search

cea-sec / Sibyl

A Miasm2 based function divination.
Other
531 stars 55 forks source link

Can not dissamble and find function that is here:( #89

Closed Vitaly-Protasov closed 5 years ago

Vitaly-Protasov commented 5 years ago

Hi, I faced the question that i can't solve. Yeah, it is a firmware. First, that i want to start is why sibyl can not even launch test at some addresses? For example, I launch sibyl for one address and after debugging I guessed that launch_tests was not started:


**sibyl find -p -v -t string task 0x103D0                                                                      
Guessed architecture: arml
Found 1 addresses
Found 3 test cases
1 / 1
Address  | Candidates**

After debugging I figured out that, for addresses, which sibyl can work with, in emulation process(qemu), unicorn returned END_ADDR of emulation ( 0x1337babe), 


**> /home/vitalym60/.local/lib/python2.7/site-packages/unicorn/unicorn.py(340)reg_read()->322419390L
-> return reg.value
(Pdb) s
--Return--
> /usr/local/lib/python2.7/dist-packages/sibyl/engine/qemu.py(226)__getattr__()->322419390L
-> return self.mu.reg_read(self.pc_reg_value)
(Pdb) getattr(self.cpu, self.ira.pc.name)
322419390L**

and after it, tests are launched. But for some functions( example above), unicorn return only started address and emulation stopped and tests for guessing wouldn't be started:

if getattr(self.cpu, self.ira.pc.name) != END_ADDR:
   raise UnexpectedStopException()

Because of that sibyl can't find function that is there, for example: IDA shows that at ROM:00182412 memcpy AND after decompiling this function in pseudo C code and building in binary - sibyl detect memcpy. But now:

 **~/Downloads/test  sibyl find -p -v -j python -t string -a arml ware.bin 0x00182412                                    
Found 1 addresses
Found 3 test cases
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
1 / 1
Address  | Candidates  

 ~/Downloads/test  sibyl find -p -v -j qemu -t string -a arml ware.bin 0x00182412                                      
Found 1 addresses
Found 3 test cases
1 / 1
Address  | Candidates**  

 ~/Downloads/test  sibyl find -p -v -j gcc -t string -a arml ware.bin 0x00182412                                   
Found 1 addresses
Found 3 test cases
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
WARNING: cannot disasm at 182412
1 / 1
Address  | Candidates

Exactly for this binary, Sibyl can't find any functions.

What the hell is going on?)

commial commented 5 years ago

Hello,

I'm not sure to correctly understand your issue. Regarding Sibyl running or not with the qemu engine, you can use the verbose_mode API to add tracing capabilities to unicorn (and see if it is actually running or not code).

For the last example, it seems Miasm is unable to disassemble at 0x00182412. Are you sure of the address? What is the format of the file (raw, ELF, PE, ...)? If so, can you dump the bytes at this address?

Vitaly-Protasov commented 5 years ago

Hello, I figured out that this problem txactly with unicorn :(

This file is firmware.

Ofc I' m sure about this address, in ida it looks like memcpy and after exctracting C-code and compyling binary file, sibyl find memcpy.

But for this firmware It returns me some kind of FETCH problem ( UC_ERR_FETCH_UNMAPPED). Due to lucks of knowledge I don't undestand it.

Thanks for your help

Vitaly-Protasov commented 5 years ago

Hello,

I'm not sure to correctly understand your issue. Regarding Sibyl running or not with the qemu engine, you can use the verbose_mode API to add tracing capabilities to unicorn (and see if it is actually running or not code).

For the last example, it seems Miasm is unable to disassemble at 0x00182412. Are you sure of the address? What is the format of the file (raw, ELF, PE, ...)? If so, can you dump the bytes at this address?

If it clearer, Sibyl can't work with binary in Thumb2 mode, because unicorn can't emulate it in right way. May be you know why?

Vitaly-Protasov commented 5 years ago

Regards to https://github.com/cea-sec/miasm/issues/686 and https://github.com/unicorn-engine/unicorn/issues/681 it is the common problem.

Sorry for disturbing. By the way, it's not sibyl's problem :)

commial commented 5 years ago

Yep, the engines on which Sibyl relies may lack a few instructions. It should go better with time, and they are open to contributor if you want to give it a try