# rev-symbol - Symbol Recovery
Analyze function code characteristics to recover/identify function symbols and names.
## Pre-check

First, verify that IDA-NO-MCP exported data exists in the current directory:

- Check that the `decompile/` directory exists
- Check that it contains `.c` files

If not found, prompt the user:

```
IDA-NO-MCP export data not detected.
Please export decompilation results using IDA-NO-MCP plugin first:
1. Download plugin: https://github.com/P4nda0s/IDA-NO-MCP
2. Copy INP.py to IDA plugins directory
3. Press Ctrl-Shift-E in IDA to export
4. Open the exported directory with Claude Code
```

## Export Directory Structure
```
./
├── decompile/              # Decompiled C code directory
│   ├── 0x401000.c          # One file per function, named by hex address
│   ├── 0x401234.c
│   └── ...
├── decompile_failed.txt    # Failed decompilation list
├── decompile_skipped.txt   # Skipped functions list
├── strings.txt             # String table (address, length, type, content)
├── imports.txt             # Import table (address:function_name)
├── exports.txt             # Export table (address:function_name)
└── memory/                 # Memory hexdump (1MB chunks)
```

## Function File Format (decompile/*.c)
Each file contains function metadata comments and decompiled code:

```c
/*
 * func-name: sub_401000
 * func-address: 0x401000
 * callers: 0x402000, 0x403000   // List of functions that call this function
 * callees: 0x404000, 0x405000   // List of functions called by this function
 */
int __fastcall sub_401000(int a1, int a2)
{
  // Decompiled code...
}
```

## Symbol Recovery Steps
### Step 1: Analyze Internal Characteristics

Carefully examine the target function for:

- String constants: strings used in the function may reveal its purpose (format strings, error messages, protocol keywords, file paths)
- Numeric constants / magic numbers:
  - MD5: `0x67452301`, `0xEFCDAB89`, `0x98BADCFE`, `0x10325476` (the same four words initialize MD4 and SHA-1; SHA-1 adds a fifth word, `0xC3D2E1F0`, so check the state size before naming it MD5)
  - CRC32: `0xEDB88320` (reflected polynomial; `0x04C11DB7` is the non-reflected form)
  - Base64 charset: `ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/` (a permuted alphabet usually indicates a custom Base64 variant)
  - AES S-Box: `0x63, 0x7C, 0x77, 0x7B...`
  - Zlib: `0x78` (compression header), `0x9C` (`0x78 0x9C` is the default-compression header; `0x78 0x01` and `0x78 0xDA` are the other common levels)
  - other constants/magic numbers...
- Code structure: loop patterns, bitwise operations, specific algorithm flows

If you can identify a known algorithm through constants/structure, tell the user directly. Bear in mind that a missing constant is not proof of absence: constants can be computed at runtime, split into parts, or obfuscated, and small values such as `0x78` or `0x63` appear in unrelated code all the time, so weigh a lone byte-sized match much lower than a 32-bit one.
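The constant check above is better scripted than eyeballed. The following Python is an added example (not part of the rev-symbol skill or the IDA-NO-MCP plugin): it extracts numeric and string literals from the text of a `decompile/<addr>.c` file and matches them against the signature table from this step, extended with the SHA-1 fifth word so MD5 and SHA-1 are told apart. Byte-sized values such as the AES S-box prefix and the zlib header are matched only as consecutive sequences, since a lone `0x78` or `0x63` proves nothing. The two sample functions are constructed for the demo and do not come from any real binary.

```python
import re

# Signature table: (label, match kind, needle, note).
#   "all": every constant must appear somewhere in the function
#   "seq": constants must appear consecutively (for small byte values)
#   "str": a string literal must equal the needle
SIGNATURES = [
    ("SHA-1 IV", "all",
     [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
     "five-word state; 0xC3D2E1F0 distinguishes SHA-1 from MD4/MD5"),
    ("MD4/MD5 IV", "all",
     [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
     "four-word state shared by MD4 and MD5; check the round structure to separate them"),
    ("CRC32 (reflected poly)", "all", [0xEDB88320],
     "table-driven or bitwise CRC32; the normal form 0x04C11DB7 is also seen"),
    ("AES S-box", "seq", [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5],
     "first eight S-box entries in order"),
    ("zlib stream header", "seq", [0x78, 0x9C],
     "CMF 0x78 then FLG 0x9C (default level); 0x78 0x01 and 0x78 0xDA are other levels"),
    ("Base64 alphabet", "str",
     ["ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"],
     "standard alphabet; a permuted alphabet usually means a custom Base64"),
]

NUM_RE = re.compile(r"0[xX][0-9A-Fa-f]+|\b\d+\b")
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _to_int(tok):
    return int(tok, 16) if tok[:2].lower() == "0x" else int(tok, 10)


def extract_literals(c_source):
    """Numeric literals in source order plus string literals from decompiled C text."""
    nums = [_to_int(m.group(0)) for m in NUM_RE.finditer(c_source)]
    strs = STR_RE.findall(c_source)
    return nums, strs


def _has_seq(nums, seq):
    n = len(seq)
    return any(nums[i:i + n] == seq for i in range(len(nums) - n + 1))


def fingerprint(c_source):
    """Return [(label, note)] for every signature the function matches."""
    nums, strs = extract_literals(c_source)
    num_set = set(nums)
    hits = []
    for label, kind, needle, note in SIGNATURES:
        if kind == "all":
            matched = all(v in num_set for v in needle)
        elif kind == "seq":
            matched = _has_seq(nums, needle)
        else:
            matched = any(s in strs for s in needle)
        if matched:
            hits.append((label, note))
    # The MD4/MD5 words are a subset of the SHA-1 words: keep only the stronger match.
    if any(label == "SHA-1 IV" for label, _ in hits):
        hits = [h for h in hits if h[0] != "MD4/MD5 IV"]
    return hits


# Constructed sample: an MD5-style state initializer.
SAMPLE_MD5_INIT = """/*
 * func-name: sub_401000
 * func-address: 0x401000
 * callers: 0x402000
 * callees:
 */
void __fastcall sub_401000(unsigned int *a1)
{
  a1[0] = 0x67452301;
  a1[1] = 0xEFCDAB89;
  a1[2] = 0x98BADCFE;
  a1[3] = 0x10325476;
  a1[4] = 0;
  a1[5] = 0;
}
"""

# Constructed sample: a bitwise CRC32 update loop.
SAMPLE_CRC32 = """unsigned int __fastcall sub_401200(unsigned int a1, unsigned __int8 *a2, int a3)
{
  unsigned int crc = ~a1;
  for (int i = 0; i < a3; ++i) {
    crc ^= a2[i];
    for (int j = 0; j < 8; ++j)
      crc = (crc >> 1) ^ (0xEDB88320 & -(crc & 1));
  }
  return ~crc;
}
"""

if __name__ == "__main__":
    for name, src in (("sub_401000", SAMPLE_MD5_INIT), ("sub_401200", SAMPLE_CRC32)):
        for label, note in fingerprint(src):
            print(f"{name}: {label} ({note})")
```

Run it over every file in `decompile/` and triage the hits first; a hit names the algorithm family, and the round structure then decides the exact variant.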
### Step 2: Analyze Cross-References
Analyze Callees (called functions):

- Read functions in the callees list
- For each callee, check if its address exists in `imports.txt`
- Recognize call patterns even when symbols are missing:

Paired function patterns (identify by matching call pairs):

```c
// malloc/free, new/delete, alloc/dealloc
xx = sub_A(0x100);          // alloc: takes size, returns pointer
...
sub_B(xx);                  // free: takes the same pointer

// mutex_lock/mutex_unlock, pthread_mutex_lock/unlock
sub_A(lock_ptr);            // lock
...                         // critical section
sub_B(lock_ptr);            // unlock (same lock object)

// open/close, fopen/fclose, CreateFile/CloseHandle
fd = sub_A("/path", 0);     // open: path + flags, returns handle
...
sub_B(fd);                  // close: takes the handle

// pthread_create/pthread_join
sub_A(&tid, 0, func, arg);  // create: out param, attr, func, arg
...
sub_B(tid, &ret);           // join: tid, out param
```

Argument pattern recognition:

```c
// socket(AF_INET, SOCK_STREAM, 0) - fixed constants
sub_XXX(2, 1, 0);           // socket: domain=2, type=1, protocol=0

// connect/bind(sockfd, addr, addrlen)
sub_XXX(fd, &var, 16);      // addr struct, len=16 for IPv4

// memcpy/memmove(dst, src, size)
sub_XXX(dst, src, n);       // 3 params: dst, src, count

// memset(ptr, value, size)
sub_XXX(ptr, 0, 0x100);     // 3 params: ptr, byte value, count

// read/write(fd, buf, count)
ret = sub_XXX(fd, buf, n);  // returns bytes read/written

// strcmp/strncmp(s1, s2) or (s1, s2, n)
if (sub_XXX(s1, s2) == 0)   // returns 0 on equal
```

Numeric constants like these are ABI-specific: `SOCK_STREAM` is 1 on x86 Linux and Windows but 2 on MIPS Linux (where `SOCK_DGRAM` is 1), so confirm the target platform before trusting a numeric match.

Return value patterns:

```c
// file/socket operations: -1 on error
if ((fd = sub_XXX(...)) == -1) goto error;

// allocation: NULL on failure
if (!(ptr = sub_XXX(size))) goto error;

// success/error: 0 = success
if (sub_XXX(...) != 0) goto error;

// strlen: returns size_t
len = sub_XXX(str);
sub_YYY(dst, src, len);     // len used in memcpy
```
Analyze Callers (calling functions):
- Read functions in the callers list
- If a caller has a symbol (check exports.txt), infer the callee's purpose from context
- Recursive check: trace up the call chain until you find a function with a symbol
- Analyze how the return value is used by callers
### Step 3: Information Gathering and Search
Collect the following information:

- Strings in the function (look up the addresses referenced by the function in `strings.txt`)
- Magic numbers / constants
- Known imports called (cross-reference callees with `imports.txt`)
- Caller/callee symbols from `exports.txt`
- Paired function patterns identified

Based on collected information:

1. First attempt local reasoning based on:
   - Function signature (number and types of parameters)
   - Paired call patterns (alloc/free, lock/unlock)
   - Known imports in the call chain
   - Code structure similarity to known algorithms
2. If uncertain, use Web Search to search:
   - Search magic numbers: `0x67452301 0xEFCDAB89 algorithm`
   - Search code patterns: `rotate left xor constant algorithm`
   - Search unique strings found in the function
   - Search parameter patterns: `function(int, int, 0) socket`

Treat a search hit as a hypothesis, not a result: confirm it by comparing the decompiled control flow against the candidate implementation before assigning the name.
## Output Format

```markdown
## Symbol Recovery Analysis: <function_address>

### Function Characteristics
- Strings: <list discovered strings>
- Constants: <list key constants>
- Called imports: <list>

### Cross-Reference Analysis
- Callers: <callers and their symbols>
- Callees: <callees and their symbols>

### Inference Result
- Suggested symbol name: <suggested_name>
- Confidence: High / Medium / Low
- Reasoning: <explain why this name is suggested>

### Similar Open Source Implementation
- <if similar open source code is found, provide link>
```

Tie the confidence level to the evidence: a matching magic constant or a symbolized import in the direct call chain justifies High; a name inferred from argument shape alone is Low.