Yesterday we saw the PS4 1.01 Dlclose Exploit release, and today @zecoxao returns with a PlayStation 4 1.01 Memory Dump and IDA Interactive Disassembler IDC Script for populating the Kernel's Symbols so developers can examine it!
Download: 0xffffffff80000000-1.01.7z (8.9 MB) / symbols.idc (2.9 MB) / SceEapCore.elf (3.95 MB - from 1.01 containing all function names and variables) / PS4_4_71_Symbols.rar
To quote from zecoxao: 1.01 memory dump. first kernel at 0x0700000, second kernel at 0x2200000. this is for the devs who are curious about 1.01 kernel. using the following script will fill the names of up to 99% of the kernel's symbols.
rizzo signatures for 4.05 (taken from 1.01 full symbols kernel)
Download: holy_grail.riz (15.76 MB)
use this plugin together with IDA Pro to apply the signatures:
Code:########################################################################## # An IDAPython plugin that generates "fuzzy" function signatures that can # be shared and applied amongst different IDBs. # # There are multiple sets of signatures that are generated: # # o "Formal" signatures, where functions must match exactly # o "Fuzzy" signatures, where functions must only resemble each other # in terms of data/call references. # o String-based signatures, where functions are identified based on # unique string references. # o Immediate-based signatures, where functions are identified based # on immediate value references. # # These signatures are applied based on accuracy, that is, formal # signatures are applied first, then string and immediate based # signatures, and finally fuzzy signatures. # # Further, functions are identified based on call references. Consider, # for example, two functions, one named 'foo', the other named 'bar'. # The 'foo' function is fairly unique and a reliable signature is easily # generated for it, but the 'bar' function is more difficult to reliably # identify. However, 'foo' calls 'bar', and thus once 'foo' is identified, # 'bar' can also be identified by association. # # Craig Heffner # @devttys0 ########################################################################## import idc import idaapi import idautils import os import sys import time import pickle # http://natashenka.ca/pickle/ import collections class RizzoSignatures(object): ''' Simple wrapper class for storing signature info. ''' SHOW = [] def __init__(self): self.fuzzy = {} self.formal = {} self.strings = {} self.functions = {} self.immediates = {} self.fuzzydups = set() self.formaldups = set() self.stringdups = set() self.immediatedups = set() def show(self): if not self.SHOW: return print "\n\nGENERATED FORMAL SIGNATURES FOR:" for (key, ea) in self.formal.iteritems(): func = RizzoFunctionDescriptor(self.formal, self.functions, key) if func.name in self.SHOW: print func.name print "\n\nGENERATRED FUZZY SIGNATURES FOR:" for (key, ea) in self.fuzzy.iteritems(): func = RizzoFunctionDescriptor(self.fuzzy, self.functions, key) if func.name in self.SHOW: print func.name class RizzoStringDescriptor(object): ''' Wrapper class for easily accessing necessary string information. ''' def __init__(self, string): self.ea = string.ea self.value = str(string) self.xrefs = [x.frm for x in idautils.XrefsTo(self.ea)] class RizzoBlockDescriptor(object): ''' Code block info is stored in tuples, which minimize pickle storage space. This class provides more Pythonic (and sane) access to values of interest for a given block. ''' def __init__(self, block): self.formal = block[0] self.fuzzy = block[1] self.immediates = block[2] self.functions = block[3] def match(self, nblock, fuzzy=False): # TODO: Fuzzy matching at the block level gets close, but produces a higher number of # false positives; for example, it confuses hmac_md5 with hmac_sha1. #return ((self.formal == nblock.formal or (fuzzy and self.fuzzy == nblock.fuzzy)) and return (self.formal == nblock.formal and len(self.immediates) == len(nblock.immediates) and len(self.functions) == len(nblock.functions)) class RizzoFunctionDescriptor(object): ''' Function signature info is stored in dicts and tuples, which minimize pickle storage space. This class provides more Pythonic (and sane) access to values of interest for a given function. ''' def __init__(self, signatures, functions, key): self.ea = signatures[key] self.name = functions[self.ea][0] self.blocks = functions[self.ea][1] class Rizzo(object): ''' Workhorse class which performs the primary logic and functionality. ''' DEFAULT_SIGNATURE_FILE = "rizzo.sig" def __init__(self, sigfile=None): if sigfile: self.sigfile = sigfile else: self.sigfile = self.DEFAULT_SIGNATURE_FILE # Useful for quickly identifying string xrefs from individual instructions self.strings = {} for string in idautils.Strings(): self.strings[string.ea] = RizzoStringDescriptor(string) start = time.time() self.signatures = self.generate() end = time.time() print "Generated %d formal signatures and %d fuzzy signatures for %d functions in %.2f seconds." % (len(self.signatures.formal), len(self.signatures.fuzzy), len(self.signatures.functions), (end-start)) def save(self): print ("Saving signatures to %s..." % self.sigfile), fp = open(self.sigfile, "wb") pickle.dump(self.signatures, fp) fp.close() print "done." def load(self): print ("Loading signatures from %s..." % self.sigfile), fp = open(self.sigfile, "rb") sigs = pickle.load(fp) fp.close() print "done." return sigs def sighash(self, value): return hash(str(value)) & 0xFFFFFFFF def block(self, block): ''' Returns a tuple: ([formal, block, signatures], [fuzzy, block, signatures], set([unique, immediate, values]), [called, function, names]) ''' formal = [] fuzzy = [] functions = [] immediates = [] ea = block.startEA while ea < block.endEA: idaapi.decode_insn(ea) # Get a list of all data/code references from the current instruction drefs = [x for x in idautils.DataRefsFrom(ea)] crefs = [x for x in idautils.CodeRefsFrom(ea, False)] # Add all instruction mnemonics to the formal block hash formal.append(idc.GetMnem(ea)) # If this is a call instruction, be sure to note the name of the function # being called. This is used to apply call-based signatures to functions. # # For fuzzy signatures, we can't use the actual name or EA of the function, # but rather just want to note that a function call was made. # # Formal signatures already have the call instruction mnemonic, which is more # specific than just saying that a call was made. if idaapi.is_call_insn(ea): for cref in crefs: func_name = idc.Name(cref) if func_name: functions.append(func_name) fuzzy.append("funcref") # If there are data references from the instruction, check to see if any of them # are strings. These are looked up in the pre-generated strings dictionary. # # String values are easily identifiable, and are used as part of both the fuzzy # and the formal signatures. # # It is more difficult to determine if non-string values are constants or not; # for both fuzzy and formal signatures, just use "data" to indicate that some data # was referenced. elif drefs: for dref in drefs: if self.strings.has_key(dref): formal.append(self.strings[dref].value) fuzzy.append(self.strings[dref].value) else: formal.append("dataref") fuzzy.append("dataref") # If there are no data or code references from the instruction, use every operand as # part of the formal signature. # # Fuzzy signatures are only concerned with interesting immediate values, that is, values # that are greater than 65,535, are not memory addresses, and are not displayed as # negative values. elif not drefs and not crefs: for n in range(0, len(idaapi.cmd.Operands)): opnd_text = idc.GetOpnd(ea, n) formal.append(opnd_text) if idaapi.cmd.Operands[n].type == idaapi.o_imm and not opnd_text.startswith('-'): if idaapi.cmd.Operands[n].value >= 0xFFFF: if idaapi.getFlags(idaapi.cmd.Operands[n].value) == 0: fuzzy.append(str(idaapi.cmd.Operands[n].value)) immediates.append(idaapi.cmd.Operands[n].value) ea = idc.NextHead(ea) return (self.sighash(''.join(formal)), self.sighash(''.join(fuzzy)), immediates, functions) def function(self, func): ''' Returns a list of blocks. ''' blocks = [] for block in idaapi.FlowChart(func): blocks.append(self.block(block)) return blocks def generate(self): signatures = RizzoSignatures() # Generate unique string-based function signatures for (ea, string) in self.strings.iteritems(): # Only generate signatures on reasonably long strings with one xref if len(string.value) >= 8 and len(string.xrefs) == 1: func = idaapi.get_func(string.xrefs[0]) if func: strhash = self.sighash(string.value) # Check for and remove string duplicate signatures (the same # string can appear more than once in an IDB). # If no duplicates, add this to the string signature dict. if signatures.strings.has_key(strhash): del signatures.strings[strhash] signatures.stringdups.add(strhash) elif strhash not in signatures.stringdups: signatures.strings[strhash] = func.startEA # Generate formal, fuzzy, and immediate-based function signatures for ea in idautils.Functions(): func = idaapi.get_func(ea) if func: # Generate a signature for each block in this function blocks = self.function(func) # Build function-wide formal and fuzzy signatures by simply # concatenating the individual function block signatures. formal = self.sighash(''.join([str(e) for (e, f, i, c) in blocks])) fuzzy = self.sighash(''.join([str(f) for (e, f, i, c) in blocks])) # Add this signature to the function dictionary. signatures.functions[func.startEA] = (idc.Name(func.startEA), blocks) # Check for and remove formal duplicate signatures. # If no duplicates, add this to the formal signature dict. if signatures.formal.has_key(formal): del signatures.formal[formal] signatures.formaldups.add(formal) elif formal not in signatures.formaldups: signatures.formal[formal] = func.startEA # Check for and remove fuzzy duplicate signatures. # If no duplicates, add this to the fuzzy signature dict. if signatures.fuzzy.has_key(fuzzy): del signatures.fuzzy[fuzzy] signatures.fuzzydups.add(fuzzy) elif fuzzy not in signatures.fuzzydups: signatures.fuzzy[fuzzy] = func.startEA # Check for and remove immediate duplicate signatures. # If no duplicates, add this to the immediate signature dict. for (e, f, immediates, c) in blocks: for immediate in immediates: if signatures.immediates.has_key(immediate): del signatures.immediates[immediate] signatures.immediatedups.add(immediate) elif immediate not in signatures.immediatedups: signatures.immediates[immediate] = func.startEA # These need not be maintained across function calls, # and only add to the size of the saved signature file. signatures.fuzzydups = set() signatures.formaldups = set() signatures.stringdups = set() signatures.immediatedups = set() # DEBUG signatures.show() return signatures def match(self, extsigs): fuzzy = {} formal = {} strings = {} immediates = {} # Match formal function signatures start = time.time() for (extsig, ext_func_ea) in extsigs.formal.iteritems(): if self.signatures.formal.has_key(extsig): newfunc = RizzoFunctionDescriptor(extsigs.formal, extsigs.functions, extsig) curfunc = RizzoFunctionDescriptor(self.signatures.formal, self.signatures.functions, extsig) formal[curfunc] = newfunc end = time.time() print "Found %d formal matches in %.2f seconds." % (len(formal), (end-start)) # Match fuzzy function signatures start = time.time() for (extsig, ext_func_ea) in extsigs.fuzzy.iteritems(): if self.signatures.fuzzy.has_key(extsig): curfunc = RizzoFunctionDescriptor(self.signatures.fuzzy, self.signatures.functions, extsig) newfunc = RizzoFunctionDescriptor(extsigs.fuzzy, extsigs.functions, extsig) # Only accept this as a valid match if the functions have the same number of basic code blocks if len(curfunc.blocks) == len(newfunc.blocks): fuzzy[curfunc] = newfunc end = time.time() print "Found %d fuzzy matches in %.2f seconds." % (len(fuzzy), (end-start)) # Match string based function signatures start = time.time() for (extsig, ext_func_ea) in extsigs.strings.iteritems(): if self.signatures.strings.has_key(extsig): curfunc = RizzoFunctionDescriptor(self.signatures.strings, self.signatures.functions, extsig) newfunc = RizzoFunctionDescriptor(extsigs.strings, extsigs.functions, extsig) strings[curfunc] = newfunc end = time.time() print "Found %d string matches in %.2f seconds." % (len(strings), (end-start)) # Match immediate baesd function signatures start = time.time() for (extsig, ext_func_ea) in extsigs.immediates.iteritems(): if self.signatures.immediates.has_key(extsig): curfunc = RizzoFunctionDescriptor(self.signatures.immediates, self.signatures.functions, extsig) newfunc = RizzoFunctionDescriptor(extsigs.immediates, extsigs.functions, extsig) immediates[curfunc] = newfunc end = time.time() print "Found %d immediate matches in %.2f seconds." % (len(immediates), (end-start)) # Return signature matches in the order we want them applied # The second tuple of each match is set to True if it is a fuzzy match, e.g.: # # ((match, fuzzy), (match, fuzzy), ...) return ((formal, False), (strings, False), (immediates, False), (fuzzy, True)) def rename(self, ea, name): # Don't rely on the name in curfunc, as it could have already been renamed curname = idc.Name(ea) # Don't rename if the name is a special identifier, or if the ea has already been named # TODO: What's a better way to check for reserved name prefixes? if curname.startswith('sub_') and name.split('_')[0] not in set(['sub', 'loc', 'unk', 'dword', 'word', 'byte']): # Don't rename if the name already exists in the IDB if idc.LocByName(name) == idc.BADADDR: if idc.MakeName(ea, name): idc.SetFunctionFlags(ea, (idc.GetFunctionFlags(ea) | idc.FUNC_LIB)) #print "%s => %s" % (curname, name) return 1 #else: # print "WARNING: Attempted to rename '%s' => '%s', but '%s' already exists!" % (curname, name, name) return 0 def apply(self, extsigs): count = 0 start = time.time() # This applies formal matches first, then fuzzy matches for (match, fuzzy) in self.match(extsigs): # Keeps track of all function names that we've identified candidate functions for rename = {} for (curfunc, newfunc) in match.iteritems(): if not rename.has_key(newfunc.name): rename[newfunc.name] = [] # Attempt to rename this function rename[newfunc.name].append(curfunc.ea) bm = {} duplicates = set() # Search for unique matching code blocks inside this function for nblock in newfunc.blocks: nblock = RizzoBlockDescriptor(nblock) for cblock in curfunc.blocks: cblock = RizzoBlockDescriptor(cblock) if cblock.match(nblock, fuzzy): if bm.has_key(cblock): del bm[cblock] duplicates.add(cblock) elif cblock not in duplicates: bm[cblock] = nblock # Rename known function calls from each unique identified code block for (cblock, nblock) in bm.iteritems(): for n in range(0, len(cblock.functions)): ea = idc.LocByName(cblock.functions[n]) if ea != idc.BADADDR: if rename.has_key(nblock.functions[n]): rename[nblock.functions[n]].append(ea) else: rename[nblock.functions[n]] = [ea] # Rename the identified functions for (name, candidates) in rename.iteritems(): if candidates: winner = collections.Counter(candidates).most_common(1)[0][0] count += self.rename(winner, name) end = time.time() print "Renamed %d functions in %.2f seconds." % (count, (end-start)) def RizzoBuild(sigfile=None): print "Building Rizzo signatures, this may take a few minutes..." start = time.time() r = Rizzo(sigfile) r.save() end = time.time() print "Built signatures in %.2f seconds" % (end-start) def RizzoApply(sigfile=None): print "Applying Rizzo signatures, this may take a few minutes..." start = time.time() r = Rizzo(sigfile) s = r.load() r.apply(s) end = time.time() print "Signatures applied in %.2f seconds" % (end-start) class RizzoPlugin(idaapi.plugin_t): flags = 0 comment = "Function signature" help = "" wanted_name = "Rizzo" wanted_hotkey = "" NAME = "rizzo.py" def init(self): self.menu_context_load = idaapi.add_menu_item("File/Load file/", "Rizzo signature file...", "", 0, self.rizzo_load, (None,)) self.menu_context_produce = idaapi.add_menu_item("File/Produce file/", "Rizzo signature file...", "", 0, self.rizzo_produce, (True,)) return idaapi.PLUGIN_KEEP def term(self): idaapi.del_menu_item(self.menu_context_load) idaapi.del_menu_item(self.menu_context_produce) return None def run(self, arg): return None def rizzo_script(self): idaapi.IDAPython_ExecScript(self.script, globals()) def rizzo_produce(self, arg): fname = idc.AskFile(1, "*.riz", "Save signature file as") if fname: if '.' not in fname: fname += ".riz" RizzoBuild(fname) return None def rizzo_load(self, arg): fname = idc.AskFile(0, "*.riz", "Load signature file") if fname: RizzoApply(fname) return None def PLUGIN_ENTRY(): return RizzoPlugin()
Collection of IDA Python plugins/scripts/modules.
Github: https://github.com/AlexAltea/ida
Thanks to @Figure03 for the news tip in the PSXHAX Shoutbox earlier on!
-
About the Author: PSXHAX"Live in Your World, HAX in Ours!"Hello World! I've been reporting on Sony PlayStation hacking news since 2000 and started PSXHAX in 2015 to cover PlayStation (PSX), PlayStation 2 (PS2), PlayStation 3 (PS3), PlayStation 4 (PS4), PlayStation Portable (PSP), PlayStation Vita (PS Vita) and PlayStation TV (PS TV) platforms along with anything else of interest.
Click on my UserName author link above and you'll be able to view a filtered list of all of the articles I've contributed thus far to PSXHAX.COM.
If you enjoy gaming and would like to write (unpaid) for this site, Contact Us and we'll be happy to have ya join our Staff!
-
Comments
-