User talk:Pokechu22
IOS MessageQueue
do you have any experience RE'ing the IOS kernel message queue? I have a few problems figuring out some stuff from the queue object structure... -DacoTaco (talk) 21:52, 13 June 2021 (CEST)
Small request for Wikipedia
I’m not registered on Wikipedia, and the Kiwi Farms page is semi-protected; can you add information about Near’s suicide to the controversies section of the Kiwi Farms page? Hallowizer (talk) 09:22, 28 June 2021 (CEST)
- It's been added and removed a few times. There's currently a discussion on the talk page about it, but it seems like currently the intention is to wait a bit for further coverage. --Pokechu22 (talk) 17:58, 28 June 2021 (CEST)
Disassembling IOS binaries
I just got the ELF of IOS9v778 with the script on the ARM Binaries page, and the section header size seems to be corrupted. Are you familiar with how to fix this issue? Hallowizer (talk) 08:16, 7 August 2021 (CEST)
- I'd never noticed that before, but Ghidra does note "Skipping PT_LOAD segment[49, Loadable segment] with invalid file offset" (though everything else seems to import fine).
arm-none-eabi-objdump -x 00000004.elf
gives this:
LOAD off 0x0017c9c6 vaddr 0xffff8c00 paddr 0xffff8c00 align 2**5 filesz 0x00000000 memsz 0x000071e8 flags rw-
which seems to match the output for other sections (filesz is 0 for uninitialized ones, and the offset is the previous offset plus the previous filesz). The offset seems to be at the very end of the file, but that seems reasonable for a 0-initialized-byte section at the end. However,
arm-none-eabi-objdump -D 00000004.elf
doesn't work right, so something about it annoys other tools.
- Appending an additional 0-byte to the end of the file allows Ghidra to import it without any warnings (though the section is all zeros, which is the same as it was without making this change). objdump still doesn't like it though. --Pokechu22 (talk) 19:25, 11 August 2021 (CEST)
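A checker for the symptom discussed in the reply above, added here as an example and not code from the thread or from the ARM Binaries page script: it parses the ELF32 program headers, flags any PT_LOAD whose file offset is at or past the end of the file (including a zero-filesz bss segment, which is assumed here to be the criterion the loader trips on), and pads the file the way the reply describes. The ELF image it runs on is constructed inline, not the IOS binary.

```python
import struct

PT_LOAD = 1  # ELF program header type for loadable segments

def parse_phdrs(data: bytes):
    """Parse ELF32 program headers; endianness is taken from EI_DATA."""
    if data[:4] != b"\x7fELF" or data[4] != 1:  # EI_CLASS 1 == ELFCLASS32
        raise ValueError("not an ELF32 file")
    end = "<" if data[5] == 1 else ">"           # EI_DATA 1 == little-endian, 2 == big-endian
    (e_phoff,) = struct.unpack_from(end + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    names = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")
    return [dict(zip(names, struct.unpack_from(end + "8I", data, e_phoff + i * e_phentsize)))
            for i in range(e_phnum)]

def bad_segments(data: bytes):
    """Indices of PT_LOAD entries whose p_offset lies at/after end of file or whose
    [p_offset, p_offset + p_filesz) range runs past it. Assumption: a loader rejects
    p_offset >= file length even when p_filesz is 0, which matches the thread's symptom."""
    size = len(data)
    return [i for i, p in enumerate(parse_phdrs(data)) if p["p_type"] == PT_LOAD
            and (p["p_offset"] >= size or p["p_offset"] + p["p_filesz"] > size)]

def pad_for_trailing_bss(data: bytes) -> bytes:
    """Append the fewest zero bytes that bring every PT_LOAD offset/range inside the file
    (the 'append a 0-byte' workaround from the thread, generalised to any shortfall)."""
    size = len(data)
    need = max([0] + [max(p["p_offset"] + 1, p["p_offset"] + p["p_filesz"]) - size
                      for p in parse_phdrs(data) if p["p_type"] == PT_LOAD])
    return data + bytes(need)

def build_sample(extra_zero_bytes: int = 0) -> bytes:
    """Constructed big-endian ELF32/ARM image: one 16-byte code segment, then a bss-style
    PT_LOAD (filesz 0, memsz 0x71e8) whose offset equals the file length, like the objdump line above."""
    ehsize, phentsize, phnum = 52, 32, 2
    data_off = ehsize + phentsize * phnum            # 116
    payload = b"\xaa" * 16
    bss_off = data_off + len(payload)                # 132 == length of the unpadded file
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)  # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 40, 1, 0xFFFF0000,
                               ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    ph_text = struct.pack(">8I", PT_LOAD, data_off, 0xFFFF0000, 0xFFFF0000, 16, 16, 5, 32)
    ph_bss = struct.pack(">8I", PT_LOAD, bss_off, 0xFFFF8C00, 0xFFFF8C00, 0, 0x71E8, 6, 32)
    return ehdr + ph_text + ph_bss + payload + bytes(extra_zero_bytes)

if __name__ == "__main__":
    img = build_sample()
    print("bad segments:", bad_segments(img))                         # [1]
    print("after padding:", bad_segments(pad_for_trailing_bss(img)))  # []
```

Run it against a real ELF by reading the file into `data` and calling `bad_segments(data)`; a non-empty result names the segments a loader with this check would skip.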
- My main problem with Ghidra is that it was made by the NSA. Any alternatives? Hallowizer (talk) 01:04, 12 August 2021 (CEST)
- I've only ever used Ghidra. The other existing tools are IDA Pro (which is closed-source and expensive (~$365/yr/processor and no free trial for either PowerPC or ARM as far as I can tell), but there is IOS/Syscall IDAPython) and Radare2 (which I've never worked with).
- It's fair to be skeptical of the NSA, but Ghidra is completely open-source. You can look through it (though it's a large pile of government code that was written over many years, so some parts are not that well written) and build it yourself, and I'm pretty sure people have audited it. And if you're particularly paranoid, you can run it in a VM or even on a separate machine. (I'm not that paranoid and I use their stock build on my regular machine, though I have also built it myself for contributing various things.) --Pokechu22 (talk) 06:21, 12 August 2021 (CEST)
- Yeah, that's what 4TU just told me. I'm compiling it myself to be safe. Hallowizer (talk) 06:36, 12 August 2021 (CEST)
S flag in Starlet plugin for Ghidra
DacoTaco and I noticed that the ADD and ADDS (as well as SUB and SUBS) are displayed identically, despite clearly being different in the bytecode. I think this might be a problem with your Starlet language, since it still displays properly with the normal ARM9 settings. Hallowizer (talk) 19:05, 16 October 2021 (CEST)
- I based it on the ARM5t_be file which might not be right - I had trouble determining exactly which ARM version Starlet is using. Adding some of the defines in the ARM8_be file might fix it. --Pokechu22 (talk) 08:02, 17 October 2021 (CEST)
- What processor definition were you comparing the instructions to, Hallowizer? Maybe Pokechu22 can rip the defines from there hehe. DacoTaco (talk) 11:35, 17 October 2021 (CEST)
- Hey, I noticed another problem with the sub/add instruction. Not sure if it's related. The mini elfloader has an instruction 'sub r4, pc, #8' which is compiled into 0xE24F4008. However, it's read as "adr r4,0x10". I'm starting to think this is a Ghidra/ARM bug?