from unicorn import * | |
from unicorn.x86_const import * | |
import struct | |
class FlagStream:
    """Feed a fixed-length candidate flag to the emulated program one byte at a time.

    The candidate is always the ``flag`` prefix followed by *pattern*, padded with
    ``"A"`` or truncated so that it is exactly 0x13 (19) characters long.
    """

    # Prefix every candidate starts with; the constructor extends it with the pattern.
    flag = "flag"

    def __init__(self, pattern):
        """Build the 19-character candidate from ``flag`` + *pattern* and reset the cursor."""
        target_len = 0x13
        # ljust pads a short candidate with "A"; the slice trims a long one.
        self.flag = (self.flag + pattern).ljust(target_len, "A")[:target_len]
        self.index = 0

    def get_next(self):
        """Return the ordinal of the next character, or ``ord("a")`` once exhausted.

        The cursor only advances while characters remain, so every call past the
        end yields the same filler value.
        """
        position = self.index
        if position >= len(self.flag):
            return ord("a")
        self.index = position + 1
        return ord(self.flag[position])
# Shared stream of candidate-flag bytes consumed by hook_interrupt.
fs = FlagStream(pattern="just_a_test_flag")
# One-shot latch for the 0x6b -> 0x6f redirect performed in hook_addrs.
was_redirected = False
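def hook_interrupt(mu, intno, user_data):
    """UC_HOOK_INTR callback: answer the program's keyboard requests with flag bytes.

    Only ``int 0x16`` with AH == 1 is handled. While the byte counter the program
    keeps at 0x7dc8 is below 0x13, the next byte of the module-level ``fs`` stream
    is placed in AL; once the counter reaches 0x13 the emulation is stopped and
    the program's state is printed and dumped to ``dump.bin`` for inspection.

    Args:
        mu: the ``Uc`` instance that raised the interrupt.
        intno: interrupt vector number.
        user_data: unused, required by the unicorn hook signature.
    """
    eax = mu.reg_read(UC_X86_REG_EAX)
    # AH is the full 8-bit register (bits 8-15). The previous 0xf mask folded
    # e.g. AH == 0x11 onto AH == 1 and would mis-dispatch such requests.
    ah = (eax >> 8) & 0xff
    if intno != 0x16 or ah != 1:
        return
    counter = ord(mu.mem_read(0x7dc8, 1))
    if counter == 0x13:
        mu.emu_stop()
        input_flag = mu.mem_read(0x1234, 0x13)
        unknown = ord(mu.mem_read(0x7c00, 1))
        print("[+] Max bytes already sent")
        print("\n =========== DEBUG INFO =========== ")
        print(" Input flag (0x1234) : {}".format(input_flag))
        print(" Unknown (0x7c00) : {}".format(hex(unknown)))
        print(" Dumping memory to file ...")
        data = mu.mem_read(0, 1024 * 1024)
        # Context manager so the 1 MiB dump is flushed and closed deterministically
        # rather than whenever the unreferenced file object is collected.
        with open("dump.bin", "wb") as dump:
            dump.write(data)
    else:
        # Only consume a stream byte when it is actually delivered to the program.
        char = fs.get_next()
        # Replace AL with the flag byte, keeping the upper 24 bits of EAX intact.
        mu.reg_write(UC_X86_REG_EAX, (eax & ~0xff) | char)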
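def hook_addrs(mu, addr, size, user_data):
    """UC_HOOK_CODE callback: patch around one instruction and trace one comparison.

    At 0x6b the program compares its byte counter (0x7dc8) against 0x13; the
    author found the emulated ``cmp`` unreliable there, so its outcome is
    reproduced here: once the counter reaches 0x13, EIP is redirected to 0x6f a
    single time, tracked by the module-level ``was_redirected`` flag. At 0xb2 the
    operands of the final comparison (EDI versus the dword at EDX+0x7da8) are
    printed.

    Args:
        mu: the ``Uc`` instance executing the instruction.
        addr: address of the instruction about to execute.
        size: instruction length, unused here.
        user_data: unused, required by the unicorn hook signature.
    """
    global was_redirected
    if addr == 0x6b:
        counter = ord(mu.mem_read(0x7dc8, 1))
        if counter == 0x13 and not was_redirected:
            was_redirected = True
            mu.reg_write(UC_X86_REG_EIP, 0x6f)
    if addr == 0xb2:
        edi = mu.reg_read(UC_X86_REG_EDI)
        edx = mu.reg_read(UC_X86_REG_EDX)
        # "<I": the guest is little-endian x86. A bare "I" uses the host's byte
        # order and alignment, which only happens to match on little-endian hosts.
        expected = struct.unpack("<I", mu.mem_read(edx + 0x7da8, 4))[0]
        print("[+] Comparing edi:{} = dword [edx+0x7da8]:{}".format(hex(edi), hex(expected)))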
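# Target of the 0x6b patch in hook_addrs; the hook itself uses the literal 0x6f,
# so this name is currently not referenced anywhere.
check_addr = 0x006f
print("CSAW-2017 - Realism")
print("[+] Setting up emulator")
# 16-bit x86 with a flat 1 MiB mapping; the image is loaded at address 0.
mu = Uc(UC_ARCH_X86, UC_MODE_16)
mu.mem_map(0, 1024 * 1024)
mu.hook_add(UC_HOOK_INTR, hook_interrupt)
mu.hook_add(UC_HOOK_CODE, hook_addrs)
print("[+] Loading code")
# Close the handle deterministically instead of relying on refcount GC.
with open("main.bin", "rb") as image:
    code = image.read()
mu.mem_write(0, code)
print("[+] Executing !")
# Runs until EIP reaches the end of the loaded image or a hook calls emu_stop().
mu.emu_start(0, len(code))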