- \n
- Types (aliases, structures, enumerations, etc.) and prototypes (~function pointers)<\/li>\n
- Publicly exported routines<\/li>\n
- Constants<\/li>\n<\/ul>\n
JEB ships with typelibs for major sub-systems (such as Windows win32 (user-mode), Windows Driver Kit (kernel), Linux GNU, Linux Android, etc.) running on the most popular architectures (x86, x86-64, arm, aarch64, mips).<\/p>\n
Let’s see how types can be used to ease your reverse-engineering tasks.<\/p>\n
Using native types with the UI client<\/h2>\n
Applying types<\/h3>\n
Using types with JEB is straightforward. If your file’s target environment was identified (or partially identified), then, matching typelibs will be loaded and their types be made available to the user.<\/p>\n
The file shown below is an x86 file compiled for Windows 32-bit:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/7dca73b1f2eea3234f918f457936adb2.png\")
<\/a><\/p>\nAs such,\u00a0 win32 typelibs were loaded. You can verify that by clicking File, Engines, Type Libraries…:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/7a0be9e3c5fe885bfbcbb69a99889004.png\")
<\/a><\/p>\nLet’s define the bytes at address 0x403000 as belonging to a FILETIME<\/a> structure. You may right-click and select Edit Type (Y)<\/em>:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/26cf8d6bf827ec0464b3b5745a3d299f.png\")
<\/a><\/p>\nand input the exact type name: (the type must exist)<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/37a769ba2631e5ca04bed52b22758111.png\")
<\/a><\/p>\nAlternatively, it is easier to select a type using Select Type (T)<\/em>. A list of available types is displayed. Filter on “FILETIME”:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/7425183438645c9d72462c033c14cf95.png\")
<\/a><\/p>\nAnd apply it.<\/p>\n
The resulting updated disassembly listing will be:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/e7a1fd18ab2ae0d5cfbb8d2a54cdcc31.png\")
<\/a><\/p>\nType editor<\/h3>\n
JEB features a powerful native type editor, that allows the modification of existing “complex” types (that is, structure and derivative) and the definition of new types. Open it with Ctrl+Alt+T (macOS: Cmd+Alt+T).<\/p>\n
Below, we are selecting an existing well-known Windows type, IMAGE_DOS_HEADER.<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/fc72efc9019fbab039a89825d4c32c13.png\")
<\/a>The left panel allows you to define the exact structure layout. The right panel is a C-like view of the structure, with actual offsets.<\/figcaption><\/figure>\n Let’s create a new type.<\/p>\n
To create a structure type, click Create, and input a name, such as MyStruc1. The type editor will display your empty structure:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/ce4b4808c9b66edaae788b183164257f.png\")
<\/a><\/p>\nYou may then add or remove fields, using the following hotkeys:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/24e3429f2afd3d542baee469c53ffce9.png\")
<\/a><\/p>\nHere, we define MyStruc1 to be as such: a structure containing primitives, a nested structure, and arrays.<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/12a9bf5e30647e8a0451889acaa407ad.png\")
<\/a><\/p>\nAs seen earlier, we can apply our type MyStruc1\u00a0 anywhere on bytes, eg at offset 0x403027:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/84ec3fe7d0b22f9790cd1c3941e1d281.png\")
<\/a><\/p>\nConstants<\/h3>\n
Typelib files also bundle well-known constants, generally defined in header files with #DEFINE pre-processor commands. You may use them to replace immediate values in your assembly or decompiler views.<\/p>\n
Here is an example, again, coming from a Windows win32 file. The following decompiled method makes use of SendMessage<\/a>\u00a0routine:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/2c40de31f32e400e1839ebf0b65458f0.png\")
<\/a><\/p>\nNote that the second parameter is the message id. The MSDN provides a long list of well-known ids<\/a>; Most of them are bundled with Windows typelibs shipping with JEB.<\/p>\n
Right click on the immediate value (176), and select Replace<\/em> to see what is offered:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/611425296bd97dbb2fceab36e621c38c.png\")
<\/a><\/p>\nClick OK to perform the replacement:<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/095c5057bbc711cd23e7a5cf7be1da89.png\")
<\/a><\/p>\nMore readable, isn’t it?<\/p>\n
Custom typelibs<\/h2>\n
There exist scenarios where users will want to create their own typelibs, generally when many custom types would have to be created and\/or may need to be reused later. Examples:<\/p>\n
- \n
- Analysis of a Windows kernel component making use of Driver Kit headers whose types were not added to JEB’s pre-built WDK typelibs (our own\u00a0wdk10-<arch>.typelib<\/em> files do not contain all WDK components, although they do contain the most important ones).<\/li>\n
- The types of platform X were not compiled for a given architecture (eg, JEB does not ship with Linux types specific to Atmel AVR microcontrollers).<\/li>\n
- The binary to be analyzed makes use of a third-party SDK and the program is dynamically linked to that SDK. In that scenario, a user may want to generate typelibs for the SDK for the platform of their choosing.<\/li>\n<\/ul>\n
Creating custom typelibs<\/h3>\n
Creating a custom typelib file is a fairly simple process: the generator is called by executing your JEB startup script (eg, jeb_wincon.bat) with the following flags:<\/p>\n
$ jeb - c --typelibgen=<typelib_configuration_file><\/pre>\n
JEB ships with a sample typelib cfg file: typelibs\/custom\/sample-typelib.cfg<\/strong>. This key-value file is mostly self-explanatory, please refer to it for reference. (Below, we focus solely on the two most important entries, hdrsrc<\/em> and cstsrc<\/em>.)<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/3ad0a45eea45a6943ce54c81eb34d0a0.png\")
<\/a><\/p>\nYou may want to copy the sample configuration file and adjust it to match your requirements.<\/p>\n
The input files can be either or both of the following:<\/p>\n
- \n
- An aggregated, preprocessed header file: it should contain C types and exported methods<\/li>\n
- A constant file containing a list of named constants<\/li>\n<\/ul>\n
Types and public routines<\/h3>\n
The aggregated header can be generated by pre-processing a simple C file including your target header file(s).<\/p>\n
Example: let’s say we want to generate types for stdio.h, on Windows ARM64 platform. We can use Microsoft Compiler’s \/P flag to pre-process a sample file, 1.c including the target headers:<\/p>\n
\/\/ 1.c\r\n#include \"stdio.h\"\r\nint main(void) {return 0;}<\/pre>\n$ cl.exe\" \/P 1.c \/D \"WIN32\" \/D \"NDEBUG\" \/D \"_CONSOLE\" \/D \"_UNICODE\" \/D \"UNICODE\"\u00a0\/D \"_ARM64_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE=1\"<\/pre>\n
The resulting file will be quite large – and is likely to contain much more than just stdio.h type information (all headers recursively-included by stdio.h would be processed as well).<\/p>\n
We can rename that file as hdr.h and feed it to JEB’s Typelib Generator. (entry: hdrsrc)<\/p>\n
Quick reference: To preprocess a file with…<\/p>\n
- \n
- MSVC: use the \/P flag<\/a><\/li>\n
- GCC\/Clang: use the -E flag<\/a><\/li>\n<\/ul>\n
JEB’s built-in C declaration parser<\/h4>\n
Our C parser is C11 based, and supports most standard C declarations, as well as common MSVC and GCC extensions. Two important caveats to remember:<\/p>\n
- \n
- anonymous structure bitfields are not supported: things like “int :4” will need to be massaged to, eg, “int _:4”<\/li>\n
- anonymous aliased parameter for single-parameter methods are not supported: things like “void foo(X)” will need to be massaged to, eg, “void foo(X _)”<\/li>\n<\/ul>\n
Predefined constants<\/h3>\n
As seen earlier, typelib files can also contain list of named constants – generally, they will be those constants that are #DEFINE’d in header files.<\/p>\n
They can be scraped from C\/C++ header files. JEB ships with a handy Python script that will help you do that quickly: see typelibs\/custom\/collectDefines.py<\/strong> (other tools exist, such as GCC’s dM flag, but they may not generate all constants, only those that are preprocessed with a given set of precompilation parameters).<\/p>\n
Example:<\/p>\n
$ .\/collectDefines.py -r w10ddk\r\nCDF_DVCR_625_50_BLOCK_PERIOD:3276\r\nCDF_DVCR_625_50_BLOCK_PERIOD_REMAINDER:800000000\r\nCDROM_AUDIO_CONTROL_PAGE:14\r\nCDROM_CD_TEXT_PACK_ALBUM_NAME:128\r\nCDROM_CD_TEXT_PACK_ARRANGER:132\r\n...\r\n...<\/pre>\n
We can save that file as, eg cst.txt, and feed it to JEB’s Typelib Generator. (entry: cstsrc)<\/p>\n
Loading custom typelibs<\/h3>\n
If your typelib configuration matches your input files (most notably, the groupid<\/em> and processor<\/em> fields), then JEB will load it automatically during analysis of your input file.<\/p>\n
Example, with the sample typelib shipping with JEB (groupid=GROUPID_TYPELIB_WIN32, processor=X86):<\/p>\n
![\"\"](\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2018\/11\/abcb6fd41bc69da967513be9cf0b20b5.png\")
<\/a><\/p>\nObviously, you may decide to force-load a type lib by ticking the “Loaded” checkbox.<\/p>\n
Programmatic access with JEB API<\/h2>\n
Native types, like any other component of JEB, can be accessed with the API. Scripts and plugins can use the API to programmatically retrieve, define, apply types, as well as manipulate type libraries.<\/p>\n
The two single most important classes are:<\/p>\n
- \n
- ITypeManager<\/a>: manager of native types for a given INativeCodeUnit<\/li>\n
- TypeLibraryService<\/a>: the single entry-point to all typelibs<\/li>\n<\/ul>\n
Below is a reference to a sample JEB Python script that will get you started with the API. It shows how to define the following custom type:<\/p>\n
struct MyStruct1 {\r\n int a;\r\n unsigned char[3][2] b;\r\n};<\/pre>\nSource: https:\/\/github.com\/pnfsoftware\/jeb2-samplecode\/blob\/master\/scripts\/AddCustomNativeTypes.py<\/a><\/p>\n
We shall upload more sample scripts in the future. Feel free to share your contributions with us as well.<\/p>\n
Conclusion<\/h2>\n
If you have questions, comments or suggestions, feel free to:<\/p>\n
- \n
- leave a comment on this post<\/li>\n
- email contact@pnfsoftware.com<\/a><\/li>\n
- message us on Slack<\/a><\/li>\n
- or send us a Tweet @jebdec<\/a><\/li>\n<\/ul>\n
JEB3 is still in Beta, for a few more weeks. General availability should be expected during the first or second week of January. If you haven’t done so, feel free to ask for a Beta build right away.<\/p>\n
Once again, thank you to all our users, we are very grateful for your feedback and support. Finally, a special thank you note to our user “Andy P.” who pushed JEB’s boundaries relatively far (!) and allowed us to uncover interesting corner cases when working with large firmware binaries.<\/p>\n","protected":false},"excerpt":{"rendered":"
JEB 3.0.7 ships with our internal type library generation tool. In this post, we will show how to use native types with the client and API, and how power-users can generate custom type libraries. Type libraries (typelibs) Type libraries are *.typelib files stored in the JEB’s\u00a0typelibs\/ folder. They contain type information for a given component … Continue reading Native types and type libraries<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,13],"tags":[],"class_list":["post-946","post","type-post","status-publish","format-standard","hentry","category-jeb3","category-native-code"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=946"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/946\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- message us on Slack<\/a><\/li>\n
- TypeLibraryService<\/a>: the single entry-point to all typelibs<\/li>\n<\/ul>\n
- ITypeManager<\/a>: manager of native types for a given INativeCodeUnit<\/li>\n
- GCC\/Clang: use the -E flag<\/a><\/li>\n<\/ul>\n
- MSVC: use the \/P flag<\/a><\/li>\n
- Analysis of a Windows kernel component making use of Driver Kit headers whose types were not added to JEB’s pre-built WDK typelibs (our own\u00a0wdk10-<arch>.typelib<\/em> files do not contain all WDK components, although they do contain the most important ones).<\/li>\n