Salut !

Un tout petit article pour vous donner un petit script utile pour IDA : il permet d’extraire les arguments des fonctions icc_nvs_read et icc_nvs_write.

Vue d’IDA et de la sortie du plugin

Ces fonctions gèrent le SFlash et donc les Switch Bank de la PS4. Les reverser peut être d’une grande utilité, mais au vu du nombre d’appels et du fait qu’analyser plusieurs noyaux peut être intéressant, j’ai écrit un plugin Python pour ça.

# NVS Read / Write arguments extractor - TheoryWrong
import idautils
import idc
from idaapi import *

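# Lowest segment start of the database.  Every "Relative" value printed
# below is an offset from this address, so results can be compared between
# kernel images loaded at different bases.
start_address = next(iter(idautils.Segments()), 0)
nvs_read = idc.get_name_ea_simple("icc_nvs_read")
nvs_write = idc.get_name_ea_simple("icc_nvs_write")

# Number of bytes scanned backwards from a call site for its argument setup.
SCAN_WINDOW = 70

# Argument register -> extracted field.  The callee is assumed to follow the
# SysV x86-64 convention, where the first three integer arguments are passed
# in edi, esi and edx.
ARG_REGS = {'edi': 'bank_id', 'esi': 'offset', 'edx': 'size'}

print("start address 0x{:08x}".format(start_address))
print("nvs read 0x{:08x}".format(nvs_read))
print("nvs write 0x{:08x}".format(nvs_write))


def extract_call_args(call_ea, window=SCAN_WINDOW):
    """Recover ``(bank_id, offset, size)`` for the call at *call_ea*.

    Instruction heads are walked backwards from the call site for at most
    *window* bytes; for each argument register the immediate of the
    *nearest* ``mov reg, imm`` is kept, because an earlier write to the same
    register is dead by the time the call executes.  A field that is not
    found inside the window is reported as -1.

    The walk is linear: it does not stop at a function or basic-block
    boundary and does not follow jumps, so a value set on another path (or
    in the preceding function) can be attributed to this call.  Treat the
    output as a lead to verify in the disassembly, not as ground truth.
    """
    values = {'bank_id': -1, 'offset': -1, 'size': -1}
    found = set()
    lower_bound = call_ea - window
    ea = call_ea
    while ea >= lower_bound and len(found) < len(ARG_REGS):
        ea = idc.PrevHead(ea)
        # At the start of the database PrevHead yields BADADDR, which compares
        # greater than any real address and would otherwise spin forever.
        if ea == idc.BADADDR:
            break
        if idc.GetMnem(ea) != 'mov':
            continue
        field = ARG_REGS.get(idc.GetOpnd(ea, 0))
        if field is None or field in found:
            continue
        values[field] = idc.GetOperandValue(ea, 1)
        found.add(field)
    return values['bank_id'], values['offset'], values['size']


def dump_call_sites(func_ea, kind):
    """Print one line per code xref to *func_ea*.

    *kind* is the label shown in the ``Type:`` column (READ / WRITE).
    ``XRef`` is the address of the call instruction itself and ``Relative``
    its offset from ``start_address``.
    """
    for xref in idautils.XrefsTo(func_ea, flags=0):
        call_ea = xref.frm
        bank_id, offset, size = extract_call_args(call_ea)
        print("XRef: {:s} Relative: {:s} Type: {:s} Bank id: {:d} Offset: {:s} Size: {:s}".format(
            hex(call_ea), hex(call_ea - start_address), kind, bank_id, hex(offset), hex(size)))


for func_ea, kind, name in ((nvs_read, "READ", "icc_nvs_read"),
                            (nvs_write, "WRITE", "icc_nvs_write")):
    # A name that was not renamed in the database resolves to BADADDR and
    # would silently produce no output; say so instead.
    if func_ea == idc.BADADDR:
        print("function {:s} not found, rename it first".format(name))
        continue
    dump_call_sites(func_ea, kind)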

Pour l’utiliser, rien de plus simple : renommer les bonnes fonctions en icc_nvs_read et icc_nvs_write, enregistrer le script et l’exécuter via File > Script File. Tadaa 😉

Le résultat sur un kernel en 5.05 : https://ghostbin.co/paste/rmvor

Le script est facilement adaptable à d’autres applications du même style ! Happy hacking ! ^^

