cea-sec / miasm

Reverse engineering framework in Python
https://miasm.re/
GNU General Public License v2.0

Disassemble a MIPS 32bit ELF executable #562

Closed vinatgit closed 7 years ago

vinatgit commented 7 years ago

I have a MIPS 32-bit ELF executable but I can't really figure out how to disassemble it. No matter what start address I provide, I'm always getting the following warnings:

WARNING: cannot disasm (guess) at 400930
WARNING: cannot disasm at 400930

I'm trying to go through this blog post, https://doar-e.github.io/blog/2014/10/11/taiming-a-wild-nanomite-protected-mips-binary-with-symbolic-execution-no-such-crackme/ , but I'm stuck on the first example (I can get the binary stream of crackmips using bin_stream_str; I need help with disassembling).

serpilliere commented 7 years ago

Hi! I am trying to "guess" your trouble: the "nop" in mips32 is "\x00\x00\x00\x00", and Miasm has an option (like IDA for some architectures) to not disassemble nul-starting basic blocks.

So if you disassemble a binary on mips which has a nop-starting basic block, it will stop disassembling. To override this behaviour, you can use the -z option to allow disassembling a nul-starting block. For example:

python2 miasm/example/disasm/full.py  busybox-mips -z

An empty response from you will be taken as a positive result :smile:

vinatgit commented 7 years ago

I want to disassemble a basic block using miasm, but it disassembles correctly using full.py. I tried using the -z option, but I guess it isn't the problem here. My code for it is as follows:

import sys

from miasm2.analysis.machine import Machine
from miasm2.core.bin_stream import bin_stream_str

# Python 2 / miasm2 API. Read the file in binary mode so no bytes are
# altered on the way in; bin_stream_str wraps the raw file content as a
# flat byte string indexed from 0.
with open(sys.argv[1], "rb") as fdesc:
    bs = bin_stream_str(fdesc.read())

# Explicit architecture: MIPS32, little-endian
machine = Machine("mips32l")
dis_engine = machine.dis_engine

mdis = dis_engine(bs)

# Do not follow into 0x00400938; disassemble the block at 0x00400930
mdis.dont_dis = [0x00400938]
block = mdis.dis_bloc(0x00400930)

for i in map(str, block.lines):
    print i

Also, when I run the following command:

python ../miasm/example/disasm/full.py -m mips32l crackmips

I get this flow: nowatchdog

serpilliere commented 7 years ago

Hi!

Yes, you used the bin_stream_str which is used to work on str input (str like in shellcode, no format like PE or ELF).

If you work on ELF or PE, I advise you to use the Container API:

import sys

from miasm2.analysis.machine import Machine
from miasm2.analysis.binary import Container

# Python 2 / miasm2 API. Container parses the ELF (or PE) and exposes a
# bin_stream whose offsets are the binary's virtual addresses, not raw
# file offsets. Open in binary mode so the bytes are passed through intact.
with open(sys.argv[1], "rb") as fdesc:
    cont = Container.from_stream(fdesc)

bs = cont.bin_stream

machine = Machine("mips32l")
dis_engine = machine.dis_engine

mdis = dis_engine(bs)

# Do not follow into 0x00400938; disassemble the block at virtual
# address 0x00400930
mdis.dont_dis = [0x00400938]
block = mdis.dis_bloc(0x00400930)

for i in map(str, block.lines):
    print i

Output:

ADDU       ZERO, RA, ZERO
BAL        loc_000000000040093C:0x0040093c

By the way, as the Container reads the ELF, the architecture of the ELF is contained in the returned object, so it saves you from having to give the architecture. You can write:

...
machine = Machine(cont.arch)
...

Is it ok for you?
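
As an added example (not code from the miasm project or from anyone in this thread), the following self-contained Python 3 script shows why the two approaches above behave differently: a raw-string stream indexes the file from byte 0, while a Container maps the ELF's virtual addresses onto file offsets through the program headers and takes the architecture from the ELF header. It builds a constructed ELF32 little-endian MIPS image in memory carrying the two instructions from the output above plus a nop in the branch delay slot, and it also applies the zero-word check behind the "nul-starting block" heuristic described in the first reply. All function names (build_sample_elf, elf_arch, va_to_offset, raw_read, words_at_va, is_nul_starting_block) are this example's own and assume nothing about miasm internals; the MIPS encodings are taken from the MIPS32 ISA and the ELF layout from the ELF32 specification.

```python
import struct

EM_MIPS = 8                                   # e_machine value for MIPS
PT_LOAD = 1
ELFCLASS32, ELFDATA2LSB, ELFDATA2MSB = 1, 1, 2
EHDR_FMT = "16sHHIIIIIHHHHHH"                 # Elf32_Ehdr, 52 bytes
PHDR_FMT = "IIIIIIII"                         # Elf32_Phdr, 32 bytes


def build_sample_elf():
    """Constructed sample (not a real binary): minimal ELF32 MIPS LE image
    with one PT_LOAD segment mapping file offset 0 to VA 0x400000, so that
    VA 0x400930 lives at file offset 0x930.  The code there is the block
    from the thread, followed by a nop (0x00000000) in the delay slot."""
    base, code_va = 0x400000, 0x400930
    code = struct.pack("<III",
                       0x03E00021,   # addu $zero, $ra, $zero
                       0x04110001,   # bal  0x40093c (offset +1 word from PC+4)
                       0x00000000)   # nop  (sll $zero, $zero, 0)
    size = code_va - base + len(code)
    ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack("<" + EHDR_FMT, ident, 2, EM_MIPS, 1, code_va,
                       52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<" + PHDR_FMT, PT_LOAD, 0, base, base,
                       size, size, 5, 0x1000)
    img = bytearray(size)
    img[:52] = ehdr
    img[52:84] = phdr
    img[code_va - base:] = code
    return bytes(img)


def elf_endian(data):
    """struct byte-order prefix taken from e_ident[EI_DATA]."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    return {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}[data[5]]


def elf_arch(data):
    """Derive the machine name from the header, the way a container object
    spares you from passing it by hand.  Only the two MIPS32 names used in
    the thread are mapped here."""
    end = elf_endian(data)
    e_machine = struct.unpack_from(end + EHDR_FMT, data, 0)[2]
    if e_machine != EM_MIPS or data[4] != ELFCLASS32:
        raise ValueError("unsupported e_machine/class %d/%d" % (e_machine, data[4]))
    return "mips32l" if end == "<" else "mips32b"


def va_to_offset(data, va):
    """Map a virtual address to a file offset via the PT_LOAD program
    headers; None when the VA is not backed by bytes in the file."""
    end = elf_endian(data)
    fields = struct.unpack_from(end + EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(
            end + PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= va < p_vaddr + p_filesz:
            return p_offset + (va - p_vaddr)
    return None


def raw_read(data, offset, n):
    """What a raw string stream sees: the file as flat bytes indexed from 0.
    Feeding it a VA reads past the end of a small file (empty result) or
    the wrong bytes of a large one."""
    return data[offset:offset + n]


def words_at_va(data, va, n):
    """What a container-backed stream gives you: n 32-bit words at a VA,
    decoded with the ELF's own byte order."""
    off = va_to_offset(data, va)
    if off is None or off + 4 * n > len(data):
        raise IOError("cannot read at 0x%x" % va)
    return list(struct.unpack_from(elf_endian(data) + "%dI" % n, data, off))


def is_nul_starting_block(data, va):
    """The check behind the heuristic from the thread: a block whose first
    word is 0x00000000 (MIPS nop) is a candidate for being skipped."""
    return words_at_va(data, va, 1)[0] == 0


SAMPLE_ELF = build_sample_elf()

if __name__ == "__main__":
    print("arch:", elf_arch(SAMPLE_ELF))
    print("raw read at VA 0x400930:", raw_read(SAMPLE_ELF, 0x400930, 4))
    print("file offset of VA 0x400930: 0x%x" % va_to_offset(SAMPLE_ELF, 0x400930))
    print("words at VA 0x400930:", [hex(w) for w in words_at_va(SAMPLE_ELF, 0x400930, 3)])
    print("0x400938 nul-starting:", is_nul_starting_block(SAMPLE_ELF, 0x400938))
```

Run it as a script to see the contrast: the raw read at 0x400930 comes back empty because the constructed file is only 0x93C bytes long, which is exactly the situation that produces "cannot disasm at 400930" when a virtual address is handed to a stream that only knows file offsets, while the header-aware path returns the addu/bal pair and flags the zero word at 0x400938.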

vinatgit commented 7 years ago

Hey! Thanks a lot for the quick and detailed responses, I realised my mistake.