rev-symbol - Symbol Recovery | reverse-engineering

Stats

Actions

Tags

rev-symbol - Symbol Recovery | reverse-engineering

rev-symbol - Symbol Recovery

Analyze function code characteristics to recover/identify function symbols and names.

Pre-check

First, verify that IDA-NO-MCP exported data exists in the current directory:

Check if decompile/ directory exists
Check if there are .c files inside

If not found, prompt the user:

IDA-NO-MCP export data not detected.

Please export decompilation results using IDA-NO-MCP plugin first:
1. Download plugin: https://github.com/P4nda0s/IDA-NO-MCP
2. Copy INP.py to IDA plugins directory
3. Press Ctrl-Shift-E in IDA to export
4. Open the exported directory with Claude Code

Export Directory Structure

./
├── decompile/              # Decompiled C code directory
│   ├── 0x401000.c          # One file per function, named by hex address
│   ├── 0x401234.c
│   └── ...
├── decompile_failed.txt    # Failed decompilation list
├── decompile_skipped.txt   # Skipped functions list
├── strings.txt             # String table (address, length, type, content)
├── imports.txt             # Import table (address:function_name)
├── exports.txt             # Export table (address:function_name)
└── memory/                 # Memory hexdump (1MB chunks)

Function File Format (decompile/*.c)

Each .c file contains function metadata comments and decompiled code:

/*
 * func-name: sub_401000
 * func-address: 0x401000
 * callers: 0x402000, 0x403000    // List of functions that call this function
 * callees: 0x404000, 0x405000    // List of functions called by this function
 */

int __fastcall sub_401000(int a1, int a2)
{
    // Decompiled code...
}

Symbol Recovery Steps

Step 1: Analyze Internal Characteristics

Carefully examine the target function for:

String constants: Strings used in the function may reveal its purpose
Numeric constants / Magic Numbers:
- MD5: 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
- CRC32: 0xEDB88320
- Base64 charset: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
- AES S-Box: 0x63, 0x7C, 0x77, 0x7B...
- Zlib: 0x78, 0x9C (compression header)
- other constants/magic numbers...
Code structure: Loop patterns, bitwise operations, specific algorithm flows

If you can identify a known algorithm through constants/structure, tell the user directly.

Step 2: Analyze Cross-References

Analyze Callees (called functions):

Read functions in the callees list
For each callee, check if its address exists in imports.txt

Recognize call patterns even when symbols are missing:

Paired function patterns (identify by matching call pairs):

// malloc/free, new/delete, alloc/dealloc
xx = sub_A(0x100);        // alloc: takes size, returns pointer
...
sub_B(xx);                // free: takes the same pointer

// mutex_lock/mutex_unlock, pthread_mutex_lock/unlock
sub_A(lock_ptr);          // lock
...                       // critical section
sub_B(lock_ptr);          // unlock (same lock object)

// open/close, fopen/fclose, CreateFile/CloseHandle
fd = sub_A("/path", 0);   // open: path + flags, returns handle
...
sub_B(fd);                // close: takes the handle

// pthread_create/pthread_join
sub_A(&tid, 0, func, arg); // create: out param, attr, func, arg
...
sub_B(tid, &ret);          // join: tid, out param


**Argument pattern recognition:**
```c
// socket(AF_INET, SOCK_STREAM, 0) - fixed constants
sub_XXX(2, 1, 0);         // socket: domain=2, type=1, protocol=0

// connect/bind(sockfd, addr, addrlen)
sub_XXX(fd, &var, 16);   // addr struct, len=16 for IPv4

// memcpy/memmove(dst, src, size)
sub_XXX(dst, src, n);     // 3 params: dst, src, count

// memset(ptr, value, size)
sub_XXX(ptr, 0, 0x100);   // 3 params: ptr, byte value, count

// read/write(fd, buf, count)
ret = sub_XXX(fd, buf, n); // returns bytes read/written

// strcmp/strncmp(s1, s2) or (s1, s2, n)
if (sub_XXX(s1, s2) == 0)  // returns 0 on equal

Return value patterns:

// file/socket operations: -1 on error
if ((fd = sub_XXX(...)) == -1) goto error;

// allocation: NULL on failure
if (!(ptr = sub_XXX(size))) goto error;

// success/error: 0 = success
if (sub_XXX(...) != 0) goto error;

// strlen: returns size_t
len = sub_XXX(str);
sub_YYY(dst, src, len);   // len used in memcpy

Analyze Callers (calling functions):

Read functions in the callers list
If a caller has a symbol (check exports.txt), infer the callee's purpose from context
Recursive check: trace up the call chain until you find a function with a symbol
Analyze how the return value is used by callers

Step 3: Information Gathering and Search

Collect the following information:

Strings in the function (check strings.txt for addresses used in the function)
Magic Numbers / constants
Known imports called (cross-reference callees with imports.txt)
Caller/callee symbols from exports.txt
Paired function patterns identified

Based on collected information:

First attempt local reasoning based on:
- Function signature (number and types of parameters)
- Paired call patterns (alloc/free, lock/unlock)
- Known imports in the call chain
- Code structure similarity to known algorithms
If uncertain, use Web Search to search:
- Search Magic Numbers: 0x67452301 0xEFCDAB89 algorithm
- Search code patterns: rotate left xor constant algorithm
- Search unique strings found in the function
- Search parameter patterns: function(int, int, 0) socket

Output Format

## Symbol Recovery Analysis: <function_address>

### Function Characteristics
- Strings: <list discovered strings>
- Constants: <list key constants>
- Called imports: <list>

### Cross-Reference Analysis
- Callers: <callers and their symbols>
- Callees: <callees and their symbols>

### Inference Result
- **Suggested symbol name**: <suggested_name>
- **Confidence**: High / Medium / Low
- **Reasoning**: <explain why this name is suggested>

### Similar Open Source Implementation
- <if similar open source code is found, provide link>

Usage Examples

/reverse-engineering:rev-symbol 0x401000

or

/reverse-engineering:rev-symbol sub_401234