-
-
Save withzombies/39ccc075ec8830f054bf4e7f5e125790 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
import sys | |
import binaryninja | |
# 4 years ago we had to specify the loader format and sleep while analysis | |
# finished | |
target = sys.argv[1] | |
bv = binaryninja.BinaryViewType.get_view_of_file(target, update_analysis=True) | |
# start is our entry point and has two calls, the second call is main | |
# grabbing start isn't too different than before | |
start = bv.get_function_at(bv.entry_point) | |
start_blocks = list(start.high_level_il) # start only has one block | |
start_calls = [x for x in start_blocks[0] if x.operation == binaryninja.HighLevelILOperation.HLIL_CALL] | |
call_main = start_calls[1] # second call is main | |
# Main has a single call to our handler function | |
main = bv.get_function_at(call_main.dest.constant) | |
main_blocks = list(main.high_level_il) # main only has one block | |
main_calls = [x for x in main_blocks[0] if x.operation == binaryninja.HighLevelILOperation.HLIL_CALL] | |
call_handler = main_calls[0] # first call is handler | |
# Here's where the real improvements lie | |
# Handler has our cookie, which is compared with memcmp in the | |
# last call of the first block, but our call is folded into the if condition | |
handler = bv.get_function_at(call_handler.dest.constant) | |
handler_blocks = list(handler.high_level_il) | |
# grab all the HLIL_IF instructions out of the first block, which there should only be one. | |
if_insn = [x for x in handler_blocks[0] if x.operation == binaryninja.HighLevelILOperation.HLIL_IF] | |
# The call to memcmp is the left side of the condition, the right side is '0': | |
# if(memcmp(buf, "cookie", 4) == 0) | |
call_memcmp = if_insn[0].condition.left | |
# Now pull the cookie's data pointer out of the call to memcmp | |
# arg0 is our input buffer | |
# arg1 is the cookie data pointer | |
# arg2 is the size of the compare | |
cookie_ptr = call_memcmp.params[1].constant | |
# Read the first 4 bytes to get the cookie value, we could also use the | |
# count of the memcmp here | |
cookie = bv.read(cookie_ptr, 4) | |
print(f"Cookie: {cookie}") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment