marche147/re500.c

## re500.c
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <stdint.h>

// dirty hack of re500
// compile : gcc -shared -pie -fPIC -ore500.so re500.c
// use : LD_PRELOAD=./re500.so ./secret checker

struct vmstate_t {
	uint64_t r0;
	uint64_t r1;
	uint64_t r2;
	uint64_t r3;
	uint64_t r4;
	uint64_t r5;
	uint64_t r6;
	uint64_t r7;
	uint64_t r8;
	uint64_t r9;
	uint64_t r10;
	uint64_t pc;
	uint64_t r12;
};

FILE* fp;

uint64_t g_ret;

void trampoline();

__asm(
		".globl trampoline\n"
		"trampoline:\n"
		"push %rdi\r\n"
                "push %rsi\r\n"
                "callq hook_vmexec\r\n"
                "pop %rsi\r\n"
                "pop %rdi\r\n"
                "push %rbp\r\n"
                "mov %rsp, %rbp\r\n"
                "sub $0x20, %rsp\r\n"
		"mov $0x4019E3, %rax\r\n"
                "jmp *%rax\r\n"
     );

/*
void __attribute__((naked)) trampoline()
{
	asm(
			"push %rdi\r\n"
			"push %rsi\r\n"
			"callq hook_vmexec\r\n"
			"pop %rsi\r\n"
			"pop %rdi\r\n"
			"push %rbp\r\n"
			"mov %rsp, %rbp\r\n"
			"sub $0x20, %rsp\r\n"
			"jmp g_ret\r\n");
}
*/
void dumpvmstate(struct vmstate_t* vstate)
{
	printf("r0 = %llx\n", vstate->r0);
	printf("r1 = %llx\n", vstate->r1);
	printf("r2 = %llx\n", vstate->r2);
	printf("r3 = %llx\n", vstate->r3);
	printf("r4 = %llx\n", vstate->r4);
	printf("r5 = %llx\n", vstate->r5);
	printf("r6 = %llx\n", vstate->r6);
	printf("r7 = %llx\n", vstate->r7);
	printf("r8 = %llx\n", vstate->r8);
	printf("r9 = %llx\n", vstate->r9);
	printf("r10 = %llx\n", vstate->r10);
	printf("pc = %llx\n", vstate->pc);
	printf("r12 = %llx\n", vstate->r12);
	return;
}

void hook_vmexec(struct vmstate_t* vstate, unsigned int opcode)
{
	int i;
	printf("-------------------------------\n");
	dumpvmstate(vstate);
	printf("opcode = %x\n", opcode);
	printf("possible instructions : ");
	unsigned char* p = vstate->pc;
	for(i=0;i<0x10; i++)
		printf("%02x ", p[i]);
	puts("");
	printf("-------------------------------\n");
	return;
}

void __attribute__((constructor)) _ctor()
{
	fp = fopen("state_dump.txt", "w");
	if( !fp ) printf("cannot create file\n"), exit(-1);
	// do hook
	if( mprotect((void*)0x400000, 0x3000, 7) < 0 )
		perror("mprotect"), exit(-1);
	mmap((void*)0x8000000, 0x1000, 7, 50, -1, 0);
	unsigned char* pn = 0x8000000;
	unsigned char* p = 0x4019DB;
	g_ret = 0x4019E3;
	p[0] = 0xe9;
	*(uint32_t*)(p+1) = ((uint32_t)pn - (uint32_t)p - 5);
	*(unsigned char*)0x4019e3 = 0x48; 	// fix
	pn[0] = 0x48; pn[1] = 0xb8; 	// movabs rax, xxxx
	*(uint64_t*)(pn+2) = (uint64_t)trampoline;
	pn[10] = 0xff; pn[11] = 0xe0;
	printf("Hooked\n");
	getchar();
	return;
}

int main()
{
	printf("Hook module\n");
	return 0;
}
	#include <stdio.h>
	#include <sys/mman.h>
	#include <unistd.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/types.h>
	#include <stdint.h>

	// dirty hack of re500
	// compile : gcc -shared -pie -fPIC -ore500.so re500.c
	// use : LD_PRELOAD=./re500.so ./secret checker

	struct vmstate_t {
	uint64_t r0;
	uint64_t r1;
	uint64_t r2;
	uint64_t r3;
	uint64_t r4;
	uint64_t r5;
	uint64_t r6;
	uint64_t r7;
	uint64_t r8;
	uint64_t r9;
	uint64_t r10;
	uint64_t pc;
	uint64_t r12;
	};

	FILE* fp;

	uint64_t g_ret;

	void trampoline();

	__asm(
	".globl trampoline\n"
	"trampoline:\n"
	"push %rdi\r\n"
	"push %rsi\r\n"
	"callq hook_vmexec\r\n"
	"pop %rsi\r\n"
	"pop %rdi\r\n"
	"push %rbp\r\n"
	"mov %rsp, %rbp\r\n"
	"sub $0x20, %rsp\r\n"
	"mov $0x4019E3, %rax\r\n"
	"jmp *%rax\r\n"
	);

	/*
	void __attribute__((naked)) trampoline()
	{
	asm(
	"push %rdi\r\n"
	"push %rsi\r\n"
	"callq hook_vmexec\r\n"
	"pop %rsi\r\n"
	"pop %rdi\r\n"
	"push %rbp\r\n"
	"mov %rsp, %rbp\r\n"
	"sub $0x20, %rsp\r\n"
	"jmp g_ret\r\n");
	}
	*/
	void dumpvmstate(struct vmstate_t* vstate)
	{
	printf("r0 = %llx\n", vstate->r0);
	printf("r1 = %llx\n", vstate->r1);
	printf("r2 = %llx\n", vstate->r2);
	printf("r3 = %llx\n", vstate->r3);
	printf("r4 = %llx\n", vstate->r4);
	printf("r5 = %llx\n", vstate->r5);
	printf("r6 = %llx\n", vstate->r6);
	printf("r7 = %llx\n", vstate->r7);
	printf("r8 = %llx\n", vstate->r8);
	printf("r9 = %llx\n", vstate->r9);
	printf("r10 = %llx\n", vstate->r10);
	printf("pc = %llx\n", vstate->pc);
	printf("r12 = %llx\n", vstate->r12);
	return;
	}

	void hook_vmexec(struct vmstate_t* vstate, unsigned int opcode)
	{
	int i;
	printf("-------------------------------\n");
	dumpvmstate(vstate);
	printf("opcode = %x\n", opcode);
	printf("possible instructions : ");
	unsigned char* p = vstate->pc;
	for(i=0;i<0x10; i++)
	printf("%02x ", p[i]);
	puts("");
	printf("-------------------------------\n");
	return;
	}

	void __attribute__((constructor)) _ctor()
	{
	fp = fopen("state_dump.txt", "w");
	if( !fp ) printf("cannot create file\n"), exit(-1);
	// do hook
	if( mprotect((void*)0x400000, 0x3000, 7) < 0 )
	perror("mprotect"), exit(-1);
	mmap((void*)0x8000000, 0x1000, 7, 50, -1, 0);
	unsigned char* pn = 0x8000000;
	unsigned char* p = 0x4019DB;
	g_ret = 0x4019E3;
	p[0] = 0xe9;
	(uint32_t)(p+1) = ((uint32_t)pn - (uint32_t)p - 5);
	(unsigned char)0x4019e3 = 0x48; // fix
	pn[0] = 0x48; pn[1] = 0xb8; // movabs rax, xxxx
	(uint64_t)(pn+2) = (uint64_t)trampoline;
	pn[10] = 0xff; pn[11] = 0xe0;
	printf("Hooked\n");
	getchar();
	return;
	}

	int main()
	{
	printf("Hook module\n");
	return 0;
	}