secursig Posted July 10, 2017 Posted July 10, 2017 As ARM these days is becoming ever so popular on embedded devices..static analysis always doesn't get it done. Here's a couple of useful tools to allow you to run some code in an IDA database if you want to emulate simple subroutines as if you were debugging them with a JTAG...without any debugging hardware. https://github.com/cseagle/sk3wldbg support: x86 x86-64 ARM ARM64 MIPS MIPS64 SPARC SPARC64 M68K This one allows you to bind python style variables to the arm assembly and run it https://github.com/36hours/idaemu Example1 This is easy function for add. .text:000000000040052D public myadd .text:000000000040052D myadd proc near ; CODE XREF: main+1B�p .text:000000000040052D .text:000000000040052D var_4 = dword ptr -4 .text:000000000040052D .text:000000000040052D push rbp .text:000000000040052E mov rbp, rsp .text:0000000000400531 mov [rbp+var_4], edi .text:0000000000400534 mov edx, cs:magic ; magic dd 64h .text:000000000040053A mov eax, [rbp+var_4] .text:000000000040053D add eax, edx .text:000000000040053F pop rbp .text:0000000000400540 retn .text:0000000000400540 myadd endp Running the idapython scritp: from idaemu import * a = Emu(UC_ARCH_X86, UC_MODE_64) print a.eFunc(0x040052D, None, [7]) Get the function result: 107 Example2 If there is a library function call inner the function, we couldnt call it directly. We should use alt to hook the library function first. .text:0000000000400560 public myadd .text:0000000000400560 myadd proc near ; CODE XREF: main+27�p .text:0000000000400560 .text:0000000000400560 var_8 = dword ptr -8 .text:0000000000400560 var_4 = dword ptr -4 .text:0000000000400560 .text:0000000000400560 push rbp .text:0000000000400561 mov rbp, rsp .text:0000000000400564 sub rsp, 10h .text:0000000000400568 mov [rbp+var_4], edi .text:000000000040056B mov [rbp+var_8], esi .text:000000000040056E mov eax, [rbp+var_8] .text:0000000000400571 mov edx, [rbp+var_4] .text:0000000000400574 add eax, edx .text:0000000000400576 mov esi, eax .text:0000000000400578 mov edi, offset format ; "a+b=%d\n" .text:000000000040057D mov eax, 0 .text:0000000000400582 call _printf .text:0000000000400587 leave .text:0000000000400588 retn .text:0000000000400588 myadd endp Running the idapython scritp: from idaemu import * a = Emu(UC_ARCH_X86, UC_MODE_64) def myprint(uc, out, args): out.append("this is hook output: %d" % args[1]) return 0 myadd_addr = 0x00400560 printf_addr = 0x00400410 a.alt(printf_addr, myprint, 2, False) a.eFunc(myadd_addr, None, [1, 7]) print "---- below is the trace ----" a.showTrace() Get the result: ---- below is the trace ---- this is hook output: 8 Well Done. We can alter every function in this way. Example3 Sometimes it emulates fail with some abort: Python>from idaemu import * Python>a = Emu(UC_ARCH_ARM, UC_MODE_THUMB) Python>print a.eFunc(here(), 0xbeae, [4]) #ERROR: Invalid instruction (UC_ERR_INSN_INVALID) 1048576 Then we can use setTrace and showTrace for debugging. Python>from idaemu import * Python>a = Emu(UC_ARCH_ARM, UC_MODE_THUMB) Python>a.setTrace(TRACE_CODE) Python>a.eFunc(here(), 0xbeae, [4]) #ERROR: Invalid instruction (UC_ERR_INSN_INVALID) 1048576 Python>a.showTrace() ### Trace Instruction at 0x13dc, size = 2 ### Trace Instruction at 0x13de, size = 2 ### Trace Instruction at 0x13e0, size = 2 ...... ### Trace Instruction at 0x19c6, size = 2 ### Trace Instruction at 0x19c8, size = 2 ### Trace Instruction at 0x19ca, size = 2 ### Trace Instruction at 0xbeae, size = 2 So we found the abort reason (the RA is wrong) 1 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now