
MSDN data doesn't have constant values

Open fubuki8087 opened this issue 7 years ago • 6 comments

I cannot use your script to generate the XML file (MSDN data) successfully because "Windows Software Development Kit (SDK) for Windows 7 and .NET Framework 3.5 Service Pack 1" became unavailable on the Microsoft website years ago. So I directly used the XML file you provided at

https://github.com/mr-tz/flare-ida/blob/master/MSDN_data/msdn_data.zip

But no constant in this XML file has a value. So when I execute the script in IDA, no API constant is renamed to a macro.

This is a part of the xml file:

<constants>
	<constant>
		<name>BFT_NTDS_DATABASE</name>
		<description>The file is an NTDS database file. This file should be copied to the file identified as BFT_NTDS_DATABASE when the data is restored.</description>
	</constant>
	<constant>
		<name>BFT_LOG</name>
		<description>The file is a log file. All log files are copied to the directory identified as BFT_LOG_DIR when the data is restored.</description>
	</constant>
	<constant>
		<name>BFT_PATCH_FILE</name>
		<description>The file is a patch file. All patch files are copied to the directory identified as BFT_CHECKPOINT_DIR when the data is restored.</description>
	</constant>
</constants>

As you can see, all constants only have <name> and <description>. I can't see <value> in any <constant>.

fubuki8087, Dec 24 '18 12:12

The script matches up each constant name and IDA Pro's standard enum. So the constant value is not required to rename constants. However, there are other places where the current mechanism can go wrong. Does it really rename no constants (hint: look for debugging output containing the string "renaming constant")?

mr-tz, Dec 27 '18 17:12

I cannot see any "renaming constant" in my IDA Output Window. This is my output:

INFO:__main__:Saving config
INFO:IDB_MSDN_Annotator:Starting script execution
INFO:IDB_MSDN_Annotator:Backing up database to file xxx.idb
Flushing buffers, please wait...ok
INFO:IDB_MSDN_Annotator.xml_parser:Starting parsing G:/IDA 7.0/MSDN_DATA\msdn_data.xml
  4. Creating a new segment  (004144B8-00414CB8) ... ... OK

======================
MSDN Annotator SUMMARY
======================
 Functions not found
 -------------------
  1	RegOpenKeyExA
  2	DragQueryFileA

Enums can be loaded normally. Backup is normal too, and the .msdn segment is also added. But no constants will be renamed. My IDA version is 7.0. Is there anything incompatible?

fubuki8087, Dec 28 '18 10:12

It is possible that the constant renaming does not work on the sample you are looking at. Can you try other binaries?

mr-tz, Dec 29 '18 11:12

Every binary I've tried has the same problem.

fubuki8087, Dec 30 '18 13:12

I've confirmed the issue in a few tests. Investigating this further will take some time though. If you'd like to help I can provide some pointers.

mr-tz, Jan 09 '19 13:01

During further testing the plugin renamed some constants successfully, e.g. for CreateFile. One issue I've identified is that some enums are named differently between IDA 6.x and 7.x.

mr-tz, Jan 10 '19 15:01
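
The name-based matching mentioned in mr-tz's first reply, and the missing <value> elements reported in the issue, can be triaged outside IDA. This is an added example, not part of the thread or of flare-ida's own code; `triage_constants`, the sample XML and the `SAMPLE_IDA_MEMBERS` table (a stand-in for enum members exported from an IDA database, with constructed enum names and values) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the fragment quoted in the issue
# (descriptions shortened; no <value> elements, as reported).
SAMPLE_XML = """<constants>
  <constant><name>BFT_NTDS_DATABASE</name><description>NTDS database file.</description></constant>
  <constant><name>BFT_LOG</name><description>Log file.</description></constant>
  <constant><name>BFT_PATCH_FILE</name><description>Patch file.</description></constant>
</constants>"""

# Hypothetical stand-in for what an IDA database knows about:
# member name -> (enum name, value). Enum names and values are constructed.
SAMPLE_IDA_MEMBERS = {
    "BFT_NTDS_DATABASE": ("CONSTRUCTED_ENUM_BFT", 0x01),
    "BFT_LOG": ("CONSTRUCTED_ENUM_BFT", 0x02),
}


def triage_constants(xml_text, ida_members):
    """Classify each <constant> by whether a name-only lookup can resolve it."""
    report = {"resolved": {}, "unresolved": [], "with_value": []}
    for const in ET.fromstring(xml_text).iter("constant"):
        name = (const.findtext("name") or "").strip()
        if not name:
            continue  # malformed entry without a usable <name>
        if const.find("value") is not None:
            report["with_value"].append(name)
        if name in ida_members:
            # The value comes from the IDA side, so the XML needs none.
            report["resolved"][name] = ida_members[name]
        else:
            # Candidates for the failure discussed in the thread.
            report["unresolved"].append(name)
    return report


if __name__ == "__main__":
    result = triage_constants(SAMPLE_XML, SAMPLE_IDA_MEMBERS)
    for name, (enum_name, value) in result["resolved"].items():
        print(f"resolved   {name} -> {enum_name} = {value:#x}")
    for name in result["unresolved"]:
        print(f"unresolved {name} (no enum member with this name)")
    print(f"constants carrying <value>: {len(result['with_value'])}")
```

Names that land in `unresolved` are the ones to compare against the enum list of the IDA version in use.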