aarch64-sysreg-ida

Overview

When reversing operating systems on ARM, it is quite common to see system registers being accessed via MSR/MRS instructions. However, IDA doesn't have a built-in database of their names and instead displays the raw encoding fields (op1, CRn, CRm, op2) as cryptic sequences.

For example:

__TEXT_EXEC:__text:FFFFFFF00812420C _start_first_cpu                        ; CODE XREF: __start↑j
__TEXT_EXEC:__text:FFFFFFF00812420C                 MSR             #0, c1, c0, #4
__TEXT_EXEC:__text:FFFFFFF008124210                 MSR             #6, #0xF
__TEXT_EXEC:__text:FFFFFFF008124214                 MOV             X20, X0
__TEXT_EXEC:__text:FFFFFFF008124218                 MOV             X21, #0
__TEXT_EXEC:__text:FFFFFFF00812421C                 ADRL            X0, _LowExceptionVectorBase
__TEXT_EXEC:__text:FFFFFFF008124224                 MSR             #0, c12, c0, #0, X0

Past solutions include Brandon Azad's script, which adds comments to these instructions. However, the script takes a while to run, and you need to run it again whenever new data is marked as code.

This plugin avoids that by hooking the functions IDA uses to render instruction text, so register names are substituted at display time.

The result is that these cryptic sequences are replaced with standard MSR names...

__TEXT_EXEC:__text:FFFFFFF00812420C                 EXPORT _start_first_cpu
__TEXT_EXEC:__text:FFFFFFF00812420C _start_first_cpu                        ; CODE XREF: __start↑j
__TEXT_EXEC:__text:FFFFFFF00812420C                 MSR             OSLAR_EL1, , ,
__TEXT_EXEC:__text:FFFFFFF008124210                 MSR             DAIFSet, #0xF
__TEXT_EXEC:__text:FFFFFFF008124214                 MOV             X20, X0
__TEXT_EXEC:__text:FFFFFFF008124218                 MOV             X21, #0
__TEXT_EXEC:__text:FFFFFFF00812421C                 ADRL            X0, _LowExceptionVectorBase
__TEXT_EXEC:__text:FFFFFFF008124224                 MSR             VBAR_EL1, X0, , ,

IDA caches the rendered text, so the hook is generally invoked only once per instruction per session, and the performance overhead is unnoticeable.

The plugin leaves the trailing commas in place instead of deleting the now-unused operands, to avoid corrupting the disassembler's internal data. Removing them has not caused problems in testing, but the plugin deliberately does not do so, to avoid any risk of database corruption.

The plugin also supports SYS-encoded instructions such as TLBI, as shown in this example:

__TEXT_EXEC:__text:FFFFFFF008124498                 MSR             MAIR_EL1, X0, , ,
__TEXT_EXEC:__text:FFFFFFF00812449C                 ISB
__TEXT_EXEC:__text:FFFFFFF0081244A0                 TLBI            VMALLE1, , ,
__TEXT_EXEC:__text:FFFFFFF0081244A4                 DSB             ISH
__TEXT_EXEC:__text:FFFFFFF0081244A8                 CBZ             X21, loc_FFFFFFF0081244BC
__TEXT_EXEC:__text:FFFFFFF0081244AC                 ADRL            X0, _cpu_ttep
__TEXT_EXEC:__text:FFFFFFF0081244B4                 LDR             X0, [X0]
__TEXT_EXEC:__text:FFFFFFF0081244B8                 MSR             TTBR1_EL1, X0, , ,

MSR name database

The embedded database only includes standard ARMv8 system registers; it can be extended by placing an additional register JSON database in the same directory as the plugin (see Apple-specific registers below).

Note that Apple SoC register names may vary between models.
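The mapping the plugin performs, as an added example that is not the plugin's own code: a stand-alone Python decoder that extracts the (op0, op1, CRn, CRm, op2) fields from MSR/MRS/SYS instruction words, looks them up in a small standard table and an optional external JSON database, and falls back to the architectural S<op0>_<op1>_C<n>_C<m>_<op2> spelling, flagging the IMPLEMENTATION DEFINED space where vendor (e.g. Apple) registers live. The JSON schema, the vendor register name and the sample instruction bytes are constructed for this example; the schema is an assumption and does not describe the layout of m1n1's apple_regs.json.

```python
"""Decode AArch64 MSR/MRS/SYS instruction words into system-register names."""
import json
import struct

# Standard ARMv8 registers, keyed by (op0, op1, CRn, CRm, op2). Only the ones in
# the page's XNU excerpts plus MIDR_EL1; a real database is far larger.
STANDARD_SYSREGS = {
    (2, 0, 1, 0, 4): "OSLAR_EL1",
    (3, 0, 0, 0, 0): "MIDR_EL1",
    (3, 0, 2, 0, 1): "TTBR1_EL1",
    (3, 0, 10, 2, 0): "MAIR_EL1",
    (3, 0, 12, 0, 0): "VBAR_EL1",
}
# SYS-class operations (op0 == 1), keyed by (op1, CRn, CRm, op2).
SYS_ALIASES = {(0, 8, 3, 0): "TLBI VMALLE1IS", (0, 8, 7, 0): "TLBI VMALLE1",
               (0, 7, 5, 0): "IC IALLU"}
# MSR (immediate) PSTATE fields, keyed by (op1, op2).
PSTATE_FIELDS = {(0, 5): "SPSel", (3, 6): "DAIFSet", (3, 7): "DAIFClr"}

# Constructed vendor database in the schema assumed below (NOT m1n1's layout); the name is hypothetical.
VENDOR_DB_JSON = '[{"name": "HYPOTHETICAL_VENDOR_REG", "enc": [3, 4, 15, 1, 0]}]'

# Constructed sample: the page's XNU start-up sequence, hand-assembled from the ARM ARM encodings.
SAMPLE_CODE = struct.pack(
    "<8I",
    0xD510109F,  # msr OSLAR_EL1, xzr
    0xD5034FDF,  # msr DAIFSet, #0xF
    0xAA0003F4,  # mov x20, x0            (not a system instruction)
    0xD518C000,  # msr VBAR_EL1, x0
    0xD508871F,  # tlbi VMALLE1
    0xD5182020,  # msr TTBR1_EL1, x0
    0xD5380000,  # mrs x0, MIDR_EL1
    0xD51CF100,  # msr S3_4_C15_C1_0, x0  (hypothetical IMPDEF register)
)

def load_sysreg_json(text):
    """Parse a JSON list of {"name": str, "enc": [op0, op1, CRn, CRm, op2]} (assumed schema)."""
    return {tuple(entry["enc"]): entry["name"] for entry in json.loads(text)}

def generic_name(enc):
    """Architectural fallback spelling, S<op0>_<op1>_C<n>_C<m>_<op2>."""
    return "S%d_%d_C%d_C%d_%d" % enc

def is_impdef(enc):
    """op0 == 3 with CRn == 11 or 15 is the IMPLEMENTATION DEFINED register space."""
    return enc[0] == 3 and enc[2] in (11, 15)

def sysreg_name(enc, extra_db=None):
    """Vendor database first, then the standard table, then the generic spelling."""
    if extra_db and enc in extra_db:
        return extra_db[enc]
    return STANDARD_SYSREGS.get(enc, generic_name(enc))

def decode_system_insn(word, extra_db=None):
    """Return text like "MSR VBAR_EL1, X0" for a System-group word, or None for anything else."""
    if (word >> 22) != 0x354:          # bits[31:22] must be 0b1101010100
        return None
    is_load = (word >> 21) & 1         # L bit: MRS/SYSL read vs MSR/SYS write
    op0, op1 = (word >> 19) & 3, (word >> 16) & 7
    crn, crm, op2 = (word >> 12) & 0xF, (word >> 8) & 0xF, (word >> 5) & 7
    rt = word & 0x1F
    reg = "XZR" if rt == 31 else "X%d" % rt
    if op0 == 0:                       # CRn 4 = MSR (immediate); CRn 2/3 = hints/barriers
        if is_load or crn != 4:
            return None
        field = PSTATE_FIELDS.get((op1, op2), "PSTATE(op1=%d,op2=%d)" % (op1, op2))
        return "MSR %s, #0x%X" % (field, crm)
    if op0 == 1:                       # SYS / SYSL: cache, TLB and address-translation ops
        if is_load:
            return "SYSL %s, #%d, C%d, C%d, #%d" % (reg, op1, crn, crm, op2)
        alias = SYS_ALIASES.get((op1, crn, crm, op2))
        if alias is None:
            return "SYS #%d, C%d, C%d, #%d, %s" % (op1, crn, crm, op2, reg)
        return alias if rt == 31 else "%s, %s" % (alias, reg)
    enc = (op0, op1, crn, crm, op2)    # op0 is 2 or 3: MSR/MRS with a named register
    name = sysreg_name(enc, extra_db)
    text = "MRS %s, %s" % (reg, name) if is_load else "MSR %s, %s" % (name, reg)
    if name == generic_name(enc) and is_impdef(enc):
        text += "  ; IMPLEMENTATION DEFINED, not in any loaded database"
    return text

def disassemble_system_insns(code, base, extra_db=None):
    """Return [(address, text)] over little-endian code; non-system words become '...'."""
    out = []
    for off in range(0, len(code) - len(code) % 4, 4):
        word = struct.unpack_from("<I", code, off)[0]
        out.append((base + off, decode_system_insn(word, extra_db) or "..."))
    return out

if __name__ == "__main__":
    for addr, text in disassemble_system_insns(SAMPLE_CODE, 0xFFFFFFF00812420C,
                                               load_sysreg_json(VENDOR_DB_JSON)):
        print("%016X  %s" % (addr, text))
```

Running the block prints the same sequence the page shows, with names resolved. The decoder also makes the raw IDA output readable: for MSR/MRS the o0 bit and op1 sit in bits 19:16, CRn in 15:12, CRm in 11:8 and op2 in 7:5, so IDA's `MSR #0, c1, c0, #4` is exactly (op1=0, CRn=1, CRm=0, op2=4) with op0 implied, i.e. OSLAR_EL1. A register that resolves only to its generic S3_x_C15_Cy_z spelling is the signal that a vendor database (such as apple_regs.json) is missing or does not cover that SoC.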

Installation

Download aarch64_sysreg.py and put it in IDA's plugins/ folder.

Apple-specific registers

Download apple_regs.json from Asahi Linux's m1n1 repository and put it in the same folder as the Python script (plugins/).

Disclaimer

This software comes with no warranty. It should work fine under normal circumstances; however, in the unfortunate case (if any exists) that it does not, please do NOT blame the author for corrupted databases. Please nicely file a bug report AFTER your anger has been processed.

The examples above are taken from the XNU kernel.

Contribution

Issues and PRs are welcome.

License

This repo is licensed under Mozilla Public License, v. 2.0.

Contributors

trungnguyen1909, jonpalmisc
