Trying to find global pointers by hand in MIPS code
# Script for IDA
# Find the MIPS global pointer setup (lui $gp / addiu $gp) and try to create a function there
#
# hex to opcode conversion at https://www.eg.bucknell.edu/~csci320/mips_web/
# 0x3c1c8064
# LUI $gp 0x8064
#
# 0x279c1c70
# ADDIU $gp $gp 0x1C70
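def extract_lui_gp(curr_addr, end_addr):
    """Scan [curr_addr, end_addr] for ``lui $gp`` and define functions at each hit.

    Every ``lui $gp, hi`` occurrence is treated as a candidate function
    prologue: the candidate global pointer is printed (decoded by hand and
    as reported by IDA), and if IDA has no function at that address yet,
    ``MakeFunction`` is attempted.

    Args:
        curr_addr: address to start searching from.
        end_addr: last address of the CODE segment to consider.

    Returns:
        Number of functions newly created; 0 (after a message) when
        ``curr_addr > end_addr``.
    """
    # 3C 1C XX XX  ->  lui $gp, 0xXXXX   (byte pattern as seen in a big-endian DB)
    lui_gp = "3C 1C"
    # 27 9C XX XX  ->  addiu $gp, $gp, 0xXXXX
    addiu_gp_opcode = 0x279C

    def _defined_function_at(addr):
        # True when IDA already has a function covering `addr`
        # (the original consulted curr_addr here instead of its argument).
        return GetFunctionAttr(addr, FUNCATTR_START) != BADADDR

    def _is_addiu_gp_at(addr):
        # Compare the opcode halfword numerically rather than via hex() strings.
        return Word(addr) == addiu_gp_opcode

    def _extract_global_pointer_method_1(addr):
        # Decode lui/addiu by hand. The lui immediate fills the upper half;
        # addiu's 16-bit immediate is sign-extended by the CPU, so mirror that
        # and keep the result within 32 bits.
        gp = Word(addr + 2) << 16
        if _is_addiu_gp_at(addr + 4):
            lower = Word(addr + 6)
            if lower & 0x8000:
                lower -= 0x10000
            gp = (gp + lower) & 0xFFFFFFFF
        return gp

    def _extract_global_pointer_method_2(addr):
        # Let IDA's disassembler report the lui immediate operand.
        return GetOperandValue(addr, 1)

    if curr_addr > end_addr:
        print("Invalid end address of CODE segment!")
        return 0  # the original returned `n` before it was assigned

    n = 0
    curr_addr = FindBinary(curr_addr, SEARCH_DOWN, lui_gp)
    # Also stop at end_addr: the original loop never honoured the bound it validated.
    while curr_addr != BADADDR and curr_addr <= end_addr:
        gp = _extract_global_pointer_method_1(curr_addr)
        print("possible global pointer method 1 %s" % hex(gp))
        gp = _extract_global_pointer_method_2(curr_addr)
        print("possible global pointer method 2 %s" % hex(gp))
        if not _defined_function_at(curr_addr):
            if MakeFunction(curr_addr):
                print("Created function at %s" % hex(curr_addr))
                n += 1
            else:
                print('MakeFunction(0x%x) failed - running 2nd time maybe fixes this' % curr_addr)
        # Advance one byte so FindBinary does not return the same hit again.
        curr_addr += 1
        curr_addr = FindBinary(curr_addr, SEARCH_DOWN, lui_gp)
    print("Created %d new functions\n" % n)
    return n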
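# Alternative start: the cursor position, forced to 4-byte alignment.
# curr_addr = ScreenEA() & 0xFFFFFFFC
curr_addr = 0x0000000
end_addr = AskAddr(0, "Enter end address of CODE segment.")
# NOTE(review): assumes AskAddr yields BADADDR or None when the dialog is
# cancelled — confirm against the IDA version in use. Without this guard a
# cancelled dialog would scan the whole database.
if end_addr is None or end_addr == BADADDR:
    print("No end address given - nothing to do.")
else:
    print("mipsb searching global points between: 0x%X and 0x%x" % (curr_addr, end_addr))
    extract_lui_gp(curr_addr, end_addr)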