API tools faq
paste
Advertisement
Dwack

IDA Labeler

Dwack
Jan 13th, 2012
453
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 13.21 KB | None | 0 0
raw download clone embed print report
  1. #include <idc.idc>
  2. // Basic X360 SDK functions labeler.
  3. // v 0.1
  4. // by Dwack
  5.  
  6. static labelFunctions()
  7. {
  8.     auto currAddr, lastAddr, i;
  9.    
  10.     Message("Finding CreateFile()\n");
  11.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  12.     {      
  13.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7C 7D 1B 78 7C 9C 23 78 7C BA 2B 78 7C FB 3B 78");
  14.         if(currAddr == BADADDR)
  15.             break;
  16.         lastAddr = currAddr;
  17.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7D 1F 43 78 2B 07 00 01 41 9A 00 5C 2B 07 00 02");
  18.         if(currAddr == BADADDR)
  19.         {
  20.             Message("Function not found!\n");
  21.             break;
  22.         }
  23.         if((currAddr - lastAddr) == 16)
  24.         {
  25.             currAddr = lastAddr - 12;
  26.             MakeUnknown(currAddr, 496, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  27.             MakeCode(currAddr);
  28.             MakeFunction(currAddr, BADADDR);//currAddr + 500);
  29.             if(MakeNameEx(currAddr, "CreateFile", SN_NOCHECK|SN_NOWARN) != 1)
  30.                 MakeNameEx(currAddr, "CreateFile", 0);
  31.             Message("\tFunction found at %08X\n", currAddr);
  32.             break;
  33.         }
  34.         else
  35.             currAddr = lastAddr;
  36.     }
  37.     Message("Finding GetFileSize()\n");
  38.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  39.     {      
  40.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7D 88 02 A6 91 81 FF F8 FB E1 FF F0 94 21 FF 90");
  41.         if(currAddr == BADADDR)
  42.         {
  43.             Message("Function not found!\n");
  44.             break;
  45.         }
  46.         lastAddr = currAddr;
  47.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "2C 03 00 00 41 82 00 30 2B 1F 00 00 41 9A 00 0C");
  48.         if(currAddr == BADADDR)
  49.         {
  50.             Message("Function not found!\n");
  51.             break;
  52.         }
  53.         if((currAddr - lastAddr) == 28)
  54.         {
  55.             currAddr = lastAddr;
  56.             MakeUnknown(currAddr, 104, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  57.             MakeCode(currAddr);
  58.             MakeFunction(currAddr, currAddr + 104);
  59.             if(MakeNameEx(currAddr, "GetFileSize", SN_NOCHECK|SN_NOWARN) != 1)
  60.                 MakeNameEx(currAddr, "GetFileSize", 0);
  61.             Message("\tFunction found at %08X\n", currAddr);
  62.             break;
  63.         }
  64.         else
  65.             currAddr = lastAddr;
  66.     }
  67.    
  68.     Message("Finding GetFileAttributes()\n");
  69.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  70.     {      
  71.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7D 88 02 A6 91 81 FF F8 94 21 FF 50 7C 64 1B 78 38 61 00 50");
  72.         if(currAddr == BADADDR)
  73.         {
  74.             Message("Function not found!\n");
  75.             break;
  76.         }
  77.         lastAddr = currAddr;
  78.         currAddr = FindBinary(currAddr+4, SEARCH_DOWN, "39 60 FF FD 39 40 00 40 39 21 00 50 91 61 00 58");
  79.         if(currAddr == BADADDR)
  80.         {
  81.             Message("Function not found!\n");
  82.             break;
  83.         }
  84.         if((currAddr - lastAddr) == 24)
  85.         {
  86.             currAddr = lastAddr;
  87.             MakeUnknown(currAddr, 100, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  88.             MakeCode(currAddr);
  89.             MakeFunction(currAddr, currAddr + 100);
  90.             if(MakeNameEx(currAddr, "GetFileAttributes", SN_NOCHECK|SN_NOWARN) != 1)
  91.                 MakeNameEx(currAddr, "GetFileAttributes", 0);
  92.             Message("\tFunction found at %08X\n", currAddr);
  93.             break;
  94.         }
  95.         else
  96.             currAddr = lastAddr;
  97.     }
  98.     Message("Finding GetLastError()\n");
  99.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  100.     {      
  101.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "81 6D 01 50 2B 0B 00 00 40 9A 00 10 81 6D 01 00");
  102.         if(currAddr == BADADDR)
  103.         {
  104.             Message("Function not found!\n");
  105.             break;
  106.         }
  107.         lastAddr = currAddr;
  108.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "80 6B 01 60 4E 80 00 20 38 60 00 00 4E 80 00 20");
  109.         if(currAddr == BADADDR)
  110.         {
  111.             Message("Function not found!\n");
  112.             break;
  113.         }
  114.         if((currAddr - lastAddr) == 16)
  115.         {
  116.             currAddr = lastAddr;
  117.             MakeUnknown(currAddr, 32, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  118.             MakeCode(currAddr);
  119.             MakeFunction(currAddr, currAddr + 32);
  120.             if(MakeNameEx(currAddr, "GetLastError", SN_NOCHECK|SN_NOWARN) != 1)
  121.                 MakeNameEx(currAddr, "GetLastError", 0);
  122.             Message("\tFunction found at %08X\n", currAddr);
  123.             break;
  124.         }
  125.         else
  126.             currAddr = lastAddr;
  127.     }
  128.     // GetTickCount() ////////////////////////////////////////////////
  129.     Message("Finding GetTickCount()\n");
  130.     currAddr = 0;
  131.     for (;;)
  132.     {
  133.         currAddr = FindText(currAddr, 1, 0, 0, "KeTimeStampBundle@h");
  134.         if(currAddr == BADADDR)
  135.             {
  136.                 Message("Function not found!\n");
  137.                 break;
  138.             }
  139.         else
  140.         {
  141.             MakeUnknown(currAddr, 16, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  142.             MakeCode(currAddr);
  143.             MakeFunction(currAddr, currAddr + 16);
  144.             if(MakeNameEx(currAddr, "GetTickCount", SN_NOCHECK|SN_NOWARN) != 1)
  145.                 MakeNameEx(currAddr, "GetTickCount", 0);
  146.             Message("\tFunction found at %08X\n", currAddr);
  147.             break;
  148.         }
  149.     }
  150.     ///////////////////////////////////////////////////////////////////
  151.  
  152.     Message("Finding SetLastError()\n");
  153.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  154.     {      
  155.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "81 6D 01 50 2B 0B 00 00 4C 9A 00 20 81 6D 01 00 90 6B 01 60 4E 80 00 20");
  156.         if(currAddr == BADADDR)
  157.         {
  158.             Message("Function not found!\n");
  159.             break;
  160.         }
  161.         MakeUnknown(currAddr, 24, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  162.         MakeCode(currAddr);
  163.         MakeFunction(currAddr, currAddr + 24);
  164.         if(MakeNameEx(currAddr, "SetLastError", SN_NOCHECK|SN_NOWARN) != 1)
  165.             MakeNameEx(currAddr, "SetLastError", 0);
  166.         Message("\tFunction found at %08X\n", currAddr);
  167.         break;
  168.     }
  169.  
  170.     Message("Finding Free()\n");
  171.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  172.     {      
  173.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7D 88 02 A6 91 81 FF F8 FB E1 FF F0 94 21 FF A0");
  174.         if(currAddr == BADADDR)
  175.         {
  176.             Message("Function not found!\n");
  177.             break;
  178.         }
  179.         //Message("1: %08X\n", currAddr);
  180.         lastAddr = currAddr;
  181.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7C 7F 1B 78 2B 03 00 00 41 9A 00 30");
  182.         if(currAddr == BADADDR)
  183.         {
  184.             Message("Function not found!\n");
  185.             break;
  186.         }
  187.         //Message("2: %08X\n", currAddr);
  188.         //Message("3: %d\n", (currAddr - lastAddr));
  189.         if((currAddr - lastAddr) == 16)
  190.         {
  191.             currAddr = lastAddr;
  192.             MakeUnknown(currAddr, 92, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  193.             MakeCode(currAddr);
  194.             MakeFunction(currAddr, currAddr + 92);
  195.             if(MakeNameEx(currAddr, "Free", SN_NOCHECK|SN_NOWARN) != 1)
  196.                 MakeNameEx(currAddr, "Free", 0);
  197.             Message("\tFunction found at %08X\n", currAddr);
  198.             break;
  199.         }
  200.         else
  201.             currAddr = lastAddr;
  202.     }
  203.  
  204.     Message("Finding CloseHandle()\n");
  205.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  206.     {      
  207.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "81 6B 00 04 7D 69 03 A6 4E 80 04 21 2C 03 00 00");
  208.         if(currAddr == BADADDR)
  209.         {
  210.             Message("Function not found!\n");
  211.             break;
  212.         }
  213.         //Message("1: %08X\n", currAddr);
  214.         lastAddr = currAddr;
  215.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "41 80 00 0C 38 60 00 01 48 00 00 0C");
  216.         if(currAddr == BADADDR)
  217.         {
  218.             Message("Function not found!\n");
  219.             break;
  220.         }
  221.         //Message("2: %08X\n", currAddr);
  222.         //Message("3: %d\n", (currAddr - lastAddr));
  223.         if((currAddr - lastAddr) == 16)
  224.         {
  225.             currAddr = lastAddr - 20;
  226.             MakeUnknown(currAddr, 72, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  227.             MakeCode(currAddr);
  228.             MakeFunction(currAddr, currAddr + 72);
  229.             if(MakeNameEx(currAddr, "CloseHandle", SN_NOCHECK|SN_NOWARN) != 1)
  230.                 MakeNameEx(currAddr, "CloseHandle", 0);
  231.             Message("\tFunction found at %08X\n", currAddr);
  232.             break;
  233.         }
  234.         else
  235.             currAddr = lastAddr;
  236.     }
  237.     Message("Finding WriteFile()\n");
  238.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  239.     {      
  240.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7D 88 02 A6 48 00 1D D9 94 21 FF 80 7C 7E 1B 78");
  241.         if(currAddr == BADADDR)
  242.         {
  243.             Message("Function not found!\n");
  244.             break;
  245.         }
  246.         lastAddr = currAddr;
  247.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7C 88 23 78 7C A9 2B 78 7C DD 33 78 7C FF 3B 78");
  248.         if(currAddr == BADADDR)
  249.         {
  250.             Message("Function not found!\n");
  251.             break;
  252.         }
  253.         if((currAddr - lastAddr) == 16)
  254.         {
  255.             currAddr = lastAddr;
  256.             MakeUnknown(currAddr, 292, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  257.             MakeCode(currAddr);
  258.             MakeFunction(currAddr, currAddr + 292);
  259.             if(MakeNameEx(currAddr, "WriteFile", SN_NOCHECK|SN_NOWARN) != 1)
  260.                 MakeNameEx(currAddr, "WriteFile", 0);
  261.             Message("\tFunction found at %08X\n", currAddr);
  262.             break;
  263.         }
  264.         else
  265.             currAddr = lastAddr;
  266.     }
  267.     Message("Finding DeleteFile()\n");
  268.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  269.     {      
  270.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7D 88 02 A6 91 81 FF F8 FB E1 FF F0 94 21 FF 70");
  271.         if(currAddr == BADADDR)
  272.         {
  273.             Message("Function not found!\n");
  274.             break;
  275.         }
  276.         lastAddr = currAddr;
  277.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "39 60 FF FD 39 40 00 40 39 21 00 58 91 61 00 68");
  278.         if(currAddr == BADADDR)
  279.         {
  280.             Message("Function not found!\n");
  281.             break;
  282.         }
  283.         if((currAddr - lastAddr) == 28)
  284.         {
  285.             currAddr = lastAddr;
  286.             MakeUnknown(currAddr, 180, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  287.             MakeCode(currAddr);
  288.             MakeFunction(currAddr, currAddr + 180);
  289.             if(MakeNameEx(currAddr, "DeleteFile", SN_NOCHECK|SN_NOWARN) != 1)
  290.                 MakeNameEx(currAddr, "DeleteFile", 0);
  291.             Message("\tFunction found at %08X\n", currAddr);
  292.             break;
  293.         }
  294.         else
  295.             currAddr = lastAddr;
  296.     }
  297.     Message("Finding MemCpy()\n");
  298.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  299.     {      
  300.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "F8 61 FF F8 54 66 07 7E 7C 00 22 2C 28 06 00 00");
  301.         if(currAddr == BADADDR)
  302.         {
  303.             Message("Function not found!\n");
  304.             break;
  305.         }
  306.         lastAddr = currAddr;
  307.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "20 C6 00 08 41 82 00 50 7C 05 30 40 40 81 00 64");
  308.         if(currAddr == BADADDR)
  309.         {
  310.             Message("Function not found!\n");
  311.             break;
  312.         }
  313.         if((currAddr - lastAddr) == 16)
  314.         {
  315.             currAddr = lastAddr;
  316.             MakeUnknown(currAddr, 1160, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  317.             MakeCode(currAddr);
  318.             MakeFunction(currAddr, currAddr + 1160);
  319.             if(MakeNameEx(currAddr, "MemCpy", SN_NOCHECK|SN_NOWARN) != 1)
  320.                 MakeNameEx(currAddr, "MemCpy", 0);
  321.             Message("\tFunction found at %08X\n", currAddr);
  322.             break;
  323.         }
  324.         else
  325.             currAddr = lastAddr;
  326.     }
  327.     //7C 03 20 00 4D C2 00 20  40 E0 00 08 4B FF FA C4
  328.     Message("Finding MemMove()\n");
  329.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  330.     {      
  331.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7C 03 20 00 4D C2 00 20 40 E0 00 08 4B FF FA C4");
  332.         if(currAddr == BADADDR)
  333.         {
  334.             Message("Function not found!\n");
  335.             break;
  336.         }
  337.  
  338.         MakeUnknown(currAddr, 16, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  339.         MakeCode(currAddr);
  340.         MakeFunction(currAddr, currAddr + 16);
  341.         if(MakeNameEx(currAddr, "MemMove", SN_NOCHECK|SN_NOWARN) != 1)
  342.             MakeNameEx(currAddr, "MemMove", 0);
  343.         Message("\tFunction found at %08X\n", currAddr);
  344.         break;
  345.     }
  346.     Message("Finding MemSet()\n");
  347.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  348.     {      
  349.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "38 05 00 01 7C 09 03 A6 60 66 00 00 48 00 00 10");
  350.         if(currAddr == BADADDR)
  351.         {
  352.             Message("Function not found!\n");
  353.             break;
  354.         }
  355.         lastAddr = currAddr;
  356.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "38 A5 FF FF 98 86 00 00 38 C6 00 01 70 C0 00 03");
  357.         if(currAddr == BADADDR)
  358.         {
  359.             Message("Function not found!\n");
  360.             break;
  361.         }
  362.         if((currAddr - lastAddr) == 16)
  363.         {
  364.             currAddr = lastAddr;
  365.             MakeUnknown(currAddr, 160, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  366.             MakeCode(currAddr);
  367.             MakeFunction(currAddr, currAddr + 160);
  368.             if(MakeNameEx(currAddr, "MemSet", SN_NOCHECK|SN_NOWARN) != 1)
  369.                 MakeNameEx(currAddr, "MemSet", 0);
  370.             Message("\tFunction found at %08X\n", currAddr);
  371.             break;
  372.         }
  373.         else
  374.             currAddr = lastAddr;
  375.     }
  376.     Message("Finding ReadFile()\n");
  377.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  378.     {      
  379.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "94 21 FF 70 7C 7E 1B 78 7C 88 23 78 7C A9 2B 78");
  380.         if(currAddr == BADADDR)
  381.         {
  382.             Message("Function not found!\n");
  383.             break;
  384.         }
  385.         lastAddr = currAddr;
  386.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7C DD 33 78 7C FF 3B 78 3B 80 00 00 2B 06 00 00");
  387.         if(currAddr == BADADDR)
  388.         {
  389.             Message("Function not found!\n");
  390.             break;
  391.         }
  392.         if((currAddr - lastAddr) == 16)
  393.         {
  394.             currAddr = lastAddr - 8;
  395.             MakeUnknown(currAddr, 380, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  396.             MakeCode(currAddr);
  397.             MakeFunction(currAddr, currAddr + 380);
  398.             if(MakeNameEx(currAddr, "ReadFile", SN_NOCHECK|SN_NOWARN) != 1)
  399.                 MakeNameEx(currAddr, "ReadFile", 0);
  400.             Message("\tFunction found at %08X\n", currAddr);
  401.             break;
  402.         }
  403.         else
  404.             currAddr = lastAddr;
  405.     }
  406.     Message("Finding ResumeThread()\n");
  407.     for(currAddr=0; currAddr != BADADDR; currAddr=currAddr+4)
  408.     {      
  409.         currAddr = FindBinary(currAddr, SEARCH_DOWN, "7D 88 02 A6 91 81 FF F8 94 21 FF A0 38 81 00 50");
  410.         if(currAddr == BADADDR)
  411.         {
  412.             Message("Function not found!\n");
  413.             break;
  414.         }
  415.         lastAddr = currAddr;
  416.         currAddr = FindText(currAddr, 1, 0, 0, "NtResumeThread");
  417.         if(currAddr == BADADDR)
  418.         {
  419.             Message("Function not found!\n");
  420.             break;
  421.         }
  422.         if((currAddr - lastAddr) == 16)
  423.         {
  424.             currAddr = lastAddr;
  425.             MakeUnknown(currAddr, 60, 0); // DOUNK_SIMPLE 0 DOUNK_DELNAMES  0x0002
  426.             MakeCode(currAddr);
  427.             MakeFunction(currAddr, currAddr + 60);
  428.             if(MakeNameEx(currAddr, "ResumeThread", SN_NOCHECK|SN_NOWARN) != 1)
  429.                 MakeNameEx(currAddr, "ResumeThread", 0);
  430.             Message("\tFunction found at %08X\n", currAddr);
  431.             break;
  432.         }
  433.         else
  434.             currAddr = lastAddr;
  435.     }
  436. }
  437.  
  438. static main()
  439. {
  440.     labelFunctions();
  441.     Message("Functions Labeled!\n\n");
  442. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!