→ IDA: rename locals from a script

| No TrackBacks
IDA represents stack frame as a structure. So you need to convert frame offset to structure offset and call SetMemberName.

The following code snapshot demonstrates that.
# find next "mov xxx, eax" instruction
def get_next_eax_store(ea):
	temp_ea = ea
	max_steps = 10
	for step in range(0, max_steps):
		temp_ea = idc.NextHead(temp_ea) # get next instruction
		idaapi.decode_insn(temp_ea)     #decode it
		if idaapi.cmd.itype == idaapi.NN_mov and idaapi.cmd.Op2.type == idaapi.o_reg:
			return idaapi.cmd, temp_ea
	return 0, temp_ea
cmd, addr = get_next_eax_store(ea)
if cmd != 0 and cmd.Op1.type == idaapi.o_phrase: # take only "mov [ebp-xxx],eax" instructions
	sid = idc.GetFrame(ea)
	if sid != None:
		offset = idc.GetFrameLvarSize(ea) - (~(int(cmd.Op1.addr) - 1) & 0xFFFFFFFF)
		idc.SetMemberName(sid, offset, "NewLocalName")

The salt is
offset = GetFrameLvarSize(ea) - (~(int(cmd.Op1.addr) - 1) & 0xFFFFFFFF)
The cmd.Op1.addr (from command "mov [ebp-0x14]") contains -0x14, or 0xFFFFFFEC. Minus 1, then invert converts complement code to true form, & 0xFFFFFFFF is python trick to get valid positive number. So it produces 0x14 for initial value -0x14. Then subtract it from size of local vars, and get a structure offset which can be use as SetMemberName argument.

No TrackBacks

TrackBack URL: http://smokedchicken.org/m/mt-tb.cgi/80

About this Entry

This page contains a single entry by Павел Збицкий published on May 5, 2012 9:38 PM.

PlaidCTF 2012 - Mess [300] was the previous entry in this blog.

BaltCTF NA300 is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.