qiling
ida plugin: 'NoneType' object is not subscriptable.
Hey, I got an error from the ida plugin when using the Deflat function.
....
File "s:\Python\Python37\Lib\site-packages\qiling\extensions\idaplugin\qilingida.py", line 2332, in <listcomp>
[x.handler() for x in self.menuitems if x.action == action]
File "s:\Python\Python37\Lib\site-packages\qiling\extensions\idaplugin\qilingida.py", line 2043, in ql_deflat
if not self._search_path():
File "s:\Python\Python37\Lib\site-packages\qiling\extensions\idaplugin\qilingida.py", line 1803, in _search_path
self.deflatqlemu.start()
File "s:\Python\Python37\Lib\site-packages\qiling\extensions\idaplugin\qilingida.py", line 991, in start
**kwargs)
File "S:\Python\Python37\lib\site-packages\qiling\core.py", line 144, in __init__
if not os.path.exists(str(self._argv[0])):
TypeError: 'NoneType' object is not subscriptable
I used Deflat against JNI_Onload and got this error.
libnative-lib.zip (about 623KB)
IDA: 7.5 pro Windows
Qiling: 1.2.4.dev0 (latest commit)
Okay, I would have a look later, probably this weekend. Being busy these days.
@wtdcode I really appreciate your hard work, Qiling is a great tool. Anyway, it seems like the path was missing; after setting the [get_input_file_path()] to the self.argv it's okay now.
After that I got this unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED) error at
mrs x8, tpidr_el0
ldr x8, [x8, #28]
Do I have to set something to the memory to make it work or it's a bug?
Thanks for your time.
Looks like a bug indeed. Will check it in details later. BTW, you may make a PR if you would like to.
From: LBJ-the-GOAT Sent: Tuesday, May 25, 2021 10:15:46 PM To: qilingframework/qiling Cc: lazymio; Mention Subject: Re: [qilingframework/qiling] ida plugin: 'NoneType' object is not subscriptable. (#804)
@wtdcode (https://github.com/wtdcode) Very appreciate your hard work, Qiling is a great tool. Anyway It seems like the path was missing, after setting the [get_input_file_path()] to the self.argv it's okay now.
After then I got this unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED) error on this instruction sturb w11, [x29, #-0x39] .
Do I have to set something to the memory to make it work or it's a bug?
Thanks for your time.
you may make a PR if you would like to.
I am not familiar with Qiling code now, so I prefer to leave it to the pro.
And I was wrong, looks like the tpidr_el0 register wasn't being handled and just returned with 0 to x8 which caused the read error.
mrs x8, tpidr_el0
ldr x8, [x8, #28]
If so, you need to make ld.so set that for you. For example, first run to main and then set PC to the function you would like to deflat.
@wtdcode Well, this file is a shared object file so I set PC at the start function, but the tpidr_el0 is still 0. However, I managed to set it manually, but I believe I must have done something wrong; is there any reason it's not initialized? Here's my code:
from qiling import Qiling
from qiling.const import QL_VERBOSE
from unicorn import arm64_const

def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DUMP)
    fc_start = 0x52b0                       # offset of the .so's start function
    base_ptr = ql.mem.get_mapinfo()[0][0]   # load base of the first mapping
    ql.hook_address(hook_shit, base_ptr + fc_start)
    ql.run()

def hook_shit(ql: Qiling, *argv, **kwargs):
    base_ptr = ql.mem.get_mapinfo()[0][0]
    # set tpidr_el0 manually otherwise it's 0
    ql.uc.reg_write(arm64_const.UC_ARM64_REG_TPIDR_EL0, 0x7ffffffde000)
    fc_jni_onload = 0x7c958
    ql.reg.arch_pc = base_ptr + fc_jni_onload   # redirect execution to JNI_OnLoad

if __name__ == "__main__":
    my_sandbox([
        "s:/gitbook/owasp-mstg-master/Crackmes/Android/Level_04/libnative-lib.so"
    ], "s:/sources/qiling/examples/rootfs")
tpidr_el0 is typically used for the thread local storage, which lots of libc functionalities rely on. Usually there is some complex setup in ld.so to finish that.
I haven't checked your lib but you may skip such instructions if they are not necessary.
BTW, I like your hook_shit naming. ; )
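The failure discussed in this thread is predictable from the code alone: a `mrs xN, tpidr_el0` whose result is immediately used as a load base will fault under emulation whenever TPIDR_EL0 is still 0, because the load then targets a tiny unmapped address. The following script is an added example, not code from the thread or from the Qiling project. It decodes `mrs xN, tpidr_el0` in a little-endian AArch64 code blob, pairs each one with a directly following 64-bit `ldr`/`ldur` that dereferences the same register, and reports which of those loads would fall outside the emulator's mapped regions for a given TPIDR_EL0 value. The instruction encodings are the architectural ones; the sample code bytes, the mapped region list and the TLS page address are constructed for the demonstration, and the `(start, end)` map shape is an assumption about the first two fields of the `ql.mem.get_mapinfo()` entries used in the script above.

```python
import struct
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Encodings from the ARMv8-A instruction set:
#   mrs  xN, tpidr_el0    -> 0xD53BD040 | N                  (op0=3 op1=3 CRn=13 CRm=0 op2=2)
#   ldr  xT, [xN, #pimm]  -> 0xF9400000 | imm12<<10 | N<<5 | T   (pimm = imm12 * 8)
#   ldur xT, [xN, #simm]  -> 0xF8400000 | imm9<<12  | N<<5 | T   (simm is 9-bit signed)
MRS_TPIDR_EL0 = 0xD53BD040
LDR_X_UIMM = 0xF9400000
LDUR_X = 0xF8400000


class TlsRead(NamedTuple):
    offset: int                  # byte offset of the mrs inside the code blob
    rt: int                      # destination register of the mrs (x8 in the issue)
    deref_offset: Optional[int]  # displacement of the following load that uses rt as base


def _decode_load(insn: int) -> Optional[Tuple[int, int, int]]:
    """Return (rt, rn, byte displacement) for a 64-bit ldr/ldur, else None."""
    if insn & 0xFFC00000 == LDR_X_UIMM:
        imm12 = (insn >> 10) & 0xFFF
        return insn & 0x1F, (insn >> 5) & 0x1F, imm12 * 8
    if insn & 0xFFE00C00 == LDUR_X:
        imm9 = (insn >> 12) & 0x1FF
        if imm9 & 0x100:            # sign-extend the 9-bit immediate
            imm9 -= 0x200
        return insn & 0x1F, (insn >> 5) & 0x1F, imm9
    return None


def find_tls_reads(code: bytes) -> List[TlsRead]:
    """Scan little-endian AArch64 code for mrs xN, tpidr_el0 and record whether
    the very next instruction loads through the register it wrote."""
    hits: List[TlsRead] = []
    n_words = len(code) // 4
    words = struct.unpack(f"<{n_words}I", code[: n_words * 4])
    for i, insn in enumerate(words):
        if insn & 0xFFFFFFE0 != MRS_TPIDR_EL0:
            continue
        rt = insn & 0x1F
        deref = None
        if i + 1 < len(words):
            load = _decode_load(words[i + 1])
            if load is not None and load[1] == rt:
                deref = load[2]
        hits.append(TlsRead(i * 4, rt, deref))
    return hits


def faulting_reads(code: bytes, tpidr_el0: int,
                   mapped: Sequence[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Given the value held in tpidr_el0 and the emulator's mapped regions as
    (start, end) pairs, return (mrs offset, target address) for every TLS load
    that would touch unmapped memory, i.e. raise UC_ERR_READ_UNMAPPED."""
    bad = []
    for hit in find_tls_reads(code):
        if hit.deref_offset is None:
            continue
        target = (tpidr_el0 + hit.deref_offset) & 0xFFFFFFFFFFFFFFFF
        if not any(start <= target < end for start, end in mapped):
            bad.append((hit.offset, target))
    return bad


# Constructed sample: the two instructions from the issue plus a nop,
# assembled by hand from the encodings above.
SAMPLE_CODE = struct.pack("<3I",
                          0xD53BD048,   # mrs x8, tpidr_el0
                          0xF841C108,   # ldur x8, [x8, #28]
                          0xD503201F)   # nop

# Constructed map: one 4 KiB page where a TLS block could live (assumed layout).
SAMPLE_MAP = [(0x7FFFFFFDE000, 0x7FFFFFFDF000)]

if __name__ == "__main__":
    print(find_tls_reads(SAMPLE_CODE))
    print("tpidr_el0 = 0:", faulting_reads(SAMPLE_CODE, 0, SAMPLE_MAP))
    print("tpidr_el0 = TLS page:", faulting_reads(SAMPLE_CODE, 0x7FFFFFFDE000, SAMPLE_MAP))
```

Run against the `.text` bytes of a library, the hit list gives the offsets to hook before skipping or redirecting such instructions, and `faulting_reads` with the register left at 0 reproduces the unmapped-read address seen in the issue; with the register pointed at a mapped page it returns nothing.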
Hello, I tested your binary and fixed some related bugs. However, for your case, the microcode generated by IDA seems quite strange and further investigation needs to be done.
@wtdcode Thank you very much!
the microcode generated by IDA seems quite strange
Yes, it's a crackme obfuscated by ollvm; I'm trying to solve it.
Have a good day.
Will you be able to try the latest version of Qiling and see if you still face the same issue? There has been a lot of rework since 2021. Feel free to open a new issue if you have any similar problem.