def parse_impexp(self, top, end, cls, callback):
arr = []
cur = top
while cur < end:
impexp_foffset = self.phdr_modinfo.p_offset + cur
impexp_addr = idaapi.get_fileregion_ea(impexp_foffset)
self.fin.seek(impexp_foffset)
impexp = cls(self.fin.read(cls.SIZE))
if impexp.library_name_ptr:
library_name_foffset = self.phdr_modinfo.p_offset + impexp.library_name_ptr - self.phdr_modinfo.p_vaddr
self.fin.seek(library_name_foffset)
# create a library name string
idc.MakeStr(idaapi.get_fileregion_ea(library_name_foffset), idc.BADADDR)
data = self.fin.read(256)
impexp.library_name = c_str(data)
# apply struct
apply_struct(impexp_addr, cls._find_or_create_struct())
#idc.MakeComm(impexp_addr, "{}".format(impexp.library_name))
arr.append(impexp)
cur += impexp.size
for impexp in arr:
for x in xrange(impexp.num_syms_funcs):
self.fin.seek(self.phdr_modinfo.p_offset + impexp.nid_table - self.phdr_modinfo.p_vaddr + x * 4)
nid = u32(self.fin.read(4))
self.fin.seek(self.phdr_modinfo.p_offset + impexp.entry_table - self.phdr_modinfo.p_vaddr + x * 4)
func = u32(self.fin.read(4))
callback(impexp, func, nid)
def goto_file_ofs():
fofs = 0
txt = clip_text()
if txt.isdigit():
try:
fofs = int(txt, 10)
except:
pass
elif txt.isalnum():
try:
fofs = int(txt, 16)
except:
pass
fofs = ida_kernwin.ask_addr(fofs, "Enter the file offset to jump to")
if fofs is None:
return 0
ea = idaapi.get_fileregion_ea(fofs)
if ea != idc.BADADDR:
plg_print("File offset = 0x%X -> EA = 0x%X" % (fofs, ea))
idc.jumpto(ea)
return 1
else:
plg_print("Invalid file offset 0x%X" % fofs)
return 0
def find_kernel_base():
"""Find the kernel base."""
base = idaapi.get_fileregion_ea(0)
if base != 0xffffffffffffffff:
return base
seg = [seg for seg in map(idaapi.get_segm_by_name, ['__TEXT.HEADER', '__TEXT:HEADER']) if seg]
if not seg:
raise RuntimeError("unable to find kernel base")
return seg[0].start_ea
def strings(self):
# Before returning strings, fixup the offsets to be virtual addresses.
if self._strings is None:
self._strings = []
for offset, identifier, data in self._match.strings:
if self._offset is not None:
offset += self._offset
if self._file_offset:
offset = idaapi.get_fileregion_ea(offset)
self._strings.append((idc.get_item_head(offset), identifier, data))
return self._strings
def jump_addr(self, row, column):
addr = int(self.tableWidget.item(row, 0).text(), 16) # RAW
RVA = 0
for i in range(len(self.Seg)-1):
if self.Seg[i][0] < addr < self.Seg[i+1][0]:
## https://reverseengineering.stackexchange.com/questions/2835/how-to-extract-the-input-file-offset-of-a-byte-in-idapython
RVA = idaapi.get_fileregion_ea(addr)
break
jumpto(RVA)
def _yara_callback(data):
"""
Description:
Generic yara callback.
Input:
As defined by YARA. See YARA's documentation for more info.
Output:
A list of tuples: (offset, identifier)
"""
if not data['matches']:
return False
for datum in data['strings']:
_YARA_MATCHES.append((idc.ItemHead(idaapi.get_fileregion_ea(datum[0])), datum[1]))
return yara.CALLBACK_CONTINUE
def Search(self):
result = []
if self.CheckButton.isChecked():
rule = yara.compile(source=self.rule)
else:
rulepath = open(self.path.text(), "r")
rule = yara.compile(source=rulepath.read())
rulepath.close()
matches = rule.match(data=self.data)
for match in matches:
for i in match.strings:
result.append([hex(i[0]).replace("L",""), match.rule, i[1], i[2]])
self.tableWidget.setRowCount(len(result))
for idx, i in enumerate(result):
self.tableWidget.setItem(idx, 0, QTableWidgetItem(hex(int(i[0], 16)).replace("L","")))
self.tableWidget.setItem(idx, 1, QTableWidgetItem(i[1]))
self.tableWidget.setItem(idx, 2, QTableWidgetItem(i[2]))
text_endea = idaapi.get_segm_by_name(".text").endEA
size = idaapi.get_fileregion_ea(int(i[0], 16))
if size < text_endea:
a = []
info = idaapi.get_inf_structure()
if info.is_64bit():
md = Cs(CS_ARCH_X86, CS_MODE_64)
elif info.is_32bit():
md = Cs(CS_ARCH_X86, CS_MODE_32)
for i in md.disasm(i[3], 0x1000):
a.append(i.mnemonic + " " + i.op_str)
self.tableWidget.setItem(idx, 3, QTableWidgetItem(' || '.join(a)))
else:
self.tableWidget.setItem(idx, 3, QTableWidgetItem(i[3]))
self.layout.addWidget(self.tableWidget)
def _yara_callback(data):
'''
Description:
Generic yara callback.
Input:
As defined by YARA. See YARA's documentation for more info.
Output:
A list of tuples: (offset, identifier) where offsets are always item heads
'''
if not data['matches']:
return False
for datum in data['strings']:
if FROM_FILE:
_YARA_MATCHES.append(
(idc.ItemHead(idaapi.get_fileregion_ea(datum[0])), datum[1]))
else:
_YARA_MATCHES.append(
(idc.ItemHead(datum[0] + SECTION_START), datum[1]))
return yara.CALLBACK_CONTINUE
def find_kernel_base():
"""Find the kernel base."""
return idaapi.get_fileregion_ea(0)
def go(self):
print "0) Building cache..."
self.load_nids()
# Vita is ARM
idaapi.set_processor_type("arm", idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)
# Set compiler info
cinfo = idaapi.compiler_info_t()
cinfo.id = idaapi.COMP_GNU
cinfo.cm = idaapi.CM_CC_CDECL | idaapi.CM_N32_F48
cinfo.size_s = 2
cinfo.size_i = cinfo.size_b = cinfo.size_e = cinfo.size_l = cinfo.defalign = 4
cinfo.size_ll = cinfo.size_ldbl = 8
idaapi.set_compiler(cinfo, 0)
# Import types
self.import_types()
self.load_proto()
print "1) Loading ELF segments"
self.fin.seek(0)
header = Ehdr(self.fin.read(Ehdr.SIZE))
self.fin.seek(header.e_phoff)
phdrs = [Phdr(self.fin.read(header.e_phentsize)) for _ in xrange(header.e_phnum)]
phdr_text = phdrs[0]
for phdr in phdrs:
if phdr.p_type == Phdr.PT_LOAD:
idaapi.add_segm(0, phdr.p_vaddr, phdr.p_vaddr + phdr.p_memsz,
".text" if phdr.x else ".data",
"CODE" if phdr.x else "DATA")
seg = idaapi.getseg(phdr.p_vaddr)
if phdr.x:
seg.perm = idaapi.SEGPERM_EXEC | idaapi.SEGPERM_READ
phdr_text = phdr
else:
seg.perm = idaapi.SEGPERM_READ | idaapi.SEGPERM_WRITE
self.fin.file2base(phdr.p_offset, phdr.p_vaddr, phdr.p_vaddr + phdr.p_filesz, 1)
if header.e_type == Ehdr.ET_SCE_EXEC:
self.phdr_modinfo = phdr_text
modinfo_off = phdr_text.p_offset + header.e_entry
else:
self.phdr_modinfo = phdrs[(header.e_entry & (0b11 << 30)) >> 30]
modinfo_off = self.phdr_modinfo.p_offset + (header.e_entry & 0x3FFFFFFF)
self.fin.seek(modinfo_off)
modinfo = SceModuleInfo(self.fin.read(SceModuleInfo.SIZE))
modinfo_ea = idaapi.get_fileregion_ea(modinfo_off)
apply_struct(modinfo_ea, SceModuleInfo._find_or_create_struct())
print ""
print " Module: " + str(modinfo.name)
print " NID: 0x{:08X}".format(modinfo.nid)
print ""
print "2) Parsing export tables"
self.parse_impexp(modinfo.export_top, modinfo.export_end, SceModuleExports, self.cb_exp)
print "3) Parsing import tables"
self.parse_impexp(modinfo.import_top, modinfo.import_end, SceModuleImports, self.cb_imp)
print "4) Waiting for IDA to analyze the program"
idc.Wait()
print "5) Analyzing system instructions"
from highlight_arm_system_insn import run_script
run_script()
print "6) Adding MOVT/MOVW pair xrefs"
add_xrefs()
