为CHIP-8编写IDA processor module


在对嵌入式设备进行逆向分析的过程中,偶尔会遇到一些比较小众或专业性较强的处理器,使用ida默认不支持的指令集。这时为了愉快的使用ida pro逆向就需要编写对应的处理器模块。出于学习目的,找一个非常简单的指令集来探路,CHIP-8再合适不过了。




  • 多数时候其解释器需要占据内存空间的前512个字节,所以程序通常加载在0x200处,且不会用到前512字节地址。
  • CHIP-8使用16个8bit的数据寄存器,命名为V0-VF。其中VF寄存器在执行某些指令时作为状态寄存器。有一个16位的地址寄存器I。
  • CHIP-8有两个定时器,延时寄存器(Delay timer)与声音寄存器(Sound timer)。
  • 唯一使用栈的地方是call的时候存储返回地址其他信息可以在wikipedia上了解:https://en.wikipedia.org/wiki/CHIP-8


初探ida处理器模块(IDA Pro 7.0)

ida处理器模块的样例可以在sdk中modules目录下找到,一打开目录映入眼帘的就是许多的c++写的处理器模块。在module/script下有三个python的处理器模块,包含一个proctemplate.py模板。这里选择使用python编写,在模板文件中可以看到主要代码为PROCESSOR_ENTRY方法返回一个继承自processor_t的sample_proccesst,类中有许多的notify开头的回调方法,每个都有少量对其应该负责的工作的注释。 通过注释可以知道其中notify_emu``notify_out_operand notify_out_insn notify_ana几个方法是强制性的。



notify_ana(self, insn)中,需要做的是读取数据并解析成指令。根据opcode找到对应的指令,读取并设置好指令的参数与属性。其中insn为一个insn_t类型的变量,即为要设置的指令对象。调用insn.get_next_byte()系列方法可以获取到当前的数据,也就是下一步要解析的指令或操作数。设置insn的itype属性为指令的itype,根据操作数数量设置insn.Op1insn.Op2的系列属性如type(操作数类型):o_imm(立即数)/o_reg(寄存器)/o_mem(内存)……、dtype(操作数大小):dt_byte/dt_word/dt_dword和value(操作数的值)。


体现在notify_emu(self)中,用于设置数据与代码之间的关系,例如当前指令执行完毕后如果顺序执行下一条指令就要通过add_cref(insn.ea, insn.ea + insn.size, fl_F)来告诉ida这条指令的下一条在哪。其中第一个参数为出发点,多数时候为当前指令地址,第二个参数为将跳到的地址,第三个参数有可能为 fl_F(顺序),fl_JN/fl_JF(跳转)以及fl_CN/fl_CF(调用)。以及使用add_dref(op.addr, op.offb, dr_O)类似指令来添加数据的引用信息。如果有对栈数据的分析也在模拟过程中处理,可参考ebc.py中emu回调所调用的trace_sp方法。再笔者的理解中,除了个别情况,大多数修改ida数据库中数据的操作都在模拟部分进行。


体现在notify_out_operand(self, ctx, op)notify_out_insn(self, ctx)两个方法。notify_out_operand用来输出参数,notify_out_insn用来输出指令。注释中特意指出在这两个方法中不应该有任何操作数据库,修改标志位等操作。笔者认为与output操作执行次数较多有关。



char __fastcall sub_13006100(__int64 a1, __int64 a2, _BYTE *a3, __int64 a4)
  _QWORD *v4; // rbx
  _BYTE *v5; // rsi
  unsigned __int8 (__fastcall *v6)(_BYTE *, __int64, _QWORD *); // r9
  __int64 v7; // rdi

  v4 = (_QWORD *)a4;
  v5 = a3;
  v6 = *(unsigned __int8 (__fastcall **)(_BYTE *, __int64, _QWORD *))(a1 + 112);
  v7 = a1;
  if ( v6 )
    if ( !v6(a3, a2, v4) )
      return 0;
    if ( !(*(unsigned __int8 (__fastcall **)(__int64, _QWORD *))(a1 + 48))(a2, v4) )
      return 0;
    if ( !(*(unsigned __int8 (__fastcall **)(_QWORD, _QWORD, const char *))(v7 + 88))(0i64, 0i64, "PROCESSOR_ENTRY") )
      sub_13003EA0(v4, "PROCESSOR_ENTRY attribute was not found");
      return 0;
    if ( !(*(unsigned __int8 (__fastcall **)(_BYTE *, const char *, _QWORD, _QWORD, _QWORD *))(v7 + 56))(
            v4) )
      return 0;
  if ( *v5 == 5 )
    return 1;
  sub_13003EA0(v4, "should return an object!");
  return 0;


    if ( !(unsigned __int8)sub_13005FD0(off_1300ABE8[v2], &unk_1300F150) )
      sub_13005260(v1, "Processor module script: missing callback '%s'", off_1300ABE8[v2]);
      return 0;
  while ( v2 < 4 );


__int64 __fastcall sub_13004C90(__int64 a1, __int64 a2, __int64 a3, __int64 a4)
  __int64 v4; // rbx
  unsigned __int8 v5; // si
  int v6; // eax
  __int64 v7; // rdx
  __int64 v8; // r8
  size_t v9; // rbx
  unsigned __int64 v10; // rdi
  __int64 v11; // rax
  char *v12; // rax
  char *v13; // rcx
  __int64 v14; // r8
  __int64 v15; // r8
  __int64 v16; // r8
  char v18; // [rsp+20h] [rbp-448h]
  int v19; // [rsp+28h] [rbp-440h]
  __int64 v20; // [rsp+40h] [rbp-428h]
  char Src[1024]; // [rsp+50h] [rbp-418h]

  v20 = -2i64;
  v4 = a1;
  qword_1300F478 = (__int64)off_1300A800;
  v5 = 0;
  v18 = 2;
  v19 = 0;
  LOBYTE(a4) = 1;
  v6 = sub_13005B80(off_1300A800, &xmmword_1300F250, a1, a4, *(_QWORD *)&v18, *(_QWORD *)&v19);
  if ( v6 < 0 )
    LODWORD(xmmword_1300F250) = 700;
    if ( !(_DWORD)xmmword_1300F290 )
      LODWORD(xmmword_1300F290) = sub_130061E0(*((_QWORD **)&xmmword_1300F280 + 1));
    if ( (unsigned __int8)sub_13006A20(v4, (__int64)"assembler", (__int64)&v18) && (unsigned __int8)sub_13004A90(&v18) )
      if ( (unsigned __int8)sub_13006A20(v4, (__int64)"codestart", (__int64)&v18)
        && (LOBYTE(v14) = 1, (unsigned __int8)sub_13006200(&v18, &qword_1300F4D0, v14)) )
        *((_QWORD *)&xmmword_1300F2A0 + 1) = qword_1300F4D0;
        *((_QWORD *)&xmmword_1300F2A0 + 1) = 0i64;
      if ( (unsigned __int8)sub_13006A20(v4, (__int64)"retcodes", (__int64)&v18)
        && (LOBYTE(v15) = 1, (unsigned __int8)sub_13006200(&v18, &qword_1300F4B8, v15)) )
        *(_QWORD *)&xmmword_1300F2B0 = qword_1300F4B8;
        *(_QWORD *)&xmmword_1300F2B0 = 0i64;
      if ( (unsigned __int8)sub_13006A20(v4, (__int64)"instruc", (__int64)&v18)
        && (unsigned __int8)sub_130063C0((__int64)&v18, &qword_1300F488, v16) )
        *(_QWORD *)&xmmword_1300F2C0 = qword_1300F488;
        *(_QWORD *)&xmmword_1300F280 = sub_130021F0;
        v5 = 1;
        sub_13003EA0(&Dst, "Missing processor instructions definition");

最重要的地方是13003b51h处的call,hook_to_notification_point(3i64, sub_130041E0)。查看ida sdk include/idp.hpp可以看到对hook_to_notification_point说明和函数原型:

/// Register a callback for a class of events in IDA

idaman bool ida_export hook_to_notification_point(
        hook_type_t hook_type,
        hook_cb_t *cb,
        void *user_data = NULL);


enum hook_type_t
  HT_IDP,         ///< Hook to the processor module.
                  ///< The callback will receive all processor_t::event_t events.
  HT_UI,          ///< Hook to the user interface.
                  ///< The callback will receive all ::ui_notification_t events.
  HT_DBG,         ///< Hook to the debugger.
                  ///< The callback will receive all ::dbg_notification_t events.
  HT_IDB,         ///< Hook to the database events.
                  ///< These events are separated from the ::HT_IDP group
                  ///< to speed things up (there are too many plugins and
                  ///< modules hooking to the ::HT_IDP). Some essential events
                  ///< are still generated in th ::HT_IDP group:
                  ///< make_code, make_data
                  ///< This list is not exhaustive.
                  ///< A common trait of all events in this group: the kernel
                  ///< does not expect any reaction to the event and does not
                  ///< check the return code. For event names, see ::idb_event.
  HT_DEV,         ///< Internal debugger events.
                  ///< Not stable and undocumented for the moment
  HT_VIEW,        ///< Custom/IDA views notifications.
                  ///< Refer to ::view_notification_t
                  ///< for notification codes
  HT_OUTPUT,      ///< Output window notifications.
                  ///< Refer to ::msg_notification_t
                  ///< (::view_notification_t)
  HT_GRAPH,       ///< Handling graph operations
                  ///< (::graph_notification_t)

第一个参数为3,即HT_IDB,从注释看出make_code, make_data等事件会触发回调。回调函数的原型如下

typedef ssize_t idaapi hook_cb_t(void *user_data, int notification_code, va_list va);










def init_registers(self):
    # register names
    self.reg_names = [
        # General purpose registers
        "PC",# Instruction pointer
        "I", # Index register 12bit
        "DT",# Delay timer
        "ST",# Sound timer
        # Fake segment registers
    # number of registers (optional: deduced from the len(reg_names))
    self.regs_num = len(self.reg_names)
    # Segment register information (use virtual CS and DS registers if your
    # processor doesn't have segment registers):
    self.reg_first_sreg = 19 # index of CS
    self.reg_last_sreg  = 20 # index of DS
    # size of a segment register in bytes
    self.segreg_size = 0
    # You should define 2 virtual segment registers for CS and DS.
    # number of CS/DS registers
    self.reg_code_sreg = 19
    self.reg_data_sreg = 20



def init_instruction(self):
    class idef:
        def __init__(self, opcode, mask, name, cf, d, cmt = None):
            self.opcode = opcode
            self.mask = mask
            self.name = name 
            self.cf = cf
            self.d = d
            self.cmt = cmt

    self.itable = [
        idef(opcode=0x00E0, mask=0xffff, name="CLS",  d=self.decode_OP, cf=0, cmt="Clear video memory"),
        idef(opcode=0x00EE, mask=0xffff, name="RET",  d=self.decode_OP, cf=CF_STOP, cmt="Return from subroutine"),
        idef(opcode=0x0000, mask=0xf000, name="SYS",  d=self.decode_NNN_mem, cf=CF_USE1, cmt="Call CDP1802 subroutine at NNN"),
        idef(opcode=0x1000, mask=0Xf000, name="JP",   d=self.decode_NNN_mem, cf=CF_USE1|CF_JUMP, cmt="Jump to address NNN"),
        idef(opcode=0x2000, mask=0xf000, name="CALL", d=self.decode_NNN_mem, cf=CF_USE1|CF_CALL, cmt="Call CHIP-8 subroutine at NNN"),
        idef(opcode=0x3000, mask=0xf000, name="SE",   d=self.decode_XNN, cf=CF_USE1|CF_USE2|CF_JUMP, cmt="Skip next instruction if VX == NN"),
        idef(opcode=0x4000, mask=0xf000, name="SNE",  d=self.decode_XNN, cf=CF_USE1|CF_USE2|CF_JUMP, cmt="Skip next instruction if VX != NN"),
        idef(opcode=0x5000, mask=0xf00f, name="SE",   d=self.decode_XY, cf=CF_USE1|CF_USE2|CF_JUMP, cmt="Skip next instruction if VX == VY"),
        idef(opcode=0x6000, mask=0xf000, name="LD",   d=self.decode_XNN, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = NN"),
        idef(opcode=0x7000, mask=0xf000, name="ADD",  d=self.decode_XNN, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = VX + NN"),
        idef(opcode=0x8000, mask=0xf00f, name="LD",   d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = VY"),
        idef(opcode=0x8001, mask=0xf00f, name="OR",   d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = VX OR VY"),
        idef(opcode=0x8002, mask=0xf00f, name="AND",  d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = VX AND VY"),
        idef(opcode=0x8003, mask=0xf00f, name="XOR",  d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = VX XOR VY"),
        idef(opcode=0x8004, mask=0xf00f, name="ADD",  d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = VX + VY; VF = 1 if overflow else 0"),
        idef(opcode=0x8005, mask=0xf00f, name="SUB",  d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = VX - VY; VF = 1 if not borrow else 0"),
        idef(opcode=0x8006, mask=0xf00f, name="SHR",  d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VF = LSB(VX); VX = VX » 1 (** see note)"),
        idef(opcode=0x8007, mask=0xf00f, name="SUBN", d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = VY - VX; VF = 1 if not borrow else 0"),
        idef(opcode=0x800E, mask=0xf00f, name="SHL",  d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VF = MSB(VX); VX = VX « 1 (** see note)"),
        idef(opcode=0x9000, mask=0xf00f, name="SNE",  d=self.decode_XY, cf=CF_USE1|CF_USE2|CF_JUMP, cmt="Skip next instruction if VX != VY"),
        idef(opcode=0xA000, mask=0xf000, name="LD",   d=self.decode_LD_I, cf=CF_USE1, cmt="I = NNN"),
        idef(opcode=0xB000, mask=0xf000, name="JP",   d=self.decode_JP_V0, cf=CF_USE1|CF_JUMP, cmt="Jump to address NNN + V0"),
        idef(opcode=0xC000, mask=0xf000, name="RND",  d=self.decode_XY, cf=CF_USE1|CF_CHG1|CF_USE2, cmt="VX = RND() AND NN"),
        idef(opcode=0xD000, mask=0xf000, name="DRW",  d=self.decode_XYN, cf=CF_USE1|CF_USE2|CF_USE3, cmt="Draw 8xN sprite at I to VX, VY; VF = 1 if collision else 0"),
        idef(opcode=0xE09E, mask=0xf0ff, name="SKP",  d=self.decode_X, cf=CF_USE1|CF_JUMP, cmt="Skip next instruction if key(VX) is pressed"),
        idef(opcode=0xE0A1, mask=0xf0ff, name="SKNP", d=self.decode_X, cf=CF_USE1|CF_JUMP, cmt="Skip next instruction if key(VX) is not pressed"),
        idef(opcode=0xF007, mask=0xf0ff, name="LD",   d=self.decode_LD_VX_DT, cf=CF_USE1|CF_CHG1, cmt="LD VX, DT;Sets VX to the value of the delay timer."),
        idef(opcode=0xF00A, mask=0xf0ff, name="LD",   d=self.decode_LD_K, cf=CF_USE1|CF_CHG1, cmt="Wait for key press, store key pressed in VX"),
        idef(opcode=0xF015, mask=0xf0ff, name="LD",   d=self.decode_LD_DT_VX, cf=CF_USE1, cmt="DT = VX;Sets the delay timer to VX."),
        idef(opcode=0xF018, mask=0xf0ff, name="LD",   d=self.decode_LD_ST, cf=CF_USE1, cmt="ST = VX;Sets the sound timer to VX."),
        idef(opcode=0xF01E, mask=0xf0ff, name="ADD",  d=self.decode_ADD_I, cf=CF_USE1, cmt="I = I + VX; VF = 1 if I > 0xFFF else 0"),
        idef(opcode=0xF029, mask=0xf0ff, name="LD",   d=None, cf=CF_USE1, cmt="I = address of 4x5 font character in VX (0..F) (* see note)"),
        idef(opcode=0xF033, mask=0xf0ff, name="BCD",  d=self.decode_X, cf=CF_USE1, cmt="set_BCD(Vx);*(I+0)=BCD(3);*(I+1)=BCD(2);*(I+2)=BCD(1);Store BCD representation of VX at I (100), I+1 (10), and I+2 (1); I remains unchanged"),
        idef(opcode=0xF055, mask=0xf0ff, name="LD",   d=self.decode_STORE_I, cf=CF_USE1, cmt="Store V0..VX (inclusive) to memory starting at I; I remains unchanged"),
        idef(opcode=0xF065, mask=0xf0ff, name="LD",   d=self.decode_LOAD_I, cf=CF_USE1, cmt="Load V0..VX (inclusive) from memory starting at I; I remains unchanged")
    Instructions = []
    i = 0
    for x in self.itable:
        d = dict(name=x.name, feature=x.cf)
        if x.cmt != None:
            d['cmt'] = x.cmt
        setattr(self, 'itype_' + ("%04X" % x.opcode), i)
        i += 1
    # icode of the first instruction
    self.instruc_start = 0
    # icode of the last instruction + 1
    self.instruc_end = len(Instructions) + 1
    # Array of instructions
    self.instruc = Instructions
    # Icode of return instruction. It is ok to give any of possible return
    # instructions
    self.icode_return = self.itype_00EE



首先要实现notify_ana(self, insn),这里因为实现了单独的解析函数并设置好了指令表,直接获取两字节数据与掩码and后查表即可,如果遇到不认识的操作数,return 0告诉ida识别出现了问题。识别正常则返回解析指令及操作数的大小。

def get_idef(self, opcode):
    for i in self.itable:
        if opcode & i.mask == i.opcode:
            return i
    return None
def notify_ana(self, insn):
      Decodes an instruction into insn
      Returns: insn.size (=the size of the decoded instruction) or zero
      opcode = insn.get_next_word()
      ins = self.get_idef(opcode)
      if ins == None:
          return 0
          ins.d(insn, opcode)
      insn.itype = getattr(self,"itype_" + ("%04X" % ins.opcode) )
       # Return decoded instruction size or zero
      return insn.size


def decode_XY(self, insn, opcode):
    insn.Op1.type = o_reg
    insn.Op1.reg = (opcode & 0x0f00)>>8
    insn.Op2.type = o_reg
    insn.Op2.reg = (opcode & 0x00f0)>>4
def decode_NNN_mem(self, insn, opcode):
    insn.Op1.type = o_near
    insn.Op1.dtype = dt_word
    insn.Op1.addr = opcode & 0xfff


然后实现notify_out_operand(self, ctx, op)notify_out_insn(self, ctx)两个方法,一个负责输出操作数,一个负责输出指令。

def notify_out_insn(self, ctx):
    Generate text representation of an instruction in 'ctx.insn' structure.
    This function shouldn't change the database, flags or anything else.
    All these actions should be performed only by u_emu() function.
    Returns: nothing
    for i in range(1, 4):
            op = ctx.insn[i]
            if op.type == o_void:
            ctx.out_char(' ')

在notify_out_insn中调用ctx.out_mnemonic来输出instruc中指令的name。之后调用ctx.out_one_operand(i)输出操作数,此方法会调用到下面的notify_out_operand(self, ctx, op)回调来输出操作数信息。其中op参数会携带指令操作数信息,在分析时可以设置specval属性来携带额外信息给输出方法。

def notify_out_operand(self, ctx, op):
    Generate text representation of an instructon operand.
    This function shouldn't change the database, flags or anything else.
    All these actions should be performed only by u_emu() function.
    The output text is placed in the output buffer initialized with init_output_buffer()
    This function uses out_...() functions from ua.hpp to generate the operand text
    Returns: 1-ok, 0-operand is hidden.
    optype = op.type
    fl     = op.specval
    if optype == o_reg:
    elif optype == o_imm:
        # for immediate loads, use the transfer width (type of first operand)
        # if op.n == 1:
        #     width = self.dt_to_width(ctx.insn.Op1.dtype)
        # else:
        #     width = OOFW_32 if self.PTRSZ == 4 else OOFW_64
    elif optype in [o_near, o_mem]:
        r = ctx.out_name_expr(op, op.addr, BADADDR)
        if not r:
            ctx.out_btoa(op.addr, 4)
            remember_problem(PR_NONAME, ctx.insn.ea)
    elif optype == o_displ:
        if fl & self.FL_K == self.FL_K:
        return False
    return True





def notify_emu(self, insn):
    Emulate instruction, create cross-references, plan to analyze
    subsequent instructions, modify flags etc. Upon entrance to this function
    all information about the instruction is in 'insn' structure.
    If zero is returned, the kernel will delete the instruction.
    feature = insn.get_canon_feature()
    flow = (feature & CF_STOP) == 0
    if feature & CF_JUMP:
        remember_problem(PR_JUMP, insn.ea)
    if insn.itype == self.itype_1000:
        add_cref(insn.ea, insn.Op1.addr, fl_JN)
        flow = False
    elif insn.itype == self.itype_2000:
        add_cref(insn.ea, insn.Op1.addr, fl_CN)
    elif insn.itype in (self.itype_3000, self.itype_4000, self.itype_5000, self.itype_9000):
        add_cref(insn.ea, insn.ea + insn.size*2, fl_JN)
    if flow:
        add_cref(insn.ea, insn.ea + insn.size, fl_F)
    return 1





