IDA pro disassembler and debugger

From PS3 Developer wiki
Latest revision as of 14:38, 22 May 2024

Many of you might work for a company or university that has access to IDA Pro, or maybe you just downloaded the free version from the IDA homepage (http://www.hex-rays.com/idapro/idadown.htm) and need some help getting started.

Extra tools

First you should get all the tools you can to make your life easier.

The following tools are recommended:

Essential

  • Plugins
    • PPCJT
    • SPU - To be able to disassemble SPU code
  • IDC scripts

All this can be found here:

Main branch: https://github.com/kakaroto/ps3ida // https://github.com/kakaroto/ps3ida/zipball/master (backup: kakaroto-ps3ida-a6e7f17.zip (199.91 KB), http://www.mirrorcreator.com/files/N0WYVWG0/kakaroto-ps3ida-a6e7f17.zip_links)

mirror/old (dead links): http://git-hacks.com/ps3free/ps3ida http://git-hacks.com/~psicoleo/ps3free/psicoleos-ps3ida

optimized scripts: http://rghost.net/46957385

  • PPCJT plugin v0.3 changelog:
    • Fixed a bug causing a crash in IDA Pro 6.1 ("oops! internal error 189")
    • Fixed a memory leak
    • Added several new structures for constructing jump tables

The plugin was tested on the eboot.bin from F.E.A.R. 2: it found and successfully created 137 jump tables.

Source code and precompiled plugins: http://www.ps3hax.net/attachment.php?attachmentid=3039&d=1376890580 (attachment found on the ps3hax forum; it may need to be rehosted)

Mirror (dead link): http://akitel.com/download/ppcjt.rar

Fixed downloads for PPCJT v0.3:
  • http://web.archive.org/web/20120512013125/http://akitel.com/download/ppcjt.rar
  • http://playstation.lukeeey.tk/static/ppcjt.rar

Optional

  • ppchelper // http://www.hex-rays.com/contest2009/PPCHelper/ppchelper.zip
  • ppc2c // http://www.hex-rays.com/contest2009/PPC2C/ppc2c.zip
  • pypyc2c - improved ppc2c ported to IDAPython (IDA 7.4+, Python 3) // https://github.com/Goatman13/pypyc2c
  • spu2c - ppc2c-inspired SPU plugin (IDA 7.4+, Python 3) // https://github.com/Goatman13/spu2c
  • altivec2c - ppc2c-inspired AltiVec plugin (IDA 7.4+, Python 3) // https://github.com/Goatman13/altivec2c
  • xorloser's PS3 Loaders // http://rghost.net/46524423
  • xorloser's PPCAltivec plugin (not required since IDA 6.1+) // http://xorloser.com/blog/wp-content/uploads/2009/05/ppcaltivec-plugin-for-ida-v52.rar (reupload)
  • xorloser's ps3.xml (updated lv2 syscalls + sysmodules): see the Ps3.xml wiki page
  • ida-spu http://code.google.com/p/ida-spu/ // spu_processor_module_1.2.1.zip (114.25 KB), http://www.multiupload.com/28N7UHCG8J
  • more exports for fnids.idh: see the Fnids.idh wiki page
  • updated syscall_names.idh (reupload) // https://github.com/kakaroto/ps3ida/blob/master/syscall_names.idh

Compiling the tools

Many of the tools are open source. The IDC scripts do not have to be compiled, but the plugins must be.

To compile the latest plugins you will need Visual Studio and the IDA SDK.

The code itself should compile correctly, but there are many options that are specific to your PC. In Visual Studio you have to set the paths to where you have the SDK installed, and so on.

You will see there are options for 32-bit and 64-bit builds, and for debug and release configurations.

You can search for instructions on this: compile a "hello world" plugin for IDA first, and then try to compile these.

If you want the latest version of the jump table plugin, you can use this precompiled build: http://www.multiupload.com/07RP8RSDF3

Continuing your or someone else's work in another database

You might stumble upon someone's IDA database and want to continue their work. Or you found a great new plugin/script that makes everything easier, but you don't want to lose your work.

Continuing graf_chokolo's work

As an example I will take the ELF that runs in process 6 (the one that deals with the QA flag, dongle auth, etc.).

You might find some "cool stuff" in it, but IDA does not find the xrefs and the file is only partially analyzed.

Isolate what you want to copy

1. Identify what you want to extract from that database, in this case:

  • comments
  • function names

2. Produce the IDC export (File -> Database to IDC).

Assuming you produced a file named DATABASE.IDC:

This file contains everything they have done to their database. We only want their function renames and comments, so on Linux we run:

grep "MakeComm" DATABASE.IDC
grep "MakeName" DATABASE.IDC

Copy these lines to another file, for example COMMANDS.TXT.

Create your own database

Extract the same ELF from lv1.self (the ELF we are using as an example is embedded in lv1: look for ELF header matches and extract that ELF with a hex editor).

1. Load the ELF you want (the one that runs in process 6), with the auto-analysis option disabled.

I built a script that does a good analysis of it and of most of the embedded ELFs:

analize_lv1_embedded_elf.idc

This script only works if you have an ELF with all its segments properly named (like the ones embedded in lv1).

2. Run the script

3. Enable auto-analysis

Merge the databases

1. Paste the commands you copied into COMMANDS.TXT into the IDC window (or create an IDC script out of them)

2. Run the script

3. Profit
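The grep-and-paste procedure above, as an added Python example that is not part of the wiki: it filters an IDC database dump down to the analyst's renames and comments and wraps them in a main() so the result can be run as an IDC script in the fresh database. It goes a little beyond the page's two greps by also keeping MakeRptCmt (repeatable comments) and by dropping IDA's auto-generated sub_/loc_ names, which would otherwise overwrite what the new analysis derived; SAMPLE_IDC_DUMP is a constructed excerpt, not a real export.

```python
# Added example: turn an IDA "Database to IDC" dump into a minimal IDC script
# carrying only the analyst's names and comments. Not the wiki's own code.
import re

# Constructed sample of what such a dump contains (not a real export).
SAMPLE_IDC_DUMP = r'''
static Segments(void) {
    SegCreate(0X8000,0X12000,0X0,1,1,2);
    SetSegmentType(0X8000,2);
}
static Functions_0(void) {
    MakeFunction    (0x00008000,0x000080a4);
    MakeName        (0x00008000, "check_qa_flag");
    MakeComm        (0x00008010, "loads QA token from eeprom");
    MakeRptCmt      (0x00008020, "dongle auth path");
    MakeName        (0x000080b0, "sub_80B0");
    MakeUnkn        (0x00009000, 0);
}
'''

# Statements that carry the analyst's own work; segments, MakeFunction and the
# like are regenerated by auto-analysis in the new database.
STMT_RE = re.compile(
    r'^\s*(MakeName|MakeComm|MakeRptCmt)\s*\(\s*(0[xX][0-9a-fA-F]+)\s*,\s*'
    r'"((?:[^"\\]|\\.)*)"\s*\)\s*;\s*$')
# IDA's default auto-generated names: not worth carrying over.
AUTO_NAME_RE = re.compile(r'^(sub|loc|off|unk|byte|word|dword|qword)_[0-9A-Fa-f]+$')

def extract_commands(dump_text):
    """Return (function, address, text) tuples for rename/comment statements."""
    found = []
    for line in dump_text.splitlines():
        m = STMT_RE.match(line)
        if not m:
            continue
        func, addr, text = m.group(1), int(m.group(2), 16), m.group(3)
        if func == "MakeName" and AUTO_NAME_RE.match(text):
            continue
        found.append((func, addr, text))
    return found

def build_idc_script(commands):
    """Wrap the statements in main() so the file runs via File -> Script file."""
    body = "\n".join('  %s(0x%X, "%s");' % (func, addr, text)
                     for func, addr, text in commands)
    return "#include <idc.idc>\n\nstatic main(void)\n{\n%s\n}\n" % body

if __name__ == "__main__":
    print(build_idc_script(extract_commands(SAMPLE_IDC_DUMP)))
```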

deci3dbg - Ida Pro debugger module for Playstation 3

[Screenshot: deci3dbg]

Source: http://oct0xor.github.io/2014/05/30/deci3dbg/

Whoever has debugged on the Playstation 3 knows that there is only one debugger available - SN Systems ProDG. It has some nice features (that I even miss in other debuggers) but overall... it's not that good. There also was a gdb client, but it was pulled around the 1.xx SDK (the specification changed, there is no more step cmd, etc). So after some time that I spent with ProDG I realized that it just doesn't work for me, and decided to get a host debugger to communicate with Ida. It would allow me to use all those nice features like scripts, plugins, tracing, leaving comments in place, and the interface and hotkeys which I have gotten used to over the years.

Okay, I hear some of you asking why I made an Ida module and not some kind of gdb proxy instead; the reasons are simple:

  • I already had experience making gdb proxies and hosts, but no experience making Ida debugger modules (actually, not many people have done this)
  • Ida's gdb client is not open source
  • The ppc stub is buggy in 6.1. I do own the latest build of Ida Pro, but let's be honest here, most don't. So I was writing this code around this version of Ida. Needless to say, Ida Pro 6.5 is backward compatible with 6.1, and even a debugger module compiled with idasdk61 works just fine (much better) with 6.5.

So I did it, and it works pretty well. I was testing it for months, catching bugs. I last fixed some remaining bugs around half a year ago, so it should be much better, but I have not used it much since then.

Features

  • PPU debugging
  • General and Float registers
  • Exceptions, Breakpoints, Step thru code
  • Hardware breakpoints (DABR)
  • Threads and Modules
  • Read/Write memory
  • Works with official Sony's Reference Tools and Debug Stations (DECR/DECH)
  • Also works with custom firmwares

Notes

It uses ProDG's TMAPI for communication with the PS3 over the deci3 protocol. It's pretty good, and even though the deci3 specification docs are leaked, it saved a lot of time. Therefore, it supports only the Windows platform.

Compilation

Copy the contents of "C:\Program Files (x86)\SN Systems\PS3\sdk" from your ProDG installation to the project folder.

Installation

Copy deci3dbg.plw and deci3dbg.p64 to the plugins folder inside your Ida Pro installation.

How to use

  1. Load the PPC binary in Ida Pro
  2. Debugger -> Select debugger... -> DECI3 debugger plugin
  3. Debugger -> Attach to process...
  4. Select the target and press OK (the target may be shown as 'disconnected'; this is a TMAPI bug)
  5. Select the process

https://github.com/oct0xor/deci3dbg / https://github.com/oct0xor/deci3dbg/tree/master/build

Recommended IDA references

  • The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler, by Chris Eagle / August 2008, 640 pp., $59.95 / ISBN-10 1-59327-178-6 / ISBN-13 978-1-59327-178-7 / http://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/dp/1593271786/ref=sr_1_1?ie=UTF8&qid=1328764116&sr=8-1

Scripts

vmlinux kallsyms

This kallsyms.py script resolves all kallsyms symbols from the kernel image at \opt\ibm\systemsim-cell\images\cell\vmlinux (the IBM Full-System Simulator for the Cell BE). It is an IDAPython script and runs inside IDA with the vmlinux loaded; the table addresses at the bottom are specific to that image.

# Linux kernel kallsyms unpacker
# Version 0.1ps3
# Copyright (c) 2010 Igor Skochinsky
#
# This software is provided 'as-is', without any express or implied
# warranty. In no event will the authors be held liable for any damages
# arising from the use of this software.
#
# Permission is granted to anyone to use this software for any purpose,
# including commercial applications, and to alter it and redistribute it
# freely, subject to the following restrictions:
#
#    1. The origin of this software must not be misrepresented; you must not
#    claim that you wrote the original software. If you use this software
#    in a product, an acknowledgment in the product documentation would be
#    appreciated but is not required.
#
#    2. Altered source versions must be plainly marked as such, and must not be
#    misrepresented as being the original software.
#
#    3. This notice may not be removed or altered from any source
#    distribution.
#
#
# * IBM Full-System Simulator for the CBE Processor vmlinux support added by mysis
#
# IDAPython script written against the pre-7.0 IDC-style API (LocByName, Qword,
# MakeNameEx, ...). Run it inside IDA (File -> Script file) with the vmlinux loaded.

from idc import *

def do_kallsyms(do_rename, do_dump):
  # The five kallsyms tables are located by the names assigned at the bottom
  # of this script.
  token_idxs = LocByName("kallsyms_token_index")
  tokens = LocByName("kallsyms_token_table")
  names = LocByName("kallsyms_names")
  addrs = LocByName("kallsyms_addresses")
  namecnt = LocByName("kallsyms_num_syms")
  if namecnt == BADADDR:
    Warning("kallsyms_num_syms is not defined!")
    return
  # 64-bit kernel: the symbol count is a qword (Dword() on 32-bit kernels).
  namecnt = Qword(namecnt)
  if tokens == BADADDR:
    Warning("kallsyms_token_table is not defined!")
    return
  if token_idxs == BADADDR:
    Warning("kallsyms_token_index is not defined!")
    return
  if names == BADADDR:
    Warning("kallsyms_names is not defined!")
    return
  if addrs == BADADDR:
    Warning("kallsyms_addresses is not defined!")
    return

  # Expand the 256-entry token table: kallsyms_token_index holds a 16-bit
  # offset into kallsyms_token_table for every possible byte value.
  tokentbl = []
  for i in range(256):
    idx = Word(token_idxs + i*2)
    token = GetString(tokens + idx, -1, 0)
    if token is None:
      token = ""
    tokentbl.append(token)

  dump = None
  if do_dump:
    dump = open("ksym", "w")
  for i in range(namecnt):
    # Each compressed name is a length byte followed by that many token indices.
    nlen = Byte(names)
    names += 1
    name = ""
    while nlen > 0:
      j = Byte(names)
      name += tokentbl[j]
      names += 1
      nlen -= 1
    print("Name %d: %s" % (i, name))
    # The first character of the expanded name is the symbol type (t, T, d, ...);
    # the rest is the symbol name.
    addr = Qword(addrs + i*8)
    if dump:
      dump.write("%08X %s %s\n" % (addr, name[0], name[1:]))
    # Names containing '.' (e.g. the PPC64 '.func' code-entry symbols) are
    # skipped; code entry points are named through their descriptors below.
    if do_rename and name.find(".") == -1:
      print("%08X: %s" % (addr, name[1:]))
      if isTail(GetFlags(addr)):
        MakeUnkn(addr, DOUNK_SIMPLE)
      # If the qword stored at addr points into one of the kernel's code ranges
      # (bounds specific to this vmlinux image), addr is a PPC64 function
      # descriptor (.opd entry): name the code entry it refers to instead.
      target = Qword(addr)
      if (0xC000000000000000 < target < 0xC0000000004ACA6C) or \
         (0xC000000000660000 < target < 0xC0000000006A3D40):
        MakeNameEx(target, name[1:], SN_NOWARN)
      else:
        MakeNameEx(addr, name[1:], SN_NOWARN)
  if dump:
    dump.close()

# You will need to find the kallsyms_num_syms value in the kernel image and the
# other tables named below (consult kallsyms.c in the kernel sources). After
# that the script can parse the tables and create the symbol list.
# The addresses below are for the systemsim-cell vmlinux mentioned above.

a = 0xC000000000545600
MakeName(a, "kallsyms_num_syms")
n = Qword(a)
# kallsyms_addresses (n qwords) directly precedes kallsyms_num_syms; the
# start of the table is aligned down to a 256-byte boundary.
b = (a - n*8) & ~0xFF
MakeName(b, "kallsyms_addresses")
MakeName(0xC000000000545700, "kallsyms_names")
MakeName(0xC0000000005C8600, "kallsyms_token_table")
MakeName(0xC0000000005C8A00, "kallsyms_token_index")
do_kallsyms(True, True)
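To show the table layout the script above walks without needing IDA, here is an added stand-alone Python decoder (not the wiki's script, and not from its authors): it builds a constructed big-endian kallsyms image (addresses, num_syms, compressed names, token table, token index) with a few made-up symbols and then decodes it the same way do_kallsyms() does. KERNEL_BASE, MULTI_TOKENS and SAMPLE_SYMBOLS are constructed values, not taken from any real vmlinux.

```python
# Added example: offline model of the kallsyms tables parsed by the IDA script.
import struct

KERNEL_BASE = 0xC000000000000000  # constructed PPC64 kernel VA base

# Token slots are byte values 0..255: printable ASCII slots hold their own
# character; a few control-range slots hold multi-character tokens (constructed).
MULTI_TOKENS = {0x01: "sys_", 0x02: "_init", 0x03: "kallsyms_"}

def build_token_table():
    """Return (kallsyms_token_table, kallsyms_token_index) as bytes."""
    slots = [chr(b) if 0x20 <= b < 0x7F else "" for b in range(256)]
    for b, tok in MULTI_TOKENS.items():
        slots[b] = tok
    table, index = b"", []
    for tok in slots:
        index.append(len(table))          # uint16 offset into the token table
        table += tok.encode("ascii") + b"\0"
    return table, struct.pack(">256H", *index)

def compress_name(name):
    """Length byte + token indices; greedy, preferring multi-char tokens."""
    out, i = bytearray(), 0
    while i < len(name):
        for b, tok in MULTI_TOKENS.items():
            if name.startswith(tok, i):
                out.append(b)
                i += len(tok)
                break
        else:
            out.append(ord(name[i]))
            i += 1
    return bytes([len(out)]) + bytes(out)

def build_image(symbols):
    """Lay the five tables out back to back; return (image, {label: offset})."""
    token_table, token_index = build_token_table()
    blobs = (("kallsyms_addresses", b"".join(struct.pack(">Q", a) for a, _ in symbols)),
             ("kallsyms_num_syms", struct.pack(">Q", len(symbols))),
             ("kallsyms_names", b"".join(compress_name(n) for _, n in symbols)),
             ("kallsyms_token_table", token_table),
             ("kallsyms_token_index", token_index))
    image, offsets = b"", {}
    for label, blob in blobs:
        offsets[label] = len(image)
        image += blob
    return image, offsets

def decode_kallsyms(image, offsets):
    """Mirror of do_kallsyms(): return [(address, type_char, name), ...]."""
    num = struct.unpack_from(">Q", image, offsets["kallsyms_num_syms"])[0]
    tbl = offsets["kallsyms_token_table"]
    tokens = []
    for off in struct.unpack_from(">256H", image, offsets["kallsyms_token_index"]):
        tokens.append(image[tbl + off:image.index(b"\0", tbl + off)].decode("ascii"))
    result, pos = [], offsets["kallsyms_names"]
    for i in range(num):
        nlen, pos = image[pos], pos + 1
        name = "".join(tokens[image[pos + k]] for k in range(nlen))
        pos += nlen
        addr = struct.unpack_from(">Q", image, offsets["kallsyms_addresses"] + 8 * i)[0]
        result.append((addr, name[0], name[1:]))  # leading char is the symbol type
    return result

SAMPLE_SYMBOLS = [  # constructed (address, type+name) pairs, as kallsyms stores them
    (KERNEL_BASE + 0x8000, "Tsys_open"),
    (KERNEL_BASE + 0x80A0, "tkallsyms_lookup_name"),
    (KERNEL_BASE + 0x9000, "Dsys_call_table"),
    (KERNEL_BASE + 0xA000, "tstart_kernel_init"),
]

if __name__ == "__main__":
    for addr, typ, name in decode_kallsyms(*build_image(SAMPLE_SYMBOLS)):
        print("%016X %s %s" % (addr, typ, name))
```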