Why the function got by idapython is not the same as displayed in function window using IDA?












-1















I was trying to use IDA Pro to analyse a binary writen and compiled by myself on Linux. In the function window, IDA displayed the function experiment(std::string,int,std::string) .text 00000000004181FB 0000082F 000004D8 00000000 R . . . B . . But, when I tried to get the function by ida python, .



Python>for i in idautils.Functions():

Python>    name =  idaapi.get_func_name(i)

Python>    if name.startswith('_Z10experimentSsiSs') or name.startswith('experiment'):

Python>        print name

Python>        print idc.GetType(i)


the result is



_Z10experimentSsiSs
None



no function is named as experiment, and the type of function _Z10experimentSsiSs (it seems that it is the function experiment()) is None. I want to get the arguments of all functions, but as mentioned above, I can not get the function's infomation (_Z10experimentSsiSs), and even i can not find the function (experiment). Why is this? What should I do?






binary disassembly ida







share|improve this question





























    -1















    I was trying to use IDA Pro to analyse a binary writen and compiled by myself on Linux. In the function window, IDA displayed the function experiment(std::string,int,std::string) .text 00000000004181FB 0000082F 000004D8 00000000 R . . . B . . But, when I tried to get the function by ida python, .



    Python>for i in idautils.Functions():
    
Python>    name =  idaapi.get_func_name(i)
    
Python>    if name.startswith('_Z10experimentSsiSs') or name.startswith('experiment'):
    
Python>        print name
    
Python>        print idc.GetType(i)


    the result is



    _Z10experimentSsiSs
    None



    no function is named as experiment, and the type of function _Z10experimentSsiSs (it seems that it is the function experiment()) is None. I want to get the arguments of all functions, but as mentioned above, I can not get the function's infomation (_Z10experimentSsiSs), and even i can not find the function (experiment). Why is this? What should I do?






    binary disassembly ida







    share|improve this question



























      -1












      -1








      -1


      0






      I was trying to use IDA Pro to analyse a binary writen and compiled by myself on Linux. In the function window, IDA displayed the function experiment(std::string,int,std::string) .text 00000000004181FB 0000082F 000004D8 00000000 R . . . B . . But, when I tried to get the function by ida python, .



      Python>for i in idautils.Functions():
      
Python>    name =  idaapi.get_func_name(i)
      
Python>    if name.startswith('_Z10experimentSsiSs') or name.startswith('experiment'):
      
Python>        print name
      
Python>        print idc.GetType(i)


      the result is



      _Z10experimentSsiSs
      None



      no function is named as experiment, and the type of function _Z10experimentSsiSs (it seems that it is the function experiment()) is None. I want to get the arguments of all functions, but as mentioned above, I can not get the function's infomation (_Z10experimentSsiSs), and even i can not find the function (experiment). Why is this? What should I do?






      binary disassembly ida







      share|improve this question
















      I was trying to use IDA Pro to analyse a binary writen and compiled by myself on Linux. In the function window, IDA displayed the function experiment(std::string,int,std::string) .text 00000000004181FB 0000082F 000004D8 00000000 R . . . B . . But, when I tried to get the function by ida python, .



      Python>for i in idautils.Functions():
      
Python>    name =  idaapi.get_func_name(i)
      
Python>    if name.startswith('_Z10experimentSsiSs') or name.startswith('experiment'):
      
Python>        print name
      
Python>        print idc.GetType(i)


      the result is



      _Z10experimentSsiSs
      None



      no function is named as experiment, and the type of function _Z10experimentSsiSs (it seems that it is the function experiment()) is None. I want to get the arguments of all functions, but as mentioned above, I can not get the function's infomation (_Z10experimentSsiSs), and even i can not find the function (experiment). Why is this? What should I do?






      binary disassembly ida




      binary disassembly ida






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 25 '18 at 9:16







      greagen

















      asked Nov 21 '18 at 4:12









      greagengreagen

      13




      13
























          1 Answer
          1






          active

          oldest

          votes


















          0














          AFAIK, idc.getType only work with C functions. As you're using C++ the name is mangled.



          Here's a quick test I did:



          #include <iostream>
          
#include <string>
          

          

          
void test(const std::string& s1, const std::string& s2)
          
{
          
    std::cout << s1 << " " << s2 << std::endl;
          

          
    return;
          
}
          

          
int main(int argc, char* argv)
          
{
          
    if(argc != 3)
          
    {
          
        std::cerr << "2 args needed" << std::endl;
          
        return -1;
          
    }
          

          
    test(argv[1], argv[2]);
          

          
    return 0;    
          
}


          Compile, test:



          neitsa@eagle:/mnt/temp/gpp$ g++ -o test test.cpp
          
neitsa@eagle:/mnt/temp/gpp$ ./test hello world
          
hello world


          In IDA (I'm using 7.2), I have this (monstrosity) for the test function:



          .text:0000000000000CBA ; test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)
          
.text:0000000000000CBA                 public _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_
          
.text:0000000000000CBA _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ proc near


          So, technically the (mangled) function name is: _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_



          As the type of the arguments is provided by the symbolic information (i.e if you strip your binary you don't have access to this information anymore! except in the case of RTTI which can also provide this type of information) the only way to get them is to demangle the name and then parse it:



          Get the name:



          Python>idaapi.get_func_name(0xcba)
          
_Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_


          Demangle it:



          Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_SHORT_DN))
          
test(std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&)


          Once you have that you can parse the function prototype and extract the parameters types (which might not be an easy fit with C++...).



          You might want to try with INF_LONG_DN which seems to add spaces after each argument. That might help when parsing:



          Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_LONG_DN))
          
test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)


          Note: do try with strip <program> -o <program_stripped> you'll see that the name of the function will simply not be here anymore.






          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53405153%2fwhy-the-function-got-by-idapython-is-not-the-same-as-displayed-in-function-windo%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            AFAIK, idc.getType only work with C functions. As you're using C++ the name is mangled.



            Here's a quick test I did:



            #include <iostream>
            
#include <string>
            

            

            
void test(const std::string& s1, const std::string& s2)
            
{
            
    std::cout << s1 << " " << s2 << std::endl;
            

            
    return;
            
}
            

            
int main(int argc, char* argv)
            
{
            
    if(argc != 3)
            
    {
            
        std::cerr << "2 args needed" << std::endl;
            
        return -1;
            
    }
            

            
    test(argv[1], argv[2]);
            

            
    return 0;    
            
}


            Compile, test:



            neitsa@eagle:/mnt/temp/gpp$ g++ -o test test.cpp
            
neitsa@eagle:/mnt/temp/gpp$ ./test hello world
            
hello world


            In IDA (I'm using 7.2), I have this (monstrosity) for the test function:



            .text:0000000000000CBA ; test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)
            
.text:0000000000000CBA                 public _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_
            
.text:0000000000000CBA _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ proc near


            So, technically the (mangled) function name is: _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_



            As the type of the arguments is provided by the symbolic information (i.e if you strip your binary you don't have access to this information anymore! except in the case of RTTI which can also provide this type of information) the only way to get them is to demangle the name and then parse it:



            Get the name:



            Python>idaapi.get_func_name(0xcba)
            
_Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_


            Demangle it:



            Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_SHORT_DN))
            
test(std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&)


            Once you have that you can parse the function prototype and extract the parameters types (which might not be an easy fit with C++...).



            You might want to try with INF_LONG_DN which seems to add spaces after each argument. That might help when parsing:



            Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_LONG_DN))
            
test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)


            Note: do try with strip <program> -o <program_stripped> you'll see that the name of the function will simply not be here anymore.






            share|improve this answer




























              0














              AFAIK, idc.getType only work with C functions. As you're using C++ the name is mangled.



              Here's a quick test I did:



              #include <iostream>
              
#include <string>
              

              

              
void test(const std::string& s1, const std::string& s2)
              
{
              
    std::cout << s1 << " " << s2 << std::endl;
              

              
    return;
              
}
              

              
int main(int argc, char* argv)
              
{
              
    if(argc != 3)
              
    {
              
        std::cerr << "2 args needed" << std::endl;
              
        return -1;
              
    }
              

              
    test(argv[1], argv[2]);
              

              
    return 0;    
              
}


              Compile, test:



              neitsa@eagle:/mnt/temp/gpp$ g++ -o test test.cpp
              
neitsa@eagle:/mnt/temp/gpp$ ./test hello world
              
hello world


              In IDA (I'm using 7.2), I have this (monstrosity) for the test function:



              .text:0000000000000CBA ; test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)
              
.text:0000000000000CBA                 public _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_
              
.text:0000000000000CBA _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ proc near


              So, technically the (mangled) function name is: _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_



              As the type of the arguments is provided by the symbolic information (i.e if you strip your binary you don't have access to this information anymore! except in the case of RTTI which can also provide this type of information) the only way to get them is to demangle the name and then parse it:



              Get the name:



              Python>idaapi.get_func_name(0xcba)
              
_Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_


              Demangle it:



              Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_SHORT_DN))
              
test(std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&)


              Once you have that you can parse the function prototype and extract the parameters types (which might not be an easy fit with C++...).



              You might want to try with INF_LONG_DN which seems to add spaces after each argument. That might help when parsing:



              Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_LONG_DN))
              
test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)


              Note: do try with strip <program> -o <program_stripped> you'll see that the name of the function will simply not be here anymore.






              share|improve this answer


























                0












                0








                0







                AFAIK, idc.getType only work with C functions. As you're using C++ the name is mangled.



                Here's a quick test I did:



                #include <iostream>
                
#include <string>
                

                

                
void test(const std::string& s1, const std::string& s2)
                
{
                
    std::cout << s1 << " " << s2 << std::endl;
                

                
    return;
                
}
                

                
int main(int argc, char* argv)
                
{
                
    if(argc != 3)
                
    {
                
        std::cerr << "2 args needed" << std::endl;
                
        return -1;
                
    }
                

                
    test(argv[1], argv[2]);
                

                
    return 0;    
                
}


                Compile, test:



                neitsa@eagle:/mnt/temp/gpp$ g++ -o test test.cpp
                
neitsa@eagle:/mnt/temp/gpp$ ./test hello world
                
hello world


                In IDA (I'm using 7.2), I have this (monstrosity) for the test function:



                .text:0000000000000CBA ; test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)
                
.text:0000000000000CBA                 public _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_
                
.text:0000000000000CBA _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ proc near


                So, technically the (mangled) function name is: _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_



                As the type of the arguments is provided by the symbolic information (i.e if you strip your binary you don't have access to this information anymore! except in the case of RTTI which can also provide this type of information) the only way to get them is to demangle the name and then parse it:



                Get the name:



                Python>idaapi.get_func_name(0xcba)
                
_Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_


                Demangle it:



                Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_SHORT_DN))
                
test(std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&)


                Once you have that you can parse the function prototype and extract the parameters types (which might not be an easy fit with C++...).



                You might want to try with INF_LONG_DN which seems to add spaces after each argument. That might help when parsing:



                Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_LONG_DN))
                
test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)


                Note: do try with strip <program> -o <program_stripped> you'll see that the name of the function will simply not be here anymore.






                share|improve this answer













                AFAIK, idc.getType only work with C functions. As you're using C++ the name is mangled.



                Here's a quick test I did:



                #include <iostream>
                
#include <string>
                

                

                
void test(const std::string& s1, const std::string& s2)
                
{
                
    std::cout << s1 << " " << s2 << std::endl;
                

                
    return;
                
}
                

                
int main(int argc, char* argv)
                
{
                
    if(argc != 3)
                
    {
                
        std::cerr << "2 args needed" << std::endl;
                
        return -1;
                
    }
                

                
    test(argv[1], argv[2]);
                

                
    return 0;    
                
}


                Compile, test:



                neitsa@eagle:/mnt/temp/gpp$ g++ -o test test.cpp
                
neitsa@eagle:/mnt/temp/gpp$ ./test hello world
                
hello world


                In IDA (I'm using 7.2), I have this (monstrosity) for the test function:



                .text:0000000000000CBA ; test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)
                
.text:0000000000000CBA                 public _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_
                
.text:0000000000000CBA _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ proc near


                So, technically the (mangled) function name is: _Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_



                As the type of the arguments is provided by the symbolic information (i.e if you strip your binary you don't have access to this information anymore! except in the case of RTTI which can also provide this type of information) the only way to get them is to demangle the name and then parse it:



                Get the name:



                Python>idaapi.get_func_name(0xcba)
                
_Z4testRKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_


                Demangle it:



                Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_SHORT_DN))
                
test(std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&,std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>> const&)


                Once you have that you can parse the function prototype and extract the parameters types (which might not be an easy fit with C++...).



                You might want to try with INF_LONG_DN which seems to add spaces after each argument. That might help when parsing:



                Python>idc.Demangle(idaapi.get_func_name(0xcba), idc.GetLongPrm(idc.INF_LONG_DN))
                
test(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&)


                Note: do try with strip <program> -o <program_stripped> you'll see that the name of the function will simply not be here anymore.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 22 '18 at 6:40









                NeitsaNeitsa

                4,87211832




                4,87211832
































                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53405153%2fwhy-the-function-got-by-idapython-is-not-the-same-as-displayed-in-function-windo%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Guess what letter conforming each word

                    Image
                    6 $begingroup$ This is an entry in the Fortnightly Topic Challenge #41: Short and Sweet. 1 letter only could be mean anything . With an additional letter in front , could be used as medicine component and something you definitely learn or at least heard once. Add another letter in front , you would possibly hear that many times . Add an additional letter in front , you would found an independent country . With an additional letter, in the end , you would found something related to apple . Add another letter in the end , you would found something bad . Hint: Each letter is unique . word knowledge letters chemistry share | improve this question ...
                    Read more

                    Run scheduled task as local user group (not BUILTIN)

                    Image
                    0 I am trying to run a scheduled task with User Group (not a single user). This is working fine when I in the field "when running a task, use the following user account:" insert BUILTIN User Group (for example: Administrators or Users). But when I try it with the created Local User Group (example: TestGroup) it is not working. The Users in the TestGroup are the same as in the Administrators group. What could be the problem? Are there some restrictions to the Created User Group compared to BUILTINUsers? scheduled-tasks taskscheduler windowstaskschedule share | improve this question asked Nov 15 '18 at 15:36 Far...
                    Read more

                    Port of Spain

                    Image
                    For ports in the country of Spain, see List of ports in Spain. City in City of Port of Spain, Trinidad and Tobago Port of Spain City City of Port of Spain Top to bottom (left to right): Skyline of Port of Spain from Gulf of Paria; National Academy for the Performing Arts, Independence Square, Eric Williams Plaza; MovieTowne, Port of Port of Spain Motto(s):  "We Gather Strength As We Go Along" Port of Spain Coordinates: 10°40′N 61°31′W  /  10.667°N 61.517°W  / 10.667; -61.517 Coordinates: 10°40′N 61°31′W  /  10.667°N 61.517°W  / 10.667; -61.517 Country   Trinidad and Tobago Jurisdiction City of Port of Spain Settled 1560 Incorporated (town) 1853 Incorporated (city) 1914 Government  • Mayor Joel Martinez  • Governing body City Corporation Area [1]  • City 12 km 2 (5 sq mi) Elevation [2] 66 m (217 ft) Population (2011) [1]  • City 37,074  • Rank 3rd  • Density 3,090/km 2 (8,000/sq mi)...
                    Read more