 All right. So this is put on your info t hat. And I'm Mia Bez. And I work for Asthma. And this talk is going to be about C++ templates. And it's going to be about scripting IDA Pro or IDA as some call it. So C++ templates, they look like this. Basically they solve the problem that we have this function max. And the code is equally valid for, it's valid for cars, it's valid for 32 bit ints, it's valid for signed ints, unsigned ints. So we don't want to write the code over and over. So we have this expression. And then type then is replaced by the compiler by whatever types you're using. And then in the binary you will end up with this. And this is for whatever types are actually used. And then eventually your C++ templates look like this. But it's fine. When you're programming C++, when you're in IDA Pro, then here you have some binary. There's a function and the type of the function has templates in it. So you go in the function, you hit Y to edit the type. And then you just press enter and you don't edit it at all. You put in what's in there. And then it's just bad declaration. And it's a syntax there near something. And where the problem is, is where you have that all angle bracket. And it didn't get too far. So when you have these C++ templates, the type names can include the angle brackets, spaces, comments, which all characters that IDA Pro doesn't accept and the names. So we still want to get those template types in there. So there's three ways we can do it. And we're going to use Python. That's a Texas Python or Rattlesnake. So the first way, there's an IDC function, getTinfo. And it'll give you this couple of two strings. The first one is the type expression and the second one is the args. And we're going to look at the, so if we getTinfo and we give it to apply type, then it works out. And this is the type part of it. So the first, this is some stuff in black. But we're going to focus on the red and green part. And so they both start the same, the slash n or the 10. And there is the pointer, it's a star. You could have several in a row if you have several stars in your type. Then you have the length. Then you have the pound sign, which means there's an ordinal. And then there's two different ordinals. And then when you go into local types sub-U, you see the ordinals, right? And then, so you decode them, this math involved somewhat. And then we figured out that it's 16, 45, and 13, 98. That was actually the types. So then you can do the reverse operation. And then you can replace then those ordinals in that string you have. And then apply type and now it works again. So if, say from a PDB into your local types, you've gotten already types that have templates in them. Now you can just replace the ordinals in that string you got from IDA and then it still works. You magically get the proper types in there. And then that's one way of doing it. Sometimes that's a good way. Sometimes you want to do it another way. And actually, so when you're programming in C++, then the templated types, whatever, they have meaning. There's actual classes and types and whatever. And they are generated into the binary. There's a hierarchy, whatever. But actually, in terms of IDA, IDA doesn't know that the thing in the angle brackets is another type. To IDA, the whole thing is just a string. It's just like a type with a weird name that happens to have those symbols in them. So you can actually then rename types to anything. And so one way to get around the problems is basically when you go into this view and you try to edit a type or when you try to apply a type to a function, it parses your type declaration and also every type declaration declaration that is then referenced by that type. So if anywhere in that hierarchy of types that gets parsed, these bad characters, then it will fail. So you can just, whatever types are in your hierarchy, you rename them to something like temp1, temp2, whatever. Then you set the type. You apply the type to your function. And then you rename the types back and that achieves the same result. And so this is an API that's called IDA. It's renamed, named type. And unlike other IDA APIs, this one actually does exactly what it says. So then you call it for the original name, your name. And then you do the opposite operation after setting the type. Wow. Okay. So then the TINFO T API, this is an X-rays, I think. So you create a TINFO T. So TINFO is type info and underscore T is just something that's on all those types. And then you can call getName type on that TINFO T. And where it says some crazy name law, you can actually put in any string and it will create a TINFO T that has that name. And depending on whether you actually have a name with that, I mean the local type with that name, then when you apply the TINFO, you get different results. But all. So the VDUI is all, because much of the scripting for X-rays is intended so that when you're in the decompiler window and the user interface, then you can do stuff to what's visible in the window. So the VDU, so you have to then jump to the screen EA and open decompiler or whatever and then you're able to get this VDUI object. And then to then change the types of your function arguments, then you actually, you change the types, L bar here is a local variable. So you change the types of the local variables that are the arguments. And when you do that, it then changes the type of the function itself. And there's a, the L bar object itself has also a set type method which would seem to do the same operation as going through the UI and then changing an L bar's type. But the other set type actually does a different thing or nothing. And that's why you need to go through this VDUI. So here's the opening. You have to decompile it in there just to get it to open the decompiler window for you because otherwise you can't get the VDUI. And all, wow. So then there's the return type of the function. And so right there I was, I was changing the arguments, the local variables that are the arguments of the function. But the return type doesn't have a, even though there's a return, there's a local variable for the return type. Variable or whatever. But if you change that type, it won't actually let you do it. And it certainly won't change the return type of the function. And also when you're changing the, when you're doing this calling set L bar type, you can actually add or remove arguments which is something you might be interested in. So then to create a completely arbitrary function type where you can specify the return type but also the number and types of the arguments, you can do the following. So Ida has a, it has these simple types and ordinal types and maybe some other types. And in the simple types there's a, it's like a one byte enumeration. And like 80% of them are weird stuff that you will never use like this static volatile old word pointer or this other one which obviously is not actually a type but static volatile unsigned double but so on. And so then you can create this, your string that where you place these place holders or markers into your string for the return type and then for all the argument types however many you want and you give them different, different simple types. And then you make them, you put in as many pointers and then you put in as you want eventually. And then you actually, so here parse type returns the same type of that magic string that was in solution one. So then you can then do the replace thing. You can replace the however is encoded by Ida into the string, the simple types then you can replace them with how the ordinals are encoded. And in the early example I showed it was always a, it was always two bytes for the length of the, I mean the ordinal was always two bytes but for like the first 1000 ordinals it will actually be three bytes and then I mean one byte so the length will be three and then beyond 4000 or 8000 the ordinal when it goes above that then it will be five bytes but then the math is slightly different but you can then put in whatever you want. And then so this you can again create a tinfo t and when you call b serialize on it and give it whatever the IDC get tinfo function returns that actually, so it's another way of creating a tinfo that has a certain type because there's several functions in there that all seem to do the same thing like d serialize and parse type and create function type and there's like 40 of them and if you look into the Ida API documentation there isn't any, if you Google the function names the only hits on Google are at the mirrors of the header file and so there's no public usage of any of these APIs but this d serialize thing actually does what you want on the, if you have that type of string that you get from, get tinfo or parse type from IDC. So then there's a function called apply tinfo 2 because apply tinfo was taken but it doesn't apply tinfo so then apply tinfo 2 applies tinfo and now you can, that's the same as a whatever I did in the first one, let me see what it would, apply type from IDC. Here apparently is the whole thing and then that is all I have to say about this topic and wow, how fast even for a 20 minute slot. Any questions? You. So the question is like when would you end up with these types that cannot be parsed? So basically let's say you have a binary that you don't have symbols for or whatever and then that includes a statically linked library written in C plus plus and then you build that C plus plus library yourself with symbols and then you will then have those symbols in there and you want to transfer those symbols into the unknown binary and then these are completely like normal C plus plus types but IDA just can't parse them because they have angle brackets, commas and spaces so that's like the common situation where you end up with this or in general if you know something about the types that's not in the binary and it's C plus plus templates and basically for IDA then as I mentioned somewhere and there are all those templated types, they're just names of types that happen to be weird and IDA doesn't actually care about like what the members of the template are or like how the structure is formed of its members. If you have more questions I have a mic that makes it easy for everyone to hear. So we've got a question. Anybody? Did this all go over your heads? There's only two smart guys in the entire room. Alright thank you guys.