IDA plugin to enable nanoMIPS processor support.

Related tags

Integrated Development Environment nmips
Overview

nmips

IDA plugin to enable nanoMIPS processor support. This is not limited to simple disassembly, but fully supports decompilation and even fixes up the stack in certain functions using custom microcode optimizers. It also supports relocations and automatic ELF detection (even though the UI might not show it, it kinda works). Debugging also works thanks to GDB and it also does some other stuff, such as automatic switch detections.

Tested on IDA 7.6.

To see how well it works, with the mipscoder binary from 0CTF, see below :) You can disassemble, decompile and even debug it!

mipscoder main decompiled mipscoder rotate switch mipscoder start disassembled

Installation

OS Download
Linux Download
macOS (ARM might be broken) Download
Windows Download

Download the corresponding version for your OS and put the plugin inside ~/.idapro/plugins. Done! If you open a nanoMIPS ELF file, you should be able to just mash through some of the dialogs and get it working (yes metaPC should work fine if selected and yes it will show unknown arch, that's an IDA limitation unfortunately :/. Just keep mashing enter and you should be good ;)).

If you want to e.g. apply this to a flat binary file, you can instead just load it as a little endian MIPS file. Then, select this plugin from Edit > Plugins > nanoMIPS Processor Support. This will force it on, and it should start to disassemble stuff!

Functionality

Currently, the following works:

  • debugging
  • creating relocations for libraries (e.g. libc) ``
  • decompiling and disassembling (not all instructions are currently implemented)
  • custom hexrays optimizer to fix stack variables being messed up
  • automatic switch statement detection
  • more stuff I probably forgot

NOTE: For debugging to work, you need to modify the gdb config file. Fortunately, this plugin can automatically do this for you. Unfortunately, due to a limitation of the gdb plugin, this will override the normal mips configuration. The plugin can automatically remove the changes again. To automatically change the configuration, either use Edit > Configure GDB for nanoMIPS or Ctrl+Shift+Meta+G.

Implementation

The basic idea behind the plugin is, to still load the binary with the MIPS processor module. The plugin registers a bunch of plugin hooks, so that it can then give IDA the illusion of working on a "normal" MIPS binary. To that end, the binary translates any nanoMIPS instruction into the equivalent MIPS version, or - if it does not exist - implement it itself.

In case the instruction is translated to MIPS, it will be decompiled automatically without any issues (well that is if the operands are correctly set. Quite some instructions have a complex operand encoding inside IDA and don't work out of the box.). Otherwise, decompiler hooks emit the correct hexrays microcode, so that these instructions can also be decompiled correctly.

If you are wondering how most of this was made possible, the answer is simple: A lot of reversing of IDA itself ;). Mostly the GDB and mips plugin, but also libida.

## Building

Make sure you have meson installed. Then inside the plugin directory, just run:

meson setup builddir -Didasdk=$IDA_SDK -Dhexrays_sdk=$IDA_BIN/plugins/hexrays_sdk
meson compile -C builddir

TODOs

  • implement assembler -> actually not possible atm :/
  • fix debugging to be nicer
  • rework plugin to be nicer
You might also like...
IDA Debugger Module to Dynamically Synchronize Memory and Registers with third-party Backends (Tenet, Unicorn, GDB, etc.)
IDA Debugger Module to Dynamically Synchronize Memory and Registers with third-party Backends (Tenet, Unicorn, GDB, etc.)

IDA Debug Bridge IDA Debugger Module to Dynamically Synchronize Memory and Registers with third-party Backends (Tenet, Unicorn, GDB, etc.) By synchron

null 9 Sep 5, 2022
A FREE Windows C development course where we will learn the Win32API and reverse engineer each step utilizing IDA Free in both an x86 and x64 environment.
A FREE Windows C development course where we will learn the Win32API and reverse engineer each step utilizing IDA Free in both an x86 and x64 environment.

FREE Reverse Engineering Self-Study Course HERE Hacking Windows The book and code repo for the FREE Hacking Windows book by Kevin Thomas. FREE Book Do

Kevin Thomas 1.1k Dec 27, 2022
A virtual processor with a unique instruction set written in C++

Processor-Project A virtual processor with an instruction set similar to ARM made in C++. How it works This virtual processor allows the user to write

null 20 May 27, 2022
[WIP] A Riru module tries to enable Magisk hide for isolated processes.

Riru-IsolatedMagiskHider Background Many applications now detect Magisk for security, Magisk provided "Magisk Hide" to prevent detection, but isolated

残页 562 Jan 3, 2023
A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching.
A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching.

WdToggle A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Creden

Outflank B.V. 205 Dec 3, 2022
Want a faster ML processor? Do it yourself! -- A framework for playing with custom opcodes to accelerate TensorFlow Lite for Microcontrollers (TFLM).

CFU Playground Want a faster ML processor? Do it yourself! This project provides a framework that an engineer, intern, or student can use to design an

Google 331 Jan 1, 2023
TensorVox is an application designed to enable user-friendly and lightweight neural speech synthesis in the desktop
TensorVox is an application designed to enable user-friendly and lightweight neural speech synthesis in the desktop

TensorVox is an application designed to enable user-friendly and lightweight neural speech synthesis in the desktop, aimed at increasing accessibility to such technology.

null 143 Dec 15, 2022
jq is a lightweight and flexible command-line JSON processor.

jq is a lightweight and flexible command-line JSON processor.

Stephen Dolan 23.9k Dec 31, 2022
A curated list of awesome things built with the JSON processor and turing-complete functional language jq.
A curated list of awesome things built with the JSON processor and turing-complete functional language jq.

A curated list of awesome things built with the JSON processor and turing-complete functional language jq.

fiatjaf 578 Jan 3, 2023
Enable LoRaWAN communications on your Raspberry Pi Pico or any RP2040 based board. 📡

pico-lorawan Enable LoRaWAN communications on your Raspberry Pi Pico or any RP2040 based board using a Semtech SX1276 radio module. Based on the Semte

Sandeep Mistry 76 Dec 30, 2022
CMake project for BL602 RISC-V processor
CMake project for BL602 RISC-V processor

bl602_cmake_base CMake project for BL602 RISC-V processor How to build NOTE : This project uses a pre-compiled version of the Buffalo SDK (bl_iot_sdk)

null 9 Jan 6, 2022
CERBERUS 2080™, the amazing multi-processor 8-bit microcomputer
CERBERUS 2080™, the amazing multi-processor 8-bit microcomputer

CERBERUS 2080™ CERBERUS 2080™, the amazing multi-processor 8-bit microcomputer: a fully open-source project available for anyone to peruse, build, mod

The Byte Attic 84 Dec 14, 2022
Inter-process communication library to enable allocation between processes/threads and send/receive of allocated regions between producers/consumer processes or threads using this ipc buffer.

This is a relatively simple IPC buffer that allows multiple processes and threads to share a dynamic heap allocator, designate "channels" between processes, and share that memory between producer/consumer pairs on those channels.

RaftLib 8 Aug 20, 2022
This program designed to stress both the processor and memory.

StressTest What it is This program designed to stress both the processor and memory. Firstly it comlete data into memory so the memory load upto 90%(d

null 2 Oct 17, 2021
Enoki: structured vectorization and differentiation on modern processor architectures
Enoki: structured vectorization and differentiation on modern processor architectures

Enoki: structured vectorization and differentiation on modern processor architectures

Mitsuba Physically Based Renderer 1.2k Dec 25, 2022
To recreate the board game Scotland yard and enable a single player to play the game by letting one of the roles being played by the computer based on written algorithm
To recreate the board game Scotland yard and enable a single player to play the game by letting one of the roles being played by the computer based on written algorithm

Scotland Yard GAME OF SCOTLAND YARD This is a custom version of the classic board game, Scotland Yard .The game uses the London map used in the origin

Brshank 2 Nov 11, 2021
Compressed Log Processor (CLP) is a free tool capable of compressing text logs and searching the compressed logs without decompression.

CLP Compressed Log Processor (CLP) is a tool capable of losslessly compressing text logs and searching the compressed logs without decompression. To l

null 516 Dec 30, 2022
Recode the printf function. This project is of moderate difficulty. It will enable you to discover variadic functions in C.

100/100 🚀 Introduction to ft_printf This is the third project in the 42 Cadet Curriculum. This project is pretty straight forward, recode the printf

Paulo Rafael Ramalho 0 Apr 5, 2022
IOTBOT, which is designed as an Internet-oriented robotic coding training kit and powered by the ESP32 processor
IOTBOT, which is designed as an Internet-oriented robotic coding training kit and powered by the ESP32 processor

IOTBOT-Firmware! Test Series IOTBOT, which is designed as an Internet-oriented robotic coding training kit and powered by the ESP32 processor, knows n

null 1 Dec 29, 2021
Comments
  • The download link of windows installation package is invalid

    The download link of windows installation package is invalid

    Hi 0rganizers, The download link of the following windows installation package is invalid. https://nightly.link/0rganizers/nmips/workflows/main/main/nmips_windows.zip

    Can you upload the download package directly to git?

    opened by superhaowei 1
  • Crashes when trying to decomile babymips

    Crashes when trying to decomile babymips

    It disassembles fine but crashes immediately when I press F5. The target binary is the babymips included in the repo. My ida version is Version 7.6.210427 Linux x86_64 (32-bit address size)

    The log looks like this:

    $ ida
2021-10-27 15:13:45.448 (   0.000s) [        3CB76880]              nmips.cpp:462   INFO| Logging to log file (null)
2021-10-27 15:13:45.448 (   0.000s) [        3CB76880]            elf_ldr.cpp:24    INFO| relocation storage does not exist
2021-10-27 15:13:48.622 (   3.173s) [        3CB76880]              nmips.cpp:198   INFO| loader_elf_machine(0xf9)
2021-10-27 15:13:48.622 (   3.173s) [        3CB76880]              nmips.cpp:200   INFO| nanoMIPS elf detected!
2021-10-27 15:13:48.622 (   3.173s) [        3CB76880]              nmips.cpp:587   INFO| Processor: 0
2021-10-27 15:13:51.361 (   5.912s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200bc, 0x420108, 0x420108, t: 10): , _ITM_deregisterTMCloneTable, 0x420108
2021-10-27 15:13:51.361 (   5.912s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol _ITM_deregisterTMCloneTable 0x4200bc = 0x420108
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200c0, 0x42010c, 0x42010c, t: 10): , _ITM_registerTMCloneTable, 0x42010c
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol _ITM_registerTMCloneTable 0x4200c0 = 0x42010c
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200c4, 0x420110, 0x420110, t: 10): , __deregister_frame_info, 0x420110
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol __deregister_frame_info 0x4200c4 = 0x420110
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200c8, 0x420114, 0x420114, t: 10): , __register_frame_info, 0x420114
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol __register_frame_info 0x4200c8 = 0x420114
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200cc, 0x420118, 0x420118, t: 10): , _Jv_RegisterClasses, 0x420118
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol _Jv_RegisterClasses 0x4200cc = 0x420118
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200d0, 0x420120, 0x420120, t: 11): , read, 0x420120
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol read 0x4200d0 = 0x420120
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200d4, 0x420124, 0x420124, t: 11): , strncmp, 0x420124
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol strncmp 0x4200d4 = 0x420124
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200d8, 0x420128, 0x420128, t: 11): , puts, 0x420128
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol puts 0x4200d8 = 0x420128
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200dc, 0x42011c, 0x42011c, t: 11): , memset, 0x42011c
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol memset 0x4200dc = 0x42011c
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:178   INFO| handle_relocation(0x4200e0, 0x420104, 0x420104, t: 11): , __libc_start_main, 0x420104
2021-10-27 15:13:52.014 (   6.565s) [        3CB76880]            elf_ldr.cpp:119   INFO| patching symbol __libc_start_main 0x4200e0 = 0x420104
2021-10-27 15:13:52.141 (   6.692s) [        3CB76880]               mgen.cpp:127   INFO| saving temp 320.16 (t0)
2021-10-27 15:13:52.141 (   6.692s) [        3CB76880]               mgen.cpp:127   INFO| saving temp 336.16 (t1)
2021-10-27 15:13:52.141 (   6.692s) [        3CB76880]               mgen.cpp:127   INFO| saving temp 352.16 (t2)
2021-10-27 15:13:52.141 (   6.692s) [        3CB76880]               mgen.cpp:127   INFO| saving temp 368.16 (t3)
2021-10-27 15:13:52.141 (   6.692s) [        3CB76880]              nmips.cpp:528   INFO| Successfully installed mgen filter!
2021-10-27 15:13:52.141 (   6.692s) [        3CB76880]              nmips.cpp:534   INFO| Found got segment: 0x4200ac
2021-10-27 15:13:52.141 (   6.692s) [        3CB76880]              nmips.cpp:541   INFO| Successfully set default sreg value to: 0x4200ac
2021-10-27 15:13:52.419 (   6.971s) [        3CB76880]                emu.cpp:302   INFO| [0x4004fa] is_switch = true
2021-10-27 15:13:52.516 (   7.067s) [        3CB76880]                emu.cpp:302   INFO| [0x4004fa] is_switch = true
Oops, IDA has almost crashed! (signum=11)
    opened by Kyle-Kyle 0
Owner
null
GitHub
C/C++ language server supporting multi-million line code base, powered by libclang. Emacs, Vim, VSCode, and others with language server protocol support. Cross references, completion, diagnostics, semantic highlighting and more

Archived cquery is no longer under development. clangd and ccls are both good replacements. cquery cquery is a highly-scalable, low-latency language s

Jacob Dufault 2.3k Jan 7, 2023
Rule Processor Y is a next-gen Rule processor with complex multibyte character support

ruleprocessorY Rule Processor Y is a next-gen Rule processor with multibyte character support. It applies rules to wordlists in order to transform the

null 11 Sep 23, 2022
Simulation code for the specific PDP-10 serial number 32 at the Stanford A. I. Lab in 1974 as a solo processor with all the I/O devices simulated as on the PDP-10. Omit the co-processor PDP-6 sn16.

KA10 sn32 Synopsis This repository contains software and documentation for running the unique PDP-10 KA serial number 32 that was at Stanford in July

Saildart Archive 4 Aug 7, 2021
A simple processor emulator written in c++ that can parse and execute x32 code. x32 is binary code made by me for this processor.

A SIMPLE PROCESSOR EMULATOR AND CODE EXECUTOR The Repository This is a fairly new project and is still heavy in development. If you find and bugs feel

Luka Golob 4 Jan 20, 2022
IDA StrikeOut: A Hex-Rays decompiler plugin to patch the Ctree

StrikeOut is an plugin for the Hex-Rays Decompiler. It allows you to delete (hide) statements from the AST, thus simplifying the pseudocode output. This is a useful scenario when you are dealing with lots of junk code or code that don't necessarily increase your understanding of the pseudocode.

Elias Bachaalany 82 Dec 6, 2022
GreenLambert macOS IDA plugin to deobfuscate strings

Delambert An IDA plugin to deobfuscate strings from The Lamberts macOS malware sample af7c395426649c57e44eac0bb6c6a109ac649763065ff5b2b23db71839bac655

fG! 9 Mar 14, 2022
Enable eGFX for Thunderbolt Macs with SIP, ART & FileVault support.

Kryptonite enables external GPUs on Macs using Thunderbolt 1 and 2 without compromising on Mac security features such as System Integrity Protection, FileVault, and Authenticated-Root.

Mayank Kumar 143 Jan 3, 2023
IDAShell is a shell extension for launching IDA from the context menu of executables.

IDAShell About IDAShell is a shell extension for launching IDA from the context menu of executables. Usage Just install and it works. If you moved IDA

null 174 Dec 18, 2022
IDA Pro key checker tool

IDA Key Checker IDA Pro (6.x-7.x) key checker tool Usage A list of available options can be retrieved using: ida_key_checker --help Arguments: Option

null 58 Dec 26, 2022
Yet Another Ghidra Integration for IDA

Yagi Yet Another Ghidra Integration for IDA Overview Yagi intends to include the wonderful Ghidra decompiler into both IDA pro and IDA Free. ?? You ca

Airbus CERT 390 Dec 8, 2022