Beispiel #1
0
    def load_symbols(self, file_data, is_big_endian=True):
        symbol_list = []
        if is_big_endian:
            unpack_format = '>I'
        else:
            unpack_format = '<I'

        symbol_count = struct.unpack(unpack_format, file_data[4:8])[0]
        print("symbol_count: %s" % symbol_count)
        symbol_offset = 8
        string_table_offset = 8 + 8 * symbol_count
        print("string_table_offset: %s" % string_table_offset)
        # get symbols
        for i in range(symbol_count):
            offset = i * 8
            symbol_data = file_data[symbol_offset + offset:symbol_offset +
                                    offset + 8]
            flag = ord(symbol_data[0])
            string_offset = struct.unpack(unpack_format,
                                          '\x00' + symbol_data[1:4])[0]
            string_offset += string_table_offset
            print("string_offset: %s" % string_offset)
            symbol_name = ""
            while True:
                if file_data[string_offset] != '\x00':
                    symbol_name += file_data[string_offset]
                    string_offset += 1

                else:
                    break
            print("symbol_name: %s" % symbol_name)
            symbol_address = struct.unpack(unpack_format, symbol_data[-4:])[0]
            symbol_list.append([flag, symbol_name, symbol_address])
            # Find TP-Link device loading address with symbols
            if "wrs_kernel_text_start" in symbol_name:
                load_address = symbol_address
                current_image_base = idaapi.get_imagebase()
                shift_address = load_address - current_image_base
                while shift_address >= 0x70000000:
                    idaapi.rebase_program(0x70000000, 0x0008)
                    shift_address -= 0x70000000
                idaapi.rebase_program(shift_address, 0x0008)

        # load symbols
        for symbol_data in symbol_list:
            flag, symbol_name, symbol_address = symbol_data
            idc.MakeName(symbol_address, symbol_name)
            if flag == 0x54:
                if symbol_name:
                    print("Start fix Function %s at %s" %
                          (symbol_name, hex(symbol_address)))
                    idc.MakeCode(symbol_address)  # might not need
                    idc.MakeFunction(symbol_address, idc.BADADDR)
Beispiel #2
0
 def fix_vxworks_idb(load_address, vx_version, symbol_table_start,
                     symbol_table_end):
     current_image_base = idaapi.get_imagebase()
     symbol_interval = 16
     if vx_version == 6:
         symbol_interval = 20
     symbol_table_start += load_address
     symbol_table_end += load_address
     ea = symbol_table_start
     shift_address = load_address - current_image_base
     while shift_address >= 0x70000000:
         idaapi.rebase_program(0x70000000, 0x0008)
         shift_address -= 0x70000000
     idaapi.rebase_program(shift_address, 0x0008)
     while ea < symbol_table_end:
         # for VxWorks 6 unknown symbol format
         if idc.Byte(ea + symbol_table_end - 2) == 3:
             ea += symbol_interval
             continue
         offset = 4
         if idaapi.IDA_SDK_VERSION >= 700:
             idc.create_strlit(idc.Dword(ea + offset), idc.BADADDR)
         else:
             idc.MakeStr(idc.Dword(ea + offset), idc.BADADDR)
         sName = idc.GetString(idc.Dword(ea + offset), -1, idc.ASCSTR_C)
         print("Found %s in symbol table" % sName)
         if sName:
             sName_dst = idc.Dword(ea + offset + 4)
             if vx_version == 6:
                 sName_type = idc.Dword(ea + offset + 12)
             else:
                 sName_type = idc.Dword(ea + offset + 8)
             idc.MakeName(sName_dst, sName)
             if sName_type in need_create_function:
                 # flags = idc.GetFlags(ea)
                 print("Start fix Function %s at %s" %
                       (sName, hex(sName_dst)))
                 idc.MakeCode(sName_dst)  # might not need
                 idc.MakeFunction(sName_dst, idc.BADADDR)
         ea += symbol_interval
     print("Fix function by symbol table finish.")
     print(
         "Start IDA auto analysis, depending on the size of the firmware this might take a few minutes."
     )
     idaapi.autoWait()
Beispiel #3
0
 def rsp(self, buffer, **kargs):
     idc.Message("Handling a rebase command from the rsp!\n")
     result = True
     #try:
     addr = buffer.read_string()
     #idc.Message("In rebase call: " +str(addr))
     rebase_to_addr = IdabridgeUtils.convert_str_to_numval(addr)
     current_ea = idc.ScreenEA()
     c_base_addr = idc.FirstSeg()
     r_base_diff = rebase_to_addr - c_base_addr
     idc.Message("instanceof(rebase_to_addr, str) == %s rebase_to_addr: %s Got: %s)"%(isinstance(rebase_to_addr, str), rebase_to_addr, addr))
     idaapi.rebase_program(r_base_diff, idc.MSF_FIXONCE)
     idc.AnalyseArea(idc.MinEA(),idc.MaxEA())
     new_ea = rebase_to_addr + ( current_ea - c_base_addr)
     idc.Jump(new_ea)
     result = True
     #except:
     #    pass
     return self.return_data(result)
Beispiel #4
0
def process(fd, bitness):
    enable_auto(False)
    base_addr = 0x0
    if bitness == 1:
        idaapi.set_processor_type('ARM:ARMv7-A',
                                  idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
        idaapi.get_inf_structure().lflags |= idaapi.LFLG_PC_FLAT
    elif bitness == 2:
        idaapi.set_processor_type("arm", idaapi.SETPROC_LOADER_NON_FATAL)
        idaapi.get_inf_structure().lflags |= idaapi.LFLG_64BIT

    fd.seek(0, idaapi.SEEK_END)
    size = fd.tell()
    segm = idaapi.segment_t()
    segm.bitness = bitness
    segm.start_ea = 0
    segm.end_ea = size

    if base_addr != 0:
        print("[*] Rebasing to address 0x%x" % (base_addr))
        idaapi.rebase_program(base_addr, MSF_NOFIX)
        idaapi.autoWait()

    idaapi.add_segm_ex(segm, "SecureROM", "CODE", idaapi.ADDSEG_OR_DIE)

    fd.seek(0)
    fd.file2base(0, 0, size, False)
    print("[*] Pass One")
    print("[*] Defining functions")
    #locate_functions(segm)
    print("[*] Defining early initialation instructions")
    build_jump_table(segm)
    print("[*] Attempting to force string definitons")
    global string_start, string_end
    string_start, string_end = process_strings(segm)
    print("[*] Pass Two")
    print("[*] Hunting for and defining symbols")
    symbolicate(segm)
from sets import Set
import json
import idaapi
import idc

print('My Script is now running...')
print('Waiting for idapro...')
idaapi.autoWait()
print('start persisting...')

idaapi.rebase_program(-1*idaapi.get_imagebase(), 0)

ss = idaapi.get_input_file_path()
pn = os.path.splitext(ss)[0]
callees = dict()
funcmap = dict()
data = dict()
data['name'] = pn

for seg_ea in Segments():
    for function_ea in Functions(SegStart(seg_ea), SegEnd(seg_ea)):
        #fill call graph
        # For each of the incoming references
        for ref_ea in CodeRefsTo(function_ea, 0):
             # Get the name of the referring function
             caller_name = GetFunctionName(ref_ea)
             # Add the current function to the list of functions called by the referring function
             callees[caller_name] = callees.get(caller_name, Set())
             callees[caller_name].add(function_ea)

data['functions'] = list()
Beispiel #6
0
def load_file(fd, neflags, format):
    global prologues
    global br_flag
    size = 0
    base_addr = 0
    ea = 0
    nfunc = 0

    idaapi.set_processor_type("arm", ida_idp.SETPROC_LOADER_NON_FATAL)
    idaapi.get_inf_structure().lflags |= idaapi.LFLG_64BIT

    if (neflags & idaapi.NEF_RELOAD) != 0:
        return 1

    fd.seek(0, idaapi.SEEK_END)
    size = fd.tell()

    segm = idaapi.segment_t()
    segm.bitness = 2  # 64-bit
    segm.start_ea = 0
    segm.end_ea = size

    if br_flag == false:
        idaapi.add_segm_ex(segm, "iBoot", "CODE", idaapi.ADDSEG_OR_DIE)
    else:
        idaapi.add_segm_ex(segm, "SecureROM", "CODE", idaapi.ADDSEG_OR_DIE)

    fd.seek(0)
    fd.file2base(0, 0, size, false)

    idaapi.add_entry(0, 0, "start", 1)
    ida_funcs.add_func(ea)

    print("[+] Marked as code")

    # heuristic
    while (true):
        mnemonic = idc.print_insn_mnem(ea)

        if "LDR" in mnemonic:
            base_str = idc.print_operand(ea, 1)
            base_addr = int(base_str.split("=")[1], 16)

            break

        ea += 4

    print("[+] Rebasing to address 0x%x" % (base_addr))
    idaapi.rebase_program(base_addr, idc.MSF_NOFIX)

    segment_start = base_addr
    segment_end = idc.get_segm_attr(segment_start, idc.SEGATTR_END)

    ea = segment_start

    print("[+] Searching and defining functions")

    for prologue in prologues:
        while ea != ida_idaapi.BADADDR:
            ea = ida_search.find_binary(ea, segment_end, prologue, 16,
                                        ida_search.SEARCH_DOWN)

            if ea != ida_idaapi.BADADDR:
                if len(prologue) < 8:
                    ea = ea - 2

                if (ea % 4) == 0 and ida_bytes.get_full_flags(ea) < 0x200:
                    # print("[+] Defining a function at 0x%x" % (ea))
                    ida_funcs.add_func(ea)
                    nfunc = nfunc + 1

                ea = ea + 4

    idc.plan_and_wait(segment_start, segment_end)

    print("[+] Identified %d new functions" % (nfunc))

    print("[+] Looking for interesting functions")
    find_interesting(segment_start, segment_end)

    return 1
Beispiel #7
0
def load_file(fd, neflags, format):
    size = 0
    base_addr = 0
    ea = 0

    idaapi.set_processor_type("arm", idaapi.SETPROC_ALL)
    idaapi.get_inf_structure().lflags |= idaapi.LFLG_64BIT

    if (neflags & idaapi.NEF_RELOAD) != 0:
        return 1

    fd.seek(0, idaapi.SEEK_END)
    size = fd.tell()

    segm = idaapi.segment_t()
    segm.bitness = 2  # 64-bit
    segm.start_ea = 0
    segm.end_ea = size
    idaapi.add_segm_ex(segm, "iBoot", "CODE", idaapi.ADDSEG_OR_DIE)

    fd.seek(0)
    fd.file2base(0, 0, size, false)

    idaapi.add_entry(0, 0, "start", 1)
    idc.MakeFunction(ea)

    print("[+] Marked as code")

    # heuristic
    while (true):
        mnemonic = idc.GetMnem(ea)

        if "LDR" in mnemonic:
            base_str = idc.GetOpnd(ea, 1)
            base_addr = int(base_str.split("=")[1], 16)

            break

        ea += 4

    print("[+] Rebasing to address 0x%x" % (base_addr))
    idaapi.rebase_program(base_addr, idc.MSF_NOFIX)
    idaapi.autoWait()

    segment_start = base_addr
    segment_end = idc.GetSegmentAttr(segment_start, idc.SEGATTR_END)

    ea = segment_start

    print("[+] Searching and defining functions")

    while ea != idc.BADADDR:
        ea = idc.FindBinary(ea, idc.SEARCH_DOWN, "BF A9", 16)

        if ea != idc.BADADDR:
            ea = ea - 2

            if (ea % 4) == 0 and idc.GetFlags(ea) < 0x200:
                # print("[+] Defining a function at 0x%x" % (ea))
                idc.MakeFunction(ea)

            ea = ea + 4

    idc.AnalyzeArea(segment_start, segment_end)
    idaapi.autoWait()

    return 1


# EOF
Beispiel #8
0
#  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  * See the License for the specific language governing permissions and
#  * limitations under the License.
#  *******************************************************************************/

from sets import Set
import json
import idaapi
import idc

print('My Script is now running...')
print('Waiting for idapro...')
idaapi.autoWait()
print('start persisting...')

idaapi.rebase_program(-1 * idaapi.get_imagebase(), 0)

ss = idaapi.get_input_file_path()
pn = os.path.splitext(ss)[0]
callees = dict()
funcmap = dict()
data = dict()
data['name'] = pn

for seg_ea in Segments():
    for function_ea in Functions(SegStart(seg_ea), SegEnd(seg_ea)):
        #fill call graph
        # For each of the incoming references
        for ref_ea in CodeRefsTo(function_ea, 0):
            # Get the name of the referring function
            caller_name = GetFunctionName(ref_ea)
Beispiel #9
0
def load_file(fd, flags, format):
    ea = 0
    size = 0

    fd.seek(0x200)
    search = fd.read(0x10)

    print("[sephelper]: starting...")

    if segbit == 1:
        print("[sephelper]: detected a 32bit SEPROM !")
        idaapi.set_processor_type("arm:armv7-m",
                                  idaapi.SETPROC_LOADER_NON_FATAL)
        idaapi.get_inf_structure().lflags |= idaapi.LFLG_PC_FLAT
    else:
        print("[sephelper]: detected a 64bit SEPROM !")
        idaapi.set_processor_type("arm", idaapi.SETPROC_LOADER_NON_FATAL)
        idaapi.get_inf_structure().lflags |= idaapi.LFLG_64BIT

    if (flags & idaapi.NEF_RELOAD) != 0: return 1

    fd.seek(0x0, idaapi.SEEK_END)

    size = fd.tell()

    segm = idaapi.segment_t()

    segm.bitness = segbit
    segm.start_ea = 0x0
    segm.end_ea = size

    idaapi.add_segm_ex(segm, "SEPROM", "CODE", idaapi.ADDSEG_OR_DIE)

    fd.seek(0x0)

    fd.file2base(0x0, 0x0, size, False)

    print("[sephelper]: adding entry point...")

    idaapi.add_entry(0x0, 0x0, "_start", 1)

    ida_funcs.add_func(ea)

    print("[sephelper]: base_addr = 0x%x" % base_addr)

    idaapi.rebase_program(base_addr, idc.MSF_NOFIX)

    print("[sephelper]: analyzing...")

    ea = base_addr
    segment_end = idc.get_segm_attr(base_addr, idc.SEGATTR_END)

    hexcode = ["BF A9", "BD A9"]  # there is not PAC on SEPROM

    if segbit == 1:
        hexcode = ["03 AF", "02 AF", "01 AF"]

    for prologue in hexcode:
        while ea != idc.BADADDR:
            ea = ida_search.find_binary(ea, segment_end, prologue, 0x10,
                                        ida_search.SEARCH_DOWN)

            if ea != idc.BADADDR:
                ea = ea - 0x2

                if (ea % 0x4) == 0 and ida_bytes.get_full_flags(ea) < 0x200:
                    # print("[sephelper]: function added = 0x%x" % ea)
                    ida_funcs.add_func(ea)

                ea = ea + 0x4

    idc.plan_and_wait(base_addr, segment_end)

    print('[sephelper]: finding some functions...')

    find_function(segm.start_ea, segment_end)

    print('[sephelper]: done !')

    return 1