def go(self):
idaapi.set_processor_type("arm", idc.SETPROC_ALL | idc.SETPROC_FATAL)
inf = idaapi.get_inf_structure()
inf.af &= ~idc.AF_MARKCODE # this is so that IDA does not find functions inside .data segments
inf.af2 &= ~idc.AF2_FTAIL # don't create function tails
inf.af2 |= idc.AF2_PURDAT # control flow to data segment is ignored
print "0) Loading NIDs"
self.load_nids()
print "1) Mapping kernel VA"
self.dump_first_level()
print "2) Finding module table using heuristic"
self.find_module_ptr()
print "3) Creating segments"
self.process_chunks()
print "4) Resolving imports/exports"
self.resolve_impexp()
print "5) Waiting for IDA to analyze the program, this will take a while..."
idc.Wait()
print "6) Analyzing system instructions"
from highlight_arm_system_insn import run_script
run_script()
print "7) Adding MOVT/MOVW pair xrefs"
add_xrefs()
def load_file(li, neflags, format):
idaapi.set_processor_type("n2t-hack", idaapi.SETPROC_ALL|idaapi.SETPROC_FATAL)
li.seek(0)
hack_data = li.read(li.size())
hack_instructions = [int(instruction, 2) for instruction in hack_data.splitlines()]
hack_instructions_bin = ''.join(struct.pack("!H", instruction) for instruction in hack_instructions)
print "Found %d hack instructions" % len(hack_instructions)
seg = idaapi.segment_t()
seg.startEA= 0
seg.endEA = len(hack_instructions)
seg.align = idaapi.saAbs
seg.comb = idaapi.scPriv
seg.bitness = 0 # 16-bit
idaapi.add_segm_ex(seg, "Hack-ROM", "CODE", idaapi.ADDSEG_OR_DIE)
# This method seems to change in next versions.
#idaapi.mem2base(hack_instructions_bin, 0, -1)
idaapi.mem2base(hack_instructions_bin, 0)
return 1
def accept_file(li, n):
"""
Check if the file is of supported format
@param li: a file-like object which can be used to access the input data
@param n : format number. The function will be called with incrementing
number until it returns zero
@return: 0 - no more supported formats
string "name" - format name to display in the chooser dialog
dictionary { 'format': "name", 'options': integer }
options: should be 1, possibly ORed with ACCEPT_FIRST (0x8000)
to indicate preferred format
"""
# we support only one format per file
if n > 0:
return 0
li.seek(0)
magic = li.read(2)
if struct.unpack('>h',magic)[0] in magics:
idaapi.set_processor_type("A29K", SETPROC_ALL)
return { 'format': fmt_a29k_coff_big, 'options': 1 }
if struct.unpack('<h',magic)[0] in magics:
idaapi.set_processor_type("A29K", SETPROC_ALL)
return { 'format': fmt_a29k_coff_little, 'options': 1 }
# unrecognized format
return 0
def load_file(f, neflags, fmt):
idaapi.set_processor_type("mipsl", SETPROC_ALL | SETPROC_FATAL)
f.seek(0)
rh = ReesesHdr()
# BOGUS because ida gives you a "file like" object... f.readinto(rh)
stsz = sizeof(rh)
fbytes = f.read(stsz)
fit = min(len(fbytes), stsz)
memmove(addressof(rh), fbytes, fit)
print "reeses hdr done"
# get sections
f.seek(rh.sec1hdr_off)
for i in range(0, rh.nsec1):
curseg = SecHdr1()
# SUPER BOGUS f.readinto(curseg)
stsz = sizeof(curseg)
fbytes = f.read(stsz)
fit = min(len(fbytes), stsz)
memmove(addressof(curseg), fbytes, fit)
if curseg.cls == 1:
print "reeses: add segment 0x%08x, length=%d" % (curseg.addr,
curseg.length)
f.file2base(curseg.offset, curseg.addr,
curseg.addr + curseg.length, 1)
idaapi.add_segm(0, curseg.addr, curseg.addr + curseg.length,
"seg%d" % i, "CODE")
print "reeses: seg %d done" % i
print "reeses load_file done"
#print "entry pt is 0x%08x" % rh.entry
return 1
def load_file(li, neflags, format):
# Select the PC processor module
idaapi.set_processor_type("BPF", SETPROC_ALL|SETPROC_FATAL)
buf = read_whole_file(li, 8)
if not buf:
return 0
start = 0x0
seg = idaapi.segment_t()
size = len(buf)
end = start + size
# Create the segment
seg.startEA = start
seg.endEA = end
seg.bitness = 1 # 32-bit
idaapi.add_segm_ex(seg, "bpf_c", "CODE", 0)
# Copy the bytes
idaapi.mem2base(buf, start, end)
# add entry point
idaapi.add_entry(start, start, "start", 1)
# add comment to beginning of disassembly
idaapi.describe(start, True, "BPF bytecode disassembly")
# Mark for analysis
AutoMark(start, AU_CODE)
setup_enums()
return 1
def accept_file(li, n):
"""
Check if the file is of supported format
@param li: a file-like object which can be used to access the input data
@param n : format number. The function will be called with incrementing
number until it returns zero
@return: 0 - no more supported formats
string "name" - format name to display in the chooser dialog
dictionary { 'format': "name", 'options': integer }
options: should be 1, possibly ORed with ACCEPT_FIRST (0x8000)
to indicate preferred format
"""
# check the MAGIC
li.seek(0)
if n > 0: return 0
if dwordAt(li, 4) == MAGIC_NUM: # accept the file
idaapi.set_processor_type("arm:ARMv7-A&R", SETPROC_ALL | SETPROC_FATAL)
idc.ChangeConfig('ARM_DEFAULT_ARCHITECTURE = metaarm')
return SBL1
if dwordAt(li, 4) == HDR_FLASH_VER:
# accept the file
idaapi.set_processor_type("arm:ARMv7-A&R", SETPROC_ALL | SETPROC_FATAL)
idc.ChangeConfig('ARM_DEFAULT_ARCHITECTURE = metaarm')
return MBN
def accept_file(li, n):
"""
Check if the file is of supported format
@param li: a file-like object which can be used to access the input data
@param n : format number. The function will be called with incrementing
number until it returns zero
@return: 0 - no more supported formats
string "name" - format name to display in the chooser dialog
dictionary { 'format': "name", 'options': integer }
options: should be 1, possibly ORed with ACCEPT_FIRST (0x8000)
to indicate preferred format
"""
# check the MAGIC
li.seek(0)
if n > 0: return 0
if dwordAt(li, 4) == MAGIC_NUM: # accept the file
idaapi.set_processor_type("arm:ARMv7-A&R", SETPROC_ALL|SETPROC_FATAL)
idc.ChangeConfig('ARM_DEFAULT_ARCHITECTURE = metaarm')
return SBL1
if dwordAt(li, 4) == HDR_FLASH_VER:
# accept the file
idaapi.set_processor_type("arm:ARMv7-A&R", SETPROC_ALL|SETPROC_FATAL)
idc.ChangeConfig('ARM_DEFAULT_ARCHITECTURE = metaarm')
return MBN
def accept_file(li, n):
"""
Check if the file is of supported format
@param li: a file-like object which can be used to access the input data
@param n : format number. The function will be called with incrementing
number until it returns zero
@return: 0 - no more supported formats
string "name" - format name to display in the chooser dialog
dictionary { 'format': "name", 'options': integer }
options: should be 1, possibly ORed with ACCEPT_FIRST (0x8000)
to indicate preferred format
"""
# we support only one format per file
if n > 0:
return 0
while True:
s = gets(li)
if s == None:
break
s = s.strip()
if len(s) == 0 or s.startswith("#") or s.startswith(".*: ") or s.startswith(" "):
continue
if s.startswith("Disassembly of "):
idaapi.set_processor_type("arm", SETPROC_ALL|SETPROC_FATAL)
return FormatName
else:
break
# unrecognized format
return 0
def load_file(li, neflags, format):
if format != "NeoGeo 68k loader":
return 0
idaapi.set_processor_type("68000", SETPROC_ALL | SETPROC_FATAL)
idaapi.add_segm(0, 0x000000, 0x0FFFFF, "ROM", "CODE")
idaapi.add_segm(0, 0x100000, 0x10F2FF, "WRAM", "DATA")
idaapi.add_segm(0, 0x10F300, 0x10FFFF, "BIOSRAM", "DATA")
idaapi.add_segm(0, 0x200000, 0x2FFFFF, "PORT", "DATA")
idaapi.add_segm(0, 0x300000, 0x3FFFFF, "IO", "DATA")
idaapi.add_segm(0, 0x400000, 0x401FFF, "PALETTES", "DATA")
idaapi.add_segm(0, 0x800000, 0xBFFFFF, "MEMCARD", "DATA")
idaapi.add_segm(0, 0xC00000, 0xC1FFFF, "SYSROM", "DATA")
idaapi.add_segm(0, 0xD00000, 0xD0FFFF, "BRAM", "DATA")
li.seek(0, 2)
size = li.tell()
li.seek(0)
file_data = li.read(size)
idaapi.mem2base(file_data, 0, 0x100000)
name_long(0x000000, "InitSP")
name_long(0x000004, "InitPC")
idaapi.do_unknown(0x3C0000, 1)
idaapi.doByte(0x3C0000, 1)
idaapi.set_name(0x3C0000, "REG_VRAMADDR")
#idaapi.set_cmt(0x3C0000, "Pouet.", 1)
return 1
def load_file(li, neflags, format):
cpu_set = False
sz = li.seek(0, 2)
li.seek(0)
f = li.read(sz)
offset = 0
fpt = MeFptTable(f, offset)
manifs = []
for p in fpt.parts:
if p.ptype() == PT_CODE:
poff = offset + p.Offset
manif = get_struct(f, poff, MeManifestHeader)
manif.parse_mods(f, poff)
if not cpu_set:
cpuname = manif.cpu
if cpuname == "ARCompact":
cpuname = "arcmpct"
elif cpuname == "SPARC":
cpuname = "sparcb"
idaapi.set_processor_type(cpuname, idaapi.SETPROC_ALL|idaapi.SETPROC_FATAL)
cpu_set = True
for idx, mod in enumerate(manif.modules):
data, ext = manif._get_mod_data(f, poff+offset, idx)
if ext == "huff":
data = ""
load_mod(mod, data)
SetShortPrm(INF_AF2, GetShortPrm(INF_AF2) & ~(AF2_FTAIL|AF2_ANORET))
return 1
def accept_file(li, n):
"""
Check if the file is of supported format
@param li: a file-like object which can be used to access the input data
@param n : format number. The function will be called with incrementing
number until it returns zero
@return: 0 - no more supported formats
string "name" - format name to display in the chooser dialog
dictionary { 'format': "name", 'options': integer }
options: should be 1, possibly ORed with ACCEPT_FIRST (0x8000)
to indicate preferred format
"""
# we support only one format per file
if n > 0:
return 0
while True:
s = gets(li)
if s == None:
break
s = s.strip()
if len(s) == 0 or s.startswith("#") or s.startswith(".*: ") or s.startswith(" "):
continue
if s.startswith("Disassembly of "):
idaapi.set_processor_type("arm", SETPROC_ALL|SETPROC_FATAL)
return FormatName
else:
break
# unrecognized format
return 0
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
if format == RomFormatName:
jump = dwordAt(li, 0)
if jump & 0xFF000000 == 0xEA000000: # looks like an ARM branch?
idaapi.set_processor_type("arm", SETPROC_ALL | SETPROC_FATAL)
li.seek(0, idaapi.SEEK_END)
size = li.tell()
#next dword after signature is a pointer to ROMHDR
romhdr = dwordAt(li, ROM_SIGNATURE_OFFSET + 4)
# let's try to find such imagebase that potential ROMHDR's "physfirst" value matches it
imgbase = (romhdr - size) & ~0xfff
bases = []
maxbase = 0
while imgbase < romhdr + 8:
physfirst = dwordAt(li, romhdr - imgbase + 8)
if physfirst == imgbase:
bases.append(imgbase)
imgbase += 0x1000
if len(bases) == 1:
start = bases[0]
elif len(bases) > 1:
print "Warning: several potential imagebases detemined: " + ", ".join(
"%08X" % i for i in bases)
start = bases[-1]
else:
Warning("Unable to determine load image base.")
start = 0x80000000
print "Using imagebase %08X" % start
physlast = dwordAt(li, romhdr - start + 12)
if physlast <= start:
Warning("Internal error")
return 0
size = physlast - start
AddSeg(start, start + size, 0, 1, idaapi.saRelPara, idaapi.scPub)
# copy bytes to the database
li.seek(0)
li.file2base(0, start, start + size, 0)
idaapi.add_entry(start, start, "start", 1)
print "Load OK"
return 1
Warning("Unknown format name: '%s'" % format)
return 0
def load_file_sbl(li, neflags, format):
# set the processor type and enable 'metaarm' so ida disassembles all instructions
idaapi.set_processor_type("arm:ARMv7-A&R",
idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
idc.ChangeConfig('ARM_DEFAULT_ARCHITECTURE = metaarm')
# rewind the input file and read its contents
li.seek(0)
init_val = li.read(li.size())
# Load the file data (sans header) into IDA
rom = SblImage(init_val)
AddSeg(rom.header.image_dest_ptr,
rom.header.image_dest_ptr + rom.header.image_size, 0, 1,
idaapi.saRelPara, idaapi.scPub)
SetSegmentType(rom.header.image_dest_ptr, idaapi.SEG_CODE)
RenameSeg(rom.header.image_dest_ptr, "CODE")
# li.file2base(file_offset, seg1, seg1 + code_seg_size, 0)
# Load the file data (sans header) into IDA
li.file2base(80, rom.header.image_dest_ptr,
rom.header.image_dest_ptr + rom.header.code_size, 0)
# Define the .text .data and .bss segments
#AddSegEx(0, rom.header.image_dest_ptr, rom.header.image_dest_ptr + rom.header.code_size, s, ".code", "CODE", ADDSEG_OR_DIE)
# AddSegment(0, data_start, data_end, ".data", "DATA")
# AddSegment(0, data_end, bss_end, ".bss", "BSS")
image_base = rom.header.image_dest_ptr
entry = rom.header.image_src
#if DEBUG:
# print "Created File Segments: "
# print "\t.text 0x%.8X - 0x%.8X" % (entry, data_start)
# print "\t.data 0x%.8X - 0x%.8X" % (data_start, data_end)
# print "\t.bss 0x%.8X - 0x%.8X" % (data_end, bss_end)
# mark the entry point as being the first byte of the loaded image
idaapi.add_entry(rom.header.image_dest_ptr, rom.header.image_dest_ptr,
"HEADER", 1)
AddIdbComment(image_base, 'Codeword: ', rom.header.codeword)
AddIdbComment(image_base, 'Magic No.: ', rom.header.magic)
AddIdbComment(image_base, 'Source Location: ', rom.header.image_src)
AddIdbComment(image_base, 'Destination Address: ',
rom.header.image_dest_ptr)
AddIdbComment(image_base, 'Image Size: ', rom.header.image_size)
AddIdbComment(image_base, 'Code Size: ', rom.header.code_size)
AddIdbComment(image_base, 'Signature Ptr: ', rom.header.sig_ptr)
AddIdbComment(image_base, 'Signature Size: ', rom.header.sig_size)
AddIdbComment(image_base, 'Cert Chain Ptr: ',
rom.header.cert_chain_ptr)
AddIdbComment(image_base, 'Cert Chain Size: ',
rom.header.cert_chain_size)
AddIdbComment(image_base, 'OEM Cert Sel: ',
rom.header.oem_root_cert_sel)
AddIdbComment(image_base, 'OEM Cert Num: ',
rom.header.oem_num_root_certs)
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
if format == RomFormatName:
jump = dwordAt(li, 0)
if jump & 0xFF000000 == 0xEA000000: # looks like an ARM branch?
idaapi.set_processor_type("arm", SETPROC_ALL|SETPROC_FATAL)
li.seek(0, idaapi.SEEK_END)
size = li.tell()
#next dword after signature is a pointer to ROMHDR
romhdr = dwordAt(li, ROM_SIGNATURE_OFFSET + 4)
# let's try to find such imagebase that potential ROMHDR's "physfirst" value matches it
imgbase = (romhdr-size) & ~0xfff
bases = []
maxbase = 0
while imgbase < romhdr+8:
physfirst = dwordAt(li, romhdr - imgbase + 8)
if physfirst == imgbase:
bases.append(imgbase)
imgbase += 0x1000
if len(bases) == 1:
start = bases[0]
elif len(bases) > 1:
print "Warning: several potential imagebases detemined: " + ", ".join("%08X"%i for i in bases)
start = bases[-1]
else:
Warning("Unable to determine load image base.")
start = 0x80000000
print "Using imagebase %08X" % start
physlast = dwordAt(li, romhdr - start + 12)
if physlast <= start:
Warning("Internal error")
return 0
size = physlast - start
AddSeg(start, start+size, 0, 1, idaapi.saRelPara, idaapi.scPub)
# copy bytes to the database
li.seek(0)
li.file2base(0, start, start+size, 0)
idaapi.add_entry(start, start, "start", 1)
print "Load OK"
return 1
Warning("Unknown format name: '%s'" % format)
return 0
def set_processor_type(type):
if type == ProcessorType.ARM32:
idaapi.set_processor_type('ARM:ARMv7-A',
idaapi.SETPROC_LOADER_NON_FATAL)
idaapi.get_inf_structure().lflags |= idaapi.LFLG_PC_FLAT
elif type == ProcessorType.ARM64:
idaapi.set_processor_type("arm", idaapi.SETPROC_LOADER_NON_FATAL)
idaapi.get_inf_structure().lflags |= idaapi.LFLG_64BIT
def load_file(li, neflags, format):
# set the processor type and enable 'metaarm' so ida disassembles all instructions
idaapi.set_processor_type('arm', idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
idc.ChangeConfig('ARM_DEFAULT_ARCHITECTURE = metaarm')
# rewind the input file and read its contents
li.seek(0)
rom_data = li.read(li.size())
# for some reason this doesnt work, so we end up with this
#rom_name = li.filename().split('.')[0]
rom_name = ''
while rom_name == '':
rom_name = AskStr('', "Enter the input file's basename:")
if rom_name is None: rom_name = 'rom'
while True:
rom_name = os.path.basename(rom_name).split('.')[0]
# read the rom, letting exceptions fall through to ida's exception handler
rom = MbnRom(rom_data)
# for convenience
image_base = rom.header.image_virtual_address
# create the segments
AddSegment('%s_code' % rom_name, rom.code_base, rom.code_data)
if rom.sig_data is not None: AddSegment('%s_sig' % rom_name, rom.sig_base, rom.sig_data)
if rom.cert_data is not None: AddSegment('%s_cert' % rom_name, rom.cert_base, rom.cert_data)
if rom.tail_data is not None: AddSegment('%s_tail' % rom_name, rom.tail_base, rom.tail_data)
if rom.overlay_data is not None: AddSegment('%s_overlay' % rom_name, rom.overlay_base, rom.overlay_data)
# mark the entry point as being the first byte of the loaded image
idaapi.add_entry(rom.code_base, rom.code_base, '%s_start' % rom_name, 1)
# make some comments for usability
AddIdbComment(image_base, 'ROM: %s' % rom_name)
AddIdbComment(image_base, '')
AddIdbComment(image_base, 'Load Index', rom.header.load_index)
AddIdbComment(image_base, 'Flash Partition Version', rom.header.flash_partition_version)
AddIdbComment(image_base, 'Image File Offset', rom.header.image_offset + MbnHeader.SBL_HEADER_SIZE)
AddIdbComment(image_base, 'Image VA', rom.header.image_virtual_address)
AddIdbComment(image_base, 'Image Size', rom.header.image_size)
AddIdbComment(image_base, 'Code VA', rom.header.code_size)
AddIdbComment(image_base, 'Signature VA', rom.header.signature_virtual_address)
AddIdbComment(image_base, 'Signature Size', rom.header.signature_size)
AddIdbComment(image_base, 'Cert Chain VA', rom.header.cert_chain_virtual_address)
AddIdbComment(image_base, 'Cert Chain Size', rom.header.cert_chain_size)
# give the opportunity to keep loading mbn files into the address space
rom_name = AskFile(0, '*.mbn', 'Choose the next ROM filename to load, or click Cancel to continue')
if rom_name is None:
break
else:
rom_data = open(rom_name, 'rb').read()
return 1
def load_file(li, neflags, format):
# Select the PC processor module
idaapi.set_processor_type("EVM", SETPROC_ALL | SETPROC_FATAL)
# TODO: detect and emulate contract creation code
li.seek(0)
buf = li.read(li.size())
if not buf:
return 0
if buf[0:2] == '0x':
print "Detected hex"
new_buf = buf[2:].strip().rstrip()
buf_set = set()
for c in new_buf:
buf_set.update(c)
hex_set = set(list('0123456789abcdef'))
if buf_set <= hex_set: # subset
print "Replacing original buffer with hex decoded version"
buf = new_buf.decode('hex')
# Load all shellcode into different segments
start = 0x0
seg = idaapi.segment_t()
size = len(buf)
end = start + size
# Create the segment
seg.startEA = start
seg.endEA = end
seg.bitness = 1 # 32-bit
idaapi.add_segm_ex(seg, "evm", "CODE", 0)
# TODO: make segments for stack, memory, storage
# Copy the bytes
idaapi.mem2base(buf, start, end)
# check for swarm hash and make it data instead of code
swarm_hash_address = buf.find('ebzzr0')
if swarm_hash_address != -1:
print "Swarm hash detected, making it data"
for i in range(swarm_hash_address - 1, swarm_hash_address + 42):
MakeByte(i)
ida_bytes.set_cmt(swarm_hash_address - 1, "swarm hash", True)
# add entry point
idaapi.add_entry(start, start, "start", 1)
# add comment to beginning of disassembly
idaapi.describe(start, True, "EVM bytecode disassembly")
# Mark for analysis
AutoMark(start, AU_CODE)
#setup_enums()
return 1
def load_file(f, neflags, format):
idaapi.set_processor_type("arm:armv8", idaapi.SETPROC_LOADER)
f.seek(-0x20, os.SEEK_END)
nseg, = struct.unpack("<12xI16x", f.read(0x20))
print(f"Number of segments: {nseg}")
for sno in range(nseg):
f.seek(-0x20-0x20*(nseg-sno), os.SEEK_END)
mem_addr, file_addr, size, name = struct.unpack("<QII8x8s", f.read(0x20))
name, _, _ = name.partition(b'\0')
name = name.decode()
print(f"Segment {sno}: {name} at mem={hex(mem_addr)} file={hex(file_addr)} size={hex(size)}")
ida_seg_type = None
if name == "__TEXT":
ida_seg_type = "CODE"
if name == "__DATA":
ida_seg_type = "DATA"
idaapi.add_segm(0, mem_addr, mem_addr + size, name, ida_seg_type)
f.file2base(file_addr, mem_addr, mem_addr + size, True)
f.seek(-0x20-0x20*nseg, os.SEEK_END)
footer_start = f.tell()
footer_end = footer_start + 0x20 + 0x20 * nseg
idaapi.add_segm(0, footer_start, footer_end, "__FOOTER", "DATA")
f.file2base(footer_start, footer_start, footer_end, True)
header_start = footer_start + 0x20 * nseg
idaapi.add_extra_line(header_start, True, "")
idaapi.add_extra_cmt(header_start, True, f"File Header")
idaapi.create_strlit(header_start, 4, 0)
idaapi.set_cmt(header_start, "Magic", False)
idaapi.create_dword(header_start + 4, 4)
idaapi.set_cmt(header_start + 4, "Version?", False)
idaapi.create_dword(header_start + 8, 4)
idaapi.set_cmt(header_start + 8, "File length minus headers", False)
idaapi.create_dword(header_start + 12, 4)
idaapi.set_cmt(header_start + 12, "Section count", False)
for sno in range(nseg):
header_start = footer_start + 0x20 * sno
idaapi.add_extra_line(header_start, True, "")
idaapi.add_extra_cmt(header_start, True, f"Segment {sno + 1}")
idaapi.create_qword(header_start, 8)
idaapi.set_cmt(header_start, "Memory Address", False)
idaapi.create_dword(header_start + 8, 4)
idaapi.set_cmt(header_start + 8, "File Offset", False)
idaapi.create_dword(header_start + 12, 4)
idaapi.create_qword(header_start + 16, 8)
idaapi.set_cmt(header_start + 12, "Segment Length", False)
idaapi.create_strlit(header_start + 24, 8, 0)
idaapi.set_cmt(header_start + 24, "Segment Name", False)
idaapi.add_entry(0, 0, "start", 1)
return 1
def load_file(li, neflags, fmt):
idaapi.set_processor_type('rl78',
idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
f = FupdFile(li)
if f.magic != MAGIC_PATCH:
make_seg(0xf0000, 0x10000)
for desc, block in f.iter_blocks():
make_seg(desc.flash_addr, desc.size)
idaapi.put_many_bytes(desc.flash_addr, block)
return 1
def go(self):
print "0) Building NID cache..."
self.load_nids()
# Vita is ARM
idaapi.set_processor_type("arm",
idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
print "1) Loading ELF segments"
self.fin.seek(0)
header = ELFHeader(self.fin.read(0x34))
self.fin.seek(header.e_phoff)
phdrs = [
ELFphdr(self.fin.read(header.e_phentsize))
for _ in xrange(header.e_phnum)
]
for phdr in phdrs:
if phdr.p_type == p_type.PT_LOAD:
idaapi.add_segm(0, phdr.p_vaddr, phdr.p_vaddr + phdr.p_memsz,
".text" if phdr.x else ".data",
"CODE" if phdr.x else "DATA")
self.fin.file2base(phdr.p_offset, phdr.p_vaddr,
phdr.p_vaddr + phdr.p_filesz, 1)
self.seg0_off = phdrs[0].p_offset
self.seg0_va = phdrs[0].p_vaddr
self.fin.seek(self.seg0_off + header.e_entry)
modinfo = Modinfo(self.fin.read(0x34))
print "2) Doing noreturn functions first"
self.parse_impexp(modinfo.export_top, modinfo.export_end, Modexport,
self.cb_noret)
self.parse_impexp(modinfo.import_top, modinfo.import_end, Modimport,
self.cb_noret)
print "3) Parsing export tables"
self.parse_impexp(modinfo.export_top, modinfo.export_end, Modexport,
self.cb_exp)
print "4) Parsing import tables"
self.parse_impexp(modinfo.import_top, modinfo.import_end, Modimport,
self.cb_imp)
print "5) Waiting for IDA to analyze the program"
idc.Wait()
print "6) Analyzing system instructions"
from highlight_arm_system_insn import run_script
run_script()
print "6) Adding MOVT/MOVW pair xrefs"
add_xrefs()
def load_file(li, neflags, format):
if format == CRO_FORMAT_NAME:
idaapi.set_processor_type("arm", SETPROC_ALL | SETPROC_FATAL)
load_cro(li, False)
print "Load OK"
return 1
return 0
def load_file(li, neflags, format):
if format == CRO_FORMAT_NAME:
idaapi.set_processor_type("arm", SETPROC_ALL|SETPROC_FATAL)
load_cro(li, False)
print "Load OK"
return 1
return 0
def load_file(li, neflags, format):
# pydevd_pycharm.settrace('localhost', port=1234, stdoutToServer=True, stderrToServer=True)
fname = idaapi.get_input_file_path()
psx = PsxExe(os.path.basename(fname), ONLY_FIRST, MIN_ENTROPY)
psx.parse(li, True)
idaapi.set_processor_type('mipsl', ida_idp.SETPROC_LOADER)
idaapi.cvar.inf.af = \
idaapi.AF_CODE | idaapi.AF_JUMPTBL | idaapi.AF_USED | idaapi.AF_UNK | idaapi.AF_PROC | idaapi.AF_STKARG | \
idaapi.AF_REGARG | idaapi.AF_TRACE | idaapi.AF_VERSP | idaapi.AF_ANORET | idaapi.AF_MEMFUNC | \
idaapi.AF_TRFUNC | idaapi.AF_FIXUP | idaapi.AF_JFUNC | idaapi.AF_IMMOFF | idaapi.AF_STRLIT | \
idaapi.AF_MARKCODE | idaapi.AF_LVAR | idaapi.AF_PROCPTR | idaapi.AF_FLIRT
psx.create_segments(li)
im = idaapi.compiler_info_t()
idaapi.inf_get_cc(im)
im.id = idaapi.COMP_GNU
im.cm = idaapi.CM_N32_F48 | idaapi.CM_M_NN | idaapi.CM_CC_CDECL
im.defalign = 4
im.size_i = 4
im.size_b = 1
im.size_e = 4
im.size_s = 2
im.size_l = 4
im.size_ll = 8
im.size_ldbl = 8
idaapi.inf_set_cc(im)
# Replace predefined macros and included directories by id
# from IDA.CFG (see 'CC_PARMS' in Built-in C parser parameters)
idaapi.set_c_macros(ida_idp.cfg_get_cc_predefined_macros(im.id))
idaapi.set_c_header_path(ida_idp.cfg_get_cc_header_path(im.id))
# Resetting new settings :)
idc.set_inf_attr(idc.INF_COMPILER, im.id)
idc.process_config_line("MIPS_DEFAULT_ABI=o32")
detect = DetectPsyQ(psx.get_exe_name(), ONLY_FIRST, MIN_ENTROPY)
version = detect.get_psyq_version(psx.rom_addr,
psx.rom_addr + psx.rom_size)
if len(version) > 0:
psx.apply_psyq_signatures_by_version(version)
idaapi.add_entry(psx.init_pc, psx.init_pc, 'start', 1)
PsxExe.apply_til(version)
psx.update_gp()
return 1
def load_file(li, neflags, format):
if format != ROM_FORMAT_NAME:
Warning("Unknown format name: '%s'" % format)
return 0
jump = dwordAt(li, 0)
idaapi.set_processor_type("gb", SETPROC_ALL|SETPROC_FATAL)
li.seek(0, idaapi.SEEK_END)
size = li.tell()
# ROM0
idc.AddSeg(ROM0_START, ROM0_START + ROM0_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(ROM0_START, "ROM0")
idc.SetSegmentType(ROM0_START, idc.SEG_CODE)
li.seek(0)
li.file2base(0, ROM0_START, ROM0_START + ROM0_SIZE, 0)
# ROM1
idc.AddSeg(ROM1_START, ROM1_START + ROM1_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(ROM1_START, "ROM1")
idc.SetSegmentType(ROM1_START, idc.SEG_CODE)
# VRAM
idc.AddSeg(VRAM_START, VRAM_START + VRAM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(VRAM_START, "VRAM")
# RAM1
idc.AddSeg(RAM1_START, RAM1_START + RAM1_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(RAM1_START, "RAM1")
# RAM0
idc.AddSeg(RAM0_START, RAM0_START + RAM0_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(RAM0_START, "RAM0")
# ECHO
idc.AddSeg(ECHO_START, ECHO_START + ECHO_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(ECHO_START, "ECHO")
# OAM
idc.AddSeg(OAM_START, OAM_START + OAM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(OAM_START, "OAM")
# IO
idc.AddSeg(IO_START, IO_START + IO_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(IO_START, "IO")
# HRAM
idc.AddSeg(HRAM_START, HRAM_START + HRAM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(HRAM_START, "HRAM")
header_info(li)
naming()
print("[+] Load OK")
return 1
def load_file(li, neflags, format):
chunksize = 0x10000
base = 0xF000
start = base << 4
size = li.size()
if (size & 0xFFF) != 0:
size &= ~0xFFFF
offs = size - chunksize
idaapi.set_processor_type("metapc",
idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
if size < chunksize:
offs = 0
start += (chunksize - size)
chunksize = size
# make E and F segments for real-mode part
myAddSeg(start, start + chunksize, base, 0, "BIOS_F", "CODE")
li.file2base(offs, start, start + chunksize, 1)
if offs > 0 and base > 0xE000:
base -= 0x1000
start -= chunksize
offs -= chunksize
myAddSeg(start, start + chunksize, base, 0, "BIOS_%X" % (base >> 12),
"CODE")
li.file2base(offs, start, start + chunksize, 1)
# set default ds to point to the current segment
SetSegDefReg(start, "ds", base)
if offs > 0:
# file is bigger than 128KB
# make a flat 32-bit segment for the flash alias area
start = (-size) & 0xFFFFFFFF # place it so that it ends at 4GB
chunksize = size
if not __EA64__:
chunksize -= 2 # truncate last two bytes to avoid address space overlap
# map the whole file
offs = 0
base = 0
myAddSeg(start, start + chunksize, base, 1, "BIOS_FLASH", "CODE")
li.file2base(offs, start, start + chunksize, 1)
# set the entry registers to F000:FFF0
SetLongPrm(INF_START_IP, 0xFFF0)
SetLongPrm(INF_START_CS, 0xF000)
# turn off "Convert 32bit instruction operand to offset", too many false positives in high areas
SetShortPrm(INF_START_AF, GetShortPrm(INF_START_AF) & ~AF_IMMOFF)
# turn off "Create function tails"
SetShortPrm(INF_AF2, GetShortPrm(INF_AF2) & ~AF2_FTAIL)
return 1
def load_file(li, neflags, fmt):
# Assume BCM20734 == cortex-m3
idaapi.set_processor_type('arm:armv7-m', idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
parser = FwParser(li)
fw_index = parser.active_fw
if len(parser.fw) > 1:
msg = ['SPI dump has more than one PatchRAM image.\n\nEnter the index of the one to load:']
for i in range(len(parser.fw)):
if parser.fw_present(i):
msg.append('%i @ 0x%08x %s' % (i, parser.fw_offsets[i],
'[active]' if i == parser.active_fw else ''))
fw_index = ida_kernwin.asklong(parser.active_fw, '\n'.join(msg))
# Create known memory regions
make_seg([0x0, 0xC8000], 1)
make_seg([0x260000, 0x26C000], 1)
make_seg([0xD0000, 0xE0000])
make_seg([0x200000, 0x248000])
load_bin_file(0x0, "Choose ROM 1 (@0x000000)")
load_bin_file(0x260000, "Choose ROM 2 (@0x260000)")
load_bin_file(0xD0000, "Choose RAM_LO (@0x0D0000)")
load_bin_file(0x200000, "Choose RAM_HI (@0x200000)")
# The PatchRAM changes will show up as patched bytes
load_rampatch = 0
if ram_loaded == 0:
load_rampatch = ida_kernwin.askbuttons_c('Yes', 'No', 'Not sure', 1,'Do you want to patch ROM 1 and RAM regions with the provided PatchRAM?\n\n')
if load_rampatch == 1:
print('Patching ROM1, RAM_LO and RAM_HI:')
parser.process({0x08 : lambda r: idaapi.patch_many_bytes(r.addr, r.data), 0x0a : lambda r: idaapi.patch_many_bytes(r.addr, r.data)}, fw_index)
print('ROM 1, RAM_LO and RAM_HI regions were patched.')
elif ram_loaded == 1:
print('Patching ROM1:')
parser.process({0x08 : lambda r: idaapi.patch_many_bytes(r.addr, r.data)}, fw_index)
print('Only one RAM region loaded. ROM 1 was patched.')
elif ram_loaded == 2:
load_rampatch = ida_kernwin.askbuttons_c('Yes', 'No', 'Not sure', 0,'RAM_LO and RAM_HI were loaded.\n\nDo you want to patch them with the provided PatchRAM?\n\n')
if load_rampatch == -1 or load_rampatch == 0:
print('Patching ROM1:')
parser.process({0x08 : lambda r: idaapi.patch_many_bytes(r.addr, r.data)}, fw_index)
print('RAM_LO and RAM_HI loaded. ROM 1 was patched.')
elif load_rampatch == 1:
print('Patching ROM1, RAM_LO and RAM_HI:')
parser.process({0x08 : lambda r: idaapi.patch_many_bytes(r.addr, r.data), 0x0a : lambda r: idaapi.patch_many_bytes(r.addr, r.data)}, fw_index)
print('RAM_LO and RAM_HI loaded. ROM 1 and both RAM regions were patched.')
# Code is THUMB only
idc.SetReg(0x0, 't', 1)
return 1
def load_file(li, neflags, format):
if format != MBNImageFormatName and format != SBLImageFormatName:
Warning("Unknown format name: '%s'" % format)
return 0
idaapi.set_processor_type("arm:ARMv7-A&R", SETPROC_ALL | SETPROC_FATAL)
if format == SBLImageFormatName:
return load_file_sbl(li)
elif format == MBNImageFormatName:
return load_file_mbn(li)
return 0
def load_file_sbl(li, neflags, format):
# set the processor type and enable 'metaarm' so ida disassembles all instructions
idaapi.set_processor_type("arm:ARMv7-A&R", idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
idc.ChangeConfig('ARM_DEFAULT_ARCHITECTURE = metaarm')
# rewind the input file and read its contents
li.seek(0)
init_val = li.read(li.size())
# Load the file data (sans header) into IDA
rom = SblImage(init_val)
AddSeg(rom.header.image_dest_ptr, rom.header.image_dest_ptr + rom.header.image_size, 0, 1, idaapi.saRelPara, idaapi.scPub)
SetSegmentType(rom.header.image_dest_ptr, idaapi.SEG_CODE)
RenameSeg(rom.header.image_dest_ptr, "CODE")
# li.file2base(file_offset, seg1, seg1 + code_seg_size, 0)
# Load the file data (sans header) into IDA
li.file2base(80, rom.header.image_dest_ptr, rom.header.image_dest_ptr + rom.header.code_size, 0)
# Define the .text .data and .bss segments
#AddSegEx(0, rom.header.image_dest_ptr, rom.header.image_dest_ptr + rom.header.code_size, s, ".code", "CODE", ADDSEG_OR_DIE)
# AddSegment(0, data_start, data_end, ".data", "DATA")
# AddSegment(0, data_end, bss_end, ".bss", "BSS")
image_base = rom.header.image_dest_ptr
entry = rom.header.image_src
#if DEBUG:
# print "Created File Segments: "
# print "\t.text 0x%.8X - 0x%.8X" % (entry, data_start)
# print "\t.data 0x%.8X - 0x%.8X" % (data_start, data_end)
# print "\t.bss 0x%.8X - 0x%.8X" % (data_end, bss_end)
# mark the entry point as being the first byte of the loaded image
idaapi.add_entry(rom.header.image_dest_ptr, rom.header.image_dest_ptr, "HEADER", 1)
AddIdbComment(image_base, 'Codeword: ', rom.header.codeword)
AddIdbComment(image_base, 'Magic No.: ', rom.header.magic)
AddIdbComment(image_base, 'Source Location: ', rom.header.image_src)
AddIdbComment(image_base, 'Destination Address: ', rom.header.image_dest_ptr)
AddIdbComment(image_base, 'Image Size: ', rom.header.image_size)
AddIdbComment(image_base, 'Code Size: ', rom.header.code_size)
AddIdbComment(image_base, 'Signature Ptr: ', rom.header.sig_ptr)
AddIdbComment(image_base, 'Signature Size: ', rom.header.sig_size)
AddIdbComment(image_base, 'Cert Chain Ptr: ', rom.header.cert_chain_ptr)
AddIdbComment(image_base, 'Cert Chain Size: ', rom.header.cert_chain_size)
AddIdbComment(image_base, 'OEM Cert Sel: ', rom.header.oem_root_cert_sel)
AddIdbComment(image_base, 'OEM Cert Num: ', rom.header.oem_num_root_certs)
return 1
def load_file(li, neflags, format):
chunksize = 0x10000
base = 0xF000
start = base << 4
size = li.size()
if (size & 0xFFF) != 0:
size &= ~0xFFFF
offs = size - chunksize
idaapi.set_processor_type("metapc", idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
if size < chunksize:
offs = 0
start += chunksize - size
chunksize = size
# make E and F segments for real-mode part
myAddSeg(start, start + chunksize, base, 0, "BIOS_F", "CODE")
li.file2base(offs, start, start + chunksize, 1)
if offs > 0 and base > 0xE000:
base -= 0x1000
start -= chunksize
offs -= chunksize
myAddSeg(start, start + chunksize, base, 0, "BIOS_%X" % (base >> 12), "CODE")
li.file2base(offs, start, start + chunksize, 1)
# set default ds to point to the current segment
SetSegDefReg(start, "ds", base)
if offs > 0:
# file is bigger than 128KB
# make a flat 32-bit segment for the flash alias area
start = (-size) & 0xFFFFFFFF # place it so that it ends at 4GB
chunksize = size
if not __EA64__:
chunksize -= 2 # truncate last two bytes to avoid address space overlap
# map the whole file
offs = 0
base = 0
myAddSeg(start, start + chunksize, base, 1, "BIOS_FLASH", "CODE")
li.file2base(offs, start, start + chunksize, 1)
# set the entry registers to F000:FFF0
SetLongPrm(INF_START_IP, 0xFFF0)
SetLongPrm(INF_START_CS, 0xF000)
# turn off "Convert 32bit instruction operand to offset", too many false positives in high areas
SetShortPrm(INF_START_AF, GetShortPrm(INF_START_AF) & ~AF_IMMOFF)
# turn off "Create function tails"
SetShortPrm(INF_AF2, GetShortPrm(INF_AF2) & ~AF2_FTAIL)
return 1
def load_file(li, neflags, format):
if format != MBNImageFormatName and format != SBLImageFormatName:
Warning("Unknown format name: '%s'" % format)
return 0
idaapi.set_processor_type("arm:ARMv7-A&R", SETPROC_ALL|SETPROC_FATAL)
if format == SBLImageFormatName:
return load_file_sbl(li)
elif format == MBNImageFormatName:
return load_file_mbn(li)
return 0
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
if format.startswith(RomFormatName):
li.seek(0)
header = read_struct(li, image_header)
c = header.ih_arch
cname = IDACPUNames[c]
if cname == "":
warning("Unsupported CPU")
return
if not header.ih_comp in (IH_COMP_NONE, IH_COMP_GZIP):
warning("Can only handle uncompressed or gzip-compressed images")
return
idaapi.set_processor_type(cname, SETPROC_LOADER)
AddSeg(header.ih_load, header.ih_load + header.ih_size, 0, 1,
idaapi.saRelPara, idaapi.scPub)
# copy bytes to the database
if header.ih_comp == IH_COMP_NONE:
li.file2base(ctypes.sizeof(header), header.ih_load,
header.ih_load + header.ih_size, 0)
else:
cdata = li.read(header.ih_size)
d = zlib.decompressobj(zlib.MAX_WBITS | 32)
udata = d.decompress(cdata)
udata += d.flush()
# expand segment to fit uncompressed data
set_segment_bounds(header.ih_load, header.ih_load,
header.ih_load + len(udata), SEGMOD_KEEP)
idaapi.put_bytes(header.ih_load, udata)
if cname == "ARM" and (header.ih_ep & 1) != 0:
# Thumb entry point
header.ih_ep -= 1
split_sreg_range(header.ih_ep, "T", 1)
idaapi.add_entry(header.ih_ep, header.ih_ep, "start", 1)
print "Load OK"
return 1
def load_file(li, neflags, format):
"""
Load the SEGA Master System ROM
:param li: Loader input
:param neflags:
:param format:
:return: 1 on success, otherwise 0
"""
idaapi.set_processor_type('z80', idaapi.SETPROC_LOADER)
is_reload = (neflags & idaapi.NEF_RELOAD) != 0
if is_reload:
return 1
# Create ROM segment
rom_seg = idaapi.segment_t()
rom_seg.start_ea = 0x0000
rom_seg.end_ea = 0xbfff
rom_seg.bitness = 0
idaapi.add_segm_ex(rom_seg, 'ROM', 'CODE', idaapi.ADDSEG_OR_DIE)
# Read file into ROM segment
li.seek(0)
li.file2base(0, 0, li.size(), False)
# Create RAM Segment
ram_seg = idaapi.segment_t()
ram_seg.start_ea = 0xc000
ram_seg.end_ea = 0xdfff
ram_seg.bitness = 0
idaapi.add_segm_ex(ram_seg, 'RAM', 'DATA', idaapi.ADDSEG_OR_DIE)
# Create RAM mirror segment
ram_mirror_seg = idaapi.segment_t()
ram_mirror_seg.start_ea = 0xe000
ram_mirror_seg.end_ea = 0xffff
ram_mirror_seg.bitness = 0
idaapi.add_segm_ex(ram_mirror_seg, 'RAM_MIRROR', 'DATA',
idaapi.ADDSEG_OR_DIE)
# Define the I/O ports
create_io_ports()
# Disassemble reset vectors
create_reset_vectors()
# Specify entry
idaapi.add_entry(0x0000, 0x0000, 'RST0', 1)
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
# Select the PC processor module
idaapi.set_processor_type("metapc", ida_idp.SETPROC_LOADER)
# read MBR into buffer
li.seek(0, os.SEEK_SET)
buf = li.read(li.size())
seg = idaapi.segment_t()
start = 0x7C00
size = len(buf)
end = start + size
# Create the segment
seg.start_ea = start
seg.end_ea = end
seg.bitness = 0 # 16-bit
idaapi.add_segm_ex(seg, "seg0", "CODE", 0)
# Copy the bytes
idaapi.mem2base(buf, start, end)
# add entry point
idaapi.add_entry(start, start, "start", 1)
strid = add_struct_def()
idaapi.set_name(start + 0x1BE, "MBR_PARTITION_TABLE", idaapi.SN_CHECK)
str_size = idaapi.get_struc_size(strid)
idaapi.create_struct(start + 0x1BE, str_size, strid)
idaapi.set_name(510, "MBR_SIGN", idaapi.SN_CHECK)
# Mark for analysis
AutoMark(start, AU_CODE)
load_debugger("bochs", 0)
return 1
def load_file(f, neflags, format):
idaapi.set_processor_type('yara', idaapi.SETPROC_ALL)
f.seek(0x0, os.SEEK_END)
flen = f.tell()
f.seek(0)
hdr = parse_hdr(f)
file_hdr = parse_file_hdr(f)
# mark the proc type, so IDA can invoke the correct disassembler/processor.
mapsize = hdr.size
# map 0..mapsize from file at offset 0xc into idb (without relocation data)
# this makes all pointers relative offsets to this mapping's start
f.file2base(0xc, 0, flen - 0x0c, True) # true makes it patchable
f.seek(hdr.size + 0x0c)
code_end = find_code_end(file_hdr) or hdr.size
# list head shoule come right after (except some CC paddings. weirdly t4.yara compiles some extra garbage between the code and rules_list_head)
# note specifying CODE since it will force decoding of data that's in the section for padding
idaapi.add_segm(0, file_hdr.code_start, code_end, ".text", "")
# this will allow string references to work later
idaapi.add_segm(0, 0, file_hdr.code_start, ".data", "DATA")
idaapi.add_segm(0, code_end, mapsize, ".data", "DATA")
idaapi.add_segm(0, mapsize, flen - 0x0c, ".reloc", "RELOC")
parse_data_seg(hdr, file_hdr, f)
define_consts()
# set up entry point
idaapi.add_entry(file_hdr.code_start, file_hdr.code_start, "start",
1) # 1 means make code
# some comments
idaapi.describe(file_hdr.code_start, True,
"Compiled YARA rule disassembly")
yaraver = '(yara {})'.format(YARA_ARENA_TO_VERSION[
hdr.arena_ver]) if hdr.arena_ver in YARA_ARENA_TO_VERSION else ''
idaapi.describe(file_hdr.code_start, True, "Arena version {} {}".format(
hdr.arena_ver,
yaraver)) # T TODO: check changes between arena versions
idaapi.describe(file_hdr.code_start, True,
"max_threads: {}".format(hdr.max_threads))
return 1
def load_file(li, neflags, fmt):
idaapi.set_processor_type('arm', SETPROC_ALL|SETPROC_FATAL)
options = FORMAT_OPTIONS[fmt]
if OPT_EXEFS_LOAD in options:
ret = load_as_exefs(li, options)
else:
ret = load_one_file(li, options, 0)
eh_parse = idaapi.find_plugin('eh_parse', True)
if eh_parse:
print 'eh_parse ->', idaapi.run_plugin(eh_parse, 0)
else:
print 'warning: eh_parse missing'
return ret
def load_file(f, neflags, format):
f.seek(0)
magic = f.read(4)
version = struct.unpack("<I", f.read(4))[0]
flags = struct.unpack("<I", f.read(4))[0]
memType = struct.unpack("<I", f.read(4))[0]
serviceType = struct.unpack("<I", f.read(4))[0]
numInstances = struct.unpack("<I", f.read(4))[0]
uuid = struct.unpack("<IIII", f.read(16))
driverId = struct.unpack("<I", f.read(4))[0]
numThreads = struct.unpack("<I", f.read(4))[0]
textVA = struct.unpack("<I", f.read(4))[0]
textLen = struct.unpack("<I", f.read(4))[0]
dataVA = struct.unpack("<I", f.read(4))[0]
dataLen = struct.unpack("<I", f.read(4))[0]
bssLen = struct.unpack("<I", f.read(4))[0]
entry = struct.unpack("<I", f.read(4))[0]
f.seek(MCLF_TEXT_INFO_OFFSET)
idaapi.set_processor_type("arm", ida_idp.SETPROC_LOADER_NON_FATAL)
# Set VA for .text and add the segment
f.file2base(0, textVA, textVA + textLen, True)
idaapi.add_segm(0, textVA, textVA + textLen, ".text", "CODE")
# Set VA for .data and add the segment
f.file2base(textLen, dataVA, dataVA + dataLen, True)
idaapi.add_segm(0, dataVA, dataVA + dataLen, ".data", "DATA")
# Add BSS segment after .text and .data
idaapi.add_segm(0, dataVA + dataLen, dataVA + dataLen + bssLen, ".bss",
"BSS")
if entry % 4 == 1:
#Thumb address is always +1 to set the T bit
idaapi.add_entry(entry - 1, entry - 1, "_entry", 1)
idc.split_sreg_range(entry - 1, "T", 0x1, ida_segregs.SR_user)
else:
idaapi.add_entry(entry, entry, "_entry", 1)
idc.split_sreg_range(entry, "T", 0x0, ida_segregs.SR_user)
ida_bytes.create_data(tlApiLibEntry, idaapi.FF_DWORD, 4, idaapi.BADADDR)
idc.set_name(tlApiLibEntry, "tlApiLibEntry", ida_name.SN_CHECK)
return 1
def load_file(f, neflags, format):
f.seek(0)
magic = f.read(4)
version = struct.unpack("<I", f.read(4))[0]
flags = struct.unpack("<I", f.read(4))[0]
memType = struct.unpack("<I", f.read(4))[0]
serviceType = struct.unpack("<I", f.read(4))[0]
numInstances = struct.unpack("<I", f.read(4))[0]
uuid = struct.unpack("<IIII", f.read(16))
driverId = struct.unpack("<I", f.read(4))[0]
numThreads = struct.unpack("<I", f.read(4))[0]
textVA = struct.unpack("<I", f.read(4))[0]
textLen = struct.unpack("<I", f.read(4))[0]
dataVA = struct.unpack("<I", f.read(4))[0]
dataLen = struct.unpack("<I", f.read(4))[0]
bssLen = struct.unpack("<I", f.read(4))[0]
entry = struct.unpack("<I", f.read(4))[0]
f.seek(MCLF_TEXT_INFO_OFFSET)
idaapi.set_processor_type("arm", SETPROC_ALL)
# Set VA for .text and add the segment
f.file2base(0, textVA, textVA + textLen, True)
idaapi.add_segm(0, textVA, textVA + textLen, ".text", "CODE")
# Set VA for .data and add the segment
f.file2base(MCLF_HEADER_SIZE_V23 + textLen, dataVA, dataVA + dataLen, True)
idaapi.add_segm(0, dataVA, dataVA + dataLen, ".data", "DATA")
# Add BSS segment after .text and .data
idaapi.add_segm(0, dataVA + dataLen, dataVA + dataLen + bssLen, ".bss",
"BSS")
if entry % 4 == 1:
#Thumb address is always +1 to set the T bit
idaapi.add_entry(entry - 1, entry - 1, "_entry", 1)
SetRegEx(entry - 1, "T", 0x1, SR_user)
else:
idaapi.add_entry(entry, entry, "_entry", 1)
SetRegEx(entry, "T", 0x0, SR_user)
MakeDword(tlApiLibEntry)
MakeName(tlApiLibEntry, "tlApiLibEntry")
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
if not format == FILE_FORMAT_NAME:
warning("Unknown format name: '%s'" % format)
return 0
idaapi.set_processor_type("sh3b", ida_idp.SETPROC_LOADER)
load_sh2_data(li)
print("Load OK")
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
# Select the PC processor module
idaapi.set_processor_type("metapc", SETPROC_ALL|SETPROC_FATAL)
buf = read_whole_file(li)
r = extract_pdf_shellcode(buf)
if not r:
return 0
# Load all shellcode into different segments
start = 0x10000
seg = idaapi.segment_t()
for id, ver, n, sc in r:
size = len(sc)
end = start + size
# Create the segment
seg.startEA = start
seg.endEA = end
seg.bitness = 1 # 32-bit
idaapi.add_segm_ex(seg, "obj_%d_%d_%d" % (id, ver, n), "CODE", 0)
# Copy the bytes
idaapi.mem2base(sc, start, end)
# Mark for analysis
AutoMark(start, AU_CODE)
# Compute next loading address
start = ((end / 0x1000) + 1) * 0x1000
# Select the bochs debugger
LoadDebugger("bochs", 0)
return 1
def load_file(li, neflags, format):
"""Load the file into database
Args:
li: a file-like object which can be used to access the input data
neflags: options selected by the user, see loader.hpp
Returns:
0-failure
1-ok
"""
idaapi.set_processor_type("sh4", SETPROC_ALL | SETPROC_FATAL)
li.seek(0, idaapi.SEEK_END)
size = li.tell()
li.seek(0)
rom_data = li.read(size)
s = idaapi.segment_t()
s.startEA = 0
s.endEA = size
s.bitness = 1 # 32-bit
s.align = idaapi.saRelByte
s.comb = idaapi.scPub
s.sel = idaapi.setup_selector(0)
idaapi.add_segm_ex(s, "ROM", "DATA",
idaapi.ADDSEG_NOSREG | idaapi.ADDSEG_OR_DIE)
idaapi.mem2base(rom_data, 0)
headr = JasperThe2kCat()
headr.AnotateHeader(binary_file=li)
headr.MakeStrings(binary_file=li)
gentries = gameEntries()
gentries.readGameLoops(binary_file=li)
gentries.CreateSegments(binary_file=li)
gentries.makeDWordTables()
gentries.makeDWordTables(start_address=0x2a0, end_address=0x1000)
gentries.addIDA_entry()
print("load ok")
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
# Select the PC processor module
idaapi.set_processor_type("metapc", SETPROC_LOADER)
buf = read_whole_file(li)
r = extract_pdf_shellcode(buf)
if not r:
return 0
# Load all shellcode into different segments
start = 0x10000
seg = idaapi.segment_t()
for id, ver, n, sc in r:
size = len(sc)
end = start + size
# Create the segment
seg.start_ea = start
seg.end_ea = end
seg.bitness = 1 # 32-bit
idaapi.add_segm_ex(seg, "obj_%d_%d_%d" % (id, ver, n), "CODE", 0)
# Copy the bytes
idaapi.mem2base(sc, start, end)
# Mark for analysis
AutoMark(start, AU_CODE)
# Compute next loading address
start = ((end / 0x1000) + 1) * 0x1000
# Select the bochs debugger
load_debugger("bochs", 0)
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
li.seek(0)
vmlinux = li.read(li.size())
do_get_arch(kallsyms, vmlinux)
do_kallsyms(kallsyms, vmlinux)
# print_kallsyms(kallsyms, vmlinux)
if kallsyms['numsyms'] == 0:
print '[!]get kallsyms error...'
return 0
idaapi.set_processor_type("arm", idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
if kallsyms['arch'] == 64:
idaapi.get_inf_structure().lflags |= idaapi.LFLG_64BIT
li.file2base(0, kallsyms['_start'], kallsyms['_start'] + li.size(), True)
s = idaapi.segment_t()
s.bitness = kallsyms['arch'] / 32
s.startEA = kallsyms['_start']
s.endEA = kallsyms['_start'] + li.size()
idaapi.add_segm_ex(s, ".text", "CODE", idaapi.ADDSEG_OR_DIE)
for i in xrange(kallsyms['numsyms']):
if kallsyms['type'][i] in ['t', 'T']:
idaapi.add_entry(kallsyms['address'][i], kallsyms['address'][i],
kallsyms['name'][i], 1)
else:
idaapi.add_entry(kallsyms['address'][i], kallsyms['address'][i],
kallsyms['name'][i], 0)
print "Android/Linux vmlinux loaded..."
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
li.seek(0)
vmlinux = li.read(li.size())
do_get_arch(kallsyms, vmlinux)
do_kallsyms(kallsyms, vmlinux)
# print_kallsyms(kallsyms, vmlinux)
if kallsyms['numsyms'] == 0:
print '[!]get kallsyms error...'
return 0
idaapi.set_processor_type("arm", SETPROC_ALL|SETPROC_FATAL)
if kallsyms['arch'] == 64:
idaapi.get_inf_structure().lflags |= idaapi.LFLG_64BIT
li.file2base(0, kallsyms['_start'], kallsyms['_start']+li.size(), True)
s = idaapi.segment_t()
s.bitness = kallsyms['arch'] / 32
s.startEA = kallsyms['_start']
s.endEA = kallsyms['_start']+li.size()
idaapi.add_segm_ex(s,".text","CODE",ADDSEG_OR_DIE)
for i in xrange(kallsyms['numsyms']):
if kallsyms['type'][i] in ['t','T']:
idaapi.add_entry(kallsyms['address'][i], kallsyms['address'][i], kallsyms['name'][i], 1)
else:
idaapi.add_entry(kallsyms['address'][i], kallsyms['address'][i], kallsyms['name'][i], 0)
print "Android vmlinux loaded..."
return 1
def load_file(li, neflags, format):
idaapi.set_processor_type("arm", SETPROC_ALL|SETPROC_FATAL)
offs = 0
for s in segments:
start = s["start"]
length = s["len"]
name = s["name"]
seg_type = s["type"]
li.file2base(offs, start, start+length, True)
idaapi.add_segm(0, start, start+length, name, seg_type)
offs += length
create_modem_hdr_struct()
add_modem_hdr_struct(8*4 + segments[0]["start"]) #this might fail unless we carve out a DATA segment from the CODE segment for it.
print "Samsung Shannon image loaded."
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
if format == FormatName:
idaapi.set_processor_type("arm", SETPROC_ALL|SETPROC_FATAL)
chunk = ""
while True:
s = gets(li)
if s == None:
break
# warning(s)
if s.startswith("#") or s.startswith(" ") or s.startswith(".*: "):
continue
words = s.split()
if len(words) > 2 and words[1].startswith('<') and words[1].endswith('>'):
hex = words[2].decode('hex')
chunk += hex[::-1]
if ishex(words[3]) and len(words[3]) == len(words[2]):
hex = words[3].decode('hex')
chunk += hex[::-1]
if len(chunk) == 0:
return 0
size = len(chunk)
AddSeg(0, size, 0, 1, idaapi.saRelByte, idaapi.scPub)
idaapi.put_many_bytes(0, chunk)
print "Load OK"
return 1
Warning("Unknown format name: '%s'" % format)
return 0
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
if format.startswith(RomFormatName):
li.seek(0)
header = read_struct(li, image_header)
c = header.ih_arch
cname = IDACPUNames[c]
if cname == "":
Warning("Unsupported CPU")
return
if header.ih_comp != IH_COMP_NONE:
Warning("Cannot load compressed images")
return
idaapi.set_processor_type(cname, SETPROC_ALL|SETPROC_FATAL)
AddSeg(header.ih_load, header.ih_load + header.ih_size, 0, 1, idaapi.saRelPara, idaapi.scPub)
# copy bytes to the database
li.file2base(ctypes.sizeof(header), header.ih_load, header.ih_load + header.ih_size, 0)
if cname == "ARM" and (header.ih_ep & 1) != 0:
# Thumb entry point
header.ih_ep -= 1
SetReg(header.ih_ep, "T", 1)
idaapi.add_entry(header.ih_ep, header.ih_ep, "start", 1)
print "Load OK"
return 1
def load_file(li, neflags, format):
idaapi.set_processor_type("arm:ARMv7-A&R", SETPROC_ALL|SETPROC_FATAL)
idc.ChangeConfig('ARM_DEFAULT_ARCHITECTURE = metaarm')
if format == SBL1:
init_val = li.read(li.size())
rom = SblImage(init_val)
image_base = rom.header.image_dest_ptr
entry = image_base
return load_file_sbl(li, neflags, format)
elif format == MBN:
init_val = li.read(li.size())
rom = MbnImage(init_val)
image_base = rom.header.image_dest_ptr
entry = image_base - rom.header.image_src
return load_file_mbn(li, neflags, format)
# rewind the input file and read its contents
li.seek(0)
(image_id, header_flash_ver, image_src, image_dest_ptr, image_size, code_size, signature_ptr, signature_size, cert_chain_ptr, cert_chain_size) = struct.unpack(">IIIIIIIIII", li.read(4*10))
# Load the file data (sans header) into IDA
li.file2base(entry, entry, data_end, True)
# Define the .text .data and .bss segments
add_segm(0, entry, data_end, ".text", "CODE")
add_segm(0, data_start, data_end, ".data", "DATA")
add_segm(0, data_end, bss_end, ".bss", "BSS")
if DEBUG:
print "Created File Segments: "
print "\t.text 0x%.8X - 0x%.8X" % (entry, data_start)
print "\t.data 0x%.8X - 0x%.8X" % (data_start, data_end)
print "\t.bss 0x%.8X - 0x%.8X" % (data_end, bss_end)
def load_file(li, neflags, format):
idaapi.set_processor_type('xap2csr', idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
li.seek(0)
lines = li.read(li.size()).split('\n')
segs = {}
for seg in ('code', 'data'):
segs[seg] = {'chunks': [], 'syms': []}
def handle_line(line):
raise ValueError('got non-commented line before title: %r' % (line,))
for line in lines:
#print repr(line)
line = line.strip()
if not line:
continue
if not line.startswith('// '):
line = re.sub('\s*//.*', '', line)
handle_line(line)
continue
m = re.match('^// Title +: "(Code|Constant|Symbol) Table"', line)
if not m:
continue
kind = m.group(1)
if kind in ('Code', 'Constant'):
chunks = segs['code' if kind == 'Code' else 'data']['chunks']
if chunks != []:
raise ValueError('more than one %s table in file' % (kind,))
cur_addr_box = [None]
cur_chunk_box = [None]
def handle_line(line):
m = re.match('^@([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{4})$', line)
if not m:
raise ValueError('unrecognized seg line: %r' % (line,))
addr, word = [int(x, 16) for x in m.groups()]
cur_addr, cur_chunk = cur_addr_box[0], cur_chunk_box[0]
if cur_addr is None or addr > cur_addr:
cur_chunk = cur_chunk_box[0] = []
chunks.append((addr, cur_chunk))
elif addr < cur_addr:
raise ValueError('going backwards with addresses (cur_addr=0x%x): %r' % (cur_addr, line,))
cur_chunk.append(word)
cur_addr_box[0] = addr + 1
else:
assert kind == 'Symbol'
cur_syms_box = [None]
def handle_line(line):
if line in ('.CODE', '.DATA'):
cur_syms_box[0] = segs[line[1:].lower()]['syms']
else:
m = re.match('^([^,]+), ([0-9a-fA-F]+)*$', line)
if not m:
raise ValueError('unknown symbol line: %r' % (line,))
cur_syms = cur_syms_box[0]
if cur_syms is None:
raise ValueError('symbols without a segment: %r' % (line,))
cur_syms.append((int(m.group(2), 16), m.group(1))) # (addr, name)
for (segname, info) in segs.iteritems():
kind = {'code': 0, 'data': 1}[segname]
base_addr = (0, 0x1000000)[kind]
if segname == 'code' and info['chunks'] == [] and info['syms'] == []:
continue
if not idaapi.set_selector(kind + 1, base_addr >> 4):
raise Exception("couldn't set selector for segment %s" % (name,))
for addr, chunk in info['chunks']:
seg = idaapi.segment_t()
seg.startEA = base_addr + addr
seg.endEA = base_addr + addr + len(chunk)
seg.bitness = 1 # 32-bit (we can have more than 16 bits of code, so just use for both)
seg.sel = kind + 1
name = '%s_%x' % (segname, addr)
klass = segname.upper()
#print '%s from %x to %x' % (name, seg.startEA, seg.endEA)
if not idaapi.add_segm_ex(seg, name, klass, ADDSEG_NOSREG):
raise Exception("couldn't add segment %s" % (name,))
ea = seg.startEA
for word in chunk:
idaapi.put_byte(ea, word)
ea += 1
if segname == 'code':
idaapi.autoMark(seg.startEA, AU_CODE)
if segname == 'data':
# fill in the remaining area with BSS
spaces = zip([0] + [addr+len(chunk) for (addr, chunk) in info['chunks']],
[addr for (addr, chunk) in info['chunks']] + [0x10000])
for start, end in spaces:
if end - start < 0x10:
continue
assert end > start
seg = idaapi.segment_t()
seg.startEA = base_addr + start
seg.endEA = base_addr + end
seg.bitness = 1
seg.sel = kind + 1
name = 'bss_%x' % (start,)
#print '%s from %x to %x' % (name, seg.startEA, seg.endEA)
if not idaapi.add_segm_ex(seg, name, 'BSS', idaapi.ADDSEG_SPARSE | ADDSEG_NOSREG):
raise Exception("couldn't add segment %s" % (name,))
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
li.seek(0)
vmlinux = li.read(li.size())
do_get_arch(kallsyms, vmlinux)
do_kallsyms(kallsyms, vmlinux)
if kallsyms['numsyms'] == 0:
print_log('[!]get kallsyms error...')
return 0
idaapi.set_processor_type("arm", idaapi.SETPROC_ALL|idaapi.SETPROC_FATAL)
if kallsyms['arch'] == 64:
idaapi.get_inf_structure().lflags |= idaapi.LFLG_64BIT
li.file2base(0, kallsyms['_start'], kallsyms['_start']+li.size(), True)
sinittext_addr = 0
max_sym_addr = 0
for i in range(kallsyms['numsyms']):
if kallsyms['arch'] == 32:
if kallsyms['address'][i] > 0xd0000000:
continue
if kallsyms['name'][i] == '_sinittext':
sinittext_addr = kallsyms['address'][i]
if kallsyms['address'][i] > max_sym_addr:
max_sym_addr = kallsyms['address'][i]
max_sym_addr = max_sym_addr + 1024
print_log("max_sym_addr = ", hex(max_sym_addr))
if (kallsyms['_start']+li.size()) > max_sym_addr:
max_sym_addr = kallsyms['_start']+li.size()
s = idaapi.segment_t()
s.bitness = kallsyms['arch'] // 32
s.startEA = kallsyms['_start']
if sinittext_addr == 0:
s.endEA = max_sym_addr
else:
s.endEA = sinittext_addr
s.perm = 5
idaapi.add_segm_ex(s,".text","CODE",idaapi.ADDSEG_OR_DIE)
if sinittext_addr > 0:
s = idaapi.segment_t()
s.bitness = kallsyms['arch'] // 32
s.startEA = sinittext_addr
s.endEA = max_sym_addr
s.perm = 7
idaapi.add_segm_ex(s,".data","DATA",idaapi.ADDSEG_OR_DIE)
for i in range(kallsyms['numsyms']):
if kallsyms['type'][i] in ['t','T']:
idaapi.add_entry(kallsyms['address'][i], kallsyms['address'][i], kallsyms['name'][i], 1)
else:
idaapi.add_entry(kallsyms['address'][i], kallsyms['address'][i], kallsyms['name'][i], 0)
print_log("Android/Linux vmlinux loaded...")
return 1
def load_file_mbn(li, neflags, format):
# set the processor type and enable 'metaarm' so ida disassembles all instructions
idaapi.set_processor_type("arm:ARMv7-A&R", idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
idc.ChangeConfig('ARM_DEFAULT_ARCHITECTURE = metaarm')
# rewind the input file and read its contents
li.seek(0)
init_val = li.read(li.size())
# Load the file data (sans header) into IDA
rom = MbnImage(init_val)
#CODE SEGMENT
#seg1_size = (rom.header.image_dest_ptr + 0xFFF) &(~0xFFF)
#file_offset = header_size + reloc_header_size*3
AddSeg(rom.header.image_dest_ptr, rom.header.image_dest_ptr + rom.header.image_size, 0, 1, idaapi.saRelPara, idaapi.scPub)
SetSegmentType(rom.header.image_dest_ptr, idaapi.SEG_CODE)
RenameSeg(rom.header.image_dest_ptr, "CODE")
# li.file2base(file_offset, seg1, seg1 + code_seg_size, 0)
# Load the file data (sans header) into IDA
li.file2base(40, rom.header.image_dest_ptr, rom.header.image_dest_ptr + rom.header.code_size, 0)
#AddSegment('%s_code' % rom, rom.code_base, rom.code_data)
#if rom.sig_data is not None: AddSegment('%s_sig' % rom, rom.sig_base, rom.sig_data) RenameSeg(rom.header.image_dest_ptr, "CODE")
#if rom.cert_data is not None: AddSegment('%s_cert' % rom, rom.cert_base, rom.cert_data)
#if rom.tail_data is not None: AddSegment('%s_tail' % rom, rom.tail_base, rom.tail_data)
#dataseg = rom.header.image_dest_ptr
#dataseg_size = init_val
#filofs = rom.header.code_size
#AddSeg(dataseg, rom.header.image_dest_ptr + rom.header.image_size, 0, 1, idaapi.saRelPara, idaapi.scPub)
#SetSegmentType(dataseg, idaapi.SEG_DATA)
#RenameSeg(dataseg, "DATA")
#li.file2base(rom.header.image_dest_ptr, dataseg, dataseg + rom.header.image_dest_ptr + rom.header.image_size, 0)
# Define the .text .data and .bss segments
#AddSegEx(rom.header.image_dest_ptr, rom.header.image_dest_ptr + rom.header.code_size, 0, 1, ".code", "CODE", ADDSEG_OR_DIE)
#AddSegment(0, data_start, data_end, ".data", "DATA")
#AddSegment(0, data_end, bss_end, ".bss", "BSS")
image_base = rom.header.image_dest_ptr
entry = image_base - rom.header.image_src
#if DEBUG:
# print "Created File Segments: "
# print "\t.text 0x%.8X - 0x%.8X" % (entry, data_start)
# print "\t.data 0x%.8X - 0x%.8X" % (data_start, data_end)
# print "\t.bss 0x%.8X - 0x%.8X" % (data_end, bss_end)
# mark the entry point as being the first byte of the loaded image
idaapi.add_entry(rom.header.image_dest_ptr, rom.header.image_dest_ptr, "HEADER", 1)
AddIdbComment(image_base, 'Flash Part Version: ', rom.header.flash_parti_ver)
AddIdbComment(image_base, 'Source Location: ', rom.header.image_src)
AddIdbComment(image_base, 'Destination Address: ', rom.header.image_dest_ptr)
AddIdbComment(image_base, 'Image Size: ', rom.header.image_size)
AddIdbComment(image_base, 'Code Size: ', rom.header.code_size)
AddIdbComment(image_base, 'Signature Ptr: ', rom.header.sig_ptr)
AddIdbComment(image_base, 'Signature Size: ', rom.header.sig_size)
AddIdbComment(image_base, 'Cert Chain Ptr: ', rom.header.cert_chain_ptr)
AddIdbComment(image_base, 'Cert Chain Size: ', rom.header.cert_chain_size)
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
if format == _3DSX_FORMAT_NAME:
idaapi.set_processor_type("arm", SETPROC_ALL|SETPROC_FATAL)
li.seek(0)
(magic, header_size, reloc_header_size, format_ver, flags, code_seg_size, rodata_seg_size, data_seg_size, bss_seg_size) = struct.unpack("<IHHIIIIII", li.read(4*8))
#print(hex(header_size))
#print(hex(reloc_header_size))
#print(hex(code_seg_size))
#print(hex(rodata_seg_size))
#print(hex(data_seg_size))
#print(hex(bss_seg_size))
#CODE SEGMENT
seg1 = CN_3DSX_LOADADR
seg1_size = (code_seg_size + 0xFFF) &(~0xFFF)
file_offset = header_size + reloc_header_size*3
AddSeg(seg1, seg1 + seg1_size, 0, 1, idaapi.saRelPara, idaapi.scPub)
SetSegmentType(seg1, idaapi.SEG_CODE)
RenameSeg(seg1, "CODE")
li.file2base(file_offset, seg1, seg1 + code_seg_size, 0)
#RO_DATA SEGMENT
seg2 = seg1 + seg1_size
seg2_size = (rodata_seg_size + 0xFFF) &(~0xFFF)
file_offset += code_seg_size
AddSeg(seg2, seg2 + seg2_size, 0, 1, idaapi.saRelPara, idaapi.scPub)
SetSegmentType(seg2, idaapi.SEG_DATA)
RenameSeg(seg2, "RODATA")
li.file2base(file_offset, seg2, seg2 + rodata_seg_size, 0)
#DATA SEGMENT
seg3 = seg2 + seg2_size
seg3_size = (data_seg_size + 0xFFF) &(~0xFFF)
file_offset += rodata_seg_size
AddSeg(seg3, seg3 + seg3_size, 0, 1, idaapi.saRelPara, idaapi.scPub)
SetSegmentType(seg3, idaapi.SEG_DATA)
RenameSeg(seg3, "DATA")
li.file2base(file_offset, seg3, seg3 + (data_seg_size - bss_seg_size), 0)
#relocations
relocs_ptr = file_offset + (data_seg_size - bss_seg_size)
segments = [seg1, seg2, seg3]
for rel_table in range(3):
li.seek(header_size + rel_table * 8)
(abs_count, rel_count) = struct.unpack("<II", li.read(4*2))
li.seek(relocs_ptr)
relocs_ptr = relocs_ptr + (abs_count * 4 + rel_count * 4)
pos = segments[rel_table]
#absolute relocations
for i in range(abs_count):
(skip, patches) = struct.unpack("<HH", li.read(2*2))
pos += skip * 4
for x in range(patches):
addr = Dword(pos)
if addr < seg1_size:
addr = seg1 + addr
elif addr < (seg1_size + seg2_size):
addr = seg2 + addr - seg1_size
else:
addr = seg3 + addr - (seg1_size + seg2_size)
PatchDword(pos, addr)
SetFixup(pos, idaapi.FIXUP_OFF32 or idaapi.FIXUP_CREATED, 0, addr, 0)
pos += 4
# cross-segment relative relocations
for i in range(rel_count):
(skip, patches) = struct.unpack("<HH", li.read(2*2))
pos += skip * 4
for x in range(patches):
addr = Dword(pos)
if addr < seg1_size:
addr = seg1 + addr
elif addr < (seg1_size + seg2_size):
addr = seg2 + addr - seg1_size
else:
addr = seg3 + addr - (seg1_size + seg2_size)
PatchDword(pos, addr - pos)
SetFixup(pos, idaapi.FIXUP_OFF32 or idaapi.FIXUP_CREATED, 0, addr - pos, 0)
pos += 4
idaapi.add_entry(CN_3DSX_LOADADR, CN_3DSX_LOADADR, "start", 1)
idaapi.analyze_area(seg1, seg1 + seg1_size)
print "Load OK"
return 1
return 0
def load_file(li, neflags, format):
if format != ROM_FORMAT_NAME:
Warning("Unknown format name: '%s'" % format)
return 0
idaapi.set_processor_type("M6502", SETPROC_ALL | SETPROC_FATAL)
li.seek(0, idaapi.SEEK_END)
size = li.tell()
# RAM
idc.AddSeg(RAM_START, RAM_START + RAM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(RAM_START, "RAM")
li.seek(0x6)
CartTypeLSB = struct.unpack("<B", li.read(1))[0]
# SRAM
if (((CartTypeLSB & 0x2) >> 1) == 1):
idc.AddSeg(SRAM_START, SRAM_START + SRAM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(SRAM_START, "SRAM")
# EXPROM
idc.AddSeg(EXPROM_START, EXPROM_START + EXPROM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(EXPROM_START, "EXPROM")
# TRAINER
if (((CartTypeLSB & 0x4) >> 2) == 1):
idc.AddSeg(TRAINER_START, TRAINER_START + TRAINER_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(TRAINER_START, "TRAINER")
# ROM
idc.AddSeg(ROM_START, ROM_START + ROM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(ROM_START, "ROM")
idc.SetSegmentType(ROM_START, idc.SEG_CODE)
CartTypeMSB = struct.unpack("<B", li.read(1))[0]
mapper_version = (((CartTypeLSB & 0xF0) >> 4) | (CartTypeMSB & 0xF0))
if (mapper_version == MAPPER_NONE or
mapper_version == MAPPER_MMC1 or
mapper_version == MAPPER_UxROM or
mapper_version == MAPPER_CNROM or
mapper_version == MAPPER_MMC3 or
mapper_version == MAPPER_MMC5 or
mapper_version == MAPPER_CAMERIC or
mapper_version == MAPPER_GNROM):
li.seek(0x4)
prg_rom_size = struct.unpack("<B", li.read(1))[0]
if (prg_rom_size != 0):
offset = HEADER_SIZE
if (((CartTypeLSB & 0x4) >> 2) == 1):
offset += TRAINER_SIZE
li.seek(offset)
li.file2base(0, ROM_START, ROM_START + PRG_PAGE_SIZE, 0)
offset = HEADER_SIZE + (prg_rom_size - 1) * PRG_PAGE_SIZE
if (((CartTypeLSB & 0x4) >> 2) == 1):
offset += TRAINER_SIZE
li.seek(offset)
li.file2base(0, ROM_START + PRG_PAGE_SIZE, ROM_START + PRG_PAGE_SIZE + PRG_PAGE_SIZE, 0)
elif (mapper_version == MAPPER_MMC2):
print("Second case mapper")
elif (mapper_version == MAPPER_AxROM or
mapper_version == MAPPER_COLOR_DREAMS or
mapper_version == MAPPER_BxROM):
print("Third case mapper")
else:
print("Mapper %d is not supported" % mapper_version)
naming()
idaapi.add_entry(Word(0xFFFC), Word(0xFFFC), "start", 1)
idaapi.cvar.inf.startIP = Word(0xFFFC)
idaapi.cvar.inf.beginEA = Word(0xFFFC)
header_info(li, 0xFFEF)
print("[+] Load OK")
return 1
def load_file(li, neflags, format):
if format != ROM_FORMAT_NAME:
Warning("Unknown format name: '%s'" % format)
return 0
jump = dwordAt(li, 0)
# Test ARM branch
if jump & 0xFF000000 != 0xEA000000:
Warning("Unknown format name: '%s'" % format)
return 0
idaapi.set_processor_type("arm", SETPROC_ALL | SETPROC_FATAL)
li.seek(0, idaapi.SEEK_END)
size = li.tell()
# Adding Header Section
idc.AddSeg(ROM_START, ROM_START + SIZE_HEADER, 0, 1, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(ROM_START, "HEADER")
idc.SetSegmentType(ROM_START, idc.SEG_CODE)
li.seek(0)
li.file2base(0, ROM_START, ROM_START + SIZE_HEADER, 0)
# Adding OEP
idaapi.add_entry(ROM_START, ROM_START, "start", 1)
idaapi.cvar.inf.startIP = ROM_START
idaapi.cvar.inf.beginEA = ROM_START
# Adding ROM Section
idc.AddSeg(ROM_START + SIZE_HEADER, ROM_START + (ROM_SIZE - SIZE_HEADER), 0, 1, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(ROM_START + SIZE_HEADER, "ROM")
idc.SetSegmentType(ROM_START + SIZE_HEADER, idc.SEG_CODE)
li.seek(SIZE_HEADER)
li.file2base(0, ROM_START + SIZE_HEADER, ROM_START + size, 0)
# Adding EWRAM
idc.AddSeg(0x02000000, 0x02040000, 0, 1, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(0x02000000, "EWRAM")
memset_seg(0x02000000, 0x40000)
# Adding IWRAM
idc.AddSeg(0x03000000, 0x03008000, 0, 1, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(0x03000000, "IWRAM")
memset_seg(0x03000000, 0x8000)
# Adding IO / Registers
idc.AddSeg(0x04000000, 0x04000400, 0, 1, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(0x04000000, "IOregisters")
memset_seg(0x04000000, 0x400)
# Adding BIOS System ROM
idc.AddSeg(0x00000000, 0x00004000, 0, 1, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(0x00000000, "BIOS")
memset_seg(0x00000000, 0x4000)
idc.SetSegmentType(0x0000000, idc.SEG_CODE)
idaapi.add_long_cmt(ROM_START, True, "ROM HEADER")
li.seek(0xA0)
idc.ExtLinA(ROM_START, 1, "; Game Title : %s" % li.read(12))
idc.ExtLinA(ROM_START, 2, "; Game Code : %s" % li.read(4))
idc.ExtLinA(ROM_START, 3, "; Marker Code : %s" % li.read(2))
idc.ExtLinA(ROM_START, 4, "; Fixed value : %02X" % struct.unpack("<B", li.read(1))[0])
idc.ExtLinA(ROM_START, 5, "; Main unit code : %02X" % struct.unpack("<B", li.read(1))[0])
idc.ExtLinA(ROM_START, 6, "; Device type : %02X" % struct.unpack("<B", li.read(1))[0])
idc.ExtLinA(ROM_START, 7, "; Reserved Area : db 7 dup(0)")
li.read(7)
idc.ExtLinA(ROM_START, 8, "; Software version %02X" % struct.unpack("<B", li.read(1))[0])
idc.ExtLinA(ROM_START, 9, "; Complement Check %02X" % struct.unpack("<B", li.read(1))[0])
idc.ExtLinA(ROM_START, 10, "; Reserved Area : db 2 dup(0)")
io_naming()
print("[+] Load OK")
return 1
def load_file(li, neflags, format):
if format != ROM_FORMAT_NAME:
Warning("Unknown format name: '%s'" % format)
return 0
idaapi.set_processor_type("M6502", SETPROC_ALL | SETPROC_FATAL)
li.seek(0, idaapi.SEEK_END)
size = li.tell()
li.seek(0, idaapi.SEEK_SET)
nheader = NES_HEADER.from_buffer_copy(li.read(LEN_NES_HEADER))
# RAM SEGMENT
idc.AddSeg(RAM_START, RAM_START + RAM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(RAM_START, "RAM")
zeromemory(RAM_START, RAM_SIZE)
# IOREG SEGMENT
idc.AddSeg(IOREG_START, IOREG_START + IOREG_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(IOREG_START, "IOREG")
zeromemory(IOREG_START, IOREG_SIZE)
# SRAM SEGMENT
# bit 1 : Cartridge contains battery-backed PRG RAM ($6000-7FFF) or other persistent memory
if (nheader.rom_control_byte_0 & 0x02) != 0x00:
idc.AddSeg(SRAM_START, SRAM_START + SRAM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(SRAM_START, "SRAM")
zeromemory(SRAM_START, SRAM_SIZE)
# EXPROM SEGMENT
idc.AddSeg(EXPROM_START, EXPROM_START + EXPROM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(EXPROM_START, "EXPROM")
zeromemory(EXPROM_START, EXPROM_SIZE)
# TRAINER SEGMENT
# bit 2 : 512-byte trainer at $7000-$71FF (stored before PRG data)
if (nheader.rom_control_byte_0 & 0x04) != 0x00:
idc.AddSeg(TRAINER_START, TRAINER_START + TRAINER_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(TRAINER_START, "TRAINER")
zeromemory(TRAINER_START, TRAINER_SIZE)
# ROM SEGMENT
idc.AddSeg(ROM_START, ROM_START + ROM_SIZE, 0, 0, idaapi.saRelPara, idaapi.scPub)
idc.RenameSeg(ROM_START, "ROM")
idc.SetSegmentType(ROM_START, idc.SEG_CODE | idc.SEG_DATA)
zeromemory(ROM_START, ROM_SIZE)
describe_header_info(li)
mapper_version = (((nheader.rom_control_byte_0 & 0xF0) >> 4) | (nheader.rom_control_byte_1 & 0xF0))
if (mapper_version == MAPPER_NONE or
mapper_version == MAPPER_MMC1 or
mapper_version == MAPPER_UxROM or
mapper_version == MAPPER_CNROM or
mapper_version == MAPPER_MMC3 or
mapper_version == MAPPER_MMC5 or
mapper_version == MAPPER_CAMERIC or
mapper_version == MAPPER_GNROM):
offset = LEN_NES_HEADER
if (nheader.rom_control_byte_0 & 0x04) != 0x00:
offset = offset + TRAINER_SIZE
offset = offset
li.file2base(offset, ROM_START, ROM_START + PRG_PAGE_SIZE, 0)
offset = LEN_NES_HEADER
if (nheader.rom_control_byte_0 & 0x04) != 0x00:
offset = offset + TRAINER_SIZE
offset = offset + (nheader.nb_prg_page_16k - 1) * PRG_PAGE_SIZE
li.file2base(offset, ROM_START + PRG_PAGE_SIZE, ROM_START + PRG_PAGE_SIZE + PRG_PAGE_SIZE, 0)
offset = LEN_NES_HEADER
if (nheader.rom_control_byte_0 & 0x04) != 0x00:
offset = offset + TRAINER_SIZE
offset = offset + PRG_PAGE_SIZE * nheader.nb_prg_page_16k
li.file2base(offset, RAM_START, RAM_START + CHR_PAGE_SIZE, 0)
elif (mapper_version == MAPPER_MMC2):
Warning("Second case mapper")
elif (mapper_version == MAPPER_AxROM or
mapper_version == MAPPER_COLOR_DREAMS or
mapper_version == MAPPER_BxROM):
Warning("Third case mapper")
else:
Warning("Mapper %d is not supported" % mapper_version)
naming()
idaapi.add_entry(Word(0xFFFC), Word(0xFFFC), "start", 1)
idaapi.cvar.inf.startIP = Word(0xFFFC)
idaapi.cvar.inf.beginEA = Word(0xFFFC)
return 1
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
if format == FormatName:
idaapi.set_processor_type("dsp56k", SETPROC_ALL | SETPROC_FATAL)
li.seek(0)
s = gets(li)
minprog = BADADDR
maxprog = 0
start_addr = 0
chunk = ""
clist = ChunkList()
while True:
if s == None:
break
s = s.strip()
if len(s) == 0 or s.startswith(" "):
s = gets(li)
continue
words = s.split()
if s.startswith("_START "):
# skip
s = gets(li)
continue
elif s.startswith("_DATA"):
# _DATA <Memory space> <Address> <Code/data> ...
if len(words) < 3:
idaapi.error("Bad _DATA record: %s" % s)
# we handle only P (program) memory
if not words[1] in ("P", "X", "Y"):
idaapi.error("Unhandled _DATA memory space: %s" % words[1])
if not ishex(words[2]):
idaapi.error("Bad _DATA starting address: %s" % words[2])
if len(chunk):
# append current chunk to the list
clist.add_chunk(start_addr, chunk, cur_mem)
# start a new chunk
cur_mem = words[1]
start_addr = int(words[2], 16)
chunk = make_chunk(words[3:], cur_mem)
s = gets(li)
continue
elif s.startswith("_END"):
if len(words) < 2 or not ishex(words[1]):
idaapi.error("Bad _END record: %s" % s)
# append current chunk to the list
clist.add_chunk(start_addr, chunk, cur_mem)
# load all
clist.load_to_idb()
# add the entrypoint
entry_ea = int(words[1], 16)
idaapi.add_entry(entry_ea, entry_ea, "start", 1)
break
elif s.startswith("_"):
idaapi.error("Unhandled record type: %s" % words[0])
# we're inside a _DATA record
chunk += make_chunk(words, cur_mem)
s = gets(li)
print "Load OK"
return 1
Warning("Unknown format name: '%s'" % format)
return 0
