Python script to extract call hierarchy and convert to C

mil22
« on: 20 / July / 2008, 23:45:40 »
Here's a Python script I whipped up today to recursively extract and convert call hierarchies. It takes .LST and .GDL (call graph) files output by IDA, and the list of methods to kick off extraction, and outputs .C to STDOUT.

Requires Python 2.5 or newer. It probably should go under tools/.

Hope it helps somebody else as much as it saved me time today making movie_rec work on the SD870!

Possible improvements:
  * extract caller/callee information directly from the lines of the subroutine, rather than relying on IDA's graph extraction which seems to be unreliable;
  * eliminate nullsub calls
  * automate this using a configuration file and integrate it into the make system somehow (longshot)

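Added example, not mil22's attached script: a Python sketch of the same pipeline that parses a constructed IDA-style .GDL call graph, walks callees from the seed list, and emits the naked inline-asm C plus NSTUB list in the format shown in the reply below. The .LST parse is replaced by a hand-written BODIES table, the depth cutoff deciding what gets copied versus stubbed is my assumption, and every name and address here is constructed.

```python
import re
# Constructed excerpt shaped like IDA's .GDL call-graph export (not real firmware data)
GDL = '''node: { title: "0" label: "taskcreate_MovieRecord" }
node: { title: "1" label: "task_MovieRecord" }
node: { title: "3" label: "_KernelCreateTask" }
node: { title: "4" label: "DebugAssert" }
edge: { sourcename: "0" targetname: "1" }
edge: { sourcename: "0" targetname: "3" }
edge: { sourcename: "1" targetname: "4" }'''
# Constructed stand-in for the .LST parse: name -> (start address, asm lines); all hypothetical
BODIES = {"taskcreate_MovieRecord": ("FF858324", ["ADR     R3, task_MovieRecord", "BL      _KernelCreateTask"]),
          "task_MovieRecord": ("FF858410", ["BL      DebugAssert", "LDMFD   SP!, {PC}"])}
STUB_ADDRS = {"_KernelCreateTask": "FF81C0A0", "DebugAssert": "FF81C090"}  # hypothetical ROM addresses

def parse_gdl(text):
    """Return {caller: [callees]} from the node/edge records of a .GDL file."""
    names = dict(re.findall(r'node:\s*\{\s*title:\s*"(\d+)"\s*label:\s*"([^"]+)"', text))
    calls = {}
    for src, dst in re.findall(r'edge:\s*\{\s*sourcename:\s*"(\d+)"\s*targetname:\s*"(\d+)"', text):
        calls.setdefault(names[src], []).append(names[dst])
    return calls

def extract(calls, seeds, max_depth=1):
    """Recursively choose subroutines to copy; deeper or body-less callees stay in ROM as NSTUBs."""
    chosen, stubs = [], set()
    def visit(name, depth):
        if name in chosen: return
        if depth > max_depth or name not in BODIES:
            stubs.add(name)
        else:
            chosen.append(name)
            for callee in calls.get(name, []):
                visit(callee, depth + 1)
    for seed in seeds: visit(seed, 0)
    return chosen, sorted(stubs)

def emit(calls, chosen, stubs):
    """Render chosen subroutines as naked inline-asm C, redirecting calls to extracted routines to *_my."""
    out = []
    for name in chosen:
        addr, lines = BODIES[name]
        out += ["// Extracted method: %s (%s)" % (name, addr),
                "// Overridden calls: " + ", ".join(c for c in calls.get(name, []) if c in chosen),
                "void __attribute__((naked,noinline)) %s_my() {" % name, "    asm volatile ("]
        for line in lines:
            for c in chosen:  # whole-symbol match, so task_X never rewrites taskcreate_X
                line = re.sub(r'\b%s\b' % re.escape(c), c + "_my", line)
            out.append('        "     %s\\n"' % line)
        out += ["    );", "}", ""]
    return "\n".join(out + ["NSTUB(%s, 0x%s)" % (s, STUB_ADDRS[s]) for s in stubs])
```

Run `print(emit(parse_gdl(GDL), *extract(parse_gdl(GDL), ["taskcreate_MovieRecord"])))` to see the generated C on stdout.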
mil22
Re: Python script to extract call hierarchy and convert to C
« Reply #1 on: 20 / July / 2008, 23:50:41 »
Example output:

Parsed 18589 nodes, 57787 edges
Parsed 18589 subroutines
// Extracted method: taskcreate_MovieRecord (FF858324-FF858408)
// Overridden calls:
//     task_MovieRecord
void __attribute__((naked,noinline)) taskcreate_MovieRecord_my() {
    asm volatile (

    "var_20         = -0x20\n"

        "     STMFD   SP!, {R3-R9,LR}\n"
        "     LDR     R5, =0x54E0\n"
        "     MOV     R6, #0\n"
        "     STR     R6, [R5,#0x24]\n"
        "     LDR     R0, [R5,#8]\n"
        "     LDR     R8, =0x2710\n"
        "     CMP     R0, #0\n"
        "     BNE     loc_FF8583DC\n"
        "     MOV     R0, #1\n"
        "     STR     R0, [R5,#8]\n"
        "     MOV     R0, #0\n"
        "     MOV     R1, #0\n"
        "     BL         sub_FF81BF0C\n"
        "     STR     R0, [R5,#0x14]\n"
        "     MOV     R0, #0\n"
        "     MOV     R1, #0\n"
        "     BL         sub_FF81BF0C\n"
        "     STR     R0, [R5,#0x18]\n"
        "     MOV     R0, #0\n"
        "     MOV     R1, #0xA\n"
        "     BL         sub_FF81BEC4\n"
        "     STR     R0, [R5,#0x1C]\n"
        "     MOV     R0, #0\n"
        "     MOV     R1, #0xA\n"
        "     BL         sub_FF81BEC4\n"
        "     LDR     R7, =0x19C5C\n"
        "     MOV     R4, #9\n"
        "     ADD     R9, R4, #0x2D4\n"
        "     STR     R0, [R5,#0x20]\n"

    "loc_FF858398:\n"    // CODE XREF: taskcreate_MovieRecord+98j
        "     RSB     R0, R4, R4,LSL#3\n"
        "     STR     R6, [R7,R0,LSL#2]\n"
        "     ADD     R1, R7, R0,LSL#2\n"
        "     STR     R9, [SP,#0x20+var_20]\n"
        "     LDR     R0, [R5,#0x20]\n"
        "     LDR     R3, =0xFF8575B0\n"    // aMovierecorder_
        "     MOV     R2, R8\n"
        "     BL         sub_FF81BFD0\n"
        "     SUBS    R4, R4, #1\n"
        "     BPL     loc_FF858398\n"
        "     MOV     R3, #0\n"
        "     STR     R3, [SP,#0x20+var_20]\n"
        "     ADR     R3, task_MovieRecord_my\n"    //   --------------->
        "     MOV     R2, #0x1000\n"
        "     MOV     R1, #0x14\n"
        "     LDR     R0, =0xFF858528\n"    // aMovierecord = "MovieRecord"
        "     BL         _KernelCreateTask\n"

......

Required stubs:
NSTUB(CreateController, 0xFF86A6E4)
NSTUB(DebugAssert, 0xFF81C090)
NSTUB(GetAEIntegralServiceMode_0, 0xFF82C92C)
etc.
