We have a lot of news this time, but let us start with the most desired and requested item: support for ARM v8.3 instructions. With the advent of the new iPhone XS many reverse engineers started to stumble on these new instructions. Besides, they include a new security mechanism: Pointer Authentication Code. It makes exploiting software vulnerabilities much more difficult but it requires modifications in our file parsing and analysis methods.[…]
“With this version of IDA we publish the decompiler intermediate language: the microcode. We had been planning to do it for a very long time, but the microcode was constantly evolving, so we could not do it. After ten years of evolution it looks mature and ready to be published. We believe that it will permit our users to implement much more powerful and higher level analysis algorithms than before. In the future we plan to use the microcode in IDA too: if the decompiler is present, the analysis will be improved automatically.”
The freeware version of IDA v7.0 has the following limitations:
* no commercial use is allowed
* lacks all features introduced in IDA > v7.0
* lacks support for many processors, file formats, debugging etc…
* comes without technical support
Cutter 1.0 has been released:
“REmatch, a complete binary diffing framework that is free and strives to be open source and community driven.
REmatch, a simple binary diffing utility that just works. At least, we hope it will be. Rematch is still a work in progress and is not fully functional at the moment. We’re currently working on bringing up basic functionality. Check us out again soon or watch for updates! It is intended to be used by reverse engineers by revealing and identifying previously reverse engineered similar functions and migrating documentation and annotations to current IDB. It does that by locally collecting data about functions in your IDB and uploading that information to a web service (which you’re supposed to set up as well). Upon request, the web service can match your functions against all (or part) of previously uploaded functions and provide matches. A secondary goal of this (which is not currently pursued) is to allow synchronization between multiple reverse engineers working on the same file. The goal of REmatch is to act as a maintained, extendable, open source tool for advanced assembly function-level binary comparison and matching. Rematch will be a completely open source and free (as in speech) community-driven tool. We support bottom-up organizational methods and desire Rematch to be heavily influenced by its users (both in decision making and development).[…]”
[…]So what else is cool about this is, this is just one combination of invalid bytes that creates a PLD instruction the processor can ingest. There’s all sorts of combinations that will cause this same thing to happen.
BootStomp is a boot-loader bug finder. It looks for two different classes of bugs: memory corruption and state storage vulnerabilities. For more info please refer to the BootStomp paper. To run BootStomp’s analyses, please read the following instructions. Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions. This is because of the time angr takes to analyze basic blocks and to Z3’s expression concretization results.[…]
print("[!] Usage: " + sys.argv[0] + " <oeminfo.img> <exploit_oeminfo.img>\n")
Lots of links to read at the end of the GitHub README web page.
uEmu is a tiny cute emulator plugin for IDA based on unicorn engine.
Supports the following architectures out of the box: x86, x64, ARM, ARM64.
What is it GOOD for?
* Emulate bare metal code (bootloaders, embedded firmware etc)
* Emulate standalone functions
meloader is an Intel Management Engine a.k.a Intel ME firmware loader plugin for IDA.[…]
Konstantin Yurchenko has a new project to help IDA Pro users with UEFI blobs:
OSX Reverser has a new blog post on Apple EFI firmware passwords:
[…] This is when I had an idea! How about creating an EFI emulator and debugger using the Unicorn Engine framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services are very small this meant that there wasn’t a lot of code to be emulated. And with a couple of days work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight to previously tricky code. […]
Looking forward to a URL to this EFISwissKnife IDA plugin, and ESPECIALLY this new Unicorn-based EFI emulator! I can’t find a URL yet, though. 😦
“ARMPwn: Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team”
ARMPWN challenge write-up:
A few weeks ago, I came across @5aelo repo called armpwn for people wanting to have a bit of ARM fun. I had recently spent some time adding new features and perfecting old ones to my exploit helper gdb-gef and I saw there a perfect practice case. On top of that, I had nothing better to do yesterday ☺ This challenge was really fun, and made so much easier thanks to gef especially to defeat real life protections (NX/ASLR/PIC/Canary), and on a different architecture (Intel is so ‘90). This is mostly why I’m doing this write-up, but feel curious and do it by yourself. Fun time ahead guaranteed ☺ […]
If you use IDA, check out the Hex-Rays Decompiler plugin, which is very powerful and now available for Mac OS X users.
The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware.
It has multiple experienced contributors:
* Alex Matrosov (@matrosov)
* Eugene Rodionov (@rodionov)
* Rodrigo Branco (@rrbranco)
* Gabriel Barbosa (@gabrielnb)
ret-sync stands for Reverse-Engineering Tools synchronization. It’s a set of plugins that help to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA disassembler. The underlying idea is simple: take the best from both worlds (static and dynamic analysis).
From debuggers and dynamic analysis we got:
* local view, with live dynamic context (registers, memory, etc.)
* built-in specialized features/API (ex: Windbg’s !peb, !drvobj, !address, etc.)
From IDA and static analysis we got:
* macro view over modules
* code analysis, signatures, types, etc.
* fancy graph view
* persistent storage of knowledge within IDBs
Pass data (comment, command output) from debugger to disassembler (IDA)
Multiple IDBs can be synced at the same time allowing to easily trace through multiple modules
No need to deal with ASLR, addresses are rebased on-the-fly
IDBs and debugger can be on different hosts
ret-sync is a fork of qb-sync that I developed and maintained during my stay at Quarkslab.
It has AArch64 support!
There’s another comment on Twitter from The Rootless Monster, wondering about UEFI TE support in the latest release, unclear if TE support has changed in 6.9:
We’ve had 7 contestants this year! All plugins were interesting, but we had to choose three. Here’s the final ranking:
* First prize (1900 USD): Yaniv Balmas, Dynamic IDA Enrichment (DIE) framework
* Second prize (950 USD): Steven H. H. Ding, Kam1n0
* Third prize (450 USD): Alexander Matrosov, Eugene Rodionov, Rodrigo Branco & Gabriel Barbosa, HexRaysCodeXplorer
Note that one of the winners is from firmware security researchers! Congratulations!
The other day I posted a pointer to a new list of IDA plugins:
Here are a few more IDA plugins for UEFI, the new list only mentions Danse-Macabre’s IDA-EFItools project:
Also see chapters 4 and 22 (at least) of this new book:
Does anyone know of any others? If so, please leave a Comment (see left) or send email (see upper right). Thanks.