This plugin helps you navigate the large number of unexplored functions in the IDA Pro disassembler.
When you are reverse-engineering a huge file and don't have time to analyze every function, it is useful to gather general information about each function and show it in the function's name.
- The plugin makes the names of unexplored functions (sub_*) more informative.
- It is easy to write your own rules or remove existing ones: each rule lives in its own Python file, and all you need to do to create a rule is add a file to the rules folder with a function that has a specific name and prototype.
The generic rule makes names like this:
nav_loc70_sub5_named3_imp6_switch2_cycle_d10_s5
It looks long, but not every function has all the tags like this one. Shorter examples:
nav_loc84_switch1_d1
nav_sub1_named3_d6
nav_imp2
nav_loc6_imp1
nav_loc1_cycle_s1
nav - means that the function has been renamed by this plugin.
loc - shows the number of local routines inside the function. It helps to determine the level of complexity of the function.
sub - shows the number of unexplored functions (those that had sub_ in their default name) inside the analysed function.
named - shows the number of functions that already have names.
imp - shows the number of imported functions.
switch - shows the number of switches inside the function.
cycle - means that the function has one or several cycles.
cycleIsPossible - means that there was an attempt to find a cycle in the function, but the function is too complex to analyse.
d - shows the number of global data usages.
s - shows the number of string usages.
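The tag legend above is regular enough to parse back out of a name, which helps when triaging an exported function list. This is an added example, not part of the plugin: `parse_nav_name` and `rank_by_complexity` are hypothetical helpers, and tokens outside the legend are kept under `other`.

```python
import re

# Tags from the legend above: counted tags carry a number, flag tags do not.
COUNT_TAGS = ("loc", "sub", "named", "imp", "switch", "d", "s")
FLAG_TAGS = ("cycle", "cycleIsPossible")
_COUNTED = re.compile(r"^(%s)(\d+)$" % "|".join(COUNT_TAGS))


def parse_nav_name(name):
    """Return the tags of a nav_* name as a dict, or None for any other name."""
    parts = name.split("_")
    if parts[0] != "nav" or len(parts) < 2:
        return None
    tags = {t: 0 for t in COUNT_TAGS}
    tags.update({t: False for t in FLAG_TAGS})
    tags["other"] = []  # tokens outside the legend, e.g. added by other rules
    for token in parts[1:]:
        m = _COUNTED.match(token)
        if m:
            tags[m.group(1)] = int(m.group(2))
        elif token in FLAG_TAGS:
            tags[token] = True
        else:
            tags["other"].append(token)
    return tags


def rank_by_complexity(names):
    """Keep plugin-renamed functions only, highest 'loc' count first."""
    tagged = [(n, parse_nav_name(n)) for n in names]
    tagged = [(n, t) for n, t in tagged if t is not None]
    tagged.sort(key=lambda p: p[1]["loc"], reverse=True)  # stable for ties
    return [n for n, _ in tagged]


# Names from the examples above, plus one constructed default name (sub_401000).
SAMPLE = [
    "nav_loc70_sub5_named3_imp6_switch2_cycle_d10_s5",
    "nav_loc84_switch1_d1",
    "nav_sub1_named3_d6",
    "nav_imp2",
    "nav_loc6_imp1",
    "nav_loc1_cycle_s1",
    "sub_401000",
]

if __name__ == "__main__":
    for n in rank_by_complexity(SAMPLE):
        print(n, parse_nav_name(n))
```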
This rule renames functions that have fewer than 5 lines of asm code.
This rule renames functions that have only one call.
This rule renames functions that have several calls to the same function and no other calls.
This rule adds tags if it finds usage of specified strings. It simply appends "paths" or "urls" to the end of the function name if the strings that the function uses contain something related to paths or URLs.
This is the folder with rules. All rules that are there can be deleted or changed. You can add your own rule to this folder.
This is an example of a simple rule that does nothing. You can find it in navigation_plugin/rules/example_of_rule.py.
A rule must return one of these values:
rule_exit(RULE_TRUE, ea, obj, new_name)
rule_exit(WEAK_RULE_TRUE, ea, obj, new_name)
rule_exit(RULE_FALSE)
The function rule_exit changes the function name in IDA and returns RULE_TRUE, WEAK_RULE_TRUE or RULE_FALSE.
RULE_TRUE - the function satisfies the conditions of the rule. The rule will be applied. Other rules will be ignored.
WEAK_RULE_TRUE - the function satisfies the conditions of the rule. The rule will be applied, but there will be an attempt to apply other rules.
RULE_FALSE - the function does not satisfy the conditions of the rule. There will be an attempt to apply other rules.
The parameter obj:FuncInfo is defined in global_data_and_classes.py. It has info about all xrefs that the function uses.
If you want your rule to run anyway, add the "LATE_" prefix to its name. Rules with that prefix run after the other rules. Your rule must still exit with rule_exit(RULE_TRUE, ea, obj, new_name) or rule_exit(RULE_FALSE).
Just copy navigation_plugin.py and the navigation_plugin folder to %path_to_ida%\plugins.
Edit->Plugins->navigation_plugin