update to ida 7.6, add builds
This commit is contained in:
162
idasdk76/ldr/script_ldrs/archldr_tar.py
Normal file
162
idasdk76/ldr/script_ldrs/archldr_tar.py
Normal file
@@ -0,0 +1,162 @@
|
||||
# Sample archive loader: TAR file format
|
||||
# Feel free to improve it, this is just a sample
|
||||
|
||||
import os
|
||||
import os.path
|
||||
import tarfile
|
||||
import shutil
|
||||
import tempfile
|
||||
import idaapi
|
||||
from ida_kernwin import Choose
|
||||
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def accept_file(li, filename):
|
||||
"""
|
||||
Check input file format.
|
||||
This function will be called one or more times depending on the result value.
|
||||
|
||||
@param li: a file-like object which can be used to access the input data
|
||||
@param filename: name of the file, if it is an archive member name then the actual file doesn't exist
|
||||
@return: 0 - no more supported formats
|
||||
string "name" - format name to display in the chooser dialog
|
||||
dictionary {
|
||||
'format': "name",
|
||||
'options': integer,
|
||||
'flags': integer
|
||||
}
|
||||
options: should be 1,
|
||||
if ORed with ACCEPT_ARCHIVE then it is an archive loader
|
||||
if ORed with ACCEPT_CONTINUE then this function will be called another time
|
||||
if ORed with ACCEPT_FIRST then indicates preferred format
|
||||
loader_flags: see GENFLG_
|
||||
"""
|
||||
li.seek(0)
|
||||
try:
|
||||
t = tarfile.open(fileobj=li, mode='r|*')
|
||||
t.close()
|
||||
(_, ext) = os.path.splitext(filename)
|
||||
if ext not in (".tar", ".tgz", "tar.gz"):
|
||||
return 0
|
||||
return {'format': "TAR archive",
|
||||
'options': 1 | idaapi.ACCEPT_ARCHIVE}
|
||||
except Exception:
|
||||
pass
|
||||
return 0
|
||||
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def _read_whole_file(li):
|
||||
li.seek(0)
|
||||
return li.read(li.size())
|
||||
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def _tmpnam():
|
||||
(h, n) = tempfile.mkstemp()
|
||||
os.close(h)
|
||||
return n
|
||||
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
class TarMemberChoose(Choose):
|
||||
"""
|
||||
TAR archive members selection chooser
|
||||
"""
|
||||
|
||||
def __init__(self, archive, items):
|
||||
title = "Archive: " + archive
|
||||
Choose.__init__(
|
||||
self,
|
||||
title,
|
||||
[["File name", Choose.CHCOL_PATH | 60],
|
||||
["Size", Choose.CHCOL_DEC | 10]],
|
||||
icon=-1, y1=-2,
|
||||
flags = Choose.CH_MODAL | Choose.CH_NOIDB)
|
||||
self.items = items
|
||||
|
||||
def OnGetLine(self, n):
|
||||
return [self.items[n].name, str(self.items[n].size)]
|
||||
|
||||
def OnGetSize(self):
|
||||
return len(self.items)
|
||||
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def process_archive(li, archive, defmember, neflags, formatname):
|
||||
"""
|
||||
Display list of archive members and let the user select one.
|
||||
Extract the selected archive member into a temporary file.
|
||||
|
||||
@param li: a file-like object which can be used to access the input data
|
||||
@param archive: name of archive
|
||||
@param defmember: extract the specified member
|
||||
@param neflags: options selected by the user, see loader.hpp
|
||||
@param formatname: name of type of the file
|
||||
|
||||
@return: '' cancelled by the user
|
||||
string error message
|
||||
dictionary {
|
||||
'temp_file': string,
|
||||
'module_name': string,
|
||||
'neflags': integer
|
||||
}
|
||||
temp_file: name of the file with the extracted archive member
|
||||
module_name: name of the extracted archive member
|
||||
neflags: options selected by the user, see loader.hpp
|
||||
"""
|
||||
li.seek(0)
|
||||
try:
|
||||
t = tarfile.open(fileobj=li, mode='r|*')
|
||||
except tarfile.TarError as e:
|
||||
return str(e)
|
||||
|
||||
# list of archive members,
|
||||
members = t.getmembers()
|
||||
t.close()
|
||||
|
||||
# we are interested in regular files only
|
||||
items = [members[i] for i in range(0, len(members))]
|
||||
|
||||
# if default archive member is specified
|
||||
if defmember:
|
||||
for m in items:
|
||||
if os.path.basename(m.name) == defmember:
|
||||
selected_item = m
|
||||
break
|
||||
else:
|
||||
return "Unknown TAR archive default member: %s" % defmember
|
||||
else:
|
||||
chooser = TarMemberChoose(archive, items)
|
||||
code = chooser.Show(True)
|
||||
if code == Choose.NO_SELECTION:
|
||||
return "" # user canceled
|
||||
selected_item = items[code]
|
||||
|
||||
# construct archive member name
|
||||
member_name = os.path.basename(selected_item.name)
|
||||
module_name = os.path.join(os.path.dirname(archive), member_name)
|
||||
|
||||
# file for archive member
|
||||
workfile = _tmpnam()
|
||||
|
||||
# extract member
|
||||
# there is a bug reported in 2010 year but not fixed yet:
|
||||
# http://bugs.python.org/issue10436
|
||||
li.seek(0)
|
||||
buf = _read_whole_file(li)
|
||||
(h, workfile_tar) = tempfile.mkstemp()
|
||||
os.write(h, buf)
|
||||
os.close(h)
|
||||
|
||||
t = tarfile.open(name=workfile_tar, mode='r:*')
|
||||
tarinfo = t.getmember(selected_item.name)
|
||||
f_in = t.extractfile(tarinfo)
|
||||
f_out = open(workfile, 'wb')
|
||||
shutil.copyfileobj(f_in, f_out)
|
||||
f_out.close()
|
||||
f_in.close()
|
||||
t.close()
|
||||
os.unlink(workfile_tar)
|
||||
|
||||
return {'temp_file': workfile, 'module_name': module_name}
|
||||
74
idasdk76/ldr/script_ldrs/bios_image.idc
Normal file
74
idasdk76/ldr/script_ldrs/bios_image.idc
Normal file
@@ -0,0 +1,74 @@
|
||||
/*
|
||||
|
||||
Sample IDC loader: load BIOS image
|
||||
|
||||
Feel free to improve it, this is just a sample
|
||||
|
||||
*/
|
||||
|
||||
#include <idc.idc>
|
||||
|
||||
//--------------------------------------------------------------------------
|
||||
// Verify the input file format
|
||||
// li - loader_input_t object. it is positioned at the file start
|
||||
// Returns: if the input file is not recognized
|
||||
// return 0
|
||||
// else
|
||||
// return object with 2 attributes:
|
||||
// format: description of the file format
|
||||
// options:1 or ACCEPT_FIRST. it is ok not to set this attribute.
|
||||
// or return a string designating the format name
|
||||
|
||||
static accept_file(li, filename)
|
||||
{
|
||||
if ( li.size() > 0x10000 ) // we support max 64K images
|
||||
return 0;
|
||||
|
||||
li.seek(-16, SEEK_END);
|
||||
if ( li.getc() != 0xEA ) // jmp?
|
||||
return 0;
|
||||
|
||||
li.seek(-2, SEEK_END);
|
||||
if ( (li.getc() & 0xF0) != 0xF0 ) // reasonable computer type?
|
||||
return 0;
|
||||
|
||||
auto buf;
|
||||
li.seek(-11, SEEK_END);
|
||||
li.read(&buf, 9);
|
||||
// 06/03/08
|
||||
if ( buf[2] != "/" || buf[5] != "/" || buf[8] != "\x00" )
|
||||
return 0;
|
||||
|
||||
// accept the file
|
||||
auto res = object();
|
||||
res.format = "BIOS Image"; // description of the file format
|
||||
return res;
|
||||
}
|
||||
|
||||
//--------------------------------------------------------------------------
|
||||
// Load the file into the database
|
||||
// li - loader_input_t object. it is positioned at the file start
|
||||
// neflags - combination of NEF_... bits describing how to load the file
|
||||
// probably NEF_MAN is the most interesting flag that can
|
||||
// be used to select manual loading
|
||||
// format - description of the file format
|
||||
// Returns: 1 - means success, 0 - failure
|
||||
static load_file(li, neflags, format)
|
||||
{
|
||||
set_processor_type("metapc", SETPROC_LOADER);
|
||||
|
||||
auto base = 0xF000;
|
||||
auto start = base << 4;
|
||||
auto size = li.size();
|
||||
|
||||
// copy bytes to the database
|
||||
loadfile(li, 0, base<<4, size);
|
||||
|
||||
// create a segment
|
||||
add_segm_ex(start, start+size, base, 0, saRelPara, scPub, ADDSEG_NOSREG);
|
||||
|
||||
// set the entry registers
|
||||
set_inf_attr(INF_START_IP, size-16);
|
||||
set_inf_attr(INF_START_CS, base);
|
||||
return 1;
|
||||
}
|
||||
114
idasdk76/ldr/script_ldrs/bios_image.py
Normal file
114
idasdk76/ldr/script_ldrs/bios_image.py
Normal file
@@ -0,0 +1,114 @@
|
||||
|
||||
import sys
|
||||
|
||||
import idaapi
|
||||
import idc
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def accept_file(li, filename):
|
||||
# ignore any trailer; align on 64KB boundary
|
||||
|
||||
size = li.size()
|
||||
if (size & 0xFFF) != 0:
|
||||
size &= ~0xFFFF
|
||||
|
||||
if size < 16:
|
||||
return 0
|
||||
|
||||
# check the code at F000:FFF0
|
||||
li.seek(size-16);
|
||||
jump = li.read(16)
|
||||
# skip any nops
|
||||
while jump[:1] == b'\x90':
|
||||
jump = jump[1:]
|
||||
# skip wbinvd
|
||||
if jump.startswith(b'\x0F\x09'):
|
||||
jump = jump[2:]
|
||||
|
||||
_byte = ord if sys.version_info.major < 3 else lambda t: t
|
||||
|
||||
# is it a jump?
|
||||
if (
|
||||
jump.startswith(b'\xEA') # jmp ptr16:16 EA oo oo ss ss
|
||||
and len(jump) >= 5
|
||||
and 0xF0 <= _byte(jump[4]) <= 0xFE # segment should be above F000
|
||||
) or (
|
||||
jump.startswith(b'\xE9') # jmp rel16 E9 ll hh
|
||||
and len(jump) >= 3
|
||||
# and (_byte(jump[2]) & 0x80) != 0 # jump backwards
|
||||
) or (
|
||||
jump.startswith(b'\xEB') # jmp rel8 EB dd
|
||||
and len(jump) >= 2
|
||||
and (_byte(jump[1]) & 0x80) != 0 # jump backwards
|
||||
):
|
||||
return {'format': "BIOS Image", 'processor':'metapc'} # accept the file
|
||||
|
||||
return 0
|
||||
|
||||
|
||||
def myAddSeg(startea, endea, base, use32, name, clas):
|
||||
s = idaapi.segment_t()
|
||||
s.start_ea = startea
|
||||
s.end_ea = endea
|
||||
s.sel = idaapi.setup_selector(base)
|
||||
s.bitness = use32
|
||||
s.align = idaapi.saRelPara
|
||||
s.comb = idaapi.scPub
|
||||
idaapi.add_segm_ex(s, name, clas, idaapi.ADDSEG_NOSREG|idaapi.ADDSEG_OR_DIE)
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def load_file(li, neflags, format):
|
||||
chunksize = 0x10000
|
||||
base = 0xF000
|
||||
start = base << 4;
|
||||
size = li.size()
|
||||
if (size & 0xFFF) != 0:
|
||||
size &= ~0xFFFF
|
||||
offs = size - chunksize
|
||||
|
||||
idaapi.set_processor_type("metapc", idaapi.SETPROC_LOADER)
|
||||
|
||||
if size < chunksize:
|
||||
offs = 0
|
||||
start += (chunksize - size)
|
||||
chunksize = size
|
||||
|
||||
# make E and F segments for real-mode part
|
||||
myAddSeg(start, start+chunksize, base, 0, "BIOS_F", "CODE")
|
||||
li.file2base(offs, start, start+chunksize, 1)
|
||||
if offs > 0 and base > 0xE000:
|
||||
base -= 0x1000
|
||||
start -= chunksize
|
||||
offs -= chunksize
|
||||
myAddSeg(start, start+chunksize, base, 0, "BIOS_%X" % (base>>12), "CODE")
|
||||
li.file2base(offs, start, start+chunksize, 1)
|
||||
# set default ds to point to the current segment
|
||||
idc.set_default_sreg_value(start, "ds", base)
|
||||
|
||||
if offs > 0:
|
||||
# file is bigger than 128KB
|
||||
# make a flat 32-bit segment for the flash alias area
|
||||
start = (-size) & 0xFFFFFFFF # place it so that it ends at 4GB
|
||||
chunksize = size
|
||||
if not idc.__EA64__:
|
||||
chunksize -= 2 # truncate last two bytes to avoid address space overlap
|
||||
# map the whole file
|
||||
offs = 0
|
||||
base = 0
|
||||
myAddSeg(start, start+chunksize, base, 1, "BIOS_FLASH", "CODE")
|
||||
li.file2base(offs, start, start+chunksize, 1)
|
||||
|
||||
# set the entry registers to F000:FFF0
|
||||
idc.set_inf_attr(idc.INF_START_IP, 0xFFF0)
|
||||
idc.set_inf_attr(idc.INF_START_CS, 0xF000)
|
||||
# turn off "Convert 32bit instruction operand to offset", too many false positives in high areas
|
||||
idc.set_inf_attr(idc.INF_AF, idc.get_inf_attr(idc.INF_AF) & ~idc.AF_IMMOFF)
|
||||
# turn off "Create function tails"
|
||||
idc.set_inf_attr(idc.INF_AF, idc.get_inf_attr(idc.INF_AF) & ~idc.AF_FTAIL)
|
||||
|
||||
return 1
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def move_segm(frm, to, sz, fileformatname):
|
||||
idc.warning("move_segm(from=%s, to=%s, sz=%d, formatname=%s" % (hex(frm), hex(to), sz, fileformatname))
|
||||
return 0
|
||||
600
idasdk76/ldr/script_ldrs/hppacore.idc
Normal file
600
idasdk76/ldr/script_ldrs/hppacore.idc
Normal file
@@ -0,0 +1,600 @@
|
||||
//
|
||||
// Loader for HP-UX PA-Risc core dumps that are not ELF
|
||||
//
|
||||
// Avi Cohen Stuart avi.cohenstuart@infor.com
|
||||
// August 2010
|
||||
//
|
||||
// The core image exists of sections defined by the types below
|
||||
//struct corehead {
|
||||
// int type;
|
||||
// uint space;
|
||||
// uint addr;
|
||||
// uint len;
|
||||
//};
|
||||
//
|
||||
// Analysing a core file can be tedious without the binary that
|
||||
// caused the crash.
|
||||
//
|
||||
// Note that the CORE_PROC section contains information about the
|
||||
// state of the process. See the proc_info in /usr/include/sys/core.h on
|
||||
// a HP-UX PA-Risc machine.
|
||||
//
|
||||
#include <idc.idc>
|
||||
|
||||
#define CORE_NONE 0x00000000 /* reserved for future use */
|
||||
#define CORE_FORMAT 0x00000001 /* core version */
|
||||
#define CORE_KERNEL 0x00000002 /* kernel version */
|
||||
#define CORE_PROC 0x00000004 /* per process information */
|
||||
#define CORE_TEXT 0x00000008 /* reserved for future use */
|
||||
#define CORE_DATA 0x00000010 /* data of the process */
|
||||
#define CORE_STACK 0x00000020 /* stack of the process */
|
||||
#define CORE_SHM 0x00000040 /* reserved for future use */
|
||||
#define CORE_MMF 0x00000080 /* reserved for future use */
|
||||
#define CORE_EXEC 0x00000100 /* exec information */
|
||||
#define CORE_ANON_SHMEM 0x00000200 /* anonymous shared memory */
|
||||
|
||||
static Structures_0(id) {
|
||||
auto mid;
|
||||
|
||||
id = add_struc(-1,"__reg32_t",0);
|
||||
id = add_struc(-1,"__reg64_t",0);
|
||||
id = add_struc(-1,"__save_state::$8C0FCFCC2B9ACB495244C4B504AA9783",1);
|
||||
id = add_struc(-1,"fp_int_block_t",0);
|
||||
id = add_struc(-1,"fp_dbl_block_t",0);
|
||||
id = add_struc(-1,"__save_state::$F0F3A0B47411777C5961C26FBCE8E4DA",1);
|
||||
id = add_struc(-1,"__ss_narrow_t",0);
|
||||
|
||||
id = add_struc(-1,"save_state_t",0);
|
||||
id = add_struc(-1,"aux_id",0);
|
||||
id = add_struc(-1,"som_exec_auxhdr",0);
|
||||
id = add_struc(-1,"proc_exec::$733C094BD5627056653FFCFE6E9DB4EB",0);
|
||||
id = add_struc(-1,"proc_info",0);
|
||||
id = add_struc(-1,"shl_descriptor",0);
|
||||
id = add_struc(-1,"proc_exec",0);
|
||||
|
||||
id = get_struc_id("__reg32_t");
|
||||
mid = add_struc_member(id,"ss_reserved", 0X0, 0x20000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr1_hi", 0X8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr1_lo", 0XC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_rp_hi", 0X10, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_rp_lo", 0X14, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr3_hi", 0X18, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr3_lo", 0X1C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr4_hi", 0X20, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr4_lo", 0X24, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr5_hi", 0X28, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr5_lo", 0X2C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr6_hi", 0X30, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr6_lo", 0X34, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr7_hi", 0X38, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr7_lo", 0X3C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr8_hi", 0X40, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr8_lo", 0X44, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr9_hi", 0X48, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr9_lo", 0X4C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr10_hi", 0X50, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr10_lo", 0X54, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr11_hi", 0X58, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr11_lo", 0X5C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr12_hi", 0X60, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr12_lo", 0X64, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr13_hi", 0X68, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr13_lo", 0X6C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr14_hi", 0X70, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr14_lo", 0X74, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr15_hi", 0X78, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr15_lo", 0X7C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr16_hi", 0X80, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr16_lo", 0X84, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr17_hi", 0X88, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr17_lo", 0X8C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr18_hi", 0X90, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr18_lo", 0X94, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr19_hi", 0X98, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr19_lo", 0X9C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr20_hi", 0XA0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr20_lo", 0XA4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr21_hi", 0XA8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr21_lo", 0XAC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr22_hi", 0XB0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr22_lo", 0XB4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_arg3_hi", 0XB8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_arg3_lo", 0XBC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_arg2_hi", 0XC0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_arg2_lo", 0XC4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_arg1_hi", 0XC8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_arg1_lo", 0XCC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_arg0_hi", 0XD0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_arg0_lo", 0XD4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_dp_hi", 0XD8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_dp_lo", 0XDC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_ret0_hi", 0XE0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_ret0_lo", 0XE4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_ret1_hi", 0XE8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_ret1_lo", 0XEC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sp_hi", 0XF0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sp_lo", 0XF4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr31_hi", 0XF8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr31_lo", 0XFC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr11_hi", 0X100, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr11_lo", 0X104, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcoq_head_hi", 0X108, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcoq_head_lo", 0X10C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcsq_head_hi", 0X110, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcsq_head_lo", 0X114, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcoq_tail_hi", 0X118, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcoq_tail_lo", 0X11C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcsq_tail_hi", 0X120, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcsq_tail_lo", 0X124, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr15_hi", 0X128, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr15_lo", 0X12C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr19_hi", 0X130, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr19_lo", 0X134, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr20_hi", 0X138, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr20_lo", 0X13C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr21_hi", 0X140, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr21_lo", 0X144, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr22_hi", 0X148, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr22_lo", 0X14C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cpustate_hi", 0X150, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cpustate_lo", 0X154, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr4_hi", 0X158, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr4_lo", 0X15C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr0_hi", 0X160, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr0_lo", 0X164, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr1_hi", 0X168, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr1_lo", 0X16C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr2_hi", 0X170, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr2_lo", 0X174, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr3_hi", 0X178, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr3_lo", 0X17C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr5_hi", 0X180, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr5_lo", 0X184, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr6_hi", 0X188, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr6_lo", 0X18C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr7_hi", 0X190, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr7_lo", 0X194, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr0_hi", 0X198, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr0_lo", 0X19C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr8_hi", 0X1A0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr8_lo", 0X1A4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr9_hi", 0X1A8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr9_lo", 0X1AC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr10_hi", 0X1B0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr10_lo", 0X1B4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr12_hi", 0X1B8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr12_lo", 0X1BC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr13_hi", 0X1C0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr13_lo", 0X1C4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr24_hi", 0X1C8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr24_lo", 0X1CC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr25_hi", 0X1D0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr25_lo", 0X1D4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr26_hi", 0X1D8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr26_lo", 0X1DC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr27_hi", 0X1E0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr27_lo", 0X1E4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_reserved2", 0X1E8, 0x20000400, -1, 16);
|
||||
mid = add_struc_member(id,"ss_oldcksum", 0X1F8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_newcksum", 0X1FC, 0x20000400, -1, 4);
|
||||
|
||||
id = get_struc_id("__reg64_t");
|
||||
mid = add_struc_member(id,"ss_reserved", 0X0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr1", 0X8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_rp", 0X10, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr3", 0X18, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr4", 0X20, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr5", 0X28, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr6", 0X30, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr7", 0X38, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr8", 0X40, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr9", 0X48, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr10", 0X50, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr11", 0X58, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr12", 0X60, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr13", 0X68, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr14", 0X70, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr15", 0X78, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr16", 0X80, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr17", 0X88, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr18", 0X90, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr19", 0X98, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr20", 0XA0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr21", 0XA8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr22", 0XB0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_arg3", 0XB8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_arg2", 0XC0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_arg1", 0XC8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_arg0", 0XD0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_dp", 0XD8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_ret0", 0XE0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_ret1", 0XE8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_sp", 0XF0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_gr31", 0XF8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr11", 0X100, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_pcoq_head", 0X108, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_pcsq_head", 0X110, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_pcoq_tail", 0X118, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_pcsq_tail", 0X120, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr15", 0X128, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr19", 0X130, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr20", 0X138, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr21", 0X140, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr22", 0X148, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cpustate", 0X150, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_sr4", 0X158, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_sr0", 0X160, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_sr1", 0X168, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_sr2", 0X170, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_sr3", 0X178, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_sr5", 0X180, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_sr6", 0X188, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_sr7", 0X190, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr0", 0X198, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr8", 0X1A0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr9", 0X1A8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr10", 0X1B0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr12", 0X1B8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr13", 0X1C0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr24", 0X1C8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr25", 0X1D0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr26", 0X1D8, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_cr27", 0X1E0, 0x30000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_reserved2", 0X1E8, 0x30000400, -1, 16);
|
||||
mid = add_struc_member(id,"ss_oldcksum", 0X1F8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_newcksum", 0X1FC, 0x20000400, -1, 4);
|
||||
|
||||
id = get_struc_id("__save_state::$8C0FCFCC2B9ACB495244C4B504AA9783");
|
||||
mid = add_struc_member(id,"ss_64", 0X0, 0x60000400, get_struc_id("__reg64_t"), 512);
|
||||
mid = add_struc_member(id,"ss_32", 0X0, 0x60000400, get_struc_id("__reg32_t"), 512);
|
||||
|
||||
id = get_struc_id("fp_int_block_t");
|
||||
mid = add_struc_member(id,"ss_fpstat", 0X0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fpexcept1", 0X4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fpexcept2", 0X8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fpexcept3", 0XC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fpexcept4", 0X10, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fpexcept5", 0X14, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fpexcept6", 0X18, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fpexcept7", 0X1C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp4_hi", 0X20, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp4_lo", 0X24, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp5_hi", 0X28, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp5_lo", 0X2C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp6_hi", 0X30, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp6_lo", 0X34, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp7_hi", 0X38, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp7_lo", 0X3C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp8_hi", 0X40, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp8_lo", 0X44, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp9_hi", 0X48, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp9_lo", 0X4C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp10_hi", 0X50, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp10_lo", 0X54, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp11_hi", 0X58, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp11_lo", 0X5C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp12_hi", 0X60, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp12_lo", 0X64, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp13_hi", 0X68, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp13_lo", 0X6C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp14_hi", 0X70, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp14_lo", 0X74, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp15_hi", 0X78, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp15_lo", 0X7C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp16_hi", 0X80, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp16_lo", 0X84, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp17_hi", 0X88, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp17_lo", 0X8C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp18_hi", 0X90, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp18_lo", 0X94, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp19_hi", 0X98, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp19_lo", 0X9C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp20_hi", 0XA0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp20_lo", 0XA4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp21_hi", 0XA8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp21_lo", 0XAC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp22_hi", 0XB0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp22_lo", 0XB4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp23_hi", 0XB8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp23_lo", 0XBC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp24_hi", 0XC0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp24_lo", 0XC4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp25_hi", 0XC8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp25_lo", 0XCC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp26_hi", 0XD0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp26_lo", 0XD4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp27_hi", 0XD8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp27_lo", 0XDC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp28_hi", 0XE0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp28_lo", 0XE4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp29_hi", 0XE8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp29_lo", 0XEC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp30_hi", 0XF0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp30_lo", 0XF4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp31_hi", 0XF8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fp31_lo", 0XFC, 0x20000400, -1, 4);
|
||||
|
||||
id = get_struc_id("fp_dbl_block_t");
|
||||
mid = add_struc_member(id,"ss_fp0", 0X0, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp1", 0X8, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp2", 0X10, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp3", 0X18, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp4", 0X20, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp5", 0X28, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp6", 0X30, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp7", 0X38, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp8", 0X40, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp9", 0X48, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp10", 0X50, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp11", 0X58, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp12", 0X60, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp13", 0X68, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp14", 0X70, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp15", 0X78, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp16", 0X80, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp17", 0X88, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp18", 0X90, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp19", 0X98, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp20", 0XA0, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp21", 0XA8, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp22", 0XB0, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp23", 0XB8, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp24", 0XC0, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp25", 0XC8, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp26", 0XD0, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp27", 0XD8, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp28", 0XE0, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp29", 0XE8, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp30", 0XF0, 0x90000400, -1, 8);
|
||||
mid = add_struc_member(id,"ss_fp31", 0XF8, 0x90000400, -1, 8);
|
||||
|
||||
id = get_struc_id("__save_state::$F0F3A0B47411777C5961C26FBCE8E4DA");
|
||||
mid = add_struc_member(id,"fpdbl", 0X0, 0x60000400, get_struc_id("fp_dbl_block_t"), 256);
|
||||
mid = add_struc_member(id,"fpint", 0X0, 0x60000400, get_struc_id("fp_int_block_t"), 256);
|
||||
|
||||
id = get_struc_id("__ss_narrow_t");
|
||||
mid = add_struc_member(id,"ss_gr1", 0X0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_rp", 0X4, 0x20500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"ss_gr3", 0X8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr4", 0XC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr5", 0X10, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr6", 0X14, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr7", 0X18, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr8", 0X1C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr9", 0X20, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr10", 0X24, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr11", 0X28, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr12", 0X2C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr13", 0X30, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr14", 0X34, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr15", 0X38, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr16", 0X3C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr17", 0X40, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr18", 0X44, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr19", 0X48, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr20", 0X4C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr21", 0X50, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_gr22", 0X54, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_arg3", 0X58, 0x20500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"ss_arg2", 0X5C, 0x20500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"ss_arg1", 0X60, 0x20500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"ss_arg0", 0X64, 0x20500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"ss_dp", 0X68, 0x20500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"ss_ret0", 0X6C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_ret1", 0X70, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sp", 0X74, 0x20500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"ss_gr31", 0X78, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr11", 0X7C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcoq_head", 0X80, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcsq_head", 0X84, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcoq_tail", 0X88, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_pcsq_tail", 0X8C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr15", 0X90, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr19", 0X94, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr20", 0X98, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr21", 0X9C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr22", 0XA0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cpustate", 0XA4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr4", 0XA8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr0", 0XAC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr1", 0XB0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr2", 0XB4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr3", 0XB8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr5", 0XBC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr6", 0XC0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_sr7", 0XC4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr0", 0XC8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr8", 0XCC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr9", 0XD0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr10", 0XD4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr12", 0XD8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr13", 0XDC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr24", 0XE0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr25", 0XE4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr26", 0XE8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_cr27", 0XEC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_mpsfu_low", 0XF0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_mpsfu_ovflo", 0XF4, 0x20000400, -1, 4);
|
||||
|
||||
id = get_struc_id("save_state_t");
|
||||
mid = add_struc_member(id,"ss_flags", 0X0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_narrow", 0X4, 0x60000400, get_struc_id("__ss_narrow_t"), 248);
|
||||
mid = add_struc_member(id,"ss_pad", 0XFC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ss_fpblock", 0X100, 0x60000400, get_struc_id("__save_state::$F0F3A0B47411777C5961C26FBCE8E4DA"), 256);
|
||||
mid = add_struc_member(id,"ss_xor", 0X200, 0x000400, -1, 128);
|
||||
mid = add_struc_member(id,"ss_wide", 0X280, 0x60000400, get_struc_id("__save_state::$8C0FCFCC2B9ACB495244C4B504AA9783"), 512);
|
||||
|
||||
id = get_struc_id("proc_info");
|
||||
mid = add_struc_member(id,"sig", 0X0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"trap_type", 0X4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"hw_regs", 0X8, 0x60000400, get_struc_id("save_state_t"), 1152);
|
||||
mid = add_struc_member(id,"lwpid", 0X488, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"user_tid", 0X48C, 0x30000400, -1, 8);
|
||||
|
||||
id = get_struc_id("shl_descriptor");
|
||||
mid = add_struc_member(id,"tstart", 0X0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"tend", 0X4, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"dstart", 0X8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"dend", 0XC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"ltptr", 0X10, 0x25500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"handle", 0X14, 0x25500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"filename", 0X18, 0x50000400, 0x0, 1025);
|
||||
mid = add_struc_member(id,"initializer", 0X41C, 0x25500400, 0XFFFFFFFF, 4, 0XFFFFFFFF, 0X0, 0x000002);
|
||||
mid = add_struc_member(id,"ref_count", 0X420, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"reserved3", 0X424, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"reserved2", 0X428, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"reserved1", 0X42C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"reserved0", 0X430, 0x20000400, -1, 4);
|
||||
|
||||
id = get_struc_id("aux_id");
|
||||
mid = add_struc_member(id,"type", 0X0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"length", 0X4, 0x20000400, -1, 4);
|
||||
|
||||
id = get_struc_id("som_exec_auxhdr");
|
||||
mid = add_struc_member(id,"som_auxhdr", 0X0, 0x60000400, get_struc_id("aux_id"), 8);
|
||||
mid = add_struc_member(id,"exec_tsize", 0X8, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"exec_tmem", 0XC, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"exec_tfile", 0X10, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"exec_dsize", 0X14, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"exec_dmem", 0X18, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"exec_dfile", 0X1C, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"exec_bsize", 0X20, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"exec_entry", 0X24, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"exec_flags", 0X28, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"exec_bfill", 0X2C, 0x20000400, -1, 4);
|
||||
|
||||
id = get_struc_id("proc_exec::$733C094BD5627056653FFCFE6E9DB4EB");
|
||||
mid = add_struc_member(id,"u_magic", 0X0, 0x20000400, -1, 4);
|
||||
mid = add_struc_member(id,"som_aux", 0X4, 0x60000400, get_struc_id("som_exec_auxhdr"), 48);
|
||||
|
||||
id = get_struc_id("proc_exec");
|
||||
mid = add_struc_member(id,"exdata", 0X0, 0x60000400, get_struc_id("proc_exec::$733C094BD5627056653FFCFE6E9DB4EB"), 52);
|
||||
mid = add_struc_member(id,"cmd", 0X34, 0x50000400, 0x0, 15);
|
||||
mid = add_struc_member(id,"_padding", 0X43, 0x000400, -1, 1);
|
||||
|
||||
|
||||
return id;
|
||||
}
|
||||
|
||||
//------------------------------------------------------------------------
|
||||
// Information about structure types
|
||||
|
||||
static Structures(void) {
|
||||
auto id;
|
||||
id = Structures_0(id);
|
||||
}
|
||||
|
||||
// End of file.
|
||||
|
||||
static accept_file(li, filename)
|
||||
{
|
||||
auto buf;
|
||||
|
||||
li.seek(16,0); // skip first header
|
||||
li.read(&buf, 6);
|
||||
|
||||
// Magic:
|
||||
if (buf != "HP-UX\0")
|
||||
return 0;
|
||||
return "HP-UX HP-PA Core dump Image (non ELF)";
|
||||
}
|
||||
|
||||
static read_core_head(li)
|
||||
{
|
||||
auto core_type;
|
||||
auto core_space;
|
||||
auto core_addr;
|
||||
auto core_len;
|
||||
|
||||
auto proc_info_addr;
|
||||
auto proc_exec_addr;
|
||||
auto proc_exec_sel;
|
||||
|
||||
proc_info_addr = 0;
|
||||
proc_exec_addr = 0;
|
||||
proc_exec_sel = 0;
|
||||
|
||||
auto ret;
|
||||
auto mf = (get_inf_attr(INF_LFLAGS) & LFLG_MSF) != 0;
|
||||
li.seek(0, 0);
|
||||
ret = 0;
|
||||
// keep reading corehead structs and process them
|
||||
while (1) {
|
||||
ret = li.readbytes(&core_type, 4, mf);
|
||||
if (ret!=0) break;
|
||||
//msg("ret: %d\n", ret);
|
||||
|
||||
ret = li.readbytes(&core_space, 4, mf);
|
||||
ret= li.readbytes(&core_addr, 4, mf);
|
||||
ret= li.readbytes(&core_len, 4, mf);
|
||||
|
||||
//msg("type %x addr %x len %x\n", core_type, core_addr, core_len);
|
||||
|
||||
loadfile(li, li.tell(), core_addr, core_len);
|
||||
|
||||
AddSeg(core_addr, core_addr+core_len, 0, 1, saRelPara, 2);
|
||||
if (core_type==CORE_FORMAT) {
|
||||
set_segm_class(core_addr, "FORMAT");
|
||||
set_segm_type(core_addr, SEG_DATA);
|
||||
}
|
||||
if (core_type==CORE_PROC) {
|
||||
set_segm_class(core_addr, "PROC");
|
||||
set_segm_type(core_addr, SEG_DATA);
|
||||
proc_info_addr = core_addr;
|
||||
}
|
||||
if (core_type==CORE_DATA) {
|
||||
set_segm_class(core_addr, "DATA");
|
||||
set_segm_type(core_addr, SEG_DATA);
|
||||
|
||||
}
|
||||
if (core_type==CORE_STACK) {
|
||||
set_segm_class(core_addr, "STACK");
|
||||
set_segm_type(core_addr, SEG_DATA);
|
||||
}
|
||||
if (core_type==CORE_MMF) {
|
||||
set_segm_class(core_addr, "MMF");
|
||||
}
|
||||
if (core_type==CORE_NONE) {
|
||||
set_segm_class(core_addr, "NONE");
|
||||
}
|
||||
if (core_type==CORE_EXEC) {
|
||||
set_segm_class(core_addr, "EXEC");
|
||||
set_segm_type(core_addr, SEG_DATA);
|
||||
proc_exec_addr = core_addr;
|
||||
proc_exec_sel = get_segm_attr(core_addr, SEGATTR_SEL);
|
||||
}
|
||||
}
|
||||
|
||||
set_inf_attr(INF_COMPILER, COMP_GNU); // closest to HP compiler
|
||||
set_inf_attr(INF_SIZEOF_ALGN, 4);
|
||||
|
||||
Structures();
|
||||
|
||||
if (proc_info_addr !=0) {
|
||||
//provide sime initial information about
|
||||
//the process state
|
||||
msg("set proc_data\n");
|
||||
create_struct(proc_info_addr, -1, "proc_info");
|
||||
}
|
||||
if (proc_exec_addr !=0) {
|
||||
// provide some info about the exec
|
||||
create_struct(proc_exec_addr, -1 , "proc_exec");
|
||||
set_inf_attr(INF_START_IP, proc_exec_addr);
|
||||
set_inf_attr(INF_START_CS, proc_exec_sel);
|
||||
}
|
||||
|
||||
//
|
||||
// from here on, in a future version: locate the binary,
|
||||
// shared libraries and load them as well into the idb...
|
||||
}
|
||||
|
||||
static load_file(li, neflags, format)
|
||||
{
|
||||
set_processor_type("hppa", SETPROC_LOADER);
|
||||
|
||||
msg("file size %d\n", li.size());
|
||||
|
||||
read_core_head(li);
|
||||
|
||||
return 1;
|
||||
}
|
||||
24
idasdk76/ldr/script_ldrs/makefile
Normal file
24
idasdk76/ldr/script_ldrs/makefile
Normal file
@@ -0,0 +1,24 @@
|
||||
|
||||
include ../../allmake.mak
|
||||
|
||||
LDRDIR = $(R)loaders
|
||||
|
||||
LOADERS += archldr_tar.py
|
||||
LOADERS += bios_image.py
|
||||
LOADERS += pdfldr.py
|
||||
LOADERS += uimage.py
|
||||
LOADERS += wince.py
|
||||
LOADERS-$(IDAADV) += hppacore.idc
|
||||
|
||||
LOADERS += $(LOADERS-1)
|
||||
|
||||
all: $(addprefix $(LDRDIR)/, $(LOADERS))
|
||||
|
||||
$(LDRDIR)/%.idc: %.idc
|
||||
$(CP) $? $@
|
||||
|
||||
$(LDRDIR)/%.py: %.py
|
||||
$(CP) $? $@
|
||||
|
||||
clean::
|
||||
rm -f $(addprefix $(LDRDIR)/, $(LOADERS))
|
||||
319
idasdk76/ldr/script_ldrs/pdfldr.py
Normal file
319
idasdk76/ldr/script_ldrs/pdfldr.py
Normal file
@@ -0,0 +1,319 @@
|
||||
"""
|
||||
A script that extracts shellcode from PDF files
|
||||
|
||||
The script uses very basic shellcode extraction algorithm
|
||||
|
||||
Copyright (c) 1990-2021 Hex-Rays
|
||||
ALL RIGHTS RESERVED.
|
||||
|
||||
Revision history
|
||||
=========================
|
||||
v1.0 - initial version
|
||||
|
||||
|
||||
Possible enhancements:
|
||||
=========================
|
||||
1. From Didier:
|
||||
-----------------
|
||||
FYI: the regex you use to match /JavaScript /JS will fail to match
|
||||
name obfuscation. Name obuscation use a feature of the PDF language
|
||||
that allows a character in a name (like /JavaScript) to be replaced
|
||||
with its hexcode. Example: /#4AavaScript
|
||||
http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
|
||||
|
||||
It's something that's used in-the-wild.
|
||||
|
||||
I've updated your regex to support name obfuscation. The JavaScript
|
||||
itself is now captured in group 13.
|
||||
|
||||
\/S\s*\/(J|#4A|#4a)(a|#61)(v|#76)(a|#61)(S|#53)(c|#63)(r|#72)(i|#69)(p|#70)(t|#74)\s*\/(J|#4A|#4a)(S|#53)
|
||||
\((.+?)>>
|
||||
|
||||
2.
|
||||
---------------
|
||||
|
||||
"""
|
||||
|
||||
import sys
|
||||
import re
|
||||
import zlib
|
||||
|
||||
SAMPLE1 = 'malware1.pdf.vir'
|
||||
SAMPLE2 = 'heapspray-simpler-calc.pdf.vir'
|
||||
|
||||
try:
|
||||
import idaapi
|
||||
import idc
|
||||
import ida_idp
|
||||
ida = True
|
||||
except:
|
||||
ida = False
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
# Tries to find shellcode inside JavaScript statements
|
||||
# The seach algorithm is simple: it searchs for anything between unescape()
|
||||
# if it encounters %u or %x it correctly decodes them to characters
|
||||
def extract_shellcode(lines):
|
||||
p = 0
|
||||
shellcode = [] # accumulate shellcode
|
||||
while True:
|
||||
p = lines.find(b'unescape("', p)
|
||||
if p == -1:
|
||||
break
|
||||
e = lines.find(b')', p)
|
||||
if e == -1:
|
||||
break
|
||||
expr = lines[p+9:e]
|
||||
data = []
|
||||
def put_byte(b):
|
||||
if sys.version_info.major >= 3:
|
||||
data.append(b)
|
||||
else:
|
||||
data.append(chr(b))
|
||||
|
||||
for i in range(0, len(expr)):
|
||||
if expr[i:i+2] == b"%u":
|
||||
i += 2
|
||||
put_byte(int(expr[i+2:i+4], 16))
|
||||
put_byte(int(expr[i:i+2], 16))
|
||||
i += 4
|
||||
elif expr[i] == b"%":
|
||||
i += 1
|
||||
put_byte(int(expr[i:i+2], 16))
|
||||
i += 2
|
||||
# advance the match pos
|
||||
p += 8
|
||||
if sys.version_info.major >= 3:
|
||||
shellcode.append(bytes(data))
|
||||
else:
|
||||
shellcode.append("".join(data))
|
||||
|
||||
# That's it
|
||||
return shellcode
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
# Given a PDF object id and version, we return the object declaration
|
||||
def find_obj(buf, id, ver):
|
||||
stream = re.search(b'%d %d obj(.*?)endobj' % (id, ver), buf, re.MULTILINE | re.DOTALL)
|
||||
if not stream:
|
||||
return None
|
||||
return buf[stream.start(1):stream.end(1)]
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
# Find JavaScript objects and extract the referenced script object id/ver
|
||||
def find_js_ref_streams(buf):
|
||||
o = []
|
||||
js_ref_streams = re.finditer(r'\/S\s*\/JavaScript\/JS (\d+) (\d+) R'.encode("UTF-8"), buf)
|
||||
for g in js_ref_streams:
|
||||
id = int(g.group(1))
|
||||
ver = int(g.group(2))
|
||||
o.append([id, ver])
|
||||
return o
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
# Find JavaScript objects and extract the embedded script
|
||||
def find_embedded_js(buf):
|
||||
r = re.finditer(r'\/S\s*\/JavaScript\s*\/JS \((.+?)>>'.encode("UTF-8"), buf, re.MULTILINE | re.DOTALL)
|
||||
if not r:
|
||||
return None
|
||||
|
||||
ret = []
|
||||
for js in r:
|
||||
p = buf.rfind(b'obj', 0, js.start(1))
|
||||
if p == -1:
|
||||
return None
|
||||
|
||||
scs = extract_shellcode(js.group(1))
|
||||
if not scs:
|
||||
return None
|
||||
|
||||
t = buf[p - min(20, len(buf)): p + 3]
|
||||
obj = re.search('(\d+) (\d+) obj'.encode("UTF-8"), t)
|
||||
if not obj:
|
||||
id, ver = 0
|
||||
else:
|
||||
id = int(obj.group(1))
|
||||
ver = int(obj.group(2))
|
||||
n = 0
|
||||
for sc in scs:
|
||||
n += 1
|
||||
ret.append([id, ver, n, sc])
|
||||
return ret
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
# Given a gzipped stream object, it returns the decompressed contents
|
||||
def decompress_stream(buf):
|
||||
if buf.find(b'Filter[/FlateDecode]') == -1:
|
||||
return None
|
||||
m = re.search(b'stream\s*(.+?)\s*endstream', buf, re.DOTALL | re.MULTILINE)
|
||||
if not m:
|
||||
return None
|
||||
# Decompress and return
|
||||
return zlib.decompress(m.group(1))
|
||||
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def read_whole_file(li):
|
||||
li.seek(0)
|
||||
return li.read(li.size())
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def extract_pdf_shellcode(buf):
|
||||
ret = []
|
||||
|
||||
# find all JS stream references
|
||||
r = find_js_ref_streams(buf)
|
||||
for id, ver in r:
|
||||
# extract the JS stream object
|
||||
obj = find_obj(buf, id, ver)
|
||||
|
||||
# decode the stream
|
||||
stream = decompress_stream(obj)
|
||||
|
||||
# extract shell code
|
||||
scs = extract_shellcode(stream)
|
||||
i = 0
|
||||
for sc in scs:
|
||||
i += 1
|
||||
ret.append([id, ver, i, sc])
|
||||
|
||||
# find all embedded JS
|
||||
r = find_embedded_js(buf)
|
||||
if r:
|
||||
ret.extend(r)
|
||||
|
||||
return ret
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def accept_file(li, filename):
|
||||
"""
|
||||
Check if the file is of supported format
|
||||
|
||||
@param li: a file-like object which can be used to access the input data
|
||||
@param filename: name of the file, if it is an archive member name then the actual file doesn't exist
|
||||
@return: 0 - no more supported formats
|
||||
string "name" - format name to display in the chooser dialog
|
||||
dictionary { 'format': "name", 'options': integer }
|
||||
options: should be 1, possibly ORed with ACCEPT_FIRST (0x8000)
|
||||
to indicate preferred format
|
||||
"""
|
||||
|
||||
# we support only one format per file
|
||||
li.seek(0)
|
||||
if li.read(5) != b'%PDF-':
|
||||
return 0
|
||||
|
||||
buf = read_whole_file(li)
|
||||
r = extract_pdf_shellcode(buf)
|
||||
if not r:
|
||||
return 0
|
||||
|
||||
return {'format': 'PDF with shellcode', 'processor': 'metapc'}
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def load_file(li, neflags, format):
|
||||
|
||||
"""
|
||||
Load the file into database
|
||||
|
||||
@param li: a file-like object which can be used to access the input data
|
||||
@param neflags: options selected by the user, see loader.hpp
|
||||
@return: 0-failure, 1-ok
|
||||
"""
|
||||
|
||||
# Select the PC processor module
|
||||
idaapi.set_processor_type("metapc", ida_idp.SETPROC_LOADER)
|
||||
|
||||
buf = read_whole_file(li)
|
||||
r = extract_pdf_shellcode(buf)
|
||||
if not r:
|
||||
return 0
|
||||
|
||||
# Load all shellcode into different segments
|
||||
start = 0x10000
|
||||
seg = idaapi.segment_t()
|
||||
for id, ver, n, sc in r:
|
||||
size = len(sc)
|
||||
end = start + size
|
||||
|
||||
# Create the segment
|
||||
seg.start_ea = start
|
||||
seg.end_ea = end
|
||||
seg.bitness = 1 # 32-bit
|
||||
idaapi.add_segm_ex(seg, "obj_%d_%d_%d" % (id, ver, n), "CODE", 0)
|
||||
|
||||
# Copy the bytes
|
||||
idaapi.mem2base(sc, start, end)
|
||||
|
||||
# Mark for analysis
|
||||
idc.AutoMark(start, idc.AU_CODE)
|
||||
|
||||
# Compute next loading address
|
||||
start = ((end // 0x1000) + 1) * 0x1000
|
||||
|
||||
# Select the bochs debugger
|
||||
idc.load_debugger("bochs", 0)
|
||||
|
||||
return 1
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def test1(sample = SAMPLE1):
|
||||
# open the file
|
||||
f = file(sample, 'rb')
|
||||
buf = f.read()
|
||||
f.close()
|
||||
|
||||
# find all JS stream references
|
||||
r = find_js_ref_streams(buf)
|
||||
if not r:
|
||||
return
|
||||
|
||||
for id, ver in r:
|
||||
obj = find_obj(buf, id, ver)
|
||||
|
||||
# extract the JS stream object
|
||||
f = file('obj_%d_%d.bin' % (id, ver), 'wb')
|
||||
f.write(obj)
|
||||
f.close()
|
||||
|
||||
# decode the stream
|
||||
stream = decompress_stream(obj)
|
||||
f = file('dec_%d_%d.bin' % (id, ver), 'wb')
|
||||
f.write(stream)
|
||||
f.close()
|
||||
|
||||
# extract shell code
|
||||
scs = extract_shellcode(stream)
|
||||
i = 0
|
||||
for sc in scs:
|
||||
i += 1
|
||||
f = file('sh_%d_%d_%d.bin' % (id, ver, i), 'wb')
|
||||
f.write(sc)
|
||||
f.close()
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def test2(sample = SAMPLE1):
|
||||
# open the file
|
||||
f = file(sample, 'rb')
|
||||
buf = f.read()
|
||||
f.close()
|
||||
|
||||
r = extract_pdf_shellcode(buf)
|
||||
for id, ver, n, sc in r:
|
||||
print("sc %d.%d[%d]=%d" % (id, ver, n, len(sc)))
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def test3(sample = SAMPLE2):
|
||||
# open the file
|
||||
f = file(sample, 'rb')
|
||||
buf = f.read()
|
||||
f.close()
|
||||
t = find_embedded_js(buf)
|
||||
print(t)
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def main():
|
||||
test1(SAMPLE1)
|
||||
|
||||
if not ida:
|
||||
main()
|
||||
218
idasdk76/ldr/script_ldrs/uimage.py
Normal file
218
idasdk76/ldr/script_ldrs/uimage.py
Normal file
@@ -0,0 +1,218 @@
|
||||
# a file loader for U-Boot "uImage" flash images
|
||||
# Copyright (c) 2011-2021 Hex-Rays
|
||||
# ALL RIGHTS RESERVED.
|
||||
|
||||
import idaapi
|
||||
import idc
|
||||
import zlib
|
||||
import ida_idp
|
||||
import ida_typeinf
|
||||
|
||||
IH_TYPE_INVALID = 0 # /* Invalid Image */
|
||||
IH_TYPE_STANDALONE = 1 # /* Standalone Program */
|
||||
IH_TYPE_KERNEL = 2 # /* OS Kernel Image */
|
||||
IH_TYPE_RAMDISK = 3 # /* RAMDisk Image */
|
||||
IH_TYPE_MULTI = 4 # /* Multi-File Image */
|
||||
IH_TYPE_FIRMWARE = 5 # /* Firmware Image */
|
||||
IH_TYPE_SCRIPT = 6 # /* Script file */
|
||||
IH_TYPE_FILESYSTEM = 7 # /* Filesystem Image (any type) */
|
||||
|
||||
ImageTypeNames = [ "Invalid", "Standalone Program", "OS Kernel", "RAMDisk",
|
||||
"Multi-File", "Firmware", "Script file", "Filesystem" ]
|
||||
|
||||
IH_ARCH_INVALID = 0 # /* Invalid CPU */
|
||||
IH_ARCH_ALPHA = 1 # /* Alpha */
|
||||
IH_ARCH_ARM = 2 # /* ARM */
|
||||
IH_ARCH_I386 = 3 # /* Intel x86 */
|
||||
IH_ARCH_IA64 = 4 # /* IA64 */
|
||||
IH_ARCH_MIPS = 5 # /* MIPS */
|
||||
IH_ARCH_MIPS64 = 6 # /* MIPS 64 Bit */
|
||||
IH_ARCH_PPC = 7 # /* PowerPC */
|
||||
IH_ARCH_S390 = 8 # /* IBM S390 */
|
||||
IH_ARCH_SH = 9 # /* SuperH */
|
||||
IH_ARCH_SPARC = 10 # /* Sparc */
|
||||
IH_ARCH_SPARC64 = 11 # /* Sparc 64 Bit */
|
||||
IH_ARCH_M68K = 12 # /* M68K */
|
||||
IH_ARCH_NIOS = 13 # /* Nios-32 */
|
||||
IH_ARCH_MICROBLAZE = 14 # /* MicroBlaze */
|
||||
IH_ARCH_NIOS2 = 15 # /* Nios-II */
|
||||
IH_ARCH_BLACKFIN = 16 # /* */
|
||||
IH_ARCH_AVR32 = 17 # /* */
|
||||
IH_ARCH_ST200 = 18 # /* */
|
||||
IH_ARCH_SANDBOX = 19 # /* */
|
||||
IH_ARCH_NDS32 = 20 # /* */
|
||||
IH_ARCH_OPENRISC = 21 # /* */
|
||||
IH_ARCH_ARM64 = 22 # /* */
|
||||
IH_ARCH_ARC = 23 # /* */
|
||||
|
||||
CPUNames = [ "Invalid", "Alpha", "ARM", "x86", "IA64", "MIPS", "MIPS64", "PowerPC",
|
||||
"IBM S390", "SuperH", "Sparc", "Sparc64", "M68K", "Nios-32", "MicroBlaze", "Nios-II",
|
||||
"Blackfin", "AVR32", "ST200","Sandbox","NDS32", "OpenRISC", "ARM64", "ARC" ]
|
||||
|
||||
IDACPUNames = { IH_ARCH_ALPHA: "alphab",
|
||||
IH_ARCH_ARM:"ARM",
|
||||
IH_ARCH_I386: "metapc",
|
||||
IH_ARCH_IA64: "ia64b",
|
||||
IH_ARCH_MIPS:"mipsl",
|
||||
IH_ARCH_MIPS64:"mipsl",
|
||||
IH_ARCH_PPC: "ppc",
|
||||
IH_ARCH_SH: "SH4",
|
||||
IH_ARCH_SPARC: "sparcb",
|
||||
IH_ARCH_SPARC64:"sparcb",
|
||||
IH_ARCH_M68K:"68K",
|
||||
IH_ARCH_ARM64:"ARM",
|
||||
IH_ARCH_ARC: "arcmpct" }
|
||||
|
||||
IDAABINames = { IH_ARCH_MIPS:"n32",
|
||||
IH_ARCH_MIPS64:"n64" }
|
||||
|
||||
IH_COMP_NONE = 0 # /* No Compression Used */
|
||||
IH_COMP_GZIP = 1 # /* gzip Compression Used */
|
||||
IH_COMP_BZIP2 = 2 # /* bzip2 Compression Used */
|
||||
IH_COMP_LZMA = 3 # /* lzma Compression Used */
|
||||
IH_COMP_LZO = 4 # /* lzo Compression Used */
|
||||
CompTypeNames = [ "", "gzip", "bzip2", "lzma", "lzo" ]
|
||||
|
||||
IH_MAGIC = 0x27051956 # Image Magic Number
|
||||
IH_NMLEN = 32 # Image Name Length
|
||||
|
||||
import ctypes
|
||||
|
||||
uint8_t = ctypes.c_byte
|
||||
uint32_t = ctypes.c_uint
|
||||
|
||||
class image_header(ctypes.BigEndianStructure):
|
||||
_fields_ = [
|
||||
("ih_magic", uint32_t), # Image Header Magic Number
|
||||
("ih_hcrc", uint32_t), # Image Header CRC Checksum
|
||||
("ih_time", uint32_t), # Image Creation Timestamp
|
||||
("ih_size", uint32_t), # Image Data Size
|
||||
("ih_load", uint32_t), # Data Load Address
|
||||
("ih_ep", uint32_t), # Entry Point Address
|
||||
("ih_dcrc", uint32_t), # Image Data CRC Checksum
|
||||
("ih_os", uint8_t), # Operating System
|
||||
("ih_arch", uint8_t), # CPU architecture
|
||||
("ih_type", uint8_t), # Image Type
|
||||
("ih_comp", uint8_t), # Compression Type
|
||||
("ih_name", uint8_t * IH_NMLEN), # Image Name
|
||||
]
|
||||
RomFormatName = "U-Boot image"
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def dwordAt(li, off):
|
||||
li.seek(off)
|
||||
s = li.read(4)
|
||||
if len(s) < 4:
|
||||
return 0
|
||||
return struct.unpack('<I', s)[0]
|
||||
|
||||
def read_struct(li, struct):
|
||||
s = struct()
|
||||
s.ih_magic = 0
|
||||
slen = ctypes.sizeof(s)
|
||||
if li.size() >= slen:
|
||||
bytes = li.read(slen)
|
||||
fit = min(len(bytes), slen)
|
||||
ctypes.memmove(ctypes.addressof(s), bytes, fit)
|
||||
return s
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def accept_file(li, filename):
|
||||
"""
|
||||
Check if the file is of supported format
|
||||
|
||||
@param li: a file-like object which can be used to access the input data
|
||||
@param filename: name of the file, if it is an archive member name then the actual file doesn't exist
|
||||
@return: 0 - no more supported formats
|
||||
string "name" - format name to display in the chooser dialog
|
||||
dictionary { 'format': "name", 'options': integer }
|
||||
options: should be 1, possibly ORed with ACCEPT_FIRST (0x8000)
|
||||
to indicate preferred format
|
||||
"""
|
||||
|
||||
header = read_struct(li, image_header)
|
||||
# check the signature
|
||||
if header.ih_magic == IH_MAGIC:
|
||||
# accept the file
|
||||
t = header.ih_type
|
||||
c = header.ih_arch
|
||||
if t >= len(ImageTypeNames):
|
||||
t = "unknown type(%d)" % t
|
||||
else:
|
||||
t = ImageTypeNames[t]
|
||||
|
||||
if c >= len(CPUNames):
|
||||
cname = "unknown CPU(%d)" % c
|
||||
else:
|
||||
cname = CPUNames[c]
|
||||
|
||||
fmt = "%s (%s for %s)" % (RomFormatName, t, cname)
|
||||
comp = header.ih_comp
|
||||
if comp != IH_COMP_NONE:
|
||||
if comp >= len (CompTypeNames):
|
||||
cmpname = "unknown compression(%d)"
|
||||
else:
|
||||
cmpname = "%s compressed" % CompTypeNames[comp]
|
||||
fmt += " [%s]" % cmpname
|
||||
|
||||
proc = ''
|
||||
if c in IDACPUNames:
|
||||
proc = IDACPUNames[c]
|
||||
|
||||
return {'format': fmt, 'processor': proc}
|
||||
|
||||
# unrecognized format
|
||||
return 0
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def load_file(li, neflags, format):
|
||||
|
||||
"""
|
||||
Load the file into database
|
||||
|
||||
@param li: a file-like object which can be used to access the input data
|
||||
@param neflags: options selected by the user, see loader.hpp
|
||||
@return: 0-failure, 1-ok
|
||||
"""
|
||||
|
||||
if format.startswith(RomFormatName):
|
||||
li.seek(0)
|
||||
header = read_struct(li, image_header)
|
||||
c = header.ih_arch
|
||||
cname = IDACPUNames.get(c)
|
||||
if not cname:
|
||||
idc.warning("Unsupported CPU")
|
||||
#return
|
||||
|
||||
if not header.ih_comp in (IH_COMP_NONE, IH_COMP_GZIP):
|
||||
idc.warning("Can only handle uncompressed or gzip-compressed images")
|
||||
return
|
||||
|
||||
if cname:
|
||||
idaapi.set_processor_type(cname, ida_idp.SETPROC_LOADER)
|
||||
|
||||
idc.AddSeg(header.ih_load, header.ih_load + header.ih_size, 0, 1, idaapi.saRelPara, idaapi.scPub)
|
||||
|
||||
# copy bytes to the database
|
||||
|
||||
if header.ih_comp == IH_COMP_NONE:
|
||||
li.file2base(ctypes.sizeof(header), header.ih_load, header.ih_load + header.ih_size, 0)
|
||||
else:
|
||||
cdata = li.read(header.ih_size)
|
||||
d = zlib.decompressobj(zlib.MAX_WBITS|32)
|
||||
udata = d.decompress(cdata)
|
||||
udata += d.flush()
|
||||
# expand segment to fit uncompressed data
|
||||
idc.set_segment_bounds(header.ih_load, header.ih_load, header.ih_load+len(udata), idc.SEGMOD_KEEP)
|
||||
idaapi.put_bytes(header.ih_load, udata)
|
||||
|
||||
if cname == "ARM" and (header.ih_ep & 1) != 0:
|
||||
# Thumb entry point
|
||||
header.ih_ep -= 1
|
||||
split_sreg_range(header.ih_ep, "T", 1)
|
||||
idaapi.add_entry(header.ih_ep, header.ih_ep, "start", 1)
|
||||
aname = IDAABINames.get(header.ih_arch)
|
||||
if aname:
|
||||
ida_typeinf.set_abi_name(aname)
|
||||
print("Load OK")
|
||||
return 1
|
||||
119
idasdk76/ldr/script_ldrs/wince.py
Normal file
119
idasdk76/ldr/script_ldrs/wince.py
Normal file
@@ -0,0 +1,119 @@
|
||||
# an example of a file loader in Python
|
||||
# The scripting loader must define at least two functions: accept_file and load_file
|
||||
# other optional functions are: save_file, move_segm, ...
|
||||
#
|
||||
# see also loader.hpp
|
||||
|
||||
import idaapi
|
||||
import ida_idp
|
||||
import idc
|
||||
import struct
|
||||
|
||||
ROM_SIGNATURE_OFFSET = 64
|
||||
ROM_SIGNATURE = "ECEC"
|
||||
RomFormatName = "Windows CE ROM"
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def dwordAt(li, off):
|
||||
li.seek(off)
|
||||
s = li.read(4)
|
||||
if len(s) < 4:
|
||||
return 0
|
||||
return struct.unpack('<I', s)[0]
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def guess_processor(li):
|
||||
jump = dwordAt(li, 0)
|
||||
if jump & 0xFF000000 == 0xEA000000: # looks like an ARM branch?
|
||||
return "arm"
|
||||
else:
|
||||
return "metapc"
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def accept_file(li, filename):
|
||||
"""
|
||||
Check if the file is of supported format
|
||||
|
||||
@param li: a file-like object which can be used to access the input data
|
||||
@param filename: name of the file, if it is an archive member name then the actual file doesn't exist
|
||||
@return: 0 - no more supported formats
|
||||
string "name" - format name to display in the chooser dialog
|
||||
dictionary { 'format': "name", 'options': integer }
|
||||
options: should be 1, possibly ORed with ACCEPT_FIRST (0x8000)
|
||||
to indicate preferred format
|
||||
"""
|
||||
|
||||
# check the CECE signature
|
||||
li.seek(ROM_SIGNATURE_OFFSET)
|
||||
if li.read(4) == ROM_SIGNATURE:
|
||||
# accept the file
|
||||
proc = guess_processor(li)
|
||||
return {'format': RomFormatName, 'processor': proc}
|
||||
|
||||
# unrecognized format
|
||||
return 0
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def load_file(li, neflags, format):
|
||||
|
||||
"""
|
||||
Load the file into database
|
||||
|
||||
@param li: a file-like object which can be used to access the input data
|
||||
@param neflags: options selected by the user, see loader.hpp
|
||||
@return: 0-failure, 1-ok
|
||||
"""
|
||||
|
||||
if format == RomFormatName:
|
||||
proc = guess_processor(li)
|
||||
idaapi.set_processor_type(proc, ida_idp.SETPROC_LOADER)
|
||||
|
||||
li.seek(0, idaapi.SEEK_END)
|
||||
size = li.tell()
|
||||
|
||||
#next dword after signature is a pointer to ROMHDR
|
||||
romhdr = dwordAt(li, ROM_SIGNATURE_OFFSET + 4)
|
||||
|
||||
# let's try to find such imagebase that potential ROMHDR's "physfirst" value matches it
|
||||
imgbase = (romhdr-size) & ~0xfff
|
||||
bases = []
|
||||
maxbase = 0
|
||||
while imgbase < romhdr+8:
|
||||
physfirst = dwordAt(li, romhdr - imgbase + 8)
|
||||
if physfirst == imgbase:
|
||||
bases.append(imgbase)
|
||||
imgbase += 0x1000
|
||||
|
||||
if len(bases) == 1:
|
||||
start = bases[0]
|
||||
elif len(bases) > 1:
|
||||
print("warning: several potential imagebases detemined: " + ", ".join("%08X"%i for i in bases))
|
||||
start = bases[-1]
|
||||
else:
|
||||
warning("Unable to determine load image base.")
|
||||
start = 0x80000000
|
||||
print("Using imagebase %08X" % start)
|
||||
|
||||
physlast = dwordAt(li, romhdr - start + 12)
|
||||
if physlast <= start:
|
||||
warning("Internal error")
|
||||
return 0
|
||||
size = physlast - start
|
||||
|
||||
idc.AddSeg(start, start+size, 0, 1, idaapi.saRelPara, idaapi.scPub)
|
||||
|
||||
# copy bytes to the database
|
||||
li.seek(0)
|
||||
li.file2base(0, start, start+size, 0)
|
||||
|
||||
idaapi.add_entry(start, start, "start", 1)
|
||||
print("Load OK")
|
||||
return 1
|
||||
|
||||
idc.warning("Unknown format name: '%s'" % format)
|
||||
return 0
|
||||
|
||||
# -----------------------------------------------------------------------
|
||||
def move_segm(frm, to, sz, fileformatname):
|
||||
idc.warning("move_segm(from=%s, to=%s, sz=%d, formatname=%s" % (hex(frm), hex(to), sz, fileformatname))
|
||||
return 0
|
||||
Reference in New Issue
Block a user