Comments (2)
Hey there,
I played around a bit with some ARMv7 binary and it seems that indeed operands are not converted into wildcards, if that's what you mean (take a look at this example):
The signatures work just fine, but will probably be broken on the next compile of the binary.
To be honest though, I don't have much experience with ARM, I can't seem to understand what part of the bytecode is the actual operand (here: __snprintf_chk):
.text:0023B130 8F 78 FA EB BL __snprintf_chk ; Branch with Link
_snprintf_chk is located at:
.plt:000D9374 ; int __fastcall _snprintf_chk(_DWORD, _DWORD, _DWORD)
8F 78 FA EB
is the bytecode.
What part of 8F 78 FA EB
is pointing to D9374
? It does not seem to be a relative offset based on the virtual adresses either.
The IDA Plugin API basically says at that point that the operand offset is unknown (both offb and offo are 0):
It manages to extract "D9374" as the operand value though. The API does not provide any further info about this, so based on this, I have no way of elegantly wildcarding operands for ARM code (yet).
I noticed though that BL
instructions always look like XX XX XX EB
. The previous 3 bytes might be some sort of index for some variable table, or some offset? Operand offset 0 actually makes sense then, but the ida documentation says otherwise. Either way, I could try to implement a workaround for this. I would have to find the operand length though in some way.
I'll take a deeper look at how ARM bytecode actually works. I would have preferred it if the IDA plugin api actually provided more info on this (e.g. operand length) but I'll see what I can do. Thanks for letting me know :)
from ida-pro-sigmaker.
According to https://iitd-plos.github.io/col718/ref/arm-instructionset.pdf, ARM instructions should usually have 4 bytes, correct?
Based on that assumption, I added some sort of support for that, wildcarding a limited number of operand types:
I can imagine some signatures becoming unusably long (as well as taking a long time to generate in that case), could you try my current version to see if this matches your expectations?
from ida-pro-sigmaker.
Related Issues (7)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ida-pro-sigmaker.