PC relative search for newest kernels from MuscleNerd

commit 1f8c5207cf783ed2f87cd0a6a5fae7655648caff 1 parent a7ba631
pod2g authored February 08, 2013
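--- a/idc-ios-boot-args/README
+++ b/idc-ios-boot-args/README
@@ -286,4 +286,4 @@ Sample output:
 80A03166 boot-arg: cameraclocks
 80A03248 boot-arg: torchcltm0
 
-~pod2g
+~MuscleNerd, ~pod2g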
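--- a/idc-ios-boot-args/idc-ios-boot-args.idc
+++ b/idc-ios-boot-args/idc-ios-boot-args.idc
@@ -1,21 +1,72 @@
-// idc-ios-boot-args.idc ~pod2g 2013
+// MuscleNerd, based on ida scripts from KennyTM~ and ~pod2g
 
 #include <idc.idc>
 
+static update(ea, reg)
+{
+  auto opcode, instr, val;
+  val = 0;
+  opcode = GetMnem(ea);
+  instr = DecodeInstruction(ea);
+  if (instr[0].type == o_reg && instr[0].reg == reg) {
+    if (opcode == "MOVT" || opcode == "movt") {
+      if (instr[1].type == o_imm && instr[1].value != 0)
+	val = instr[1].value << 16;
+    } else if (opcode == "MOV" || opcode == "mov" || opcode == "MOVW" || opcode == "movw") {
+      if (instr[1].type == o_imm)
+	val = instr[1].value;
+    } else if (opcode == "LDR" || opcode == "ldr") {
+      val = Dword(GetOperandValue(ea, 1));
+    }
+  }
+  //if (val) Message("%X %s added %x\n", ea, opcode, val);
+  return val;
+}
+
+static backtrack_update(reg, start, min)
+{
+  auto ea, pc_addr, val, cur, found, prev;
+  pc_addr = start + (GetReg(start, "T") ? 4 : 8);
+  val = 0;  found = 0;  prev = 0;
+  for (ea = start; (ea!=BADADDR && ea>min); ea = PrevHead(ea, min)) {
+    cur = update(ea, reg);
+    if (cur) {
+      val = val + cur;
+      prev = cur;
+      found = found + 1;
+      if (found==2 || ((cur & 0xffff) && (cur && 0xffff0000))) {
+	val = val + pc_addr;
+	//Message("After %d ops, add PC to get 0x%x\n", found, val);
+	return val;
+      }
+    }
+  }
+  Message("Failed to find R0 for %X\n", start);
+  return 0;
+}
+
 static main() {
-	auto ref, i, instr, symb;
-	symb = LocByName("_PE_parse_boot_argn");
-	ref = RfirstB(symb);
-	
-	while (ref != BADADDR) {
-		instr = ref;
-		for (i = 0; i < 10; i = i + 1) {
-			instr = PrevHead(instr, instr - 0x40); // up one instr
-			if (GetMnem(instr) == "LDR" && GetOpnd(instr, 0) == "R0") {
-				Message("%X boot-arg: %s\n", ref, GetString(Dword(GetOperandValue(instr, 1)), -1, 0));
-				break;
-			}
-		}
-		ref = RnextB(symb, ref);
-	}
+  auto ref, i, instr, symb, reg, val;
+  symb = LocByName("_PE_parse_boot_argn");
+  if (symb == BADADDR) {
+    Message("Couldn't find _PE_parse_boot_argn() in this database\n");
+    return;
+  }
+  Message("_PE_parse_boot_argn() is at %X\n", symb);
+  ref = RfirstB(symb);
+  while (ref != BADADDR) {
+    instr = ref;
+    for (i = 0; i < 20; i = i + 1) {
+      instr = PrevHead(instr, instr - 0x40); // up one instr
+      if ((GetMnem(instr) == "LDR" && GetOpnd(instr, 0) == "R0")) {
+	Message("%X boot-arg: %s\n", ref, GetString(Dword(GetOperandValue(instr, 1)), -1, 0));
+	break;
+      } else if (GetMnem(instr) == "ADD" && GetOpnd(instr, 0) == "R0") {
+	val = backtrack_update(0, instr, instr-100);
+	Message("%X boot-arg: %s\n", ref, GetString(val, -1, 0));
+	break;
+      }
+    }
+    ref = RnextB(symb, ref);
+  }
 }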
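Review bot: The stop condition in backtrack_update, `if (found==2 || ((cur & 0xffff) && (cur && 0xffff0000)))`, uses logical `&&` where a bitwise `&` is clearly meant for the high-half test; because `cur` is already non-zero inside `if (cur)`, the right operand is always true and the whole test collapses to `cur & 0xffff`. A MOVW (low half only) met before its matching MOVT — possible if the compiler emits them in that order, or if the walk starts between them — therefore returns `val + pc_addr` after a single instruction and drops the upper 16 bits of the string address. The intended line is `if (found==2 || ((cur & 0xffff) && (cur & 0xffff0000))) {`. Separately, update() returns 0 for a non-immediate write to the register (a register-to-register MOV, for instance), so backtrack_update walks past such a clobber as though it had not happened; whether that pattern occurs in these kernels I can't tell from here, so a comment stating the assumption would help. Finally, when backtrack_update fails it returns 0 and main still calls `GetString(val, -1, 0)` and prints a boot-arg line for it; guarding the Message with `if (val)` would keep the sample output trustworthy.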
