Skip to content

Commit

Permalink
Use cmdj instead of cmd #6
Browse files Browse the repository at this point in the history
  • Loading branch information
@dark-lbp
dark-lbp committed Oct 18, 2019
1 parent 9879eb8 commit 267d185
Show file tree
Hide file tree
Showing 2 changed files with 47 additions and 32 deletions.
39 changes: 23 additions & 16 deletions firmware_tools/vxhunter_r2_py2.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -653,6 +653,7 @@ def demangle_function(demangle_string):
def autodetect_vxworks_version(r2p):
''' Naive way to autodetect VxWorks version '''
vx_version = None
# TODO: replace with cmdj and izzzj later, currently izzzj is not stable.
vx_version_r2p = r2p.cmd("izz~VxWorks")
if 'VxWorks5' in vx_version_r2p:
vx_version = 5
Expand Down Expand Up @@ -705,10 +706,9 @@ def manual_vxworks_version():
print("vx_version:{}".format(vx_version))

# only use first file
opened_file_data = r2p.cmd("o*")
firmware_path = r2p.cmd("o*").split()[1]
opened_file_data = r2p.cmdj("oj*")[0]
firmware_path = opened_file_data['uri']
print("firmware_path: {}".format(firmware_path))
current_load_address = r2p.cmd("o*").split()[2]

firmware = open(firmware_path, 'rb').read()
target = VxTarget(firmware=firmware, vx_version=vx_version)
Expand Down Expand Up @@ -736,7 +736,8 @@ def manual_vxworks_version():
# close all open files
r2p.cmd("o--")
# backup current asm bits
current_asm_bits = r2p.cmd("e asm.bits")
current_conf = r2p.cmdj("ej")
current_asm_bits = current_conf['asm.bits']
# map image to correct load address
r2_command = "o {} {} r-x".format(firmware_path, hex(image_load_address))
print("Rebase with r2 command: {}".format(r2_command))
Expand Down Expand Up @@ -764,12 +765,12 @@ def manual_vxworks_version():
while ea < symbol_table_end_address:
symbol_name_string = None
offset = 4
r2_command = "pv4 @0x{:08X}".format(ea + symbol_interval - 4)
symbol_flag = int(r2p.cmd(r2_command).strip('\n'), 16)
r2_command = "pv4 @0x{:08X}".format(ea + offset)
symbol_name_address = int(r2p.cmd(r2_command).strip('\n'), 16)
r2_command = "pv4 @0x{:08X}".format(ea + offset + 4)
symbol_dest_address = int(r2p.cmd(r2_command).strip('\n'), 16)
r2_command = "pv4j @0x{:08X}".format(ea + symbol_interval - 4)
symbol_flag = r2p.cmdj(r2_command)[0]['value']
r2_command = "pv4j @0x{:08X}".format(ea + offset)
symbol_name_address = r2p.cmdj(r2_command)[0]['value']
r2_command = "pv4j @0x{:08X}".format(ea + offset + 4)
symbol_dest_address = r2p.cmdj(r2_command)[0]['value']
# print("symbol_flag: 0x{:08X}".format(symbol_flag))
# print("symbol_name_address: 0x{:08X}".format(symbol_name_address))
# print("symbol_dest_address: 0x{:08X}".format(symbol_dest_address))
Expand All @@ -779,9 +780,8 @@ def manual_vxworks_version():

# Get symbol name
try:
r2_command = "pvz @0x{:08X}".format(symbol_name_address)
symbol_name_string = r2p.cmd(r2_command).strip('\n')
# print("symbol_name_string: {}".format(symbol_name_string))
r2_command = "pszj @0x{:08X}".format(symbol_name_address)
symbol_name_string = r2p.cmdj(r2_command)['string']

except Exception as err:
print("Exception: {}".format(err))
Expand All @@ -804,7 +804,14 @@ def manual_vxworks_version():
# Need find how to do it.
ea += symbol_interval

r2_command = "?E3 Finished, let's see how many functions we found ^_^"
flags = r2p.cmdj("fsj")
function_count = 0
symbol_count = 0
for flag in flags:
if flag['name'] == "functions":
function_count = flag["count"]
elif flag['name'] == "symbols":
symbol_count = flag["count"]

r2_command = "?E3 Finished, VxHunter found {} functions and {} symbols ^_^".format(function_count, symbol_count)
print("\n{}".format(r2p.cmd(r2_command)))
flags = r2p.cmd("fs")
print(flags)
40 changes: 24 additions & 16 deletions firmware_tools/vxhunter_r2_py3.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -656,6 +656,7 @@ def demangle_function(demangle_string):
def autodetect_vxworks_version(r2p):
''' Naive way to autodetect VxWorks version '''
vx_version = None
# TODO: replace with cmdj and izzzj later, currently izzzj is not stable.

This comment has been minimized.

Sign in to view

Copy link
@Maijin

Maijin Oct 31, 2019

Use izzj and open an issue in the radare2 tracker with that information because that's a critical command of radare2

This comment has been minimized.

Sign in to view

Copy link
@dark-lbp

dark-lbp Oct 31, 2019

Author Contributor

Issue opened radareorg/radare2#15392

This comment has been minimized.

Sign in to view

Copy link
@Maijin

Maijin Oct 31, 2019

thanks!
vx_version_r2p = r2p.cmd("izz~VxWorks")
if 'VxWorks5' in vx_version_r2p:
vx_version = 5
Expand Down Expand Up @@ -708,10 +709,9 @@ def manual_vxworks_version():
print("vx_version:{}".format(vx_version))

# only use first file
opened_file_data = r2p.cmd("o*")
firmware_path = r2p.cmd("o*").split()[1]
opened_file_data = r2p.cmdj("oj*")[0]
firmware_path = opened_file_data['uri']
print("firmware_path: {}".format(firmware_path))
current_load_address = r2p.cmd("o*").split()[2]

firmware = open(firmware_path, 'rb').read()
target = VxTarget(firmware=firmware, vx_version=vx_version)
Expand Down Expand Up @@ -739,7 +739,9 @@ def manual_vxworks_version():
# close all open files
r2p.cmd("o--")
# backup current asm bits
current_asm_bits = r2p.cmd("e asm.bits")
current_conf = r2p.cmdj("ej")
current_asm_bits = current_conf['asm.bits']
print('Current asm.bits={}'.format(current_asm_bits))
# map image to correct load address
r2_command = "o {} {} r-x".format(firmware_path, hex(image_load_address))
print("Rebase with r2 command: {}".format(r2_command))
Expand Down Expand Up @@ -767,12 +769,12 @@ def manual_vxworks_version():
while ea < symbol_table_end_address:
symbol_name_string = None
offset = 4
r2_command = "pv4 @0x{:08X}".format(ea + symbol_interval - 4)
symbol_flag = int(r2p.cmd(r2_command).strip('\n'), 16)
r2_command = "pv4 @0x{:08X}".format(ea + offset)
symbol_name_address = int(r2p.cmd(r2_command).strip('\n'), 16)
r2_command = "pv4 @0x{:08X}".format(ea + offset + 4)
symbol_dest_address = int(r2p.cmd(r2_command).strip('\n'), 16)
r2_command = "pv4j @0x{:08X}".format(ea + symbol_interval - 4)
symbol_flag = r2p.cmdj(r2_command)[0]['value']
r2_command = "pv4j @0x{:08X}".format(ea + offset)
symbol_name_address = r2p.cmdj(r2_command)[0]['value']
r2_command = "pv4j @0x{:08X}".format(ea + offset + 4)
symbol_dest_address = r2p.cmdj(r2_command)[0]['value']
# print("symbol_flag: 0x{:08X}".format(symbol_flag))
# print("symbol_name_address: 0x{:08X}".format(symbol_name_address))
# print("symbol_dest_address: 0x{:08X}".format(symbol_dest_address))
Expand All @@ -782,9 +784,8 @@ def manual_vxworks_version():

# Get symbol name
try:
r2_command = "pvz @0x{:08X}".format(symbol_name_address)
symbol_name_string = r2p.cmd(r2_command).strip('\n')
# print("symbol_name_string: {}".format(symbol_name_string))
r2_command = "pszj @0x{:08X}".format(symbol_name_address)
symbol_name_string = r2p.cmdj(r2_command)['string']

except Exception as err:
print("Exception: {}".format(err))
Expand All @@ -807,7 +808,14 @@ def manual_vxworks_version():
# Need find how to do it.
ea += symbol_interval

r2_command = "?E3 Finished, let's see how many functions we found ^_^"
flags = r2p.cmdj("fsj")
function_count = 0
symbol_count = 0
for flag in flags:
if flag['name'] == "functions":
function_count = flag["count"]
elif flag['name'] == "symbols":
symbol_count = flag["count"]

r2_command = "?E3 Finished, VxHunter found {} functions and {} symbols ^_^".format(function_count, symbol_count)
print("\n{}".format(r2p.cmd(r2_command)))
flags = r2p.cmd("fs")
print(flags)

0 comments on commit 267d185

Please sign in to comment.