├── LICENSE
├── README.md
├── binutils
    ├── README.md
    ├── findmagic.py
    ├── getinfo.py
    ├── nm.py
    ├── nxo64.py
    └── strings.py
├── ipcclient
    ├── README.md
    ├── demangling.py
    ├── genidaclientscript.py
    ├── ipcclient.py
    ├── itanium_demangler.py
    └── nxo64.py
├── ipcserver
    ├── README.md
    ├── demangling.py
    ├── hashes.py
    ├── ipcserver_classic.py
    ├── ipcserver_modern.py
    ├── itanium_demangler.py
    ├── nxo64.py
    └── unicornhelpers.py
├── loader
    ├── README.md
    └── hthh_nxo64.py
├── pattern
    ├── README.md
    ├── applypattern.py
    ├── arm64.py
    ├── makepattern.py
    └── nxo64.py
└── swipc-gen
    ├── README.md
    ├── data610.py
    ├── demangling.py
    ├── generatehashes.py
    ├── hashes.py
    ├── hashes_gen.py
    ├── ipcclient.py
    ├── ipcserver.py
    ├── itanium_demangler.py
    ├── nxo64.py
    └── unicornhelpers.py


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017-2019 hthh and contributors
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # switch-reversing
 2 | 
 3 | These are my personal Switch reversing scripts.
 4 | 
 5 | This is all a bit messy and chaotic, but I'm going to try to push my personal RE scripts and tools a bit more, since they can be pretty useful. Use at your own risk, no warranty, etc.
 6 | 
 7 | * `swipc-gen` is code for automated extraction of IPC information used to generate these diffs: https://gist.github.com/hthh/bb896c743878a2c0c337f41febdc0426
 8 | * `binutils` has simple utilities for dumping information from Switch binaries.
 9 | * `pattern` is a pair of scripts for identifying and naming common library code in 64-bit binaries (where you have one file with the code with symbols, and another with the same code, but without symbols).
10 | * `ipcserver` contains scripts for automatically finding the implementations of IPC commands in sysmodule binaries.
11 | * `ipcclient` contains a script I use to generate vtable structures for IPC client code using IDA and the Hex-Rays decompiler.
12 | * `loader` contains my personal fork of the ReSwitched loader with a number of other useful features.


--------------------------------------------------------------------------------
/binutils/README.md:
--------------------------------------------------------------------------------
  1 | # binutils
  2 | 
  3 | Useful scripts for inspecting at switch binaries.
  4 | 
  5 | `nxo64.py` as always does the hard work of parsing the binaries, so each of the other scripts is under 100 lines and should be easy to modify if needed.
  6 | 
  7 | 
  8 | ## getinfo.py
  9 | 
 10 | This is my most used one. I use it to check an `sdk` version, check if it's 64-bit or not, check what library a  `subsdk` binary is, or check what static libraries are linked into a game:
 11 | 
 12 | ```
 13 | % python getinfo.py sdk    
 14 | File: sdk
 15 | Module: nnSdk
 16 | 64-bit
 17 | FS SDK Version: 3.5.1
 18 | Number of Symbols: 19850
 19 | SDK MW+Nintendo+NintendoSDK_libz-3_5_1-Release
 20 | SDK MW+Nintendo+NintendoSdk_nnSdk-3_5_1-Release
 21 | SDK MW+Nintendo+NintendoSDK_NVN-3_5_1-Release
 22 | 
 23 | % python getinfo.py main
 24 | File: main
 25 | Module: D:\home\Project\Blitz_MasterVer27\App\Rom\NX64\Product\code\Blitz.nss
 26 | 64-bit
 27 | Number of Symbols: 24
 28 | SDK MW+Nintendo+PiaCommon-5_9_1
 29 | SDK MW+Nintendo+Pia-5_9_1
 30 | SDK MW+Nintendo+PiaInet-5_9_1
 31 | SDK MW+Nintendo+PiaNat-5_9_1
 32 | SDK MW+Nintendo+PiaLan-5_9_1
 33 | SDK MW+Nintendo+PiaSession-5_9_1
 34 | SDK MW+Nintendo+PiaTransport-5_9_1
 35 | SDK MW+Nintendo+NEX-4_3_10-appblz
 36 | SDK MW+Nintendo+NintendoSDK_libcurl-3_4_1-Release
 37 | SDK MW+Nintendo+NintendoSDK_gfx-3_4_1-Release
 38 | SDK MW+Nintendo+NintendoWare_G3d-3_4_1-Release
 39 | SDK MW+Nintendo+NintendoWare_Vfx-3_4_1-Release
 40 | SDK MW+Nintendo+NintendoWare_Atk-3_4_1-Release
 41 | SDK MW+Nintendo+NintendoSDK_libz-3_4_1-Release
 42 | SDK MW+Nintendo+NEX_MM-4_3_10
 43 | SDK MW+Nintendo+NEX_DS-4_3_10
 44 | SDK MW+Nintendo+NEX_RK-4_3_10
 45 | SDK MW+Nintendo+NEX_UT-4_3_10
 46 | SDK MW+Nintendo+NEX_CO-4_3_10
 47 | SDK MW+Nintendo+PiaChat-5_9_1
 48 | SDK MW+Nintendo+PiaClone-5_9_1
 49 | SDK MW+Nintendo+PiaLocal-5_9_1
 50 | SDK MW+Nintendo+NintendoWare_Ui2d-3_4_1-Release
 51 | SDK MW+Nintendo+NintendoWare_Font-3_4_1-Release
 52 | 
 53 | % python getinfo.py subsdk0 
 54 | File: subsdk0
 55 | Module: libz
 56 | 64-bit
 57 | Number of Symbols: 66
 58 | ```
 59 | 
 60 | ## findmagic.py
 61 | 
 62 | Search for a 4-byte magic number or an error code in binaries. Often misses things, but can save a lot of time when it finds them.
 63 | 
 64 | Note that you have to manually look for pairs with both halves of the value close together:
 65 | 
 66 | ```
 67 | % python findmagic.py NCA3 3.0.0-10.0/*
 68 | 3.0.0-10.0/fs(7100049E64): MOVK W9, 0x434E # 'NC'
 69 | 3.0.0-10.0/fs(7100049E74): MOVK W9, 0x434E # 'NC'
 70 | 3.0.0-10.0/fs(7100049E88): MOVK W9, 0x434E # 'NC'
 71 | 3.0.0-10.0/fs(7100049E94): MOVZ W9, 0x33410000 # 'A3'
 72 | 3.0.0-10.0/fs(7100049E98): MOVK W9, 0x434E # 'NC'
 73 | 3.0.0-10.0/fs(710004BCF4): MOVZ W9, 0x33410000 # 'A3'
 74 | 3.0.0-10.0/fs(710004BCF8): MOVK W9, 0x434E # 'NC'
 75 | 
 76 | % python findmagic.py 0x234E02 3.0.0-10.0/fs 
 77 | 3.0.0-10.0/fs(7100018C50): MOVZ W21, 0x230000 # '#\x00'
 78 | 3.0.0-10.0/fs(710001BC54): MOVZ W8, 0x230000 # '#\x00'
 79 | 3.0.0-10.0/fs(7100036630): MOVZ W19, 0x230000 # '#\x00'
 80 | 3.0.0-10.0/fs(710003727C): MOVZ W22, 0x230000 # '#\x00'
 81 | 3.0.0-10.0/fs(7100038B34): MOVZ W26, 0x230000 # '#\x00'
 82 | 3.0.0-10.0/fs(710003DBEC): MOVK W24, 0x4E02 # '\x02N'
 83 | 3.0.0-10.0/fs(7100049E44): MOVZ W23, 0x230000 # '#\x00'
 84 | 3.0.0-10.0/fs(710004A040): MOVZ W8, 0x230000 # '#\x00'
 85 | 3.0.0-10.0/fs(710004A048): MOVK W8, 0x4E02 # '\x02N'
 86 | [snip]
 87 | ```
 88 | 
 89 | 
 90 | ## strings.py
 91 | 
 92 | This dumps strings with a filename and address prefix. I dump strings from every binary from a version to one huge file and grep for whatever I'm looking for:
 93 | 
 94 | ```
 95 | % python strings.py 4.0.1/*/main > 4.0.1-strings.txt
 96 | % grep http 4.0.1-strings.txt
 97 | 4.0.1/010000000000000C-bcat/main(71001E0C61): https://%s/api/nx/v1/list/%s
 98 | 4.0.1/010000000000000C-bcat/main(71001E1349): https://%s/api/nx/v1/list/%s?l=%s%s%s
 99 | 4.0.1/010000000000000C-bcat/main(71001E18C4): https://%s/api/nx/v1/titles/%016llx/topics?l=%s%s%s
100 | [snip]
101 | 4.0.1/0100000000001013-myPage/main(7100524878): # http://curl.haxx.se/docs/http-cookies.html
102 | 4.0.1/0100000000001013-myPage/main(710052908B): https://mii-secure-%%.cdn.nintendo.net/%s_normal_face.png
103 | 4.0.1/0100000000001013-myPage/main(7100583FA0): N2nn2sf4cmif6client6detail13CmifProxyImplINS_7account4http15IOAuthProcedureENS2_15CmifDomainProxyINS0_4hipc6client38Hipc2ClientSessionManagedProxyKindBaseINSA_18Hipc2ProxyKindBaseILNS9_6detail11MessageTypeE4EEEEEEENS0_25StatelessAllocationPolicyINS0_22ExpHeapStaticAllocatorILm2048ENS5_6detail12ObjectHolder24ObjectHolderAllocatorTagEEEEENS5_3nas40IOAuthProcedureForNintendoAccountLinkageEEE
104 | 4.0.1/0100000000001013-myPage/main(7100584170): N2nn7account4http15IOAuthProcedureE
105 | ```
106 | 
107 | 
108 | ## nm.py
109 | 
110 | Just lists symbols:
111 | 
112 | ```
113 | % python nm.py 3.0.0-10.0/fs
114 |            DEFAULT   NOTYPE  LOCAL    0        0 
115 | 00000000 T DEFAULT   SECTION LOCAL    1        0 
116 |            DEFAULT   NOTYPE  WEAK     0        0 __rel_plt_start
117 |            DEFAULT   NOTYPE  WEAK     0        0 __got_end
118 |            DEFAULT   NOTYPE  WEAK     0        0 __rela_dyn_end
119 |            DEFAULT   NOTYPE  WEAK     0        0 __rela_plt_end
120 | [snip]
121 | 00e887d0 B DEFAULT   OBJECT  WEAK    21     4030 _ZN2nn2sf22ExpHeapStaticAllocatorILm16384ENS_8settings22IFactorySettingsServerEE8_globalsE
122 | 00e8c840 B DEFAULT   OBJECT  GLOBAL  21       10 _ZN3nne7prfile212pf_allocatorE
123 | 00e8c850 B DEFAULT   OBJECT  GLOBAL  21       10 _ZN3nne7prfile214pf_deallocatorE
124 | 00e8c860 B DEFAULT   OBJECT  GLOBAL  21      490 _ZN3nne7prfile212pdm_disk_setE
125 | 00e8ccf0 B DEFAULT   OBJECT  GLOBAL  21        4 _ZN3nne7prfile210pf_sys_setE
126 | 00e8ce48 B DEFAULT   OBJECT  GLOBAL  21        8 __cxa_new_handler
127 | 00e8dda0 B DEFAULT   OBJECT  GLOBAL  21        4 __horizon_max_num_modules
128 | 00e8dda8 B DEFAULT   OBJECT  GLOBAL  21        8 nnmuslThreadPointerInitializer
129 | 00e8ddb0 B DEFAULT   OBJECT  GLOBAL  21        8 nnmuslThreadPointerDestroyer
130 | 00e8e000 ? DEFAULT   NOTYPE  GLOBAL  21        0 end
131 | ```


--------------------------------------------------------------------------------
/binutils/findmagic.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import struct
 3 | import re
 4 | from nxo64 import load_nxo
 5 | 
 6 | def get_hw(d): return (d >> 21) & 3
 7 | def get_imm16(d): return (d >> 5) & 0xFFFF
 8 | 
 9 | def is_MOVZ_32_movewide(d): return (d & 0xff800000) == 0x52800000
10 | def is_MOVK_32_movewide(d): return (d & 0xff800000) == 0x72800000
11 | def get_Rd(d): return (d >> 0) & 0x1F
12 | 
13 | def main(magicstr, filenames):
14 | 	for filename in filenames:
15 | 		find_magic(magicstr, filename)
16 | 
17 | def find_magic_in_file(filename, text, data_as_string, f, magic):
18 | 
19 | 	magic_high = magic >> 16
20 | 	magic_low = magic & 0xFFFF
21 | 
22 | 	load_base = 0x7100000000
23 | 
24 | 	for i in xrange(0, len(text), 4):
25 | 		d = struct.unpack_from('<I', text, i)[0]
26 | 		if magic_high:
27 | 			if is_MOVZ_32_movewide(d) and get_hw(d) == 1 and get_imm16(d) == magic_high:
28 | 				print '%s(%X): MOVZ W%d, 0x%X # %r' % (filename, load_base + i, get_Rd(d), magic_high << 16, struct.pack('<H', magic_high))
29 | 			if is_MOVK_32_movewide(d) and get_hw(d) == 0 and get_imm16(d) == magic_low:
30 | 				print '%s(%X): MOVK W%d, 0x%X # %r' % (filename, load_base + i, get_Rd(d), magic_low, struct.pack('<H', magic_low))
31 | 		else:
32 | 			if is_MOVZ_32_movewide(d) and get_hw(d) == 0 and get_imm16(d) == magic_low:
33 | 				print '%s(%X): MOVZ W%d, 0x%X # %r' % (filename, load_base + i, get_Rd(d), magic_low, struct.pack('<H', magic_low))
34 | 
35 | 	pattern = struct.pack('<I', magic)
36 | 	strs = re.finditer(re.escape(pattern), data_as_string)
37 | 	for i in strs:
38 | 		start = i.start() + f.rodataoff + 0x7100000000
39 | 		print '%s(%X): DCD 0x%X # %s' % (filename, start, magic, pattern)
40 | 
41 | def find_magic(magicstr, filename):
42 | 	try:
43 | 		with open(filename, 'rb') as li:
44 | 			f = load_nxo(li)
45 | 	except Exception as e:
46 | 		print filename, e
47 | 		return
48 | 	f.binfile.seek(0)
49 | 	text = f.binfile.read(f.textsize)
50 | 
51 | 	f.binfile.seek(f.rodataoff)
52 | 	data_as_string = f.binfile.read_to_end()
53 | 
54 | 	if magicstr.startswith('0x'):
55 | 		magic = int(magicstr, 16)
56 | 		find_magic_in_file(filename, text, data_as_string, f, magic)
57 | 	else:
58 | 		for fmt in ('<I', '>I'):
59 | 			magic = struct.unpack(fmt, magicstr)[0]
60 | 			find_magic_in_file(filename, text, data_as_string, f, magic)
61 | 
62 | 		#print hex(magic)
63 | 
64 | if __name__ == '__main__':
65 | 	main(sys.argv[1], sys.argv[2:])


--------------------------------------------------------------------------------
/binutils/getinfo.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import struct
 3 | import re
 4 | from nxo64 import load_nxo
 5 | 
 6 | def main(filenames):
 7 | 	for filename in filenames:
 8 | 		print 'File:', filename
 9 | 		with open(filename, 'rb') as li:
10 | 			f = load_nxo(li)
11 | 
12 | 		path = None
13 | 		for off, end, name, class_ in f.sections:
14 | 			if name == '.rodata' and end-off < 0x1000 and end-off > 8:
15 | 				id_ = f.binfile.read_from(end-off, off)
16 | 				length = struct.unpack_from('<I', id_, 4)[0]
17 | 				if length + 8 <= len(id_):
18 | 					id_ = id_[8:length + 8]
19 | 					path = id_
20 | 				break
21 | 
22 | 		f.binfile.seek(f.rodataoff)
23 | 		as_string = f.binfile.read(f.rodatasize)
24 | 
25 | 		if path is None:
26 | 			strs = re.findall(r'[a-z]:[\\/][ -~]{5,}\.n[rs]s', as_string, flags=re.IGNORECASE)
27 | 			if strs:
28 | 				path = strs[-1]
29 | 
30 | 		if path is not None:
31 | 			print 'Module:', path
32 | 		print '%d-bit' % (32 if f.armv7 else 64,)
33 | 		sdk_version = re.findall(r'sdk_version: ([0-9.]*)', as_string)
34 | 		if sdk_version:
35 | 			print 'FS SDK Version:', sdk_version[0]
36 | 
37 | 		symbol_count = 0
38 | 		for s in f.symbols:
39 | 			if s.shndx and s.name:
40 | 				symbol_count += 1
41 | 		print 'Number of Symbols:', symbol_count
42 | 
43 | 		for i in re.findall(r'SDK MW[ -~]*', as_string):
44 | 			print i
45 | 		print
46 | 
47 | if __name__ == '__main__':
48 | 	main(sys.argv[1:])


--------------------------------------------------------------------------------
/binutils/nm.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import re
 3 | from nxo64 import load_nxo
 4 | 
 5 | def visibility_str(vis):
 6 | 	return [
 7 | 		'DEFAULT  ', # Default symbol visibility rules
 8 | 		'INTERNAL ', # Processor specific hidden class
 9 | 		'HIDDEN   ', # Sym unavailable in other modules
10 | 		'PROTECTED', # Not preemptible, not exported
11 | 	][vis]
12 | 
13 | def type_str(t):
14 | 	return {
15 | 		0: 'NOTYPE ', # Symbol type is unspecified
16 | 		1: 'OBJECT ', # Symbol is a data object
17 | 		2: 'FUNC   ', # Symbol is a code object
18 | 		3: 'SECTION', # Symbol associated with a section
19 | 		4: 'FILE   ', # Symbol's name is file name
20 | 		5: 'COMMON ', # Symbol is a common data object
21 | 		6: 'TLS    ', # Symbol is thread-local data object
22 | 	}.get(t, 'type=%-2d'%t)
23 | 
24 | def bind_str(b):
25 | 	return {
26 | 		0: 'LOCAL ',
27 | 		1: 'GLOBAL',
28 | 		2: 'WEAK  ',
29 | 	}.get(b, 'bind%d' % b)
30 | 
31 | def as_int16(v):
32 | 	v &= 0xFFFF
33 | 	if v & 0x8000:
34 | 		v |= ~0xFFFF
35 | 	return v
36 | 
37 | def main(filenames):
38 | 	for filename in filenames:
39 | 		with open(filename, 'rb') as li:
40 | 			f = load_nxo(li)
41 | 
42 | 		for s in sorted(f.symbols, key=lambda sym: sym.value):
43 | 			line = ''
44 | 			value = s.value
45 | 			if s.shndx or s.value:
46 | 				line += '%08x ' % (s.value,)
47 | 				if value < f.rodataoff:
48 | 					line += 'T'
49 | 				elif value < f.dataoff:
50 | 					line += 'R'
51 | 				elif value < f.bssoff:
52 | 					line += 'D'
53 | 				elif value < f.bssoff + f.bsssize:
54 | 					line += 'B'
55 | 				else:
56 | 					line += '?'
57 | 				line += ' '
58 | 			else:
59 | 				line += ' ' * 11
60 | 
61 | 			line += '%s ' % (visibility_str(s.vis),)
62 | 			line += '%s ' % (type_str(s.type),)
63 | 			line += '%s ' % (bind_str(s.bind),)
64 | 			line += '%3d ' % (as_int16(s.shndx),)
65 | 			line += '%8x ' % (s.size,)
66 | 			line += '%s' % (s.name,)
67 | 			print line
68 | 
69 | if __name__ == '__main__':
70 |     main(sys.argv[1:])


--------------------------------------------------------------------------------
/binutils/strings.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import re
 3 | from nxo64 import load_nxo
 4 | 
 5 | SEARCH_ALL_SECTIONS = False
 6 | 
 7 | def main(filenames):
 8 | 	for filename in filenames:
 9 | 		try:
10 | 			with open(filename, 'rb') as li:
11 | 				f = load_nxo(li)
12 | 		except Exception as e:
13 | 			print filename, e
14 | 			continue
15 | 		if SEARCH_ALL_SECTIONS:
16 | 			f.binfile.seek(0)
17 | 			as_string = f.binfile.read_to_end()
18 | 		else:
19 | 			f.binfile.seek(f.rodataoff)
20 | 			as_string = f.binfile.read(f.rodatasize)
21 | 		strs = re.finditer(r'[ -~]{5,}', as_string)
22 | 		for i in strs:
23 | 			start = i.start() + f.rodataoff + 0x7100000000
24 | 			print '%s(%X): %s' % (filename, start, i.group(0))
25 | 
26 | if __name__ == '__main__':
27 |     main(sys.argv[1:])


--------------------------------------------------------------------------------
/ipcclient/README.md:
--------------------------------------------------------------------------------
  1 | # ipcclient
  2 | 
  3 | This one is insanely useful, but it's a bit of a hassle to use.
  4 | 
  5 | ## Usage
  6 | 
  7 | First we load the binary we're reversing in IDA, then we generate the IDAPython client script.
  8 | 
  9 | ```
 10 | % python genidaclientscript.py sdk-3.5.0 > sdk-3.5.0-client-script.py
 11 | % grep decompile sdk-3.5.0-client-script.py | wc -l
 12 |      608
 13 | ```
 14 | 
 15 | In IDA, I right-click in the "Output window" and click "Clear" - the type information will be output there as the script runs. Then just run the script and wait. (This script needs to decompile every serialization function and IPC client vtable function to get the types right, so it'll take a minute or two to run.)
 16 | 
 17 | The output looks like this:
 18 | 
 19 | ```
 20 | struct nn::fssrv::sf::IFileSystemProxy::DomainClient;
 21 | struct nn::fssrv::sf::IFileSystemProxy::DomainClient::vt { /* 71008ce158-71008ce358 */
 22 |   /* 71000527E4 */ __int64 (*__fastcall AddReference)(nn::fssrv::sf::IFileSystemProxy::DomainClient *this);
 23 |   /* 71000527EC */ __int64 (*__fastcall Release)(nn::fssrv::sf::IFileSystemProxy::DomainClient *this);
 24 |   /* 7100052868 */ __int64 (*__fastcall GetProxyInfo)(nn::fssrv::sf::IFileSystemProxy::DomainClient *this);
 25 |   /* 7100042380 */ __int64 (*__fastcall GetInterfaceTypeInfo)(nn::fssrv::sf::IFileSystemProxy::DomainClient *this);
 26 |   /* 7100052870 */ unsigned int (*__fastcall Cmd1)(nn::fssrv::sf::IFileSystemProxy::DomainClient *this, __int64 a2);
 27 |   /* 7100052890 */ unsigned int (*__fastcall Cmd2)(nn::fssrv::sf::IFileSystemProxy::DomainClient *this, __int64 *a2);
 28 |   /* 7100052914 */ unsigned int (*__fastcall Cmd7)(nn::fssrv::sf::IFileSystemProxy::DomainClient *this, __int64 *a2, __int64 a3, int a4);
 29 |   /* 71000529B0 */ unsigned int (*__fastcall Cmd8)(nn::fssrv::sf::IFileSystemProxy::DomainClient *this, __int64 *a2, __int64 a3, __int64 a4, int a5);
 30 |   /* 7100052A5C */ unsigned int (*__fastcall Cmd9)(nn::fssrv::sf::IFileSystemProxy::DomainClient *this, __int64 *a2, __int64 a3);
 31 |   ...
 32 | };
 33 | struct nn::fssrv::sf::IFileSystemProxy::DomainClient {
 34 |   nn::fssrv::sf::IFileSystemProxy::DomainClient::vt *_v;
 35 |   _BYTE byte8;
 36 |   _BYTE byte9;
 37 |   unsigned int handle;
 38 |   void *_vt10;
 39 |   _DWORD dword18;
 40 |   _QWORD qword20;
 41 | };
 42 | ```
 43 | 
 44 | Or, if there are symbols in the binary for that IPC service, they get included:
 45 | 
 46 | ```
 47 | struct nn::account::baas::IGuestLoginRequest::DomainClient;
 48 | struct nn::account::baas::IGuestLoginRequest::DomainClient::vt { /* 71008d21b8-71008d2210 */
 49 |   /* 71000AFD08 */ __int64 (*__fastcall AddReference)(nn::account::baas::IGuestLoginRequest::DomainClient *this);
 50 |   /* 71000AFD10 */ __int64 (*__fastcall Release)(nn::account::baas::IGuestLoginRequest::DomainClient *this);
 51 |   /* 71000AFD84 */ __int64 (*__fastcall GetProxyInfo)(nn::account::baas::IGuestLoginRequest::DomainClient *this);
 52 |   /* 7100042380 */ __int64 (*__fastcall GetInterfaceTypeInfo)(nn::account::baas::IGuestLoginRequest::DomainClient *this);
 53 |   /* 71000AFD8C */ unsigned int (*__fastcall Cmd0_GetSessionId)(nn::account::baas::IGuestLoginRequest::DomainClient *this, _QWORD *a2);
 54 |   /* 71000AFDAC */ unsigned int (*__fastcall Cmd12_GetAccountId)(nn::account::baas::IGuestLoginRequest::DomainClient *this, _QWORD *a2);
 55 |   /* 71000AFDCC */ unsigned int (*__fastcall Cmd13_GetLinkedNintendoAccountId)(nn::account::baas::IGuestLoginRequest::DomainClient *this, _QWORD *a2);
 56 |   /* 71000AFDEC */ unsigned int (*__fastcall Cmd14_GetNickname)(nn::account::baas::IGuestLoginRequest::DomainClient *this, __int64 *a2);
 57 |   /* 71000AFE14 */ unsigned int (*__fastcall Cmd15_GetProfileImage)(nn::account::baas::IGuestLoginRequest::DomainClient *this, _DWORD *a2, __int64 *a3);
 58 |   /* 71000AFE3C */ unsigned int (*__fastcall Cmd21_LoadIdTokenCache)(nn::account::baas::IGuestLoginRequest::DomainClient *this, _DWORD *a2, __int64 *a3);
 59 |   /* 71000AFE64 */ __int64 (*__fastcall GetCmifBaseObject)(nn::account::baas::IGuestLoginRequest::DomainClient *this);
 60 | };
 61 | struct nn::account::baas::IGuestLoginRequest::DomainClient {
 62 |   nn::account::baas::IGuestLoginRequest::DomainClient::vt *_v;
 63 |   _BYTE byte8;
 64 |   _BYTE byte9;
 65 |   unsigned int handle;
 66 |   void *_vt10;
 67 |   _DWORD dword18;
 68 |   _QWORD qword20;
 69 | };
 70 | ```
 71 | 
 72 | Next I open the "Local types" window, right-click "Insert..." and paste the whole lot in. (In case you get syntax errors you may have to split it up to bisect where the output is wrong, but I didn't have that issue today.)
 73 | 
 74 | Now in IDA where you see something like:
 75 | 
 76 | ```
 77 | int __fastcall nn::fs::GetGlobalAccessLogMode(unsigned int *a1)
 78 | {
 79 |   unsigned int *v1; // x19
 80 |   unsigned int v2; // w19
 81 |   __int64 v4; // [xsp+0h] [xbp-20h]
 82 |   __int64 v5; // [xsp+8h] [xbp-18h]
 83 | 
 84 |   v1 = a1;
 85 |   nn::fs::detail::GetFileSystemProxyServiceObject(&v5);
 86 |   v2 = (*(__int64 (__fastcall **)(__int64, unsigned int *))(*(_QWORD *)v5 + 488LL))(v5, v1);
 87 | ```
 88 | 
 89 | You can just click on `v5` and press `y` and change the type to `nn::fssrv::sf::IFileSystemProxy::DomainClient*` to get:
 90 | 
 91 | ```
 92 | int __fastcall nn::fs::GetGlobalAccessLogMode(unsigned int *a1)
 93 | {
 94 |   unsigned int *v1; // x19
 95 |   unsigned int v2; // w19
 96 |   __int64 v4; // [xsp+0h] [xbp-20h]
 97 |   nn::fssrv::sf::IFileSystemProxy::DomainClient *v5; // [xsp+8h] [xbp-18h]
 98 | 
 99 |   v1 = a1;
100 |   nn::fs::detail::GetFileSystemProxyServiceObject(&v5);
101 |   v2 = v5->_v->Cmd1005(v5, v1);
102 | ```
103 | 
104 | ## Missing symbols
105 | 
106 | The script silently ignores anything it can't figure out the name of. To list all ignored methods, run:
107 | 
108 | ```
109 | % python ipcclient.py 7.0.0-5.0/ns | grep IUnknown
110 |   'IUnknown_2deb984d_0x7100223578': {
111 |   'IUnknown_6218fa21_0x71002236D0': {
112 |   'IUnknown_f4e4f171_0x71002256F8': {
113 |   'IUnknown_b171b62c_0x7100225758': {
114 |   'IUnknown_c72d14a7_0x71002257C8': {
115 |   'IUnknown_cc86b99b_0x71002258B8': {
116 |   'IUnknown_0868914f_0x7100225950': {
117 |   'IUnknown_f4e4f171_0x71002284E0': {
118 |   'IUnknown_cc86b99b_0x7100228540': {
119 |   'IUnknown_0868914f_0x710022C4F8': {
120 |   'IUnknown_d22f428b_0x710022C560': {
121 |   'IUnknown_2cc737b7_0x710022EF20': {
122 |   'IUnknown_ef63a7f7_0x710022F288': {
123 |   'IUnknown_9c8f78df_0x7100237A40': {
124 | ```
125 | 
126 | Figure out the name by reversing, guessing from the command numbers in the `ipcclient.py` output, or just making up something useful, then add an entry to the `MANUAL_NAME_LOOKUP` table at the top of `ipcclient.py`:
127 | 
128 | ```
129 | MANUAL_NAME_LOOKUP = {
130 | 	'IUnknown_2deb984d_0x7100223578': 'FooBar',
131 | }
132 | ```
133 | 
134 | Run it again and your entry will appear:
135 | 
136 | ```
137 | % python genidaclientscript.py 7.0.0-5.0/ns | grep FooBar
138 | client_vtable('FooBar::Client', 0x7100223578, 0x71002236A8, ['AddReference', 'Release', 'GetProxyInfo', 'GetInterfaceTypeInfo', 'Cmd1', 'Cmd2', 'Cmd3', 'Cmd4', 'Cmd5', 'Cmd7', 'Cmd21', 'Cmd23', 'Cmd25', 'Cmd26', 'Cmd101', 'Cmd102', 'Cmd103', 'Cmd104', 'Cmd111', 'Cmd120', 'Cmd6', 'Cmd11', 'Cmd12', 'Cmd13', 'Cmd22', 'Cmd24', 'Cmd31', 'Cmd32', 'Cmd33', 'Cmd34', 'Cmd105', 'Cmd112', 'Cmd113', 'Cmd114', 'Cmd115', 'Cmd201', 'Cmd202', 'GetCmifBaseObject'])
139 | ```
140 | 
141 | (if you prefer to have the IUnknown names in the output delete the line `if 'IUnknown' in interface: continue` from `genidaclientscript.py`)
142 | 
143 | ## Notes
144 | 
145 | The `DomainClient` structure is wrong.
146 | 
147 | Some of the really big command IDs (>65536) show up incorrectly.
148 | 
149 | It'd be practical and useful to embed command names from an `sdk` binary (or https://switchbrew.org ) when running on sysmodules and applets that don't have symbols.
150 | 
151 | 


--------------------------------------------------------------------------------
/ipcclient/demangling.py:
--------------------------------------------------------------------------------
  1 | import subprocess
  2 | import itanium_demangler
  3 | import sys
  4 | 
  5 | CHECK_CXX_FILT = False
  6 | 
  7 | def itanium_demangle_filter(s):
  8 | 	if s.startswith('N'):
  9 | 		s = 'Z' + s
 10 | 	if not s.startswith('_'):
 11 | 		s = '_' + s
 12 | 	return s
 13 | 
 14 | def itanium_demangle(s):
 15 | 	python_result = itanium_demangler.parse(itanium_demangle_filter(s))
 16 | 	if python_result is not None:
 17 | 		python_result = str(python_result)
 18 | 	return python_result
 19 | 
 20 | demangle_cache = {}
 21 | def get_demangled(s):
 22 | 	if s not in demangle_cache:
 23 | 		#python_result = itanium_demangle(s)
 24 | 		#if python_result is None:
 25 | 		#	#print 'demangler failed:', repr(s)
 26 | 		#	python_result = s
 27 | 		demangle_cache[s] = subprocess.check_output(['c++filt', '-n', s]).strip()
 28 | 		#if CHECK_CXX_FILT:
 29 | 		#	value = subprocess.check_output(['c++filt', '-n', s]).strip()
 30 | 		#	if python_result != value:
 31 | 		#		sys.stderr.write('\n')
 32 | 		#		sys.stderr.write('mangled: %r\n' % s)
 33 | 		#		sys.stderr.write('python:  %r\n' % python_result)
 34 | 		#		sys.stderr.write('c++filt: %r\n' % value)
 35 | 	return demangle_cache[s]
 36 | 
 37 | class Demangler(object):
 38 | 	def __init__(self, name):
 39 | 		print name
 40 | 		self.pos = 0
 41 | 		self.name = name
 42 | 
 43 | 	def peek(self):
 44 | 		return self.name[self.pos]
 45 | 	
 46 | 	def getchar(self):
 47 | 		self.pos += 1
 48 | 		return self.name[self.pos-1]
 49 | 
 50 | 	def getchars(self, n):
 51 | 		return ''.join(self.getchar() for i in xrange(n))
 52 | 
 53 | 	def read_string_length(self):
 54 | 		assert self.peek().isdigit()
 55 | 		l = ''
 56 | 		while self.peek().isdigit():
 57 | 			l += self.getchar()
 58 | 		return int(l)
 59 | 
 60 | 	def read_string(self):
 61 | 		l = self.read_string_length()
 62 | 		return self.getchars(l)
 63 | 
 64 | 	def read_template(self):
 65 | 		assert self.getchar() == 'I'
 66 | 		parts = []
 67 | 		while self.peek() != 'E':
 68 | 			print 'read_template:', self.name[self.pos:]
 69 | 			parts.append(self.parse())
 70 | 			print 'read_template:', parts
 71 | 		assert self.getchar() == 'E'
 72 | 		return '<%s>' % ', '.join(parts)
 73 | 
 74 | 	def read_name(self):
 75 | 		assert self.getchar() == 'N'
 76 | 		parts = []
 77 | 		while self.peek() != 'E':
 78 | 			parts.append(self.parse())
 79 | 			print 'read_name:', parts
 80 | 		assert self.getchar() == 'E'
 81 | 		return '::'.join(parts)
 82 | 
 83 | 	def parse_backref(self):
 84 | 		assert self.getchar() == 'S'
 85 | 		backref = ''
 86 | 		while self.peek() != '_':
 87 | 			if not self.peek().isdigit():
 88 | 				print 'TODO in parse_back_ref: %r (%r)' % (self.peek(), self.name[self.pos:])
 89 | 				return ''
 90 | 			backref += self.getchar()
 91 | 		assert self.getchar() == '_'
 92 | 		result = 'BACKREF_%s_TODO' % backref
 93 | 		print 'parse_backref:', result
 94 | 		return result
 95 | 
 96 | 	def parse_literal(self):
 97 | 		assert self.getchar() == 'L'
 98 | 		kind = self.parse()
 99 | 		#print 'TODO in parse_back_ref: %r (%r)' % (self.peek(), self.name[self.pos:])
100 | 		value = self.read_string_length()
101 | 		assert self.getchar() == 'E'
102 | 		return '(%s)%d' % (kind, value)
103 | 
104 | 
105 | 
106 | 	def parse(self):
107 | 		c = self.peek()
108 | 		if c == 'N':
109 | 			return self.read_name()
110 | 		elif c == 'I':
111 | 			return self.read_template()
112 | 		elif c == 'S':
113 | 			return self.parse_backref()
114 | 		elif c == 'L':
115 | 			return self.parse_literal()
116 | 		elif c.isdigit():
117 | 			return self.read_string()
118 | 		else:
119 | 			print 'TODO in parse: %r (%r)' % (self.peek(), self.name[self.pos:])
120 | 			return self.getchar()
121 | 
122 | 
123 | def main():
124 | 	tests = [
125 | 		('N2nn2sf4cmif6server22CmifDomainServerObject23CmifDomainServerMessageE',
126 | 		 'nn::sf::cmif::server::CmifDomainServerObject::CmifDomainServerMessage'),
127 | 		('N2nn2sf4cmif6client6detail13CmifProxyImplINS_8settings22IFactorySettingsServerENS0_4hipc6client18Hipc2ProxyKindBaseILNS7_6detail11MessageTypeE4EEENS0_25StatelessAllocationPolicyINS0_22ExpHeapStaticAllocatorILm16384ES6_EEEES6_EE',
128 | 		 'nn::sf::cmif::client::detail::CmifProxyImpl<nn::settings::IFactorySettingsServer, nn::sf::hipc::client::Hipc2ProxyKindBase<(nn::sf::hipc::detail::MessageType)4>, nn::sf::StatelessAllocationPolicy<nn::sf::ExpHeapStaticAllocator<16384ul, nn::settings::IFactorySettingsServer> >, nn::settings::IFactorySettingsServer>'),
129 | 		('N2nn2sf4hipc6client12_GLOBAL__N_119HipcManagerAccessorE',
130 | 		 'nn::sf::hipc::client::(anonymous namespace)::HipcManagerAccessor'),
131 | 		('_ZTVN2nn5fssrv35MemoryResourceFromStandardAllocatorE',
132 | 		 'vtable for nn::fssrv::MemoryResourceFromStandardAllocator'),
133 | 		('_ZN2nn7nlibsdk4heap12TlsHeapCache17ReallocFunc_Mode0INSt3__117integral_constantIbLb1EEEEEiPS2_PvmPS8_',
134 | 		 'int nn::nlibsdk::heap::TlsHeapCache::ReallocFunc_Mode0<std::__1::integral_constant<bool, true> >(nn::nlibsdk::heap::TlsHeapCache*, void*, unsigned long, void**)'),
135 | 		('_ZN2nn2gc6detail11AsicHandlerD2Ev',
136 | 		 'nn::gc::detail::AsicHandler::~AsicHandler()'),
137 | 		('_ZN3nne7prfile224PFCODE_CP932_Unicode2OEMEPKtPa',
138 | 		 'nne::prfile2::PFCODE_CP932_Unicode2OEM(unsigned short const*, signed char*)'),
139 | 	]
140 | 
141 | 	d = Demangler('N2nn2sf4cmif6server22CmifDomainServerObject23CmifDomainServerMessageE')
142 | 	print d.read_name()
143 | 
144 | 	d = Demangler('N2nn2sf4hipc6client12_GLOBAL__N_119HipcManagerAccessorE')
145 | 	print d.read_name()
146 | 
147 | 	d = Demangler('N2nn2sf4cmif6client6detail13CmifProxyImplINS_8settings22IFactorySettingsServerENS0_4hipc6client18Hipc2ProxyKindBaseILNS7_6detail11MessageTypeE4EEENS0_25StatelessAllocationPolicyINS0_22ExpHeapStaticAllocatorILm16384ES6_EEEES6_EE')
148 | 	print d.read_name()
149 | 
150 | if __name__ == '__main__':
151 | 	main()
152 | 


--------------------------------------------------------------------------------
/ipcclient/genidaclientscript.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | 
  3 | from nxo64 import load_nxo
  4 | from ipcclient import iter_vtables_in_nxo, demangle
  5 | 
  6 | IDA_BASE = 0x7100000000
  7 | 
  8 | def gen_ida_script(fname):
  9 | 	with open(fname, 'rb') as li:
 10 | 		f = load_nxo(li)
 11 | 
 12 | 	print '# output of genidaclientscript.py'
 13 | 	print r'''
 14 | already_named = set()
 15 | def client_vtable(interface, vtstart, vtend, names):
 16 | 	global already_named
 17 | 	if interface in already_named:
 18 | 		return # TODO
 19 | 	already_named.add(interface)
 20 | 	vtname = interface + '::vt'
 21 | 
 22 | 	vtoldname = Name(vtstart)
 23 | 	if not vtoldname or vtoldname.startswith('off_'):
 24 | 		MakeName(vtstart, interface + '::vtable')
 25 | 
 26 | 	print 'struct %s;' % interface
 27 | 	print 'struct %s { /* %x-%x */' % (vtname, vtstart, vtend)
 28 | 
 29 | 	for vtea, funcname in zip(range(vtstart, vtend, 8), names):
 30 | 		funcea = Qword(vtea)
 31 | 		cfunc = idaapi.decompile(funcea)
 32 | 		functype = str(cfunc.type)
 33 | 
 34 | 		if functype.count('__fastcall') == 0:
 35 | 			ret, args = functype.split('(', 1)
 36 | 			args = '(' + args
 37 | 		else:
 38 | 			assert functype.count('__fastcall') == 1,  '%X %s' % (funcea, functype)
 39 | 			ret, args = functype.split('__fastcall')
 40 | 
 41 | 		if 'Cmd' in funcname:
 42 | 			ret = 'unsigned int '
 43 | 
 44 | 		args = args[1:-1].split(',')
 45 | 		args = [interface + ' *this'] + args[1:]
 46 | 
 47 | 		if '::DomainProxy::' in funcname:
 48 | 			name = funcname.split('::')[-3] + '_' + funcname.split('::')[-1]
 49 | 		else:
 50 | 			name = '_'.join(funcname.split('::')[-2:])
 51 | 
 52 | 		functype = ret + '(*__fastcall ' + name + ')' + '(' + ','.join(args) + ')'
 53 | 
 54 | 		functype = functype.replace(', double a2, double a3, double a4, double a5, double a6, double a7, double a8, double a9', '')
 55 | 		print '  /* %X */ %s;' % (funcea, functype)
 56 | 	print '};'
 57 | 	print 'struct %s {' % interface
 58 | 	print '  %s *_v;' % vtname
 59 | 	print '  _BYTE byte8;'
 60 | 	print '  _BYTE byte9;'
 61 | 	print '  unsigned int handle;'
 62 | 	print '  void *_vt10;'
 63 | 	print '  _DWORD dword18;'
 64 | 	print '  _QWORD qword20;'
 65 | 	print '};'
 66 | 
 67 | '''
 68 | 	print '# decompile all process functions first'
 69 | 	already_decompiled = set()
 70 | 
 71 | 	vtables = []
 72 | 	for vtable in iter_vtables_in_nxo(f):
 73 | 		vtables.append(vtable)
 74 | 		for i, entry in enumerate(vtable.entries):
 75 | 			if entry.process_function and entry.process_function not in already_decompiled:
 76 | 				print 'idaapi.decompile(0x%X)' % (IDA_BASE + entry.process_function)
 77 | 				already_decompiled.add(entry.process_function)
 78 | 
 79 | 	for vtable in vtables:
 80 | 		interface = vtable.interface
 81 | 		if vtable.is_domain:
 82 | 			interface += '::DomainClient'
 83 | 		else:
 84 | 			interface += '::Client'
 85 | 
 86 | 		names = []
 87 | 		for i, entry in enumerate(vtable.entries):
 88 | 			if entry.cmd is not None:
 89 | 				funcname = 'Cmd%d' % entry.cmd
 90 | 				if entry.funcptr in f.addr_to_name:
 91 | 					ipcname = demangle(f.addr_to_name[entry.funcptr]).split('>::_nn_sf_sync_')[-1].split('(')[0]
 92 | 					funcname += '_' + ipcname					
 93 | 			else:
 94 | 				funcname = {
 95 | 					0: 'AddReference',
 96 | 					1: 'Release',
 97 | 					2: 'GetProxyInfo',
 98 | 					3: 'GetInterfaceTypeInfo',
 99 | 				}.get(i)
100 | 				if funcname is None:
101 | 					if i == len(vtable.entries) - 1:
102 | 						funcname = 'GetCmifBaseObject'
103 | 					else:
104 | 						funcname = 'func%X' % (i * 8)
105 | 			names.append(funcname)
106 | 
107 | 		if 'IUnknown' in interface: continue
108 | 		print 'client_vtable(%r, 0x%X, 0x%X, %r)' % (interface, IDA_BASE+vtable.start, IDA_BASE+vtable.end, names)
109 | 
110 | 
111 | 
112 | def main():
113 | 	for fname in sys.argv[1:2]:
114 | 		gen_ida_script(fname)
115 | 
116 | 
117 | if __name__ == '__main__':
118 | 	main()
119 | 


--------------------------------------------------------------------------------
/ipcclient/ipcclient.py:
--------------------------------------------------------------------------------
  1 | import struct
  2 | from collections import Counter
  3 | import hashlib
  4 | import re
  5 | 
  6 | from capstone import *
  7 | from capstone.arm64 import *
  8 | 
  9 | from nxo64 import load_nxo
 10 | from demangling import get_demangled
 11 | IDA_BASE = 0x7100000000
 12 | 
 13 | MANUAL_NAME_LOOKUP = {
 14 | #	# 4.0.1 loader:
 15 | #	"IUnknown_b171b62c_0x7100051A28": "nn::lr::ILocationResolverManager",
 16 | #	"IUnknown_bd070344_0x7100051A98": "nn::lr::ILocationResolver",
 17 | #	"IUnknown_788b7338_0x7100051B38": "nn::lr::IRegisteredLocationResolver",
 18 | #	"IUnknown_0868914f_0x7100051BC8": "nn::lr::IAddOnContentLocationResolver",
 19 | #
 20 | #	# 4.0.1 fs:
 21 | #	"IUnknown_b171b62c_0x71001CC688": "nn::lr::ILocationResolverManager",
 22 | #	"IUnknown_bd070344_0x71001CC6F8": "nn::lr::ILocationResolver",
 23 | #	"IUnknown_788b7338_0x71001CC798": "nn::lr::IRegisteredLocationResolver",
 24 | #	"IUnknown_0868914f_0x71001CC828": "nn::lr::IAddOnContentLocationResolver",
 25 | #	"IUnknown_dfd5f913_0x71001CC890": "nn::psc::sf::IPmService",
 26 | #	"IUnknown_b171b62c_0x71001CC8E8": "nn::psc::sf::IPmModule",
 27 | #	"IUnknown_0b7cc0c3_0x71001CC4E0": "nn::tma::IFileManager",
 28 | #	"IUnknown_9329709d_0x71001CC590": "nn::tma::IFile",
 29 | #	"IUnknown_b171b62c_0x71001CC618": "nn::tma::IDirectory",
 30 | #	"IUnknown_dfd5f913_0x71001CC378": "nn::pinmux::IManager",
 31 | #	"IUnknown_0868914f_0x71001CC3D0": "nn::pinmux::ISession",
 32 | #
 33 | #	# 4.0.1 pm:
 34 | #	"IUnknown_b171b62c_0x710004B8F8": "nn::ldr::detail::IProcessManagerInterface",
 35 | #
 36 | #	# 4.0.1 nvservices:
 37 | #	"IUnknown_dfd5f913_0x710011A940": "nn::psc::sf::IPmService",
 38 | #	"IUnknown_dfd5f913_0x710011A998": "nn::psc::sf::IPmModule",
 39 | #
 40 | #	# 4.0.1 ns:
 41 | #	"IUnknown_560d510c_0x7100191930": "nn::nim::detail::INetworkInstallManager",
 42 | #	"IUnknown_0868914f_0x7100191C18": "nn::nim::detail::IAsyncResult",
 43 | #	"IUnknown_b171b62c_0x7100191C80": "nn::nim::detail::IAsyncValue",
 44 | #	"IUnknown_ef63a7f7_0x7100191CF0": "nn::nim::detail::IAsyncData",
 45 | #	"IUnknown_a2ec7c94_0x7100189400": "nn::es::IETicketService",
 46 | #	"IUnknown_f4e4f171_0x710018A7E0": "nn::ldr::detail::IShellInterface",
 47 | #	"IUnknown_b171b62c_0x710018A840": "nn::lr::ILocationResolverManager",
 48 | #	"IUnknown_bd070344_0x710018A8B0": "nn::lr::ILocationResolver",
 49 | #	"IUnknown_788b7338_0x710018A950": "nn::lr::IRegisteredLocationResolver",
 50 | #	"IUnknown_0868914f_0x710018A9E0": "nn::lr::IAddOnContentLocationResolver",
 51 | #	"IUnknown_f4e4f171_0x710018F1B0": "nn::pm::detail::IBootModeInterface",
 52 | #	"IUnknown_bd070344_0x710018F210": "nn::pm::detail::IShellInterface",
 53 | #	"IUnknown_5c4120bd_0x7100195E60": "nn::pdm::detail::INotifyService",
 54 | #
 55 | #	# 4.0.1 fatal:
 56 | #	"IUnknown_0ee18a67_0x7100159718": "nn::spsm::detail::IPowerStateInterface",
 57 | #	"IUnknown_dfd5f913_0x710015DCA8": "nn::pm::detail::IInformationInterface",
 58 | #
 59 | #
 60 | #	# 4.0.1 friends:
 61 | #	'IUnknown_271cf7f3_0x71001C4390': 'nn::pdm::detail::IQueryService',
 62 | 
 63 | }
 64 | 
 65 | def demangle(s):
 66 | 	value = get_demangled(s)
 67 | 	if '<nn::sf::cmif::client::CmifProxyFactory<' in value:
 68 | 		value = value.split('<nn::sf::cmif::client::CmifProxyFactory<')[1].split(', ')[0]
 69 | 	elif '<nn::sf::cmif::client::detail::CmifProxy<' in  value:
 70 | 		value = value.split('<nn::sf::cmif::client::detail::CmifProxy<')[1].split(', ')[0]
 71 | 
 72 | 	if 'nn::sf::UnmanagedServiceObject<' in value:
 73 | 		value = value.split('nn::sf::UnmanagedServiceObject<')[1].split(', ')[0]
 74 | 
 75 | 	return value
 76 | 
 77 | def find_ret(binstring, func_start):
 78 | 	offset = func_start
 79 | 	while struct.unpack_from('<I', binstring, offset)[0] != 0xd65f03c0:
 80 | 		offset += 4
 81 | 	return offset
 82 | 
 83 | lookup = {}
 84 | 
 85 | def get_last_immediate_argument(insns):
 86 | 	immregs = [None] * 32
 87 | 
 88 | 	stores = {}
 89 | 	for i in insns:
 90 | 		if i.mnemonic == 'orr' and i.op_str.split(', ')[1] == 'wzr':
 91 | 			immregs[int(i.op_str.split(', ')[0][1:])] = i.operands[2].value.imm
 92 | 		elif i.mnemonic == 'mov':
 93 | 			src = i.op_str.split(', ')[1]
 94 | 			dest = int(i.op_str.split(', ')[0][1:])
 95 | 			if src == 'wzr' or src == 'xzr':
 96 | 				immregs[dest] = 0
 97 | 			elif src == 'sp':
 98 | 				immregs[dest] = None
 99 | 			else:
100 | 				immregs[dest] = immregs[int(src[1:])]
101 | 		elif i.mnemonic == 'movz':
102 | 			if i.op_str.endswith(', lsl #16'):
103 | 				immregs[int(i.op_str.split(', ')[0][1:])] = i.operands[1].value.imm << 16
104 | 			else:
105 | 				immregs[int(i.op_str.split(', ')[0][1:])] = i.operands[1].value.imm
106 | 		elif i.mnemonic == 'movk':
107 | 			immregs[int(i.op_str.split(', ')[0][1:])] |= i.operands[1].value.imm
108 | 		elif i.mnemonic == 'str' and i.reg_name(i.operands[1].value.mem.base) == 'sp':
109 | 			reg = i.reg_name(i.operands[0].value.mem.base)
110 | 			if reg == 'wzr':
111 | 				value = 0
112 | 			else:
113 | 				value = immregs[int(reg[1:])]
114 | 			stores[i.operands[1].value.mem.disp] = value
115 | 		elif i.mnemonic == 'stp' and i.reg_name(i.operands[2].value.mem.base) == 'sp':
116 | 			reg = i.reg_name(i.operands[0].value.mem.base)
117 | 			if reg == 'wzr':
118 | 				value = 0
119 | 			else:
120 | 				value = immregs[int(reg[1:])]
121 | 			stores[i.operands[2].value.mem.disp] = value
122 | 
123 | 			reg = i.reg_name(i.operands[1].value.mem.base)
124 | 			if reg == 'wzr':
125 | 				value = 0
126 | 			else:
127 | 				value = immregs[int(reg[1:])]
128 | 			stores[i.operands[2].value.mem.disp + 8] = value
129 | 
130 | 	if stores:
131 | 		last_store = None
132 | 		end = sorted(stores.keys())[-1] + 8
133 | 		for off in range(0, end, 8):
134 | 			if off not in stores:
135 | 				break
136 | 			val = stores[off]
137 | 			if val is not None:
138 | 				last_store = val
139 | 		if last_store is not None:
140 | 			return last_store
141 | 
142 | 	for i in range(8, -1, -1):
143 | 		if immregs[i] is not None:
144 | 			return immregs[i]
145 | 
146 | 	return None
147 | 
148 | 
149 | 
150 | is_process_function_cache = {}
151 | def is_process_function(binstring, func_start):
152 | 	#print hex(func_start)
153 | 	if func_start in is_process_function_cache:
154 | 		return is_process_function_cache[func_start]
155 | 	md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
156 | 	counter = 0
157 | 	try:
158 | 		i = func_start
159 | 		instr = md.disasm(binstring[i:i+4], i).next()
160 | 		while instr.mnemonic not in ('ret',):
161 | 			#if instr.mnemonic in ('movz', 'movk'):
162 | 			#	print instr.mnemonic, repr(instr.op_str), instr.op_str.endswith(', #0x4653')
163 | 			#print instr.mnemonic
164 | 			if instr.mnemonic in ('movz', 'movk') and instr.op_str.endswith(', #0x4943, lsl #16'):
165 | 				counter += 1
166 | 				#print '...'
167 | 			elif instr.mnemonic in ('movz', 'movk') and instr.op_str.endswith(', #0x4f43, lsl #16'):
168 | 				#print '..'
169 | 				counter += 1
170 | 			elif instr.mnemonic in ('movz', 'movk') and instr.op_str.endswith(', #0x4653'):
171 | 				#print '.'
172 | 				counter += 1
173 | 			i += 4
174 | 			instr = md.disasm(binstring[i:i+4], i).next()
175 | 		func_end = i + 4
176 | 	except StopIteration:
177 | 		is_process_function_cache[func_start] = False
178 | 		return False
179 | 	#print counter
180 | 	is_process_function_cache[func_start] = (counter in (2,4))
181 | 	return (counter in (2,4))
182 | 
183 | def get_function_cmd_id_old(binstring, func_start, func_end, rostart, roend):
184 | 	md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
185 | 	counter = 0
186 | 	got_movz = False
187 | 	got_movk = False
188 | 	for i in range(func_start, func_end, 4):
189 | 		try:
190 | 			instr = md.disasm(binstring[i:i+4], i).next()
191 | 		except StopIteration:
192 | 			return None
193 | 		if instr.mnemonic == 'movz' and instr.op_str.endswith(', #0x4f43, lsl #16'):
194 | 			got_movz = True
195 | 		elif instr.mnemonic == 'movk' and instr.op_str.endswith(', #0x4653'):
196 | 			got_movk = True
197 | 		if got_movk and got_movz:
198 | 			break
199 | 
200 | 	if not got_movz and got_movk:
201 | 		return None
202 | 
203 | 
204 | 	md.detail = True
205 | 	constants = {}
206 | 	for i in range(func_start, func_end, 4):
207 | 		try:
208 | 			instr = md.disasm(binstring[i:i+4], i).next()
209 | 		except StopIteration:
210 | 			return None
211 | 
212 | 		if instr.mnemonic == 'adrp':
213 | 			reg_name = instr.reg_name(instr.operands[0].value.reg)
214 | 			constants[reg_name] = instr.operands[1].value.imm
215 | 		elif instr.mnemonic == 'add' and instr.operands[2].type == ARM64_OP_IMM:
216 | 			reg_name = instr.reg_name(instr.operands[1].value.reg)
217 | 			if reg_name in constants:
218 | 				loc = instr.operands[2].value.imm + constants[reg_name]
219 | 				if rostart <= loc <= roend-0x10:
220 | 					if binstring[loc:loc+8] == 'SFCI\0\0\0\0':
221 | 						return struct.unpack_from('<Q', binstring, loc + 8)[0]
222 | 				if instr.reg_name(instr.operands[1].value.reg) == reg_name:
223 | 					del constants[reg_name]
224 | 		elif instr.mnemonic in ('bl', 'blr'):
225 | 			constants = {}
226 | 
227 | 	return None
228 | 
229 | def get_function_cmd_id(binstring, func_start, plt_lookup, rostart, roend):
230 | 	md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
231 | 	md.detail = True
232 | 
233 | 	func_end = find_ret(binstring, func_start) + 4
234 | 	#print 'func_end: 0x%X' % func_end
235 | 	calls = 0
236 | 	block_starts = set()
237 | 	block_starts.add(func_start)
238 | 	for i in range(func_start, func_end, 4):
239 | 		try:
240 | 			insn = md.disasm(binstring[i:i+4], i).next()
241 | 		except StopIteration:
242 | 			break
243 | 		if insn.mnemonic in ('bl', 'blr'):
244 | 			calls += 1
245 | 			block_starts.add(i+4)
246 | 		elif insn.mnemonic == 'cbz':
247 | 			block_starts.add(i+4)
248 | 			block_starts.add(insn.operands[1].value.imm)
249 | 
250 | 	if calls >= 4:
251 | 		cmd_id_old = get_function_cmd_id_old(binstring, func_start, func_end, rostart, roend)
252 | 		if cmd_id_old is not None:
253 | 			return cmd_id_old, None
254 | 
255 | 	#print block_starts
256 | 	if len(block_starts) < 2 or len(block_starts) > 7:
257 | 		return None
258 | 
259 | 	blocks = []
260 | 	for i in range(func_start, func_end, 4):
261 | 		try:
262 | 			insn = md.disasm(binstring[i:i+4], i).next()
263 | 		except StopIteration:
264 | 			break
265 | 		if i in block_starts:
266 | 			blocks.append([])
267 | 		blocks[-1].append(insn)
268 | 
269 | 	argsblock = None
270 | 	for block in blocks[::-1]:
271 | 		if block[-1].mnemonic == 'bl':
272 | 			argsblock = block
273 | 			break
274 | 	if not argsblock:
275 | 		return None
276 | 	process_function = argsblock[-1].operands[0].value.imm
277 | 	process_function = plt_lookup.get(process_function, process_function)
278 | 	if not is_process_function(binstring, process_function):
279 | 		#print 'not_process_function'
280 | 		return None
281 | 
282 | 	# keep it simple by skipping all instructions that do not generate immediates
283 | 	pos = 0
284 | 	while (pos < len(argsblock) and
285 | 		   argsblock[pos].mnemonic in ('stp', 'mov', 'str', 'add', 'ldr', 'and', 'ldp') and
286 | 		   'wzr' not in argsblock[pos].op_str):
287 | 		pos += 1
288 | 
289 | 	result = get_last_immediate_argument(block[pos:])
290 | 	#if result is None:
291 | 	#	print block[pos:]
292 | 
293 | 	return result, process_function
294 | 
295 | import sys
296 | 
297 | def shorten(s):
298 | 	for i in ('nn::sf::hipc::detail::', 'nn::sf::hipc::client::', 'nn::sf::cmif::client::', 'nn::sf::cmif::detail::', 'std::__1::', 'nn::sf::'):
299 | 		s = s.replace(i, '')
300 | 	return s
301 | 
302 | def get_method_info_part(s):
303 | 	start = s.index('CoreMethodInfo<') + len('CoreMethodInfo<')
304 | 	p = start
305 | 	depth = 1
306 | 	while depth:
307 | 		if s[p] == '>':
308 | 			depth -= 1
309 | 		elif s[p] == '<':
310 | 			depth += 1
311 | 		p += 1
312 | 	return s[start:p-1]
313 | 
314 | def hexify(s):
315 | 	def matchfunc(o):
316 | 		v = int(o.group(1))
317 | 		if v < 10:
318 | 			return '%d' % v
319 | 		else:
320 | 			return '0x%X' % v
321 | 	return re.sub('([0-9]+)u?l?', matchfunc, s)
322 | 
323 | def get_display_method_info(name):
324 | 	tup, inbytes, outbytes, sendpid = hexify(shorten(get_method_info_part(demangle(name)))).rsplit(', ', 3)
325 | 	tup = tup[6:-1].strip().replace('ArgumentInfo<', '<').replace(', ', ',').replace('>,', '>, ')
326 | 	parts = [inbytes + ' bytes in', outbytes + ' bytes out']
327 | 	if sendpid == 'true':
328 | 		parts.append('takes pid')
329 | 	if tup:
330 | 		parts.append(tup)
331 | 	return ' - '.join(parts)
332 | 
333 | 
334 | def get_method_data(name):
335 | 	tup, inbytes, outbytes, sendpid = hexify(shorten(get_method_info_part(demangle(name)))).rsplit(', ', 3)
336 | 
337 | 	tup = tup[6:-1].strip().replace('ArgumentInfo<', '<').replace(', ', ',').replace('>,', '>, ')
338 | 
339 | 	data = {}
340 | 	data["inbytes"] = int(inbytes,16)
341 | 	data["outbytes"] = int(outbytes,16)
342 | 	if sendpid == 'true':
343 | 		data["pid"] = True
344 | 
345 | 	data['arginfo'] = tup
346 | 	return data
347 | 
348 | def get_cmd_id_hash(vt):
349 | 	return hashlib.sha224(','.join('%d' % i for i in vt if i is not None)).hexdigest()[:8]
350 | 
351 | 
352 | class IpcClientVtableEntry(object):
353 | 	def __init__(self, cmd, process_function, funcptr):
354 | 		self.cmd = cmd
355 | 		self.process_function = process_function
356 | 		self.funcptr = funcptr
357 | 
358 | 
359 | class IpcClientVtable(object):
360 | 	def __init__(self, start, end, interface, entries, is_domain):
361 | 		self.start = start
362 | 		self.end = end
363 | 		self.interface = interface
364 | 		self.entries = entries
365 | 		self.is_domain = is_domain
366 | 
367 | 
368 | def iter_vtables_in_nxo(f):
369 | 	assert f.textoff == 0
370 | 	f.binfile.seek(f.textoff)
371 | 	binstring = f.binfile.read(f.dataoff + f.datasize)
372 | 
373 | 
374 | 	fptr_syms = {}
375 | 	data_syms = {}
376 | 	for offset, r_type, sym, addend in f.relocations:
377 | 		if f.dataoff <= offset < f.dataoff + f.datasize:
378 | 			if sym and sym.shndx and sym.value < f.textsize:
379 | 				fptr_syms[offset] = sym.value
380 | 			elif addend and addend < f.textsize:
381 | 				fptr_syms[offset] = addend
382 | 			elif sym and sym.shndx and sym.value:
383 | 				data_syms[offset] = sym.value
384 | 			elif addend:
385 | 				data_syms[offset] = addend
386 | 
387 | 	#print hex(f.dataoff), f.dataoff < 0xCE7AA8
388 | 	#print struct.unpack_from('<q', binstring, 0xCE7AA8)[0]
389 | 	for i in range(f.dataoff, len(binstring), 8):
390 | 		#print hex(i), hex(len(binstring))
391 | 		value = struct.unpack_from('<q', binstring, i)[0]
392 | 		if value in (-0x10, -0x20):
393 | 			#if i == 0xCE7AA8:
394 | 			#	print hex(i)
395 | 			end = i
396 | 			start = end
397 | 			while start - 8 in fptr_syms:
398 | 				start -= 8
399 | 
400 | 			process_functions = [None] * ((end-start)/8)
401 | 
402 | 			vt = []
403 | 			funcptrs = []
404 | 			for j in range(start, end, 8):
405 | 				entry = fptr_syms[j]
406 | 				cmd_id = get_function_cmd_id(binstring, entry, f.plt_lookup, f.rodataoff, f.dataoff)
407 | 				if cmd_id is not None:
408 | 					cmd_id, process_function = cmd_id
409 | 					process_functions[(j-start)/8] = process_function
410 | 				vt.append(cmd_id)
411 | 				funcptrs.append(entry)
412 | 
413 | 
414 | 			if len(vt) > 4 and all(i is None for i in vt[:4] + vt[-1:]) and not any(i is None for i in vt[4:-1]):
415 | 				interface = ''
416 | 				raw_vtable_name = ''
417 | 				if start-8 in data_syms:
418 | 					rtti_string = data_syms[data_syms[start-8]+8]
419 | 					raw_vtable_name = binstring[rtti_string:binstring.index('\0',rtti_string)]
420 | 					interface = demangle(raw_vtable_name)
421 | 				elif start-16 in f.addr_to_name:
422 | 					raw_vtable_name = f.addr_to_name[start-16]
423 | 					interface = demangle(raw_vtable_name)
424 | 				else:
425 | 					interface = 'IUnknown_%s_0x%X' % (get_cmd_id_hash(vt), start + IDA_BASE)
426 | 					interface = MANUAL_NAME_LOOKUP.get(interface, interface)
427 | 
428 | 				is_domain = False
429 | 				if 'CmifDomainProxy' in raw_vtable_name:
430 | 					is_domain = True
431 | 
432 | 				entries = []
433 | 				for cmd, process_function, funcptr in zip(vt, process_functions, funcptrs):
434 | 					entries.append(IpcClientVtableEntry(cmd, process_function, funcptr))
435 | 				yield IpcClientVtable(start, end, interface, entries, is_domain)
436 | 
437 | 
438 | def dump_vtables(fname):
439 | 	with open(fname, 'rb') as li:
440 | 		f = load_nxo(li)
441 | 
442 | 	#for name in  '_nn_sf_sync_' 
443 | 	for vtable in iter_vtables_in_nxo(f):
444 | 		#print '?'
445 | 		#continue
446 | 		print '  %r: {' % vtable.interface
447 | 		for entry in vtable.entries:
448 | 			if entry.cmd is not None:
449 | 				data = {}
450 | 				if entry.funcptr in f.addr_to_name:
451 | 					demangled = demangle(f.addr_to_name[entry.funcptr])
452 | 					name, args = demangled.split('>::_nn_sf_sync_')[-1].split('(', 1)
453 | 					args = args[:-1]
454 | 					#parts.append('%r: %r' % ('name', name))
455 | 					#parts.append('%r: %r' % ('args', args))
456 | 					data['name'] = name
457 | 					data['args'] = shorten(args)
458 | 
459 | 
460 | 				if entry.process_function is not None and entry.process_function in f.addr_to_name:
461 | 					#parts.append('%r: %r' % ('data', ))
462 | 					data.update(get_method_data(f.addr_to_name[entry.process_function]))
463 | 					#s += (' | ' + )
464 | 
465 | 				parts = []
466 | 				for i in ['inbytes', 'outbytes', 'name', 'pid', 'args', 'arginfo']:
467 | 					if i not in data: continue
468 | 					v = data[i]
469 | 					if isinstance(v, (list, bool, str)):
470 | 						v = repr(v)
471 | 					else:
472 | 						if v >= 10:
473 | 							v = '0x%X' % v
474 | 						else:
475 | 							v = str(v)
476 | 						v = v.rjust(5)
477 | 					parts.append('"%s": %s' % (i, v))
478 | 				print '    %5d: {%s},' % (entry.cmd, ', '.join(parts))
479 | 
480 | 		print '  },'
481 | 
482 | 
483 | #from wherever import namez # or just paste it here
484 | 
485 | def dump_structs(fname):
486 | 	with open(fname, 'rb') as li:
487 | 		f = load_nxo(li)
488 | 		#for k,v in namez.iteritems():
489 | 		#	f.
490 | 
491 | 	for vtable in iter_vtables_in_nxo(f):
492 | 		interface = vtable.interface
493 | 
494 | 		#if 'CmifDomainProxy' in tail:
495 | 		#	interface += '::DomainProxy'
496 | 
497 | 		print
498 | 		print 'struct %s;' % interface
499 | 
500 | 		print 'struct %s::vt' % interface
501 | 		print '{'
502 | 		for i, entry in enumerate(vtable.entries):
503 | 			if entry.cmd is not None:
504 | 				funcname = 'Cmd%d' % entry.cmd
505 | 				if entry.funcptr in f.addr_to_name:
506 | 					ipcname = demangle(f.addr_to_name[entry.funcptr]).split('>::_nn_sf_sync_')[-1].split('(')[0]
507 | 					funcname += '_' + ipcname					
508 | 			else:
509 | 				funcname = {
510 | 					0: 'AddReference',
511 | 					1: 'Release',
512 | 					2: 'GetProxyInfo',
513 | 					3: 'GetInterfaceTypeInfo',
514 | 				}.get(i)
515 | 				if funcname is None:
516 | 					if i == len(vtable.entries) - 1:
517 | 						funcname = 'GetCmifBaseObject'
518 | 					else:
519 | 						funcname = 'func%X' % (i * 8)
520 | 			print '  _DWORD (*__fastcall %s)(%s *this, ...);' % (funcname, interface)
521 | 
522 | 		print '};'
523 | 		print 'struct %s' % interface
524 | 		print '{'
525 | 		print '  %s::vt *_vt;' % interface
526 | 		print '  _BYTE byte8;'
527 | 		print '  _BYTE byte9;'
528 | 		print '  unsigned int handle;'
529 | 		print '  void *_vt10;'
530 | 		print '  _DWORD dword18;'
531 | 		print '  _QWORD qword20;'
532 | 		print '};'
533 | 
534 | 
535 | 
536 | def dump_unique_ids(fnames):
537 | 	all_cmds = set()
538 | 	for fname in sys.argv[1:]:
539 | 		with open(fname, 'rb') as li:
540 | 			f = load_nxo(li)
541 | 		new = False
542 | 		for vtable in iter_vtables_in_nxo(f):
543 | 			interface = vtable.interface
544 | 
545 | 			for i, entry in enumerate(vtable.entries):
546 | 				if entry.cmd is not None and entry.cmd not in all_cmds:
547 | 					print entry.cmd
548 | 					new = True
549 | 					all_cmds.add(entry.cmd)
550 | 		if new:
551 | 			print all_cmds
552 | 
553 | 
554 | def main():
555 | 	dump_vtables(sys.argv[1])
556 | 	#dump_structs(sys.argv[1])
557 | 	#dump_unique_ids(sys.argv[1:])
558 | 	#for fname in sys.argv[1:]:
559 | 	#	dump_structs(fname)
560 | 
561 | 
562 | if __name__ == '__main__':
563 | 	main()
564 | 
565 | 
566 | 


--------------------------------------------------------------------------------
/ipcclient/itanium_demangler.py:
--------------------------------------------------------------------------------
  1 | # encoding:utf-8
  2 | # Copyright (C) 2018 whitequark@whitequark.org
  3 | # 
  4 | # Permission to use, copy, modify, and/or distribute this software for
  5 | # any purpose with or without fee is hereby granted.
  6 | # 
  7 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  8 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  9 | # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 10 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 11 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
 12 | # AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 13 | # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 14 | """
 15 | This module implements a C++ Itanium ABI demangler.
 16 | 
 17 | The demangler provides a single entry point, `demangle`, and returns either `None`
 18 | or an abstract syntax tree. All nodes have, at least, a `kind` field.
 19 | 
 20 | Name nodes:
 21 |     * `name`: `node.value` (`str`) holds an unqualified name
 22 |     * `ctor`: `node.value` is one of `"complete"`, `"base"`, or `"allocating"`, specifying
 23 |       the type of constructor
 24 |     * `dtor`: `node.value` is one of `"deleting"`, `"complete"`, or `"base"`, specifying
 25 |       the type of destructor
 26 |     * `oper`: `node.value` (`str`) holds a symbolic operator name, without the keyword
 27 |       "operator"
 28 |     * `oper_cast`: `node.value` holds a type node
 29 |     * `tpl_args`: `node.value` (`tuple`) holds a sequence of type nodes
 30 |     * `qual_name`: `node.value` (`tuple`) holds a sequence of `name` and `tpl_args` nodes,
 31 |       possibly ending in a `ctor`, `dtor` or `operator` node
 32 |     * `abi`: `node.value` holds a name node, `node.qual` (`frozenset`) holds a set of ABI tags
 33 | 
 34 | Type nodes:
 35 |     * `name` and `qual_name` specify a type by its name
 36 |     * `builtin`: `node.value` (`str`) specifies a builtin type by its name
 37 |     * `pointer`, `lvalue` and `rvalue`: `node.value` holds a pointee type node
 38 |     * `cv_qual`: `node.value` holds a type node, `node.qual` (`frozenset`) is any of
 39 |       `"const"`, `"volatile"`, or `"restrict"`
 40 |     * `literal`: `node.value` (`str`) holds the literal representation as-is,
 41 |       `node.ty` holds a type node specifying the type of the literal
 42 |     * `function`: `node.name` holds a name node specifying the function name,
 43 |       `node.ret_ty` holds a type node specifying the return type of a template function,
 44 |       if any, or `None`, ``node.arg_tys` (`tuple`) holds a sequence of type nodes
 45 |       specifying thefunction arguments
 46 | 
 47 | Special nodes:
 48 |     * `vtable`, `vtt`, `typeinfo`, and `typeinfo_name`: `node.value` holds a type node
 49 |       specifying the type described by this RTTI data structure
 50 |     * `nonvirt_thunk`, `virt_thunk`: `node.value` holds a function node specifying
 51 |       the function to which the thunk dispatches
 52 | """
 53 | 
 54 | import re
 55 | from collections import namedtuple
 56 | 
 57 | 
 58 | class _Cursor:
 59 |     def __init__(self, raw, pos=0):
 60 |         self._raw = raw
 61 |         self._pos = pos
 62 |         self._substs = {}
 63 | 
 64 |     def at_end(self):
 65 |         return self._pos == len(self._raw)
 66 | 
 67 |     def accept(self, delim):
 68 |         if self._raw[self._pos:self._pos + len(delim)] == delim:
 69 |             self._pos += len(delim)
 70 |             return True
 71 | 
 72 |     def advance(self, amount):
 73 |         if self._pos + amount > len(self._raw):
 74 |             return None
 75 |         result = self._raw[self._pos:self._pos + amount]
 76 |         self._pos += amount
 77 |         return result
 78 | 
 79 |     def advance_until(self, delim):
 80 |         new_pos = self._raw.find(delim, self._pos)
 81 |         if new_pos == -1:
 82 |             return None
 83 |         result = self._raw[self._pos:new_pos]
 84 |         self._pos = new_pos + len(delim)
 85 |         return result
 86 | 
 87 |     def match(self, pattern):
 88 |         match = pattern.match(self._raw, self._pos)
 89 |         if match:
 90 |             self._pos = match.end(0)
 91 |         return match
 92 | 
 93 |     def add_subst(self, node):
 94 |         # print("S[{}] = {}".format(len(self._substs), str(node)))
 95 |         if not node in self._substs.values():
 96 |             self._substs[len(self._substs)] = node
 97 | 
 98 |     def resolve_subst(self, seq_id):
 99 |         if seq_id in self._substs:
100 |             return self._substs[seq_id]
101 | 
102 |     def __repr__(self):
103 |         return "_Cursor({}, {})".format(self._raw[:self._pos] + '→' + self._raw[self._pos:],
104 |                                         self._pos)
105 | 
106 | 
107 | class Node(namedtuple('Node', 'kind value')):
108 |     def __repr__(self):
109 |         return "<Node {} {}>".format(self.kind, repr(self.value))
110 | 
111 |     def __str__(self):
112 |         if self.kind in ('name', 'builtin'):
113 |             if self.value == '_GLOBAL__N_1':
114 |                 return '(anonymous namespace)'
115 |             return self.value
116 |         elif self.kind == 'qual_name':
117 |             result = ''
118 |             for node in self.value:
119 |                 if result != '' and node.kind != 'tpl_args':
120 |                     result += '::'
121 |                 result += str(node)
122 |             return result
123 |         elif self.kind == 'tpl_args':
124 |             result = '<' + ', '.join(map(str, self.value))
125 |             if result.endswith('>'):
126 |                 result += ' '
127 |             result += '>'
128 |             return result
129 |         elif self.kind == 'ctor':
130 |             if self.value == 'complete':
131 |                 return '{ctor}'
132 |             elif self.value == 'base':
133 |                 return '{base ctor}'
134 |             elif self.value == 'allocating':
135 |                 return '{allocating ctor}'
136 |             else:
137 |                 assert False
138 |         elif self.kind == 'dtor':
139 |             if self.value == 'deleting':
140 |                 return '{deleting dtor}'
141 |             elif self.value == 'complete':
142 |                 return '{dtor}'
143 |             elif self.value == 'base':
144 |                 return '{base dtor}'
145 |             else:
146 |                 assert False
147 |         elif self.kind == 'oper':
148 |             if self.value.startswith('new') or self.value.startswith('delete'):
149 |                 return 'operator ' + self.value
150 |             else:
151 |                 return 'operator' + self.value
152 |         elif self.kind == 'oper_cast':
153 |             return 'operator ' + str(self.value)
154 |         elif self.kind == 'pointer':
155 |             return str(self.value) + '*'
156 |         elif self.kind == 'lvalue':
157 |             return str(self.value) + '&'
158 |         elif self.kind == 'rvalue':
159 |             return str(self.value) + '&&'
160 |         elif self.kind == 'tpl_param':
161 |             return '{T' + str(self.value) + '}'
162 |         elif self.kind == 'subst':
163 |             return '{S' + str(self.value) + '}'
164 |         elif self.kind == 'vtable':
165 |             return 'vtable for ' + str(self.value)
166 |         elif self.kind == 'vtt':
167 |             return 'vtt for ' + str(self.value)
168 |         elif self.kind == 'typeinfo':
169 |             return 'typeinfo for ' + str(self.value)
170 |         elif self.kind == 'typeinfo_name':
171 |             return 'typeinfo name for ' + str(self.value)
172 |         elif self.kind == 'nonvirt_thunk':
173 |             return 'non-virtual thunk for ' + str(self.value)
174 |         elif self.kind == 'virt_thunk':
175 |             return 'virtual thunk for ' + str(self.value)
176 |         else:
177 |             return repr(self)
178 | 
179 |     def map(self, f):
180 |         if self.kind in ('oper_cast', 'pointer', 'lvalue', 'rvalue', 'expand_arg_pack',
181 |                          'vtable', 'vtt', 'typeinfo', 'typeinfo_name'):
182 |             return self._replace(value=f(self.value))
183 |         elif self.kind in ('qual_name', 'tpl_args', 'tpl_arg_pack'):
184 |             return self._replace(value=tuple(map(f, self.value)))
185 |         else:
186 |             return self
187 | 
188 | 
189 | class QualNode(namedtuple('QualNode', 'kind value qual')):
190 |     def __repr__(self):
191 |         return "<QualNode {} {} {}>".format(self.kind, repr(self.qual), repr(self.value))
192 | 
193 |     def __str__(self):
194 |         if self.kind == 'abi':
195 |             return str(self.value) + "".join(['[abi:' + tag + ']' for tag in self.qual])
196 |         elif self.kind == 'cv_qual':
197 |             return ' '.join([str(self.value)] + list(self.qual))
198 |         else:
199 |             return repr(self)
200 | 
201 |     def map(self, f):
202 |         if self.kind == 'cv_qual':
203 |             return self._replace(value=f(self.value))
204 |         else:
205 |             return self
206 | 
207 | 
208 | class CastNode(namedtuple('CastNode', 'kind value ty')):
209 |     def __repr__(self):
210 |         return "<CastNode {} {} {}>".format(self.kind, repr(self.ty), repr(self.value))
211 | 
212 |     def __str__(self):
213 |         if self.kind == 'literal':
214 |             ty = str(self.ty)
215 |             suffixes = {
216 |                 'long': 'l',
217 |                 'unsigned long': 'ul',
218 |                 'int': ''
219 |             }
220 |             value = str(self.value)
221 |             if ty in suffixes:
222 |                 return value + suffixes[ty]
223 |             if ty == 'bool' and value in ('0', '1'):
224 |                 return { '0': 'false', '1': 'true' }[value]
225 |             return '(' + ty + ')' + value
226 |         else:
227 |             return repr(self)
228 | 
229 |     def map(self, f):
230 |         if self.kind == 'literal':
231 |             return self._replace(ty=f(self.ty))
232 |         else:
233 |             return self
234 | 
235 | 
236 | class FuncNode(namedtuple('FuncNode', 'kind name arg_tys ret_ty')):
237 |     def __repr__(self):
238 |         return "<FuncNode {} {} {} {}>".format(self.kind, repr(self.name),
239 |                                                repr(self.arg_tys), repr(self.ret_ty))
240 | 
241 |     def __str__(self):
242 |         if self.kind == 'func':
243 |             result = ""
244 |             if self.ret_ty is not None:
245 |                 result += str(self.ret_ty) + ' '
246 |             if self.name is not None:
247 |                 result += str(self.name)
248 |             if self.arg_tys == (Node('builtin', 'void'),):
249 |                 result += '()'
250 |             else:
251 |                 result += '(' + ', '.join(map(str, self.arg_tys)) + ')'
252 |             return result
253 |         else:
254 |             return repr(self)
255 | 
256 |     def map(self, f):
257 |         if self.kind == 'func':
258 |             return self._replace(name=f(self.name) if self.name else None,
259 |                                  arg_tys=tuple(map(f, self.arg_tys)),
260 |                                  ret_ty=f(self.ret_ty) if self.ret_ty else None)
261 |         else:
262 |             return self
263 | 
264 | 
265 | _ctor_dtor_map = {
266 |     'C1': 'complete',
267 |     'C2': 'base',
268 |     'C3': 'allocating',
269 |     'D0': 'deleting',
270 |     'D1': 'complete',
271 |     'D2': 'base'
272 | }
273 | 
274 | _std_names = {
275 |     'St': [Node('name', 'std')],
276 |     'Sa': [Node('name', 'std'), Node('name', 'allocator')],
277 |     'Sb': [Node('name', 'std'), Node('name', 'basic_string')],
278 |     'Ss': [Node('name', 'std'), Node('name', 'string')],
279 |     'Si': [Node('name', 'std'), Node('name', 'istream')],
280 |     'So': [Node('name', 'std'), Node('name', 'ostream')],
281 |     'Sd': [Node('name', 'std'), Node('name', 'iostream')],
282 | }
283 | 
284 | _operators = {
285 |     'nw': 'new',
286 |     'na': 'new[]',
287 |     'dl': 'delete',
288 |     'da': 'delete[]',
289 |     'ps': '+', # (unary)
290 |     'ng': '-', # (unary)
291 |     'ad': '&', # (unary)
292 |     'de': '*', # (unary)
293 |     'co': '~',
294 |     'pl': '+',
295 |     'mi': '-',
296 |     'ml': '*',
297 |     'dv': '/',
298 |     'rm': '%',
299 |     'an': '&',
300 |     'or': '|',
301 |     'eo': '^',
302 |     'aS': '=',
303 |     'pL': '+=',
304 |     'mI': '-=',
305 |     'mL': '*=',
306 |     'dV': '/=',
307 |     'rM': '%=',
308 |     'aN': '&=',
309 |     'oR': '|=',
310 |     'eO': '^=',
311 |     'ls': '<<',
312 |     'rs': '>>',
313 |     'lS': '<<=',
314 |     'rS': '>>=',
315 |     'eq': '==',
316 |     'ne': '!=',
317 |     'lt': '<',
318 |     'gt': '>',
319 |     'le': '<=',
320 |     'ge': '>=',
321 |     'nt': '!',
322 |     'aa': '&&',
323 |     'oo': '||',
324 |     'pp': '++', # (postfix in <expression> context)
325 |     'mm': '--', # (postfix in <expression> context)
326 |     'cm': ',',
327 |     'pm': '->*',
328 |     'pt': '->',
329 |     'cl': '()',
330 |     'ix': '[]',
331 |     'qu': '?',
332 | }
333 | 
334 | _builtin_types = {
335 |     'v':  'void',
336 |     'w':  'wchar_t',
337 |     'b':  'bool',
338 |     'c':  'char',
339 |     'a':  'signed char',
340 |     'h':  'unsigned char',
341 |     's':  'short',
342 |     't':  'unsigned short',
343 |     'i':  'int',
344 |     'j':  'unsigned int',
345 |     'l':  'long',
346 |     'm':  'unsigned long',
347 |     'x':  'long long',
348 |     'y':  'unsigned long long',
349 |     'n':  '__int128',
350 |     'o':  'unsigned __int128',
351 |     'f':  'float',
352 |     'd':  'double',
353 |     'e':  '__float80',
354 |     'g':  '__float128',
355 |     'z':  '...',
356 |     'Di': 'char32_t',
357 |     'Ds': 'char16_t',
358 |     'Da': 'auto',
359 | }
360 | 
361 | 
362 | def _handle_cv(qualifiers, node):
363 |     qualifier_set = set()
364 |     if 'r' in qualifiers:
365 |         qualifier_set.add('restrict')
366 |     if 'V' in qualifiers:
367 |         qualifier_set.add('volatile')
368 |     if 'K' in qualifiers:
369 |         qualifier_set.add('const')
370 |     if qualifier_set:
371 |         return QualNode('cv_qual', node, frozenset(qualifier_set))
372 |     return node
373 | 
374 | def _handle_indirect(qualifier, node):
375 |     if qualifier == 'P':
376 |         return Node('pointer', node)
377 |     elif qualifier == 'R':
378 |         return Node('lvalue', node)
379 |     elif qualifier == 'O':
380 |         return Node('rvalue', node)
381 |     return node
382 | 
383 | 
384 | def _parse_seq_id(cursor):
385 |     seq_id = cursor.advance_until('_')
386 |     if seq_id is None:
387 |         return None
388 |     if seq_id == '':
389 |         return 0
390 |     else:
391 |         return 1 + int(seq_id, 36)
392 | 
393 | def _parse_until_end(cursor, kind, fn):
394 |     nodes = []
395 |     while not cursor.accept('E'):
396 |         node = fn(cursor)
397 |         if node is None or cursor.at_end():
398 |             return None
399 |         nodes.append(node)
400 |     return Node(kind, tuple(nodes))
401 | 
402 | 
403 | _SOURCE_NAME_RE = re.compile(r"\d+")
404 | 
405 | def _parse_source_name(cursor):
406 |     match = cursor.match(_SOURCE_NAME_RE)
407 |     name_len = int(match.group(0))
408 |     name = cursor.advance(name_len)
409 |     if name is None:
410 |         return None
411 |     return name
412 | 
413 | 
414 | _NAME_RE = re.compile(r"""
415 | (?P<source_name>        (?= \d)) |
416 | (?P<ctor_name>          C[123]) |
417 | (?P<dtor_name>          D[012]) |
418 | (?P<std_name>           S[absiod]) |
419 | (?P<operator_name>      nw|na|dl|da|ps|ng|ad|de|co|pl|mi|ml|dv|rm|an|or|
420 |                         eo|aS|pL|mI|mL|dV|rM|aN|oR|eO|ls|rs|lS|rS|eq|ne|
421 |                         lt|gt|le|ge|nt|aa|oo|pp|mm|cm|pm|pt|cl|ix|qu) |
422 | (?P<operator_cv>        cv) |
423 | (?P<std_prefix>         St) |
424 | (?P<substitution>       S) |
425 | (?P<nested_name>        N (?P<cv_qual> [rVK]*) (?P<ref_qual> [RO]?)) |
426 | (?P<template_param>     T) |
427 | (?P<template_args>      I) |
428 | (?P<constant>           L)
429 | """, re.X)
430 | 
431 | def _parse_name(cursor, is_nested=False):
432 |     match = cursor.match(_NAME_RE)
433 |     if match is None:
434 |         return None
435 |     elif match.group('source_name') is not None:
436 |         name = _parse_source_name(cursor)
437 |         if name is None:
438 |             return None
439 |         node = Node('name', name)
440 |     elif match.group('ctor_name') is not None:
441 |         node = Node('ctor', _ctor_dtor_map[match.group('ctor_name')])
442 |     elif match.group('dtor_name') is not None:
443 |         node = Node('dtor', _ctor_dtor_map[match.group('dtor_name')])
444 |     elif match.group('std_name') is not None:
445 |         node = Node('qual_name', _std_names[match.group('std_name')])
446 |     elif match.group('operator_name') is not None:
447 |         node = Node('oper', _operators[match.group('operator_name')])
448 |     elif match.group('operator_cv') is not None:
449 |         ty = _parse_type(cursor)
450 |         if ty is None:
451 |             return None
452 |         node = Node('oper_cast', ty)
453 |     elif match.group('std_prefix') is not None:
454 |         name = _parse_name(cursor, is_nested=True)
455 |         if name is None:
456 |             return None
457 |         if name.kind == 'qual_name':
458 |             node = Node('qual_name', (Node('name', 'std'),) + name.value)
459 |         else:
460 |             node = Node('qual_name', (Node('name', 'std'), name))
461 |     elif match.group('substitution') is not None:
462 |         seq_id = _parse_seq_id(cursor)
463 |         if seq_id is None:
464 |             return None
465 |         node = cursor.resolve_subst(seq_id)
466 |         if node is None:
467 |             return None
468 |     elif match.group('nested_name') is not None:
469 |         nodes = []
470 |         while True:
471 |             name = _parse_name(cursor, is_nested=True)
472 |             if name is None or cursor.at_end():
473 |                 return None
474 |             if name.kind == 'qual_name':
475 |                 nodes += name.value
476 |             else:
477 |                 nodes.append(name)
478 |             if cursor.accept('E'):
479 |                 break
480 |             else:
481 |                 cursor.add_subst(Node('qual_name', tuple(nodes)))
482 |         node = Node('qual_name', tuple(nodes))
483 |         node = _handle_cv(match.group('cv_qual'), node)
484 |         node = _handle_indirect(match.group('ref_qual'), node)
485 |     elif match.group('template_param') is not None:
486 |         seq_id = _parse_seq_id(cursor)
487 |         if seq_id is None:
488 |             return None
489 |         node = Node('tpl_param', seq_id)
490 |         cursor.add_subst(node)
491 |     elif match.group('template_args') is not None:
492 |         node = _parse_until_end(cursor, 'tpl_args', _parse_type)
493 |     elif match.group('constant') is not None:
494 |         # not in the ABI doc, but probably means `const`
495 |         return _parse_name(cursor, is_nested)
496 |     if node is None:
497 |         return None
498 | 
499 |     abi_tags = []
500 |     while cursor.accept('B'):
501 |         abi_tags.append(_parse_source_name(cursor))
502 |     if abi_tags:
503 |         node = QualNode('abi', node, frozenset(abi_tags))
504 | 
505 |     if not is_nested and cursor.accept('I') and (
506 |             node.kind == 'name' or
507 |             match.group('std_prefix') is not None or
508 |             match.group('std_name') is not None or
509 |             match.group('substitution') is not None):
510 |         if node.kind == 'name' or match.group('std_prefix') is not None:
511 |             cursor.add_subst(node) # <unscoped-template-name> ::= <substitution>
512 |         templ_args = _parse_until_end(cursor, 'tpl_args', _parse_type)
513 |         if templ_args is None:
514 |             return None
515 |         node = Node('qual_name', (node, templ_args))
516 |         if (match.group('std_prefix') is not None or
517 |                 match.group('std_name') is not None):
518 |             cursor.add_subst(node)
519 | 
520 |     return node
521 | 
522 | 
523 | _TYPE_RE = re.compile(r"""
524 | (?P<builtin_type>       v|w|b|c|a|h|s|t|i|j|l|m|x|y|n|o|f|d|e|g|z|
525 |                         Dd|De|Df|Dh|DF|Di|Ds|Da|Dc|Dn) |
526 | (?P<qualified_type>     [rVK]+) |
527 | (?P<indirect_type>      [PRO]) |
528 | (?P<function_type>      F) |
529 | (?P<expression>         X) |
530 | (?P<expr_primary>       (?= L)) |
531 | (?P<template_arg_pack>  J) |
532 | (?P<arg_pack_expansion> Dp) |
533 | (?P<decltype>           D[tT])
534 | """, re.X)
535 | 
536 | def _parse_type(cursor):
537 |     match = cursor.match(_TYPE_RE)
538 |     if match is None:
539 |         node = _parse_name(cursor)
540 |         cursor.add_subst(node)
541 |     elif match.group('builtin_type') is not None:
542 |         node = Node('builtin', _builtin_types[match.group('builtin_type')])
543 |     elif match.group('qualified_type') is not None:
544 |         ty = _parse_type(cursor)
545 |         if ty is None:
546 |             return None
547 |         node = _handle_cv(match.group('qualified_type'), ty)
548 |         cursor.add_subst(node)
549 |     elif match.group('indirect_type') is not None:
550 |         ty = _parse_type(cursor)
551 |         if ty is None:
552 |             return None
553 |         node = _handle_indirect(match.group('indirect_type'), ty)
554 |         cursor.add_subst(node)
555 |     elif match.group('function_type') is not None:
556 |         ret_ty = _parse_type(cursor)
557 |         if ret_ty is None:
558 |             return None
559 |         arg_tys = []
560 |         while not cursor.accept('E'):
561 |             arg_ty = _parse_type(cursor)
562 |             if arg_ty is None:
563 |                 return None
564 |             arg_tys.append(arg_ty)
565 |         node = FuncNode('func', None, tuple(arg_tys), ret_ty)
566 |         cursor.add_subst(node)
567 |     elif match.group('expression') is not None:
568 |         raise NotImplementedError("expressions are not supported")
569 |     elif match.group('expr_primary') is not None:
570 |         node = _parse_expr_primary(cursor)
571 |     elif match.group('template_arg_pack') is not None:
572 |         node = _parse_until_end(cursor, 'tpl_arg_pack', _parse_type)
573 |     elif match.group('arg_pack_expansion') is not None:
574 |         node = _parse_type(cursor)
575 |         node = Node('expand_arg_pack', node)
576 |     elif match.group('decltype') is not None:
577 |         raise NotImplementedError("decltype is not supported")
578 |     else:
579 |         return None
580 |     return node
581 | 
582 | 
583 | _EXPR_PRIMARY_RE = re.compile(r"""
584 | (?P<mangled_name>       L (?= _Z)) |
585 | (?P<literal>            L)
586 | """, re.X)
587 | 
588 | def _parse_expr_primary(cursor):
589 |     match = cursor.match(_EXPR_PRIMARY_RE)
590 |     if match is None:
591 |         return None
592 |     elif match.group('mangled_name') is not None:
593 |         mangled_name = cursor.advance_until('E')
594 |         return _parse_mangled_name(_Cursor(mangled_name))
595 |     elif match.group('literal') is not None:
596 |         ty = _parse_type(cursor)
597 |         if ty is None:
598 |             return None
599 |         value = cursor.advance_until('E')
600 |         if value is None:
601 |             return None
602 |         return CastNode('literal', value, ty)
603 | 
604 | 
605 | def _expand_template_args(func):
606 |     if func.name.kind == 'qual_name':
607 |         name_suffix = func.name.value[-1]
608 |         if name_suffix.kind == 'tpl_args':
609 |             tpl_args = name_suffix.value
610 |             def mapper(node):
611 |                 if node.kind == 'tpl_param' and node.value < len(tpl_args):
612 |                     return tpl_args[node.value]
613 |                 return node.map(mapper)
614 |             return mapper(func)
615 |     return func
616 | 
617 | def _parse_encoding(cursor):
618 |     name = _parse_name(cursor)
619 |     if name is None:
620 |         return None
621 |     if cursor.at_end():
622 |         return name
623 | 
624 |     if name.kind == 'qual_name' and name.value[-1].kind == 'tpl_args':
625 |         ret_ty = _parse_type(cursor)
626 |         if ret_ty is None:
627 |             return None
628 |     else:
629 |         ret_ty = None
630 | 
631 |     arg_tys = []
632 |     while not cursor.at_end():
633 |         arg_ty = _parse_type(cursor)
634 |         if arg_ty is None:
635 |             return None
636 |         arg_tys.append(arg_ty)
637 | 
638 |     if arg_tys:
639 |         func = FuncNode('func', name, tuple(arg_tys), ret_ty)
640 |         return _expand_template_args(func)
641 |     else:
642 |         return name
643 | 
644 | 
645 | _SPECIAL_RE = re.compile(r"""
646 | (?P<rtti>               T (?P<kind> [VTIS])) |
647 | (?P<nonvirtual_thunk>   Th (?P<nv_offset> n? \d+) _) |
648 | (?P<virtual_thunk>      Tv (?P<v_offset> n? \d+) _ (?P<vcall_offset> n? \d+) _) |
649 | (?P<covariant_thunk>    Tc)
650 | """, re.X)
651 | 
652 | def _parse_special(cursor):
653 |     match = cursor.match(_SPECIAL_RE)
654 |     if match is None:
655 |         return None
656 |     elif match.group('rtti') is not None:
657 |         name = _parse_type(cursor)
658 |         if name is None:
659 |             return None
660 |         if match.group('kind') == 'V':
661 |             return Node('vtable', name)
662 |         elif match.group('kind') == 'T' is not None:
663 |             return Node('vtt', name)
664 |         elif match.group('kind') == 'I' is not None:
665 |             return Node('typeinfo', name)
666 |         elif match.group('kind') == 'S' is not None:
667 |             return Node('typeinfo_name', name)
668 |     elif match.group('nonvirtual_thunk') is not None:
669 |         func = _parse_encoding(cursor)
670 |         if func is None:
671 |             return None
672 |         return Node('nonvirt_thunk', func)
673 |     elif match.group('virtual_thunk') is not None:
674 |         func = _parse_encoding(cursor)
675 |         if func is None:
676 |             return None
677 |         return Node('virt_thunk', func)
678 |     elif match.group('covariant_thunk') is not None:
679 |         raise NotImplementedError("covariant thunks are not supported")
680 | 
681 | 
682 | _MANGLED_NAME_RE = re.compile(r"""
683 | (?P<mangled_name>       _?_Z)
684 | """, re.X)
685 | 
686 | def _parse_mangled_name(cursor):
687 |     match = cursor.match(_MANGLED_NAME_RE)
688 |     if match is None:
689 |         return None
690 |     else:
691 |         special = _parse_special(cursor)
692 |         if special is not None:
693 |             return special
694 | 
695 |         return _parse_encoding(cursor)
696 | 
697 | 
698 | def _expand_arg_packs(ast):
699 |     def mapper(node):
700 |         if node.kind == 'tpl_args':
701 |             exp_args = []
702 |             for arg in node.value:
703 |                 if arg.kind in ['tpl_arg_pack', 'tpl_args']:
704 |                     exp_args += arg.value
705 |                 else:
706 |                     exp_args.append(arg)
707 |             return Node('tpl_args', tuple(map(mapper, exp_args)))
708 |         elif node.kind == 'func':
709 |             node = node.map(mapper)
710 |             exp_arg_tys = []
711 |             for arg_ty in node.arg_tys:
712 |                 if arg_ty.kind == 'expand_arg_pack' and \
713 |                         arg_ty.value.kind == 'rvalue' and \
714 |                             arg_ty.value.value.kind in ['tpl_arg_pack', 'tpl_args']:
715 |                     exp_arg_tys += arg_ty.value.value.value
716 |                 else:
717 |                     exp_arg_tys.append(arg_ty)
718 |             return node._replace(arg_tys=tuple(exp_arg_tys))
719 |         else:
720 |             return node.map(mapper)
721 |     return mapper(ast)
722 | 
723 | def parse(raw):
724 |     ast = _parse_mangled_name(_Cursor(raw))
725 |     if ast is not None:
726 |         ast = _expand_arg_packs(ast)
727 |     return ast
728 | 
729 | # ================================================================================================
730 | 
731 | import unittest
732 | 
733 | 
734 | class TestDemangler(unittest.TestCase):
735 |     def assertParses(self, mangled, ast):
736 |         result = parse(mangled)
737 |         self.assertEqual(result, ast)
738 | 
739 |     def assertDemangles(self, mangled, demangled):
740 |         result = parse(mangled)
741 |         if result is not None:
742 |             result = str(result)
743 |         self.assertEqual(result, demangled)
744 | 
745 |     def test_name(self):
746 |         self.assertDemangles('_Z3foo', 'foo')
747 |         self.assertDemangles('_Z3x', None)
748 | 
749 |     def test_ctor_dtor(self):
750 |         self.assertDemangles('_ZN3fooC1E', 'foo::{ctor}')
751 |         self.assertDemangles('_ZN3fooC2E', 'foo::{base ctor}')
752 |         self.assertDemangles('_ZN3fooC3E', 'foo::{allocating ctor}')
753 |         self.assertDemangles('_ZN3fooD0E', 'foo::{deleting dtor}')
754 |         self.assertDemangles('_ZN3fooD1E', 'foo::{dtor}')
755 |         self.assertDemangles('_ZN3fooD2E', 'foo::{base dtor}')
756 | 
757 |     def test_operator(self):
758 |         for op in _operators:
759 |             if _operators[op] in ['new', 'new[]', 'delete', 'delete[]']:
760 |                 continue
761 |             self.assertDemangles('_Z' + op, 'operator' + _operators[op])
762 |         self.assertDemangles('_Znw', 'operator new')
763 |         self.assertDemangles('_Zna', 'operator new[]')
764 |         self.assertDemangles('_Zdl', 'operator delete')
765 |         self.assertDemangles('_Zda', 'operator delete[]')
766 |         self.assertDemangles('_Zcvi', 'operator int')
767 | 
768 |     def test_std_substs(self):
769 |         self.assertDemangles('_ZSt3foo', 'std::foo')
770 |         self.assertDemangles('_ZStN3fooE', 'std::foo')
771 |         self.assertDemangles('_ZSs', 'std::string')
772 |         self.assertParses('_ZSt', None)
773 |         self.assertDemangles('_Z3fooISt6vectorE', 'foo<std::vector>')
774 |         self.assertDemangles('_ZSaIhE', 'std::allocator<unsigned char>')
775 | 
776 |     def test_nested_name(self):
777 |         self.assertDemangles('_ZN3fooE', 'foo')
778 |         self.assertDemangles('_ZN3foo5bargeE', 'foo::barge')
779 |         self.assertDemangles('_ZN3fooIcE5bargeE', 'foo<char>::barge')
780 |         self.assertDemangles('_ZNK3fooE', 'foo const')
781 |         self.assertDemangles('_ZNV3fooE', 'foo volatile')
782 |         self.assertDemangles('_ZNKR3fooE', 'foo const&')
783 |         self.assertDemangles('_ZNKO3fooE', 'foo const&&')
784 |         self.assertParses('_ZNKO3foo', None)
785 | 
786 |     def test_template_args(self):
787 |         self.assertDemangles('_Z3fooIcE', 'foo<char>')
788 |         self.assertDemangles('_ZN3fooIcEE', 'foo<char>')
789 |         self.assertParses('_Z3fooI', None)
790 | 
791 |     def test_builtin_types(self):
792 |         for ty in _builtin_types:
793 |             self.assertDemangles('_Z1fI' + ty + 'E', 'f<' + _builtin_types[ty] + '>')
794 | 
795 |     def test_qualified_type(self):
796 |         self.assertDemangles('_Z1fIriE', 'f<int restrict>')
797 |         self.assertDemangles('_Z1fIKiE', 'f<int const>')
798 |         self.assertDemangles('_Z1fIViE', 'f<int volatile>')
799 |         self.assertDemangles('_Z1fIVVViE', 'f<int volatile>')
800 | 
801 |     def test_function_type(self):
802 |         self.assertDemangles('_Z1fv', 'f()')
803 |         self.assertDemangles('_Z1fi', 'f(int)')
804 |         self.assertDemangles('_Z1fic', 'f(int, char)')
805 |         self.assertDemangles('_ZN1fEic', 'f(int, char)')
806 |         self.assertDemangles('_ZN1fIEEic', 'int f<>(char)')
807 |         self.assertDemangles('_ZN1fIEC1Eic', 'f<>::{ctor}(int, char)')
808 | 
809 |     def test_indirect_type(self):
810 |         self.assertDemangles('_Z1fIPiE', 'f<int*>')
811 |         self.assertDemangles('_Z1fIRiE', 'f<int&>')
812 |         self.assertDemangles('_Z1fIOiE', 'f<int&&>')
813 |         self.assertDemangles('_Z1fIKRiE', 'f<int& const>')
814 |         self.assertDemangles('_Z1fIRKiE', 'f<int const&>')
815 | 
816 |     def test_literal(self):
817 |         self.assertDemangles('_Z1fILi1EE', 'f<(int)1>')
818 |         self.assertDemangles('_Z1fIL_Z1gEE', 'f<g>')
819 | 
820 |     def test_argpack(self):
821 |         self.assertDemangles('_Z1fILb0EJciEE', 'f<(bool)0, char, int>')
822 |         self.assertDemangles('_Z1fILb0EIciEE', 'f<(bool)0, char, int>')
823 |         self.assertDemangles('_Z1fIJciEEvDpOT_', 'void f<char, int>(char, int)')
824 |         self.assertDemangles('_Z1fIIciEEvDpOT_', 'void f<char, int>(char, int)')
825 | 
826 |     def test_special(self):
827 |         self.assertDemangles('_ZTV1f', 'vtable for f')
828 |         self.assertDemangles('_ZTT1f', 'vtt for f')
829 |         self.assertDemangles('_ZTI1f', 'typeinfo for f')
830 |         self.assertDemangles('_ZTS1f', 'typeinfo name for f')
831 |         self.assertDemangles('_ZThn16_1fv', 'non-virtual thunk for f()')
832 |         self.assertDemangles('_ZTv16_8_1fv', 'virtual thunk for f()')
833 | 
834 |     def test_template_param(self):
835 |         self.assertDemangles('_ZN1fIciEEvT_PT0_', 'void f<char, int>(char, int*)')
836 |         self.assertParses('_ZN1fIciEEvT_PT0', None)
837 | 
838 |     def test_substitution(self):
839 |         self.assertDemangles('_Z3fooIEvS_', 'void foo<>(foo)')
840 |         self.assertDemangles('_ZN3foo3barIES_E', 'foo::bar<>::foo')
841 |         self.assertDemangles('_ZN3foo3barIES0_E', 'foo::bar<>::foo::bar')
842 |         self.assertDemangles('_ZN3foo3barIES1_E', 'foo::bar<>::foo::bar<>')
843 |         self.assertParses('_ZN3foo3barIES_ES2_', None)
844 |         self.assertDemangles('_Z3fooIS_E', 'foo<foo>')
845 |         self.assertDemangles('_ZSt3fooIS_E', 'std::foo<std::foo>')
846 |         self.assertDemangles('_Z3fooIPiEvS0_', 'void foo<int*>(int*)')
847 |         self.assertDemangles('_Z3fooISaIcEEvS0_',
848 |                              'void foo<std::allocator<char>>(std::allocator<char>)')
849 |         self.assertDemangles('_Z3fooI3barS0_E', 'foo<bar, bar>')
850 |         self.assertDemangles('_ZN2n11fEPNS_1bEPNS_2n21cEPNS2_2n31dE',
851 |                              'n1::f(n1::b*, n1::n2::c*, n1::n2::n3::d*)')
852 |         self.assertDemangles('_ZN1f1gES_IFvvEE', 'f::g(f<void ()>)')
853 | 
854 |     def test_abi_tag(self):
855 |         self.assertDemangles('_Z3fooB5cxx11v', 'foo[abi:cxx11]()')
856 | 
857 |     def test_const(self):
858 |         self.assertDemangles('_ZL3foo', 'foo')
859 | 
860 | 
861 | if __name__ == '__main__':
862 |     import sys
863 |     if len(sys.argv) == 1:
864 |         while True:
865 |             name = sys.stdin.readline()
866 |             if not name:
867 |                 break
868 |             print(parse(name.strip()))
869 |     else:
870 |         for name in sys.argv[1:]:
871 |             ast = parse(name)
872 |             print(repr(ast))
873 |             print(ast)


--------------------------------------------------------------------------------
/ipcserver/README.md:
--------------------------------------------------------------------------------
 1 | # ipcserver
 2 | 
 3 | I always use these scripts when reversing IPC service implementations. They automatically find the implementation of each IPC command.
 4 | 
 5 | There are two scripts, `ipcserver_classic.py` and `ipcserver_modern.py`.
 6 | 
 7 | 
 8 | ## ipcserver_classic.py
 9 | 
10 | This works on system software versions 1.0 to 3.0.2 and generates an IDAPython script to name the functions. It's pretty slow, but the results are excellent.
11 | 
12 | If your reversing problem can be solved by looking at a 3.0 binary instead of the latest, I recommend starting there.
13 | 
14 | ```
15 | % time python ipcserver_classic.py 3.0.2-0.0/fs > 3.0.2-0.0/fs-server.py
16 | python ipcserver_classic.py 3.0.2-0.0/fs > 3.0.2-0.0/fs-server.py  50.93s user 0.45s system 99% cpu 51.728 total
17 | % tail 3.0.2-0.0/fs-server.py 
18 | MakeName(0x7100032474,'CmifProcessFunctionTableGetterImpl__nn::fssrv::sf::IFileSystemProxyForLoader__::Process_Cmd1')
19 | MakeName(0x7100032830,'CmifProcessFunctionTableGetterImpl__nn::fssrv::sf::IProgramRegistry__::Process_Cmd0')
20 | MakeName(0x71000329F0,'CmifProcessFunctionTableGetterImpl__nn::fssrv::sf::IProgramRegistry__::Process_Cmd256')
21 | MakeName(0x7100035F30,'nn::fssrv::sf::IFile_IpcObj_nn::fssrv::detail::FileInterfaceAdapter::Cmd0')
22 | MakeName(0x7100036040,'nn::fssrv::sf::IFile_IpcObj_nn::fssrv::detail::FileInterfaceAdapter::Cmd1')
23 | MakeName(0x71000360D4,'nn::fssrv::sf::IFile_IpcObj_nn::fssrv::detail::FileInterfaceAdapter::Cmd2')
24 | MakeName(0x71000360F8,'nn::fssrv::sf::IFile_IpcObj_nn::fssrv::detail::FileInterfaceAdapter::Cmd3')
25 | MakeName(0x710003612C,'nn::fssrv::sf::IFile_IpcObj_nn::fssrv::detail::FileInterfaceAdapter::Cmd4')
26 | MakeName(0x7100036260,'nn::fssrv::sf::IDirectory_IpcObj_nn::fssrv::detail::DirectoryInterfaceAdapter::Cmd0')
27 | MakeName(0x7100036338,'nn::fssrv::sf::IDirectory_IpcObj_nn::fssrv::detail::DirectoryInterfaceAdapter::Cmd1')
28 | ```
29 | 
30 | Load the script into IDA via "File -> Script File" and reverse any IPC command quickly and easily.
31 | 
32 | 
33 | ## ipcserver_modern.py
34 | 
35 | On 4.0 and later the symbols used by `ipcserver_classic.py` are missing. I worked around this in `swipc-gen` to dump the type information, but it still couldn't find the implementations. SciresM then developed a heuristic to find the implementations (matching the implementation by vtable length, with a bit of extra magic), which is implemented in `ipcserver_modern.py`:
36 | 
37 | ```
38 | % python ipcserver_modern.py /Users/dougallj/Projects/switch-research/system-software/sysmodules/7.0.0-5.0/fs 
39 | 'fs': {
40 |   '0x71000B98F0': { # single hash match 'nn::fssrv::sf::IFileSystemProxy'
41 |       1:     {"vt":  0x20, "func": 0x7100082230, "lr": 0x71000BA458, "inbytes":     8, "outbytes":     0, "pid": True},
42 |       2:     {"vt":  0x28, "func": 0x7100082250, "lr": 0x71000BA5F0, "inbytes":     0, "outbytes":     0, "outinterfaces": ['0x71000C5340']},
43 |       7:     {"vt":  0x30, "func": 0x7100082280, "lr": 0x71000BA7C4, "inbytes":  0x10, "outbytes":     0, "outinterfaces": ['0x71000C5340']},
44 |       8:     {"vt":  0x38, "func": 0x71000822B0, "lr": 0x71000BA9DC, "inbytes":  0x10, "outbytes":     0, "buffers": [25], "outinterfaces": ['0x71000C5340']},
45 |       9:     {"vt":  0x40, "func": 0x71000822E0, "lr": 0x71000BAC24, "inbytes":     8, "outbytes":     0, "outinterfaces": ['0x71000C5340']},
46 |       11:    {"vt":  0x48, "func": 0x7100082310, "lr": 0x71000BAE3C, "inbytes":     4, "outbytes":     0, "buffers": [25], "outinterfaces": ['0x71000C5340']},
47 |       12:    {"vt":  0x50, "func": 0x7100082340, "lr": 0x71000BB074, "inbytes":     4, "outbytes":     0, "outinterfaces": ['0x71000C8240']},
48 | ...
49 |   '0x71000C71F0': { # , vtable size 6, possible vtables [0x7100230B90 6, 0x71002300C0 6, 0x7100244D78 6]
50 |       0:     {"vt":  0x20, "lr": 0x71000C7438, "inbytes":  0x18, "outbytes":     8, "buffers": [70]},
51 |       1:     {"vt":  0x28, "lr": 0x71000C7644, "inbytes":  0x18, "outbytes":     0, "buffers": [69]},
52 |       2:     {"vt":  0x30, "lr": 0x71000C77F8, "inbytes":     0, "outbytes":     0},
53 |       3:     {"vt":  0x38, "lr": 0x71000C794C, "inbytes":     8, "outbytes":     0},
54 |       4:     {"vt":  0x40, "lr": 0x71000C7ABC, "inbytes":     0, "outbytes":     8},
55 |       5:     {"vt":  0x48, "lr": 0x71000C7C40, "inbytes":  0x18, "outbytes":  0x40},
56 |   },
57 | ```
58 | 
59 | This doesn't always work, and doesn't generate a script, but when it works, the "func" field tells you where the to find the implementation of each command.
60 | 
61 | 
62 | ## Notes
63 | 
64 | These are forked/duplicated from the `swipc-gen` code. There's tons of room for improvement, and I think there are bugfixes in `swipc-gen` that should be ported over. But these are the scripts as I've been using them, and they're good enough to save a ton of time.
65 | 


--------------------------------------------------------------------------------
/ipcserver/demangling.py:
--------------------------------------------------------------------------------
  1 | import subprocess
  2 | import itanium_demangler
  3 | import sys
  4 | 
  5 | CHECK_CXX_FILT = False
  6 | 
  7 | def itanium_demangle_filter(s):
  8 | 	if s.startswith('N'):
  9 | 		s = 'Z' + s
 10 | 	if not s.startswith('_'):
 11 | 		s = '_' + s
 12 | 	return s
 13 | 
 14 | def itanium_demangle(s):
 15 | 	python_result = itanium_demangler.parse(itanium_demangle_filter(s))
 16 | 	if python_result is not None:
 17 | 		python_result = str(python_result)
 18 | 	return python_result
 19 | 
 20 | demangle_cache = {}
 21 | def get_demangled(s):
 22 | 	if s not in demangle_cache:
 23 | 		#python_result = itanium_demangle(s)
 24 | 		#if python_result is None:
 25 | 		#	#print 'demangler failed:', repr(s)
 26 | 		#	python_result = s
 27 | 		demangle_cache[s] = subprocess.check_output(['c++filt', '-n', s]).strip()
 28 | 		#if CHECK_CXX_FILT:
 29 | 		#	value = subprocess.check_output(['c++filt', '-n', s]).strip()
 30 | 		#	if python_result != value:
 31 | 		#		sys.stderr.write('\n')
 32 | 		#		sys.stderr.write('mangled: %r\n' % s)
 33 | 		#		sys.stderr.write('python:  %r\n' % python_result)
 34 | 		#		sys.stderr.write('c++filt: %r\n' % value)
 35 | 	return demangle_cache[s]
 36 | 
 37 | class Demangler(object):
 38 | 	def __init__(self, name):
 39 | 		print name
 40 | 		self.pos = 0
 41 | 		self.name = name
 42 | 
 43 | 	def peek(self):
 44 | 		return self.name[self.pos]
 45 | 	
 46 | 	def getchar(self):
 47 | 		self.pos += 1
 48 | 		return self.name[self.pos-1]
 49 | 
 50 | 	def getchars(self, n):
 51 | 		return ''.join(self.getchar() for i in xrange(n))
 52 | 
 53 | 	def read_string_length(self):
 54 | 		assert self.peek().isdigit()
 55 | 		l = ''
 56 | 		while self.peek().isdigit():
 57 | 			l += self.getchar()
 58 | 		return int(l)
 59 | 
 60 | 	def read_string(self):
 61 | 		l = self.read_string_length()
 62 | 		return self.getchars(l)
 63 | 
 64 | 	def read_template(self):
 65 | 		assert self.getchar() == 'I'
 66 | 		parts = []
 67 | 		while self.peek() != 'E':
 68 | 			print 'read_template:', self.name[self.pos:]
 69 | 			parts.append(self.parse())
 70 | 			print 'read_template:', parts
 71 | 		assert self.getchar() == 'E'
 72 | 		return '<%s>' % ', '.join(parts)
 73 | 
 74 | 	def read_name(self):
 75 | 		assert self.getchar() == 'N'
 76 | 		parts = []
 77 | 		while self.peek() != 'E':
 78 | 			parts.append(self.parse())
 79 | 			print 'read_name:', parts
 80 | 		assert self.getchar() == 'E'
 81 | 		return '::'.join(parts)
 82 | 
 83 | 	def parse_backref(self):
 84 | 		assert self.getchar() == 'S'
 85 | 		backref = ''
 86 | 		while self.peek() != '_':
 87 | 			if not self.peek().isdigit():
 88 | 				print 'TODO in parse_back_ref: %r (%r)' % (self.peek(), self.name[self.pos:])
 89 | 				return ''
 90 | 			backref += self.getchar()
 91 | 		assert self.getchar() == '_'
 92 | 		result = 'BACKREF_%s_TODO' % backref
 93 | 		print 'parse_backref:', result
 94 | 		return result
 95 | 
 96 | 	def parse_literal(self):
 97 | 		assert self.getchar() == 'L'
 98 | 		kind = self.parse()
 99 | 		#print 'TODO in parse_back_ref: %r (%r)' % (self.peek(), self.name[self.pos:])
100 | 		value = self.read_string_length()
101 | 		assert self.getchar() == 'E'
102 | 		return '(%s)%d' % (kind, value)
103 | 
104 | 
105 | 
106 | 	def parse(self):
107 | 		c = self.peek()
108 | 		if c == 'N':
109 | 			return self.read_name()
110 | 		elif c == 'I':
111 | 			return self.read_template()
112 | 		elif c == 'S':
113 | 			return self.parse_backref()
114 | 		elif c == 'L':
115 | 			return self.parse_literal()
116 | 		elif c.isdigit():
117 | 			return self.read_string()
118 | 		else:
119 | 			print 'TODO in parse: %r (%r)' % (self.peek(), self.name[self.pos:])
120 | 			return self.getchar()
121 | 
122 | 
123 | def main():
124 | 	tests = [
125 | 		('N2nn2sf4cmif6server22CmifDomainServerObject23CmifDomainServerMessageE',
126 | 		 'nn::sf::cmif::server::CmifDomainServerObject::CmifDomainServerMessage'),
127 | 		('N2nn2sf4cmif6client6detail13CmifProxyImplINS_8settings22IFactorySettingsServerENS0_4hipc6client18Hipc2ProxyKindBaseILNS7_6detail11MessageTypeE4EEENS0_25StatelessAllocationPolicyINS0_22ExpHeapStaticAllocatorILm16384ES6_EEEES6_EE',
128 | 		 'nn::sf::cmif::client::detail::CmifProxyImpl<nn::settings::IFactorySettingsServer, nn::sf::hipc::client::Hipc2ProxyKindBase<(nn::sf::hipc::detail::MessageType)4>, nn::sf::StatelessAllocationPolicy<nn::sf::ExpHeapStaticAllocator<16384ul, nn::settings::IFactorySettingsServer> >, nn::settings::IFactorySettingsServer>'),
129 | 		('N2nn2sf4hipc6client12_GLOBAL__N_119HipcManagerAccessorE',
130 | 		 'nn::sf::hipc::client::(anonymous namespace)::HipcManagerAccessor'),
131 | 		('_ZTVN2nn5fssrv35MemoryResourceFromStandardAllocatorE',
132 | 		 'vtable for nn::fssrv::MemoryResourceFromStandardAllocator'),
133 | 		('_ZN2nn7nlibsdk4heap12TlsHeapCache17ReallocFunc_Mode0INSt3__117integral_constantIbLb1EEEEEiPS2_PvmPS8_',
134 | 		 'int nn::nlibsdk::heap::TlsHeapCache::ReallocFunc_Mode0<std::__1::integral_constant<bool, true> >(nn::nlibsdk::heap::TlsHeapCache*, void*, unsigned long, void**)'),
135 | 		('_ZN2nn2gc6detail11AsicHandlerD2Ev',
136 | 		 'nn::gc::detail::AsicHandler::~AsicHandler()'),
137 | 		('_ZN3nne7prfile224PFCODE_CP932_Unicode2OEMEPKtPa',
138 | 		 'nne::prfile2::PFCODE_CP932_Unicode2OEM(unsigned short const*, signed char*)'),
139 | 	]
140 | 
141 | 	d = Demangler('N2nn2sf4cmif6server22CmifDomainServerObject23CmifDomainServerMessageE')
142 | 	print d.read_name()
143 | 
144 | 	d = Demangler('N2nn2sf4hipc6client12_GLOBAL__N_119HipcManagerAccessorE')
145 | 	print d.read_name()
146 | 
147 | 	d = Demangler('N2nn2sf4cmif6client6detail13CmifProxyImplINS_8settings22IFactorySettingsServerENS0_4hipc6client18Hipc2ProxyKindBaseILNS7_6detail11MessageTypeE4EEENS0_25StatelessAllocationPolicyINS0_22ExpHeapStaticAllocatorILm16384ES6_EEEES6_EE')
148 | 	print d.read_name()
149 | 
150 | if __name__ == '__main__':
151 | 	main()
152 | 


--------------------------------------------------------------------------------
/ipcserver/ipcserver_classic.py:
--------------------------------------------------------------------------------
  1 | import gzip, math, os, re, struct, sys
  2 | from unicorn import *
  3 | from unicorn.arm64_const import *
  4 | from capstone import *
  5 | 
  6 | from io import BytesIO
  7 | from cStringIO import StringIO
  8 | 
  9 | import nxo64
 10 | from demangling import get_demangled
 11 | 
 12 | '''
 13 | TODO: try to turn into mangled symbols:
 14 | 
 15 | ; nn::sf::cmif::server::detail::CmifProcessFunctionTableGetterImplBase<nn::mmnv::IRequest>::ProcessServerMessage(nn::sf::IServiceObject *, nn::sf::cmif::server::CmifServerMessage *, nn::sf::detail::PointerAndSize const&)
 16 | _ZN2nn2sf4cmif6server6detail38CmifProcessFunctionTableGetterImplBaseINS_4mmnv8IRequestEE20ProcessServerMessageEPNS0_14IServiceObjectEPNS2_17CmifServerMessageERKNS0_6detail14PointerAndSizeE
 17 | 
 18 | 
 19 | ; nn::sf::cmif::server::detail::CmifProcessFunctionTableGetterImpl<nn::mmnv::IRequest>::DispatchServerMessage(nn::sf::cmif::CmifOutHeader **, nn::mmnv::IRequest*, nn::sf::cmif::server::CmifServerMessage *, unsigned int, nn::sf::detail::PointerAndSize &&)
 20 | _ZN2nn2sf4cmif6server6detail34CmifProcessFunctionTableGetterImplINS_4mmnv8IRequestEE21DispatchServerMessageEPPNS1_13CmifOutHeaderEPS6_PNS2_17CmifServerMessageEjONS0_6detail14PointerAndSizeE
 21 | 
 22 | 
 23 | ; nn::sf::cmif::server::detail::CmifProcessFunctionTableGetterImpl<nn::mmnv::IRequest>::Process_Initialize(nn::sf::cmif::CmifOutHeader **, nn::mmnv::IRequest*, nn::sf::cmif::server::CmifServerMessage *, nn::sf::detail::PointerAndSize &&)
 24 | _ZN2nn2sf4cmif6server6detail34CmifProcessFunctionTableGetterImplINS_4mmnv8IRequestEE18Process_InitializeEPPNS1_13CmifOutHeaderEPS6_PNS2_17CmifServerMessageEONS0_6detail14PointerAndSizeE
 25 | '''
 26 | 
 27 | ALL_COMMAND_IDS = set([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 4201, 106, 107, 108, 4205, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 20501, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 2413, 8216, 150, 151, 2201, 2202, 2203, 2204, 2205, 2207, 10400, 2209, 8219, 8220, 8221, 30900, 30901, 30902, 8223, 90300, 190, 8224, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 220, 20701, 222, 223, 230, 231, 250, 251, 252, 2301, 2302, 255, 256, 10500, 261, 2312, 280, 290, 291, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 2101, 20800, 20801, 322, 323, 2102, 8250, 350, 2400, 2401, 2402, 2403, 2404, 2405, 10600, 10601, 2411, 2412, 2450, 2414, 8253, 10610, 2451, 2421, 2422, 2424, 8255, 2431, 8254, 2433, 2434, 406, 8257, 400, 401, 402, 403, 404, 405, 10300, 407, 408, 409, 410, 411, 2460, 20900, 8252, 412, 2501, 10700, 10701, 10702, 8200, 1106, 1107, 500, 501, 502, 503, 504, 505, 506, 507, 508, 510, 511, 512, 513, 520, 521, 90200, 8201, 90201, 540, 30810, 542, 543, 544, 545, 546, 30811, 30812, 8202, 8203, 8291, 600, 601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613, 614, 8295, 620, 8204, 8296, 630, 105, 640, 4203, 8225, 2050, 109, 30830, 2052, 8256, 700, 701, 702, 703, 704, 705, 706, 707, 708, 709, 8207, 20600, 8208, 49900, 751, 11000, 127, 8209, 800, 801, 802, 803, 804, 805, 806, 821, 822, 823, 824, 8211, 850, 851, 852, 7000, 2055, 900, 901, 902, 903, 904, 905, 906, 907, 908, 909, 3000, 3001, 3002, 160, 8012, 8217, 8013, 320, 997, 998, 999, 1000, 1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1020, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1061, 1062, 1063, 21000, 1100, 1101, 1102, 2053, 5202, 5203, 8218, 3200, 3201, 3202, 3203, 3204, 3205, 3206, 3207, 3208, 3209, 3210, 3211, 3214, 3215, 3216, 3217, 40100, 40101, 541, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207, 1208, 8292, 547, 20500, 8293, 2054, 2601, 8294, 40200, 40201, 1300, 1301, 1302, 1303, 1304, 8227, 20700, 221, 8228, 8297, 8229, 4206, 1400, 1401, 1402, 1403, 1404, 1405, 1406, 1411, 1421, 1422, 1423, 1424, 30100, 30101, 30102, 1431, 1432, 30110, 30120, 30121, 1451, 1452, 1453, 1454, 1455, 1456, 1457, 1458, 1471, 1472, 1473, 1474, 1500, 1501, 1502, 1503, 1504, 1505, 2300, 30200, 30201, 30202, 30203, 30204, 30205, 30210, 30211, 30212, 30213, 30214, 30215, 30216, 30217, 260, 1600, 1601, 1602, 1603, 60001, 60002, 30300, 2051, 20100, 20101, 20102, 20103, 20104, 20110, 1700, 1701, 1702, 1703, 8222, 30400, 30401, 30402, 631, 20200, 20201, 1800, 1801, 1802, 1803, 2008, 10011, 30500, 7992, 7993, 7994, 7995, 7996, 7997, 7998, 7999, 8000, 8001, 8002, 8011, 20300, 20301, 8021, 1900, 1901, 1902, 6000, 6001, 6002, 10100, 10101, 10102, 10110, 30820, 321, 1941, 1951, 1952, 1953, 8100, 20400, 20401, 8210, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 10200, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 10211, 2020, 2021, 30700, 2030, 2031, 8251, 90100, 90101, 90102])
 28 | 
 29 | #ALL_COMMAND_IDS = set(range(30))
 30 | 
 31 | def load_nxo_to_capstone(mu, fn, loadbase):
 32 | 	with open(fn, 'rb') as fileobj:
 33 | 		f = nxo64.load_nxo(fileobj)
 34 | 
 35 | 	stables = []
 36 | 	for sym in f.symbols:
 37 | 		if 's_Table' in sym.name:
 38 | 			stables.append((sym.name, loadbase + sym.value))
 39 | 		if sym.shndx:
 40 | 			sym.resolved = loadbase + sym.value
 41 | 		else:
 42 | 			sym.resolved = 0
 43 | 
 44 | 	resultw = StringIO()
 45 | 	f.binfile.seek(0)
 46 | 	resultw.write(f.binfile.read_to_end())
 47 | 
 48 | 	def write_qword(ea, val):
 49 | 		resultw.seek(ea - loadbase)
 50 | 		resultw.write(struct.pack('<Q', val))
 51 | 
 52 | 	for offset, r_type, sym, addend in f.relocations:
 53 | 		ea = loadbase + offset
 54 | 
 55 | 		if r_type == nxo64.R_AARCH64_RELATIVE:
 56 | 			assert sym is None, 'R_AARCH64_RELATIVE with sym?'
 57 | 			newval = (loadbase + addend)
 58 | 			write_qword(ea, newval)
 59 | 		elif r_type == nxo64.R_AARCH64_JUMP_SLOT or r_type == nxo64.R_AARCH64_GLOB_DAT:
 60 | 			assert sym is not None
 61 | 			assert addend == 0
 62 | 			newval = sym.resolved
 63 | 			write_qword(ea, newval)
 64 | 		elif r_type == nxo64.R_AARCH64_ABS64:
 65 | 			assert sym is not None
 66 | 			newval = sym.resolved
 67 | 			if addend != 0:
 68 | 				#assert sym.shndx # huge mess if we do this on an extern
 69 | 				newval += addend
 70 | 			write_qword(ea, newval)
 71 | 		else:
 72 | 			print prefix, 'TODO: r_type=0x%x sym=%r ea=%X addend=%X' % (r_type, sym, ea, addend)
 73 | 			continue
 74 | 
 75 | 	binary = resultw.getvalue()
 76 | 	mu.mem_map(loadbase, (len(binary) + 0xFFF) & ~0xFFF) 
 77 | 	mu.mem_write(loadbase, binary)
 78 | 	return stables, f.symbols, f.textsize
 79 | 
 80 | 	
 81 | import glob
 82 | 
 83 | ADDRESS = 0x7100000000
 84 | 
 85 | STACK = 0x1000000
 86 | STACK_SIZE = 1024*1024
 87 | 
 88 | MEM = STACK + STACK_SIZE + 0x1000
 89 | MEM_SIZE = 1024*1024
 90 | 
 91 | md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
 92 | 
 93 | def demangle(s):
 94 | 	value = get_demangled(s)
 95 | 	pre = 'nn::sf::cmif::server::detail::CmifProcessFunctionTableGetter<'
 96 | 	post = ', void>::s_Table'
 97 | 	if value.startswith(pre) and value.endswith(post):
 98 | 		value = value[len(pre):-len(post)]
 99 | 	return value
100 | 
101 | from struct import unpack as up
102 | def parse_npdm(npdm):
103 |     aci0_off, aci0_size, acid_off, acid_size = up('<IIII', npdm[0x70:0x80])
104 |     aci0, acid = npdm[aci0_off:aci0_off+aci0_size], npdm[acid_off:acid_off+acid_size]
105 |     title_name = npdm[0x20:npdm.index('\x00', 0x20)]
106 |     title_id = up('<Q', aci0[0x10:0x18])[0]
107 |     fs_off, fs_sz, srv_off, srv_sz, k_off, k_sz = up('<IIIIII', acid[0x220:0x238])
108 |     return title_name
109 | 
110 | for i in sys.argv[1:]:
111 | 	print '###', i.replace('/Volumes/BOOTCAMP/switch-titles/', '').replace('../switch-builtins/', '')
112 | 	name = i
113 | 	if os.path.exists(i+'.npdm'):
114 | 		with open(i+'.npdm', 'rb') as f:
115 | 			name = parse_npdm(f.read())
116 | 	elif i.endswith('.kip'):
117 | 		with open(i, 'rb') as f:
118 | 			f.seek(4)
119 | 			name = f.read(12)
120 | 			name = name[:name.index('\0')]
121 | 	else:
122 | 		name = name.split('/')[-1].split('_')[0].split('-')[0].split('.')[0].lower()
123 | 	#title_id = i.split('/')[-3]
124 | 
125 | 	print '#%r: {' % (name,)
126 | 
127 | 	fname = i
128 | 	mu = Uc(UC_ARCH_ARM64, UC_MODE_ARM)
129 | 
130 | 
131 | 	stables, symbols, text_size = load_nxo_to_capstone(mu, i, ADDRESS)
132 | 	#for i in stables:
133 | 	#	print ' s_table for', demangle(i[0]), hex(i[1]), '->', hex(struct.unpack('<Q', mu.mem_read(i[1], 8))[0])
134 | 
135 | 
136 | 	mu.mem_map(STACK, STACK_SIZE)
137 | 	mu.mem_map(MEM, MEM_SIZE)
138 | 
139 | 	# enable FP
140 | 	addr = 0x1000
141 | 	mu.reg_write(UC_ARM64_REG_X0, 3 << 20)
142 | 	mu.mem_map(addr, 0x1000)
143 | 	fpstartinstrs = '\x41\x10\x38\xd5\x00\x00\x01\xaa\x40\x10\x18\xd5\x40\x10\x38\xd5\xc0\x03\x5f\xd6'
144 | 	mu.mem_write(addr, fpstartinstrs)
145 | 	mu.emu_start(addr, addr+len(fpstartinstrs)-4)
146 | 	mu.mem_unmap(addr, 0x1000)
147 | 
148 | 	malloc_ptr = MEM
149 | 	def malloc(sz):
150 | 		global malloc_ptr
151 | 		o = malloc_ptr
152 | 		malloc_ptr += (sz + 15) & ~15
153 | 		return o
154 | 	MAGIC = 0x49434653
155 | 
156 | 	def copy_in(buf):
157 | 		pointer = malloc(len(buf))
158 | 		mu.mem_write(pointer, buf)
159 | 		return pointer
160 | 
161 | 	def dump_regs():
162 | 		values = []
163 | 		for i in range(28):
164 | 			values.append(('X%d' % i, mu.reg_read(UC_ARM64_REG_X0+i)))
165 | 		values.append(('X29', mu.reg_read(UC_ARM64_REG_X29)))
166 | 		values.append(('X30', mu.reg_read(UC_ARM64_REG_X30)))
167 | 		values.append(('SP', mu.reg_read(UC_ARM64_REG_SP)))
168 | 		values.append(('PC', mu.reg_read(UC_ARM64_REG_PC)))
169 | 		print ', '.join('%s=%X' % i for i in values)
170 | 
171 | 	message_data = struct.pack('<QQ', MAGIC, 1600) + ''.join(struct.pack('<Q', 0) for i in range(512))
172 | 	message = copy_in(message_data)
173 | 
174 | 
175 | 	message_struct_data = struct.pack('<QQ', message, len(message_data))
176 | 	message_struct = copy_in(message_struct_data)
177 | 
178 | 	RET0 = 0x25F44002A8 
179 | 	ipc_vtable = copy_in(''.join(struct.pack('<Q', 0x800000000+i*8) for i in range(512)))
180 | 	ipc_object = copy_in(struct.pack('<QQ', ipc_vtable, 0))
181 | 
182 | 	target_vtable = copy_in(''.join(struct.pack('<Q', 0x900000000+i*8) for i in range(512)))
183 | 	target_object = copy_in(struct.pack('<QQ', target_vtable, 0))
184 | 
185 | 	bufbuf = malloc(0x1000)
186 | 
187 | 	outbuf = malloc(0x1000)
188 | 	from collections import defaultdict
189 | 	names = defaultdict(set)
190 | 
191 | 	def hook_code(uc, address, size, user_data):
192 | 		global message_buffer
193 | 		global actual_result_thing
194 | 		i = md.disasm(str(mu.mem_read(address, 4)), address).next()
195 | 		if i.mnemonic == 'cmp' and i.op_str.endswith(', x9') and len(actual_result_thing['ininterfaces']) == 1 and actual_result_thing['ininterfaces'][0] is None:
196 | 			assert i.op_str == 'x8, x9'
197 | 			x9 = mu.reg_read(UC_ARM64_REG_X9)
198 | 			mu.reg_write(UC_ARM64_REG_X8, x9)
199 | 			mu.reg_write(UC_ARM64_REG_NZCV, 0b0100)
200 | 			actual_result_thing['ininterfaces'][0] = demangle([a for a,b in stables if b == x9][0])
201 | 			#print '# 0x%X: %s' % (address, i.mnemonic + ' ' + i.op_str), hex(x9), )
202 | 		if i.mnemonic == 'bl':
203 | 			if mu.reg_read(UC_ARM64_REG_X3) != current_cmd and mu.reg_read(UC_ARM64_REG_X1) == target_object and mu.reg_read(UC_ARM64_REG_X2) == ipc_object:
204 | 				if 0:
205 | 					lines.append("  %X: %s %s (%X, %X, %X, %X)" % (address, i.mnemonic, i.op_str, 
206 | 						mu.reg_read(UC_ARM64_REG_X0),
207 | 						mu.reg_read(UC_ARM64_REG_X1),
208 | 						mu.reg_read(UC_ARM64_REG_X2),
209 | 						mu.reg_read(UC_ARM64_REG_X3),
210 | 						))
211 | 				message_buffer = mu.reg_read(UC_ARM64_REG_X3)
212 | #				print hex(int(i.op_str[1:],16)), '%s::Process_Cmd%d' % (demangled_interface_name, current_cmd)
213 | 				pfuncname = 'CmifProcessFunctionTableGetterImpl__%s__::Process_%s' % (str(demangled_interface_name), str(cmd_name))
214 | 				names[int(i.op_str[1:],16)].add(pfuncname)
215 | 		#print(">>> Tracing instruction at 0x%x: %s %s" % (address, i.mnemonic, i.op_str))
216 | 
217 | 	buffercount = None
218 | 	def PrepareForProcess():
219 | 		existing.append(current_cmd)
220 | 		global buffercount
221 | 		global actual_result_thing
222 | 		arg = mu.reg_read(UC_ARM64_REG_X1)
223 | 		desc = [dword(arg+i) for i in range(0,0x90,4)]
224 | 		buffercount = desc[0x18/4]
225 | 		bytes_in = desc[8/4] - 0x10
226 | 		bytes_out = desc[0x10/4] - 0x10
227 | 		actual_result_thing = {
228 | 			'inbytes': bytes_in,
229 | 			'outbytes': bytes_out,
230 | 			'ininterfaces': [None]*desc[0x1c/4],
231 | 			'outinterfaces': [None]*desc[0x20/4],
232 | 			'inhandles': desc[0x4C/4:0x4C/4+desc[0x24/4]],
233 | 			'outhandles': desc[0x6C/4:0x6C/4+desc[0x28/4]],
234 | 			'buffers': desc[0x2c/4:0x2c/4+desc[0x18/4]],
235 | 			'pid': desc[0] == 1,
236 | 
237 | 			'lr': mu.reg_read(UC_ARM64_REG_LR),
238 | 		}
239 | 		#print desc
240 | 		assert desc[0] in (0,1)
241 | 		if True:
242 | 			for i in ['outinterfaces', 'inhandles', 'outhandles', 'buffers', 'pid', 'ininterfaces']:
243 | 				if not actual_result_thing[i]:
244 | 					del actual_result_thing[i]
245 | 		#if desc[0x20/4] != 0:
246 | 		#	print repr()
247 | 		#if True: # desc[0]:
248 | 			#print repr((INTERFACE_NAME, current_cmd, desc)) + ','
249 | 			#print 'PrepareForProcess:', repr((demangle(INTERFACE_NAME), current_cmd, desc)) + ','
250 | 
251 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
252 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
253 | 		return True #desc[0x20/4] != 0
254 | 			
255 | 		#return False
256 | 
257 | 	def OverwriteClientProcessId():
258 | 		o = mu.reg_read(UC_ARM64_REG_X1)
259 | 		mu.mem_write(o, struct.pack('<Q', 0))
260 | 		#print' OverwriteClientProcessId', hex(struct.unpack('<Q', mu.mem_read(mu.reg_read(UC_ARM64_REG_X1), 8))[0])
261 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
262 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
263 | 		return True
264 | 
265 | 	def GetBuffers():
266 | 		#print' GetBuffers'
267 | 		outptr = mu.reg_read(UC_ARM64_REG_X1)
268 | 		for i in xrange(outptr, outptr+buffercount*0x10, 0x10):
269 | 			# necessary for 'nn::nifm::detail::IGeneralService' cmd 26
270 | 			mu.mem_write(i, struct.pack('<QQ', bufbuf, 0x1000))
271 | 		mu.mem_write(bufbuf, struct.pack('<Q', 1))
272 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
273 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
274 | 		return True
275 | 
276 | 	def GetInNativeHandles():
277 | 		#print' GetInObjects'
278 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
279 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
280 | 		return True
281 | 
282 | 	def BeginPreparingForReply():
283 | 		#print' BeginPreparingForReply'
284 | 		o = mu.reg_read(UC_ARM64_REG_X1)
285 | 		mu.mem_write(o, struct.pack('<QQ', outbuf, 0x1000))
286 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
287 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
288 | 		return True
289 | 	
290 | 	def EndPreparingForReply():
291 | 		#print' EndPreparingForReply'
292 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
293 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
294 | 		return False
295 | 
296 | 	def SetBuffers():
297 | 		#print' SetBuffers'
298 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
299 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
300 | 		return True
301 | 
302 | 	def SetOutNativeHandles():
303 | 		#print' SetOutNativeHandles'
304 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
305 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
306 | 		return True
307 | 
308 | 	def SetOutObjects():
309 | 		value = struct.unpack('<Q', mu.mem_read(mu.reg_read(UC_ARM64_REG_X1)+8, 8))[0]
310 | 		actual_result_thing['outinterfaces'][0] = demangle([a for a,b in stables if b == value][0])
311 | #		print' SetOutObjects %d %s' % (current_cmd, demangle([a for a,b in stables if b == value][0]))
312 | 		##printvalue, 
313 | 		#exit(1)
314 | 		#, map(hex, ))
315 | 		#exit(1)		
316 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
317 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
318 | 		return False
319 | 
320 | 	def BeginPreparingForErrorReply():
321 | 		#actual_result_thing[-1].append(None)
322 | 		#print ' Error? %d (%X)' % (current_cmd, mu.reg_read(UC_ARM64_REG_LR))
323 | 		return False
324 | 
325 | 
326 | 	def GetInObjects():
327 | 		#print' GetInObjects'
328 | 		mu.reg_write(UC_ARM64_REG_X0, 0)
329 | 		mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
330 | 		return True
331 | 
332 | 
333 | 	def dword(ptr):
334 | 		return struct.unpack('I', mu.mem_read(ptr, 4))[0]
335 | 	def qword(ptr):
336 | 		return struct.unpack('Q', mu.mem_read(ptr, 8))[0]
337 | 
338 | 	funcs = {
339 | 		0x800000000: PrepareForProcess,           # PrepareForProcess(nn::sf::cmif::CmifMessageMetaInfo const&)
340 | 		0x800000008: OverwriteClientProcessId,    # OverwriteClientProcessId(ulong *)
341 | 		0x800000010: GetBuffers,                  # GetBuffers(nn::sf::detail::PointerAndSize *)
342 | 		0x800000018: GetInNativeHandles,          # GetInNativeHandles(nn::sf::NativeHandle *)
343 | 		0x800000020: GetInObjects,                # GetInObjects(nn::sf::cmif::server::CmifServerObjectInfo *)
344 | 		0x800000028: BeginPreparingForReply,      # BeginPreparingForReply(nn::sf::detail::PointerAndSize *)
345 | 		0x800000030: SetBuffers,                  # SetBuffers(nn::sf::detail::PointerAndSize *)
346 | 		0x800000038: SetOutObjects,               # SetOutObjects(nn::sf::cmif::server::CmifServerObjectInfo *)
347 | 		0x800000040: SetOutNativeHandles,         # SetOutNativeHandles(nn::sf::NativeHandle *)
348 | 		0x800000048: BeginPreparingForErrorReply, # BeginPreparingForErrorReply(nn::sf::detail::PointerAndSize *,ulong)
349 | 		0x800000050: EndPreparingForReply,        # EndPreparingForReply(void)
350 | 	}
351 | 
352 | 	mu.hook_add(UC_HOOK_CODE, hook_code)
353 | 
354 | 	for INTERFACE_NAME, stable in stables:
355 | 		try:
356 | 			TABLEFUNC = qword(stable)
357 | 			qword(TABLEFUNC)
358 | 		except UcError:
359 | 			continue
360 | 		if 'CmifDomainServerObject' in INTERFACE_NAME: continue
361 | 		#if 'ICommonStateGetter' not in INTERFACE_NAME: continue
362 | 
363 | 
364 | 		demangled_interface_name = demangle(INTERFACE_NAME)
365 | 		if 'nn::sf::hipc::detail::IHipcManager' == demangled_interface_name: continue
366 | 		vtaddr = None
367 | 		vtcandidates = []
368 | 		for sym in symbols:
369 | 			if demangled_interface_name.split('::')[-1] not in sym.name: continue
370 | 			if demangle(sym.name).startswith((
371 | 				'vtable for nn::sf::detail::ObjectImplFactoryWithStatelessAllocator<nn::sf::impl::detail::ImplTemplateBase<' + demangled_interface_name + ',',
372 | 				'vtable for nn::sf::detail::ObjectImplFactoryWithStatefulAllocator<nn::sf::impl::detail::ImplTemplateBase<' + demangled_interface_name + ',',
373 | 				'vtable for nn::sf::UnmanagedServiceObject<' + demangled_interface_name + ',',
374 | 				'vtable for nn::sf::UnmanagedServiceObjectByPointer<' + demangled_interface_name + ',')):
375 | 
376 | 				vtaddr = ADDRESS + sym.value
377 | 				while not (ADDRESS <= struct.unpack('<Q', mu.mem_read(vtaddr, 8))[0] < ADDRESS + text_size):
378 | 					vtaddr += 8
379 | 					assert vtaddr < ADDRESS + sym.value + 0x40
380 | 				 
381 | 				print '#', demangle(sym.name)
382 | 				vtname = demangled_interface_name
383 | 				if 'nn::sf::detail::EmplacedImplHolder<' in demangle(sym.name):
384 | 					vtname = demangled_interface_name + '_IpcObj_' + demangle(sym.name).split('nn::sf::detail::EmplacedImplHolder<')[1].split('>')[0]
385 | 				elif 'nn::sf::detail::StdSmartPtrHolder<std::__1::unique_ptr<' in demangle(sym.name):
386 | 					vtname = demangled_interface_name + '_IpcPtrObj_' + demangle(sym.name).split('nn::sf::detail::StdSmartPtrHolder<std::__1::unique_ptr<')[1].split('>')[0].split(',')[0]
387 | 				elif 'nn::sf::UnmanagedServiceObject<' in demangle(sym.name):
388 | 					vtname = demangled_interface_name + '_IpcService_' + demangle(sym.name).split('nn::sf::UnmanagedServiceObject<')[1].split('>')[0].split(', ')[1]
389 | 
390 | 				#print 'vtable: %X %s (from %r)' % (vtaddr, vtname, demangle(sym.name))
391 | 				vtcandidates.append((vtaddr, vtname))
392 | 		print '##', vtcandidates
393 | 		print '#  ' + repr(demangled_interface_name) + ': {'
394 | 		#print '    %r: {' % ('cmds')
395 | 
396 | 		existing = []
397 | 
398 | 		for current_cmd in ALL_COMMAND_IDS:
399 | 			if '_ZN2nn2sf4cmif6server6detail30CmifProcessFunctionTableGetterINS_5fssrv2sf11IFileSystemEvE7s_TableE' in INTERFACE_NAME and current_cmd == 7: continue
400 | 
401 | 			cmd_name = None #namesdb.get(demangle(INTERFACE_NAME), {}).get(str(current_cmd), {}).get('name')
402 | 			if cmd_name is None:
403 | 				cmd_name = 'Cmd%d' % (current_cmd,)
404 | 			else:
405 | 				cmd_name = 'Cmd%d_%s' % (current_cmd, cmd_name)
406 | 			actual_result_thing = None
407 | 			lines = []
408 | 			message_data = struct.pack('<QQ', MAGIC, current_cmd)
409 | 			mu.mem_write(message, message_data)
410 | 			mu.mem_write(message_struct, message_struct_data)
411 | 
412 | 			mu.reg_write(UC_ARM64_REG_X0, target_object)
413 | 			mu.reg_write(UC_ARM64_REG_X1, ipc_object)
414 | 			mu.reg_write(UC_ARM64_REG_X2, message_struct)
415 | 			for i in range(3, 28):
416 | 				mu.reg_write(UC_ARM64_REG_X0+i, 0)
417 | 			mu.reg_write(UC_ARM64_REG_X30, 0x700000000)
418 | 			mu.reg_write(UC_ARM64_REG_SP, STACK + STACK_SIZE)
419 | 			mu.reg_write(UC_ARM64_REG_PC, TABLEFUNC)
420 | 
421 | 			message_buffer = None
422 | 			while True:
423 | 				try:
424 | 					#help(mu.emu_start)
425 | 					mu.emu_start(mu.reg_read(UC_ARM64_REG_PC), 0, count=1)
426 | 				except UcError as e:
427 | 					pc = mu.reg_read(UC_ARM64_REG_PC)
428 | 					#print '@ pc 0x%X'
429 | 					if pc in funcs:
430 | 						if funcs[pc]():
431 | 							continue
432 | 					elif 0x900000000 <= pc < 0xA00000000:
433 | 						#print' vcall: pc=%X lr=%X' % (pc, mu.reg_read(UC_ARM64_REG_LR))
434 | 						actual_result_thing['vt'] = pc - 0x900000000
435 | 						if actual_result_thing.get('outinterfaces'):
436 | #							break
437 | 							mu.reg_write(UC_ARM64_REG_X0, 0)
438 | 							mu.reg_write(UC_ARM64_REG_PC, mu.reg_read(UC_ARM64_REG_LR))
439 | 							continue
440 | 
441 | 						#for i in lines: print i
442 | #						existing.append(current_cmd)
443 | 					elif pc == 0x700000000:
444 | 						error = mu.reg_read(UC_ARM64_REG_X0)
445 | 						if False:
446 | 							if error != 0: # and error != 0x1BA0A:
447 | 								#for i in lines: print i
448 | 								print '#  error = 0x%X' % error
449 | 					else:
450 | 						for i in lines: print '#', i
451 | 						print '#', e
452 | 						dump_regs()
453 | 						exit(0)
454 | 				else:
455 | 					if mu.reg_read(UC_ARM64_REG_PC) != 0:
456 | 
457 | 						continue
458 | 				if actual_result_thing:
459 | 					line = '      ' + ('%d: ' % current_cmd).ljust(7) + '{'
460 | 					parts = []
461 | 					for my_vtaddr, vtname in vtcandidates:
462 | 						if my_vtaddr is not None and 'vt' in actual_result_thing:
463 | 							actual_result_thing['func'] = struct.unpack('<Q', mu.mem_read(my_vtaddr + actual_result_thing['vt'], 8))[0]
464 | 							names[actual_result_thing['func']].add(vtname + '::' + cmd_name)
465 | 
466 | 					#for i in ['vt', 'lr', 'func', 'inbytes', 'outbytes', 'buffers', 'inhandles', 'outhandles', 'outinterfaces', 'pid', 'ininterfaces']:
467 | 					for i in ['inbytes', 'outbytes', 'buffers', 'inhandles', 'outhandles', 'outinterfaces', 'pid', 'ininterfaces']:
468 | 						if i not in actual_result_thing: continue
469 | 						#if i in ('vt', 'lr'): continue
470 | 						v = actual_result_thing[i]
471 | 						if isinstance(v, list):
472 | 							v = repr(v)
473 | 						else:
474 | 							if v >= 10:
475 | 								v = '0x%X' % v
476 | 							else:
477 | 								v = str(v)
478 | 							v = v.rjust(5)
479 | 						parts.append('"%s": %s' % (i, v))
480 | 					line += ', '.join(parts)
481 | 					#print names
482 | 
483 | 					line += '},'
484 | 					print '#', line #'{%r,' % (current_cmd, actual_result_thing)
485 | 				break
486 | 
487 | 		#print '    },'
488 | 		print '#  },'
489 | 	print '#},'
490 | 
491 | 	if True:
492 | 		for k, v in sorted(names.items()):
493 | 			if len(v) != 1:
494 | 				print '#', hex(k), v
495 | 			else:
496 | 				print 'MakeName(0x%X,%r)' % (k, str(list(v)[0]))
497 | 


--------------------------------------------------------------------------------
/ipcserver/itanium_demangler.py:
--------------------------------------------------------------------------------
  1 | # encoding:utf-8
  2 | # Copyright (C) 2018 whitequark@whitequark.org
  3 | # 
  4 | # Permission to use, copy, modify, and/or distribute this software for
  5 | # any purpose with or without fee is hereby granted.
  6 | # 
  7 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  8 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  9 | # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 10 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 11 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
 12 | # AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 13 | # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 14 | """
 15 | This module implements a C++ Itanium ABI demangler.
 16 | 
 17 | The demangler provides a single entry point, `demangle`, and returns either `None`
 18 | or an abstract syntax tree. All nodes have, at least, a `kind` field.
 19 | 
 20 | Name nodes:
 21 |     * `name`: `node.value` (`str`) holds an unqualified name
 22 |     * `ctor`: `node.value` is one of `"complete"`, `"base"`, or `"allocating"`, specifying
 23 |       the type of constructor
 24 |     * `dtor`: `node.value` is one of `"deleting"`, `"complete"`, or `"base"`, specifying
 25 |       the type of destructor
 26 |     * `oper`: `node.value` (`str`) holds a symbolic operator name, without the keyword
 27 |       "operator"
 28 |     * `oper_cast`: `node.value` holds a type node
 29 |     * `tpl_args`: `node.value` (`tuple`) holds a sequence of type nodes
 30 |     * `qual_name`: `node.value` (`tuple`) holds a sequence of `name` and `tpl_args` nodes,
 31 |       possibly ending in a `ctor`, `dtor` or `operator` node
 32 |     * `abi`: `node.value` holds a name node, `node.qual` (`frozenset`) holds a set of ABI tags
 33 | 
 34 | Type nodes:
 35 |     * `name` and `qual_name` specify a type by its name
 36 |     * `builtin`: `node.value` (`str`) specifies a builtin type by its name
 37 |     * `pointer`, `lvalue` and `rvalue`: `node.value` holds a pointee type node
 38 |     * `cv_qual`: `node.value` holds a type node, `node.qual` (`frozenset`) is any of
 39 |       `"const"`, `"volatile"`, or `"restrict"`
 40 |     * `literal`: `node.value` (`str`) holds the literal representation as-is,
 41 |       `node.ty` holds a type node specifying the type of the literal
 42 |     * `function`: `node.name` holds a name node specifying the function name,
 43 |       `node.ret_ty` holds a type node specifying the return type of a template function,
 44 |       if any, or `None`, ``node.arg_tys` (`tuple`) holds a sequence of type nodes
 45 |       specifying thefunction arguments
 46 | 
 47 | Special nodes:
 48 |     * `vtable`, `vtt`, `typeinfo`, and `typeinfo_name`: `node.value` holds a type node
 49 |       specifying the type described by this RTTI data structure
 50 |     * `nonvirt_thunk`, `virt_thunk`: `node.value` holds a function node specifying
 51 |       the function to which the thunk dispatches
 52 | """
 53 | 
 54 | import re
 55 | from collections import namedtuple
 56 | 
 57 | 
 58 | class _Cursor:
 59 |     def __init__(self, raw, pos=0):
 60 |         self._raw = raw
 61 |         self._pos = pos
 62 |         self._substs = {}
 63 | 
 64 |     def at_end(self):
 65 |         return self._pos == len(self._raw)
 66 | 
 67 |     def accept(self, delim):
 68 |         if self._raw[self._pos:self._pos + len(delim)] == delim:
 69 |             self._pos += len(delim)
 70 |             return True
 71 | 
 72 |     def advance(self, amount):
 73 |         if self._pos + amount > len(self._raw):
 74 |             return None
 75 |         result = self._raw[self._pos:self._pos + amount]
 76 |         self._pos += amount
 77 |         return result
 78 | 
 79 |     def advance_until(self, delim):
 80 |         new_pos = self._raw.find(delim, self._pos)
 81 |         if new_pos == -1:
 82 |             return None
 83 |         result = self._raw[self._pos:new_pos]
 84 |         self._pos = new_pos + len(delim)
 85 |         return result
 86 | 
 87 |     def match(self, pattern):
 88 |         match = pattern.match(self._raw, self._pos)
 89 |         if match:
 90 |             self._pos = match.end(0)
 91 |         return match
 92 | 
 93 |     def add_subst(self, node):
 94 |         # print("S[{}] = {}".format(len(self._substs), str(node)))
 95 |         if not node in self._substs.values():
 96 |             self._substs[len(self._substs)] = node
 97 | 
 98 |     def resolve_subst(self, seq_id):
 99 |         if seq_id in self._substs:
100 |             return self._substs[seq_id]
101 | 
102 |     def __repr__(self):
103 |         return "_Cursor({}, {})".format(self._raw[:self._pos] + '→' + self._raw[self._pos:],
104 |                                         self._pos)
105 | 
106 | 
107 | class Node(namedtuple('Node', 'kind value')):
108 |     def __repr__(self):
109 |         return "<Node {} {}>".format(self.kind, repr(self.value))
110 | 
111 |     def __str__(self):
112 |         if self.kind in ('name', 'builtin'):
113 |             if self.value == '_GLOBAL__N_1':
114 |                 return '(anonymous namespace)'
115 |             return self.value
116 |         elif self.kind == 'qual_name':
117 |             result = ''
118 |             for node in self.value:
119 |                 if result != '' and node.kind != 'tpl_args':
120 |                     result += '::'
121 |                 result += str(node)
122 |             return result
123 |         elif self.kind == 'tpl_args':
124 |             result = '<' + ', '.join(map(str, self.value))
125 |             if result.endswith('>'):
126 |                 result += ' '
127 |             result += '>'
128 |             return result
129 |         elif self.kind == 'ctor':
130 |             if self.value == 'complete':
131 |                 return '{ctor}'
132 |             elif self.value == 'base':
133 |                 return '{base ctor}'
134 |             elif self.value == 'allocating':
135 |                 return '{allocating ctor}'
136 |             else:
137 |                 assert False
138 |         elif self.kind == 'dtor':
139 |             if self.value == 'deleting':
140 |                 return '{deleting dtor}'
141 |             elif self.value == 'complete':
142 |                 return '{dtor}'
143 |             elif self.value == 'base':
144 |                 return '{base dtor}'
145 |             else:
146 |                 assert False
147 |         elif self.kind == 'oper':
148 |             if self.value.startswith('new') or self.value.startswith('delete'):
149 |                 return 'operator ' + self.value
150 |             else:
151 |                 return 'operator' + self.value
152 |         elif self.kind == 'oper_cast':
153 |             return 'operator ' + str(self.value)
154 |         elif self.kind == 'pointer':
155 |             return str(self.value) + '*'
156 |         elif self.kind == 'lvalue':
157 |             return str(self.value) + '&'
158 |         elif self.kind == 'rvalue':
159 |             return str(self.value) + '&&'
160 |         elif self.kind == 'tpl_param':
161 |             return '{T' + str(self.value) + '}'
162 |         elif self.kind == 'subst':
163 |             return '{S' + str(self.value) + '}'
164 |         elif self.kind == 'vtable':
165 |             return 'vtable for ' + str(self.value)
166 |         elif self.kind == 'vtt':
167 |             return 'vtt for ' + str(self.value)
168 |         elif self.kind == 'typeinfo':
169 |             return 'typeinfo for ' + str(self.value)
170 |         elif self.kind == 'typeinfo_name':
171 |             return 'typeinfo name for ' + str(self.value)
172 |         elif self.kind == 'nonvirt_thunk':
173 |             return 'non-virtual thunk for ' + str(self.value)
174 |         elif self.kind == 'virt_thunk':
175 |             return 'virtual thunk for ' + str(self.value)
176 |         else:
177 |             return repr(self)
178 | 
179 |     def map(self, f):
180 |         if self.kind in ('oper_cast', 'pointer', 'lvalue', 'rvalue', 'expand_arg_pack',
181 |                          'vtable', 'vtt', 'typeinfo', 'typeinfo_name'):
182 |             return self._replace(value=f(self.value))
183 |         elif self.kind in ('qual_name', 'tpl_args', 'tpl_arg_pack'):
184 |             return self._replace(value=tuple(map(f, self.value)))
185 |         else:
186 |             return self
187 | 
188 | 
189 | class QualNode(namedtuple('QualNode', 'kind value qual')):
190 |     def __repr__(self):
191 |         return "<QualNode {} {} {}>".format(self.kind, repr(self.qual), repr(self.value))
192 | 
193 |     def __str__(self):
194 |         if self.kind == 'abi':
195 |             return str(self.value) + "".join(['[abi:' + tag + ']' for tag in self.qual])
196 |         elif self.kind == 'cv_qual':
197 |             return ' '.join([str(self.value)] + list(self.qual))
198 |         else:
199 |             return repr(self)
200 | 
201 |     def map(self, f):
202 |         if self.kind == 'cv_qual':
203 |             return self._replace(value=f(self.value))
204 |         else:
205 |             return self
206 | 
207 | 
208 | class CastNode(namedtuple('CastNode', 'kind value ty')):
209 |     def __repr__(self):
210 |         return "<CastNode {} {} {}>".format(self.kind, repr(self.ty), repr(self.value))
211 | 
212 |     def __str__(self):
213 |         if self.kind == 'literal':
214 |             ty = str(self.ty)
215 |             suffixes = {
216 |                 'long': 'l',
217 |                 'unsigned long': 'ul',
218 |                 'int': ''
219 |             }
220 |             value = str(self.value)
221 |             if ty in suffixes:
222 |                 return value + suffixes[ty]
223 |             if ty == 'bool' and value in ('0', '1'):
224 |                 return { '0': 'false', '1': 'true' }[value]
225 |             return '(' + ty + ')' + value
226 |         else:
227 |             return repr(self)
228 | 
229 |     def map(self, f):
230 |         if self.kind == 'literal':
231 |             return self._replace(ty=f(self.ty))
232 |         else:
233 |             return self
234 | 
235 | 
236 | class FuncNode(namedtuple('FuncNode', 'kind name arg_tys ret_ty')):
237 |     def __repr__(self):
238 |         return "<FuncNode {} {} {} {}>".format(self.kind, repr(self.name),
239 |                                                repr(self.arg_tys), repr(self.ret_ty))
240 | 
241 |     def __str__(self):
242 |         if self.kind == 'func':
243 |             result = ""
244 |             if self.ret_ty is not None:
245 |                 result += str(self.ret_ty) + ' '
246 |             if self.name is not None:
247 |                 result += str(self.name)
248 |             if self.arg_tys == (Node('builtin', 'void'),):
249 |                 result += '()'
250 |             else:
251 |                 result += '(' + ', '.join(map(str, self.arg_tys)) + ')'
252 |             return result
253 |         else:
254 |             return repr(self)
255 | 
256 |     def map(self, f):
257 |         if self.kind == 'func':
258 |             return self._replace(name=f(self.name) if self.name else None,
259 |                                  arg_tys=tuple(map(f, self.arg_tys)),
260 |                                  ret_ty=f(self.ret_ty) if self.ret_ty else None)
261 |         else:
262 |             return self
263 | 
264 | 
265 | _ctor_dtor_map = {
266 |     'C1': 'complete',
267 |     'C2': 'base',
268 |     'C3': 'allocating',
269 |     'D0': 'deleting',
270 |     'D1': 'complete',
271 |     'D2': 'base'
272 | }
273 | 
274 | _std_names = {
275 |     'St': [Node('name', 'std')],
276 |     'Sa': [Node('name', 'std'), Node('name', 'allocator')],
277 |     'Sb': [Node('name', 'std'), Node('name', 'basic_string')],
278 |     'Ss': [Node('name', 'std'), Node('name', 'string')],
279 |     'Si': [Node('name', 'std'), Node('name', 'istream')],
280 |     'So': [Node('name', 'std'), Node('name', 'ostream')],
281 |     'Sd': [Node('name', 'std'), Node('name', 'iostream')],
282 | }
283 | 
284 | _operators = {
285 |     'nw': 'new',
286 |     'na': 'new[]',
287 |     'dl': 'delete',
288 |     'da': 'delete[]',
289 |     'ps': '+', # (unary)
290 |     'ng': '-', # (unary)
291 |     'ad': '&', # (unary)
292 |     'de': '*', # (unary)
293 |     'co': '~',
294 |     'pl': '+',
295 |     'mi': '-',
296 |     'ml': '*',
297 |     'dv': '/',
298 |     'rm': '%',
299 |     'an': '&',
300 |     'or': '|',
301 |     'eo': '^',
302 |     'aS': '=',
303 |     'pL': '+=',
304 |     'mI': '-=',
305 |     'mL': '*=',
306 |     'dV': '/=',
307 |     'rM': '%=',
308 |     'aN': '&=',
309 |     'oR': '|=',
310 |     'eO': '^=',
311 |     'ls': '<<',
312 |     'rs': '>>',
313 |     'lS': '<<=',
314 |     'rS': '>>=',
315 |     'eq': '==',
316 |     'ne': '!=',
317 |     'lt': '<',
318 |     'gt': '>',
319 |     'le': '<=',
320 |     'ge': '>=',
321 |     'nt': '!',
322 |     'aa': '&&',
323 |     'oo': '||',
324 |     'pp': '++', # (postfix in <expression> context)
325 |     'mm': '--', # (postfix in <expression> context)
326 |     'cm': ',',
327 |     'pm': '->*',
328 |     'pt': '->',
329 |     'cl': '()',
330 |     'ix': '[]',
331 |     'qu': '?',
332 | }
333 | 
334 | _builtin_types = {
335 |     'v':  'void',
336 |     'w':  'wchar_t',
337 |     'b':  'bool',
338 |     'c':  'char',
339 |     'a':  'signed char',
340 |     'h':  'unsigned char',
341 |     's':  'short',
342 |     't':  'unsigned short',
343 |     'i':  'int',
344 |     'j':  'unsigned int',
345 |     'l':  'long',
346 |     'm':  'unsigned long',
347 |     'x':  'long long',
348 |     'y':  'unsigned long long',
349 |     'n':  '__int128',
350 |     'o':  'unsigned __int128',
351 |     'f':  'float',
352 |     'd':  'double',
353 |     'e':  '__float80',
354 |     'g':  '__float128',
355 |     'z':  '...',
356 |     'Di': 'char32_t',
357 |     'Ds': 'char16_t',
358 |     'Da': 'auto',
359 | }
360 | 
361 | 
362 | def _handle_cv(qualifiers, node):
363 |     qualifier_set = set()
364 |     if 'r' in qualifiers:
365 |         qualifier_set.add('restrict')
366 |     if 'V' in qualifiers:
367 |         qualifier_set.add('volatile')
368 |     if 'K' in qualifiers:
369 |         qualifier_set.add('const')
370 |     if qualifier_set:
371 |         return QualNode('cv_qual', node, frozenset(qualifier_set))
372 |     return node
373 | 
374 | def _handle_indirect(qualifier, node):
375 |     if qualifier == 'P':
376 |         return Node('pointer', node)
377 |     elif qualifier == 'R':
378 |         return Node('lvalue', node)
379 |     elif qualifier == 'O':
380 |         return Node('rvalue', node)
381 |     return node
382 | 
383 | 
384 | def _parse_seq_id(cursor):
385 |     seq_id = cursor.advance_until('_')
386 |     if seq_id is None:
387 |         return None
388 |     if seq_id == '':
389 |         return 0
390 |     else:
391 |         return 1 + int(seq_id, 36)
392 | 
393 | def _parse_until_end(cursor, kind, fn):
394 |     nodes = []
395 |     while not cursor.accept('E'):
396 |         node = fn(cursor)
397 |         if node is None or cursor.at_end():
398 |             return None
399 |         nodes.append(node)
400 |     return Node(kind, tuple(nodes))
401 | 
402 | 
403 | _SOURCE_NAME_RE = re.compile(r"\d+")
404 | 
405 | def _parse_source_name(cursor):
406 |     match = cursor.match(_SOURCE_NAME_RE)
407 |     name_len = int(match.group(0))
408 |     name = cursor.advance(name_len)
409 |     if name is None:
410 |         return None
411 |     return name
412 | 
413 | 
414 | _NAME_RE = re.compile(r"""
415 | (?P<source_name>        (?= \d)) |
416 | (?P<ctor_name>          C[123]) |
417 | (?P<dtor_name>          D[012]) |
418 | (?P<std_name>           S[absiod]) |
419 | (?P<operator_name>      nw|na|dl|da|ps|ng|ad|de|co|pl|mi|ml|dv|rm|an|or|
420 |                         eo|aS|pL|mI|mL|dV|rM|aN|oR|eO|ls|rs|lS|rS|eq|ne|
421 |                         lt|gt|le|ge|nt|aa|oo|pp|mm|cm|pm|pt|cl|ix|qu) |
422 | (?P<operator_cv>        cv) |
423 | (?P<std_prefix>         St) |
424 | (?P<substitution>       S) |
425 | (?P<nested_name>        N (?P<cv_qual> [rVK]*) (?P<ref_qual> [RO]?)) |
426 | (?P<template_param>     T) |
427 | (?P<template_args>      I) |
428 | (?P<constant>           L)
429 | """, re.X)
430 | 
431 | def _parse_name(cursor, is_nested=False):
432 |     match = cursor.match(_NAME_RE)
433 |     if match is None:
434 |         return None
435 |     elif match.group('source_name') is not None:
436 |         name = _parse_source_name(cursor)
437 |         if name is None:
438 |             return None
439 |         node = Node('name', name)
440 |     elif match.group('ctor_name') is not None:
441 |         node = Node('ctor', _ctor_dtor_map[match.group('ctor_name')])
442 |     elif match.group('dtor_name') is not None:
443 |         node = Node('dtor', _ctor_dtor_map[match.group('dtor_name')])
444 |     elif match.group('std_name') is not None:
445 |         node = Node('qual_name', _std_names[match.group('std_name')])
446 |     elif match.group('operator_name') is not None:
447 |         node = Node('oper', _operators[match.group('operator_name')])
448 |     elif match.group('operator_cv') is not None:
449 |         ty = _parse_type(cursor)
450 |         if ty is None:
451 |             return None
452 |         node = Node('oper_cast', ty)
453 |     elif match.group('std_prefix') is not None:
454 |         name = _parse_name(cursor, is_nested=True)
455 |         if name is None:
456 |             return None
457 |         if name.kind == 'qual_name':
458 |             node = Node('qual_name', (Node('name', 'std'),) + name.value)
459 |         else:
460 |             node = Node('qual_name', (Node('name', 'std'), name))
461 |     elif match.group('substitution') is not None:
462 |         seq_id = _parse_seq_id(cursor)
463 |         if seq_id is None:
464 |             return None
465 |         node = cursor.resolve_subst(seq_id)
466 |         if node is None:
467 |             return None
468 |     elif match.group('nested_name') is not None:
469 |         nodes = []
470 |         while True:
471 |             name = _parse_name(cursor, is_nested=True)
472 |             if name is None or cursor.at_end():
473 |                 return None
474 |             if name.kind == 'qual_name':
475 |                 nodes += name.value
476 |             else:
477 |                 nodes.append(name)
478 |             if cursor.accept('E'):
479 |                 break
480 |             else:
481 |                 cursor.add_subst(Node('qual_name', tuple(nodes)))
482 |         node = Node('qual_name', tuple(nodes))
483 |         node = _handle_cv(match.group('cv_qual'), node)
484 |         node = _handle_indirect(match.group('ref_qual'), node)
485 |     elif match.group('template_param') is not None:
486 |         seq_id = _parse_seq_id(cursor)
487 |         if seq_id is None:
488 |             return None
489 |         node = Node('tpl_param', seq_id)
490 |         cursor.add_subst(node)
491 |     elif match.group('template_args') is not None:
492 |         node = _parse_until_end(cursor, 'tpl_args', _parse_type)
493 |     elif match.group('constant') is not None:
494 |         # not in the ABI doc, but probably means `const`
495 |         return _parse_name(cursor, is_nested)
496 |     if node is None:
497 |         return None
498 | 
499 |     abi_tags = []
500 |     while cursor.accept('B'):
501 |         abi_tags.append(_parse_source_name(cursor))
502 |     if abi_tags:
503 |         node = QualNode('abi', node, frozenset(abi_tags))
504 | 
505 |     if not is_nested and cursor.accept('I') and (
506 |             node.kind == 'name' or
507 |             match.group('std_prefix') is not None or
508 |             match.group('std_name') is not None or
509 |             match.group('substitution') is not None):
510 |         if node.kind == 'name' or match.group('std_prefix') is not None:
511 |             cursor.add_subst(node) # <unscoped-template-name> ::= <substitution>
512 |         templ_args = _parse_until_end(cursor, 'tpl_args', _parse_type)
513 |         if templ_args is None:
514 |             return None
515 |         node = Node('qual_name', (node, templ_args))
516 |         if (match.group('std_prefix') is not None or
517 |                 match.group('std_name') is not None):
518 |             cursor.add_subst(node)
519 | 
520 |     return node
521 | 
522 | 
523 | _TYPE_RE = re.compile(r"""
524 | (?P<builtin_type>       v|w|b|c|a|h|s|t|i|j|l|m|x|y|n|o|f|d|e|g|z|
525 |                         Dd|De|Df|Dh|DF|Di|Ds|Da|Dc|Dn) |
526 | (?P<qualified_type>     [rVK]+) |
527 | (?P<indirect_type>      [PRO]) |
528 | (?P<function_type>      F) |
529 | (?P<expression>         X) |
530 | (?P<expr_primary>       (?= L)) |
531 | (?P<template_arg_pack>  J) |
532 | (?P<arg_pack_expansion> Dp) |
533 | (?P<decltype>           D[tT])
534 | """, re.X)
535 | 
536 | def _parse_type(cursor):
537 |     match = cursor.match(_TYPE_RE)
538 |     if match is None:
539 |         node = _parse_name(cursor)
540 |         cursor.add_subst(node)
541 |     elif match.group('builtin_type') is not None:
542 |         node = Node('builtin', _builtin_types[match.group('builtin_type')])
543 |     elif match.group('qualified_type') is not None:
544 |         ty = _parse_type(cursor)
545 |         if ty is None:
546 |             return None
547 |         node = _handle_cv(match.group('qualified_type'), ty)
548 |         cursor.add_subst(node)
549 |     elif match.group('indirect_type') is not None:
550 |         ty = _parse_type(cursor)
551 |         if ty is None:
552 |             return None
553 |         node = _handle_indirect(match.group('indirect_type'), ty)
554 |         cursor.add_subst(node)
555 |     elif match.group('function_type') is not None:
556 |         ret_ty = _parse_type(cursor)
557 |         if ret_ty is None:
558 |             return None
559 |         arg_tys = []
560 |         while not cursor.accept('E'):
561 |             arg_ty = _parse_type(cursor)
562 |             if arg_ty is None:
563 |                 return None
564 |             arg_tys.append(arg_ty)
565 |         node = FuncNode('func', None, tuple(arg_tys), ret_ty)
566 |         cursor.add_subst(node)
567 |     elif match.group('expression') is not None:
568 |         raise NotImplementedError("expressions are not supported")
569 |     elif match.group('expr_primary') is not None:
570 |         node = _parse_expr_primary(cursor)
571 |     elif match.group('template_arg_pack') is not None:
572 |         node = _parse_until_end(cursor, 'tpl_arg_pack', _parse_type)
573 |     elif match.group('arg_pack_expansion') is not None:
574 |         node = _parse_type(cursor)
575 |         node = Node('expand_arg_pack', node)
576 |     elif match.group('decltype') is not None:
577 |         raise NotImplementedError("decltype is not supported")
578 |     else:
579 |         return None
580 |     return node
581 | 
582 | 
583 | _EXPR_PRIMARY_RE = re.compile(r"""
584 | (?P<mangled_name>       L (?= _Z)) |
585 | (?P<literal>            L)
586 | """, re.X)
587 | 
588 | def _parse_expr_primary(cursor):
589 |     match = cursor.match(_EXPR_PRIMARY_RE)
590 |     if match is None:
591 |         return None
592 |     elif match.group('mangled_name') is not None:
593 |         mangled_name = cursor.advance_until('E')
594 |         return _parse_mangled_name(_Cursor(mangled_name))
595 |     elif match.group('literal') is not None:
596 |         ty = _parse_type(cursor)
597 |         if ty is None:
598 |             return None
599 |         value = cursor.advance_until('E')
600 |         if value is None:
601 |             return None
602 |         return CastNode('literal', value, ty)
603 | 
604 | 
605 | def _expand_template_args(func):
606 |     if func.name.kind == 'qual_name':
607 |         name_suffix = func.name.value[-1]
608 |         if name_suffix.kind == 'tpl_args':
609 |             tpl_args = name_suffix.value
610 |             def mapper(node):
611 |                 if node.kind == 'tpl_param' and node.value < len(tpl_args):
612 |                     return tpl_args[node.value]
613 |                 return node.map(mapper)
614 |             return mapper(func)
615 |     return func
616 | 
617 | def _parse_encoding(cursor):
618 |     name = _parse_name(cursor)
619 |     if name is None:
620 |         return None
621 |     if cursor.at_end():
622 |         return name
623 | 
624 |     if name.kind == 'qual_name' and name.value[-1].kind == 'tpl_args':
625 |         ret_ty = _parse_type(cursor)
626 |         if ret_ty is None:
627 |             return None
628 |     else:
629 |         ret_ty = None
630 | 
631 |     arg_tys = []
632 |     while not cursor.at_end():
633 |         arg_ty = _parse_type(cursor)
634 |         if arg_ty is None:
635 |             return None
636 |         arg_tys.append(arg_ty)
637 | 
638 |     if arg_tys:
639 |         func = FuncNode('func', name, tuple(arg_tys), ret_ty)
640 |         return _expand_template_args(func)
641 |     else:
642 |         return name
643 | 
644 | 
645 | _SPECIAL_RE = re.compile(r"""
646 | (?P<rtti>               T (?P<kind> [VTIS])) |
647 | (?P<nonvirtual_thunk>   Th (?P<nv_offset> n? \d+) _) |
648 | (?P<virtual_thunk>      Tv (?P<v_offset> n? \d+) _ (?P<vcall_offset> n? \d+) _) |
649 | (?P<covariant_thunk>    Tc)
650 | """, re.X)
651 | 
652 | def _parse_special(cursor):
653 |     match = cursor.match(_SPECIAL_RE)
654 |     if match is None:
655 |         return None
656 |     elif match.group('rtti') is not None:
657 |         name = _parse_type(cursor)
658 |         if name is None:
659 |             return None
660 |         if match.group('kind') == 'V':
661 |             return Node('vtable', name)
662 |         elif match.group('kind') == 'T' is not None:
663 |             return Node('vtt', name)
664 |         elif match.group('kind') == 'I' is not None:
665 |             return Node('typeinfo', name)
666 |         elif match.group('kind') == 'S' is not None:
667 |             return Node('typeinfo_name', name)
668 |     elif match.group('nonvirtual_thunk') is not None:
669 |         func = _parse_encoding(cursor)
670 |         if func is None:
671 |             return None
672 |         return Node('nonvirt_thunk', func)
673 |     elif match.group('virtual_thunk') is not None:
674 |         func = _parse_encoding(cursor)
675 |         if func is None:
676 |             return None
677 |         return Node('virt_thunk', func)
678 |     elif match.group('covariant_thunk') is not None:
679 |         raise NotImplementedError("covariant thunks are not supported")
680 | 
681 | 
682 | _MANGLED_NAME_RE = re.compile(r"""
683 | (?P<mangled_name>       _?_Z)
684 | """, re.X)
685 | 
686 | def _parse_mangled_name(cursor):
687 |     match = cursor.match(_MANGLED_NAME_RE)
688 |     if match is None:
689 |         return None
690 |     else:
691 |         special = _parse_special(cursor)
692 |         if special is not None:
693 |             return special
694 | 
695 |         return _parse_encoding(cursor)
696 | 
697 | 
698 | def _expand_arg_packs(ast):
699 |     def mapper(node):
700 |         if node.kind == 'tpl_args':
701 |             exp_args = []
702 |             for arg in node.value:
703 |                 if arg.kind in ['tpl_arg_pack', 'tpl_args']:
704 |                     exp_args += arg.value
705 |                 else:
706 |                     exp_args.append(arg)
707 |             return Node('tpl_args', tuple(map(mapper, exp_args)))
708 |         elif node.kind == 'func':
709 |             node = node.map(mapper)
710 |             exp_arg_tys = []
711 |             for arg_ty in node.arg_tys:
712 |                 if arg_ty.kind == 'expand_arg_pack' and \
713 |                         arg_ty.value.kind == 'rvalue' and \
714 |                             arg_ty.value.value.kind in ['tpl_arg_pack', 'tpl_args']:
715 |                     exp_arg_tys += arg_ty.value.value.value
716 |                 else:
717 |                     exp_arg_tys.append(arg_ty)
718 |             return node._replace(arg_tys=tuple(exp_arg_tys))
719 |         else:
720 |             return node.map(mapper)
721 |     return mapper(ast)
722 | 
723 | def parse(raw):
724 |     ast = _parse_mangled_name(_Cursor(raw))
725 |     if ast is not None:
726 |         ast = _expand_arg_packs(ast)
727 |     return ast
728 | 
729 | # ================================================================================================
730 | 
731 | import unittest
732 | 
733 | 
734 | class TestDemangler(unittest.TestCase):
735 |     def assertParses(self, mangled, ast):
736 |         result = parse(mangled)
737 |         self.assertEqual(result, ast)
738 | 
739 |     def assertDemangles(self, mangled, demangled):
740 |         result = parse(mangled)
741 |         if result is not None:
742 |             result = str(result)
743 |         self.assertEqual(result, demangled)
744 | 
745 |     def test_name(self):
746 |         self.assertDemangles('_Z3foo', 'foo')
747 |         self.assertDemangles('_Z3x', None)
748 | 
749 |     def test_ctor_dtor(self):
750 |         self.assertDemangles('_ZN3fooC1E', 'foo::{ctor}')
751 |         self.assertDemangles('_ZN3fooC2E', 'foo::{base ctor}')
752 |         self.assertDemangles('_ZN3fooC3E', 'foo::{allocating ctor}')
753 |         self.assertDemangles('_ZN3fooD0E', 'foo::{deleting dtor}')
754 |         self.assertDemangles('_ZN3fooD1E', 'foo::{dtor}')
755 |         self.assertDemangles('_ZN3fooD2E', 'foo::{base dtor}')
756 | 
757 |     def test_operator(self):
758 |         for op in _operators:
759 |             if _operators[op] in ['new', 'new[]', 'delete', 'delete[]']:
760 |                 continue
761 |             self.assertDemangles('_Z' + op, 'operator' + _operators[op])
762 |         self.assertDemangles('_Znw', 'operator new')
763 |         self.assertDemangles('_Zna', 'operator new[]')
764 |         self.assertDemangles('_Zdl', 'operator delete')
765 |         self.assertDemangles('_Zda', 'operator delete[]')
766 |         self.assertDemangles('_Zcvi', 'operator int')
767 | 
768 |     def test_std_substs(self):
769 |         self.assertDemangles('_ZSt3foo', 'std::foo')
770 |         self.assertDemangles('_ZStN3fooE', 'std::foo')
771 |         self.assertDemangles('_ZSs', 'std::string')
772 |         self.assertParses('_ZSt', None)
773 |         self.assertDemangles('_Z3fooISt6vectorE', 'foo<std::vector>')
774 |         self.assertDemangles('_ZSaIhE', 'std::allocator<unsigned char>')
775 | 
776 |     def test_nested_name(self):
777 |         self.assertDemangles('_ZN3fooE', 'foo')
778 |         self.assertDemangles('_ZN3foo5bargeE', 'foo::barge')
779 |         self.assertDemangles('_ZN3fooIcE5bargeE', 'foo<char>::barge')
780 |         self.assertDemangles('_ZNK3fooE', 'foo const')
781 |         self.assertDemangles('_ZNV3fooE', 'foo volatile')
782 |         self.assertDemangles('_ZNKR3fooE', 'foo const&')
783 |         self.assertDemangles('_ZNKO3fooE', 'foo const&&')
784 |         self.assertParses('_ZNKO3foo', None)
785 | 
786 |     def test_template_args(self):
787 |         self.assertDemangles('_Z3fooIcE', 'foo<char>')
788 |         self.assertDemangles('_ZN3fooIcEE', 'foo<char>')
789 |         self.assertParses('_Z3fooI', None)
790 | 
791 |     def test_builtin_types(self):
792 |         for ty in _builtin_types:
793 |             self.assertDemangles('_Z1fI' + ty + 'E', 'f<' + _builtin_types[ty] + '>')
794 | 
795 |     def test_qualified_type(self):
796 |         self.assertDemangles('_Z1fIriE', 'f<int restrict>')
797 |         self.assertDemangles('_Z1fIKiE', 'f<int const>')
798 |         self.assertDemangles('_Z1fIViE', 'f<int volatile>')
799 |         self.assertDemangles('_Z1fIVVViE', 'f<int volatile>')
800 | 
801 |     def test_function_type(self):
802 |         self.assertDemangles('_Z1fv', 'f()')
803 |         self.assertDemangles('_Z1fi', 'f(int)')
804 |         self.assertDemangles('_Z1fic', 'f(int, char)')
805 |         self.assertDemangles('_ZN1fEic', 'f(int, char)')
806 |         self.assertDemangles('_ZN1fIEEic', 'int f<>(char)')
807 |         self.assertDemangles('_ZN1fIEC1Eic', 'f<>::{ctor}(int, char)')
808 | 
809 |     def test_indirect_type(self):
810 |         self.assertDemangles('_Z1fIPiE', 'f<int*>')
811 |         self.assertDemangles('_Z1fIRiE', 'f<int&>')
812 |         self.assertDemangles('_Z1fIOiE', 'f<int&&>')
813 |         self.assertDemangles('_Z1fIKRiE', 'f<int& const>')
814 |         self.assertDemangles('_Z1fIRKiE', 'f<int const&>')
815 | 
816 |     def test_literal(self):
817 |         self.assertDemangles('_Z1fILi1EE', 'f<(int)1>')
818 |         self.assertDemangles('_Z1fIL_Z1gEE', 'f<g>')
819 | 
820 |     def test_argpack(self):
821 |         self.assertDemangles('_Z1fILb0EJciEE', 'f<(bool)0, char, int>')
822 |         self.assertDemangles('_Z1fILb0EIciEE', 'f<(bool)0, char, int>')
823 |         self.assertDemangles('_Z1fIJciEEvDpOT_', 'void f<char, int>(char, int)')
824 |         self.assertDemangles('_Z1fIIciEEvDpOT_', 'void f<char, int>(char, int)')
825 | 
826 |     def test_special(self):
827 |         self.assertDemangles('_ZTV1f', 'vtable for f')
828 |         self.assertDemangles('_ZTT1f', 'vtt for f')
829 |         self.assertDemangles('_ZTI1f', 'typeinfo for f')
830 |         self.assertDemangles('_ZTS1f', 'typeinfo name for f')
831 |         self.assertDemangles('_ZThn16_1fv', 'non-virtual thunk for f()')
832 |         self.assertDemangles('_ZTv16_8_1fv', 'virtual thunk for f()')
833 | 
834 |     def test_template_param(self):
835 |         self.assertDemangles('_ZN1fIciEEvT_PT0_', 'void f<char, int>(char, int*)')
836 |         self.assertParses('_ZN1fIciEEvT_PT0', None)
837 | 
838 |     def test_substitution(self):
839 |         self.assertDemangles('_Z3fooIEvS_', 'void foo<>(foo)')
840 |         self.assertDemangles('_ZN3foo3barIES_E', 'foo::bar<>::foo')
841 |         self.assertDemangles('_ZN3foo3barIES0_E', 'foo::bar<>::foo::bar')
842 |         self.assertDemangles('_ZN3foo3barIES1_E', 'foo::bar<>::foo::bar<>')
843 |         self.assertParses('_ZN3foo3barIES_ES2_', None)
844 |         self.assertDemangles('_Z3fooIS_E', 'foo<foo>')
845 |         self.assertDemangles('_ZSt3fooIS_E', 'std::foo<std::foo>')
846 |         self.assertDemangles('_Z3fooIPiEvS0_', 'void foo<int*>(int*)')
847 |         self.assertDemangles('_Z3fooISaIcEEvS0_',
848 |                              'void foo<std::allocator<char>>(std::allocator<char>)')
849 |         self.assertDemangles('_Z3fooI3barS0_E', 'foo<bar, bar>')
850 |         self.assertDemangles('_ZN2n11fEPNS_1bEPNS_2n21cEPNS2_2n31dE',
851 |                              'n1::f(n1::b*, n1::n2::c*, n1::n2::n3::d*)')
852 |         self.assertDemangles('_ZN1f1gES_IFvvEE', 'f::g(f<void ()>)')
853 | 
854 |     def test_abi_tag(self):
855 |         self.assertDemangles('_Z3fooB5cxx11v', 'foo[abi:cxx11]()')
856 | 
857 |     def test_const(self):
858 |         self.assertDemangles('_ZL3foo', 'foo')
859 | 
860 | 
861 | if __name__ == '__main__':
862 |     import sys
863 |     if len(sys.argv) == 1:
864 |         while True:
865 |             name = sys.stdin.readline()
866 |             if not name:
867 |                 break
868 |             print(parse(name.strip()))
869 |     else:
870 |         for name in sys.argv[1:]:
871 |             ast = parse(name)
872 |             print(repr(ast))
873 |             print(ast)


--------------------------------------------------------------------------------
/ipcserver/unicornhelpers.py:
--------------------------------------------------------------------------------
 1 | import struct
 2 | from cStringIO import StringIO
 3 | 
 4 | from unicorn import *
 5 | from unicorn.arm64_const import *
 6 | 
 7 | import nxo64
 8 | 
 9 | def load_nxo_to_unicorn(uc, f, loadbase):
10 |     for sym in f.symbols:
11 |         if sym.shndx:
12 |             sym.resolved = loadbase + sym.value
13 |         else:
14 |             sym.resolved = 0
15 | 
16 |     resultw = StringIO()
17 |     f.binfile.seek(0)
18 |     resultw.write(f.binfile.read_to_end())
19 | 
20 |     def write_qword(ea, val):
21 |         resultw.seek(ea - loadbase)
22 |         resultw.write(struct.pack('<Q', val))
23 | 
24 |     for offset, r_type, sym, addend in f.relocations:
25 |         ea = loadbase + offset
26 | 
27 |         if r_type == nxo64.R_AARCH64_RELATIVE:
28 |             assert sym is None, 'R_AARCH64_RELATIVE with sym?'
29 |             newval = (loadbase + addend)
30 |             write_qword(ea, newval)
31 |         elif r_type == nxo64.R_AARCH64_JUMP_SLOT or r_type == nxo64.R_AARCH64_GLOB_DAT:
32 |             assert sym is not None
33 |             assert addend == 0
34 |             newval = sym.resolved
35 |             write_qword(ea, newval)
36 |         elif r_type == nxo64.R_AARCH64_ABS64:
37 |             assert sym is not None
38 |             newval = sym.resolved
39 |             if addend != 0:
40 |                 #assert sym.shndx # huge mess if we do this on an extern
41 |                 newval += addend
42 |             write_qword(ea, newval)
43 |         else:
44 |             print 'TODO: r_type=0x%x sym=%r ea=%X addend=%X' % (r_type, sym, ea, addend)
45 |             continue
46 | 
47 |     binary = resultw.getvalue()
48 |     uc.mem_map(loadbase, (max(len(binary),f.bssend) + 0xFFF) & ~0xFFF) 
49 |     uc.mem_write(loadbase, binary)
50 | 
51 | def create_unicorn_arm64(): # enables float
52 | 	mu = Uc(UC_ARCH_ARM64, UC_MODE_ARM)
53 | 
54 | 	addr = 0x1000
55 | 	mu.reg_write(UC_ARM64_REG_X0, 3 << 20)
56 | 	mu.mem_map(addr, 0x1000)
57 | 	fpstartinstrs = '\x41\x10\x38\xd5\x00\x00\x01\xaa\x40\x10\x18\xd5\x40\x10\x38\xd5\xc0\x03\x5f\xd6'
58 | 	mu.mem_write(addr, fpstartinstrs)
59 | 	mu.emu_start(addr, addr+len(fpstartinstrs)-4)
60 | 	mu.mem_unmap(addr, 0x1000)
61 | 
62 | 	return mu
63 | 


--------------------------------------------------------------------------------
/loader/README.md:
--------------------------------------------------------------------------------
 1 | # loader
 2 | 
 3 | I wrote the original version of the ReSwitched loader (https://github.com/reswitched/loaders/ ), but this version has been extended with a number of other features:
 4 | 
 5 | * Support for loading binaries dumped from memory (mostly of historical interest, as we got DMA before we got keys)
 6 | * Improved ELF section identification to get `.hash`, `.gnu.hash`, `.eh_frame_hdr` and (unfortunately, all but the last entry of) `.eh_frame`.
 7 | * Loading the builtin IDA `eh_parse` plugin, which annotates the assembly to show exception handlers (and `; __unwind {` blocks and stuff).
 8 | * Loading multiple files (originally for use with CageTheUnicorn/Mephisto, might work with other emulators, or you could update it for that).
 9 | * SDK "arm64 .plt call rewriting hack". Usually every call in an SDK binary goes via the `.plt`. This is annoying for reversing, so this rewrites every `call` instruction that points to the `.plt` to instead point to the actual target function.
10 | * Experimental "type guessing" (only enabled when ".plt call rewriting hack" is enabled). Usually when IDA sees the mangled symbol `nn::fs::detail::Allocate(u64)` it assumes the type is `nn::fs::detail::Allocate(nn::fs::detail *this, u64)`. In reality `nn::fs::detail` is a namespace (but IDA can't know this, the mangled symbol is the same as if it were a class). These incorrect types can get propagated all over the place by the decompiler. I find any mangled symbols in the `nn` namespace, where the class name would start with a lowercase letter, and provide a guess of the type name without the "this" argument. Results are very promising so far.
11 | 
12 | My personal copy of the loader has always had one or two "experimental" features or changes, like the type guessing described above. I've avoided releasing, because they might cause people problems. But instead I'm just going to aim to keep this repository up to date with whatever version of the loader I'm currently using.
13 | 
14 | (It may also be missing some features of the official loader, like patching support, sorry! It forked off a long time ago and I've just brought over fixes as I've run into issues.)
15 | 
16 | ## Usage
17 | 
18 | Same as https://github.com/reswitched/loaders


--------------------------------------------------------------------------------
/pattern/README.md:
--------------------------------------------------------------------------------
 1 | # pattern
 2 | 
 3 | This is my alternative to FLIRT signatures or Diaphora for symbol porting. It tries to address the shortcomings of FLIRT on arm64. It is comically slow and simple, but generally gets more names (about 75% more in the one test I bothered doing). On the other hand, FLIRT may be superior when using a mismatched `sdk` version, just because it's less careful about checking the code matches exactly. I didn't look into this. There are some false-positives, but I ran into those with FLIRT too. 
 4 | 
 5 | You will need an nnSdk (`sdk`) binary matching the target binary as closely as possible. I have also used it to port symbols from `subsdk` binaries and games (that have symbols for statically linked libraries) to the system software.
 6 | 
 7 | The technique used is simple, and painfully slow, but effective. I didn't want to release this because I've been trying for ages to replace it with a better approach, but it's still the best I've got.
 8 | 
 9 | 
10 | ## Usage
11 | 
12 | First use `makepattern.py` on a file with symbols (usually an `sdk` binary) to generate a pattern file. This may take a few minutes:
13 | 
14 | ```
15 | % time python makepattern.py sdk-0.16.29 > pattern-100.txt
16 | python makepattern.py sdk-0.16.29 > pattern-100.txt  345.02s user 3.12s system 99% cpu 5:48.98 total
17 | % wc -l pattern-100.txt
18 |     6403 pattern-100.txt
19 | ```
20 | 
21 | Then use `applypattern.py` to match the symbols:
22 | 
23 | ```
24 | % time python applypattern.py pattern-100.txt ns-1.0
25 | python applypattern.py pattern-100.txt ns-1.0  27.41s user 0.21s system 99% cpu 27.727 total
26 | % wc -l ns-1.0-sdk-syms.py 
27 |      897 ns-1.0-sdk-syms.py
28 | ```
29 | 
30 | The generated `ns-1.0-sdk-syms.py` is an IDAPython script which is loaded via File -> Script File.
31 | 
32 | `applypattern.py` can run on multiple files, its output is always written to a file of the same name plus the `-sdk-syms.py` suffix. Since it takes 30+ seconds to run, I like to run it ahead of time on every binary, e.g. `python applypattern.py pattern-100.txt 1.0.0/*`
33 | 
34 | 
35 | ## How it works
36 | 
37 | Functions are generally byte-for-byte identical in the nnSdk and the system software statically linked against the same version. The exception is instructions modified by the linker, so we ignore these instructions, and match on everything else in the function.
38 | 
39 | How can we match a pattern where we only care about some of the bytes? Regular expressions.
40 | 
41 | Yes, this tool creates a list of over six thousand regular expressions and runs each, in sequence, across the binary you pass in.
42 | 
43 | I really hate it, but it's been extremely useful. I hope to replace it soon™.
44 | 


--------------------------------------------------------------------------------
/pattern/applypattern.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import re
 3 | import nxo64
 4 | 
 5 | def main(pattern, filename):
 6 | 	f = nxo64.load_nxo(open(filename, 'rb'))
 7 | 
 8 | 	f.binfile.seek(0)
 9 | 	target_text = f.binfile.read(f.textsize)
10 | 
11 | 	rows = eval('[' + open(pattern).read() + ']')
12 | 	with open(filename + '-sdk-syms.py', 'wb') as f:
13 | 
14 | 		f.write('syms = [\n')
15 | 		for value, size, regex, name in rows:
16 | 			#print '(0x%X, 0x%X, %r, %r),' % (sym.value, sym.size, regex, sym.name)
17 | 			positions = [m.start() for m in re.finditer(regex, target_text)]
18 | 			if len(positions) == 1:
19 | 				f.write('(0x%X, %r),\n' % (0x7100000000 + positions[0], name))
20 | 		f.write(''']
21 | 
22 | for addr, sym in syms:
23 | 	oldname = Name(addr)
24 | 	if oldname.startswith('sub_'):
25 | 		MakeName(addr, sym)
26 | 		MakeComm(addr, 'name from regex match')
27 | 	elif oldname.startswith('loc_'):
28 | 		MakeName(addr, sym)
29 | 		MakeComm(addr, 'name from regex match')
30 | 		print '%X %s %s' % (addr, oldname, sym)
31 | 	elif oldname != sym:
32 | 		print '%X %s %s' % (addr, oldname, sym)
33 | ''')
34 | 
35 | 			
36 | if __name__ == '__main__':
37 | 	if len(sys.argv) < 2:
38 | 		print 'usage: applypattern.py pattern.txt [nxo files...]'
39 | 		print 'writes output to input filename + "-sdk-syms.py"'
40 | 	for filename in sys.argv[2:]:
41 | 		main(sys.argv[1], filename)
42 | 


--------------------------------------------------------------------------------
/pattern/makepattern.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import struct
 3 | 
 4 | from nxo64 import load_nxo, STT_FUNC
 5 | import arm64
 6 | 
 7 | def main(filenames):
 8 | 	import re
 9 | 
10 | 	with open(filenames[0], 'rb') as li:
11 | 		f = load_nxo(li)
12 | 
13 | 	f.binfile.seek(0)
14 | 	textstr = f.binfile.read(f.textsize)
15 | 
16 | 
17 | 	important = set()
18 | 	for sym in f.symbols:
19 | 		if sym.type != STT_FUNC: continue
20 | 		if sym.shndx and sym.value and sym.size:
21 | 			adrp_regs = set()
22 | 			mask = [0xFFFFFFFF for i in range(0, sym.size, 4)]
23 | 
24 | 
25 | 			f.binfile.seek(sym.value)
26 | 			instrs = [f.binfile.read('I') for i in range(0, sym.size, 4)]
27 | 
28 | 			for i, instr in enumerate(instrs):
29 | 				if arm64.is_ADRP_only_pcreladdr(instr):
30 | 					mask[i] &= ~((0x7FFFF << 5) | (3 << 29))
31 | 					adrp_regs.add(arm64.get_Rd(instr))
32 | 
33 | 				if arm64.is_branch_imm(instr):
34 | 					target = (i + arm64.get_imm26_s(instr)) * 4 
35 | 					if target < 0 or target >= sym.size:
36 | 						mask[i] &= ~0x3FFFFFF
37 | 
38 | 			if adrp_regs:
39 | 				for i, instr in enumerate(instrs):
40 | 					if arm64.is_ADD_64_addsub_imm(instr):
41 | 						mask[i] &= ~(0xFFF << 10)
42 | 
43 | 					# not sure if valid, would fail on adrp / mov / add
44 | 					if arm64.is_ldst_pos(instr):
45 | 						if arm64.get_Rn(instr) in adrp_regs:
46 | 							mask[i] &= ~(0xFFF << 10)
47 | 
48 | 			mask_str = ''.join(struct.pack('<I', m) for m in mask)
49 | 			bits = ''.join(struct.pack('<I', i&m) for i,m in zip(instrs, mask))
50 | 			regex = ''.join((re.escape(i) if m == '\xFF' else r'[\0-\xff]') for i, m in zip(bits, mask_str))
51 | 
52 | 			positions = [m.start() for m in re.finditer(regex, textstr)]
53 | 			assert len(positions) >= 1, hex(sym.value + 0x7100000000)
54 | 			if len(positions) > 1:
55 | 				pass
56 | 
57 | 			if len(positions) == 1: # probably good?
58 | 				print '(0x%X, 0x%X, %r, %r),' % (sym.value, sym.size, regex, sym.name)
59 | 
60 | 
61 | if __name__ == '__main__':
62 | 	main(sys.argv[1:])
63 | 


--------------------------------------------------------------------------------
/swipc-gen/README.md:
--------------------------------------------------------------------------------
 1 | # How to use for a new version
 2 | 
 3 | *Step 1:* Extract all the sysmodule NSO and KIP files, using their name as their filename. Extract all the applet NSOs to a separate directory:
 4 | 
 5 | ```
 6 | % ls 7.0.0-5.0
 7 | Bus             boot            erpt            grc             ncm             nvservices      psc             spl
 8 | LogManager.Prod boot2.ProdBoot  es              hid             nfc             olsc            ptm             ssl
 9 | account         bsdsocket       eupld           jpegdec         nifm            pcie.withoutHb  ro              tma.stub
10 | am              btm             fatal           lbl             nim             pctl            safemode        usb
11 | audio           capsrv          friends         ldn             npns            pcv             sdb             vi
12 | bcat            creport         fs              ldr             ns              pm              settings        wlan
13 | bluetooth       eclct           glue            migration       nvnflinger      ppc             sm
14 | % ls 7.0.0-5.0-applets 
15 | LibAppletAuth   LibAppletShop   cabinet         error           myPage          photoViewer     starter
16 | LibAppletLns    LibAppletWeb    controller      maintenance     netConnect      playerSelect    swkbd
17 | LibAppletOff    auth            dataErase       miiEdit         overlayDisp     qlaunch
18 | ```
19 | 
20 | *Step 2:* Update `hashes_gen.py` by running `generatehashes.py` on both sysmodules and applets. If you have an nnSdk binary matching the version you should include it as well. This may take several minutes.
21 | 
22 | ```
23 | % time python generatehashes.py 7.0.0-5.0/* 7.0.0-5.0-applets/*
24 | doing '7.0.0-5.0/Bus'...
25 | doing '7.0.0-5.0/LogManager.Prod'...
26 | doing '7.0.0-5.0/account'...
27 | TODO: UcError:  Unhandled CPU exception (UC_ERR_EXCEPTION)
28 | [snip]
29 | doing '7.0.0-5.0-applets/starter'...
30 | TODO: UcError:  Unhandled CPU exception (UC_ERR_EXCEPTION)
31 | TODO: UcError:  Unhandled CPU exception (UC_ERR_EXCEPTION)
32 | TODO: UcError:  Unhandled CPU exception (UC_ERR_EXCEPTION)
33 | TODO: UcError:  Unhandled CPU exception (UC_ERR_EXCEPTION)
34 | bad 24565 90100
35 | bad 24565 90100
36 | doing '7.0.0-5.0-applets/swkbd'...
37 | TODO: UcError:  Unhandled CPU exception (UC_ERR_EXCEPTION)
38 | TODO: UcError:  Unhandled CPU exception (UC_ERR_EXCEPTION)
39 | TODO: UcError:  Unhandled CPU exception (UC_ERR_EXCEPTION)
40 | TODO: UcError:  Unhandled CPU exception (UC_ERR_EXCEPTION)
41 | bad 24565 90100
42 | python generatehashes.py 7.0.0-5.0/* 7.0.0-5.0-applets/*  182.18s user 14.90s system 99% cpu 3:17.64 total
43 | 
44 | % python
45 | >>> from hashes_gen import all_hashes
46 | >>> len(all_hashes)
47 | 248
48 | ```
49 | 
50 | (The errors printed are normal, I hope they'll only cause missing names.)
51 | 
52 | *Step 3:* Run `ipcserver.py` on the sysmodules (now takes only about 15 seconds for everything, assuming you decompress the NSOs with hactool first!)
53 | 
54 | ```
55 | % time python ipcserver.py 7.0.0-5.0/* > data700.py
56 | python ipcserver.py 7.0.0-5.0/* > data700.py  14.36s user 0.39s system 98% cpu 15.024 total
57 | ```
58 | 
59 | The output should start something like this, with some names missing but others recovered. The `hash:` comments suggest possible names when there are multiple hits for a single hash.
60 | 
61 | ```
62 | # 7.0.0-5.0/Bus
63 | # hash:  0x710000C690 ['nn::visrv::sf::IApplicationRootService', 'nn::sasbus::IManager', 'nn::fan::detail::IManager', 'nn::mii::detail::IStaticService']
64 | # hash:  0x710002AFD0 ['nn::visrv::sf::IApplicationRootService', 'nn::sasbus::IManager', 'nn::fan::detail::IManager', 'nn::mii::detail::IStaticService']
65 | 'Bus': {
66 |   '0x710000C690': {
67 |     0:      {"inbytes":     4, "outbytes":     0, "outinterfaces": ['0x710000C9C0']},
68 |   },
69 |   '0x710000C9C0': {
70 |     0:      {"inbytes":     4, "outbytes":     0},
71 |     1:      {"inbytes":     0, "outbytes":     4},
72 |     2:      {"inbytes":     4, "outbytes":     0},
73 |   },
74 |   'nn::sf::hipc::detail::IHipcManager': {
75 |     0:      {"inbytes":     0, "outbytes":     4},
76 |     1:      {"inbytes":     4, "outbytes":     0, "outhandles": [2]},
77 |     2:      {"inbytes":     0, "outbytes":     0, "outhandles": [2]},
78 |     3:      {"inbytes":     0, "outbytes":     2},
79 |     4:      {"inbytes":     4, "outbytes":     0, "outhandles": [2]},
80 |   },
81 |   'nn::gpio::IManager': {
82 |     0:      {"inbytes":     4, "outbytes":     0, "outinterfaces": ['nn::gpio::IPadSession']},
83 |     1:      {"inbytes":     4, "outbytes":     0, "outinterfaces": ['nn::gpio::IPadSession']},
84 |     2:      {"inbytes":     4, "outbytes":     0, "outinterfaces": ['nn::gpio::IPadSession']},
85 |     6:      {"inbytes":     4, "outbytes":     0},
86 |     7:      {"inbytes":     8, "outbytes":     0, "outinterfaces": ['nn::gpio::IPadSession']},
87 |     8:      {"inbytes":     4, "outbytes":     1},
88 |     9:      {"inbytes":     8, "outbytes":     0},
89 |     10:     {"inbytes":     8, "outbytes":     0},
90 |   },
91 | ```
92 | 
93 | *Step 4:* Add the `data700 = {` and `}` lines to the start and end of the resulting `.py` file, and clean up manually by comparing with the previous version by hand, and reversing where necessary. Diff with the previous version and read through it to find cases where the wrong name has been used.
94 | 


--------------------------------------------------------------------------------
/swipc-gen/demangling.py:
--------------------------------------------------------------------------------
  1 | import subprocess
  2 | import itanium_demangler
  3 | import sys
  4 | 
  5 | CHECK_CXX_FILT = False
  6 | 
  7 | def itanium_demangle_filter(s):
  8 | 	if s.startswith('N'):
  9 | 		s = 'Z' + s
 10 | 	if not s.startswith('_'):
 11 | 		s = '_' + s
 12 | 	return s
 13 | 
 14 | def itanium_demangle(s):
 15 | 	python_result = itanium_demangler.parse(itanium_demangle_filter(s))
 16 | 	if python_result is not None:
 17 | 		python_result = str(python_result)
 18 | 	return python_result
 19 | 
 20 | demangle_cache = {}
 21 | def get_demangled(s):
 22 | 	if s not in demangle_cache:
 23 | 		#python_result = itanium_demangle(s)
 24 | 		#if python_result is None:
 25 | 		#	#print 'demangler failed:', repr(s)
 26 | 		#	python_result = s
 27 | 		demangle_cache[s] = subprocess.check_output(['c++filt', '-n', s]).strip()
 28 | 		#if CHECK_CXX_FILT:
 29 | 		#	value = subprocess.check_output(['c++filt', '-n', s]).strip()
 30 | 		#	if python_result != value:
 31 | 		#		sys.stderr.write('\n')
 32 | 		#		sys.stderr.write('mangled: %r\n' % s)
 33 | 		#		sys.stderr.write('python:  %r\n' % python_result)
 34 | 		#		sys.stderr.write('c++filt: %r\n' % value)
 35 | 	return demangle_cache[s]
 36 | 
 37 | class Demangler(object):
 38 | 	def __init__(self, name):
 39 | 		print name
 40 | 		self.pos = 0
 41 | 		self.name = name
 42 | 
 43 | 	def peek(self):
 44 | 		return self.name[self.pos]
 45 | 	
 46 | 	def getchar(self):
 47 | 		self.pos += 1
 48 | 		return self.name[self.pos-1]
 49 | 
 50 | 	def getchars(self, n):
 51 | 		return ''.join(self.getchar() for i in xrange(n))
 52 | 
 53 | 	def read_string_length(self):
 54 | 		assert self.peek().isdigit()
 55 | 		l = ''
 56 | 		while self.peek().isdigit():
 57 | 			l += self.getchar()
 58 | 		return int(l)
 59 | 
 60 | 	def read_string(self):
 61 | 		l = self.read_string_length()
 62 | 		return self.getchars(l)
 63 | 
 64 | 	def read_template(self):
 65 | 		assert self.getchar() == 'I'
 66 | 		parts = []
 67 | 		while self.peek() != 'E':
 68 | 			print 'read_template:', self.name[self.pos:]
 69 | 			parts.append(self.parse())
 70 | 			print 'read_template:', parts
 71 | 		assert self.getchar() == 'E'
 72 | 		return '<%s>' % ', '.join(parts)
 73 | 
 74 | 	def read_name(self):
 75 | 		assert self.getchar() == 'N'
 76 | 		parts = []
 77 | 		while self.peek() != 'E':
 78 | 			parts.append(self.parse())
 79 | 			print 'read_name:', parts
 80 | 		assert self.getchar() == 'E'
 81 | 		return '::'.join(parts)
 82 | 
 83 | 	def parse_backref(self):
 84 | 		assert self.getchar() == 'S'
 85 | 		backref = ''
 86 | 		while self.peek() != '_':
 87 | 			if not self.peek().isdigit():
 88 | 				print 'TODO in parse_back_ref: %r (%r)' % (self.peek(), self.name[self.pos:])
 89 | 				return ''
 90 | 			backref += self.getchar()
 91 | 		assert self.getchar() == '_'
 92 | 		result = 'BACKREF_%s_TODO' % backref
 93 | 		print 'parse_backref:', result
 94 | 		return result
 95 | 
 96 | 	def parse_literal(self):
 97 | 		assert self.getchar() == 'L'
 98 | 		kind = self.parse()
 99 | 		#print 'TODO in parse_back_ref: %r (%r)' % (self.peek(), self.name[self.pos:])
100 | 		value = self.read_string_length()
101 | 		assert self.getchar() == 'E'
102 | 		return '(%s)%d' % (kind, value)
103 | 
104 | 
105 | 
106 | 	def parse(self):
107 | 		c = self.peek()
108 | 		if c == 'N':
109 | 			return self.read_name()
110 | 		elif c == 'I':
111 | 			return self.read_template()
112 | 		elif c == 'S':
113 | 			return self.parse_backref()
114 | 		elif c == 'L':
115 | 			return self.parse_literal()
116 | 		elif c.isdigit():
117 | 			return self.read_string()
118 | 		else:
119 | 			print 'TODO in parse: %r (%r)' % (self.peek(), self.name[self.pos:])
120 | 			return self.getchar()
121 | 
122 | 
123 | def main():
124 | 	tests = [
125 | 		('N2nn2sf4cmif6server22CmifDomainServerObject23CmifDomainServerMessageE',
126 | 		 'nn::sf::cmif::server::CmifDomainServerObject::CmifDomainServerMessage'),
127 | 		('N2nn2sf4cmif6client6detail13CmifProxyImplINS_8settings22IFactorySettingsServerENS0_4hipc6client18Hipc2ProxyKindBaseILNS7_6detail11MessageTypeE4EEENS0_25StatelessAllocationPolicyINS0_22ExpHeapStaticAllocatorILm16384ES6_EEEES6_EE',
128 | 		 'nn::sf::cmif::client::detail::CmifProxyImpl<nn::settings::IFactorySettingsServer, nn::sf::hipc::client::Hipc2ProxyKindBase<(nn::sf::hipc::detail::MessageType)4>, nn::sf::StatelessAllocationPolicy<nn::sf::ExpHeapStaticAllocator<16384ul, nn::settings::IFactorySettingsServer> >, nn::settings::IFactorySettingsServer>'),
129 | 		('N2nn2sf4hipc6client12_GLOBAL__N_119HipcManagerAccessorE',
130 | 		 'nn::sf::hipc::client::(anonymous namespace)::HipcManagerAccessor'),
131 | 		('_ZTVN2nn5fssrv35MemoryResourceFromStandardAllocatorE',
132 | 		 'vtable for nn::fssrv::MemoryResourceFromStandardAllocator'),
133 | 		('_ZN2nn7nlibsdk4heap12TlsHeapCache17ReallocFunc_Mode0INSt3__117integral_constantIbLb1EEEEEiPS2_PvmPS8_',
134 | 		 'int nn::nlibsdk::heap::TlsHeapCache::ReallocFunc_Mode0<std::__1::integral_constant<bool, true> >(nn::nlibsdk::heap::TlsHeapCache*, void*, unsigned long, void**)'),
135 | 		('_ZN2nn2gc6detail11AsicHandlerD2Ev',
136 | 		 'nn::gc::detail::AsicHandler::~AsicHandler()'),
137 | 		('_ZN3nne7prfile224PFCODE_CP932_Unicode2OEMEPKtPa',
138 | 		 'nne::prfile2::PFCODE_CP932_Unicode2OEM(unsigned short const*, signed char*)'),
139 | 	]
140 | 
141 | 	d = Demangler('N2nn2sf4cmif6server22CmifDomainServerObject23CmifDomainServerMessageE')
142 | 	print d.read_name()
143 | 
144 | 	d = Demangler('N2nn2sf4hipc6client12_GLOBAL__N_119HipcManagerAccessorE')
145 | 	print d.read_name()
146 | 
147 | 	d = Demangler('N2nn2sf4cmif6client6detail13CmifProxyImplINS_8settings22IFactorySettingsServerENS0_4hipc6client18Hipc2ProxyKindBaseILNS7_6detail11MessageTypeE4EEENS0_25StatelessAllocationPolicyINS0_22ExpHeapStaticAllocatorILm16384ES6_EEEES6_EE')
148 | 	print d.read_name()
149 | 
150 | if __name__ == '__main__':
151 | 	main()
152 | 


--------------------------------------------------------------------------------
/swipc-gen/generatehashes.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import struct
  3 | 
  4 | from unicorn import *
  5 | from unicorn.arm64_const import *
  6 | from capstone import *
  7 | 
  8 | import nxo64
  9 | from ipcclient import iter_vtables_in_nxo, demangle
 10 | 
 11 | from unicornhelpers import load_nxo_to_unicorn, create_unicorn_arm64
 12 | 
 13 | class Simulator(object):
 14 |     def __init__(self, f, verbose=False):
 15 |         self.verbose = verbose
 16 |         self.uc = uc = create_unicorn_arm64()
 17 |         uc.hook_add(UC_HOOK_CODE, self.hook_code)
 18 | 
 19 |         self.loadbase = 0x7100000000
 20 |         self.return_magic = 0xAA00000000
 21 |         uc.mem_map(self.return_magic, 0x1000)
 22 |         load_nxo_to_unicorn(uc, f, self.loadbase)
 23 | 
 24 |         stack = 0x100000000
 25 |         stack_size = 0x2000
 26 |         uc.mem_map(stack, stack_size)
 27 |         self.stack_top = stack
 28 |         self.stack_base = stack + stack_size
 29 | 
 30 |         self.mem = mem = 0x200000000
 31 |         mem_size = 0x5000
 32 |         uc.mem_map(mem, mem_size)
 33 | 
 34 |         self.tls = 0x300000000
 35 |         tls_size = 0x1000
 36 |         uc.mem_map(self.tls, tls_size)
 37 |         uc.mem_write(self.tls + 0x1f8, struct.pack('<Q', self.tls))
 38 | 
 39 |         self.heap = heap = 0x400000000
 40 |         self.heap_size = heap_size = 0x4000
 41 |         uc.mem_map(heap, heap_size)
 42 |         self.heap_ptr = heap
 43 | 
 44 |         self.stack_args = 6
 45 |         self.arg_scratch = 0x10000000
 46 |         self.arg_scratch_size = (9+self.stack_args) * 0x1000
 47 |         uc.mem_map(self.arg_scratch, self.arg_scratch_size)
 48 | 
 49 |         hax_code_ptr = 0x500000000
 50 |         hax_code_size = 0x1000
 51 |         uc.mem_map(hax_code_ptr, hax_code_size)
 52 |         uc.mem_write(hax_code_ptr, struct.pack('<II', 0xd65f03c0, 0xd65f03c0)) #0xd65f03c0))
 53 | 
 54 |         self.ret_instruction_ptr = hax_code_ptr # self.loadbase + 0x15C
 55 |         self.alloc_instruction_ptr = hax_code_ptr + 4 # self.loadbase + 0x15C
 56 | 
 57 |         uc.mem_write(mem, ''.join(struct.pack('<I', 0x41000000 + (i<<16)) for i in range(64)))
 58 |         uc.mem_write(mem + 0x1000, ''.join(struct.pack('<I', 0x42000000 + (i<<16)) for i in range(64)))
 59 |         uc.mem_write(mem + 0x2000, ''.join(struct.pack('<I', 0x43000000 + (i<<16)) for i in range(64)))
 60 |         uc.mem_write(mem + 0x3000, ''.join(struct.pack('<I', 0x44000000 + (i<<16)) for i in range(64)))
 61 |         uc.mem_write(mem + 0x4000, ''.join(struct.pack('<I', 0x45000000 + (i<<16)) for i in range(64)))
 62 | 
 63 |         uc.mem_write(mem + 8, struct.pack('<Q', 0x0101010101010101))
 64 |         uc.mem_write(mem + 0x10, struct.pack('<Q', mem + 0x1000))
 65 |         uc.mem_write(mem + 0x1000, struct.pack('<Q', mem + 0x2000))
 66 |         uc.mem_write(mem + 0x2000, struct.pack('<Q', self.ret_instruction_ptr))
 67 |         uc.mem_write(mem + 0x2008, struct.pack('<Q', self.ret_instruction_ptr))
 68 |         uc.mem_write(mem + 0x2010, struct.pack('<Q', self.ret_instruction_ptr))
 69 | 
 70 |         uc.mem_write(mem + 0x20, struct.pack('<Q', mem + 0x3000))
 71 |         uc.mem_write(mem + 0x30, struct.pack('<Q', mem + 0x3000))
 72 |         uc.mem_write(mem + 0x3000, struct.pack('<Q', mem + 0x4000))
 73 |         uc.mem_write(mem + 0x4000 + 0x10, struct.pack('<Q', self.alloc_instruction_ptr))
 74 | 
 75 |         self.malloc_funcs = {
 76 |             self.alloc_instruction_ptr: UC_ARM64_REG_X1,
 77 |         }
 78 |         # free funcs and mutex lock/unlock
 79 |         self.skip_funcs = []
 80 | 
 81 |         self.current_run = None
 82 | 
 83 |         if False:
 84 |             uc.hook_add(UC_HOOK_MEM_READ, self.hook_mem_read)
 85 |             uc.hook_add(UC_HOOK_MEM_WRITE, self.hook_mem_write)
 86 | 
 87 |     def hook_mem_read(self, uc, e, addr, sz, *args):
 88 |         #print 'hook_mem_read:', hex(addr), sz
 89 |         if self.arg_scratch <= addr < self.arg_scratch + self.arg_scratch_size:
 90 |             print 'read from arg:', ((addr - self.arg_scratch) / 0x1000) + 1, '@ + 0x%X-0x%X' % (addr & 0xFFF, (addr & 0xFFF) + sz)
 91 | 
 92 |     def hook_mem_write(self, uc, e, addr, sz, *args):
 93 |         #print 'hook_mem_read:', hex(addr), sz
 94 |         if self.arg_scratch <= addr < self.arg_scratch + self.arg_scratch_size:
 95 |             print 'write to arg:', ((addr - self.arg_scratch) / 0x1000) + 1, '@ + 0x%X-0x%X' % (addr & 0xFFF, (addr & 0xFFF) + sz)
 96 | 
 97 | 
 98 |     def dump_regs(self, uc):
 99 |         values = []
100 |         for i in range(28):
101 |             values.append(('X%d' % i, uc.reg_read(UC_ARM64_REG_X0+i)))
102 |         values.append(('X29', uc.reg_read(UC_ARM64_REG_X29)))
103 |         values.append(('X30', uc.reg_read(UC_ARM64_REG_X30)))
104 |         values.append(('SP', uc.reg_read(UC_ARM64_REG_SP)))
105 |         values.append(('PC', uc.reg_read(UC_ARM64_REG_PC)))
106 |         print '', ', '.join('%s=%X' % i for i in values)
107 | 
108 |     def dump_state(self, uc, pc):
109 |         md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
110 |         i = md.disasm(str(uc.mem_read(pc, 4)), pc).next()
111 |         print " " + "_" * 80
112 |         print " instruction @ 0x%X: %7s %s" % (pc, i.mnemonic, i.op_str)
113 |         self.dump_regs(uc)
114 | 
115 |     def hook_code(self, uc, address, size, user_data):
116 |         if address == self.return_magic:
117 |             uc.emu_stop()
118 |             return
119 |         if self.verbose:
120 |             self.dump_state(uc, address)
121 |         instr = struct.unpack('<I', uc.mem_read(address, 4))[0]
122 | 
123 | 
124 |         if 0xD53BD060 <= instr <= 0xd53bd07e: # mov x?, tls
125 |             uc.reg_write(UC_ARM64_REG_X0 + (instr-0xD53BD060), self.tls)
126 |             uc.reg_write(UC_ARM64_REG_PC, address+4)
127 |         if instr == 0xd4000421: # svc 0x22
128 |             if self.current_run is not None:
129 |                self.current_run.ipcbuf = self.read(self.tls, 0x100)
130 |             uc.emu_stop()
131 |             return
132 |             #uc.reg_write(UC_ARM64_REG_X0, 0)
133 |             #uc.reg_write(UC_ARM64_REG_PC, address+4)
134 |         if instr & (0b111111 << 26) == (0b100101 << 26):
135 |             self.check_bl_for_malloc(uc)
136 |             self.check_bl_for_WriteBufferDataImpl(uc)
137 |             self.check_bl_for_bad_mutex(uc)
138 |             
139 | 
140 |         if address in self.malloc_funcs:
141 |             size_reg = self.malloc_funcs[address]
142 |             size = uc.reg_read(size_reg)
143 |             out = self.heap_ptr
144 |             self.heap_ptr += (size + 0xF) & ~0xF
145 |             #print ' malloc hook (0x%X) -> 0x%X' % (size, out)
146 |             uc.reg_write(UC_ARM64_REG_X0, out)
147 |             uc.reg_write(UC_ARM64_REG_PC, uc.reg_read(UC_ARM64_REG_X30))
148 |         if address in self.skip_funcs:
149 |             uc.reg_write(UC_ARM64_REG_PC, uc.reg_read(UC_ARM64_REG_X30))
150 | 
151 |     def check_bl_for_bad_mutex(self, uc):
152 |         if uc.reg_read(UC_ARM64_REG_X0) == 0x200003008:
153 |             #print 'SKIPPING MUTEX'
154 |             uc.reg_write(UC_ARM64_REG_PC, uc.reg_read(UC_ARM64_REG_PC) + 4)
155 | 
156 | 
157 |     def check_bl_for_malloc(self, uc):
158 |         self.bl_count += 1
159 |         if self.verbose:
160 |             print 'BL COUNT ', self.bl_count, uc.reg_read(UC_ARM64_REG_X0), uc.reg_read(UC_ARM64_REG_X1)
161 |         if self.bl_count == 2 and uc.reg_read(UC_ARM64_REG_X0) in (0x20, 0x30, 0x38):
162 |             #print 'MATCHED MALLOC'
163 |             size = uc.reg_read(UC_ARM64_REG_X0)
164 |             out = self.heap_ptr
165 |             self.heap_ptr += (size + 0xF) & ~0xF
166 |             uc.reg_write(UC_ARM64_REG_X0, out)
167 |             uc.reg_write(UC_ARM64_REG_PC, uc.reg_read(UC_ARM64_REG_PC) + 4)
168 |         elif self.bl_count == 4 and uc.reg_read(UC_ARM64_REG_X1) in (0x20, 0x30, 0x38) and uc.reg_read(UC_ARM64_REG_X0) in (0, 0x200004000):
169 |             #print 'MATCHED AllocateFromExpHeap'
170 |             size = uc.reg_read(UC_ARM64_REG_X1)
171 |             out = self.heap_ptr
172 |             self.heap_ptr += (size + 0xF) & ~0xF
173 |             uc.reg_write(UC_ARM64_REG_X0, out)
174 |             uc.reg_write(UC_ARM64_REG_PC, uc.reg_read(UC_ARM64_REG_PC) + 4)
175 | 
176 | 
177 |     def check_bl_for_WriteBufferDataImpl(self, uc):
178 |         #  nn::sf::hipc::client::Hipc2ClientCoreProcessorImpl::WriteBufferDataImpl
179 |         # nn::sf::hipc::detail::HipcMessageWriter *
180 |         arg0 = uc.reg_read(UC_ARM64_REG_X0)
181 |         if arg0 < self.stack_top or arg0 > self.stack_base:
182 |             return
183 |         # int
184 |         arg1 = uc.reg_read(UC_ARM64_REG_X1) & 0xFFFFFFFF
185 |         if arg1 == 0 or arg1 > 32:
186 |             return
187 |         # nn::sf::detail::PointerAndSize const*
188 |         arg2 = uc.reg_read(UC_ARM64_REG_X2)
189 |         if arg2 < self.stack_top or arg2 > self.stack_base:
190 |             return
191 |         # int const*
192 |         arg3 = uc.reg_read(UC_ARM64_REG_X3)
193 |         if arg3 < self.stack_top or arg3 > self.stack_base:
194 |             return
195 |         # unsigned long
196 |         arg4 = uc.reg_read(UC_ARM64_REG_X4)
197 |         if arg4 > 0xFFFF:
198 |             return
199 |         # unsigned long
200 |         arg5 = uc.reg_read(UC_ARM64_REG_X5)
201 |         if arg5 > 0x1000:
202 |             return
203 | 
204 |         if self.current_run is not None:
205 |             self.current_run.buffers = [self.dword(arg3 + i*4) for i in xrange(arg1)]
206 | 
207 |         uc.reg_write(UC_ARM64_REG_X4, 0xF000)
208 | 
209 | 
210 |     def _do_call(self, func, arg0):
211 |         self.heap_ptr = self.heap
212 |         self.bl_count = 0
213 |         self.uc.mem_write(self.heap, '\0' * self.heap_size)
214 |         self.uc.mem_write(self.arg_scratch, '\0' * self.arg_scratch_size)
215 |         self.uc.mem_write(self.tls, '\0' * 0x100)
216 | 
217 |         self.uc.reg_write(UC_ARM64_REG_SP, self.stack_base-(self.stack_args*8))
218 |         self.uc.reg_write(UC_ARM64_REG_X0, arg0)
219 |         self.uc.reg_write(UC_ARM64_REG_X30, self.return_magic)
220 | 
221 |         for i in range(1, 9+self.stack_args):
222 |             arg = self.arg_scratch + (i-1) * 0x1000
223 |             self.uc.mem_write(arg, struct.pack('<Q', arg + 0x800))
224 |             self.uc.mem_write(arg + 0x800, struct.pack('<Q', self.mem + 0x2000))
225 |             if i < 9:
226 |                 self.uc.reg_write(UC_ARM64_REG_X0+i, arg)
227 |             else:
228 |                 i -= 9
229 |                 ap = self.stack_base-(self.stack_args*8) + i*8
230 |                 self.uc.mem_write(ap, struct.pack('<Q', arg))
231 | 
232 |         try:
233 |             self.uc.emu_start(self.loadbase + func, 0)
234 |         except UcError as e:
235 |             print 'TODO: UcError (around 0x%X): %s' %  (self.uc.reg_read(UC_ARM64_REG_PC), e)
236 | 
237 |     def call(self, func, arg0):
238 |         assert self.current_run is None
239 |         run = RunData()
240 |         self.current_run = run
241 |         self._do_call(func, arg0)
242 |         self.current_run = None
243 |         return run
244 | 
245 |     def read(self, addr, size):
246 |         return self.uc.mem_read(addr, size).decode('latin-1').encode('latin-1')
247 | 
248 |     def qword(self, addr):
249 |         return struct.unpack('<Q', self.uc.mem_read(addr, 8))[0]
250 |     def dword(self, addr):
251 |         return struct.unpack('<I', self.uc.mem_read(addr, 4))[0]
252 | 
253 | class RunData(object):
254 |     def __init__(self):
255 |         self.buffers = []
256 |         self.ipcbuf = None
257 | 
258 | def pretty_hex(v):
259 |     assert v >= 0
260 |     if v < 10:
261 |         return '%d' % v
262 |     return '0x%X' % v
263 | 
264 | all_hashes = {}
265 | 
266 | import hashlib
267 | def sim_filename(fname):
268 |     with open(fname, 'rb') as fileobj:
269 |         f = nxo64.load_nxo(fileobj)
270 | 
271 |     if 0:
272 |         sim = Simulator(f, True)
273 |     else:
274 |         sim = Simulator(f, False)
275 | 
276 |     for vtable in iter_vtables_in_nxo(f):
277 |         ## blacklist some things which abort because idk what to do atm
278 |         #if 'nn::am::service::IApplicationAccessor' in vtable.interface: continue
279 |         #if 'nn::am::service::IAppletAccessor' in vtable.interface: continue
280 |         #if 'nn::am::service::ILibraryAppletAccessor' in vtable.interface: continue
281 | 
282 |         if 'IUnknown_' in vtable.interface:
283 |             continue # skip anything we can't name
284 | 
285 |         display = False # 'IUnknown_' in vtable.interface
286 |         if display:
287 |             print
288 |             print vtable.interface
289 |             print '=' * len(vtable.interface)
290 |         else:
291 |             pass
292 |             print vtable.interface
293 |         
294 |         hash_code = ''
295 |         prior_rets = {}
296 |         for entry in vtable.entries:
297 |             #print '%r (%x)' % (entry.cmd, 0x7100000000+ entry.funcptr)
298 |             if entry.cmd is None: continue
299 | 
300 |             run_data = sim.call(entry.funcptr, sim.mem)
301 |             ipcbuf = run_data.ipcbuf
302 |             buffers = run_data.buffers
303 | 
304 |             if False:
305 |                 for addr in range(sim.arg_scratch, sim.arg_scratch + sim.arg_scratch_size - 0x1000, 0x1000):
306 |                     val = sim.qword(addr)
307 |                     if val != addr + 0x800:
308 |                         print 'value in arg', ((addr - sim.arg_scratch) / 0x1000) + 1, hex(val)
309 | 
310 |             parts = []
311 | 
312 | 
313 |             if buffers:
314 |                 parts.append('buffers types ' + ', '.join(map(pretty_hex, buffers)))
315 | 
316 |             if ipcbuf is None:
317 |                 continue
318 |             assert ipcbuf is not None
319 |             assert ipcbuf.count('SFCI') == 1
320 | 
321 |             w0, w1 = struct.unpack_from('<II', ipcbuf, 0)
322 |             #print hex(w0)
323 |             assert (w0 & 0xFFFF) in (4, 6)
324 |             x_count = (w0 >> 16) & 0xF
325 |             a_count = (w0 >> 20) & 0xF
326 |             b_count = (w0 >> 24) & 0xF
327 |             w_count = (w0 >> 28)
328 |             assert not w_count
329 | 
330 |             inline_data_length = (w1 & 0x3FF) * 4
331 |             aligned_data_length = inline_data_length - 0x10
332 |             has_handle_desc = (w1 >> 31) == 1
333 |             header_words = 2
334 |             if has_handle_desc:
335 |                 w2 = struct.unpack_from('<I', ipcbuf, header_words * 4)[0]
336 |                 header_words += 1
337 | 
338 |                 has_pid = (w2 & 1) == 1
339 |                 copy_count = (w2 >> 1) & 0xf
340 |                 move_count = (w2 >> 5) & 0xf
341 |                 if has_pid:
342 |                     header_words += 2
343 |                     parts.append('send pid')
344 |                     #print ' has pid'
345 |                 if copy_count: parts.append('%d copied handles in' % copy_count)
346 |                 if move_count: parts.append('%d moved handles in' % move_count) # print ' move_count', move_count
347 |                 header_words += copy_count + move_count
348 | 
349 |             header_words += x_count * 2 + a_count * 3 + b_count * 3
350 | 
351 |             while header_words & 3:
352 |                 header_words += 1
353 | 
354 |             data = ipcbuf[header_words*4:header_words*4+aligned_data_length]
355 |             assert data[0:4] == 'SFCI' or data[0x10:0x14] == 'SFCI'
356 |             if data[0x10:0x14] == 'SFCI':
357 |                 in_objects = struct.unpack_from('B', data, 1)[0]
358 |                 if in_objects:
359 |                     parts.append('%d in objects' % in_objects)
360 |                     #print ' in_objects:', in_objects
361 |                 in_size_exact = struct.unpack_from('H', data, 2)[0]
362 |                 in_size = in_size_exact - 0x10
363 |                 parts.append('%s bytes in' % pretty_hex(in_size))
364 |             else:
365 |                 in_size = len(data) - 0x10
366 |                 if len(data) == 0x10:
367 |                     parts.append('0 bytes in')
368 |                 else:
369 |                     parts.append('~%s bytes in' % pretty_hex(in_size))
370 | 
371 |             if entry.cmd != struct.unpack_from('<Q', data, data.index('SFCI') + 8)[0]:
372 |                 print 'bad', entry.cmd, struct.unpack_from('<Q', data, data.index('SFCI') + 8)[0], hex(entry.funcptr)
373 |                 entry.cmd = struct.unpack_from('<Q', data, data.index('SFCI') + 8)[0]
374 | 
375 |             out_obj = struct.unpack('<Q', sim.uc.mem_read(sim.heap, 8))[0]
376 |             if not out_obj:
377 |                 assert sim.heap_ptr == sim.heap
378 |             suffix = ''
379 |             if out_obj:
380 |                 rtti = sim.qword(out_obj-8)
381 |                 if rtti > sim.loadbase:
382 |                     name = sim.read(sim.qword(rtti+8), 512)
383 |                     while '\0' not in name:
384 |                         name += sim.read(sim.qword(rtti+8) + len(name), 512)
385 |                     name = name[:name.index('\0')]
386 | 
387 |                     out_obj_name = demangle(name)
388 |                 elif out_obj - sim.loadbase - 16 in f.addr_to_name:
389 |                     out_obj_name = demangle(f.addr_to_name[out_obj - sim.loadbase - 16])
390 |                 else:
391 |                     out_obj_name = 'unk_0x%X' % out_obj
392 |                 if out_obj_name not in prior_rets:
393 |                     prior_rets[out_obj_name] = len(prior_rets)
394 |                 suffix = ';o%d' % prior_rets[out_obj_name]
395 |                 
396 |                 parts.append('returns interface %s' % out_obj_name)
397 | 
398 |             row =  '0x%X || %5d || ' % (0x7100000000 + entry.funcptr, entry.cmd,) # sim.loadbase + entry.funcptr)
399 | 
400 |             if entry.funcptr in f.addr_to_name:
401 |                 row += demangle(f.addr_to_name[entry.funcptr]).split('>::_nn_sf_sync_')[-1].split('(')[0].ljust(len('ProxyProcedureToAcquireApplicationAuthorizationForNintendoAccount'))
402 |             row += ' || '
403 | 
404 |             if display:
405 |                 print row + ' - '.join(parts) + ' ||'
406 | 
407 |             hash_code += '%d(%d%s' % (entry.cmd, (in_size+3)/4, suffix)
408 |             if buffers:
409 |                 hash_code += ';b' + ','.join('%d' % i for i in buffers)
410 |             hash_code += ')'
411 | 
412 |         if True:        
413 | 
414 |             hashed = hashlib.sha224(hash_code).hexdigest()[:16]
415 | 
416 |             #print hashed, repr(hash_code)
417 |             if 'IUnknown_' not in vtable.interface:
418 |                 if vtable.interface not in all_hashes.get(hashed, []):
419 |                     all_hashes.setdefault(hashed, []).append(vtable.interface)
420 |     #print all_hashes
421 | 
422 | def main():
423 |     for i in sys.argv[1:]:
424 |         print 'doing %r...' % (i,)
425 |         sim_filename(i)
426 |     with open('hashes_gen.py', 'w') as f:
427 |         f.write('all_hashes = %r\n' % all_hashes)
428 | 
429 | if __name__ == '__main__':
430 |     main()
431 | 
432 | 


--------------------------------------------------------------------------------
/swipc-gen/hashes_gen.py:
--------------------------------------------------------------------------------
1 | all_hashes = {'9dbc3be4561e89d1': ['nn::ncm::IContentManager'], 'ef572d053fbe0dd0': ['nn::spl::detail::IFsInterface'], '2171a2a3f43a01e2': ['nn::account::nas::IOAuthProcedureForUserRegistration'], '6072a19a5a95b12b': ['nn::bcat::detail::ipc::IDeliveryCacheProgressService'], '6a677c7d9d17ff0a': ['nn::pl::detail::ISharedFontManager'], 'a207109123aa9ee6': ['nn::am::service::IHomeMenuFunctions'], 'aa0c2c207c1ad820': ['nn::nfp::detail::ISystem'], '9a735d669435e452': ['nn::npns::INpnsUser'], '54eb1a88a4c29c49': ['nn::fssrv::sf::IFileSystemProxy'], '3eced0a96862ad10': ['nn::audio::detail::IFinalOutputRecorderManager'], '736d36f862942a6f': ['nn::account::profile::IProfile'], '9598cbef138ebfbf': ['nn::avm::srv::IAvmService'], 'b001441e42b94817': ['nn::clkrst::IClkrstManager'], 'dde489cb9efa1a59': ['nn::ssl::sf::ISslContext'], '7e7ca6d0175ba7bf': ['nn::npns::INpnsSystem'], '3066e14681acfab6': ['nn::ldn::detail::ISystemLocalCommunicationService'], '0fe24d77cf284316': ['nn::account::nas::IOAuthProcedureForExternalNsa'], '84f7f20db4ecb151': ['nn::nifm::detail::IRequest'], 'b8ca6e5433e79cb2': ['nn::timesrv::detail::service::IStaticService'], 'b3bb4bde9ecb224d': ['nn::arp::detail::IWriter'], '705b8aca306f6ff2': ['nn::ns::detail::IApplicationManagerInterface'], '5a6508384258ea2c': ['nns::hosbinder::IHOSBinderDriver'], 'b2da156762209730': ['nn::bcat::detail::ipc::IDeliveryCacheStorageService'], '72c4bcf58cf47efe': ['nn::fssrv::sf::ISaveDataDivisionExporter'], '1f088477c9a99fc8': ['nn::ns::detail::IFactoryResetInterface'], 'd14a028c2a3a2bc9': ['nn::sasbus::IManager', 'nn::fssrv::sf::ISaveDataTransferProhibiter', 'nn::ns::detail::IGameCardStopper', 'nn::ns::detail::IRequestServerStopper', 'nn::olsc::srv::IStopperObject', 'nn::friends::detail::ipc::IDaemonSuspendSessionService', 'nn::am::service::IWindow'], 'f97608292cb9e45a': ['nn::pctl::detail::ipc::IParentalControlServiceFactory'], 'ad95cda1f17d02d4': ['nn::gpio::IPadSession'], 'e3bfdfd72ff62112': ['nn::am::service::IMovieMaker'], '973f73b5a4c23f12': ['nn::account::baas::IManagerForSystemService'], '366ccafd9a88612d': ['nn::ovln::IReceiver'], 'd370e691cf84b160': ['nn::fssrv::sf::ISaveDataChunkExporter'], '47baca73a040292e': ['nn::ns::detail::IApplicationVersionInterface'], '074dc39d711d350c': ['nn::audio::detail::IAudioRendererManagerForApplet'], '52d58b4987c8e6a2': ['nn::nim::detail::IShopServiceManager'], '01526d24fab313d1': ['nn::am::service::IWindowController'], 'c7f6882dbbe76192': ['nn::am::service::ILibraryAppletAccessor'], '6c80c86b931a5598': ['nn::fgm::sf::IRequest'], '4653755c14f961f7': ['nn::erpt::sf::IReport', 'nn::erpt::sf::IAttachment'], 'b74095cc54d5fac2': ['nn::grcsrv::IGrcService'], 'a202525b1a8a98a9': ['nn::ldn::detail::ISystemLocalCommunicationService'], '98c3a246e850be98': ['nn::bgtc::IStateControlService'], '3675d0c8d0312f92': ['nn::capsrv::sf::IScreenShotService'], '86f2c1d0ef9ce65a': ['nn::settings::ISettingsServer'], '2e4ff497ce2ed08e': ['nn::am::service::ICommonStateGetter'], '1af536efc15cfa46': ['nn::am::service::IAudioController'], '7bad1b4f5bcfd278': ['nn::nifm::detail::IGeneralService'], '69547c20efe089af': ['nn::bluetooth::IBluetoothDriver'], 'a09e4f8e00d4e789': ['nn::i2c::ISession'], '09e11edc25c5fddc': ['nn::bcat::detail::ipc::IServiceCreator'], '7de5842c233a5940': ['nn::apm::ISystemManager'], 'd07c250ec43981d7': ['nn::fssrv::sf::ISaveDataExporter'], 'dd2e74efbec1b336': ['nn::hid::IHidServer'], 'a10e408d2022ffae': ['nn::olsc::srv::IOlscServiceForSystemService'], '562a2fb12839614a': ['nn::i2c::IManager'], '2f929cedb08800d2': ['nn::visrv::sf::IManagerRootService'], '3c3c0d8e93ea8fbd': ['nn::audio::detail::IAudioInManagerForDebugger', 'nn::audio::detail::IAudioOutManagerForDebugger', 'nn::audio::detail::IAudioRendererManagerForDebugger'], '9e41fd46d4b7a93f': ['nn::nfc::am::detail::IAmManager', 'nn::btm::IBtmSystem', 'nn::ldn::detail::ISystemServiceCreator', 'nn::fgm::sf::ISession', 'nn::ldn::detail::IMonitorServiceCreator', 'nn::nfc::detail::ISystemManager', 'nn::nfp::detail::ISystemManager', 'nn::ovln::IReceiverService'], '6f9db4402cc791f7': ['nn::capsrv::sf::IAlbumAccessorService'], 'e39cfdb37d61fa5d': ['nn::lm::ILogService', 'nn::am::service::IApplicationProxyService'], '3cf13869c273d105': ['nn::am::service::ISelfController'], '2f555efa2f8d506a': ['nn::hidbus::IHidbusSystemServer'], 'b70ca143ff309821': ['nn::ns::detail::IAsyncValue', 'nn::nim::detail::IAsyncValue'], 'd9d1a213c68756ea': ['nn::migration::savedata::IServer'], '44eafd8c5082b661': ['nn::nsd::detail::IManager'], 'cee0689a9a0b11ba': ['nn::audioctrl::detail::IAudioController'], 'f3824a893af85c91': ['nn::spl::detail::ISslInterface'], '09e103475160adc4': ['nn::bcat::detail::ipc::IDeliveryCacheFileService'], '8fa19d2fc41ca255': ['nn::pwm::IManager'], '942c96c0df18d3fd': ['nn::irsensor::IIrSensorSystemServer'], 'd297f7f4c55f2a99': ['nn::ns::detail::IDevelopInterface'], 'c2a342bd87e77823': ['nn::ntc::detail::service::IStaticService'], '76e2b39f1ee08dad': ['nn::fssrv::sf::ISaveDataTransferManagerWithDivision'], 'b947f9dbc37d5322': ['nn::grcsrv::IGameMovieTrimmer'], 'fb356508a0535b77': ['nn::am::service::ILibraryAppletSelfAccessor'], '311160d735d1918d': ['nn::ns::detail::IServiceGetterInterface'], 'e40baf330c502c08': ['nn::capsrv::sf::IAlbumControlSession'], '4c68e46daece7a9a': ['nn::olsc::srv::ITransferTaskListController'], '5eab6ed6bcdcc324': ['nn::sm::detail::IUserInterface'], '61346617995cb585': ['nn::fatalsrv::IService'], '66070958073744f1': ['nn::fssrv::sf::IFileSystemProxy'], 'f53b458f6e874c1b': ['nn::audio::detail::IAudioOutManager'], 'ffb1ed1d3467e2a7': ['nn::am::service::IGlobalStateController'], '247e674c7d7c9942': ['nn::ns::detail::IDynamicRightsInterface'], '443a5456dfc61051': ['nn::pctl::detail::ipc::IParentalControlService'], 'a8ee81247c3a9384': ['nn::am::service::IProcessWindingController'], '78ba94f758d51102': ['nn::prepo::detail::ipc::IPrepoService'], 'a86c6f7cb5a6d7e7': ['nn::spl::detail::IGeneralInterface'], 'ea5e8ecd4fa6e4bd': ['nn::settings::IFactorySettingsServer'], 'ed64283144cce438': ['nn::timesrv::detail::service::ISystemClock'], 'de50b78b3b860d4f': ['nn::ns::detail::IReadOnlyApplicationRecordInterface'], 'fb9dd96747bea4c4': ['nn::account::baas::IAsyncContextForLoginForOnlinePlay', 'nn::migration::detail::IAsyncSaveDataMigrationPolicyInfoContext'], '16ff6a82ff0ff103': ['nn::hid::IHidSystemServer'], 'f5519e62e121008f': ['nn::am::service::IDisplayController'], '0743a7edc095b7e0': ['nn::lm::ILogger'], '79a058bc9c6317dc': ['nn::socket::resolver::IResolver'], 'f217ca661a52836a': ['nn::account::baas::IGuestLoginRequest'], '49027abdb751d433': ['nn::spl::detail::ICryptoInterface'], 'e8774ee6ae68f5b0': ['nn::ssl::sf::ISslService'], 'b8df11e25c5458ae': ['nn::ovln::ISenderService'], 'abeacc4a646ad7ca': ['nn::account::IAccountServiceForAdministrator'], '07e8757f9fc2697c': ['nn::fssrv::sf::ISaveDataDivisionImporter'], '8ae9f33a76d9d281': ['nn::fssrv::sf::IFileSystemProxyForLoader'], 'aa880cb1496e9ded': ['nn::account::nas::IAuthorizationRequest'], 'e11bbfff93a9ecbe': ['nn::am::service::IApplicationCreator'], '485b4d67666e8e4a': ['nn::audio::detail::IAudioOut'], 'faa980e4d4917414': ['nn::gpio::IManager'], '2d35498adea83db4': ['nn::sasbus::ISession'], '9bc89aed8f15cc88': ['nn::news::detail::ipc::INewsDataService'], 'd2b84173c21b2361': ['nn::fssrv::sf::IStorage'], 'a5441bae3cdffc00': ['nn::btm::IBtm'], 'f405e7cc8d9d8020': ['nn::mii::detail::IImageDatabaseService'], 'f0a18bbdf50f8eb8': ['nn::am::service::ISelfController'], '0212a598d1e8125d': ['nn::dauth::detail::IService'], '4c9bf3e216c217f4': ['nn::ncm::IContentStorage'], 'be53d4498f2ab253': ['nns::hosbinder::IHOSBinderDriver'], '899bac0f033326fa': ['nn::audio::detail::IAudioRendererManager'], '5f9a68bcde03c8ea': ['nn::fssrv::sf::IProgramRegistry'], 'ca01926746ce7096': ['nn::olsc::srv::IDaemonController'], 'cefef7d38d0df976': ['nn::migration::user::IService'], '42297b8bafbeadd2': ['nn::grcsrv::IMovieMaker'], '96a5e651c106c4cd': ['nn::apm::ISession'], '70240b01a9865c3e': ['nn::visrv::sf::IManagerDisplayService'], '13b0c7617249b16f': ['nn::audio::detail::IAudioOutManagerForApplet'], 'c238fb7bfeb26bba': ['nn::psm::IPsmServer'], '2a1ed120563f1553': ['nn::socket::sf::IClient'], '2bdab1c969211ee3': ['nn::ro::detail::IRoInterface'], '898b516ade69b3f0': ['nn::hid::IHidSystemServer'], '7e1c9c0fe4f2a35d': ['nn::settings::ISystemSettingsServer'], '3626e2bd982b86f7': ['nn::capsrv::sf::IAlbumControlService'], '5df308fef6e890fb': ['nn::fssrv::sf::IDirectory'], '1e0c42da4a8e5c5f': ['nn::fssrv::sf::IFile'], 'fda693c0c9a8af50': ['nn::visrv::sf::IManagerDisplayService'], '1b449f8c623d7144': ['nn::am::service::IDebugFunctions'], 'a5dcc30cc04403e6': ['nn::pwm::IChannelSession'], 'b38c9250276e3f12': ['nn::fssrv::sf::IFileSystemProxy'], '655f9549829d5a6a': ['nn::friends::detail::ipc::INotificationService'], '8ff813fe4df151bf': ['nn::nifm::detail::IGeneralService'], '7e29f4a30d982df9': ['nn::fssrv::sf::ISaveDataTransferManager'], '34236f7ff3e2e0e5': ['nv::gemcontrol::INvGemControl'], '5f370d9245ddcccb': ['nn::am::service::ICommonStateGetter'], 'eec92b1678d09c46': ['nn::news::detail::ipc::IServiceCreator'], '92f51b2ce1fc1fe9': ['nn::capsrv::sf::IAlbumAccessorSession'], '20114ce0f01eba55': ['nn::fssrv::sf::IDeviceOperator'], '4875e024ec9e0522': ['nn::nfc::detail::ISystem'], '0498e1c15d5f1b60': ['nn::nifm::detail::INetworkProfile'], '80df875455597a17': ['nn::am::service::IOverlayFunctions'], '362fb4c55ec8b00a': ['nn::fssrv::sf::IFileSystemProxy'], '6a3e3f99e719d99e': ['nn::am::service::IApplicationAccessor'], 'aabc6a86dcefad36': ['nn::settings::ISystemSettingsServer'], 'e8228d2b01a6f6df': ['nn::am::service::IAppletAccessor'], 'f183cedfd4bc9151': ['nn::visrv::sf::IApplicationDisplayService'], 'bf797334c54581d2': ['nn::erpt::sf::IManager'], '6082c9fcf9ae88ce': ['nn::am::service::IAppletCommonFunctions'], '26ad622dd70169b7': ['nn::account::baas::IFloatingRegistrationRequest'], 'd5a760ae52f58e6c': ['nn::fssrv::sf::ISaveDataChunkImporter'], '07f921ea3bb51294': ['nn::fssrv::sf::IDeviceOperator'], '4404b42704f07bfe': ['nn::am::service::IApplicationAccessor'], '84bfddaa69efd59f': ['nn::account::IBaasAccessTokenAccessor'], '998451bfbac45b6f': ['nn::ns::detail::IDownloadTaskInterface'], 'b175ab3039854b8d': ['nn::am::service::ISystemAppletProxy'], 'b3837c70870c5181': ['nn::fssrv::sf::IEventNotifier', 'nn::account::detail::INotifier', 'nn::fatalsrv::IPrivateService', 'nn::olsc::srv::INativeHandleHolder', 'nn::hid::IAppletResource', 'nn::bcat::detail::ipc::INotifierService', 'nn::bcat::detail::ipc::IDeliveryTaskSuspensionService', 'nn::news::detail::ipc::INewlyArrivedEventHolder', 'nn::news::detail::ipc::IOverwriteEventHolder'], '7368439e01b81da1': ['nn::friends::detail::ipc::IServiceCreator'], 'b9bd0d1b4fbe9950': ['nn::sm::detail::IManagerInterface'], '41a5b015fd7b2974': ['nn::news::detail::ipc::INewsDatabaseService'], '18ca865f9fadfb40': ['nn::ns::detail::IProgressMonitorForDeleteUserSaveDataAll'], '28032a2a86978fee': ['nn::regulator::IRegulatorManager'], '8b3d2a6cd1c5a1ca': ['nn::am::service::ILibraryAppletSelfAccessor'], 'e6bb8599ea001b76': ['nn::olsc::srv::IRemoteStorageController'], '4418757e9e8d2871': ['nn::gpio::IManager'], 'b7dbe08acbd75365': ['nn::friends::detail::ipc::IFriendService'], '62f3d257ca284243': ['nn::uart::IPortSession'], '80364747ff4a018f': ['nn::lbl::detail::ILblController'], 'b4925f1abba2be6f': ['nn::ns::detail::ISystemUpdateControl'], '1b7066fc2a402917': ['nn::migration::user::IClient'], '1e1b4340508e40b2': ['nn::ns::detail::IAsyncResult', 'nn::nim::detail::IAsyncResult'], '03f0ea6f9335575c': ['nn::fssrv::sf::ISaveDataInfoReader', 'nn::spl::detail::IRandomInterface'], '5652230574111fa7': ['nn::am::service::ILibraryAppletProxy', 'nn::am::service::IOverlayAppletProxy'], '75f43c56308cd7b6': ['nn::nifm::detail::IScanRequest'], '9392f1ee90235c69': ['nn::uart::IManager'], 'ef36fa28640afe99': ['nn::eupld::sf::IRequest'], '438792474de8dba6': ['nn::fssrv::sf::ISaveDataChunkIterator'], 'a0be9886cc1eaa59': ['nv::gemcoredump::INvGemCoreDump'], 'b9edb1600b89ceac': ['nn::ssl::sf::ISslConnection'], '26e44709faf92ed0': ['nn::am::service::ILibraryAppletCreator'], 'c77bcca6437b27a6': ['nn::timesrv::detail::service::ISteadyClock'], '7aea8734a0f840ff': ['nn::bcat::detail::ipc::IDeliveryCacheDirectoryService'], '5b6e9df3d3b58471': ['nn::fssrv::sf::IFileSystem'], 'd74fdf70159290ac': ['nn::srepo::detail::ipc::ISrepoService'], '812f005802818484': ['nn::ns::detail::IProgressAsyncResult'], 'b3913dcf1653eb90': ['nn::audio::detail::IAudioRenderer'], '678e5715bbf73012': ['nn::account::nas::IOAuthProcedureForNintendoAccountLinkage'], '391522848c1f6043': ['nn::fssrv::sf::IFileSystemProxy'], '17749092dc6fb853': ['nn::clkrst::IClkrstSession'], '1500deb9a7b0c914': ['nn::am::service::IApplicationProxy'], '388802cf41c41bce': ['nn::account::baas::IAdministrator'], 'e78fd383329c1e63': ['nn::ns::detail::IDocumentInterface'], '5216949a0ceebb5f': ['nn::fssrv::sf::IMultiCommitManager'], 'fbbbc6514394774e': ['nn::socket::sf::IClient'], '72cd1a5e3a3c7f4d': ['nn::account::IAccountServiceForSystemService'], 'a70b98ccc3299f80': ['nn::visrv::sf::IApplicationRootService', 'nn::sasbus::IManager', 'nn::fan::detail::IManager', 'nn::mii::detail::IStaticService'], 'feafd8f56bfb6c79': ['nn::am::service::IStorageChannel'], '9b1f77d36f593b6a': ['nn::regulator::IRegulatorSession'], 'c6fa95d83771352c': ['nn::mii::detail::IDatabaseService'], 'ff182bb207d2b5a5': ['nn::erpt::sf::IContext'], 'b47f55ada5e6b225': ['nn::eupld::sf::IControl'], '3b5390a64705a065': ['nns::nvdrv::INvDrvServices'], '38596578645fafba': ['nn::dauth::detail::IAsyncResult', 'nn::account::detail::IAsyncContext', 'nn::olsc::srv::IAsyncResult', 'nn::migration::detail::IAsyncContext', 'nn::news::detail::ipc::IDownloadContext'], 'bb4a6a9db65360e5': ['nn::am::service::ILockAccessor'], '6826a1702a669c81': ['nn::bcat::detail::ipc::IBcatService'], '122ed7b9d8b764a4': ['nn::ovln::ISender'], '78ecb0e1ac578c6c': ['nn::visrv::sf::ISystemDisplayService'], 'cf1de82e5d258edb': ['nn::audio::detail::IAudioDevice'], 'be0c9d3c0945d8e8': ['nn::erpt::sf::ISession'], 'f474a636d785a723': ['nn::grcsrv::IContinuousRecorder'], 'cd5711d486a56f56': ['nn::ns::detail::ISystemUpdateInterface'], '011d3a57dac18e69': ['nn::npns::INotificationReceiver'], '60b2072cf75e98e9': ['nn::fssrv::sf::ISaveDataImporter'], '45ac41ac041971b7': ['nn::ns::detail::IVulnerabilityManagerInterface'], 'd7a91bbf777d68e6': ['nn::news::detail::ipc::INewsService'], 'd5276e9a369a02d4': ['nn::bgtc::ITaskService'], '5cc15656aa779039': ['nn::am::service::IStorageAccessor'], 'b8f2b4fed4f9dd19': ['nn::am::service::IAppletCommonFunctions'], 'f9cae162fd25a500': ['nn::account::detail::ISessionObject'], 'e95f80443466e96f': ['nn::ns::detail::IECommerceInterface'], '78cfe7a902912164': ['nn::mmnv::IRequest'], '4958f97e2c248677': ['nn::timesrv::detail::service::ITimeZoneService'], '5fe31c4ba5458e86': ['nn::nifm::detail::IStaticService'], '9ff0846fa9d9bfbe': ['nn::am::service::IApplicationFunctions'], '51c707b04050f17d': ['nn::hid::IActiveVibrationDeviceList', 'nn::pcv::IArbitrationManager'], '1c3ea2497ad14abd': ['nn::am::service::ITransferStorageAccessor'], '11611b1034a052c8': ['nn::fan::detail::IController'], 'a1eb9b617884b06e': ['nn::account::profile::IProfileEditor'], '79f9bddeea176bff': ['nn::ncm::IContentStorage'], '1e6aaa6e9c1d263c': ['nn::hid::IHidDebugServer'], 'ed990669d25d5086': ['nn::olsc::srv::IForbiddenSaveDataIndication'], 'c88c3118b02ec25b': ['nn::pl::detail::IPlatformServiceManager'], 'a0e6c9339df87581': ['nn::nfc::am::detail::IAm'], 'de74463cee165833': ['nn::migration::user::IServer'], '34c74f65e1610cf7': ['nn::pcv::detail::IPcvService'], '4fac7e300a84232b': ['nn::capsrv::sf::IScreenShotControlService'], '8e9938e174daf0bd': ['nn::ncm::IContentMetaDatabase'], '61a91fdb411efe4a': ['nn::nim::detail::IAsyncProgressResult'], 'e89b11adefffbfd4': ['nn::avm::srv::IVersionListImporter'], 'c3ebc917c3fbe907': ['nn::tc::IManager'], '771fa4a8fb46317f': ['nn::account::baas::IManagerForApplication'], 'e870d6c9931ac281': ['nn::btm::IBtmSystemCore'], '545040c28142bc5b': ['nn::psm::IPsmSession'], '75bd73bde1f6c923': ['nv::MemoryProfiler::IMemoryProfiler'], 'f07ce1118432e8ee': ['nn::pcv::detail::IPcvService'], '0370161c5a92ca25': ['nn::ldn::detail::IMonitorService'], '26f4c471b9b5b453': ['nn::account::http::IOAuthProcedure'], '97cac48103b20231': ['nn::account::IAccountServiceForApplication'], '927a357138944f57': ['nn::ntc::detail::service::IEnsureNetworkClockAvailabilityService'], '78e1342e6626dfa1': ['nn::migration::savedata::IClient'], 'a2eeab79ddf3035a': ['nn::grcsrv::IOffscreenRecorder'], 'be3851481ba76f64': ['nn::ns::detail::IAccountProxyInterface'], '02c66976480a90b3': ['nn::visrv::sf::ISystemRootService'], '8ca323a7f3a293c5': ['nn::audio::detail::IAudioInManagerForApplet'], 'cfef8b4ffcd68bd4': ['nn::arp::detail::IReader'], '5f3424303dd51d50': ['nn::ns::detail::IReadOnlyApplicationControlDataInterface'], '99a880037575580a': ['nn::hid::IHidDebugServer'], '4eeb8c6cb84b38c4': ['nn::apm::IManager'], '3de251fa2ea20236': ['nn::ns::detail::IContentManagementInterface'], 'f9b56db27c746e3d': ['nn::arp::detail::IRegistrar']}
2 | 


--------------------------------------------------------------------------------
/swipc-gen/ipcclient.py:
--------------------------------------------------------------------------------
  1 | import struct
  2 | from collections import Counter
  3 | import hashlib
  4 | import re
  5 | 
  6 | from capstone import *
  7 | from capstone.arm64 import *
  8 | 
  9 | from nxo64 import load_nxo
 10 | from demangling import get_demangled
 11 | IDA_BASE = 0x7100000000
 12 | 
 13 | MANUAL_NAME_LOOKUP = {
 14 | 	# 4.0.1 loader:
 15 | 	"IUnknown_b171b62c_0x7100051A28": "nn::lr::ILocationResolverManager",
 16 | 	"IUnknown_bd070344_0x7100051A98": "nn::lr::ILocationResolver",
 17 | 	"IUnknown_788b7338_0x7100051B38": "nn::lr::IRegisteredLocationResolver",
 18 | 	"IUnknown_0868914f_0x7100051BC8": "nn::lr::IAddOnContentLocationResolver",
 19 | 
 20 | 	# 4.0.1 fs:
 21 | 	"IUnknown_b171b62c_0x71001CC688": "nn::lr::ILocationResolverManager",
 22 | 	"IUnknown_bd070344_0x71001CC6F8": "nn::lr::ILocationResolver",
 23 | 	"IUnknown_788b7338_0x71001CC798": "nn::lr::IRegisteredLocationResolver",
 24 | 	"IUnknown_0868914f_0x71001CC828": "nn::lr::IAddOnContentLocationResolver",
 25 | 	"IUnknown_dfd5f913_0x71001CC890": "nn::psc::sf::IPmService",
 26 | 	"IUnknown_b171b62c_0x71001CC8E8": "nn::psc::sf::IPmModule",
 27 | 	"IUnknown_0b7cc0c3_0x71001CC4E0": "nn::tma::IFileManager",
 28 | 	"IUnknown_9329709d_0x71001CC590": "nn::tma::IFile",
 29 | 	"IUnknown_b171b62c_0x71001CC618": "nn::tma::IDirectory",
 30 | 	"IUnknown_dfd5f913_0x71001CC378": "nn::pinmux::IManager",
 31 | 	"IUnknown_0868914f_0x71001CC3D0": "nn::pinmux::ISession",
 32 | 
 33 | 	# 4.0.1 pm:
 34 | 	"IUnknown_b171b62c_0x710004B8F8": "nn::ldr::detail::IProcessManagerInterface",
 35 | 
 36 | 	# 4.0.1 nvservices:
 37 | 	"IUnknown_dfd5f913_0x710011A940": "nn::psc::sf::IPmService",
 38 | 	"IUnknown_dfd5f913_0x710011A998": "nn::psc::sf::IPmModule",
 39 | 
 40 | 	# 4.0.1 ns:
 41 | 	"IUnknown_560d510c_0x7100191930": "nn::nim::detail::INetworkInstallManager",
 42 | 	"IUnknown_0868914f_0x7100191C18": "nn::nim::detail::IAsyncResult",
 43 | 	"IUnknown_b171b62c_0x7100191C80": "nn::nim::detail::IAsyncValue",
 44 | 	"IUnknown_ef63a7f7_0x7100191CF0": "nn::nim::detail::IAsyncData",
 45 | 	"IUnknown_a2ec7c94_0x7100189400": "nn::es::IETicketService",
 46 | 	"IUnknown_f4e4f171_0x710018A7E0": "nn::ldr::detail::IShellInterface",
 47 | 	"IUnknown_b171b62c_0x710018A840": "nn::lr::ILocationResolverManager",
 48 | 	"IUnknown_bd070344_0x710018A8B0": "nn::lr::ILocationResolver",
 49 | 	"IUnknown_788b7338_0x710018A950": "nn::lr::IRegisteredLocationResolver",
 50 | 	"IUnknown_0868914f_0x710018A9E0": "nn::lr::IAddOnContentLocationResolver",
 51 | 	"IUnknown_f4e4f171_0x710018F1B0": "nn::pm::detail::IBootModeInterface",
 52 | 	"IUnknown_bd070344_0x710018F210": "nn::pm::detail::IShellInterface",
 53 | 	"IUnknown_5c4120bd_0x7100195E60": "nn::pdm::detail::INotifyService",
 54 | 
 55 | 	# 4.0.1 fatal:
 56 | 	"IUnknown_0ee18a67_0x7100159718": "nn::spsm::detail::IPowerStateInterface",
 57 | 	"IUnknown_dfd5f913_0x710015DCA8": "nn::pm::detail::IInformationInterface",
 58 | 
 59 | 
 60 | 	# 4.0.1 friends:
 61 | 	'IUnknown_271cf7f3_0x71001C4390': 'nn::pdm::detail::IQueryService',
 62 | 
 63 | 
 64 | 	# 3.0.0 fs:
 65 | 	#"IUnknown_0b7cc0c3_0x71001C2640": "nn::tma::IFileManager",
 66 | 
 67 | 
 68 | 
 69 | }
 70 | 
 71 | MANUAL_NAME_LOOKUP = {
 72 | 	
 73 | 
 74 | }
 75 | 
 76 | 
 77 | def demangle(s):
 78 | 	value = get_demangled(s)
 79 | 	if '<nn::sf::cmif::client::CmifProxyFactory<' in value:
 80 | 		value = value.split('<nn::sf::cmif::client::CmifProxyFactory<')[1].split(', ')[0]
 81 | 	elif '<nn::sf::cmif::client::detail::CmifProxy<' in  value:
 82 | 		value = value.split('<nn::sf::cmif::client::detail::CmifProxy<')[1].split(', ')[0]
 83 | 
 84 | 	if 'nn::sf::UnmanagedServiceObject<' in value:
 85 | 		value = value.split('nn::sf::UnmanagedServiceObject<')[1].split(', ')[0]
 86 | 
 87 | 	return value
 88 | 
 89 | def find_ret(binstring, func_start):
 90 | 	offset = func_start
 91 | 	while struct.unpack_from('<I', binstring, offset)[0] != 0xd65f03c0:
 92 | 		offset += 4
 93 | 	return offset
 94 | 
 95 | lookup = {}
 96 | 
 97 | def get_last_immediate_argument(insns):
 98 | 	immregs = [None] * 32
 99 | 
100 | 	stores = {}
101 | 	for i in insns:
102 | 		#print ':', i.mnemonic, i.op_str
103 | 		if i.mnemonic == 'orr' and i.op_str.split(', ')[1] == 'wzr':
104 | 			immregs[int(i.op_str.split(', ')[0][1:])] = i.operands[2].value.imm
105 | 		elif i.mnemonic == 'mov':
106 | 			src = i.op_str.split(', ')[1]
107 | 			dest = int(i.op_str.split(', ')[0][1:])
108 | 			if src == 'wzr' or src == 'xzr':
109 | 				immregs[dest] = 0
110 | 			elif src == 'sp':
111 | 				immregs[dest] = None
112 | 			else:
113 | 				immregs[dest] = immregs[int(src[1:])]
114 | 		elif i.mnemonic == 'movz':
115 | 			if i.op_str.endswith(', lsl #16'):
116 | 				immregs[int(i.op_str.split(', ')[0][1:])] = i.operands[1].value.imm << 16
117 | 			else:
118 | 				immregs[int(i.op_str.split(', ')[0][1:])] = i.operands[1].value.imm
119 | 		elif i.mnemonic == 'movk':
120 | 			if i.op_str.endswith(', lsl #16'):
121 | 				immregs[int(i.op_str.split(', ')[0][1:])] |= i.operands[1].value.imm << 16
122 | 			else:
123 | 				immregs[int(i.op_str.split(', ')[0][1:])] |= i.operands[1].value.imm
124 | 		elif i.mnemonic == 'str' and i.reg_name(i.operands[1].value.mem.base) == 'sp':
125 | 			reg = i.reg_name(i.operands[0].value.mem.base)
126 | 			if reg == 'wzr':
127 | 				value = 0
128 | 			else:
129 | 				value = immregs[int(reg[1:])]
130 | 			stores[i.operands[1].value.mem.disp] = value
131 | 		elif i.mnemonic == 'stp' and i.reg_name(i.operands[2].value.mem.base) == 'sp':
132 | 			reg = i.reg_name(i.operands[0].value.mem.base)
133 | 			if reg == 'wzr':
134 | 				value = 0
135 | 			else:
136 | 				value = immregs[int(reg[1:])]
137 | 			stores[i.operands[2].value.mem.disp] = value
138 | 
139 | 			reg = i.reg_name(i.operands[1].value.mem.base)
140 | 			if reg == 'wzr':
141 | 				value = 0
142 | 			else:
143 | 				value = immregs[int(reg[1:])]
144 | 			stores[i.operands[2].value.mem.disp + 8] = value
145 | 
146 | 	if stores:
147 | 		last_store = None
148 | 		end = sorted(stores.keys())[-1] + 8
149 | 		for off in range(0, end, 8):
150 | 			if off not in stores:
151 | 				break
152 | 			val = stores[off]
153 | 			if val is not None:
154 | 				last_store = val
155 | 		if last_store is not None:
156 | 			return last_store
157 | 
158 | 	for i in range(8, -1, -1):
159 | 		if immregs[i] is not None:
160 | 			return immregs[i]
161 | 
162 | 	return None
163 | 
164 | 
165 | 
166 | is_process_function_cache = {}
167 | def is_process_function(binstring, func_start):
168 | 	#print hex(func_start)
169 | 	if func_start in is_process_function_cache:
170 | 		return is_process_function_cache[func_start]
171 | 	md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
172 | 	counter = 0
173 | 	try:
174 | 		i = func_start
175 | 		instr = md.disasm(binstring[i:i+4], i).next()
176 | 		while instr.mnemonic not in ('ret',):
177 | 			#if instr.mnemonic in ('movz', 'movk'):
178 | 			#	print instr.mnemonic, repr(instr.op_str), instr.op_str.endswith(', #0x4653')
179 | 			#print instr.mnemonic
180 | 			if instr.mnemonic in ('movz', 'movk') and instr.op_str.endswith(', #0x4943, lsl #16'):
181 | 				counter += 1
182 | 				#print '...'
183 | 			elif instr.mnemonic in ('movz', 'movk') and instr.op_str.endswith(', #0x4f43, lsl #16'):
184 | 				#print '..'
185 | 				counter += 1
186 | 			elif instr.mnemonic in ('movz', 'movk') and instr.op_str.endswith(', #0x4653'):
187 | 				#print '.'
188 | 				counter += 1
189 | 			i += 4
190 | 			instr = md.disasm(binstring[i:i+4], i).next()
191 | 		func_end = i + 4
192 | 	except StopIteration:
193 | 		is_process_function_cache[func_start] = False
194 | 		return False
195 | 	#print counter
196 | 	is_process_function_cache[func_start] = (counter in (2,4))
197 | 	return (counter in (2,4))
198 | 
199 | def get_function_cmd_id_old(binstring, func_start, func_end, rostart, roend):
200 | 	md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
201 | 	counter = 0
202 | 	got_movz = False
203 | 	got_movk = False
204 | 	for i in range(func_start, func_end, 4):
205 | 		try:
206 | 			instr = md.disasm(binstring[i:i+4], i).next()
207 | 		except StopIteration:
208 | 			return None
209 | 		if instr.mnemonic == 'movz' and instr.op_str.endswith(', #0x4f43, lsl #16'):
210 | 			got_movz = True
211 | 		elif instr.mnemonic == 'movk' and instr.op_str.endswith(', #0x4653'):
212 | 			got_movk = True
213 | 		if got_movk and got_movz:
214 | 			break
215 | 
216 | 	if not got_movz and got_movk:
217 | 		return None
218 | 
219 | 
220 | 	md.detail = True
221 | 	constants = {}
222 | 	for i in range(func_start, func_end, 4):
223 | 		try:
224 | 			instr = md.disasm(binstring[i:i+4], i).next()
225 | 		except StopIteration:
226 | 			return None
227 | 
228 | 		if instr.mnemonic == 'adrp':
229 | 			reg_name = instr.reg_name(instr.operands[0].value.reg)
230 | 			constants[reg_name] = instr.operands[1].value.imm
231 | 		elif instr.mnemonic == 'add' and instr.operands[2].type == ARM64_OP_IMM:
232 | 			reg_name = instr.reg_name(instr.operands[1].value.reg)
233 | 			if reg_name in constants:
234 | 				loc = instr.operands[2].value.imm + constants[reg_name]
235 | 				if rostart <= loc <= roend-0x10:
236 | 					if binstring[loc:loc+8] == 'SFCI\0\0\0\0':
237 | 						return struct.unpack_from('<Q', binstring, loc + 8)[0]
238 | 				if instr.reg_name(instr.operands[1].value.reg) == reg_name:
239 | 					del constants[reg_name]
240 | 		elif instr.mnemonic in ('bl', 'blr'):
241 | 			constants = {}
242 | 
243 | 	return None
244 | 
245 | def get_function_cmd_id(binstring, func_start, plt_lookup, rostart, roend):
246 | 	md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
247 | 	md.detail = True
248 | 
249 | 	func_end = find_ret(binstring, func_start) + 4
250 | 	#print 'func_end: 0x%X' % func_end
251 | 	calls = 0
252 | 	block_starts = set()
253 | 	block_starts.add(func_start)
254 | 	for i in range(func_start, func_end, 4):
255 | 		try:
256 | 			insn = md.disasm(binstring[i:i+4], i).next()
257 | 		except StopIteration:
258 | 			break
259 | 		if insn.mnemonic in ('bl', 'blr'):
260 | 			calls += 1
261 | 			block_starts.add(i+4)
262 | 		elif insn.mnemonic == 'cbz':
263 | 			block_starts.add(i+4)
264 | 			block_starts.add(insn.operands[1].value.imm)
265 | 
266 | 	if calls >= 4:
267 | 		cmd_id_old = get_function_cmd_id_old(binstring, func_start, func_end, rostart, roend)
268 | 		if cmd_id_old is not None:
269 | 			return cmd_id_old, None
270 | 
271 | 	#print block_starts
272 | 	if len(block_starts) < 2 or len(block_starts) > 7:
273 | 		return None
274 | 
275 | 	blocks = []
276 | 	for i in range(func_start, func_end, 4):
277 | 		try:
278 | 			insn = md.disasm(binstring[i:i+4], i).next()
279 | 		except StopIteration:
280 | 			break
281 | 		if i in block_starts:
282 | 			blocks.append([])
283 | 		blocks[-1].append(insn)
284 | 
285 | 	#if True:
286 | 	#	for b in blocks:
287 | 	#		print '='
288 | 	#		for i in b:
289 | 	#			print i.mnemonic + ' ' + i.op_str #for i in b]
290 | 
291 | 	argsblock = None
292 | 	for block in blocks[::-1]:
293 | 		if block[-1].mnemonic == 'bl':
294 | 			argsblock = block
295 | 			break
296 | 	if not argsblock:
297 | 		return None
298 | 	process_function = argsblock[-1].operands[0].value.imm
299 | 	process_function = plt_lookup.get(process_function, process_function)
300 | 	if not is_process_function(binstring, process_function):
301 | 		#print 'not_process_function'
302 | 		return None
303 | 
304 | 	# keep it simple by skipping all instructions that do not generate immediates
305 | 	pos = 0
306 | 	while (pos < len(argsblock) and
307 | 		   argsblock[pos].mnemonic in ('stp', 'mov', 'str', 'add', 'ldr', 'and', 'ldp') and
308 | 		   'wzr' not in argsblock[pos].op_str):
309 | 		pos += 1
310 | 
311 | 	result = get_last_immediate_argument(block[pos:])
312 | 	#if result is None:
313 | 	#	print block[pos:]
314 | 
315 | 	return result, process_function
316 | 
317 | import sys
318 | 
319 | def shorten(s):
320 | 	for i in ('nn::sf::hipc::detail::', 'nn::sf::hipc::client::', 'nn::sf::cmif::client::', 'nn::sf::cmif::detail::', 'std::__1::', 'nn::sf::'):
321 | 		s = s.replace(i, '')
322 | 	return s
323 | 
324 | def get_method_info_part(s):
325 | 	start = s.index('CoreMethodInfo<') + len('CoreMethodInfo<')
326 | 	p = start
327 | 	depth = 1
328 | 	while depth:
329 | 		if s[p] == '>':
330 | 			depth -= 1
331 | 		elif s[p] == '<':
332 | 			depth += 1
333 | 		p += 1
334 | 	return s[start:p-1]
335 | 
336 | def hexify(s):
337 | 	def matchfunc(o):
338 | 		v = int(o.group(1))
339 | 		if v < 10:
340 | 			return '%d' % v
341 | 		else:
342 | 			return '0x%X' % v
343 | 	return re.sub('([0-9]+)u?l?', matchfunc, s)
344 | 
345 | def get_display_method_info(name):
346 | 	tup, inbytes, outbytes, sendpid = hexify(shorten(get_method_info_part(demangle(name)))).rsplit(', ', 3)
347 | 	tup = tup[6:-1].strip().replace('ArgumentInfo<', '<').replace(', ', ',').replace('>,', '>, ')
348 | 	parts = [inbytes + ' bytes in', outbytes + ' bytes out']
349 | 	if sendpid == 'true':
350 | 		parts.append('takes pid')
351 | 	if tup:
352 | 		parts.append(tup)
353 | 	return ' - '.join(parts)
354 | 
355 | 
356 | def get_method_data(name):
357 | 	tup, inbytes, outbytes, sendpid = hexify(shorten(get_method_info_part(demangle(name)))).rsplit(', ', 3)
358 | 
359 | 	tup = tup[6:-1].strip().replace('ArgumentInfo<', '<').replace(', ', ',').replace('>,', '>, ')
360 | 
361 | 	data = {}
362 | 	data["inbytes"] = int(inbytes,16)
363 | 	data["outbytes"] = int(outbytes,16)
364 | 	if sendpid == 'true':
365 | 		data["pid"] = True
366 | 
367 | 	data['arginfo'] = tup
368 | 	return data
369 | 
370 | def get_cmd_id_hash(vt):
371 | 	return hashlib.sha224(','.join('%d' % i for i in vt if i is not None)).hexdigest()[:8]
372 | 
373 | 
374 | class IpcClientVtableEntry(object):
375 | 	def __init__(self, cmd, process_function, funcptr):
376 | 		self.cmd = cmd
377 | 		self.process_function = process_function
378 | 		self.funcptr = funcptr
379 | 
380 | 
381 | class IpcClientVtable(object):
382 | 	def __init__(self, start, end, interface, entries, is_domain):
383 | 		self.start = start
384 | 		self.end = end
385 | 		self.interface = interface
386 | 		self.entries = entries
387 | 		self.is_domain = is_domain
388 | 
389 | 
390 | def iter_vtables_in_nxo(f):
391 | 	assert f.textoff == 0
392 | 	f.binfile.seek(f.textoff)
393 | 	binstring = f.binfile.read(f.dataoff + f.datasize)
394 | 
395 | 
396 | 	fptr_syms = {}
397 | 	data_syms = {}
398 | 	for offset, r_type, sym, addend in f.relocations:
399 | 		if f.dataoff <= offset < f.dataoff + f.datasize:
400 | 			if sym and sym.shndx and sym.value < f.textsize:
401 | 				fptr_syms[offset] = sym.value
402 | 			elif addend and addend < f.textsize:
403 | 				fptr_syms[offset] = addend
404 | 			elif sym and sym.shndx and sym.value:
405 | 				data_syms[offset] = sym.value
406 | 			elif addend:
407 | 				data_syms[offset] = addend
408 | 
409 | 	#print hex(f.dataoff), f.dataoff < 0xCE7AA8
410 | 	#print struct.unpack_from('<q', binstring, 0xCE7AA8)[0]
411 | 	for i in range(f.dataoff, len(binstring), 8):
412 | 		#print hex(i), hex(len(binstring))
413 | 		value = struct.unpack_from('<q', binstring, i)[0]
414 | 		if value in (-0x10, -0x20):
415 | 			#if i == 0xCE7AA8:
416 | 			#	print hex(i)
417 | 			end = i
418 | 			start = end
419 | 			while start - 8 in fptr_syms:
420 | 				start -= 8
421 | 
422 | 			process_functions = [None] * ((end-start)/8)
423 | 
424 | 			vt = []
425 | 			funcptrs = []
426 | 			for j in range(start, end, 8):
427 | 				entry = fptr_syms[j]
428 | 				cmd_id = get_function_cmd_id(binstring, entry, f.plt_lookup, f.rodataoff, f.dataoff)
429 | 				if cmd_id is not None:
430 | 					cmd_id, process_function = cmd_id
431 | 					process_functions[(j-start)/8] = process_function
432 | 				vt.append(cmd_id)
433 | 				funcptrs.append(entry)
434 | 
435 | 
436 | 			if len(vt) > 4 and all(i is None for i in vt[:4] + vt[-1:]) and not any(i is None for i in vt[4:-1]):
437 | 				interface = ''
438 | 				raw_vtable_name = ''
439 | 				if start-8 in data_syms:
440 | 					rtti_string = data_syms[data_syms[start-8]+8]
441 | 					raw_vtable_name = binstring[rtti_string:binstring.index('\0',rtti_string)]
442 | 					interface = demangle(raw_vtable_name)
443 | 				elif start-16 in f.addr_to_name:
444 | 					raw_vtable_name = f.addr_to_name[start-16]
445 | 					interface = demangle(raw_vtable_name)
446 | 				else:
447 | 					interface = 'IUnknown_%s_0x%X' % (get_cmd_id_hash(vt), start + IDA_BASE)
448 | 					interface = MANUAL_NAME_LOOKUP.get(interface, interface)
449 | 
450 | 				is_domain = False
451 | 				if 'CmifDomainProxy' in raw_vtable_name:
452 | 					is_domain = True
453 | 
454 | 				entries = []
455 | 				for cmd, process_function, funcptr in zip(vt, process_functions, funcptrs):
456 | 					entries.append(IpcClientVtableEntry(cmd, process_function, funcptr))
457 | 				yield IpcClientVtable(start, end, interface, entries, is_domain)
458 | 
459 | 
460 | def dump_vtables(fname):
461 | 	with open(fname, 'rb') as li:
462 | 		f = load_nxo(li)
463 | 
464 | 	#for name in  '_nn_sf_sync_' 
465 | 	for vtable in iter_vtables_in_nxo(f):
466 | 		#print '?'
467 | 		#continue
468 | 		print '  %r: {' % vtable.interface
469 | 		for entry in vtable.entries:
470 | 			if entry.cmd is not None:
471 | 				data = {}
472 | 				if entry.funcptr in f.addr_to_name:
473 | 					demangled = demangle(f.addr_to_name[entry.funcptr])
474 | 					name, args = demangled.split('>::_nn_sf_sync_')[-1].split('(', 1)
475 | 					args = args[:-1]
476 | 					#parts.append('%r: %r' % ('name', name))
477 | 					#parts.append('%r: %r' % ('args', args))
478 | 					data['name'] = name
479 | 					data['args'] = shorten(args)
480 | 
481 | 
482 | 				if entry.process_function is not None and entry.process_function in f.addr_to_name:
483 | 					#parts.append('%r: %r' % ('data', ))
484 | 					data.update(get_method_data(f.addr_to_name[entry.process_function]))
485 | 					#s += (' | ' + )
486 | 
487 | 				parts = []
488 | 				for i in ['inbytes', 'outbytes', 'name', 'pid', 'args', 'arginfo']:
489 | 					if i not in data: continue
490 | 					v = data[i]
491 | 					if isinstance(v, (list, bool, str)):
492 | 						v = repr(v)
493 | 					else:
494 | 						if v >= 10:
495 | 							v = '0x%X' % v
496 | 						else:
497 | 							v = str(v)
498 | 						v = v.rjust(5)
499 | 					parts.append('"%s": %s' % (i, v))
500 | 				print '    %5d: {%s},' % (entry.cmd, ', '.join(parts))
501 | 
502 | 		print '  },'
503 | 
504 | 
505 | #from wherever import namez # or just paste it here
506 | 
507 | def dump_structs(fname):
508 | 	with open(fname, 'rb') as li:
509 | 		f = load_nxo(li)
510 | 		#for k,v in namez.iteritems():
511 | 		#	f.
512 | 
513 | 	for vtable in iter_vtables_in_nxo(f):
514 | 		interface = vtable.interface
515 | 
516 | 		#if 'CmifDomainProxy' in tail:
517 | 		#	interface += '::DomainProxy'
518 | 
519 | 		print
520 | 		print 'struct %s;' % interface
521 | 
522 | 		print 'struct %s::vt' % interface
523 | 		print '{'
524 | 		for i, entry in enumerate(vtable.entries):
525 | 			if entry.cmd is not None:
526 | 				funcname = 'Cmd%d' % entry.cmd
527 | 				if entry.funcptr in f.addr_to_name:
528 | 					ipcname = demangle(f.addr_to_name[entry.funcptr]).split('>::_nn_sf_sync_')[-1].split('(')[0]
529 | 					funcname += '_' + ipcname					
530 | 			else:
531 | 				funcname = {
532 | 					0: 'AddReference',
533 | 					1: 'Release',
534 | 					2: 'GetProxyInfo',
535 | 					3: 'GetInterfaceTypeInfo',
536 | 				}.get(i)
537 | 				if funcname is None:
538 | 					if i == len(vtable.entries) - 1:
539 | 						funcname = 'GetCmifBaseObject'
540 | 					else:
541 | 						funcname = 'func%X' % (i * 8)
542 | 			print '  _DWORD (*__fastcall %s)(%s *this, ...);' % (funcname, interface)
543 | 
544 | 		print '};'
545 | 		print 'struct %s' % interface
546 | 		print '{'
547 | 		print '  %s::vt *_vt;' % interface
548 | 		print '  _BYTE byte8;'
549 | 		print '  _BYTE byte9;'
550 | 		print '  unsigned int handle;'
551 | 		print '  void *_vt10;'
552 | 		print '  _DWORD dword18;'
553 | 		print '  _QWORD qword20;'
554 | 		print '};'
555 | 
556 | 
557 | 
558 | def dump_unique_ids(fnames):
559 | 	all_cmds = set()
560 | 	for fname in sys.argv[1:]:
561 | 		with open(fname, 'rb') as li:
562 | 			f = load_nxo(li)
563 | 		new = False
564 | 		for vtable in iter_vtables_in_nxo(f):
565 | 			interface = vtable.interface
566 | 
567 | 			for i, entry in enumerate(vtable.entries):
568 | 				if entry.cmd is not None and entry.cmd not in all_cmds:
569 | 					print entry.cmd
570 | 					new = True
571 | 					all_cmds.add(entry.cmd)
572 | 		if new:
573 | 			print all_cmds
574 | 
575 | 
576 | def main():
577 | 	dump_vtables(sys.argv[1])
578 | 	#dump_structs(sys.argv[1])
579 | 	#dump_unique_ids(sys.argv[1:])
580 | 	#for fname in sys.argv[1:]:
581 | 	#	dump_structs(fname)
582 | 
583 | 
584 | if __name__ == '__main__':
585 | 	main()
586 | 
587 | 
588 | 


--------------------------------------------------------------------------------
/swipc-gen/unicornhelpers.py:
--------------------------------------------------------------------------------
 1 | import struct
 2 | from cStringIO import StringIO
 3 | 
 4 | from unicorn import *
 5 | from unicorn.arm64_const import *
 6 | 
 7 | import nxo64
 8 | 
 9 | def load_nxo_to_unicorn(uc, f, loadbase):
10 |     for sym in f.symbols:
11 |         if sym.shndx:
12 |             sym.resolved = loadbase + sym.value
13 |         else:
14 |             sym.resolved = 0
15 | 
16 |     resultw = StringIO()
17 |     f.binfile.seek(0)
18 |     resultw.write(f.binfile.read_to_end())
19 | 
20 |     def write_qword(ea, val):
21 |         resultw.seek(ea - loadbase)
22 |         resultw.write(struct.pack('<Q', val))
23 | 
24 |     for offset, r_type, sym, addend in f.relocations:
25 |         ea = loadbase + offset
26 | 
27 |         if r_type == nxo64.R_AARCH64_RELATIVE:
28 |             assert sym is None, 'R_AARCH64_RELATIVE with sym?'
29 |             newval = (loadbase + addend)
30 |             write_qword(ea, newval)
31 |         elif r_type == nxo64.R_AARCH64_JUMP_SLOT or r_type == nxo64.R_AARCH64_GLOB_DAT:
32 |             assert sym is not None
33 |             assert addend == 0
34 |             newval = sym.resolved
35 |             write_qword(ea, newval)
36 |         elif r_type == nxo64.R_AARCH64_ABS64:
37 |             assert sym is not None
38 |             newval = sym.resolved
39 |             if addend != 0:
40 |                 #assert sym.shndx # huge mess if we do this on an extern
41 |                 newval += addend
42 |             write_qword(ea, newval)
43 |         else:
44 |             print 'TODO: r_type=0x%x sym=%r ea=%X addend=%X' % (r_type, sym, ea, addend)
45 |             continue
46 | 
47 |     binary = resultw.getvalue()
48 |     uc.mem_map(loadbase, (max(len(binary),f.bssend) + 0xFFF) & ~0xFFF) 
49 |     uc.mem_write(loadbase, binary)
50 | 
51 | def create_unicorn_arm64(): # enables float
52 | 	mu = Uc(UC_ARCH_ARM64, UC_MODE_ARM)
53 | 
54 | 	addr = 0x1000
55 | 	mu.reg_write(UC_ARM64_REG_X0, 3 << 20)
56 | 	mu.mem_map(addr, 0x1000)
57 | 	fpstartinstrs = '\x41\x10\x38\xd5\x00\x00\x01\xaa\x40\x10\x18\xd5\x40\x10\x38\xd5\xc0\x03\x5f\xd6'
58 | 	mu.mem_write(addr, fpstartinstrs)
59 | 	mu.emu_start(addr, addr+len(fpstartinstrs)-4)
60 | 	mu.mem_unmap(addr, 0x1000)
61 | 
62 | 	return mu
63 | 


--------------------------------------------------------------------------------