skochinsky / jeff_core10.j
Last active June 19, 2016 21:00
core java classes from ME 10.0.25.1048
; found JEFF at 0x00022C04?
; JEFF length=00020D94
; class 0/235
.class public super abstract com/intel/crypto/CertificateChain
.super java/lang/Object
.const [o304] = Int 16384 ; 0x00004000
.field protected static final MAX_CERTIFICATE_CHAIN_LENGTH I
skochinsky / oath10.j
Last active June 19, 2016 16:51
from Intel IPT OATH Application_fw10.0.0_v3.0.jeff
; class 0/41
.class public super com/intel/dal/ipt/framework/AppletImpl
.super com/intel/util/IntelApplet
.field protected mIptf Lcom/intel/dal/ipt/framework/IptFramework;
.field mReplyBuffer [B
.field mInitialized Z
.version 49 0
.class public super com/intel/crypto/NotInitializedException
.super com/intel/crypto/CryptoException
.method public <init> : ()V
.code stack 1 locals 1
L0: aload_0
L1: invokespecial Method com/intel/crypto/CryptoException <init> ()V
L4: return
skochinsky / guids.txt
Created July 4, 2016 16:27
UEFI file/section GUIDs collection
; AMI
[GUID_FILE]
; ACPI tables
16D0A23E-C09C-407d-A14A-AD058FDD0CA1=ACPI
11D8AC35-FB8A-44d1-8D09-0B5606D321B9=DSDT
95DFCAE5-BB28-4d6b-B1E2-3AF3A6BF434F=PTID
FB045DB2-598E-485A-BA30-5D7B1B1BD54D=AOAC
60AC3A8F-4D66-4CD4-895A-C3F06E6665EE=iFfsAcpiTables
5B232086-350A-42c7-A70E-3497B5765D85=OEMSSDT
299141BB-211A-48a5-92C0-6F9A0A3A006E=PPMACPI
{
real_time:956280.161440 global_time:588919, event:`SYSCALL: socketcall' (state:ENTERING_SYSCALL) tid:18704, ticks:260023746443
eax:0xffffffda ecx:0xbfb415f4 edx:0x0 ebx:0x11 esp:0xbfb414fc ebp:0x80f48ef8 esi:0xb5f50000 edi:0x0 eip:0x70000002 eflags:0x246 xcs:0x73 xss:0x7b xds:0x7b xes:0x7b xfs:0x0 xgs:0x33 orig_eax:0x66
}
{
real_time:956280.161458 global_time:588920, event:`SYSCALLBUF_RESET' tid:18704, ticks:260023746443
}
{
real_time:956280.161644 global_time:588921, event:`SYSCALL: socketcall' (state:EXITING_SYSCALL) tid:18704, ticks:260023746443
eax:0xfffffff5 ecx:0xbfb415f4 edx:0x0 ebx:0x11 esp:0xbfb414fc ebp:0x80f48ef8 esi:0xb5f50000 edi:0x0 eip:0x70000002 eflags:0x246 xcs:0x73 xss:0x7b xds:0x7b xes:0x7b xfs:0x0 xgs:0x33 orig_eax:0x66
skochinsky / gist:181e6e338d90bb7f2693098dc43c6d54
Last active November 29, 2017 14:13
Phoenix $PFH trailer
// One region record in the layout this gist describes as the "Phoenix $PFH trailer".
// NOTE(review): the field meanings below are inferred from the field names only;
// confirm them against a real image before relying on them.
// NOTE(review): if UINT32/UINT64 are 4/8 bytes, natural alignment pads this struct
// to 24 bytes (4 bytes of tail padding); if the on-disk record is 20 bytes the
// struct needs packing — confirm.
// Every value here is read from the firmware image, so a parser should range-check
// FileOffset + Size (without 32-bit wraparound) and NameOffset against the file
// length before dereferencing anything.
struct PFRegionEntry
{
UINT32 FileOffset; // presumably where the region's data starts in the file — TODO confirm
UINT32 Size; // presumably the region's length in bytes — TODO confirm
UINT64 FlashAddress; // presumably the region's address in flash — TODO confirm
UINT32 NameOffset; //absolute offset (of the region's name, judging by the field name)
};
struct PFHeader
{
skochinsky / rich.py
Created April 13, 2017 13:03
MSVC PE Rich header parser with compiler version display
# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
import sys
import struct
# Named constants for the Rich-header parser, kept at the top instead of buried inline.

# Magic value: its bytes spell "DanS" in little-endian order ("SnaD" as the hex is written).
CHECKSUM_MASK = 0x536E6144

# Text tag and its length.
RICH_TEXT = 'Rich'
RICH_TEXT_LENGTH = len(RICH_TEXT)

# NOTE(review): presumably the file offset and byte width of the DOS header's
# pointer to the PE header — confirm against the parsing code, not shown here.
PE_START, PE_FIELD_LENGTH = 0x3C, 4
# convert Intel firmware update capsules to plain binaries
import sys
import os.path
import struct
# The capsule path is taken straight from the first command-line argument.
# NOTE(review): no argument-count check is visible, so running without an
# argument raises IndexError; the file is opened without a `with` block and
# no close() appears in this excerpt.
fn = sys.argv[1]
inf = open(fn, "rb")
# Jump to offset 0xC8 in the capsule before reading.
# NOTE(review): presumably the start of the data parsed next — confirm against
# the capsule layout; values read from the file should be bounds-checked.
inf.seek(0xC8)
# Starts empty; how it is filled is outside this excerpt.
e=[]
skochinsky / qt5res.py
Created September 5, 2018 17:15
Qt5 resource dumper for IDA
## parse and dump Qt resources in current IDB
from PyQt5 import QtCore
import os.path
f = LocByName("?qRegisterResourceData@@YA_NHPBE00@Z")
for x in XrefsTo(f, idaapi.XREF_ALL):
if x.type==fl_CN:
callea = x.frm
push1 = DecodePreviousInstruction(callea)
if push1.itype != idaapi.NN_push:
print "no push at %08X!"% push1.ea
/*scan for far jumps or calls and print their location and destinations
jmp: 1= search for jumps(0= calls)
low16: only consider destinations with offset < 16
*/
static scan_jmp_call(jmp, low16)
{
// start at the minimal address
auto a = 0;
auto x, seg, offs, dest;
for (a = 0; x != BADADDR; a = x + 5 )// skip 5 bytes (size of far jmp/call opcode)