SiD3W4y/bootload_emu.py

## bootload_emu.py
from unicorn import *
from unicorn.x86_const import *

import struct

class FlagStream:
    flag = "flag"

    def __init__(self,pattern):
        self.flag += pattern
        self.index = 0

        if len(self.flag) < 0x13:
            self.flag += "A"*(0x13-len(self.flag))
        else:
            self.flag = self.flag[0:0x13]

    def get_next(self):
        if self.index > (len(self.flag)-1):
            return ord("a")
        char = self.flag[self.index]
        self.index += 1
        return ord(char)

fs = FlagStream("just_a_test_flag")
was_redirected = False

def hook_interrupt(mu,intno,user_data):
    #mu.emu_stop()
    int_addr = mu.reg_read(UC_X86_REG_EIP)
    ah = (mu.reg_read(UC_X86_REG_EAX) >> 8) & 0xf
    eax = mu.reg_read(UC_X86_REG_EAX)
    #print "[+] Interrupt {} at {} [ah : {}]".format(hex(intno),hex(int_addr),ah)

    if intno == 0x16:
        if ah == 1:
            char = fs.get_next()
            counter = ord(mu.mem_read(0x7dc8,1))
            unknown = ord(mu.mem_read(0x7c00,1))

            if counter == 0x13:
                mu.emu_stop()
                input_flag = mu.mem_read(0x1234,0x13)
                print "[+] Max bytes already sent"
                print "\n =========== DEBUG INFO =========== "
                print " Input flag (0x1234) : {}".format(input_flag)
                print " Unknown (0x7c00) : {}".format(hex(unknown))
                print " Dumping memory to file ..."
                data = mu.mem_read(0,1024*1024)
                open("dump.bin","wb").write(data)
            else:
                #print "EAX -> {}".format(hex(eax))
                eax = ((eax >> 8) << 8) | char # Setting up al register with our char
                #print "EAX MOD -> {}".format(hex(eax))
                mu.reg_write(UC_X86_REG_EAX,eax)

def hook_addrs(mu,addr,size,user_data):
    global was_redirected

    if addr == 0x6b: # cmp oddly does not work correctly so we replace it with emulation
        counter = ord(mu.mem_read(0x7dc8,1))
        if counter == 0x13 and was_redirected == False:
            was_redirected = True
            mu.reg_write(UC_X86_REG_EIP,0x6f)
    if addr ==  0xb2: # cmp after computations
        edi = mu.reg_read(UC_X86_REG_EDI)
        edx = mu.reg_read(UC_X86_REG_EDX)
        expected = struct.unpack("I",mu.mem_read(edx+0x7da8,4))[0]

        print "[+] Comparing edi:{} = dword [edx+0x7da8]:{}".format(hex(edi),hex(expected))


check_addr = 0x006f

print "CSAW-2017 - Realism"

print "[+] Setting up emulator"
mu = Uc(UC_ARCH_X86,UC_MODE_16)
mu.mem_map(0,1024 * 1024)

mu.hook_add(UC_HOOK_INTR,hook_interrupt)
mu.hook_add(UC_HOOK_CODE,hook_addrs)

print "[+] Loading code"
code = open("main.bin","rb").read()
mu.mem_write(0,code)

print "[+] Executing !"
mu.emu_start(0,len(code))
	from unicorn import *
	from unicorn.x86_const import *

	import struct

	class FlagStream:
	flag = "flag"

	def __init__(self,pattern):
	self.flag += pattern
	self.index = 0

	if len(self.flag) < 0x13:
	self.flag += "A"*(0x13-len(self.flag))
	else:
	self.flag = self.flag[0:0x13]

	def get_next(self):
	if self.index > (len(self.flag)-1):
	return ord("a")
	char = self.flag[self.index]
	self.index += 1
	return ord(char)

	fs = FlagStream("just_a_test_flag")
	was_redirected = False

	def hook_interrupt(mu,intno,user_data):
	#mu.emu_stop()
	int_addr = mu.reg_read(UC_X86_REG_EIP)
	ah = (mu.reg_read(UC_X86_REG_EAX) >> 8) & 0xf
	eax = mu.reg_read(UC_X86_REG_EAX)
	#print "[+] Interrupt {} at {} [ah : {}]".format(hex(intno),hex(int_addr),ah)

	if intno == 0x16:
	if ah == 1:
	char = fs.get_next()
	counter = ord(mu.mem_read(0x7dc8,1))
	unknown = ord(mu.mem_read(0x7c00,1))

	if counter == 0x13:
	mu.emu_stop()
	input_flag = mu.mem_read(0x1234,0x13)
	print "[+] Max bytes already sent"
	print "\n =========== DEBUG INFO =========== "
	print " Input flag (0x1234) : {}".format(input_flag)
	print " Unknown (0x7c00) : {}".format(hex(unknown))
	print " Dumping memory to file ..."
	data = mu.mem_read(0,1024*1024)
	open("dump.bin","wb").write(data)
	else:
	#print "EAX -> {}".format(hex(eax))
	eax = ((eax >> 8) << 8) \| char # Setting up al register with our char
	#print "EAX MOD -> {}".format(hex(eax))
	mu.reg_write(UC_X86_REG_EAX,eax)

	def hook_addrs(mu,addr,size,user_data):
	global was_redirected

	if addr == 0x6b: # cmp oddly does not work correctly so we replace it with emulation
	counter = ord(mu.mem_read(0x7dc8,1))
	if counter == 0x13 and was_redirected == False:
	was_redirected = True
	mu.reg_write(UC_X86_REG_EIP,0x6f)
	if addr == 0xb2: # cmp after computations
	edi = mu.reg_read(UC_X86_REG_EDI)
	edx = mu.reg_read(UC_X86_REG_EDX)
	expected = struct.unpack("I",mu.mem_read(edx+0x7da8,4))[0]

	print "[+] Comparing edi:{} = dword [edx+0x7da8]:{}".format(hex(edi),hex(expected))


	check_addr = 0x006f

	print "CSAW-2017 - Realism"

	print "[+] Setting up emulator"
	mu = Uc(UC_ARCH_X86,UC_MODE_16)
	mu.mem_map(0,1024 * 1024)

	mu.hook_add(UC_HOOK_INTR,hook_interrupt)
	mu.hook_add(UC_HOOK_CODE,hook_addrs)

	print "[+] Loading code"
	code = open("main.bin","rb").read()
	mu.mem_write(0,code)

	print "[+] Executing !"
	mu.emu_start(0,len(code))