Uncategorized

IDA Pro 7.0 released

https://www.hex-rays.com/products/ida/7.0/index.shtml

https://hex-rays.com/products/decompiler/news.shtml#170914

Standard
Uncategorized

Anti-disassembly on ARM with IDA

[…]So what else is cool about this is, this is just one combination of invalid bytes that creates a PLD instruction the processor can ingest. There’s all sorts of combinations that will cause this same thing to happen

https://kbdsmoke.me/anti-disassembly-on-arm-ida-specifically/

Standard
Uncategorized

BootStomp: Android bootloader vulnerability finder

BootStomp is a boot-loader bug finder. It looks for two different class of bugs: memory corruption and state storage vulnerabilities. For more info please refer to the BootStomp paper. To run BootStomp’s analyses, please read the following instructions. Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions. This is because of the time angr takes to analyze basic blocks and to Z3’s expression concretization results.[…]

https://seclab.cs.ucsb.edu/academic/publishing/#bootstomp-security-bootloaders-mobile-devices-2017

https://github.com/ucsb-seclab/BootStomp/blob/master/tools/huawei_tools/oeminfo_exploit.py

https://github.com/ucsb-seclab/BootStomp

print [!] Usage: + sys.argv[0] + <oeminfo.img> <exploit_oeminfo.img>\n

Lots of links to read at the end of the github readme web page.

 

Standard
Uncategorized

uEmu: Unicorn-based emulator plugin for IDA

uEmu is a tiny cute emulator plugin for IDA based on unicorn engine.

Supports following architectures out of the box: x86, x64, ARM, ARM64.

What is it GOOD for?
* Emulate bare metal code (bootloaders, embedded firmware etc)
* Emulate standalone functions

https://github.com/alexhude/uEmu

Standard
Uncategorized

Unicorn-based EFI emulator?

OSX Reverser has a new blog post on Apple EFI firmware passwords:

[…] This is when I had an idea! How about creating an EFI emulator and debugger using the Unicorn Engine framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services are very small this meant that there wasn’t a lot of code to be emulated. And with a couple of days work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight to previously tricky code. […]

Apple EFI firmware passwords and the SCBO myth

Apple EFI firmware passwords and the SCBO myth

Looking forward to an URL to this EFISwissKnife IDA plugin, and ESPECIALLY this new Unicorn-based EFI emulator! I can’t find an URL yet, though. 😦

Standard