An IDA script that compares Linux (symboled) and Windows binaries and attempts to interpret the stripped functions on the Windows side.
To be specific, it runs through Linux's strings and stores all of their xref data to a YAML file. Then it runs through Windows' strings and compares the two sets.
One of the comparison methods is unique string xref sequences. In the script this is called "Simple Comparisons". If a symboled Foo::Bar() references "FizzBuzz" twice and "Foo_Foo" once and is the only function to have those exact references, then a function on Windows with that exact behavior can be typed. "FizzBuzz" and "Foo_Foo" can be used elsewhere, but only Foo::Bar() has that kind of sequence.
Secondly, it also compares subset xrefs. If Foo::Bar on Linux references "Foo_Foo" twice, and a stripped function on Windows references "Foo_Foo" twice and "FizzBuzz" once, and Foo::Bar is the only function that has a subset of these xrefs, then the Windows function must be Foo::Bar. It also goes both ways, looking at stripped Windows functions in the same way.
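The two comparisons described above, sketched as stand-alone Python (an added example, not the script's own code, and it does not use the IDA API). It assumes xrefs are compared as per-function string counts with order ignored, that the subset pass only considers functions the first pass left unmatched, and that conflicting claims are dropped; all function names and strings below are constructed.

```python
from collections import Counter

def is_subset(small, big):
    # Multiset inclusion: each string in `small` occurs at least as often in `big`.
    return bool(small) and all(big[s] >= n for s, n in small.items())

def match(linux, windows):
    """Map Windows sub_ names to Linux names using string-xref counts."""
    lin = {n: Counter(r) for n, r in linux.items()}
    win = {n: Counter(r) for n, r in windows.items()}
    found, by_sig = {}, ({}, {})
    # Pass 1 ("Simple Comparisons"): exact counts held by one function per side.
    for table, funcs in zip(by_sig, (lin, win)):
        for name, refs in funcs.items():
            if refs:
                table.setdefault(frozenset(refs.items()), []).append(name)
    for sig, wnames in by_sig[1].items():
        if len(wnames) == 1 and len(by_sig[0].get(sig, [])) == 1:
            found[wnames[0]] = by_sig[0][sig][0]
    # Pass 2 (subset xrefs), both directions, over functions still unmatched.
    free_l = {n: c for n, c in lin.items() if n not in found.values()}
    free_w = {n: c for n, c in win.items() if n not in found}
    pairs = set()
    for w, wc in free_w.items():
        hits = [l for l, lc in free_l.items() if is_subset(lc, wc)]
        if len(hits) == 1:
            pairs.add((w, hits[0]))
    for l, lc in free_l.items():
        hits = [w for w, wc in free_w.items() if is_subset(wc, lc)]
        if len(hits) == 1:
            pairs.add((hits[0], l))
    # Added safeguard (assumption): skip any name claimed by more than one pair.
    for w, l in pairs:
        if sum(p[0] == w for p in pairs) == 1 and sum(p[1] == l for p in pairs) == 1:
            found[w] = l
    return found

# Constructed sample data: function name -> strings it references.
LINUX = {
    "_ZN3Foo3BarEv": ["FizzBuzz", "FizzBuzz", "Foo_Foo"],
    "_ZN3Foo3QuxEv": ["Qux_Init", "Qux_Init"],
    "_ZN3Foo5Nope1Ev": ["Shared"], "_ZN3Foo5Nope2Ev": ["Shared"],  # ambiguous
}
WINDOWS = {
    "sub_401000": ["Foo_Foo", "FizzBuzz", "FizzBuzz"],     # exact match
    "sub_401200": ["Qux_Init", "Qux_Init", "FizzBuzz"],    # superset of Qux
    "sub_401300": ["Shared"], "sub_401400": ["Shared"],    # ambiguous
}
```

The two functions that reference only "Shared" stay unnamed on both passes, because neither side can tell them apart.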
Once the script figures out what a sub_ function is, it renames it to the mangled Linux name. IDA then unmangles it for you so you can search it in your Functions window. Now you have a nice handful of symbols on your Windows binary.
It should be noted that not all found functions are guaranteed to be correct. It is unpredictable how Linux functionality (mainly inlining) translates to Windows. If all else fails you can simply rename functions yourself.
You can even use the symbol smasher alongside the netprop importer to really, really clean up your Windows pseudocode.
For non-pro users
Fret not! I publicly host signature dumps from the Symbol Smasher for most Source games.
You'll find dumps here and I'll try to keep them reasonably updated.