IDC Scripts
For a while, IDC scripts were awfully exciting because they provided a relatively robust way of automating IDA. However, with the advent of plugins, all that has changed. IDC still has its place for smaller projects and simple routine tasks, but for speed and power, plugins are the way to go. With that said, here are some IDC scripts.
This was my first attempt at a really ambitious IDC script. You can see me struggling with no global variables and a truly unwieldy array implementation. However, it works (although it messes up sometimes). What this does is convert all the user-named functions in an IDB into a .PAT file which can be fed to SIGMAKE.EXE in the FLAIR package to create a useable signature file. I have now rewritten this as a plugin, which you can find on the plugins page. I would strongly recommend using the plugin version over this one, but comparing the two can be quite instructive.
IDA can handle simple jump tables. However, there is a more complicated convention used by quite a few compilers which it cannot handle: the indexed jump table. For example, look at the following disassembly:
mov dl, bl
test eax, eax
cmp edx, 0EFh
ja loc_0_1005909D
mov dl, ds:byte_0_10057670[edx]
jmp ds:off_0_10057760[edx*4]
byte_0_10057670 contains an array of bytes which are indexes into the table of offsets at off_0_10057760. What this script does is number the cases with the appropriate case number determined by the index table. It has the further feature of labeling the cases with an enumeration of the user's choosing, rather than simply using numbers.
To use the script, just position the cursor over the instruction containing the reference to the index table (in the example, mov dl, ds:byte_0_10057670[edx]) and run the script. I have not included any code to determine the starting value of the cases or the number of cases in the switch, so these need to be provided by the user.
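The two-level lookup described above can be reproduced outside IDA. The following Python sketch is an added example, not the IDC script from this page: the function names, table contents, addresses and enum members are all constructed for illustration, and the starting case value is passed in by the caller just as the script requires.

```python
import struct
from collections import OrderedDict

def resolve_indexed_switch(index_bytes, offset_bytes, start_case=0, enum_names=None):
    """Return {target_address: [case labels]} for a two-level jump table.

    index_bytes  -- the byte array indexed by the switch value
    offset_bytes -- the table of little-endian 32-bit code offsets
    start_case   -- case value for index_bytes[0]; user supplied, as in the script
    enum_names   -- optional {case value: name} used instead of bare numbers
    """
    enum_names = enum_names or {}
    count = len(offset_bytes) // 4
    targets = struct.unpack("<%dI" % count, offset_bytes[:count * 4])
    cases = OrderedDict()
    for i, slot in enumerate(index_bytes):
        if slot >= count:
            # An index past the offset table means the case count given was too large.
            raise ValueError("case %d uses slot %d, table has %d entries"
                             % (start_case + i, slot, count))
        value = start_case + i
        cases.setdefault(targets[slot], []).append(enum_names.get(value, str(value)))
    return cases

def case_comments(cases):
    """Format one 'address: case a, b, c' line per jump target."""
    return ["%08X: case %s" % (addr, ", ".join(labels))
            for addr, labels in sorted(cases.items())]

# Constructed sample: six cases sharing four targets (not taken from a real binary).
INDEX_TABLE = bytes([0, 1, 0, 2, 3, 3])
OFFSET_TABLE = struct.pack("<4I", 0x10059000, 0x10059010, 0x10059020, 0x10059030)
ENUM = {0: "CMD_OPEN", 1: "CMD_CLOSE", 3: "CMD_READ"}  # hypothetical enum members

if __name__ == "__main__":
    for line in case_comments(resolve_indexed_switch(INDEX_TABLE, OFFSET_TABLE, 0, ENUM)):
        print(line)
```

Cases that share a slot in the index table end up grouped under one target, which is why several case values can label the same block of code.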