def pablo(address, end, search):
while address < end:
address = idaapi.find_binary(address, end, search, 0x10, SEARCH_DOWN)
if address > idaapi.get_segm_by_name('CODE').end_ea:
offset = address - 0x3
if idaapi.isUnknown(idaapi.getFlags(offset)):
if idaapi.get_qword(offset) <= end:
idaapi.create_data(offset, FF_QWORD, 0x8, BADNODE)
address = offset + 4
else:
idaapi.do_unknown(address, 0)
idaapi.create_insn(address)
idaapi.add_func(address, BADADDR)
address += 4
def run(self, arg):
idaapi.msg("[%s] Syncing with WS Server\n" % (self.wanted_name,))
self.addr = idaapi.get_screen_ea()
if self.old_addr != self.addr:
# check against idc.BADADDR and None before going
if (self.addr is not None) and (self.addr != idc.BADADDR):
# Code Address
if idaapi.isCode(idaapi.getFlags(self.addr)):
# don't set the address if it's already the qira_address
if self.addr != self.qira_address:
# debugging
if DEBUG:
idaapi.msg(
"[%s] Qira Address 0x%x \n" %
(self.wanted_name, self.addr,))
# Instruction Address
self.set_qira_address(self.addr)
self.update_address("iaddr", self.addr)
# Data Address
elif idaapi.isData(idaapi.getFlags(self.addr)):
self.update_address("daddr", self.addr)
# Tail Address
elif idaapi.isTail(idaapi.getFlags(self.addr)):
self.update_address("taddr", self.addr)
# Unknown Address
elif idaapi.isUnknown(idaapi.getFlags(self.addr)):
self.update_address("uaddr", self.addr)
# Head Address
elif idaapi.isHead(idaapi.getFlags(self.addr)):
self.update_address("haddr", self.addr)
# Flow Address
elif idaapi.isFlow(idaapi.getFlags(self.addr)):
self.update_address("faddr", self.addr)
# Var Address
elif idaapi.isVar(idaapi.getFlags(self.addr)):
self.update_address("vaddr", self.addr)
# Data Address
else:
self.update_address("daddr", self.addr)
self.old_addr = self.addr
def is_unknown(self):
"""Is the line unknown."""
return idaapi.isUnknown(self.flags)
def load_file(f, neflags, format):
print('# PS4 Kernel Loader')
ps = Binary(f)
# PS4 Processor, Compiler, Library
bitness = ps.procomp('metapc', CM_N64 | CM_M_NN | CM_CC_FASTCALL, 'gnulnx_x64')
# Segment Loading...
for segm in ps.E_SEGMENTS:
if segm.name() == 'PHDR':
kASLR = False if segm.FILE_SIZE == 0x118 else True
# Process Loadable Segments...
if segm.name() in ['CODE', 'DATA', 'SCE_RELRO']:
address = segm.MEM_ADDR
size = segm.MEM_SIZE
# Dumped Kernel Fix-ups
if segm.name() in ['DATA', 'SCE_RELRO'] and (idaapi.get_segm_by_name('CODE').start_ea != 0xFFFFFFFF82200000 or not kASLR):
offset = address - idaapi.get_segm_by_name('CODE').start_ea
dumped = segm.MEM_SIZE
else:
offset = segm.OFFSET
dumped = segm.FILE_SIZE
print('# Creating %s Segment...' % segm.name())
f.file2base(offset, address, address + dumped, FILEREG_PATCHABLE)
idaapi.add_segm(0, address, address + size, segm.name(), segm.type(), ADDSEG_NOTRUNC | ADDSEG_FILLGAP)
# Processor Specific Segment Details
idc.set_segm_addressing(address, bitness)
idc.set_segm_alignment(address, segm.alignment())
idc.set_segm_attr(address, SEGATTR_PERM, segm.flags())
# Process Dynamic Segment...
elif segm.name() == 'DYNAMIC':
code = idaapi.get_segm_by_name('CODE')
data = idaapi.get_segm_by_name('DATA')
relro = idaapi.get_segm_by_name('SCE_RELRO')
# ------------------------------------------------------------------------------------------------------------
# Dynamic Tag Entry Structure
members = [('tag', 'Tag', 0x8),
('value', 'Value', 0x8)]
struct = segm.struct('Tag', members)
# Dynamic Tag Table
stubs = {}
modules = {}
location = segm.MEM_ADDR
# Dumps are offset by a small amount
if code.start_ea != 0xFFFFFFFF82200000:
dumped = code.start_ea - 0xFFFFFFFF82200000
else:
dumped = 0
f.seek(location - code.start_ea)
for entry in xrange(segm.MEM_SIZE / 0x10):
idaapi.create_struct(location + (entry * 0x10), 0x10, struct)
idc.set_cmt(location + (entry * 0x10), Dynamic(f).process(dumped, stubs, modules), False)
# ------------------------------------------------------------------------------------------------------------
# Hash Entry Structure
members = [('bucket', 'Bucket', 0x2),
('chain', 'Chain', 0x2),
('buckets', 'Buckets', 0x2),
('chains', 'Chains', 0x2)]
struct = segm.struct('Hash', members)
# Hash Table
try:
location = Dynamic.HASHTAB
size = Dynamic.HASHTABSZ
except:
location = Dynamic.HASH
size = Dynamic.SYMTAB - location
f.seek(location - code.start_ea)
for entry in xrange(size / 0x8):
idaapi.create_struct(location + (entry * 0x8), 0x8, struct)
if kASLR:
# --------------------------------------------------------------------------------------------------------
# Relocation Entry Structure (with specific addends)
members = [('offset', 'Offset (String Index)', 0x8),
('info', 'Info (Symbol Index : Relocation Code)', 0x8),
('addend', 'AddEnd', 0x8)]
struct = segm.struct('Relocation', members)
# Relocation Table (with specific addends)
location = Dynamic.RELATAB
f.seek(location - code.start_ea)
for entry in xrange(Dynamic.RELATABSZ / 0x18):
idaapi.create_struct(location + (entry * 0x18), 0x18, struct)
idc.set_cmt(location + (entry * 0x18), Relocation(f).process(dumped, code.end_ea), False)
# Initialization Function
idc.add_entry(Dynamic.INIT, Dynamic.INIT, '.init', True)
else:
# --------------------------------------------------------------------------------------------------------
# Symbol Entry Structure
members = [('name', 'Name (String Index)', 0x4),
('info', 'Info (Binding : Type)', 0x1),
('other', 'Other', 0x1),
('shtndx', 'Section Index', 0x2),
('offset', 'Value', 0x8),
('size', 'Size', 0x8)]
struct = segm.struct('Symbol', members)
# Symbol Table
location = Dynamic.SYMTAB
f.seek(location - code.start_ea)
functions = {}
# .symtab
idc.add_entry(location, location, '.symtab', False)
for entry in xrange((Dynamic.STRTAB - location) / 0x18):
idaapi.create_struct(location + (entry * 0x18), 0x18, struct)
idc.set_cmt(location + (entry * 0x18), Symbol(f).process(functions), False)
# --------------------------------------------------------------------------------------------------------
# Dynamic String Table
location = Dynamic.STRTAB
# .strtab
idc.add_entry(location, location, '.strtab', False)
# Functions
for key in functions:
idc.create_strlit(location + key, BADADDR)
functions[key] = idc.get_strlit_contents(location + key, BADADDR)
idc.set_cmt(location + key, 'Function', False)
functions = sorted(functions.iteritems(), key = operator.itemgetter(0))
#print('Functions: %s' % functions)
# Resolve Functions
location = Dynamic.SYMTAB
f.seek(location - code.start_ea + 0x18)
for entry in xrange((Dynamic.STRTAB - location - 0x18) / 0x18):
Symbol(f).resolve(functions[entry][1])
# Fix-up
if kASLR:
address = relro.start_ea
del_items(address, DELIT_SIMPLE, relro.end_ea - address)
while address < relro.end_ea:
create_data(address, FF_QWORD, 0x8, BADNODE)
address += 0x8
address = code.start_ea
# ELF Header Structure
members = [('File format', 0x4),
('File class', 0x1),
('Data encoding', 0x1),
('File version', 0x1),
('OS/ABI', 0x1),
('ABI version', 0x1),
('Padding', 0x7),
('File type', 0x2),
('Machine', 0x2),
('File version', 0x4),
('Entry point', 0x8),
('PHT file offset', 0x8),
('SHT file offset', 0x8),
('Processor-specific flags', 0x4),
('ELF header size', 0x2),
('PHT entry size', 0x2),
('Number of entries in PHT', 0x2),
('SHT entry size', 0x2),
('Number of entries in SHT', 0x2),
('SHT entry index for string table\n', 0x2)]
for (comment, size) in members:
flags = idaapi.get_flags_by_size(size)
idc.create_data(address, flags if flags != 0 else FF_STRLIT, size, BADNODE)
idc.set_cmt(address, comment, False)
address += size
for index, entry in enumerate(ps.E_SEGMENTS):
# ELF Program Header Structure
members = [('Type: %s' % entry.name(), 0x4),
('Flags', 0x4),
('File offset', 0x8),
('Virtual address', 0x8),
('Physical address', 0x8),
('Size in file image', 0x8),
('Size in memory image', 0x8),
('Alignment\n', 0x8)]
for (comment, size) in members:
flags = idaapi.get_flags_by_size(size)
idc.create_data(address, flags if flags != 0 else FF_STRLIT, size, BADNODE)
idc.set_cmt(address, comment, False)
address += size
# Wait for the AutoAnalyzer to Complete...
print('# Waiting for the AutoAnalyzer to Complete...')
idaapi.auto_wait()
if kASLR:
# Start Function
idc.add_entry(ps.E_START_ADDR, ps.E_START_ADDR, 'start', True)
# Xfast_syscall
address = idaapi.find_binary(code.start_ea, code.end_ea, '0F 01 F8 65 48 89 24 25 A8 02 00 00 65 48 8B 24', 0x10, SEARCH_DOWN)
idaapi.do_unknown(address, 0)
idaapi.create_insn(address)
idaapi.add_func(address, BADADDR)
idaapi.set_name(address, 'Xfast_syscall', SN_NOCHECK | SN_NOWARN)
# --------------------------------------------------------------------------------------------------------
# Znullptr's syscalls
print('# Processing Znullptr\'s Syscalls...')
# Syscall Entry Structure
members = [('narg', 'Number of Arguments', 0x4),
('_pad', 'Padding', 0x4),
('function', 'Function', 0x8),
('auevent', 'Augmented Event?', 0x2),
('_pad1', 'Padding', 0x2),
('_pad2', 'Padding', 0x4),
('trace_args_func', 'Trace Arguments Function', 0x8),
('entry', 'Entry', 0x4),
('return', 'Return', 0x4),
('flags', 'Flags', 0x4),
('thrcnt', 'Thread Count?', 0x4)]
struct = segm.struct('Syscall', members)
znullptr(code.start_ea, code.end_ea, '4F 52 42 49 53 20 6B 65 72 6E 65 6C 20 53 45 4C 46', struct)
# --------------------------------------------------------------------------------------------------------
# Chendo's cdevsw con-struct-or
print('# Processing Chendo\'s cdevsw structs...')
# cdevsw Entry Structure
members = [('d_version', 'Version', 0x4),
('d_flags', 'Flags', 0x4),
('d_name', 'Name', 0x8),
('d_open', 'Open', 0x8),
('d_fdopen', 'File Descriptor Open', 0x8),
('d_close', 'Close', 0x8),
('d_read', 'Read', 0x8),
('d_write', 'Write', 0x8),
('d_ioctl', 'Input/Ouput Control', 0x8),
('d_poll', 'Poll', 0x8),
('d_mmap', 'Memory Mapping', 0x8),
('d_strategy', 'Strategy', 0x8),
('d_dump', 'Dump', 0x8),
('d_kqfilter', 'KQFilter', 0x8),
('d_purge', 'Purge', 0x8),
('d_mmap_single', 'Single Memory Mapping', 0x8),
('d_spare0', 'Spare0', 0x8),
('d_spare1', 'Spare1', 0x8),
('d_spare2', 'Spare2', 0x8),
('d_spare3', 'Spare3', 0x8),
('d_spare4', 'Spare4', 0x8),
('d_spare5', 'Spare5', 0x8),
('d_spare6', 'Spare6', 0x4),
('d_spare7', 'Spare7', 0x4)]
struct = segm.struct('cdevsw', members)
chendo(data.start_ea, data.end_ea, '09 20 12 17', struct)
# --------------------------------------------------------------------------------------------------------
# Pablo's IDC
try:
print('# Processing Pablo\'s Push IDC...')
# Script 1) Push it real good...
pablo(code.start_ea, code.end_ea, 'C5 FA 5A C0 C5 F2 5A C9 C5 EA 5A D2 C5 FB 59 C1')
pablo(code.start_ea, code.end_ea, 'C5 F9 7E C0 31 C9')
pablo(code.start_ea, code.end_ea, '48 89 E0 55 53')
pablo(code.start_ea, code.end_ea, 'B8 2D 00 00 00 C3')
pablo(code.start_ea, code.end_ea, '31 C0 C3')
pablo(code.start_ea, code.end_ea, '55 48 89')
pablo(code.start_ea, code.end_ea, '48 81 EC A0 00 00 00 C7')
pablo(code.start_ea, code.end_ea, '48 81 EC A8 00 00 00')
# Script 2) Fix-up Dumped Data Pointers...
if dumped or not kASLR:
print('# Processing Pablo\'s Dumped Data Pointers IDC...')
pablo(data.start_ea, data.end_ea, '?? FF FF FF FF')
except:
pass
# --------------------------------------------------------------------------------------------------------
# Kiwidog's __stack_chk_fail
if kASLR:
print('# Processing Kiwidog\'s Stack Functions...')
kiwidog(code.start_ea, code.end_ea, '73 74 61 63 6B 20 6F 76 65 72 66 6C 6F 77 20 64 65 74 65 63 74 65 64 3B')
# --------------------------------------------------------------------------------------------------------
# Final Pass
print('# Performing Final Pass...')
address = code.start_ea
while address < code.end_ea:
address = idaapi.find_not_func(address, SEARCH_DOWN)
if idaapi.isUnknown(idaapi.getFlags(address)):
idaapi.create_insn(address)
else:
idc.add_func(address)
address += 4
print('# Done!')
return 1
def is_unknown(self):
"""Is the location unknown."""
return idaapi.isUnknown(self.flags)
def is_unknown(self):
"""Is the line unknown."""
return idaapi.isUnknown(self.flags)