def init(self):
self.raw = self.data
self.binary = self.raw.read(0, len(self.raw))
macho_list = self.get_macho_names(self.data, len(self.raw))
print(f"Found {len(macho_list)} apps")
[print(f" - {macho}") for macho in macho_list]
offset = self.get_header_offset()
sep_fw_header = self.get_fw_header(offset)
offset += 0xC8
choice = interaction.get_choice_input("sep-firmware modules",
"choices", macho_list)
if choice is not None:
print(f"extracting {macho_list[choice]}")
if choice == 0:
app = self.extract_sepos_kernel(sep_fw_header)
elif choice == 1:
app = self.extract_sepos_root(sep_fw_header)
else:
name = macho_list[choice]
app = self.process_apps(sep_fw_header, offset, name, choice)
mainthread.execute_on_main_thread_and_wait(
lambda: UIContext.allContexts()[0].openFilename(app))
else:
return False
return True
def get_workspace():
choice = get_choice_input("Select Trace Type", "Input",
["Trace File", "Manticore Workspace"])
if choice == 0:
workspace = get_open_filename_input("Trace File")
else:
workspace = get_directory_name_input("Workspace Directory")
return workspace
def init(self):
user_choice = get_choice_input("Select MCU family", "MCU selection",
self.MCUS)
if user_choice is not None:
chosen_mcu = self.MCUS[user_choice]
mcu_lib = importlib.import_module("binaryninja_cortex.platforms." +
chosen_mcu)
mcu = mcu_lib.Chip
else:
mcu_lib = importlib.import_module("binaryninja_cortex.platforms")
mcu = mcu_lib.MCU
#Add RAM segment
self.add_auto_segment(
mcu.RAM_OFF, 0xffff, 0, 0, SegmentFlag.SegmentReadable
| SegmentFlag.SegmentWritable | SegmentFlag.SegmentExecutable)
# Add peripherals segment
self.add_auto_segment(
mcu.PERIPH_OFF, 0x10000000, 0, 0,
SegmentFlag.SegmentReadable | SegmentFlag.SegmentWritable)
#Add flash segment, assume flash < 2MB
self.add_auto_segment(
mcu.ROM_OFF, 0x200000, 0, 0x200000,
SegmentFlag.SegmentReadable | SegmentFlag.SegmentExecutable)
#Add IVT symbols
#SP_VALUE is a data pointer
self.define_auto_symbol_and_var_or_function(
Symbol(SymbolType.DataSymbol, mcu.ROM_OFF, mcu.IRQ[0]),
Type.pointer(self.arch, Type.void(), const=True), self.platform)
addr = struct.unpack("<I", self.parent_view.read(0, 4))[0]
self.define_auto_symbol(
Symbol(SymbolType.DataSymbol, addr, "p_{}".format(mcu.IRQ[0])))
#All other vectory are function pointers
for i in range(1, len(mcu.IRQ)):
self.define_auto_symbol_and_var_or_function(
Symbol(SymbolType.DataSymbol, mcu.ROM_OFF + (4 * i),
mcu.IRQ[i]),
Type.pointer(self.arch, Type.void(), const=True),
self.platform)
addr = struct.unpack("<I", self.parent_view.read(4 * i, 4))[0] & ~1
self.define_auto_symbol(
Symbol(SymbolType.FunctionSymbol, addr,
"f_{}".format(mcu.IRQ[i])))
self.add_function(addr, self.platform)
#Add entry point to RESET_IRQ
self.add_entry_point(self.symbols['f_RESET_IRQ'].address,
self.platform)
return True
def is_valid_for_data(self, data):
hdr = data.read(0, 16)
if len(hdr) < 16:
return False
if hdr[0:4] != b"\x7fELF":
return False
choice: int = get_choice_input(
"Do you want to load the binary with LIEF?", "choices",
["Yes", "No"])
return choice == 0
def function_source_code_start(view):
filename_asm_json = get_open_filename_input('Asm-json file', "*.asm.json")
workspace = os.path.dirname(filename_asm_json)
solidity_ln = SolidityLineNumber(filename_asm_json, workspace=workspace)
contracts = solidity_ln.contracts.keys()
contract_index = get_choice_input('Name of the contract',
'Name of the contract', contracts)
contract_name = contracts[contract_index]
PrintSourceCode(solidity_ln, contract_name, view)
def _concretize(self, address, expr):
new_expr = self.current_state.solver.evaluate(expr)
res = get_choice_input(
"Concretize *%s to %s?" % (hex(address), hex(new_expr.value)),
"Concretize", ["Yes", "No"])
if res == 0:
self.current_state.mem.store(address, new_expr)
self.current_state.solver.add_constraints(expr == new_expr)
self.changes.add(
(address - self.address_start,
address - self.address_start + new_expr.size // 8))
self.update_mem_delta(self.current_state)
def analyze_delphi_vmts(bv: BinaryView):
type_name = 'Delphi VMTs'
tt = bv.tag_types[
type_name] if type_name in bv.tag_types else bv.create_tag_type(
type_name, '🔍')
choices = [
'Delphi 2', 'Delphi 3', 'Delphi 4', 'Delphi 5', 'Delphi 6', 'Delphi 7',
'Delphi 2005', 'Delphi 2006', 'Delphi 2007', 'Delphi 2009',
'Delphi 2010', 'Delphi 2011', 'Delphi 2012', 'Delphi 2013',
'Delphi 2014'
]
index = interaction.get_choice_input('Please, select the Delphi version',
'Delphi version', choices)
clear_tags(bv, type_name)
t = AnalyzeDelphiVmtsTask(bv, tt, int(choices[index][7:]))
t.start()
def _async_change_current_state(bv, address):
if not __check_executor():
return
states = globs.executor.fringe.get_list_deferred_by_address(address)
if len(states) == 0:
log_alert("no such deferred state")
return
if len(states) == 1:
state = globs.executor.fringe.get_deferred_by_address(address)
else:
state_idx = get_choice_input("Select state", "states",
list(map(str, states)))
state = globs.executor.fringe.get_deferred_by_address(
address, state_idx)
disable_widgets()
globs.executor.delete_comment_for_address(address)
globs.executor.set_current_state(state)
sync_ui(bv, delta=False)
enable_widgets()
def _menuAction_add_constraint(self, buffer_id):
buff = self.current_state.symbolic_buffers[buffer_id][0]
constraints = self.current_state.symbolic_buffers[buffer_id][2]
if constraints != "":
show_message_box("Error", "The buffer already has a constraint.")
return
choices = [CreateBufferDialog.constraint_list[i]
for i in CreateBufferDialog.constraint_list.keys() if i != NO_CONSTRAINTS]
res = get_choice_input(
"Constraint buffer", "choices:", choices
)
if choices[res] == "Alphanumeric string":
constraint_alphanumeric_string(buff, self.current_state)
elif choices[res] == "ASCII string":
constraint_ascii_string(buff, self.current_state)
else:
return
t = self.current_state.symbolic_buffers[buffer_id]
t = t[0], t[1], choices[res]
self.current_state.symbolic_buffers[buffer_id] = t
self.update_state(self.current_state)
def on_customContextMenuRequested(self, pos):
item = self._table.itemAt(pos)
if item is None:
return
row_idx = item.row()
if self.index_to_reg[row_idx] == self.arch.getip_reg():
return
expr = getattr(self.current_state.regs, self.index_to_reg[row_idx])
menu = QMenu()
show_reg_expr = menu.addAction(
"Show reg expression") if not isinstance(expr, BVV) else None
make_reg_symb = menu.addAction("Make reg symbolic") if isinstance(
expr, BVV) else None
set_reg_value = menu.addAction("Set reg value")
eval_with_sol = menu.addAction(
"Evaluate with solver") if not isinstance(expr, BVV) else None
eval_upto_with_sol = menu.addAction(
"Evaluate upto with solver") if not isinstance(expr, BVV) else None
concretize = menu.addAction("Concretize") if not isinstance(
expr, BVV) else None
copy = menu.addAction("Copy to clipboard") if not isinstance(
expr, BVS) else None
bind_to_buffer = menu.addAction("Bind to symbolic buffer")
action = menu.exec_(self._table.viewport().mapToGlobal(pos))
if action is None:
return
if action == bind_to_buffer:
buffer_names = [
b[0].name for b in self.current_state.symbolic_buffers
]
if len(buffer_names) == 0:
return
buff_id = get_choice_input("Select a buffer", "choices",
buffer_names)
address = self.current_state.symbolic_buffers[buff_id][1]
buff_p = BVV(address, self.current_state.arch.bits())
setattr(self.current_state.regs, self.index_to_reg[row_idx],
buff_p)
self.set_reg_value(self.index_to_reg[row_idx], buff_p,
RegisterView.dirty_color)
if action == show_reg_expr:
show_message_box("Reg Expression", str(expr.z3obj.sexpr()))
if action == make_reg_symb:
new_expr = BVS('symb_injected_through_ui_%d' % self.symb_idx,
expr.size)
setattr(self.current_state.regs, self.index_to_reg[row_idx],
new_expr)
self.set_reg_value(self.index_to_reg[row_idx], new_expr,
RegisterView.dirty_color)
self.symb_idx += 1
if action == set_reg_value:
self.on_doubleClick(item)
if action == eval_with_sol:
expr = getattr(self.current_state.regs, self.index_to_reg[row_idx])
if not self.current_state.solver.symbolic(expr):
new_expr = self.current_state.solver.evaluate(expr)
setattr(self.current_state.regs, self.index_to_reg[row_idx],
new_expr)
self.set_reg_value(self.index_to_reg[row_idx], new_expr,
RegisterView.dirty_color)
show_message_box(
"Reg Value (with solver)",
"The value was indeed concrete! State modified")
else:
show_message_box(
"Reg Value (with solver)",
hex(self.current_state.solver.evaluate(expr).value))
if action == eval_upto_with_sol:
expr = getattr(self.current_state.regs, self.index_to_reg[row_idx])
if not self.current_state.solver.symbolic(expr):
new_expr = self.current_state.solver.evaluate(expr)
setattr(self.current_state.regs, self.index_to_reg[row_idx],
new_expr)
self.set_reg_value(self.index_to_reg[row_idx], new_expr,
RegisterView.dirty_color)
show_message_box(
"Reg Value (with solver)",
"The value was indeed concrete! State modified")
else:
n_eval = get_int_input("How many values (upto) ?",
"Number of distinct values")
r = ""
for i, v in enumerate(
self.current_state.solver.evaluate_upto(expr, n_eval)):
r += "solution %d: %s\n" % (i, hex(v.value))
show_message_box("Reg Value (with solver)", r)
if action == concretize:
expr = getattr(self.current_state.regs, self.index_to_reg[row_idx])
new_expr = self.current_state.solver.evaluate(expr)
res = get_choice_input(
"Concretize %s to %s?" %
(self.index_to_reg[row_idx], hex(new_expr.value)),
"Concretize", ["Yes", "No"])
if res == 0:
setattr(self.current_state.regs, self.index_to_reg[row_idx],
new_expr)
self.current_state.solver.add_constraints(expr == new_expr)
self.set_reg_value(self.index_to_reg[row_idx], new_expr,
RegisterView.dirty_color)
if action == copy:
mime = QMimeData()
if isinstance(expr, BVV):
mime.setText(hex(expr.value))
else:
mime.setText(str(expr.z3obj.sexpr()))
QApplication.clipboard().setMimeData(mime)
def select_typelib(bv):
libs = bv.platform.type_libraries
choice = get_choice_input("Select Type Library", "Platform Libraries",
[i.name for i in libs])
bv.add_type_library(libs[choice])
def on_customContextMenuRequested(self, pos):
item = self._table.itemAt(pos)
if item is None: return
row_idx = item.row()
if self.index_to_reg[row_idx] == self.arch.getip_reg():
return
expr = getattr(self.current_state.regs, self.index_to_reg[row_idx])
menu = QMenu()
show_reg_expr = menu.addAction("Show reg expression") if not isinstance(expr, BVV) else None
make_reg_symb = menu.addAction("Make reg symbolic") if not isinstance(expr, BVS) else None
set_reg_value = menu.addAction("Set reg value")
eval_with_sol = menu.addAction("Evaluate with solver") if not isinstance(expr, BVV) else None
concretize = menu.addAction("Concretize") if not isinstance(expr, BVV) else None
copy = menu.addAction("Copy to clipboard") if not isinstance(expr, BVS) else None
action = menu.exec_(self._table.viewport().mapToGlobal(pos))
if action is None: return
if action == show_reg_expr:
show_message_box("Reg Expression", str(expr.z3obj))
if action == make_reg_symb:
new_expr = BVS('symb_injected_through_ui_%d' % self.symb_idx, expr.size)
setattr(self.current_state.regs, self.index_to_reg[row_idx], new_expr)
self.set_reg_value(self.index_to_reg[row_idx], new_expr, RegisterView.dirty_color)
self.symb_idx += 1
if action == set_reg_value:
self.on_doubleClick(item)
if action == eval_with_sol:
expr = getattr(self.current_state.regs, self.index_to_reg[row_idx])
if not self.current_state.solver.symbolic(expr):
new_expr = self.current_state.solver.evaluate(expr)
setattr(self.current_state.regs, self.index_to_reg[row_idx], new_expr)
self.set_reg_value(self.index_to_reg[row_idx], new_expr, RegisterView.dirty_color)
show_message_box(
"Reg Value (with solver)",
"The value was indeed concrete! State modified"
)
else:
show_message_box(
"Reg Value (with solver)",
hex(self.current_state.solver.evaluate(expr).value)
)
if action == concretize:
expr = getattr(self.current_state.regs, self.index_to_reg[row_idx])
new_expr = self.current_state.solver.evaluate(expr)
res = get_choice_input(
"Concretize %s to %s?" % (self.index_to_reg[row_idx], hex(new_expr.value)),
"Concretize",
["Yes", "No"]
)
if res == 0:
setattr(self.current_state.regs, self.index_to_reg[row_idx], new_expr)
self.current_state.solver.add_constraints(
expr == new_expr
)
self.set_reg_value(self.index_to_reg[row_idx], new_expr, RegisterView.dirty_color)
if action == copy:
mime = QMimeData()
mime.setText(hex(expr.value))
QApplication.clipboard().setMimeData(mime)
