Coder Social home page Coder Social logo

hi about ida-pro-sigmaker HOT 2 CLOSED

JoeElMasry0213 avatar JoeElMasry0213 commented on May 23, 2024
hi

from ida-pro-sigmaker.

Comments (2)

A200K avatar A200K commented on May 23, 2024

Hey there,
I played around a bit with some ARMv7 binary and it seems that indeed operands are not converted into wildcards, if that's what you mean (take a look at this example):

The signatures work just fine, but will probably be broken on the next compile of the binary.

To be honest though, I don't have much experience with ARM, I can't seem to understand what part of the bytecode is the actual operand (here: __snprintf_chk):
.text:0023B130 8F 78 FA EB BL __snprintf_chk ; Branch with Link

_snprintf_chk is located at:
.plt:000D9374 ; int __fastcall _snprintf_chk(_DWORD, _DWORD, _DWORD)

8F 78 FA EB is the bytecode.
What part of 8F 78 FA EB is pointing to D9374? It does not seem to be a relative offset based on the virtual adresses either.

The IDA Plugin API basically says at that point that the operand offset is unknown (both offb and offo are 0):

It manages to extract "D9374" as the operand value though. The API does not provide any further info about this, so based on this, I have no way of elegantly wildcarding operands for ARM code (yet).

I noticed though that BL instructions always look like XX XX XX EB. The previous 3 bytes might be some sort of index for some variable table, or some offset? Operand offset 0 actually makes sense then, but the ida documentation says otherwise. Either way, I could try to implement a workaround for this. I would have to find the operand length though in some way.

I'll take a deeper look at how ARM bytecode actually works. I would have preferred it if the IDA plugin api actually provided more info on this (e.g. operand length) but I'll see what I can do. Thanks for letting me know :)

from ida-pro-sigmaker.

A200K avatar A200K commented on May 23, 2024

According to https://iitd-plos.github.io/col718/ref/arm-instructionset.pdf, ARM instructions should usually have 4 bytes, correct?
Based on that assumption, I added some sort of support for that, wildcarding a limited number of operand types:

I can imagine some signatures becoming unusably long (as well as taking a long time to generate in that case), could you try my current version to see if this matches your expectations?

from ida-pro-sigmaker.

Related Issues (7)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.