Merge pull request #691 from commial/fix/start-ppc

Fix/start ppc
cea-sec · Mar 5, 2018 · 33b13d0 · 33b13d0
2 parents 342614c + a635e3e
commit 33b13d0
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 28 deletions.
diff --git a/example/symbol_exec/dse_crackme.py b/example/symbol_exec/dse_crackme.py
@@ -195,7 +195,7 @@ def xxx___libc_start_main_symb(dse):
     main_addr = dse.eval_expr(regs.RDI)
     argc = dse.eval_expr(regs.RSI)
     argv = dse.eval_expr(regs.RDX)
-    hlt_addr = ExprInt(0x1337beef, 64)
+    hlt_addr = ExprInt(sb.CALL_FINISH_ADDR, 64)
 
     dse.update_state({
         ExprMem(top_stack, 64): hlt_addr,

diff --git a/miasm2/analysis/sandbox.py b/miasm2/analysis/sandbox.py
@@ -284,6 +284,7 @@ def __init__(self, custom_methods, *args, **kwargs):
 
         # Library calls handler
         self.jitter.add_lib_handler(self.libs, methods)
+        linux_stdlib.ABORT_ADDR = self.CALL_FINISH_ADDR
 
         # Arguments
         self.argv = [self.PROGRAM_PATH]
@@ -329,6 +330,7 @@ def __init__(self, custom_methods, *args, **kwargs):
 
         # Library calls handler
         self.jitter.add_lib_handler(libs, methods)
+        linux_stdlib.ABORT_ADDR = self.CALL_FINISH_ADDR
 
         # Arguments
         self.argv = [self.PROGRAM_PATH]
@@ -458,10 +460,10 @@ def __init__(self, *args, **kwargs):
         self.jitter.push_uint32_t(2)
         self.jitter.push_uint32_t(1)
         self.jitter.push_uint32_t(0)
-        self.jitter.push_uint32_t(0x1337beef)
+        self.jitter.push_uint32_t(self.CALL_FINISH_ADDR)
 
         # Set the runtime guard
-        self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+        self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 
     def run(self, addr=None):
         """
@@ -491,10 +493,10 @@ def __init__(self, *args, **kwargs):
             self.jitter.push_uint64_t(0)
 
         # Pre-stack return address
-        self.jitter.push_uint64_t(0x1337beef)
+        self.jitter.push_uint64_t(self.CALL_FINISH_ADDR)
 
         # Set the runtime guard
-        self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+        self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 
     def run(self, addr=None):
         """
@@ -536,7 +538,7 @@ def __init__(self, *args, **kwargs):
                 self.jitter.vm.set_mem(ptr, arg)
                 argv_ptrs.append(ptr)
 
-            self.jitter.push_uint32_t(0x1337beef)
+            self.jitter.push_uint32_t(self.CALL_FINISH_ADDR)
             self.jitter.push_uint32_t(0)
             for ptr in reversed(env_ptrs):
                 self.jitter.push_uint32_t(ptr)
@@ -545,10 +547,10 @@ def __init__(self, *args, **kwargs):
                 self.jitter.push_uint32_t(ptr)
             self.jitter.push_uint32_t(len(self.argv))
         else:
-            self.jitter.push_uint32_t(0x1337beef)
+            self.jitter.push_uint32_t(self.CALL_FINISH_ADDR)
 
         # Set the runtime guard
-        self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+        self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 
     def run(self, addr=None):
         """
@@ -591,7 +593,7 @@ def __init__(self, *args, **kwargs):
                 self.jitter.vm.set_mem(ptr, arg)
                 argv_ptrs.append(ptr)
 
-            self.jitter.push_uint64_t(0x1337beef)
+            self.jitter.push_uint64_t(self.CALL_FINISH_ADDR)
             self.jitter.push_uint64_t(0)
             for ptr in reversed(env_ptrs):
                 self.jitter.push_uint64_t(ptr)
@@ -600,10 +602,10 @@ def __init__(self, *args, **kwargs):
                 self.jitter.push_uint64_t(ptr)
             self.jitter.push_uint64_t(len(self.argv))
         else:
-            self.jitter.push_uint64_t(0x1337beef)
+            self.jitter.push_uint64_t(self.CALL_FINISH_ADDR)
 
         # Set the runtime guard
-        self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+        self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 
     def run(self, addr=None):
         """
@@ -653,10 +655,10 @@ def __init__(self, *args, **kwargs):
                 self.jitter.push_uint32_t(ptr)
             self.jitter.push_uint32_t(len(self.argv))
 
-        self.jitter.cpu.LR = 0x1337beef
+        self.jitter.cpu.LR = self.CALL_FINISH_ADDR
 
         # Set the runtime guard
-        self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+        self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 
     def run(self, addr=None):
         if addr is None and self.options.address is None:
@@ -678,10 +680,10 @@ class Sandbox_Linux_armb_str(Sandbox, Arch_armb, OS_Linux_str):
     def __init__(self, *args, **kwargs):
         Sandbox.__init__(self, *args, **kwargs)
 
-        self.jitter.cpu.LR = 0x1337beef
+        self.jitter.cpu.LR = self.CALL_FINISH_ADDR
 
         # Set the runtime guard
-        self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+        self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 
     def run(self, addr=None):
         if addr is None and self.options.address is not None:
@@ -694,10 +696,10 @@ class Sandbox_Linux_arml_str(Sandbox, Arch_arml, OS_Linux_str):
     def __init__(self, *args, **kwargs):
         Sandbox.__init__(self, *args, **kwargs)
 
-        self.jitter.cpu.LR = 0x1337beef
+        self.jitter.cpu.LR = self.CALL_FINISH_ADDR
 
         # Set the runtime guard
-        self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+        self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 
     def run(self, addr=None):
         if addr is None and self.options.address is not None:
@@ -735,10 +737,10 @@ def __init__(self, *args, **kwargs):
                 self.jitter.push_uint64_t(ptr)
             self.jitter.push_uint64_t(len(self.argv))
 
-        self.jitter.cpu.LR = 0x1337beef
+        self.jitter.cpu.LR = self.CALL_FINISH_ADDR
 
         # Set the runtime guard
-        self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+        self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 
     def run(self, addr=None):
         if addr is None and self.options.address is None:

diff --git a/miasm2/os_dep/linux_stdlib.py b/miasm2/os_dep/linux_stdlib.py
@@ -1,5 +1,6 @@
 #-*- coding:utf-8 -*-
 
+import struct
 from sys import stdout
 from string import printable
 
@@ -31,21 +32,51 @@ def xxx___libc_start_main(jitter):
     Note:
      - init, fini, rtld_fini are ignored
      - return address is forced to ABORT_ADDR, to avoid calling abort/hlt/...
+     - in powerpc, signature is:
+
+    int __libc_start_main (int argc, char **argv, char **ev, ElfW (auxv_t) *
+                       auxvec, void (*rtld_fini) (void), struct startup_info
+                       *stinfo, char **stack_on_entry)
 
     """
     global ABORT_ADDR
-    ret_ad, args = jitter.func_args_systemv(["main", "argc", "ubp_av", "init",
-                                             "fini", "rtld_fini", "stack_end"])
+    if jitter.arch.name == "ppc32":
+        ret_ad, args = jitter.func_args_systemv(
+            ["argc", "argv", "ev", "aux_vec", "rtld_fini", "st_info",
+             "stack_on_entry"]
+        )
+
+        # Mimic glibc implementation
+        if args.stack_on_entry != 0:
+            argc = struct.unpack(">I",
+                                 jitter.vm.get_mem(args.stack_on_entry, 4))[0]
+            argv = args.stack_on_entry + 4
+            envp = argv + ((argc + 1) * 4)
+        else:
+            argc = args.argc
+            argv = args.argv
+            envp = args.ev
+        # sda_base, main, init, fini
+        _, main, _, _ = struct.unpack(">IIII",
+                                      jitter.vm.get_mem(args.st_info, 4 * 4))
+
+    else:
+        ret_ad, args = jitter.func_args_systemv(
+            ["main", "argc", "ubp_av", "init", "fini", "rtld_fini", "stack_end"]
+        )
+
+        main = args.main
+        # done by __libc_init_first
+        size = jitter.ir_arch.pc.size / 8
+        argc = args.argc
+        argv = args.ubp_av
+        envp = argv + (args.argc + 1) * size
 
-    # done by __libc_init_first
-    size = jitter.ir_arch.pc.size / 8
-    argv = args.ubp_av
-    envp = argv + (args.argc + 1) * size
 
     # Call int main(int argc, char** argv, char** envp)
-    jitter.func_ret_systemv(args.main)
+    jitter.func_ret_systemv(main)
     ret_ad = ABORT_ADDR
-    jitter.func_prepare_systemv(ret_ad, args.argc, argv, envp)
+    jitter.func_prepare_systemv(ret_ad, argc, argv, envp)
     return True
 
 

diff --git a/test/test_all.py b/test/test_all.py
@@ -686,7 +686,7 @@ class ExampleJitterNoPython(ExampleJitter):
                       Example.get_sample("md5_aarch64l"), "--mimic-env"],
                      []),
                     (["sandbox_elf_ppc32.py",
-                      Example.get_sample("md5_ppc32b"), "-a", "0x1000087C"],
+                      Example.get_sample("md5_ppc32b"), "--mimic-env"],
                      []),
                     (["msp430.py", Example.get_sample("msp430_sc.bin"), "0"],
                      [test_msp430]),