IDAPython - ARM 32bit Add Xref
When analyzing ARM 32-bit binaries, you occasionally come across strings that have no cross-references.
In that case, this script finds where the string is used and adds the cross-reference.
```python
from idaapi import *
from idc import *
from idautils import *
from struct import *

# ARM xref adder
p32 = lambda x : pack("<I", x)
u32 = lambda x : unpack("<I", x)[0]
#make_str = lambda x : [hex(x >> (8 * i) & 0xff) for i in range(4)]

text_start = 0xF928
text_end = 0xb18d4

# set find str offset
find_str_offset = p32(0x00B284C)

def make_str(val):
    # Format a 32-bit value as little-endian hex bytes for find_binary,
    # e.g. "4C 28 02 E3" (zero-padded, independent of int/long repr)
    return " ".join("%02x" % ((val >> (8 * i)) & 0xff) for i in range(4))

print "[*] Start !!\n\n\n"

for reg in range(0, 12):
    print "[!] R%d" % (reg)
    # Destination registers R0-R10; the last iteration checks LR (R14) instead of R11
    if reg == 11:
        reg_ = 0xE
    else:
        reg_ = reg

    # MOVW Rd, #low16 -> bytes: imm12[7:0], (Rd << 4) | imm12[11:8], imm4, 0xE3
    find_str = find_str_offset[0] + chr((reg_ << 4) + (ord(find_str_offset[1]) & 0xF)) + chr(ord(find_str_offset[1]) >> 4) + "\xE3"
    find_str = make_str(u32(find_str))

    start_addr = text_start
    while start_addr <= text_end:
        addr = find_binary(start_addr, SEARCH_DOWN|SEARCH_CASE, find_str, 16)
        if addr != BADADDR:
            # MOVT Rd, #high16 -> bytes: imm12[7:0], (Rd << 4) | imm12[11:8], 0x40 | imm4, 0xE3
            hi = u32(find_str_offset) >> 16
            reg__str = "%02x %02x %02x E3" % (hi & 0xff, (reg_ << 4) | ((hi >> 8) & 0xf), 0x40 | (hi >> 12))
            addr_ = find_binary(addr, SEARCH_DOWN, reg__str, 16)
            # Accept only when the matching MOVT follows within 50 bytes of the MOVW
            if addr_ != BADADDR and (addr_ - addr) <= 50:
                print " -> FOUND : 0x%x" % (addr)
                To = u32(find_str_offset)
                From = addr
                AddCodeXref(From, To, XREF_USER)
            start_addr = addr + 4
        else:
            print " -> NOT FOUND !!!"
            break
```
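The script above relies on the ARM (A32) `MOVW`/`MOVT` encoding, where a 32-bit address is loaded as two 16-bit halves. The following added example is not part of the original post: it is plain Python 3 that runs outside IDA, decodes the instruction words instead of matching byte patterns, and finds `MOVW`/`MOVT` pairs that build a given address for any register. The function names and the `SAMPLE` bytes are constructed for illustration; the base address and target are the values used in the script.

```python
import struct

def encode_mov16(rd, imm16, top=False):
    """A32 encoding of MOVW (top=False) or MOVT (top=True), condition AL."""
    word = 0xE3400000 if top else 0xE3000000
    word |= ((imm16 >> 12) << 16) | (rd << 12) | (imm16 & 0xFFF)
    return struct.pack("<I", word)

def decode_mov16(word):
    """Return (is_movt, rd, imm16) for a MOVW/MOVT word, else None."""
    if (word >> 28) == 0xF or (word & 0x0FB00000) != 0x03000000:
        return None
    imm16 = ((word >> 4) & 0xF000) | (word & 0xFFF)
    return bool(word & 0x00400000), (word >> 12) & 0xF, imm16

def find_address_loads(code, base, target, window=48):
    """Return (movw_addr, movt_addr, rd) for each pair that builds `target`."""
    lo, hi = target & 0xFFFF, target >> 16
    n = len(code) // 4
    words = struct.unpack("<%dI" % n, code[:n * 4])
    hits = []
    for i, w in enumerate(words):
        d = decode_mov16(w)
        if d is None or d[0] or d[2] != lo:
            continue                      # not a MOVW of the low half
        rd = d[1]
        for j in range(i + 1, min(n, i + 1 + window // 4)):
            e = decode_mov16(words[j])
            if e and e[1] == rd:
                # The next MOVW/MOVT writing rd decides: it must be the high half
                if e[0] and e[2] == hi:
                    hits.append((base + 4 * i, base + 4 * j, rd))
                break
    return hits

# Constructed sample code, not taken from any real binary
NOP = struct.pack("<I", 0xE1A00000)        # mov r0, r0
SAMPLE = b"".join([
    NOP,
    encode_mov16(3, 0x284C), NOP, encode_mov16(3, 0x000B, top=True),  # r3 = 0xB284C
    encode_mov16(1, 0x284C), encode_mov16(1, 0x000C, top=True),       # r1 = 0xC284C
    encode_mov16(0, 0x284C), encode_mov16(0, 0x1234),                 # r0 overwritten
    encode_mov16(0, 0x000B, top=True),
])

if __name__ == "__main__":
    for movw, movt, rd in find_address_loads(SAMPLE, 0xF928, 0x000B284C):
        print("MOVW @ 0x%X, MOVT @ 0x%X, R%d" % (movw, movt, rd))
```

Decoding the words rather than searching for byte strings avoids false matches where the register or the high half differs, and it ignores a pair whose low half was overwritten before the `MOVT`.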