Functions all start out with some type of prologue. Powerpc is no different. I was recently taking apart some firmware when I discovered the need to have an IDA Script take care of some function creations. Since the firmware was so large I didn’t really want to continue scrolling down and manually converting the data to code by pressing ‘c’.

In order to have Ida Python create functions automatically you can use two functions.

FindBinary
and
MakeFunction

the concept is to use FindBinary to locate the standard function prologue byte code and from there, create a function using MakeFunction. Using a python while loop you can create a short IdaPython script to expand your disassembly. I ran it on a fairly large piece of firmware and it ended up handling a lot of the disassembly that Ida’s auto analysis failed to complete due to the lack of a true entry point.

When it comes to PowerPC our prologue is going to look something like this

mflr r0 ; Save the link register to r0
stw r0, 4(rsp) ; Save r0 to register commonly used as stack pointer
stwu rsp,-16(rsp) ; Create frame
stw r31, 12(rsp); Save r31

For the particular piece of firmware I was playing with it was not saving the link register. Our prologue began with a stwu instruction. So, we use FindBinary to locate all instances of 0×9421. Although the method is not perfect, on a large scale it’s much easier to automate the creation of functions via IdaPython or IDC and have a few errors, than it is to manually create all the functions.

In terms of a prologue, you are usually left with some type of branching instruction. For most functions it just be a BLR instruction which is “Branch to Link Register”

Been working through PowerPC assembly and Mysql as of Late.

As I was browsing through the book store hanging out with my son I noticed a copy of the database hackers handbook for less than $9.00, Figured I can’t go wrong at that price. I never really had an interest in databases but as I flipped through the book I realized that aside from a general ability to run through SQL commands I didn’t really have a good understanding of database systems. I created a nice syllabus to run through Mysql for the moment. Towards the latter half I’ll actually get into SQL Injections so if you’ve got some decent tuts in your link base drop it!

Anyway, PowerPC assembly is Hot, still a bit vexing since I’m used to Intel. However I see how PPC is much cleaner and more efficient. For those interested I’ve been taking notes as I follow through a syllabus for learning PPC that I created. I modeled it off the Professional Assembly programming book by Wrox publishing (which mind you is an awesome book for the Intel architecture). Right now I’ve only dropped the architecture overview notes, I am working through Moving data around and Stacks. PPC is really interesting when you get to stacks since it doesn’t necessarily have hardware support for one. However, using registers and some instructions you can create a stack and manipulate it. However, there are no formally defined instructions for it such as Intel’s PUSH and POP.

Notes are in Here.