thebabush / nampa Goto Github PK

TL;DR first: I have this working for my purposes but it won't fly with Binja as-is. I'm not sure how much time I'll have on this after this week so I wanted to share what I have so far and since r2 can talk to IDA pretty easily, I'm not sure if they'll actually get around to implementing this.

I've got an implementation that appears to work for me but won't do anything for you. I don't have Binary Ninja so I can't do any testing outside of my work on angr which is currently held up by a missing feature in CFG generation, which may not be implemented for a while.

Also, I'm afraid that this relies on REF functions always first being defined as Public functions in the SIG file, meaning they can be identified in the binary ahead of time, but I'm not sure that's always the case. And, with angr, I'm using your code as a module in my own plugin, which is where I do my checks for whether the function was already identified and re-generating the CFG based on the FLIRT signature's claim of what the function should look like; I'm guessing this will have to be done in nampa itself in order to work with Binja.

My Python is more of a pseudo-C so I didn't want to try ham-fisting this into your nice Pythonic implementation.

EDIT: My test binary, lib and signature is here.

As far as I can tell, the behavior for when multiple functions that match the same signature is not specified. For small functions, it's quite common to encounter multiple matches for the same FLIRT signature (especially for small functions).
It would be optimal to be able to specify whether the matches are ignored or alternate behaviors when multiple functions match a single pattern, however documenting the current behavior in the readme would be a step in the right direction.
IDA lets you specify the behavior (the first suggestion) and was the inspiration for this issue.

Instead of renaming or just logging the match,It would be useful in some cases to have it place a tag at the appropriate location instead.

I don't use Binja so I'm not sure how it's handled there but the callback returns the plain addr. The addr only refers to the buffer so the matched function's actual address in the binary is at addr+funk.offset.

Was that intentional?

With the introduction of the Binary Ninja Plugin Manager 2.0 we will be releasing a installation UI for all plugins in the community repository. Please check https://binary.ninja/2019/07/04/plugin-manager-2.0.html for the latest information about how to submit your plugin. If you no longer want your plugin in the repository please disregard this issue