Qilinglab
# rootfs https://github.com/qilingframework/rootfs
# Link: https://www.shielder.it/blog/2021/07/qilinglab-release/
from qiling.os.mapper import QlFsMappedObject
from qiling import Qiling
from qiling.const import QL_VERBOSE
import sys
import struct
def challenge1(ql: Qiling):
    """Challenge 1 hook: store the 16-bit value 0x0539 (1337) at guest address 0x1337.

    The page containing 0x1337 has to be mapped before this hook fires
    (run_sandbox maps it before starting emulation).

    Args:
        ql: the running Qiling instance; only ``ql.mem.write`` is used.
    """
    # struct.pack("<H", 0x0539) == b"\x39\x05": the same two bytes the
    # fromhex()/reverse() pair would produce, i.e. 1337 as little-endian.
    ql.mem.write(0x1337, struct.pack("<H", 0x0539))
def uname_hook(ql: Qiling, address, *args, **kw):
    """Replacement for the ``uname`` syscall: fill the guest's utsname buffer.

    Writes six NUL-padded 65-byte fields at ``address`` -- the layout of the
    Linux ``struct utsname`` (sysname, nodename, release, version, machine,
    domainname) -- so the emulated program sees sysname ``QilingOS`` and
    version ``ChallengeStart``.

    Args:
        ql: the running Qiling instance.
        address: guest pointer to the utsname buffer (first syscall argument).
        *args, **kw: remaining syscall arguments; unused.

    Returns:
        0, reported to the guest as the syscall result.
    """
    fields = (
        b"QilingOS",        # sysname
        b"ql_vm",           # nodename
        b"69.0-RELEASE",    # release
        b"ChallengeStart",  # version
        b"ql_processor",    # machine
        b"",                # domainname
    )
    utsname = b"".join(field.ljust(65, b"\x00") for field in fields)
    ql.mem.write(address, utsname)
    return 0
def challenge3(ql: Qiling):
    """Challenge 3 hook: write the single byte 0x5a to the buffer pointed to by ``rsi``.

    NOTE(review): presumably this overwrites a byte the program just read
    from /dev/urandom so that it lines up with what getrand_hook hands back
    for the getrandom syscall -- confirm against the binary at the hook
    address.
    """
    ql.mem.write(ql.reg.rsi, b"\x5a")
def getrand_hook(ql: Qiling, address, *args, **kw):
    """Replacement for the ``getrandom`` syscall.

    Copies 0x20 bytes from the fixed guest address 0x80000000dd20 into the
    caller's buffer at ``address`` (the syscall's first argument).

    NOTE(review): the requested length (the second syscall argument, the
    first entry of ``args``) is ignored and 0x20 bytes are always written;
    that suits this challenge's fixed-size request, but a shorter guest
    buffer would be overrun. 0x80000000dd20 is presumably where the program
    keeps the bytes it read earlier from /dev/urandom -- verify against the
    binary. Unlike uname_hook this returns None rather than an explicit
    syscall result.
    """
    canned = bytes(ql.mem.read(0x80000000dd20, 0x20))
    ql.mem.write(address, canned)
def debug_shiz(ql: Qiling):
    """Debug helper: print the guest's ``rax`` between two marker lines.

    Not installed by default; see the commented-out hook in run_sandbox.
    """
    for line in ("Debug:", ql.reg.rax, "Debug: END"):
        print(line)
def challenge4(ql: Qiling):
    """Challenge 4 hook: set the byte at ``[rbp-8]`` to 1.

    NOTE(review): presumably a stack local that gates a branch the program
    would otherwise never take -- confirm against the binary at the hook
    address.
    """
    ql.mem.write(ql.reg.rbp - 0x8, b"\x01")
def challenge6(ql: Qiling):
    """Challenge 6 hook: zero the byte at ``[rbp-5]``.

    NOTE(review): presumably a stack local that controls a loop condition;
    confirm against the binary at the hook address.
    """
    ql.mem.write(ql.reg.rbp - 0x5, b"\x00")
def challenge9(ql: Qiling):
    """Challenge 9 hook: copy 27 bytes from ``[rax]`` to ``[rdx]``.

    NOTE(review): the fixed length 27 presumably matches a string the
    program compares afterwards; confirm against the binary.
    """
    src = ql.reg.rax
    dst = ql.reg.rdx
    ql.mem.write(dst, bytes(ql.mem.read(src, 27)))
def sleep_hook(ql: Qiling):
    """Hook placed at a sleep call site: clear ``rdi`` (the first argument) so the sleep is zero-length."""
    ql.reg.rdi = 0x0
def challenge11(ql: Qiling):
    """Challenge 11 hook: load ``rsi``, ``rcx`` and ``rax`` with the ASCII text "QilingLab   ".

    The three dwords 0x696C6951 / 0x614C676E / 0x20202062 are "Qili",
    "ngLa" and "b   " read little-endian. NOTE(review): presumably faking
    the register output of a cpuid-style check -- confirm against the binary.
    """
    ql.reg.rsi = int.from_bytes(b"Qili", "little")
    ql.reg.rcx = int.from_bytes(b"ngLa", "little")
    ql.reg.rax = int.from_bytes(b"b   ", "little")
def my_rand(ql: Qiling):
    """Replacement for libc ``rand``: force the return value (``rax``) to 0 on every call."""
    ql.reg.rax = 0x0
def challenge8(ql: Qiling):
    """Challenge 8 hook: follow the pointer at offset 0x10 of the struct in ``[rax]`` and set the pointed-to byte to 1.

    Reads the first 24 bytes of the struct and interprets bytes 16..23 as a
    little-endian guest pointer.
    """
    blob = ql.mem.read(ql.reg.rax, 24)
    (pointer,) = struct.unpack_from("<Q", blob, 0x10)
    ql.mem.write(pointer, b"\x01")
class cmdline(QlFsMappedObject):
    """Fake ``/proc/self/cmdline`` for challenge 10.

    Every ``read`` returns the fixed bytes ``qilinglab`` regardless of
    ``size`` or file position. NOTE(review): a reader that loops until a
    zero-length read would never see EOF -- adequate only because the
    program presumably reads once; verify. ``fstat`` reports failure (-1)
    and ``close`` reports success (0).
    """

    _CMDLINE = b"qilinglab"

    def read(self, size):
        """Return the fake command line; ``size`` is ignored."""
        return self._CMDLINE

    def fstat(self):
        """Report fstat as unsupported."""
        return -1

    def close(self):
        """Nothing to release."""
        return 0
def run_sandbox(path, rootfs, verbose):
    """Emulate the QilingLab binary with every challenge hook installed.

    Args:
        path: argv list for the emulated program (``[binary, ...]``).
        rootfs: directory used as the guest's root filesystem.
        verbose: a ``QL_VERBOSE`` level passed straight to Qiling.

    NOTE(review): the hook addresses are absolute and presumably assume
    the binary is loaded at the default PIE base Qiling uses
    (0x555555554000); a different build or load base would need them
    re-derived.
    """
    ql = Qiling(path, rootfs, verbose=verbose, console=False)

    # Per-challenge instruction hooks, keyed by the address each one patches.
    address_hooks = (
        (0x555555554B92, challenge1),
        (0x555555554D91, challenge3),
        (0x555555554E33, challenge4),
        (0x555555554F12, challenge6),
        (0x555555554F3C, sleep_hook),   # presumably challenge 7 (sleep)
        (0x555555554FB5, challenge8),
        (0x555555555051, challenge9),
        (0x555555555195, challenge11),
    )
    for address, hook in address_hooks:
        ql.hook_address(hook, address)

    ql.add_fs_mapper("/proc/self/cmdline", cmdline())  # challenge 10
    ql.set_api("rand", my_rand)                        # presumably challenge 5 (rand)

    # challenge1 writes to 0x1337: map the page that contains it first.
    page = 0x1337 // 4096 * 4096
    ql.mem.map(page, 4096)

    ql.set_syscall("uname", uname_hook)         # presumably challenge 2 (uname)
    ql.set_syscall("getrandom", getrand_hook)   # challenge 3 (with challenge3)

    # Debugging aids, left off by default:
    #   ql.hook_address(debug_shiz, 0x555555554F16)
    #   ql.debugger = True
    ql.run()
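if __name__ == "__main__":
    # Usage: python <this script> <path to the qilinglab binary>
    # Fail with a usage line instead of an IndexError traceback when the
    # binary path is missing or extra arguments are given.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <qilinglab-binary>")
    target = sys.argv[1]
    # The guest's argv is just the binary; the rootfs path is relative to
    # the current working directory.
    run_sandbox([target], "rootfs/x8664_linux", QL_VERBOSE.DEBUG)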