From 25923e673338d3c07a5f58bed423ec8e61e7d9ae Mon Sep 17 00:00:00 2001
From: Ben Lubar
Date: Tue, 18 Feb 2020 15:58:01 -0600
Subject: [PATCH] add Ghidra script that labels DF globals

---
 reversing/find_df_globals.java | 75 ++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100644 reversing/find_df_globals.java

diff --git a/reversing/find_df_globals.java b/reversing/find_df_globals.java
new file mode 100644
index 000000000..e526fa671
--- /dev/null
+++ b/reversing/find_df_globals.java
@@ -0,0 +1,75 @@
+import ghidra.app.script.*;
+import ghidra.program.model.address.*;
+import ghidra.program.model.data.*;
+import ghidra.program.model.mem.*;
+
+public class find_df_globals extends GhidraScript {
+ public void run() throws Exception {
+ int ptrSize = currentProgram.getDefaultPointerSize();
+ byte[] dfInit = new byte[ptrSize * 2];
+ int i = 0;
+ dfInit[i++] = 0x78;
+ dfInit[i++] = 0x56;
+ dfInit[i++] = 0x34;
+ dfInit[i++] = 0x12;
+ if (ptrSize >= 8) {
+ dfInit[i++] = 0x78;
+ dfInit[i++] = 0x56;
+ dfInit[i++] = 0x34;
+ dfInit[i++] = 0x12;
+ dfInit[i++] = 0x21;
+ dfInit[i++] = 0x43;
+ dfInit[i++] = 0x65;
+ dfInit[i++] = (byte)0x87;
+ }
+ dfInit[i++] = 0x21;
+ dfInit[i++] = 0x43;
+ dfInit[i++] = 0x65;
+ dfInit[i++] = (byte)0x87;
+ byte[] mask = new byte[ptrSize * 2];
+ for (i = 0; i < ptrSize * 2; i++) {
+ mask[i] = (byte)0xff;
+ }
+
+ DataTypeManager dtm = currentProgram.getDataTypeManager();
+ StructureDataType dfGlobalsMapElement = new StructureDataType("df_globals_map_element", 0);
+ dfGlobalsMapElement.add(new PointerDataType(CharDataType.dataType, ptrSize), "name", null);
+ dfGlobalsMapElement.add(new PointerDataType(DataType.DEFAULT, ptrSize), "addr", null);
+ StructureDataType dfGlobalsMap = new StructureDataType("df_globals_map", 0);
+ dfGlobalsMap.add(DWordDataType.dataType, "magic0", "12345678");
+ if (ptrSize < 8) {
+ dfGlobalsMap.add(DWordDataType.dataType, "magic1", "87654321");
+ } else {
+ dfGlobalsMap.add(DWordDataType.dataType, "magic1", "12345678");
+ dfGlobalsMap.add(DWordDataType.dataType, "magic2", "87654321");
+ dfGlobalsMap.add(DWordDataType.dataType, "magic3", "87654321");
+ }
+
+ Memory mem = currentProgram.getMemory();
+ Address globalAddr = mem.findBytes(currentProgram.getMinAddress(), dfInit, mask, true, monitor);
+
+ int globalCount = 0;
+ while (mem.getLong(globalAddr.add((globalCount + 1) * ptrSize * 2)) != 0) {
+ globalCount++;
+ Address nameAddr;
+ Address dataAddr;
+ if (ptrSize >= 8) {
+ nameAddr = globalAddr.getNewAddress(mem.getLong(globalAddr.add(globalCount * ptrSize * 2)));
+ dataAddr = globalAddr.getNewAddress(mem.getLong(globalAddr.add(globalCount * ptrSize * 2 + ptrSize)));
+ } else {
+ nameAddr = globalAddr.getNewAddress(mem.getInt(globalAddr.add(globalCount * ptrSize * 2)));
+ dataAddr = globalAddr.getNewAddress(mem.getInt(globalAddr.add(globalCount * ptrSize * 2 + ptrSize)));
+ }
+
+ String name = StringDataInstance.getStringDataInstance(currentProgram.getListing().createData(nameAddr, TerminatedStringDataType.dataType)).getStringValue();
+
+ createLabel(dataAddr, name, true);
+ }
+ dfGlobalsMap.add(new ArrayDataType(dfGlobalsMapElement, globalCount, ptrSize * 2), "globals", null);
+
+ dtm.addDataType(dfGlobalsMapElement, DataTypeConflictHandler.DEFAULT_HANDLER);
+ dtm.addDataType(dfGlobalsMap, DataTypeConflictHandler.DEFAULT_HANDLER);
+
+ currentProgram.getListing().createData(globalAddr, dfGlobalsMap);
+ }
+}
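Review bot: `mem.findBytes(...)` returns null when the magic header is not present in the image, so the first `globalAddr.add(...)` in the `while` condition fails with a NullPointerException instead of a readable message; add `if (globalAddr == null) { println("df globals magic header not found"); return; }` directly after the find. In the 32-bit branch, `globalAddr.getNewAddress(mem.getInt(...))` widens a signed int to long, so a pointer at or above 0x80000000 becomes a negative offset; use `Integer.toUnsignedLong(mem.getInt(...))` for both `nameAddr` and `dataAddr`. The loop also has no upper bound, so a table whose zero terminator is missing or corrupt is walked until `getLong` throws at the end of the block, and a cap on `globalCount` or a check that the next element address still lies inside the containing memory block would make that failure explicit. The `name` string comes straight from the analysed binary and is passed unchecked to `createLabel`, which as far as I can tell rejects names with characters that are invalid for a symbol; guarding against a null or empty value and reporting the offending entry would stop one bad entry from aborting the whole script.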