some scripts to help exefs reverse engineering

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by banxian, Dec 28, 2014.

  1. banxian
    OP

    banxian Member

    Newcomer
    Oct 30, 2014
    Switzerland
    If you want to patch exefs after decrypting it, you need more and more symbols.
    Sadly BinDiff has problems merging SVC-related functions.

    If function A calls nn::svc::SendSyncRequest and function B inlines it as SVC 0x32, then you get a similarity lower than 0.7.
    And if two functions have different SVC numbers on the same line, they may be treated as the same opcode.
    Just strange.

    So I tried to write a pair of IDAPython scripts to get around this problem.

    Here is the simple readme:

    First you need to extract all obj files from the .a files in the leaked CTR_SDK libraries folder.
    I attached an extract_all_nnlibs.sh that can do this job under msys. You may need to change the hard-coded path to match your own HDD.

    Then you can make a signature file for each obj file which contains a _ZN2nn3svc15SendSyncRequestENS_6HandleE call (I use 010 Editor's "find in files" to figure them out) using nnsvc_sigmaker3.py, and load the signatures using nncvc_matchsig3.py on your exefs.elf database.

    Here is some log output from MH4G.idb.

    Code:
    segbegin: 0x00100000, segend: 0x00DC0000, segname: .text
    0x0010859C _ZN2nn6applet3CTR6detail6APPLET10InitializeEjjPNS_6HandleES5_ is already renamed.
    0x001085EC sub_1085EC -> _ZN2nn6applet3CTR6detail6APPLET13GetLockHandleEPNS_6HandleEjPjS6_ .
    0x0010AFF4 sub_10AFF4 -> _ZN2nn6applet3CTR6detail6APPLET12IsRegisteredEjPb .
    0x0010B038 sub_10B038 -> _ZN2nn6applet3CTR6detail6APPLET16CloseApplicationEPKhjNS_6HandleE .
    0x0010B08C sub_10B08C -> _ZN2nn6applet3CTR6detail6APPLET19CancelLibraryAppletEb .
    0x0010B0C8 sub_10B0C8 -> _ZN2nn6applet3CTR6detail6APPLET25PrepareToCloseApplicationEb .
    0x0010B104 sub_10B104 -> _ZN2nn6applet3CTR6detail6APPLET26SetApplicationCpuTimeLimitEii .
    BL other sub routines from 0x0010C980 to 0x0010D508 (sub_10D508)
    0x0010D038 sub_10D038 -> _ZN2nn6applet3CTR6detail6APPLET11SleepSystemEy .
    0x0010D070 sub_10D070 -> _ZN2nn6applet3CTR6detail6APPLET19InquireNotificationEjPNS1_12NotificationE .
    BL other sub routines from 0x0010DE8C to 0x0010EA8C (sub_10EA8C)
    0x0010E31C sub_10E31C -> _ZN2nn6applet3CTR6detail6APPLET12NotifyToWaitEj .
    0x0010E354 sub_10E354 -> _ZN2nn6applet3CTR6detail6APPLET13SendParameterEjjjPKhjNS_6HandleE .
    0x0010E3AC sub_10E3AC -> _ZN2nn6applet3CTR6detail6APPLET15CancelParameterEbjbjPb .
    0x0010E408 sub_10E408 -> _ZN2nn6applet3CTR6detail6APPLET15GlanceParameterEPjjS4_PhjPiPNS_6HandleE .
    0x0010E494 sub_10E494 -> _ZN2nn6applet3CTR6detail6APPLET15ReplySleepQueryEjNS1_10QueryReplyE .
    0x0010E4D8 sub_10E4D8 -> _ZN2nn6applet3CTR6detail6APPLET30ReplySleepNotificationCompleteEj .
    0x0010F7B0 sub_10F7B0 -> _ZN2nn6applet3CTR6detail6APPLET13AppletUtilityEjPKhjPhjPi .
    0x0010F82C sub_10F82C -> _ZN2nn6applet3CTR6detail6APPLET16ReceiveParameterEPjjS4_PhjPiPNS_6HandleE .
    0x00462544 _ZN2nn2ir3CTR6detail5Irnop19ReleaseReceivedDataEi vs _ZN2nn6applet3CTR6detail6APPLET26PrepareToStartSystemAppletEj wrong exists name?!
    BL other sub routines from 0x005118D0 to 0x00300824 (__aeabi_memcpy)
    0x005118E0 sub_5118E0 -> _ZN2nn6applet3CTR6detail6APPLET23OrderToCloseApplicationEv .
    BL other sub routines from 0x00511A70 to 0x003030D0 (strlen)
    BL other sub routines from 0x00511E1C to 0x00300824 (__aeabi_memcpy)
    BL other sub routines from 0x00511FA0 to 0x003030D0 (strlen)
    0x0054923C sub_54923C -> _ZN2nn6applet3CTR6detail6APPLET26PrepareToCloseSystemAppletEv .
    0x0054926C sub_54926C -> _ZN2nn6applet3CTR6detail6APPLET23PrepareToJumpToHomeMenuEv .
    BL other sub routines from 0x0054DB00 to 0x0010F770 (sub_10F770)
    BL other sub routines from 0x0054DB7C to 0x0010F770 (sub_10F770)
    BL other sub routines from 0x0054DCA8 to 0x0010F770 (sub_10F770)
    0x0054F79C sub_54F79C -> _ZN2nn6applet3CTR6detail6APPLET14JumpToHomeMenuEPKhjNS_6HandleE .
    0x0054F7F0 sub_54F7F0 -> _ZN2nn6applet3CTR6detail6APPLET16GetAppletManInfoENS1_9AppletPosEPS4_PjS6_S6_ .
    0x0054F860 sub_54F860 -> _ZN2nn6applet3CTR6detail6APPLET17DoApplicationJumpEPKhjS5_j .
    0x0054F8C4 sub_54F8C4 -> _ZN2nn6applet3CTR6detail6APPLET17StartSystemAppletEjPKhjNS_6HandleE .
    0x0054F914 sub_54F914 -> _ZN2nn6applet3CTR6detail6APPLET18StartLibraryAppletEjPKhjNS_6HandleE .
    0x0054F964 sub_54F964 -> _ZN2nn6applet3CTR6detail6APPLET21SendCaptureBufferInfoEPKhj .
    0x0054F9B0 sub_54F9B0 is duplicate with 0x0054926C _ZN2nn6applet3CTR6detail6APPLET23PrepareToJumpToHomeMenuEv .
    0x0054FA20 sub_54FA20 -> _ZN2nn6applet3CTR6detail6APPLET26PrepareToDoApplicationJumpENS1_11AppJumpTypeEyNS_2fs9MediaTypeE .
    0x0054FA6C sub_54FA6C -> _ZN2nn6applet3CTR6detail6APPLET26PrepareToStartSystemAppletEj .
    0x0054FAA4 sub_54FAA4 -> _ZN2nn6applet3CTR6detail6APPLET27PrepareToStartLibraryAppletEj .
    0x0054FADC sub_54FADC -> _ZN2nn6applet3CTR6detail6APPLET6EnableEj .
    BL other sub routines from 0x00558DA8 to 0x00CE6F98 (__ARM_common_memcpy4_5)
    segbegin: 0x00DC0000, segend: 0x00E91000, segname: .rodata
     
    Database has been saved
    segbegin: 0x00100000, segend: 0x00DC0000, segname: .text
    0x00106B50 sub_106B50 -> _ZN2nn3srv6detail7Service14RegisterClientEv
    0x00108070 sub_108070 -> _ZN2nn3srv6detail7Service18EnableNotificationEPNS_6HandleE
    0x0010A0CC sub_10A0CC -> _ZN2nn3srv6detail7Service19ReceiveNotificationEPj
    0x0010A108 sub_10A108 -> _ZN2nn3srv6detail7Service9SubscribeEj
    BL other sub routines from 0x0010C980 to 0x0010D508 (__ARM_common_memcpy4_8)
    0x0010C958 sub_10C958 -> _ZN2nn3srv6detail7Service16GetServiceHandleEPNS_6HandleEPKcij
    BL other sub routines from 0x0010DE8C to 0x0010EA8C (sub_10EA8C)
    BL other sub routines from 0x005118D0 to 0x00300824 (__aeabi_memcpy)
    BL other sub routines from 0x00511A70 to 0x003030D0 (strlen)
    BL other sub routines from 0x00511E1C to 0x00300824 (__aeabi_memcpy)
    BL other sub routines from 0x00511FA0 to 0x003030D0 (strlen)
    0x00545A8C sub_545A8C -> _ZN2nn3srv6detail7Service11UnsubscribeEj
    0x00545AC4 sub_545AC4 -> _ZN2nn3srv6detail7Service19PublishToSubscriberEjj
    BL other sub routines from 0x0054DB00 to 0x0010F770 (sub_10F770)
    BL other sub routines from 0x0054DB7C to 0x0010F770 (sub_10F770)
    BL other sub routines from 0x0054DCA8 to 0x0010F770 (sub_10F770)
    BL other sub routines from 0x00558DA8 to 0x00CE6F98 (__ARM_common_memcpy4_5)
    segbegin: 0x00DC0000, segend: 0x00E91000, segname: .rodata
    
    Functions with the same request number (stored to Rx+0x80) and the same branch targets will be matched.

    TODO: add CloseHandle for SVC 0x23 to support fs_UserFileSystem.o
     

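    A small IDA-free model of the matching rule in the post above, added here as an example (it is not banxian's script): a function's signature is the IPC request header stored at [Rx,#0x80] plus its ordered BL targets, and SDK symbol names are copied onto sub_XXXX functions whose signature agrees. It goes one step beyond the post by treating an inlined SVC 0x32 as the same callee as a BL to nn::svc::SendSyncRequest, which is exactly the case BinDiff scores badly. The instruction listings and request header values are constructed for the demo; sub_10A108 and sub_545A8C are the names from the log, sub_545B00 is made up.

```python
import re

MOV_RE = re.compile(r"^MOV\s+(R\d+),\s*#(0x[0-9A-Fa-f]+)$", re.I)
STR_RE = re.compile(r"^STR\s+(R\d+),\s*\[R\d+,\s*#0x80\]$", re.I)
BL_RE = re.compile(r"^BL\s+(\S+)$")
SVC_RE = re.compile(r"^SVC\s+#?0x32$", re.I)          # inlined SendSyncRequest
SEND_SYNC = "_ZN2nn3svc15SendSyncRequestENS_6HandleE"

def signature(insns):
    """(request header stored at [Rx,#0x80], ordered callees) or None if no header."""
    regs, header, callees = {}, None, []
    for insn in insns:
        if m := MOV_RE.match(insn.strip()):
            regs[m.group(1).upper()] = int(m.group(2), 16)   # track immediates per register
        elif m := STR_RE.match(insn.strip()):
            header = regs.get(m.group(1).upper())            # the IPC command word
        elif m := BL_RE.match(insn.strip()):
            callees.append(m.group(1))
        elif SVC_RE.match(insn.strip()):
            callees.append(SEND_SYNC)                        # normalise inlined SVC to the symbol
    return None if header is None else (header, tuple(callees))

def match(lib, db):
    """lib/db map function name -> instruction list. Returns (renames, log lines)."""
    by_sig, renames, log = {}, {}, []
    for name, insns in db.items():
        if (sig := signature(insns)) is not None:
            by_sig.setdefault(sig, []).append(name)
    for sym, insns in lib.items():
        for cand in by_sig.get(signature(insns), []):
            if not cand.startswith("sub_"):
                log.append(f"{cand} is already renamed.")
            elif sym in renames.values():
                first = next(k for k, v in renames.items() if v == sym)
                log.append(f"{cand} is duplicate with {first} {sym}.")
            else:
                renames[cand] = sym
                log.append(f"{cand} -> {sym}")
    return renames, log

# Constructed listings (hypothetical headers 0x10040 / 0x20040 / 0x30040, not real nn::srv values).
LIB = {
    "_ZN2nn3srv6detail7Service9SubscribeEj":   ["MOV R1, #0x10040", "STR R1, [R0,#0x80]", f"BL {SEND_SYNC}"],
    "_ZN2nn3srv6detail7Service11UnsubscribeEj": ["MOV R1, #0x20040", "STR R1, [R0,#0x80]", f"BL {SEND_SYNC}"],
}
DB = {
    "sub_10A108": ["MOV R2, #0x10040", "STR R2, [R3,#0x80]", "SVC 0x32"],          # inlined, still matches
    "sub_545A8C": ["MOV R1, #0x20040", "STR R1, [R0,#0x80]", f"BL {SEND_SYNC}"],
    "sub_545B00": ["MOV R1, #0x20040", "STR R1, [R0,#0x80]", f"BL {SEND_SYNC}"],   # duplicate body
    "sub_1085EC": ["MOV R1, #0x30040", "STR R1, [R0,#0x80]", "BL strlen", "SVC 0x32"],  # no SDK twin
}

def run_demo():
    return match(LIB, DB)
```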
  2. NCDyson

    NCDyson Hello Boys...

    Member
    Nov 9, 2009
    United States
    What version of IDA Pro are you using this with? I'm getting an error:

    Code:
    File "nncvc_matchsig3.py", line 210, in main
        hx = binascii.hexlify(item['stickysig'])
    TypeError: b2a_hex() argument 1 must be string or read-only buffer, not bytearray
    and I don't feel like poking around in your code.
     
  3. banxian
    OP

    banxian Member

    Newcomer
    Oct 30, 2014
    Switzerland
    IDA Pro 6.6, IDAPython 1.7.0 Final, Python 2.7.3 32-bit.
    I can verify it in the Python command line by typing binascii.hexlify(bytearray([1,2,3,4])):

    Code:
    >>> repr(bytearray([1,2,3,4]))
    "bytearray(b'\\x01\\x02\\x03\\x04')"
    >>> import binascii
    >>> binascii.hexlify(bytearray([1,2,3,4]))
    '01020304'
    >>> binascii.hexlify(str(bytearray([1,2,3,4])))
    '01020304'
    >>>
    Here is a quick workaround for this, but I think there may be something wrong in Python itself.

    hx = binascii.hexlify(str(item['stickysig']))
    I found this on the Python website:
    Note
    a2b_* functions accept Unicode strings containing only ASCII characters. Other functions only accept bytes-like objects (such as bytes, bytearray and other objects that support the buffer protocol).