"""It can be use to decode the apis used by a program which resolves API calls at runtime using hashing.
Alternatives to this script:
- C:\Program Files\IDA Pro 7.7\idc\renimp.idc
- Universal Unpacker Manual Reconstruct under plugins
"""
import idaapi, idc
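# api resolution table starts at START and ends at END
# Run this script after the apis have been resolved
# (START and END are expected to be set by the analyst before running; they are not defined here)
ea = START
while ea <= END:
    # Turn the dword at ea into a 32-bit offset so IDA displays and cross-references the target.
    # NOTE(review): an earlier comment described this as "same as create_data(ea, FF_DWORD, 4, BADADDR)";
    # op_offset only changes the operand representation, so confirm the dword item already exists.
    # Operand index 1 is kept as written; for a plain data item index 0 is the usual choice - confirm.
    idc.op_offset(ea, 1, idaapi.REF_OFF32)
    addr = idc.get_wide_dword(ea)
    # get_name returns an empty string when the target address has no name in the database
    name = idc.get_name(addr)
    if not name:
        print(f"ERROR at {hex(ea)}")
        # Advance a single byte so the scan re-tries at every alignment;
        # if the table is strictly dword-aligned, stepping by 4 may be intended - confirm.
        ea += 1
        continue
    # IDA recognizes the function if we use Sleep instead of kernel32_Sleep
    # (keeps the text after the last underscore; a name such as _wfopen loses its leading underscore)
    func_name = name.split("_")[-1]
    # SN_FORCE = if the specified name is already present in the database, adds a numerical suffix instead of failing
    # set_name returns 0 when IDA rejects the rename, so report it instead of silently moving on
    if not idc.set_name(ea, func_name, idaapi.SN_FORCE):
        print(f"WARNING at {hex(ea)}: could not set name {func_name!r}")
    print(name)
    ea += 4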