jsenin/find_mips_global_pointer_ida.py

## find_mips_global_pointer_ida.py
# Script for IDA
# find for MIPS global pointer and try to create a function
#
# conversion hex to opcode at https://www.eg.bucknell.edu/~csci320/mips_web/
# 0x3c1c8064
# LUI $gp 0x8064
#
# 0x279c1c70
# ADDIU $gp $gp 0x1C70

def extract_lui_gp(curr_addr, end_addr):

    def _defined_function_at(addr):
        return GetFunctionAttr(curr_addr, FUNCATTR_START) != BADADDR

    def _is_addiu_gp_at(addr):
        # 0x279c1c70
        # ADDIU $gp $gp 0x1C70
        addiu_gp_opcode = '0x279c'
        return hex(Word(addr)) == addiu_gp_opcode

    def _extract_global_pointer_method_1(addr):
        gp = Word(curr_addr + 2)

        if _is_addiu_gp_at(curr_addr + 4):
            lower = Word(curr_addr + 6)
            gp = (gp << 16) + lower

        return gp

    def _extract_global_pointer_method_2(addr):
        return GetOperandValue(addr, 1)

    if curr_addr > end_addr:
        print "Invalid end address of CODE segment!"
        return n

    lui_gp = "3C 1C" # 3C 1C XX XX lui  $sp, 0xXXXXX
    n = 0
    curr_addr = FindBinary(curr_addr, SEARCH_DOWN, lui_gp)
    while curr_addr != BADADDR:

        gp = _extract_global_pointer_method_1(curr_addr)
        print ("possible global pointer method 1", hex(gp))

        gp = _extract_global_pointer_method_2(curr_addr)
        print ("possible global pointer method 2", hex(gp))

        if not _defined_function_at(curr_addr):
            if MakeFunction(curr_addr):
                print("Created function at", hex(curr_addr))
                n += 1
            else:
                print 'MakeFunction(0x%x) failed - running 2nd time maybe fixes this' % curr_addr

        curr_addr += 1
        curr_addr = FindBinary(curr_addr, SEARCH_DOWN, lui_gp)

    print "Created %d new functions\n" % n
    return n

# curr_addr = ScreenEA() & 0xFFFFFFFC # makes sure start address is 4-byte aligned
curr_addr = 0x0000000
end_addr = AskAddr(0, "Enter end address of CODE segment.")
print "mipsb searching global points between: 0x%X and 0x%x" % (curr_addr, end_addr)
extract_lui_gp(curr_addr, end_addr)
	# Script for IDA
	# find for MIPS global pointer and try to create a function
	#
	# conversion hex to opcode at https://www.eg.bucknell.edu/~csci320/mips_web/
	# 0x3c1c8064
	# LUI $gp 0x8064
	#
	# 0x279c1c70
	# ADDIU $gp $gp 0x1C70

	def extract_lui_gp(curr_addr, end_addr):

	def _defined_function_at(addr):
	return GetFunctionAttr(curr_addr, FUNCATTR_START) != BADADDR

	def _is_addiu_gp_at(addr):
	# 0x279c1c70
	# ADDIU $gp $gp 0x1C70
	addiu_gp_opcode = '0x279c'
	return hex(Word(addr)) == addiu_gp_opcode

	def _extract_global_pointer_method_1(addr):
	gp = Word(curr_addr + 2)

	if _is_addiu_gp_at(curr_addr + 4):
	lower = Word(curr_addr + 6)
	gp = (gp << 16) + lower

	return gp

	def _extract_global_pointer_method_2(addr):
	return GetOperandValue(addr, 1)

	if curr_addr > end_addr:
	print "Invalid end address of CODE segment!"
	return n

	lui_gp = "3C 1C" # 3C 1C XX XX lui $sp, 0xXXXXX
	n = 0
	curr_addr = FindBinary(curr_addr, SEARCH_DOWN, lui_gp)
	while curr_addr != BADADDR:

	gp = _extract_global_pointer_method_1(curr_addr)
	print ("possible global pointer method 1", hex(gp))

	gp = _extract_global_pointer_method_2(curr_addr)
	print ("possible global pointer method 2", hex(gp))

	if not _defined_function_at(curr_addr):
	if MakeFunction(curr_addr):
	print("Created function at", hex(curr_addr))
	n += 1
	else:
	print 'MakeFunction(0x%x) failed - running 2nd time maybe fixes this' % curr_addr

	curr_addr += 1
	curr_addr = FindBinary(curr_addr, SEARCH_DOWN, lui_gp)

	print "Created %d new functions\n" % n
	return n

	# curr_addr = ScreenEA() & 0xFFFFFFFC # makes sure start address is 4-byte aligned
	curr_addr = 0x0000000
	end_addr = AskAddr(0, "Enter end address of CODE segment.")
	print "mipsb searching global points between: 0x%X and 0x%x" % (curr_addr, end_addr)
	extract_lui_gp(curr_addr, end_addr)