I think I've gotten the hang of writing IDA scripts recently so I thought I'd share them with you all.
I've got a couple of basic scripts in this repo, but the more fun one is the Netprop Importer. It parses a netprop dump (given by sm_dump_netprops_xml) and is able to build IDA structs and insert members at the provided offsets. It kinda shits the bed when it comes to datatables but it's very very useful regardless. You should also, obviously, dump and import the proper dump for your OS.
The importer also provides virtual table importing. This does what you think it does: it imports the vtables of the provided classes from the same dump and adds its type to the struct at offset 0.
It should be noted that the vtable part of the importer only works for Linux binaries; Windows would not be fun to try and do. Also, it kinda makes IDA flip its shit when it comes to globals; e.g. engine thinks it's a CBaseEntity occasionally. But other than that, it really cleans up those ugly dereferences. Another caveat is that member offsets, when viewed through pseudocode, show up as gap and then a trailing number. It should be straightforward to tell that the trailing number is the raw offset.
Grab the netprop importer here
Next is Symbol Smasher.
Symbol Smasher is a set of IDA scripts that compares Linux (symboled) and Windows binaries and attempts to identify the stripped functions on the Windows side.
To be specific, it runs through Linux's strings and stores all of their xrefs. Then it runs through the same strings on Windows and understands that if a unique string has a single xref to a stripped (sub_) function, then that function must be the same as that of the xref found while running through Linux.
Once the script figures out what the sub_ function is, it renames it to the mangled Linux name. IDA then demangles it for you so you can search for it in your Functions window. Now you have a nice handful of symbols on your Windows binary.
It doesn't find every function, though. Only ones with a unique reference to a string. Secondly, not all found functions are guaranteed to be correct. It is unpredictable how Linux functionality (mainly inlining) translates to Windows. If all else fails you can simply makesig it yourself.
Lastly, you have the option of dumping the found functions and their signatures to a json file (dump.json). It dumps regardless, but all those signatures take a loooooong time to get, so you can choose. I dumped 3000 TF2 functions and it took ~40 minutes. YMMV.
You can even use the symbol smasher alongside the netprop importer to really, really clean up your Windows pseudocode.
Grab the symbol smasher here
For non-pro users
Fret not! I have a few included dumps on the GitHub from the smasher and plan on dumping more games if possible. You should also browse the .yml files, as .json double escapes SM signatures.
You'll find dumps here and I'll try to keep them reasonably updated. If you have a dump of a game that isn't included or is outdated, please open a pull request!