The first thing I found very annoying when I began reversing a lot: I spent too much time renaming variables that could be renamed automatically. So AutoRenamer has been implemented with the following rules:
- Good-Name-Sources are:
  - a user-named global/local variable or struct member
  - user- or library-named arguments of a called subroutine
  - a string literal or "helper" name
  - a comment that does not start with the ';' character
  - a number in the range `1 < const_val < 0x80000000`
  - a number in `enum` form
  - a call to a procedure with one of the following names (`A`/`W` letters and additions like `_2` at the end of the proc name are ignored):
    - `GetLastError` produces the name `err`
    - a function whose name contains the `__get` or `::get` substring. Example: `SomeClass::getSomeMemb()` produces the name `SomeMemb`
    - `LoadLibrary(LibName)` and `GetModuleHandle(LibName)` produce the name `hLibName`
    - `GetProcAddress(hMod, ProcName)` produces the name `ProcName`
    - `strdup(Arg)`, `wcsdup(Arg)` produce the name `Arg`
    - `????code_pointer(Arg)` and `??codePointer(Arg)` produce the name `Arg`
  - for a reference-prepended Good-Name like:
    - `&X_` produces the name `X` (the last '_' symbol is stripped)
    - `&X` produces the name `p_X` ('p_' is inserted)
- Bad-Name-Sources are:
  - names like `var_XX`, `arg_XX`, `aXX`, `vXX`, `vXa`, where `XX` is one or two digits
  - CPU register names with an optional numeric suffix (like `ecx0`)
  - a struct member named `VT` or with a name beginning with `field_` or `fld_`
  - case-sensitive names, optionally prefixed with `lp`: `this`, `result`, `Mem`, `Memory`, `Block`, `String`, `ProcName`, `ProcAddress`, `LibFileName`, `ModuleName`, `LibraryA`, `LibraryW`
    - in addition to the above, for variables and call arguments only: `Str`, `Src`, `Dst`, `dwBytes`, `Flink`, `Blink`
- For an assignment operator like `A = B;` where one side is a Good-Name-Source and the other is an unnamed (Bad-Name-Source) variable or struct member, the bad-named part is renamed to `NameSource_XX`, where `XX` is one or two digits
- The same applies to relational ops like `A == B`, `A < B`, etc.
- On renaming a reference-prepended variable or struct member like `&X`:
  - `p_X` as the new name becomes `X` (`p_` is stripped)
  - `X` as the new name becomes `X_` (a last '_' symbol is appended)
- `strcpy(A,B)`, `wcscpy(A,B)`, `lstrcpy(A,B)`, `qmemcpy(A,B)` are considered as an `A = B;` assignment
- `call(a1, a2, ...)` with typeinfo `func(p1, p2, ...)` is considered as a series of assignments `p1 = a1;`, `p2 = a2;`, etc.
  - bonus: if a call argument has typeinfo and the prototype of func has none, the type and name of the arguments are propagated into the func type (only if the count of x-refs to such a func is less than five, to avoid renaming args in popular funcs like `memcpy`, `alloc`, etc.)
- A call of a proc with a name like `off_xxx` (usually appears at the IAT in a debugger session) is renamed to the destination of this `off_xxx`
- A wrapper (thunk) proc with only one call `subproc(...)` statement inside is renamed to `subproc_` (a '_' symbol is appended to the name)
- Every renaming that happens is accompanied by a message in the IDA Output Window
📝 Note: sometimes AutoRenamer propagates a wrong, meaningless name too aggressively. There is no need to correct all such wrong names: just rename one of them to the correct name and kill the others with "N"-"Del"-"Enter". Then propagate the new correct name by pressing "F5".
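
The rules above can be modelled outside IDA to see what a given name or call would produce. The following Python sketch is an added example, not the plugin's own code: the function names, the register subset, reading `XX` as decimal digits, and the choice that a bad-named argument supplies no name are all assumptions, and the `????code_pointer` rule is left out.

```python
import re

# Model of the AutoRenamer rules listed above; not the plugin's own code.
# var_XX, arg_XX, aXX, vXX, vXa (XX read as one or two decimal digits: assumption)
AUTO_NAME = re.compile(r"(?:var_|arg_|a|v)\d{1,2}|v\d{1,2}a")
# Assumed x86 register subset with optional numeric suffix, e.g. ecx0
REGISTER = re.compile(r"(?:e|r)?(?:ax|bx|cx|dx|si|di|bp|sp)\d*")
GENERIC = {"this", "result", "Mem", "Memory", "Block", "String", "ProcName",
           "ProcAddress", "LibFileName", "ModuleName", "LibraryA", "LibraryW"}
GENERIC_VAR_ONLY = {"Str", "Src", "Dst", "dwBytes", "Flink", "Blink"}
# proc name -> (index of the argument that supplies the name, prefix to add)
CALL_RULES = {"LoadLibrary": (0, "h"), "GetModuleHandle": (0, "h"),
              "GetProcAddress": (1, ""), "strdup": (0, ""), "wcsdup": (0, "")}


def is_bad_name(name, is_member=False):
    """True when `name` is a Bad-Name-Source, so it may be overwritten."""
    if AUTO_NAME.fullmatch(name) or REGISTER.fullmatch(name):
        return True
    base = name[2:] if name.startswith("lp") else name  # optional 'lp' prefix
    if base in GENERIC:
        return True
    if is_member:
        return name == "VT" or name.startswith(("field_", "fld_"))
    return base in GENERIC_VAR_ONLY  # variables and call arguments only


def name_from_call(proc, args):
    """Name that a call to `proc` with named `args` produces, or None."""
    proc = re.sub(r"_\d+$", "", proc)  # additions like _2 are ignored
    getter = re.search(r"(?:__get|::get)(\w+)", proc)
    if getter:
        return getter.group(1)
    if proc not in CALL_RULES and proc[-1:] in ("A", "W"):
        proc = proc[:-1]  # A/W letters are ignored
    if proc == "GetLastError":
        return "err"
    rule = CALL_RULES.get(proc)
    if rule is None or rule[0] >= len(args):
        return None
    arg = args[rule[0]]
    # Assumption: an argument that is itself a Bad-Name-Source supplies no name.
    return None if is_bad_name(arg) else rule[1] + arg


def name_from_reference(good):
    """Name produced by `&good`: '&X_' gives X, '&X' gives p_X."""
    return good[:-1] if good.endswith("_") else "p_" + good
```
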