it be extended to be considered "robust"?
__________________

Last edited by GoD-Tony; 07-29-2012 at 01:22.
GoD-Tony is offline
asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
Old 07-29-2012 , 06:47   Re: New IDA VTable Script
Reply With Quote #4

Quote:
Originally Posted by GoD-Tony View Post
Sometimes this can generate a very short unique signature. How far should it be extended to be considered "robust"?
I generally go for another 5 non-wildcard bytes or so.
__________________
asherkin is offline
Peace-Maker
SourceMod Plugin Approver
Join Date: Aug 2008
Location: Germany
Old 07-29-2012 , 06:58   Re: New IDA VTable Script
Reply With Quote #5

You're awesome.
__________________
Peace-Maker is offline
Afronanny
Veteran Member
Join Date: Aug 2009
Old 07-29-2012 , 21:39   Re: New IDA VTable Script
Reply With Quote #6

The sigmaker, tried with about 5 different functions, just prints out the sig of the entire function. It doesn't attempt to shorten it at all.
Afronanny is offline
GoD-Tony
Veteran Member
Join Date: Jul 2005
Old 08-15-2012 , 09:26   Re: New IDA VTable Script
Reply With Quote #7

When attempting to dump CBaseClient for CS:GO I get these errors:
Code:
Inheritance Tree:
CBaseClient
 IGameEventListener2
 IClient
  INetChannelHandler
 IClientMessageHandler
  INetMessageHandler
argument of type 'NoneType' is not iterable
Traceback (most recent call last):
  File "python\idaapi.py", line 373, in IDAPython_ExecScript execfile(script, g)
  File "idc/vtable_dump.py", line 253, in <module> Analyze()
  File "idc/vtable_dump.py", line 150, in Analyze if "`non-virtual thunk to'" in name:
TypeError: argument of type 'NoneType' is not iterable
__________________
GoD-Tony is offline
asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
Old 08-15-2012 , 11:16   Re: New IDA VTable Script
Reply With Quote #8

Quote:
Originally Posted by GoD-Tony View Post
When attempting to dump CBaseClient for CS:GO I get these errors:
Code:
Inheritance Tree:
CBaseClient
 IGameEventListener2
 IClient
  INetChannelHandler
 IClientMessageHandler
  INetMessageHandler
argument of type 'NoneType' is not iterable
Traceback (most recent call last):
  File "python\idaapi.py", line 373, in IDAPython_ExecScript execfile(script, g)
  File "idc/vtable_dump.py", line 253, in <module> Analyze()
  File "idc/vtable_dump.py", line 150, in Analyze if "`non-virtual thunk to'" in name:
TypeError: argument of type 'NoneType' is not iterable
I've updated the script with support for this, the issue was with pure virtual functions.

Also, there was another update in the interim that I didn't mention in this thread, that adds support for RTTI trees and dumps MI vtables as well.
__________________
asherkin is offline
Peace-Maker
SourceMod Plugin Approver
Join Date: Aug 2008
Location: Germany
Old 03-04-2013 , 15:38   Re: New IDA VTable Script
Reply With Quote #9

Noticed i'm using the attached script frequently too next to the vtable dumper, when searching for stuff.

The attached idc script lets you search for binary pattern in the gamedata formating.
So just copy&paste the signature like "\x55\x8B\xEC\x83\xEC\x2A\x56\x8B\x75\x08\x8B \x06" right out of the gamedata file.
Attached Files
File Type: zip escsig_search.zip (880 Bytes, 692 views)
__________________

Last edited by Peace-Maker; 03-04-2013 at 15:39. Reason: Added file..
Peace-Maker is offline
GoD-Tony
Veteran Member
Join Date: Jul 2005
Old 07-14-2013 , 05:03   Re: New IDA VTable Script
Reply With Quote #10

Any chance of this being updated to support vtables in Mac bins? (mainly looking for the MSVC vtable feature)

Definitely not an important request, but it would be neat to have for the situation Dota is in.
__________________
GoD-Tony is offline
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 05:19.


Powered by vBulletin®
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Theme made by Freecode