Created
June 13, 2022 12:21
-
-
Save patryk4815/8ae5f9329c554baef13d3f18934326ab to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import typing | |
| import zipfile | |
| import sys | |
| import os | |
| import io | |
| import zlib | |
| from Crypto.Cipher import PKCS1_v1_5, AES | |
| from Crypto.PublicKey import RSA | |
| from Crypto.Signature import pkcs1_15, pss | |
| from Crypto.Hash import SHA1 | |
| from pwn import * | |
| from pwnlib.util import packing | |
| from unicorn import * | |
| from unicorn.arm_const import * | |
| from capstone import * | |
| import struct | |
| import binascii | |
| ''' | |
| pip install: | |
| pycryptodome | |
| capstone | |
| unicorn | |
| pwntools | |
| ''' | |
| def bn_bytes(v, have_ext=False): | |
| ext = 0 | |
| if have_ext: | |
| ext = 1 | |
| return ((v.bit_length() + 7) // 8) + ext | |
| def bn2bin(v): | |
| s = bytearray() | |
| i = bn_bytes(v) | |
| while i > 0: | |
| s.append((v >> ((i - 1) * 8)) & 0xff) | |
| i -= 1 | |
| return s | |
| def u8(*args, **kwargs): | |
| return packing.u8(*args, **kwargs) | |
| def u16(*args, **kwargs): | |
| return packing.u16(*args, **kwargs) | |
| def u32(*args, **kwargs): | |
| return packing.u32(*args, **kwargs) | |
| def p32(*args, **kwargs): | |
| return packing.p32(*args, **kwargs) | |
| def replace_bytes(v: bytes, offset: int, data: bytes): | |
| part2 = bytearray(v) | |
| part2[offset:offset + len(data)] = data | |
| return bytes(part2) | |
| def bytes_to_bstr(b: bytes) -> bytes: | |
| try: | |
| n = b.index(b'\x00') | |
| except ValueError: | |
| n = -1 | |
| if n == -1: | |
| return b | |
| return b[:n] | |
| def bstr_to_bytes(b: bytes) -> bytes: | |
| return b + b'\x00' | |
| def fix_rpad(b: bytes) -> bytes: | |
| n = int(b[-1]) | |
| if len(b) < n: | |
| return b | |
| if b[-n:].count(bytes(bytearray([n]))) != n: | |
| return b | |
| return b[:-n] | |
| def pkcs7padding(data, block_size=16): | |
| if type(data) != bytearray and type(data) != bytes: | |
| raise TypeError("Only support bytearray/bytes !") | |
| pl = block_size - (len(data) % block_size) | |
| return bytes(data + bytearray([pl for i in range(pl)])) | |
| def pkcs5padding(data): | |
| return pkcs7padding(data, 8) | |
| class convert_secret_to_key_iv(object): | |
| def __init__(self, crypto_key): | |
| self.crypto_key = crypto_key | |
| self.mu = Uc(UC_ARCH_ARM, UC_MODE_ARM) | |
| self.code_0 = binascii.unhexlify( | |
| 'f04f2de95c6b03e3026040e35cd04de20050a0e10140a0e1207096e5000057e33a00001a600307e30217a0e3010040e3afebffeb008050e2440000ba0300a0e30810a0e10d20a0e11becffeb000050e3080000ba2c209de5200052e3050000ca0800a0e10610a0e162ebffeb2c309de5030050e10200000a0800a0e154ebffeb340000ea0800a0e106b0a0e150ebffeb2ca09de50600a0e10710a0e1e22fa0e30a90a0e1800059e30980a0318080a023000058e30f00000a01e04be2087080e001c0fee5011081e2ff0051e30010a0c3963c8ce222c42ce0a33083e2032082e07cc0efe6e22fa0c301c0c0e4070050e1f2ffff1a08b08be0089059e0e8ffff1a00005ae3130000ba0130a0e3203086e55ccb03e300e0a0e302c040e30f00bce8000085e5041085e5082085e50c3085e50f00bce8000084e50e00a0e1041084e5082084e50c3084e55cd08de2f08fbde8010078e3c7ffff1a00e0e0e30e00a0e15cd08de2f08fbde8') | |
| self.data_0 = binascii.unhexlify( | |
| '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000') | |
| self.data_1 = binascii.unhexlify( | |
| '0100a0e10250a0e104408de508408de50c408de510408de514408de518408de51c408de520408de524408de528408de52c408de515efffeb010050e31200000a020050e31600000a040050e108309d051000000a0d20a0e30d30e0e30c008de90600a0e10510a0e147f5ffeb103f01e304108de2023040e32c20a0e3000093e5e0efffeb30d08de27080bde808309de50620a0e304208de5000053e3f2ffff0aeeffffea0c30a0e318008de9eeffffea10402de908d04de20030e0e308008de2043020e526f0ffeb000050e30b0000baec4b0fe3f02f0ee3024040e3002040e30030a0e304109de5000094e51ef3ffeb0010a0e1000094e576f3ffeb0100a0e308d08de21080bde804e02de51cd04de200c0a0e30ce08de20c30a0e10220d2e500e08de50cc08de510c08de514c08de59d0000eb1cd08de204f09de431eeffea343f01e370402de9023040e360d04de20040a0e30d10a0e1000093e52c20a0e300408de504408de508408de50c408de510408de514408de518408de51c408de520408de524408de528408de5d4eeffeb2c0050e30100000a60d08de27080bde800309de5050053e33400000a0a0053e3f8ffff1ae85b0fe3741d06e3025040e3c42b0fe300c095e5a83e06e32c008de2011040e3022040e3013040e30260dce52c408de530408de534408de538408de53c408de540408de544408de548408de54c408de550408de554408de558408de5bc45cde184efffeb0a0056e32000008a0120a0e30b3400e31266a0e1063003e0000053e31f00001a030c16e31800000a2c008de2002095e50c108de24bffffeb000050e3cfffffca1200001a0b30a0e300308de5103f01e30d10a0e1023040e32c20a0e3000093e562efffebc5ffffeae83b0fe3023040e3000093e50230d0e5000053e30c00000a0630a0e300308de5efffffea1500e0e30d30a0e304008de500308de5eaffffea2c008de2002095e50c108de2f9feffebe0ffffeacffeffeb000050e3afffffcaf2ffff1aedffffea30402de94bdf4de20c008de5ebeeffeb10008de20010a0e38defffeb005050e22300001a10008de2ec4b0fe3fbeeffeb7af2ffeb341f01e340210fe3021040e3002040e30530a0e1024040e300508de5001091e5000084e58bf2ffeb0010a0e1000094e5e3f2ffeba2fbffeb000050e3ec4b0fe30c209d150230a0030c209d050d30a0130c109de5024040e304008215003082e5103f01e3023040e32c20a0e3000093e51fefffeb000094e53ff3ffebfcffffea4c3f01e30020e0e3023040e310008de2002083e5dbedffebf0432de900c0a0e34cd04de20180a0e10217a0e30250a0e10370a0e108c08de50cc08de528c08de52cc08de530c08de534c08de538c08de53cc08de540c08de544c08de510c08de514c08de518c08de51cc08de520c08de524c08de574eeffeb004050e2230000ba7560efe628108de20620a0e1c2fcffeb005050e20b00000a0c009de5000050e30000000aa2edffeb010074e30500a0010200000a0400a0e11beeffeb0500a0e14cd08de2f083bde8b634dde1010053e30d50e013efffff1a1000a0e3d2eeffeb009050e20b00000a0400a0e10910a0e11020a0e315eeffeb100050e30150e0130600000a0900a0e189edffebe1ffffea0050e0e3dfffffea0350e0e3ddffffea48108de20c308de204708de50620a0e1409021e50400a0e100308de510308de2e9fcffeb005050e2edffff1a10008de20c109de568209de539edffeb005050e2e7ffff1a0400a0e1efedffeb0900a0e16fedffeb0c009de5000050e30000000a6bedffeb002098e5443b03e3023040e30000a0e3012082e2002088e5002093e5012082e2002083e5c4ffffea38402de94c4f01e3024040e3e0220fe30030a0e1002040e30400a0e10010a0e3cfeeffeb005050e20300001a000094e52aedffeb0500a0e13880bde80b50e0e3fbffffea10402de94c4f01e3024040e3000094e5010070e31080bd0860eeffeb0030e0e3003084e51080bde830402de90140a0e10010a0e324d04de20050a0e10120a0e10400a0e15beeffeb0d10a0e10400a0e12020a0e3c84e06e3c0edffeb014040e30d20a0e10d00a0e12010a0e340edffeb0410a0e1042085e204008de2b9eeffeb0410a0e1082085e208008de2b5eeffeb0410a0e10c2085e20c008de2b1eeffeb0100a0e324d08de23080bde8f04f2de90090a0e12cd04de21800a0e301b0a0e10380a0e104208de554709de55aeeffeb005050e24d00000a0020a0e30530a0e1042083e4043083e2042085e50260a0e1042083e408408de2042083e410a085e2042083e4002083e550309de5002093e5003098e5018082e2038088e0110000ea070094e8070085e8d01e06e30a20a0e1011040e314008de28aeeffeb0500a0e10910a0e178eeffeb000050e30120a0e30700a0e11100000a101095e515eeffeb060058e10d00009a0410a0e12020a0e30700a0e1016086e278edffeb0030a0e10420a0e1200053e30400a0e10310a0e10200001a320300eb000050e3dfffffaa104095e50400a0e123eeffeb000050e30010a0e100008be50340e0030a00000a0700a0e10420a0e164edffeb103095e5030050e10900000a00009be52640e0e3000050e30000000ad5ecffeb0500a0e1d3ecffeb0400a0e12cd08de2f08fbde804309de50040a0e3000083e5f6ffffea0300e0e3f7ffffea302f01e370402de9022040e3c0d04de20040a0e310108de2000092e52c20a0e30350a0e110408de514408de518408de51c408de520408de524408de528408de52c408de530408de534408de538408de53cedffeb2c0050e30100000ac0d08de27080bde810309de5030053e32e00000a070053e3f8ffff1a1000a0e308408de50c408de5e6edffeb006050e25b00000a0510a0e15dffffeb0410a0e15020a0e370008de2fdecffebe41e06e324208de2011040e31c309de570008de2f3edffeb0c3086e270008de200308de508108de204508de50c208de2083086e26cffffeb004050e25000000a08009de5000050e30000000a8cecffeb0600a0e18aecffeb000054e33e0000ba103f01e309c0a0e3023040e310108de2000093e52c20a0e310c08de5d0edffebcbffffea1000a0e308408de50c408de5b9edffeb006050e22e00000a0510a0e130ffffebd81e06e320209de5011040e33c008de23c408de540408de544408de548408de54c408de550408de554408de558408de55c408de560408de564408de568408de5bc46cde1beedffeb0c3086e23c008de200308de508108de204508de50c208de2083086e237ffffeb004050e23600000a08009de5000050e30000000a57ecffeb0600a0e155ecffeb000054e3090000ba103f01e304c0a0e3023040e310108de2000093e52c20a0e310c08de59bedffeb96ffffea0340e0e3103f01e30dc0a0e3023040e310108de2000093e52c20a0e314408de510c08de590edffeb8bffffea741d06e3c42b0fe3a43e06e3011040e3022040e3013040e33c008de23c408de540408de544408de548408de54c408de550408de554408de558408de55c408de560408de564408de568408de5bc46cde183edffeb3c008de208109de50c209de5e50700eb0040a0e193ffffea741e06e3c42b0fe3011040e3022040e320309de570008de270408de574408de578408de57c408de580408de584408de588408de58c408de590408de594408de598408de59c408de5b04acde169edffeb70008de208109de50c209de5cb0700eb0040a0e1aeffffea70402de9a2df4de20c008de5fcecffeb170e8de20010a0e39eedffeb004050e2b500001a170e8de20dedffeb0410a0e170008de2012ca0e358ecffeb183f01e3023040e3003093e5040053e31700000a1c3f01e370008de2023040e3003093e5030053e36200000ad71900eb000050e36300000a0140e0e30ce09de5103f01e3023040e30d20a0e3000093e504408ee50e10a0e100208ee52c20a0e332edffeb170e8de2a5edffeb0000a0e3f6ebffeb243f01e3023040e3003093e5030053e35d00000af0ee06e370c08de201e040e30f00bee80f00ace80f009ee80700ace80030cce50010a0e35820a0e318008de22aecffeb18208de270108de20300a0e328edffeb000050e35800001a70008de2830200eb004050e2d6ffff1a70008de20217a0e386ecffeb005050e24b0000ba1000a0e310408de514408de5f8ecffeb006050e27200000a0510a0e16ffeffeb0c3086e2100f06e300308de5010040e304508de510108de214208de2083086e287feffeb004050e21000001a0410a0e13220a0e318008de204ecffeb741d06e3c42b0fe3643e06e3011040e3022040e3013040e318008de2f8ecffeb18008de210109de514209de55a0700eb0040a0e110009de5000050e30000000a96ebffeb000056e30100000a0600a0e192ebffeb000054e32d00000a0500a0e10cecffeba0ffffeaad1900eb000050e39cffff1ab7ffffea70008de2cbecffeb043f06e370108de2013040e3002081e000c0a0e10300b3e870e08de20030d3e50c008ee7041082e50830c2e5a9ffffea283f01e3023040e30000d3e570ecffeb001050e287ffff0a70008de22aecffeba0ffffea010075e32640e0e3deffff1a81ffffea183f01e3023040e3003093e5040053e37bffff1a243f01e3023040e3003093e5030053e376ffff1a6340e0e375ffffea0c109de5103f01e3023040e32c20a0e3000093e5004081e5abecffebe8efffeb303f01e39c270fe3023040e30040a0e100508de5002040e3001093e50130a0e3faefffeb0010a0e10400a0e152f0ffeb0400a0e1bef0ffebfcffffea503f01e30020e0e3023040e3170e8de2002083e55aebffeb0340e0e3a8ffffea38402de9504f01e3024040e39c2a0fe30030a0e1002040e30400a0e10010a0e3b1ecffeb005050e20300001a000094e50cebffeb0500a0e13880bde80b00e0e33880bde810402de9504f01e3024040e3000094e5010070e31080bd0842ecffeb0030e0e3003084e51080bde8f04f2de914d04de23c609de50180a0e102a0a0e103b0a0e10070a0e138509de59cecffeb0040a0e150ebffeb0090a0e10400a0e18febffeb00808de50910a0e104608de50730a0e10400a0e10020a0e364ebffeb010050e31700001a00b08de50a30a0e10c208de20400a0e10510a0e113ecffeb010050e30f00001a0c609de50c208de20400a0e1061085e00aebffeb010050e30800001a0c309de50400a0e1036086e073ebffeb0400a0e152ecffeb0600a0e114d08de2f08fbde80000e0e314d08de2f08fbde8f04f2de95c6b03e3026040e35cd04de20050a0e10140a0e1207096e5000057e33a00001a600307e30217a0e3010040e3afebffeb008050e2440000ba0300a0e30810a0e10d20a0e11becffeb000050e3080000ba2c209de5200052e3050000ca0800a0e10610a0e162ebffeb2c309de5030050e10200000a0800a0e154ebffeb340000ea0800a0e106b0a0e150ebffeb2ca09de50600a0e10710a0e1e22fa0e30a90a0e1800059e30980a0318080a023000058e30f00000a01e04be2087080e001c0fee5011081e2ff0051e30010a0c3963c8ce222c42ce0a33083e2032082e07cc0efe6e22fa0c301c0c0e4070050e1f2ffff1a08b08be0089059e0e8ffff1a00005ae3130000ba0130a0e3203086e55ccb03e3') | |
| self.data_2 = binascii.unhexlify( | |
| 'faa8b5356c98b242d6c9bbdb40f9bcace36cd832755cdf45cf0dd6dc593dd1abac30d9263a00de518051d7c81661d0bfb5f4b42123c4b3569995bacf0fa5bdb89eb802280888055fb2d90cc624e90bb1877c6f2f114c6858ab1d61c13d2d66b69041dc760671db01bc20d2982a10d5ef8985b1711fb5b606a5e4bf9f33d4b8e8a2c9077834f9000f8ea8099618980ee1bb0d6a7f2d3d6d08976c6491015c63e6f4516b6b62616c1cd83065854e0062f2ed95066c7ba5011bc1f4088257c40ff5c6d9b06550e9b712eab8be8b7c88b9fcdf1ddd62492dda15f37cd38c654cd4fb5861b24dce51b53a7400bca3e230bbd441a5df4ad795d83d6dc4d1a4fbf4d6d36ae96943fcd96e34468867add0b860da732d0444e51d03335f4c0aaac97c0ddd3c710550aa41022710100bbe86200cc925b56857b3856f2009d466b99fe461ce0ef9de5e98c9d9292298d0b0b4a8d7c7173db359810db42e3b5cbdb7ad6cbac02083b8edb6b3bf9a0ce2b6039ad2b1743947d5eaaf77d29d1526db048316dc73120b63e3843b64943e6a6d0da85a6a7a0bcf0ee49dff099327ae000ab19e077d44930ff0d2a3088768f2011efec206695d5762f7cb67658071366c19e7066b6e761bd4fee02bd3895a7ada10cc4add676fdfb9f9f9efbe8e43beb717d58eb060e8a3d6d67e93d1a1c4c2d83852f2df4ff167bbd16757bca6dd06b53f4b36b248da2b0dd84c1b0aaff64a0336607a0441c3ef60df55df67a8ef8e6e3179be69468cb361cb1a8366bca0d26f2536e2685295770ccc03470bbbb91602222f260555be3bbac5280bbdb2925ab42b046ab35ca7ffd7c231cfd0b58b9ed92c1daede5bb0c2649b26f263ec9ca36a750a936d02a906099c3f360eeb8567077213570005824abf95147ab8e2ae2bb17b381bb60c9b8ed2920dbed5e5b7efdc7c21dfdb0bd4d2d38642e2d4f1f8b3dd686e83da1fcd16be815b26b9f6e177b06f7747b718e65a0888706a0fffca3b06665c0b0111ff9e658f69ae62f8d3ff6b6145cf6c1678e20aa0eed20dd75483044ec2b30339612667a7f71660d04d476949db776e3e4a6ad1aedc5ad6d9660bdf40f03bd83753aebca9c59ebbde7fcfb247e9ffb5301cf2bdbd8ac2baca3093b353a6a3b4240536d0ba9306d7cd2957de54bf67d9232e7a66b3b84a61c4021b685d942b6f2a37be0bb4a18e0cc31bdf055a8def022d2f7573722f6c6f63616c2f637573746f6d65725f646c2f63727970746f5f6b6579000000444543525950542e746d70002f7573722f6c6f63616c2f637573746f6d65725f646c2f7369675f6b657900005349472e746d70002f6e762f6e6574646c2f76657273696f6e5f636865636b5f726573756c74000076657263686b5f636f6e6669670000006e6574646c5f636865636b002f6e762f6e6574646c0000002f6e762f6e6574646c2f76657273696f6e5f636865636b5f726573756c742e746d7000002f6e762f6e6574646c2f6e77646c5f72736e6f74652e746d700000002f6e762f6e6574646c2f6e77646c5f72736e6f74652e7478740000006e6574646c5f7665725f63686b000000010000000500000003000000040000002f7573722f7461726765742f76657273696f6e2e74787400662e66666600000025782e2578257825780000007461720078667a002d2d6e6f2d73616d652d6f776e6572002d6d00002f7573722f62696e2f746172000000002f7573722f6c6f63616c2f646f776e6c6f61642f757064617465722e736800002f7573722f6c6f63616c2f646f776e6c6f61642f444c444154415f4c4953542e545854004c435f414c4c0000430000006d6b66732e657874340000002d4600002f7573722f7362696e2f6d6b66732e65787434006d6f756e740000002d6f00006173796e632c6e6f6174696d650000002d74000065787434000000002f7573722f62696e2f6d6f756e74000025732f25732e74677a00000025732f25735f25642e74677a000000002f746d702f646f776e6c6f616400000000010000253032783a253032783a253032783a253032783a253032783a2530327800000025732f253038782000000000253032782d253032782d253032782d2530387800253032782530327825303278253038780000000076ffffff7affffff7affffff75ffffff73ffffff2f7573722f6c6f63616c2f637573746f6d65725f646c2f64656661756c745f75726c00002573202573000000782d646174613a2025730000763a555249000000763a546172676574000000006e616d6500000000763a4e65787454696d650000763a50726f6d6f74696f6e4d65737361676500007472756500000000434f554e545259004a50000077650000436f6e6e656374696f6e3a204b6565702d416c69766500002f7573722f6c6f63616c2f637573746f6d65725f646c2f6361636572742e70656d000000582d444c2d4d6f6465000000782d696e666f3a20257300002f6465762f6e756c6c0000002f7072677265732e62696e002f72656c6e6f74652e62696e00000000434f554e5452592f257320504f53545f4e4f2f2573204d41435f414444522f25732049465f4e414d452f257320495056345f49505f414444522f257320495056345f4e45544d41534b2f257320495056345f474154455741592f257320495056365f49505f414444522f257320495056365f5052454649585f4c454e2f256420495056365f474154455741592f25732050524f58592f25732050524f58595f504f52542f25642044574c445f4d4f44452f2564205354415455532f257300000053544152540000002f776f726b2f70726f78790070726f78796164647200000070726f7879706f727400000076657273696f6e5f636865636b5f75726c00000072656c656173655f6e6f74655f75726c000000006c6f675f75726c006572726f725f6c6f675f75726c0000005553000025732563256325303464000020302038203120330000000020302035203220350000000020302038203220370000000025303278253032780000000025733a25730000004142434445464748494a4b4c4d4e4f505152535455565758595a0000434f554e5452592f257320504f53545f4e4f2f2573204d41435f414444522f25732049465f4e414d452f257320495056345f49505f414444522f257320495056345f4e45544d41534b2f257320495056345f474154455741592f257320495056365f49505f414444522f257320495056365f5052454649585f4c454e2f256420495056365f474154455741592f25732050524f58592f25732050524f58595f504f52542f25642044574c445f4d4f44452f2564205354415455532f2573204552524f525f4e4f2f256400000046494e4953480000434f554e5452592f257320504f53545f4e4f2f2573204d41435f414444522f25732049465f4e414d452f257320495056345f49505f414444522f257320495056345f4e45544d41534b2f257320495056345f474154455741592f257320495056365f49505f414444522f257320495056365f5052454649585f4c454e2f256420495056365f474154455741592f25732050524f58592f25732050524f58595f504f52542f25642044574c445f4d4f44452f2564205354415455532f2573204552524f525f4e4f2f25642050484153452f2564204355524c5f434f44452f256420485454505f434f44452f256400000000434f554e5452592f257320504f53545f4e4f2f2573204d41435f414444522f25732049465f4e414d452f257320495056345f49505f414444522f257320495056345f4e45544d41534b2f257320495056345f474154455741592f257320495056365f49505f414444522f257320495056365f5052454649585f4c454e2f256420495056365f474154455741592f25732050524f58592f25732050524f58595f504f52542f25642044574c445f4d4f44452f2564205354415455532f2573204552524f525f4e4f2f25642050484153452f256400004552524f520000002f746d702f646f776e6c6f61645f666c61736877726974655f70726f67726573730000002873657466202a574954482d4255494c542d494e2d42442a207429286c6f616420222f7573722f6c6f63616c2f676c6973702f646f776e6c6f61642f6e65742d646f776e6c6f61642d77616974696e672d66756e2e6c737022290000286c6f616420222f7573722f6c6f63616c2f676c6973702f646f776e6c6f61642f6e65742d646f776e6c6f61642d77616974696e672d66756e2e6c7370222900286e6574646c2d77616974696e672d6672616d652d7365742025642900000000286c6f616420222f7573722f6c6f63616c2f676c6973702f646f776e6c6f61642f6e65742d646f776e6c6f61642d756e6e65636573736172792d66756e2e6c7370222900286e6574646c2d756e6e65636573736172792d6672616d652d736574202225732220222573222900286c6f616420222f7573722f6c6f63616c2f676c6973702f646f776e6c6f61642f6e65742d646f776e6c6f61642d756e65787065637465642d6572722d66756e2e6c737022290000286e6574646c2d756e65787065637465642d6572722d6672616d652d7365742025642900286c6f616420222f7573722f6c6f63616c2f676c6973702f646f776e6c6f61642f6e65742d646f776e6c6f61642d6e65636573736172792d66756e2e6c73702229000000286c6f616420222f7573722f6c6f63616c2f676c6973702f646f776e6c6f61642f6e65742d646f776e6c6f61642d636f6e6669726d2d66756e2e6c73702229002873657466206e6574646c2d666f726365642d70726f67726573732d6d6f6465207429002873657466206e6574646c2d666f726365642d70726f67726573732d6d6f6465206e696c29000000286d61702d6672616d6520276e6574646c2d6e65636573736172792d6672616d65290000287768656e20283d206e6574646c2d626173652d7465726d696e6174652d666c6167206e696c29202864726177206e6574646c2d6e65636573736172792d6672616d652929000000287768656e20283d206e6574646c2d626173652d7465726d696e6174652d666c6167206e696c2920286e6574646c2d6e65636573736172792d6d6573736167652d7265647261772022257322202225732220222573222929000000002864726177206e6574646c2d6e65636573736172792d6672616d65292028756e6d61702d6672616d6520276e6574646c2d636f6e6669726d2d6672616d652900286c6f616420222f7573722f6c6f63616c2f676c6973702f646f776e6c6f61642f6e65742d646f776e6c6f61642d70726f672d66756e2e6c7370222900000000286d61702d6672616d6520276e6574646c2d70726f672d6672616d6529000000286e6574646c2d70726f672d647261772d6261722025642900000000286c6f616420222f7573722f6c6f63616c2f676c6973702f646f776e6c6f61642f6e65742d646f776e6c6f61642d66696e6973682d66756e2e6c737022290000286e6574646c2d66696e6973682d6672616d652d7365742025642900286c6f616420222f7573722f6c6f63616c2f676c6973702f646f776e6c6f61642f6e65742d646f776e6c6f61642d73746f702d66756e2e6c7370222900000000286e6574646c2d73') | |
| self.data_3 = binascii.unhexlify( | |
| '0000000012000000510600003caf000000000000120000004b09000048af00000000000012000000c70a000054af00000000000012000000a80b0000781f020000000000100018005706000060af00000000000012000000470a00006caf00000000000012000000af03000078af00000000000012000000f40600000c3b02000800000011001800ca0b0000fcfb02000000000010001800520b000084af00000000000012000000c503000090af00000000000012000000920700009caf000000000000120000000b0b0000a8af000000000000120000008a0a0000b4af000000000000120000009c0b0000781f02000000000010001800a00a0000c0af00000000000012000000d5030000ccaf000000000000120000004e0a0000d8af00000000000012000000ea030000e4af00000000000012000000140b0000f0af00000000000012000000910a0000fcaf00000000000012000000eb04000008b000000000000012000000fd03000014b000000000000012000000ba08000020b000000000000012000000b60900002cb000000000000012000000760900000000000000000000120000009b08000038b0000000000000120000005a0b000044b0000000000000120000001204000050b000000000000012000000240400005cb000000000000012000000c1060000143b02000800000011001800300b000068b000000000000012000000b009000074b0000000000000120000004604000080b000000000000012000000880600008cb000000000000012000000520400001c3b020004000000110018006404000098b000000000000012000000c7050000a4b0000000000000120000006e0b0000b0b00000000000001200000088080000bcb0000000000000120000003e090000c8b0000000000000120000002a060000d4b000000000000012000000da070000e0b000000000000012000000dc0a0000ecb0000000000000120000007804000000000000000000002000000094040000f8b000000000000012000000620a000004b100000000000012000000a904000010b100000000000012000000e50600001cb1000000000000120000005f090000000000000000000012000000ea08000028b100000000000012000000780a000034b100000000000012000000c104000040b100000000000012000000260800004cb100000000000012000000f00a000058b100000000000012000000d204000064b100000000000012000000f208000070b100000000000012000000840a00007cb100000000000012000000d50a000088b100000000000012000000750b000094b100000000000012000000e6040000a0b100000000000012000000f1040000000000000000000020000000280b0000b8b10000000000001200000000050000000000000000000020000000450b0000c4b100000000000012000000ae080000d0b100000000000012000000de060000203b020004000000110018008e060000dcb100000000000012000000b50a0000e8b1000000000000120000001a050000f4b1000000000000120000006e0a000000b200000000000012000000cc0900000cb200000000000012000000006c6962646f776e6c6f61646c69622e736f2e3000646c5f79616d735f66640064776c645f6d6f64756c655f6578656300646c5f636f6d70616e696f6e5f616674657200646c5f736c6565705f62795f6e616e6f736c65657000646c5f617465726d5f7365740064776c645f726561645f6c696e650076657273696f6e5f7265616400646c5f79616d5f726561645f69706e6574645f7374617475730064776c645f73656366696c655f646c6265666f72650064776c645f756d6f756e745f73797374656d00646c5f6d6f64656c5f6366670064776c645f66696c655f756e6d617000646c5f7461726765745f696e665f6e756d00646563697068657200646c5f77726974655f7072696f0064776c645f636c6561725f6f666674696d65720064776c645f636c65616e5f6469720064776c645f66696c655f6d61700064776c645f656570726561645f73645f646f776e6c6f61645f6d6f646500646c5f646f776e6c6f61645f6b696e640064776c645f656570726561645f6e65745f76657263686b5f696e74657276616c0064776c645f6c65645f737461727400646c5f79616d736861725f636c6f73650064776c645f6c65645f66696e69736800646c5f636f6d7061746961626c655f7665725f636865636b0064776c645f7065616b735f66696e69736800646c5f756e6c6f636b5f79616d7368617265005f66696e6900646c5f636f6d70616e696f6e5f6576656e745f68616e646c65720064776c645f656570726561645f6e65745f76657263686b5f746573746d6f646500646c5f646f776e6c6f61645f696e69740077726974655f636172655f45494e54520064776c645f61667465725f666c6700646c5f6c6f636b5f79616d73686172650064776c645f6c65645f65727200646c5f6d6f64656c5f69645f6c6973745f6765745f696e660064776c645f726573657400646c5f79616d5f77617463685f757362645f6469736b5f696e666f00646c5f77726974655f746f5f79616d7368617265006765745f385f6461746100636c6f73655f636172655f45494e54520064776c645f656570726561645f6e65745f76657273696f6e5f636865636b0064776c645f726d7264697200646c5f7461726765745f696e660064776c645f616c6c5f7369676e616c5f626c6f636b005f4a765f5265676973746572436c617373657300646c5f696e69745f646f776e6c6f61645f70617468006765745f33325f646174610064776c645f656570726561645f6f615f646f776e6c6f61645f6d6f646500646c5f617465726d5f636c6f736500646c5f726561645f66726f6d5f79616d736861726500646c5f79616d736861725f6f70656e00646c5f6765745f79616d5f6b65795f696e64657800646c5f6765745f6e6f775f76657273696f6e0064776c645f73656366696c655f646c616674657200646c5f6d6f64656c5f69645f636865636b0064776c645f65657077726974655f6e65745f76657263686b5f696e74657276616c006765745f31365f6461746100646c5f77726974655f7072696f5f6e756d00646c5f79616d5f726561645f73797374696d65005f49544d5f64657265676973746572544d436c6f6e655461626c6500646c5f636865636b5f7461726765745f6d61736b0064776c645f616c6c5f7369676e616c5f756e626c6f636b0064776c645f7363726970745f6578656300646c5f636f6d70616e696f6e5f6265666f72650064776c645f7772697465005f5f676d6f6e5f73746172745f5f005f49544d5f7265676973746572544d436c6f6e655461626c6500646c5f646f776e6c6f61645f66696e616c006c6962746977696e2e736f2e30006c69626d6973632e736f2e30006c69626963756c782e736f2e3539006c69626963752d6c652d68622e736f2e30006c69626861726662757a7a2e736f2e30006c696266726565747970652e736f2e36006c6962706e6731322e736f2e30006c696269637575632e736f2e3539006c6962696375646174612e736f2e3539006c6962737464632b2b2e736f2e3600707468726561645f63726561746500707468726561645f646574616368006c69626d2e736f2e36006c6962707468726561642e736f2e3000707468726561645f63616e63656c00707468726561645f73657463616e63656c73746174650077616974005f5f6572726e6f5f6c6f636174696f6e005f5f707468726561645f756e77696e645f6e657874006c7365656b00636f6e6e6563740077616974706964005f5f707468726561645f72656769737465725f63616e63656c00707468726561645f65786974005f5f707468726561645f756e72656769737465725f63616e63656c0066636e746c006c6962747673685f7379732e736f2e30006d6f6e5f64656c5f7265715f68656164005f64656672656164666473005f6d61786664006d6f6e69746f725f64656c657465006d6f6e69746f725f68656164006d6f6e69746f725f616464006c6962747673682e736f2e30006c69626375726c2e736f2e34006375726c5f656173795f706572666f726d006375726c5f656173795f676574696e666f006375726c5f656173795f696e6974006375726c5f736c6973745f617070656e64006375726c5f656173795f636c65616e7570006375726c5f736c6973745f667265655f616c6c006375726c5f656173795f7365746f7074006c69626e6768747470322e736f2e3134006c696273736c2e736f2e312e31006c69627a2e736f2e31006c696265787061742e736f2e3100584d4c5f50617273657243726561746500584d4c5f5365744368617261637465724461746148616e646c657200584d4c5f5061727365724672656500584d4c5f536574557365724461746100584d4c5f506172736500584d4c5f536574456c656d656e7448616e646c6572006c696263727970746f2e736f2e312e31004556505f436970686572557064617465004556505f4349504845525f4354585f7265736574005253415f766572696679004556505f4349504845525f4354585f6e6577004d44355f496e6974004d44355f46696e616c00534841315f557064617465004556505f4349504845525f4354585f6672656500424e5f62696e32626e004556505f436970686572496e69745f6578005253415f6e6577005253415f66726565004d44355f55706461746500534841315f496e697400534841315f46696e616c004556505f43697068657246696e616c5f6578004556505f6165735f3132385f636263005253415f736574305f6b6579007261697365006c69626763635f732e736f2e31005f5f61656162695f756e77696e645f6370705f707230005f5f61656162695f756e77696e645f6370705f707231006c6962632e736f2e36007374726361736573747200736f636b65740073747263707900657865637600737072696e746600666f70656e007374726e636d700070697065005f5f73747264757000636c6f736564697200696e65745f6e746f6100696e65745f6e746f70007369676e616c00756e6c696e6b0073656c656374006d6b646972007265616c6c6f630061626f727400737472746f6c6c00676574706964006b696c6c006c6f63616c74696d655f7200737472746f6c00657865636c70007374726c656e006d656d736574006368646972006d656d636d7000647570320076736e7072696e7466005f5f7369677365746a6d70006670757473006d656d6370790066636c6f736500737472746f756c006d616c6c6f63007374726361740072656d6f7665005f5f7374726e647570006f70656e646972005f5f63747970655f625f6c6f6300676574656e7600737363616e66006f707461726700696f63746c00616c61726d006765746f70745f6c6f6e67005f5f786d6b6e6f64005f5f667873746174006765746377640067657474696d656f666461790072656e616d65007372616e646f6d00636c6f636b5f67657474696d65007374726368720076666f726b00756d6f756e7432005f5f7873746174006163636573730073796e6300737472636d70005f5f6c') | |
| self.mu.mem_map(0x9000, 0x4000) # 0x9 -> 0x | |
| self.mu.mem_map(0xf000, 0x1000) | |
| self.mu.mem_map(0x10000, 0x4000) | |
| self.mu.mem_map(0x17000, 0x4000) | |
| self.mu.mem_map(0x23000, 0x4000) | |
| self.mu.mem_map(0x7ffff000, 0x200000) | |
| self.mu.mem_map(0x1000 * 1, 0x1000) | |
| self.mu.mem_map(0x1000 * 2, 0x1000) | |
| self.mu.mem_write(0x23000, self.data_0) | |
| self.mu.mem_write(0xf000, self.data_1) | |
| self.mu.mem_write(0x17000, self.data_2) | |
| self.mu.mem_write(0x9000, self.data_3) | |
| self.mu.mem_write(0xfeec, self.code_0) | |
| self.hookdict = {0xff20: ['hook_open', 4], 0xff38: ['hook___fxstat', 4], 0xff6c: ['hook_close', 4], | |
| 0xff58: ['hook_read', 4], 0xff7c: ['hook_close', 4]} | |
| def hook_open(self): | |
| self.mu.reg_write(UC_ARM_REG_R0, 0x1337) | |
| def hook___fxstat(self): | |
| self.mu.reg_write(UC_ARM_REG_R0, 0) | |
| reg = self.mu.reg_read(UC_ARM_REG_R2) | |
| self.mu.mem_write(reg + (0x80 - 0x54), b'\x20\x00\x00\x00') # TODO: p32(len(self.crypto_key)) | |
| def hook_close(self): | |
| self.mu.reg_write(UC_ARM_REG_R0, 0) | |
| def hook_read(self): | |
| fp_reg = self.mu.reg_read(UC_ARM_REG_R0) | |
| reg = self.mu.reg_read(UC_ARM_REG_R1) | |
| self.mu.reg_write(UC_ARM_REG_R0, len(self.crypto_key)) | |
| self.mu.mem_write(reg, self.crypto_key) | |
| def _start_unicorn(self, startaddr): | |
| try: | |
| self.mu.emu_start(startaddr, 0) | |
| except Exception as e: | |
| if self.mu.reg_read(UC_ARM_REG_PC) == 4: | |
| return | |
| retAddr = self.mu.reg_read(UC_ARM_REG_LR) | |
| if retAddr in self.hookdict.keys(): | |
| getattr(self, self.hookdict[retAddr][0])() | |
| self._start_unicorn(retAddr) | |
| else: | |
| print('[!] Exception occured - Emulator state (arm):') | |
| print("UC_ARM_REG_R0 : %X" % (self.mu.reg_read(UC_ARM_REG_R0))) | |
| print("UC_ARM_REG_R1 : %X" % (self.mu.reg_read(UC_ARM_REG_R1))) | |
| print("UC_ARM_REG_R2 : %X" % (self.mu.reg_read(UC_ARM_REG_R2))) | |
| print("UC_ARM_REG_R3 : %X" % (self.mu.reg_read(UC_ARM_REG_R3))) | |
| print("UC_ARM_REG_R4 : %X" % (self.mu.reg_read(UC_ARM_REG_R4))) | |
| print("UC_ARM_REG_R5 : %X" % (self.mu.reg_read(UC_ARM_REG_R5))) | |
| print("UC_ARM_REG_R6 : %X" % (self.mu.reg_read(UC_ARM_REG_R6))) | |
| print("UC_ARM_REG_R7 : %X" % (self.mu.reg_read(UC_ARM_REG_R7))) | |
| print("UC_ARM_REG_R8 : %X" % (self.mu.reg_read(UC_ARM_REG_R8))) | |
| print("UC_ARM_REG_R9 : %X" % (self.mu.reg_read(UC_ARM_REG_R9))) | |
| print("UC_ARM_REG_R10 : %X" % (self.mu.reg_read(UC_ARM_REG_R10))) | |
| print("UC_ARM_REG_R11 : %X" % (self.mu.reg_read(UC_ARM_REG_R11))) | |
| print("UC_ARM_REG_R12 : %X" % (self.mu.reg_read(UC_ARM_REG_R12))) | |
| print("UC_ARM_REG_R13 : %X" % (self.mu.reg_read(UC_ARM_REG_R13))) | |
| print("UC_ARM_REG_R14 : %X" % (self.mu.reg_read(UC_ARM_REG_R14))) | |
| print("UC_ARM_REG_R15 : %X" % (self.mu.reg_read(UC_ARM_REG_R15))) | |
| raise e | |
| def run(self): | |
| # def hook_code(uc, address, size, user_data): | |
| # instr = None | |
| # for c in Cs(CS_ARCH_ARM, CS_MODE_ARM).disasm(self.mu.mem_read(address, size), address, size): | |
| # instr = c | |
| # print(">>> Tracing instruction at 0x%x intr=%s" % (address, instr)) | |
| # | |
| # self.mu.hook_add(UC_HOOK_CODE, hook_code) | |
| self.mu.reg_write(UC_ARM_REG_SP, 0x7fffff00) | |
| self.mu.reg_write(UC_ARM_REG_LR, 0x4) | |
| argAddr_0 = (1 * 0x1000) | |
| # self.mu.mem_write(argAddr_0, arg_0_out) | |
| self.mu.reg_write(UC_ARM_REG_R0, argAddr_0) | |
| argAddr_1 = (2 * 0x1000) | |
| # self.mu.mem_write(argAddr_1, arg_1_out) | |
| self.mu.reg_write(UC_ARM_REG_R1, argAddr_1) | |
| self._start_unicorn(0xfeec) | |
| ret = self.mu.reg_read(UC_ARM_REG_R0) | |
| if ret != 0: | |
| raise ValueError('invalid key;/') | |
| key = self.mu.mem_read(argAddr_0, 16) | |
| iv = self.mu.mem_read(argAddr_1, 16) | |
| return key, iv | |
| class cipher(object): | |
| def __init__(self): | |
| self.mu = Uc(UC_ARCH_ARM, UC_MODE_ARM) | |
| self.code_0 = binascii.unhexlify('f0402de90030a0e3e2efa0e3800051e30170a0318070a023000057e30f00000a015040e2076082e00140f5e596cc8ee2013083e2a3c08ce2ff0053e30030a0c32ee424e07e40efe6e2efa0c304e08cd00140c2e4060052e1f2ffff1a070080e0071051e0e8ffff1a0100a0e1f080bde8') | |
| self.data_0 = binascii.unhexlify('7f454c4601010100000000000000000003002800010000007033000034000000a4a500000200000534002000050028001b001a0001000070509600005096000050960000d0030000d0030000040000000400000001000000000000000000000000000000249a0000249a000005000000008000000100000000a00000002001000020010050040000d81e0000060000000080000002000000d4a00000d4200100d42001006801000068010000060000000400000051e5746400000000000000000000000000000000000000000600000004000000c5000000e8000000ae0000008a00000000000000b30000004300000000000000a8000000000000000000000000000000dc000000000000006c000000b600000060000000000000009b0000005c000000cb000000cf0000002e00000000000000bc000000960000009a000000800000005e0000000000000000000000560000003c00000062000000b10000000000000000000000970000007700000000000000e200000004000000d80000000000000072000000db000000d300000000000000df00000000000000b50000003900000065000000af00000099000000000000000000000067000000d6000000ab000000b80000004000000017000000bd00000052000000880000009f0000007f000000ce000000ca0000000000000000000000c9000000e100000000000000de000000e70000003200000069000000bf0000008c00000000000000da00000000000000cd0000006300000092000000000000008f00000000000000000000007b00000000000000c400000045000000a6000000e4000000360000005d00000000000000c80000004d00000027000000120000008500000018000000000000007100000074000000d90000004f00000095000000be000000e000000000000000a300000000000000b9000000c000000000000000d1000000ba00000000000000000000000500000000000000cc00000006000000000000000000000083000000d2000000150000009400000042000000a2000000000000004b000000c1000000e60000004700000000000000870000005000000000000000510000000000000010000000130000000000000000000000e3000000080000002f0000006d0000005a000000c20000003300000048000000000000000000000000000000d00000002c0000008b0000006f000000680000000000000000000000bb00000029000000000000007a000000d400000070000000e5000000820000006a00000000000000d5000000d70000005900000073000000b000000000000000000000004c0000000000000000000000ac0000008600000000000000c300000091000000310000000000000000000000b7000000c600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f00000000000000110000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000001600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000140000000000000000000000000000000000000000000000000000000000000037000000000000000000000000000000340000002b0000000000000023000000000000000000000000000000000000000000000000000000000000000000000000000000000000002600000000000000000000000000000000000000380000000000000000000000000000000000000000000000000000000b00000000000000000000001c0000004a000000000000000000000000000000000000002800000007000000000000001d000000190000000000000000000000640000000e0000000000000000000000610000000000000000000000000000006b000000000000006600000000000000000000000000000000000000220000002d000000350000000000000000000000000000000000000057000000000000000000000000000000530000007d000000000000007e00000000000000810000000c000000000000002100000084000000460000002500000078000000200000001a000000000000007c0000000000000000000000900000005400000000000000000000000000000098000000000000003b000000000000008e000000000000000000000000000000000000009c000000000000004100000075000000000000003000000009000000a9000000ad000000a700000000000000a0000000000000009e0000005b0000000d0000000000000079000000030000004900000000000000000000009d00000089000000b40000003e00000000000000240000000000000000000000000000003d0000000000000093000000aa0000004e0000003f0000001b0000003a000000b20000008d00000000000000440000005800000000000000000000001f0000005f000000a50000006e000000000000007600000000000000a1000000c700000000000000dd0000001e000000000000005500000000000000c5000000a40000002a0000000000000000000000000000000000000000000000000000004c2e0000000000000300080000000000082001000000000003001200a90000000000000000000000120000002f020000242401000400000011001600f10d0000c47b00004404000012000a00e0020000983f00000c01000012000a00c70d0000187900005c00000012000a00f7000000e03600006000000012000a00d20900005c5e00000400000012000a006c0400004c5000000c00000012000a00940b00000000000000000000120000004e010000786400003c00000012000a006d090000905a0000a002000012000a00660b0000f86500004400000012000a0076020000443d00009000000012000a003f050000a45100004c00000012000a00cf0b0000ac680000c400000012000a00590b0000c8630000b000000012000a00ab020000783e00009000000012000a0014010000203800005400000012000a00090f0000cc8800008c00000012000a00850e0000708000001400000012000a00271000005024010000000000100016000c0800002c5600008c01000012000a00a8070000445500003c00000012000a0010060000d05200003c00000012000a00620a0000000000000000000012000000a4040000a85000005000000012000a009d03000080240100561a000011001700a9090000505e00000400000012000a0028080000b85700003400000012000a00bf0b00007c6800003000000012000a00430c0000000000000000000012000000120d0000149400000400000011000c00c9000000e4350000fc00000012000a00460d0000d47700005c00000012000a00360d0000807600005401000012000a000b010000403700007000000012000a00440a00008c5e00003800000012000a00ee0c00001c9400001800000011000c00c3070000805500007c00000012000a00e7030000000000000000000012000000d7070000fc5500002400000012000a004b0b0000706300005800000012000a007f0b00003c6600006c00000012000a00620c00009c6d0000b800000012000a00b80800002c5800002800000012000a00b6000000000000000000000012000000a80b0000d0670000ac00000012000a00590c000000000000000000001200000050040000405000000c00000012000a004b0c000000000000000000001200000054100000d83e01000000000010001700f2050000c45200000c00000012000a00fe0a00004c2401000400000011001600180c0000000000000000000012000000d30500009c5200002800000012000a008209000000000000000000001200000087070000385500000c00000012000a00e5060000405400002800000012000a00750d000074740000b400000012000a003a020000ec3b00003800000012000a00bd030000544900001005000012000a00be0000000000000000000000120000004d03000058430000c401000012000a00840d000028750000ac00000012000a000f0b0000a06200005000000012000a00b5050000605200003c00000012000a005a01000000000000000000001200000088040000585000005000000012000a00980e0000388600004c01000012000a001b0300000000000000000000120000003b0c0000000000000000000012000000b6010000343a00000c00000012000a009d000000e43400000001000012000a00ba0d0000000000000000000012000000520c000000000000000000001200000010000000408e00000000000012000b00e5090000605e00000800000012000a002e0a0000745e00001800000012000a00ef030000644e00009800000012000a0048100000d83e0100000000001000170092090000000000000000000012000000b4060000b85300004c00000012000a0025070000145500000c00000012000a00380300002c4200002c01000012000a0002010000508e00000004000011000c00e4000000000000000000000012000000610b0000000000000000000012000000b60c0000d46e00002c00000012000a00f4080000b45800005c00000012000a0049100000d83e01000000000010001700ff0b0000000000000000000012000000d7000000000000000000000012000000c5020000083f00009000000012000a00d6030000346500008000000012000a008d010000000000000000000012000000510e0000088000005400000012000a0093010000e43900002800000012000a00940d0000d4750000ac00000012000a008601000000000000000000001200000042090000000000000000000012000000670a0000c45e00008000000012000a00600e00005c8000001400000012000a008f020000d43d0000a400000012000a00aa03000084460000d002000012000a0048080000ec5700000c00000012000a00ef070000205600000c00000012000a00aa0a0000386000008000000012000a002a020000000000000000000012000000c9010000403a00005400000012000a00b20d000000000000000000001200000011090000105900006000000012000a00ec000000000000000000000012000000400b0000506300002000000012000a000207000068540000ac00000012000a00cd060000045400003c00000012000a0017040000a04f00009400000012000a0006020000283b00006000000012000a00c30e00008c8700000400000012000a00340e000084890000c800000012000a00c10c00004c2e000000000000120008002a010000b46500004400000012000a0046070000205500000c00000012000a006b0e00000000000000000000120000002d090000705900008c00000012000a002f0c0000806c00001c01000012000a009c0a0000442001009000000011001300780b0000000000000000000012000000ac0d0000000000000000000012000000170a0000705e00000400000012000a0022030000fc5900001400000012000a0003040000fc4e0000a400000012000a0006050000705100002800000012000a00') | |
| self.data_1 = binascii.unhexlify('f35da9994440689d9d662b902a7bea94e71db4e0500075e4892636e93e3bf7ed3b6bb0f38c7671f7555032fae24df3fe5ff0bcc6e8ed7dc231cb3ecf86d6ffcb8386b8d5349b79d1edbd3adc5aa0fbd8eee00c6959fdcd6d80db8e6037c64f643296087a858bc97e5cad8a73ebb04b77560d044fe110c54b383686468f2b47428a7b005c3d66c158e4408255535d43519e3b1d252926dc21f0009f2c471d5e28424d1936f550d8322c769b3f9b6b5a3b26d6150391cbd40748ed970afff0560efaa011104dbdd014949b93192386521d0e562ff1b94beef5606dadf8d7706cfcd2202be2653deae6bc1ba9eb0b0668efb6bb27d701a6e6d3d880a5de6f9d64da6acd23c4ddd0e2c004f6a1cdb3eb60c97e8d3ebdc990ffb910b6bcb4a7ab7db0a2fb3aae15e6fbaaccc0b8a77bdd79a3c660369b717df79fa85bb4921f4675961a163288ad0bf38c742db081c330718599908a5d2e8d4b59f7ab085440b6c95045e68e4ef2fb4f4a2bdd0c479cc0cd43217d827b9660437f4f460072f85bc176fd0b86684a16476c93300461242dc565e94b9b115e565a1587701918306dd81c353d9f0282205e065b061d0bec1bdc0f51a69337e6bb52333f9d113e8880d03a8dd097243acd5620e3eb152d54f6d4297926a9c5ce3b68c1171d2bcca000eac8a550add6124d6cd2cb6b2fdf7c76eedbc1cba1e376d660e7aff023ea18ede2ee1dbda5f0aaa064f4738627f9c49be6fd09fdb889bee0798d67c63a80d0dbfb84d58bbc9a62967d9ebbb03e930cadff97b110b0af060d71abdf2b32a66836f3a26d66b4bcda7b75b8035d36b5b440f7b12f6465762f6474762f737973636f6d31000000002f6465762f6474762f79616d73686172300000006972645f737461747573000073797374696d650079616d5f706f776572000000757362645f7374617475730069706e6574645f73746174757300000069706e6574645f726571756573740000747673685f6966002f746d702f706e6c5f646174615f66696c650000414c4c002f6465762f6474762f62656c73695f7770000000090100002f6465762f6474762f656570726f6d31000000002f746d702f4d4f44454c5f434f4e4649470000002f6465762f636e6f64655f61646a00002f6465762f6474762f617465726d30005b7375726665725d202f6465762f6474762f617465726d30206f70656e206572720000005b7375726665725d202f6465762f6474762f617465726d206f70656e71727920657272002f6465762f6474762f617465726d2564000000002f6465762f6969632564000025732e746d7000002f0000002e0000002e2e00002f746d702f64776c645f746573745f66696c6500010000000300000000040000080000000001000000020000000800000100000003000000010000000300000000040000080000000001000001000000030000000c0000000600000000000000010000000a0000000300000009000000080000002f7573722f7461726765742f6763782f5344444c2e534543000000002f7573722f7461726765742f6e6f766174656b2f5344444c2e534543000000002f7573722f7461726765742f6d737461722f5344444c2e53454300005045414b530000005045414b53424f4f540000005045414b53204c5349444154410000005045414b532046494c450000474358004e4f564154454b005045414b5320454550524f4d00000000434f4d50414e494f4e0000002f7573722f7461726765742f76657273696f6e2e747874006d6f756e740000002f7362696e2f6d6f756e74002f6465762f6d6d63626c6b30702564002f776f726b2f646f776e6c6f61645f7363726970742e6461740000002f6465762f6d6d63626c6b307031000000000000000000000000000000000000000020002f6465762f6d6d63626c6b30626f6f7430000000000000000000000000000000000001002f6465762f6d6d63626c6b30000000002f7573722f6c6f63616c2f646f776e6c6f61642f5344444c2e544d50000000002f7573722f6c6f63616c2f646f776e6c6f61642f5344444c2e5345430000000025732f25730000002f7573722f6c6f63616c2f646f776e6c6f61640008b10181b0b000840000000008b10181b0b0008400000000dcb20181b0b0ad0300000000cab20181b0b0ab010000000008b10181b0b000840000000008b10181b0b000840000000008b10181b0b000840000000008b10181b0b0008400000000449dff7fb0b0b080dc9dff7f94ffff7f3c9eff7f98ffff7f7c9eff7fb0ac0d8070a0ff7fb0b0a880c8a0ff7fb0b0ab80a0a1ff7fb0a80180eca1ff7fb0a90280eca2ff7fb0aa07804ca3ff7fa908b18094a3ff7fb0b0b08098a3ff7f0084048078a4ff7fb0aa0980d0a4ff7fb0b0a8802ca5ff7fa908b1805ca5ff7fb0ab0280c8a8ff7f34ffff7fcca9ff7faf7eb280fcaaff7fa908b18044abff7fab08b18068acff7faf3f2a8024aeff7fb0ac2b8054b2ff7faf3f30805cb7ff7fab08b18024b9ff7fb0b0b08040b9ff7fb0a80180d8b9ff7fb0b0a88024baff7fb0b0b08040baff7f0084028060baff7fb0b0b08064baff7fb0a90280a8baff7fa908b180dcbaff7f00840280fcbaff7fb0b0b08000bbff7fa908b18034bbff7f0084028054bbff7fb0b0b08058bbff7fa908b1808cbbff7fb0b0b08088bbff7f00840280a8bbff7fb0a90280ecbbff7f008402800cbcff7fb0b0b08010bcff7fb0a9028054bcff7fa908b18088bcff7f00840280a8bcff7fb0aa01804cbdff7fb0b0b08074bdff7fa908b180a8bdff7fb0a902801cbeff7f0084028038beff7fb0b0b0803cbeff7f20feff7fc0bfff7f00840280ecbfff7fb0b0b080fcbfff7f00840280a4c0ff7f0084048058c1ff7fb0ab0280dcc1ff7fb0b0b080e8c1ff7fa93f048060c2ff7fb0af3a80f8c4ff7fa908b18028c5ff7fb0ab048008c6ff7fb0b0b0803cc6ff7fa908b1806cc6ff7fb0008480e4c6ff7fb0b0aa80d0c7ff7fb0b0a88048c8ff7fb0a8038080c8ff7fb0ab048020caff7fb0a8058068caff7fb0b0a8809ccaff7fb0b0b080d8caff7fb000848028cbff7fb0aa0180d0cbff7fb0a8018004ccff7fad08b180fcccff7fb0b0aa8038cdff7fab08b180e0cdff7fb0b0ac8050ceff7fb0b0b08090ceff7fb0b0a880b4ceff7fa908b180e8ceff7fb0aa17808ccfff7fa908b180b4cfff7fad08b18070d0ff7fb0b0ac80e0d0ff7fac3f17803cd2ff7fb0ae158068d3ff7faf3f02807cd4ff7fb0ac3f802cd5ff7fb0b0aa809cd5ff7fb0b0b0809cd5ff7fe4fcff7fc0d5ff7fb0b0b08084d6ff7fb000848098d8ff7fb0b0b08040daff7f0084028014dbff7fa908b18018ddff7fb0ab028064deff7fb0a90280b8deff7f0084088098dfff7fb0b0aa80ecdfff7fb0af1080a8e1ff7fab7cb2802ce2ff7faf479b8068e6ff7fb0b0a880b4e6ff7f80fcff7fc0e6ff7f84fcff7fcce6ff7fb0b0b08038e7ff7fb0af0a8060ebff7fa908b180bcebff7fb0a8018060ecff7fb0ac1180a4edff7fb0b0b080a8edff7f00840280c0edff7fb0a82580d4eeff7fa908b18058efff7f40fcff7f7cefff7fab08b1803cf0ff7faf44b280d8f1ff7f0100000000000000') | |
| self.mu.mem_map(0x0,0x3000) | |
| self.mu.mem_map(0x3000,0x4000) | |
| self.mu.mem_map(0x9000,0x4000) | |
| self.param_start = 0x00_01_f0_00 | |
| self.param_size = 0xa0_00_00 | |
| self.mu.mem_map(self.param_start + (self.param_size * 0), self.param_size) | |
| self.mu.mem_map(self.param_start + (self.param_size * 1), self.param_size) | |
| self.mu.mem_map(0x7ffff000,0x20_00_00) | |
| self.mu.mem_write(0x0, self.data_0) | |
| self.mu.mem_write(0x9000, self.data_1) | |
| self.mu.mem_write(0x37b0, self.code_0) | |
| def _start_unicorn(self, startaddr): | |
| try: | |
| self.mu.emu_start(startaddr, 0) | |
| except Exception as e: | |
| if self.mu.reg_read(UC_ARM_REG_PC) == 4: | |
| return | |
| else: | |
| print ('[!] Exception occured - Emulator state (arm):') | |
| print ("UC_ARM_REG_R0 : %X" % (self.mu.reg_read(UC_ARM_REG_R0))) | |
| print ("UC_ARM_REG_R1 : %X" % (self.mu.reg_read(UC_ARM_REG_R1))) | |
| print ("UC_ARM_REG_R2 : %X" % (self.mu.reg_read(UC_ARM_REG_R2))) | |
| print ("UC_ARM_REG_R3 : %X" % (self.mu.reg_read(UC_ARM_REG_R3))) | |
| print ("UC_ARM_REG_R4 : %X" % (self.mu.reg_read(UC_ARM_REG_R4))) | |
| print ("UC_ARM_REG_R5 : %X" % (self.mu.reg_read(UC_ARM_REG_R5))) | |
| print ("UC_ARM_REG_R6 : %X" % (self.mu.reg_read(UC_ARM_REG_R6))) | |
| print ("UC_ARM_REG_R7 : %X" % (self.mu.reg_read(UC_ARM_REG_R7))) | |
| print ("UC_ARM_REG_R8 : %X" % (self.mu.reg_read(UC_ARM_REG_R8))) | |
| print ("UC_ARM_REG_R9 : %X" % (self.mu.reg_read(UC_ARM_REG_R9))) | |
| print ("UC_ARM_REG_R10 : %X" % (self.mu.reg_read(UC_ARM_REG_R10))) | |
| print ("UC_ARM_REG_R11 : %X" % (self.mu.reg_read(UC_ARM_REG_R11))) | |
| print ("UC_ARM_REG_R12 : %X" % (self.mu.reg_read(UC_ARM_REG_R12))) | |
| print ("UC_ARM_REG_R13 : %X" % (self.mu.reg_read(UC_ARM_REG_R13))) | |
| print ("UC_ARM_REG_R14 : %X" % (self.mu.reg_read(UC_ARM_REG_R14))) | |
| print ("UC_ARM_REG_R15 : %X" % (self.mu.reg_read(UC_ARM_REG_R15))) | |
| raise e | |
| def run(self, input: bytes, size: int): | |
| # def hook_code(uc, address, size, user_data): | |
| # instr = None | |
| # for c in Cs(CS_ARCH_ARM, CS_MODE_ARM).disasm(self.mu.mem_read(address, size), address, size): | |
| # instr = c | |
| # print(">>> Tracing instruction at 0x%x intr=%s" % (address, instr)) | |
| # | |
| # self.mu.hook_add(UC_HOOK_CODE, hook_code) | |
| self.mu.reg_write(UC_ARM_REG_SP, 0x7fffff00) | |
| self.mu.reg_write(UC_ARM_REG_LR, 0x4) | |
| argAddr_0 = self.param_start + (self.param_size * 0) | |
| self.mu.mem_write(argAddr_0, input) | |
| self.mu.reg_write(UC_ARM_REG_R0, argAddr_0) | |
| self.mu.reg_write(UC_ARM_REG_R1, size) | |
| argAddr_2 = self.param_start + (self.param_size * 1) | |
| self.mu.reg_write(UC_ARM_REG_R2, argAddr_2) | |
| self._start_unicorn(0x37b0) | |
| ret = self.mu.reg_read(UC_ARM_REG_R0) | |
| if ret != 0: | |
| raise ValueError('invalid response :/') | |
| out = self.mu.mem_read(argAddr_2, size) | |
| return out | |
| class decipher(object): | |
| def __init__(self): | |
| self.mu = Uc(UC_ARCH_ARM, UC_MODE_ARM) | |
| self.code_0 = binascii.unhexlify('f0402de9e2cfa0e300e0a0e3800051e30170a0318070a023000057e30f00000a015040e2076082e00140f5e501e08ee2ff005ee300e0a0c3963c84e22c4424e0a33083e203c08ce07440efe6e2cfa0c30140c2e4060052e1f2ffff1a070080e0071051e0e8ffff1a0100a0e1f080bde8') | |
| self.data_0 = binascii.unhexlify('7f454c4601010100000000000000000003002800010000007033000034000000a4a500000200000534002000050028001b001a0001000070509600005096000050960000d0030000d0030000040000000400000001000000000000000000000000000000249a0000249a000005000000008000000100000000a00000002001000020010050040000d81e0000060000000080000002000000d4a00000d4200100d42001006801000068010000060000000400000051e5746400000000000000000000000000000000000000000600000004000000c5000000e8000000ae0000008a00000000000000b30000004300000000000000a8000000000000000000000000000000dc000000000000006c000000b600000060000000000000009b0000005c000000cb000000cf0000002e00000000000000bc000000960000009a000000800000005e0000000000000000000000560000003c00000062000000b10000000000000000000000970000007700000000000000e200000004000000d80000000000000072000000db000000d300000000000000df00000000000000b50000003900000065000000af00000099000000000000000000000067000000d6000000ab000000b80000004000000017000000bd00000052000000880000009f0000007f000000ce000000ca0000000000000000000000c9000000e100000000000000de000000e70000003200000069000000bf0000008c00000000000000da00000000000000cd0000006300000092000000000000008f00000000000000000000007b00000000000000c400000045000000a6000000e4000000360000005d00000000000000c80000004d00000027000000120000008500000018000000000000007100000074000000d90000004f00000095000000be000000e000000000000000a300000000000000b9000000c000000000000000d1000000ba00000000000000000000000500000000000000cc00000006000000000000000000000083000000d2000000150000009400000042000000a2000000000000004b000000c1000000e60000004700000000000000870000005000000000000000510000000000000010000000130000000000000000000000e3000000080000002f0000006d0000005a000000c20000003300000048000000000000000000000000000000d00000002c0000008b0000006f000000680000000000000000000000bb00000029000000000000007a000000d400000070000000e5000000820000006a00000000000000d5000000d70000005900000073000000b000000000000000000000004c0000000000000000000000ac0000008600000000000000c300000091000000310000000000000000000000b7000000c600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f00000000000000110000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000001600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000140000000000000000000000000000000000000000000000000000000000000037000000000000000000000000000000340000002b0000000000000023000000000000000000000000000000000000000000000000000000000000000000000000000000000000002600000000000000000000000000000000000000380000000000000000000000000000000000000000000000000000000b00000000000000000000001c0000004a000000000000000000000000000000000000002800000007000000000000001d000000190000000000000000000000640000000e0000000000000000000000610000000000000000000000000000006b000000000000006600000000000000000000000000000000000000220000002d000000350000000000000000000000000000000000000057000000000000000000000000000000530000007d000000000000007e00000000000000810000000c000000000000002100000084000000460000002500000078000000200000001a000000000000007c0000000000000000000000900000005400000000000000000000000000000098000000000000003b000000000000008e000000000000000000000000000000000000009c000000000000004100000075000000000000003000000009000000a9000000ad000000a700000000000000a0000000000000009e0000005b0000000d0000000000000079000000030000004900000000000000000000009d00000089000000b40000003e00000000000000240000000000000000000000000000003d0000000000000093000000aa0000004e0000003f0000001b0000003a000000b20000008d00000000000000440000005800000000000000000000001f0000005f000000a50000006e000000000000007600000000000000a1000000c700000000000000dd0000001e000000000000005500000000000000c5000000a40000002a0000000000000000000000000000000000000000000000000000004c2e0000000000000300080000000000082001000000000003001200a90000000000000000000000120000002f020000242401000400000011001600f10d0000c47b00004404000012000a00e0020000983f00000c01000012000a00c70d0000187900005c00000012000a00f7000000e03600006000000012000a00d20900005c5e00000400000012000a006c0400004c5000000c00000012000a00940b00000000000000000000120000004e010000786400003c00000012000a006d090000905a0000a002000012000a00660b0000f86500004400000012000a0076020000443d00009000000012000a003f050000a45100004c00000012000a00cf0b0000ac680000c400000012000a00590b0000c8630000b000000012000a00ab020000783e00009000000012000a0014010000203800005400000012000a00090f0000cc8800008c00000012000a00850e0000708000001400000012000a00271000005024010000000000100016000c0800002c5600008c01000012000a00a8070000445500003c00000012000a0010060000d05200003c00000012000a00620a0000000000000000000012000000a4040000a85000005000000012000a009d03000080240100561a000011001700a9090000505e00000400000012000a0028080000b85700003400000012000a00bf0b00007c6800003000000012000a00430c0000000000000000000012000000120d0000149400000400000011000c00c9000000e4350000fc00000012000a00460d0000d47700005c00000012000a00360d0000807600005401000012000a000b010000403700007000000012000a00440a00008c5e00003800000012000a00ee0c00001c9400001800000011000c00c3070000805500007c00000012000a00e7030000000000000000000012000000d7070000fc5500002400000012000a004b0b0000706300005800000012000a007f0b00003c6600006c00000012000a00620c00009c6d0000b800000012000a00b80800002c5800002800000012000a00b6000000000000000000000012000000a80b0000d0670000ac00000012000a00590c000000000000000000001200000050040000405000000c00000012000a004b0c000000000000000000001200000054100000d83e01000000000010001700f2050000c45200000c00000012000a00fe0a00004c2401000400000011001600180c0000000000000000000012000000d30500009c5200002800000012000a008209000000000000000000001200000087070000385500000c00000012000a00e5060000405400002800000012000a00750d000074740000b400000012000a003a020000ec3b00003800000012000a00bd030000544900001005000012000a00be0000000000000000000000120000004d03000058430000c401000012000a00840d000028750000ac00000012000a000f0b0000a06200005000000012000a00b5050000605200003c00000012000a005a01000000000000000000001200000088040000585000005000000012000a00980e0000388600004c01000012000a001b0300000000000000000000120000003b0c0000000000000000000012000000b6010000343a00000c00000012000a009d000000e43400000001000012000a00ba0d0000000000000000000012000000520c000000000000000000001200000010000000408e00000000000012000b00e5090000605e00000800000012000a002e0a0000745e00001800000012000a00ef030000644e00009800000012000a0048100000d83e0100000000001000170092090000000000000000000012000000b4060000b85300004c00000012000a0025070000145500000c00000012000a00380300002c4200002c01000012000a0002010000508e00000004000011000c00e4000000000000000000000012000000610b0000000000000000000012000000b60c0000d46e00002c00000012000a00f4080000b45800005c00000012000a0049100000d83e01000000000010001700ff0b0000000000000000000012000000d7000000000000000000000012000000c5020000083f00009000000012000a00d6030000346500008000000012000a008d010000000000000000000012000000510e0000088000005400000012000a0093010000e43900002800000012000a00940d0000d4750000ac00000012000a008601000000000000000000001200000042090000000000000000000012000000670a0000c45e00008000000012000a00600e00005c8000001400000012000a008f020000d43d0000a400000012000a00aa03000084460000d002000012000a0048080000ec5700000c00000012000a00ef070000205600000c00000012000a00aa0a0000386000008000000012000a002a020000000000000000000012000000c9010000403a00005400000012000a00b20d000000000000000000001200000011090000105900006000000012000a00ec000000000000000000000012000000400b0000506300002000000012000a000207000068540000ac00000012000a00cd060000045400003c00000012000a0017040000a04f00009400000012000a0006020000283b00006000000012000a00c30e00008c8700000400000012000a00340e000084890000c800000012000a00c10c00004c2e000000000000120008002a010000b46500004400000012000a0046070000205500000c00000012000a006b0e00000000000000000000120000002d090000705900008c00000012000a002f0c0000806c00001c01000012000a009c0a0000442001009000000011001300780b0000000000000000000012000000ac0d0000000000000000000012000000170a0000705e00000400000012000a0022030000fc5900001400000012000a0003040000fc4e0000a400000012000a0006050000705100002800000012000a00') | |
| self.data_1 = binascii.unhexlify('f35da9994440689d9d662b902a7bea94e71db4e0500075e4892636e93e3bf7ed3b6bb0f38c7671f7555032fae24df3fe5ff0bcc6e8ed7dc231cb3ecf86d6ffcb8386b8d5349b79d1edbd3adc5aa0fbd8eee00c6959fdcd6d80db8e6037c64f643296087a858bc97e5cad8a73ebb04b77560d044fe110c54b383686468f2b47428a7b005c3d66c158e4408255535d43519e3b1d252926dc21f0009f2c471d5e28424d1936f550d8322c769b3f9b6b5a3b26d6150391cbd40748ed970afff0560efaa011104dbdd014949b93192386521d0e562ff1b94beef5606dadf8d7706cfcd2202be2653deae6bc1ba9eb0b0668efb6bb27d701a6e6d3d880a5de6f9d64da6acd23c4ddd0e2c004f6a1cdb3eb60c97e8d3ebdc990ffb910b6bcb4a7ab7db0a2fb3aae15e6fbaaccc0b8a77bdd79a3c660369b717df79fa85bb4921f4675961a163288ad0bf38c742db081c330718599908a5d2e8d4b59f7ab085440b6c95045e68e4ef2fb4f4a2bdd0c479cc0cd43217d827b9660437f4f460072f85bc176fd0b86684a16476c93300461242dc565e94b9b115e565a1587701918306dd81c353d9f0282205e065b061d0bec1bdc0f51a69337e6bb52333f9d113e8880d03a8dd097243acd5620e3eb152d54f6d4297926a9c5ce3b68c1171d2bcca000eac8a550add6124d6cd2cb6b2fdf7c76eedbc1cba1e376d660e7aff023ea18ede2ee1dbda5f0aaa064f4738627f9c49be6fd09fdb889bee0798d67c63a80d0dbfb84d58bbc9a62967d9ebbb03e930cadff97b110b0af060d71abdf2b32a66836f3a26d66b4bcda7b75b8035d36b5b440f7b12f6465762f6474762f737973636f6d31000000002f6465762f6474762f79616d73686172300000006972645f737461747573000073797374696d650079616d5f706f776572000000757362645f7374617475730069706e6574645f73746174757300000069706e6574645f726571756573740000747673685f6966002f746d702f706e6c5f646174615f66696c650000414c4c002f6465762f6474762f62656c73695f7770000000090100002f6465762f6474762f656570726f6d31000000002f746d702f4d4f44454c5f434f4e4649470000002f6465762f636e6f64655f61646a00002f6465762f6474762f617465726d30005b7375726665725d202f6465762f6474762f617465726d30206f70656e206572720000005b7375726665725d202f6465762f6474762f617465726d206f70656e71727920657272002f6465762f6474762f617465726d2564000000002f6465762f6969632564000025732e746d7000002f0000002e0000002e2e00002f746d702f64776c645f746573745f66696c6500010000000300000000040000080000000001000000020000000800000100000003000000010000000300000000040000080000000001000001000000030000000c0000000600000000000000010000000a0000000300000009000000080000002f7573722f7461726765742f6763782f5344444c2e534543000000002f7573722f7461726765742f6e6f766174656b2f5344444c2e534543000000002f7573722f7461726765742f6d737461722f5344444c2e53454300005045414b530000005045414b53424f4f540000005045414b53204c5349444154410000005045414b532046494c450000474358004e4f564154454b005045414b5320454550524f4d00000000434f4d50414e494f4e0000002f7573722f7461726765742f76657273696f6e2e747874006d6f756e740000002f7362696e2f6d6f756e74002f6465762f6d6d63626c6b30702564002f776f726b2f646f776e6c6f61645f7363726970742e6461740000002f6465762f6d6d63626c6b307031000000000000000000000000000000000000000020002f6465762f6d6d63626c6b30626f6f7430000000000000000000000000000000000001002f6465762f6d6d63626c6b30000000002f7573722f6c6f63616c2f646f776e6c6f61642f5344444c2e544d50000000002f7573722f6c6f63616c2f646f776e6c6f61642f5344444c2e5345430000000025732f25730000002f7573722f6c6f63616c2f646f776e6c6f61640008b10181b0b000840000000008b10181b0b0008400000000dcb20181b0b0ad0300000000cab20181b0b0ab010000000008b10181b0b000840000000008b10181b0b000840000000008b10181b0b000840000000008b10181b0b0008400000000449dff7fb0b0b080dc9dff7f94ffff7f3c9eff7f98ffff7f7c9eff7fb0ac0d8070a0ff7fb0b0a880c8a0ff7fb0b0ab80a0a1ff7fb0a80180eca1ff7fb0a90280eca2ff7fb0aa07804ca3ff7fa908b18094a3ff7fb0b0b08098a3ff7f0084048078a4ff7fb0aa0980d0a4ff7fb0b0a8802ca5ff7fa908b1805ca5ff7fb0ab0280c8a8ff7f34ffff7fcca9ff7faf7eb280fcaaff7fa908b18044abff7fab08b18068acff7faf3f2a8024aeff7fb0ac2b8054b2ff7faf3f30805cb7ff7fab08b18024b9ff7fb0b0b08040b9ff7fb0a80180d8b9ff7fb0b0a88024baff7fb0b0b08040baff7f0084028060baff7fb0b0b08064baff7fb0a90280a8baff7fa908b180dcbaff7f00840280fcbaff7fb0b0b08000bbff7fa908b18034bbff7f0084028054bbff7fb0b0b08058bbff7fa908b1808cbbff7fb0b0b08088bbff7f00840280a8bbff7fb0a90280ecbbff7f008402800cbcff7fb0b0b08010bcff7fb0a9028054bcff7fa908b18088bcff7f00840280a8bcff7fb0aa01804cbdff7fb0b0b08074bdff7fa908b180a8bdff7fb0a902801cbeff7f0084028038beff7fb0b0b0803cbeff7f20feff7fc0bfff7f00840280ecbfff7fb0b0b080fcbfff7f00840280a4c0ff7f0084048058c1ff7fb0ab0280dcc1ff7fb0b0b080e8c1ff7fa93f048060c2ff7fb0af3a80f8c4ff7fa908b18028c5ff7fb0ab048008c6ff7fb0b0b0803cc6ff7fa908b1806cc6ff7fb0008480e4c6ff7fb0b0aa80d0c7ff7fb0b0a88048c8ff7fb0a8038080c8ff7fb0ab048020caff7fb0a8058068caff7fb0b0a8809ccaff7fb0b0b080d8caff7fb000848028cbff7fb0aa0180d0cbff7fb0a8018004ccff7fad08b180fcccff7fb0b0aa8038cdff7fab08b180e0cdff7fb0b0ac8050ceff7fb0b0b08090ceff7fb0b0a880b4ceff7fa908b180e8ceff7fb0aa17808ccfff7fa908b180b4cfff7fad08b18070d0ff7fb0b0ac80e0d0ff7fac3f17803cd2ff7fb0ae158068d3ff7faf3f02807cd4ff7fb0ac3f802cd5ff7fb0b0aa809cd5ff7fb0b0b0809cd5ff7fe4fcff7fc0d5ff7fb0b0b08084d6ff7fb000848098d8ff7fb0b0b08040daff7f0084028014dbff7fa908b18018ddff7fb0ab028064deff7fb0a90280b8deff7f0084088098dfff7fb0b0aa80ecdfff7fb0af1080a8e1ff7fab7cb2802ce2ff7faf479b8068e6ff7fb0b0a880b4e6ff7f80fcff7fc0e6ff7f84fcff7fcce6ff7fb0b0b08038e7ff7fb0af0a8060ebff7fa908b180bcebff7fb0a8018060ecff7fb0ac1180a4edff7fb0b0b080a8edff7f00840280c0edff7fb0a82580d4eeff7fa908b18058efff7f40fcff7f7cefff7fab08b1803cf0ff7faf44b280d8f1ff7f0100000000000000') | |
| self.mu.mem_map(0x0,0x3000) | |
| self.mu.mem_map(0x3000,0x4000) | |
| self.mu.mem_map(0x9000,0x4000) | |
| self.param_start = 0x00_01_f0_00 | |
| self.param_size = 0xa0_00_00 | |
| self.mu.mem_map(self.param_start + (self.param_size * 0), self.param_size) | |
| self.mu.mem_map(self.param_start + (self.param_size * 1), self.param_size) | |
| self.mu.mem_map(0x7ffff000,0x20_00_00) | |
| self.mu.mem_write(0x0, self.data_0) | |
| self.mu.mem_write(0x9000, self.data_1) | |
| self.mu.mem_write(0x3740, self.code_0) | |
| def _start_unicorn(self, startaddr): | |
| try: | |
| self.mu.emu_start(startaddr, 0) | |
| except Exception as e: | |
| if self.mu.reg_read(UC_ARM_REG_PC) == 4: | |
| return | |
| else: | |
| print ('[!] Exception occured - Emulator state (arm):') | |
| print ("UC_ARM_REG_R0 : %X" % (self.mu.reg_read(UC_ARM_REG_R0))) | |
| print ("UC_ARM_REG_R1 : %X" % (self.mu.reg_read(UC_ARM_REG_R1))) | |
| print ("UC_ARM_REG_R2 : %X" % (self.mu.reg_read(UC_ARM_REG_R2))) | |
| print ("UC_ARM_REG_R3 : %X" % (self.mu.reg_read(UC_ARM_REG_R3))) | |
| print ("UC_ARM_REG_R4 : %X" % (self.mu.reg_read(UC_ARM_REG_R4))) | |
| print ("UC_ARM_REG_R5 : %X" % (self.mu.reg_read(UC_ARM_REG_R5))) | |
| print ("UC_ARM_REG_R6 : %X" % (self.mu.reg_read(UC_ARM_REG_R6))) | |
| print ("UC_ARM_REG_R7 : %X" % (self.mu.reg_read(UC_ARM_REG_R7))) | |
| print ("UC_ARM_REG_R8 : %X" % (self.mu.reg_read(UC_ARM_REG_R8))) | |
| print ("UC_ARM_REG_R9 : %X" % (self.mu.reg_read(UC_ARM_REG_R9))) | |
| print ("UC_ARM_REG_R10 : %X" % (self.mu.reg_read(UC_ARM_REG_R10))) | |
| print ("UC_ARM_REG_R11 : %X" % (self.mu.reg_read(UC_ARM_REG_R11))) | |
| print ("UC_ARM_REG_R12 : %X" % (self.mu.reg_read(UC_ARM_REG_R12))) | |
| print ("UC_ARM_REG_R13 : %X" % (self.mu.reg_read(UC_ARM_REG_R13))) | |
| print ("UC_ARM_REG_R14 : %X" % (self.mu.reg_read(UC_ARM_REG_R14))) | |
| print ("UC_ARM_REG_R15 : %X" % (self.mu.reg_read(UC_ARM_REG_R15))) | |
| raise e | |
| def run(self, input: bytes, size: int): | |
| # def hook_code(uc, address, size, user_data): | |
| # instr = None | |
| # for c in Cs(CS_ARCH_ARM, CS_MODE_ARM).disasm(self.mu.mem_read(address, size), address, size): | |
| # instr = c | |
| # print(">>> Tracing instruction at 0x%x intr=%s" % (address, instr)) | |
| # | |
| # self.mu.hook_add(UC_HOOK_CODE, hook_code) | |
| self.mu.reg_write(UC_ARM_REG_SP, 0x7fffff00) | |
| self.mu.reg_write(UC_ARM_REG_LR, 0x4) | |
| argAddr_0 = self.param_start + (self.param_size * 0) | |
| self.mu.mem_write(argAddr_0, input) | |
| self.mu.reg_write(UC_ARM_REG_R0, argAddr_0) | |
| self.mu.reg_write(UC_ARM_REG_R1, size) | |
| argAddr_2 = self.param_start + (self.param_size * 1) | |
| # self.mu.mem_write(argAddr_2, arg_2) | |
| self.mu.reg_write(UC_ARM_REG_R2, argAddr_2) | |
| self._start_unicorn(0x3740) | |
| ret = self.mu.reg_read(UC_ARM_REG_R0) | |
| if ret != 0: | |
| raise ValueError('invalid response :/') | |
| out = self.mu.mem_read(argAddr_2, size) | |
| return out | |
| class crc_calc(object): | |
| def __init__(self): | |
| self.mu = Uc(UC_ARCH_ARM, UC_MODE_ARM) | |
| self.code_0 = binascii.unhexlify('10402de9000051e348e09fe50ee08fe00e00000a40409fe500c0a0e30c30a0e10020e0e304409ee70ce0d0e7013083e2010053e103c0a0e122ec2ee00ee194e702242ee0f7ffff1a0200a0e11080bde80020e0e3fbffffea') | |
| self.data_0 = binascii.unhexlify('ccf2bce500c68fe20fca8ce2c4f2bce500c68fe20fca8ce2bcf2bce500c68fe20fca8ce2b4f2bce500c68fe20fca8ce2acf2bce500c68fe20fca8ce2a4f2bce500c68fe20fca8ce29cf2bce500c68fe20fca8ce294f2bce500c68fe20fca8ce28cf2bce500c68fe20fca8ce284f2bce500c68fe20fca8ce27cf2bce500c68fe20fca8ce274f2bce500c68fe20fca8ce26cf2bce500c68fe20fca8ce264f2bce500c68fe20fca8ce25cf2bce500c68fe20fca8ce254f2bce500c68fe20fca8ce24cf2bce500c68fe20fca8ce244f2bce500c68fe20fca8ce23cf2bce500c68fe20fca8ce234f2bce500c68fe20fca8ce22cf2bce500c68fe20fca8ce224f2bce500c68fe20fca8ce21cf2bce500c68fe20fca8ce214f2bce500c68fe20fca8ce20cf2bce500c68fe20fca8ce204f2bce500c68fe20fca8ce2fcf1bce500c68fe20fca8ce2f4f1bce500c68fe20fca8ce2ecf1bce500c68fe20fca8ce2e4f1bce500c68fe20fca8ce2dcf1bce500c68fe20fca8ce2d4f1bce500c68fe20fca8ce2ccf1bce500c68fe20fca8ce2c4f1bce500c68fe20fca8ce2bcf1bce500c68fe20fca8ce2b4f1bce500c68fe20fca8ce2acf1bce500c68fe20fca8ce2a4f1bce500c68fe20fca8ce29cf1bce500c68fe20fca8ce294f1bce500c68fe20fca8ce28cf1bce500c68fe20fca8ce284f1bce500c68fe20fca8ce27cf1bce500c68fe20fca8ce274f1bce500c68fe20fca8ce26cf1bce500c68fe20fca8ce264f1bce500c68fe20fca8ce25cf1bce500c68fe20fca8ce254f1bce500c68fe20fca8ce24cf1bce500c68fe20fca8ce244f1bce500c68fe20fca8ce23cf1bce500c68fe20fca8ce234f1bce500c68fe20fca8ce22cf1bce500c68fe20fca8ce224f1bce500c68fe20fca8ce21cf1bce500c68fe20fca8ce214f1bce500c68fe20fca8ce20cf1bce500c68fe20fca8ce204f1bce500c68fe20fca8ce2fcf0bce500c68fe20fca8ce2f4f0bce500c68fe20fca8ce2ecf0bce500c68fe20fca8ce2e4f0bce500c68fe20fca8ce2dcf0bce500c68fe20fca8ce2d4f0bce500c68fe20fca8ce2ccf0bce500c68fe20fca8ce2c4f0bce500c68fe20fca8ce2bcf0bce500c68fe20fca8ce2b4f0bce500c68fe20fca8ce2acf0bce500c68fe20fca8ce2a4f0bce500c68fe20fca8ce29cf0bce500c68fe20fca8ce294f0bce500c68fe20fca8ce28cf0bce500c68fe20fca8ce284f0bce514309fe514209fe503308fe0022093e7000052e31eff2f01ecffffeabcee0000d801000034209fe534009fe534309fe502208fe000008fe0032082e2022060e003308fe0060052e31eff2f9118209fe5023093e7000053e31eff2f0113ff2fe1a8f00000a4f0000084ee0000d40100003c309fe53c009fe53c209fe503308fe000008fe0033060e002208fe04331a0e1a33f83e0c330b0e11eff2f011c109fe5012092e7000052e31eff2f010310a0e112ff2fe15cf0000058f000003cee0000dc0100004c209fe508402de948309fe502208fe00020d2e503308fe0000052e30880bd1834209fe5023093e7000053e30200000a28309fe503009fe7b9ffffebc7ffffeb1c309fe50120a0e303308fe00020c3e50880bde808f00000eced0000e0010000b0ef0000ccef000034009fe508402de930309fe500008fe0002090e503308fe0000052e30400000a1c209fe5023093e7000053e30000000a33ff2fe10840bde8c1ffffea58eb000084ed0000d0010000f0412de90270a0e1ec209fe538d04de200c0a0e30080a0e10150a0e10360a0e10d00a0e10010e0e302208fe03830a0e300c08de504c08de508c08de50cc08de510c08de514c08de518c08de51cc08de520c08de524c08de528c08de52cc08de530c08de534c08de546feffeb000050e31500001a05c0a0e104508de500808de510608de50c708de5080000ea67feffeb010050e30f00000a000050e30a00001a10209de5000052e30400000a04c09de500005ce30d00a0e10410a0e3f2ffff1a0100e0e338d08de2f081bde80000e0e338d08de2f081bde810309de50d00a0e1066063e069feffeb000050e3f6ffff1a0600a0e138d08de2f081bde834590000f0412de90150a0e1e8109fe538d04de200c0a0e30080a0e10270a0e10d00a0e101108fe03820a0e30360a0e100c08de504c08de508c08de50cc08de510c08de514c08de518c08de51cc08de520c08de524c08de528c08de52cc08de530c08de534c08de579feffeb000050e31500001a05c0a0e104508de500808de510608de50c708de5080000ea67feffeb010050e30f00000a000050e30a00001a10209de5000052e30400000a04c09de50010a0e30d00a0e101005ce1f2ffff1a0100e0e338d08de2f081bde80000e0e338d08de2f081bde810309de50d00a0e1066063e078feffeb000050e3f6ffff1a0600a0e138d08de2f081bde83c58000010402de9000051e348e09fe50ee08fe00e00000a40409fe500c0a0e30c30a0e10020e0e304409ee70ce0d0e7013083e2010053e103c0a0e122ec2ee00ee194e702242ee0f7ffff1a0200a0e11080bde80020e0e3fbffffea48eb0000c8010000f0402de9e2cfa0e300e0a0e3800051e30170a0318070a023000057e30f00000a015040e2076082e00140f5e501e08ee2ff005ee300e0a0c3963c84e22c4424e0a33083e203c08ce07440efe6e2cfa0c30140c2e4060052e1f2ffff1a070080e0071051e0e8ffff1a0100a0e1f080bde8f0402de90030a0e3e2efa0e3800051e30170a0318070a023000057e30f00000a015040e2076082e00140f5e596cc8ee2013083e2a3c08ce2ff0053e30030a0c32ee424e07e40efe6e2efa0c304e08cd00140c2e4060052e1f2ffff1a070080e0071051e0e8ffff1a0100a0e1f080bde848009fe50210a0e310402de9081040e308d04de200008fe012feffeb004050e2080000ba0dc0a0e35a30a0e304108de20220a0e304c0cde50530cde578feffeb0400a0e119feffeb08d08de21080bde8145a000030402de90040a0e16c009fe50210a0e30cd04de2081040e300008fe0fcfdffeb005050e2110000ba2030a0e304108de20220a0e30540cde50430cde563feffeb0040a0e10500a0e103feffeb020054e30600001ae11ca0e30000a0e3f51540e370fdffeb0000a0e30cd08de23080bde85700e0e30cd08de23080bde8bc5900007c009fe50210a0e330402de9081040e30cd04de200008fe0ddfdffeb004050e2140000ba0be0a0e301c0a0e36830a0e304108de20320a0e304e0cde505c0cde50630cde541feffeb0050a0e10400a0e1e1fdffeb030055e30600001ae11ca0e30000a0e3f51540e34efdffeb0000a0e30cd08de23080bde85700e0e30cd08de23080bde840590000000051e31300000a70402de920d04de20240a0e104208de20050a0e10200a0e10360a0e1affdffeb051c04e30020a0e11c104ce30500a0e114408de518608de5a2fdffeb010070e30400000a1c009de520d08de27080bde80000e0e31eff2fe10000e0e3f9ffffea38402de90050a0e10140a0e10500a0e1021c04e30420a0e192fdffeb000050e3f9ffff1a3880bde838402de90050a0e10140a0e10500a0e1011c04e30420a0e188fdffeb000050e3f9ffff1a3880bde80120a0e1031c04e382fdffea000053e30000521302c0a0e10100001a0000a0e31eff2fe104e02de514d04de20c308de501e0a0e110208de2061c04e318309de5101044e310e022e50d20a0e108c08de504308de56ffdffeb14d08de204f09de4000053e30000521302c0a0e10100001a0000a0e31eff2fe104e02de514d04de20c308de501e0a0e110208de2071c04e318309de5101044e310e022e50d20a0e108c08de504308de55afdffeb14d08de204f09de400c052e20100001a0c00a0e11eff2fe104e02de514d04de201e0a0e110208de2081c04e30ce022e50c1044e30cc08de508308de54afdffeb14d08de204f09de470402de90140a0e128d04de20a1c04e3281048e30260a0e10d20a0e10350a0e13ffdffeb04109de5040051e10200000a0000a0e328d08de27080bde808309de5050053e1f9ffffba060085e0000053e10000a0a30100a0b328d08de27080bde850309fe550209fe510402de903308fe0024093e7000094e5010070e31080bd1838009fe50210a0e3081040e300008fe032fdffeb010070e30030a0e10300000a000050e3000084e50000e0b31080bde8003084e51080bde8a0e60000b8010000a856000038402de924309fe524209fe503308fe0025093e7004095e5010074e33880bd180400a0e1f8fcffeb004085e53880bde83ce60000b80100007cc09fe50b20a0e3f0402de90030a0e370e09fe50cd04de20cc08fe00070a0e164109fe50e409ce701108fe0000094e571fdffeb005050e20f0000ba0510a0e10060a0e3000094e5f9fcffeb000094e50720a0e10510a0e10b30a0e300608de544fdffeb000094e50510a0e1c9fcffeb0600a0e10cd08de2f080bde80000e0e3fbffffeaf8e50000b8010000245600007cc09fe50c20a0e3f0402de90030a0e370e09fe50cd04de20cc08fe00070a0e164109fe50e409ce701108fe0000094e54dfdffeb005050e20f0000ba0510a0e10060a0e3000094e5d5fcffeb000094e50720a0e10510a0e10c30a0e300608de520fdffeb000094e50510a0e1a5fcffeb0600a0e10cd08de2f080bde80000e0e3fbffffea68e50000b8010000a05500007cc09fe50420a0e3f0402de90030a0e370e09fe50cd04de20cc08fe00070a0e164109fe50e409ce701108fe0000094e529fdffeb005050e20f0000ba0510a0e10060a0e3000094e5b1fcffeb000094e50720a0e10510a0e10430a0e300608de5fcfcffeb000094e50510a0e181fcffeb0600a0e10cd08de2f080bde80000e0e3fbffffead8e40000b80100001855000090c09fe50c20a0e3f0402de90030a0e384e09fe50cd04de20cc08fe00070a0e178109fe50e409ce701108fe0000094e505fdffeb005050e2140000ba0c20a0e30030a0e30510a0e1000094e53afdffeb0060a0e30510a0e1000094e588fcffeb000094e50720a0e10510a0e10c30a0e300608de5d3fcffeb000094e50510a0e158fcffeb0600a0e10cd08de2f080bde80000e0e3fbffffea48e40000b8010000945400007cc09fe5e82c00e3f0402de90030a0e370e09fe50cd04de20cc08fe00070a0e164109fe50e409ce701108fe0000094e5dcfcffeb005050e20f0000ba0510a0e10060a0e3000094e564fcffeb000094e50720a0e10510a0e1e83c00e300608de5affcffeb000094e50510a0e134fcffeb0600a0e10cd08de2f080bde80000e0e3fbffffeaa4e30000b8010000fc5300007cc09fe5642900e3f0402de90030a0e370e09fe50cd04de20cc08fe00070a0e164109fe50e409ce701108fe0000094e5b8fcffeb005050e20f0000ba0510a0e10060a0e3000094e540fcffeb000094e50720a0e10510a0e1643900e300608de58bfcffeb000094e50510a0e110fcffeb0600a0e10cd08de2f080bde80000e0e3fbffffea14e30000b80100007c530000f8c09fe5642900e3f0432de90040a0e1ece09fe50180a0e10cc08fe097de4de20c00a0e1dc109fe50e5090e704d04de20030a0e301108fe0000095e591fcffeb006050e22b0000ba0070a0e30610a0e10c908de2000095e518fcffeb088268e0000095e50920a0e1') | |
| self.data_1 = binascii.unhexlify('9c34000034340000000000000c94000002000000f893000005000000d493000007000000f093000002000000d493000007000000d493000000000000d4930000000000008c9400000000000080760000949400000000000080760000909500001f00000000000000a09400000000000080760000b09400000400000080760000909500001f00000000000000909500001f00000000000000909500001f00000000000000bc940000080000001c450000c09400000900000084460000c89400000a000000d4770000d89400000b000000505e0000010000003c0f000001000000490f0000010000005a0f000001000000680f000001000000750f000001000000840f000001000000960f000001000000a70f000001000000b80f000001000000c60f000001000000d00f000001000000df0f000001000000f00f000001000000ff0f0000010000000f100000010000001d1000000e000000611000000f000000751000000c0000004c2e00000d000000408e000019000000002001001b000000040000001a000000042001001c0000000400000004000000d4000000050000001016000006000000900700000a000000741100000b00000010000000030000003c2201000200000058030000140000001100000017000000f42a0000110000009429000012000000600100001300000008000000feffff6f54290000ffffff6f02000000f0ffff6f84270000faffff6f1900000000000000000000000000000000000000000000000000000000000000000000000000000000000000d42001000000000000000000203f0100e03600004c500000303f010078640000443d0000203800002c3f0100a8500000843f0100e4350000403700008c5e0000a83f0100183f0100143f010040500000983f0100b03f01009c520000783f0100544900001c3f0100584300006c3f0100585000005c3f0100743f0100343a0000283f0100883f0100745e0000644e0000103f01002c420000343f0100803f0100b83f01003c3f010034650000403f0100e43900009c3f0100643f0100c45e0000703f0100403a0000c03f0100383f0100a04f000084890000b4650000483f010070590000806c00000c3f0100bc3f0100705e0000fc590000fc4e000070510000603f010034500000903f0100443f01007c3f010044670000243f0100943a0000b43f0100a43f010064510000fc3e0100b4640000f4380000f8800000583f0100e86900004c3f01007c390000a03f0100683f0100a8660000c43f0100046f0000943f010058510000043f0100f86000004c8a0000083f0100f83e0100105a0000503f0100ac3f010020670000543f01008480000098730000e83a0000cc6f00000c530000f8500000003f01008c3f0100f43e0100685e000024240100802401001c9400004c240100508e000044200100e83e0100e03e0100003f0100e43e0100f43e010020240100ffffffffffffffffffffffffffffffff30240100010000002c240100020000002824010003000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000') | |
| self.data_2 = binascii.unhexlify('7f454c4601010100000000000000000003002800010000007033000034000000a4a500000200000534002000050028001b001a0001000070509600005096000050960000d0030000d0030000040000000400000001000000000000000000000000000000249a0000249a000005000000008000000100000000a00000002001000020010050040000d81e0000060000000080000002000000d4a00000d4200100d42001006801000068010000060000000400000051e5746400000000000000000000000000000000000000000600000004000000c5000000e8000000ae0000008a00000000000000b30000004300000000000000a8000000000000000000000000000000dc000000000000006c000000b600000060000000000000009b0000005c000000cb000000cf0000002e00000000000000bc000000960000009a000000800000005e0000000000000000000000560000003c00000062000000b10000000000000000000000970000007700000000000000e200000004000000d80000000000000072000000db000000d300000000000000df00000000000000b50000003900000065000000af00000099000000000000000000000067000000d6000000ab000000b80000004000000017000000bd00000052000000880000009f0000007f000000ce000000ca0000000000000000000000c9000000e100000000000000de000000e70000003200000069000000bf0000008c00000000000000da00000000000000cd0000006300000092000000000000008f00000000000000000000007b00000000000000c400000045000000a6000000e4000000360000005d00000000000000c80000004d00000027000000120000008500000018000000000000007100000074000000d90000004f00000095000000be000000e000000000000000a300000000000000b9000000c000000000000000d1000000ba00000000000000000000000500000000000000cc00000006000000000000000000000083000000d2000000150000009400000042000000a2000000000000004b000000c1000000e60000004700000000000000870000005000000000000000510000000000000010000000130000000000000000000000e3000000080000002f0000006d0000005a000000c20000003300000048000000000000000000000000000000d00000002c0000008b0000006f000000680000000000000000000000bb00000029000000000000007a000000d400000070000000e5000000820000006a00000000000000d5000000d70000005900000073000000b000000000000000000000004c0000000000000000000000ac0000008600000000000000c300000091000000310000000000000000000000b7000000c600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f00000000000000110000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000001600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000140000000000000000000000000000000000000000000000000000000000000037000000000000000000000000000000340000002b0000000000000023000000000000000000000000000000000000000000000000000000000000000000000000000000000000002600000000000000000000000000000000000000380000000000000000000000000000000000000000000000000000000b00000000000000000000001c0000004a000000000000000000000000000000000000002800000007000000000000001d000000190000000000000000000000640000000e0000000000000000000000610000000000000000000000000000006b000000000000006600000000000000000000000000000000000000220000002d000000350000000000000000000000000000000000000057000000000000000000000000000000530000007d000000000000007e00000000000000810000000c000000000000002100000084000000460000002500000078000000200000001a000000000000007c0000000000000000000000900000005400000000000000000000000000000098000000000000003b000000000000008e000000000000000000000000000000000000009c000000000000004100000075000000000000003000000009000000a9000000ad000000a700000000000000a0000000000000009e0000005b0000000d0000000000000079000000030000004900000000000000000000009d00000089000000b40000003e00000000000000240000000000000000000000000000003d0000000000000093000000aa0000004e0000003f0000001b0000003a000000b20000008d00000000000000440000005800000000000000000000001f0000005f000000a50000006e000000000000007600000000000000a1000000c700000000000000dd0000001e000000000000005500000000000000c5000000a40000002a0000000000000000000000000000000000000000000000000000004c2e0000000000000300080000000000082001000000000003001200a90000000000000000000000120000002f020000242401000400000011001600f10d0000c47b00004404000012000a00e0020000983f00000c01000012000a00c70d0000187900005c00000012000a00f7000000e03600006000000012000a00d20900005c5e00000400000012000a006c0400004c5000000c00000012000a00940b00000000000000000000120000004e010000786400003c00000012000a006d090000905a0000a002000012000a00660b0000f86500004400000012000a0076020000443d00009000000012000a003f050000a45100004c00000012000a00cf0b0000ac680000c400000012000a00590b0000c8630000b000000012000a00ab020000783e00009000000012000a0014010000203800005400000012000a00090f0000cc8800008c00000012000a00850e0000708000001400000012000a00271000005024010000000000100016000c0800002c5600008c01000012000a00a8070000445500003c00000012000a0010060000d05200003c00000012000a00620a0000000000000000000012000000a4040000a85000005000000012000a009d03000080240100561a000011001700a9090000505e00000400000012000a0028080000b85700003400000012000a00bf0b00007c6800003000000012000a00430c0000000000000000000012000000120d0000149400000400000011000c00c9000000e4350000fc00000012000a00460d0000d47700005c00000012000a00360d0000807600005401000012000a000b010000403700007000000012000a00440a00008c5e00003800000012000a00ee0c00001c9400001800000011000c00c3070000805500007c00000012000a00e7030000000000000000000012000000d7070000fc5500002400000012000a004b0b0000706300005800000012000a007f0b00003c6600006c00000012000a00620c00009c6d0000b800000012000a00b80800002c5800002800000012000a00b6000000000000000000000012000000a80b0000d0670000ac00000012000a00590c000000000000000000001200000050040000405000000c00000012000a004b0c000000000000000000001200000054100000d83e01000000000010001700f2050000c45200000c00000012000a00fe0a00004c2401000400000011001600180c0000000000000000000012000000d30500009c5200002800000012000a008209000000000000000000001200000087070000385500000c00000012000a00e5060000405400002800000012000a00750d000074740000b400000012000a003a020000ec3b00003800000012000a00bd030000544900001005000012000a00be0000000000000000000000120000004d03000058430000c401000012000a00840d000028750000ac00000012000a000f0b0000a06200005000000012000a00b5050000605200003c00000012000a005a01000000000000000000001200000088040000585000005000000012000a00980e0000388600004c01000012000a001b0300000000000000000000120000003b0c0000000000000000000012000000b6010000343a00000c00000012000a009d000000e43400000001000012000a00ba0d0000000000000000000012000000520c000000000000000000001200000010000000408e00000000000012000b00e5090000605e00000800000012000a002e0a0000745e00001800000012000a00ef030000644e00009800000012000a0048100000d83e0100000000001000170092090000000000000000000012000000b4060000b85300004c00000012000a0025070000145500000c00000012000a00380300002c4200002c01000012000a0002010000508e00000004000011000c00e4000000000000000000000012000000610b0000000000000000000012000000b60c0000d46e00002c00000012000a00f4080000b45800005c00000012000a0049100000d83e01000000000010001700ff0b0000000000000000000012000000d7000000000000000000000012000000c5020000083f00009000000012000a00d6030000346500008000000012000a008d010000000000000000000012000000510e0000088000005400000012000a0093010000e43900002800000012000a00940d0000d4750000ac00000012000a008601000000000000000000001200000042090000000000000000000012000000670a0000c45e00008000000012000a00600e00005c8000001400000012000a008f020000d43d0000a400000012000a00aa03000084460000d002000012000a0048080000ec5700000c00000012000a00ef070000205600000c00000012000a00aa0a0000386000008000000012000a002a020000000000000000000012000000c9010000403a00005400000012000a00b20d000000000000000000001200000011090000105900006000000012000a00ec000000000000000000000012000000400b0000506300002000000012000a000207000068540000ac00000012000a00cd060000045400003c00000012000a0017040000a04f00009400000012000a0006020000283b00006000000012000a00c30e00008c8700000400000012000a00340e000084890000c800000012000a00c10c00004c2e000000000000120008002a010000b46500004400000012000a0046070000205500000c00000012000a006b0e00000000000000000000120000002d090000705900008c00000012000a002f0c0000806c00001c01000012000a009c0a0000442001009000000011001300780b0000000000000000000012000000ac0d0000000000000000000012000000170a0000705e00000400000012000a0022030000fc5900001400000012000a0003040000fc4e0000a400000012000a0006050000705100002800000012000a00') | |
| self.data_3 = binascii.unhexlify('00000000b71dc1046e3b8209d926430ddc7604136b6bc517b24d861a0550471eb8ed08260ff0c922d6d68a2f61cb4b2b649b0c35d386cd310aa08e3cbdbd4f3870db114cc7c6d0481ee09345a9fd5241acad155f1bb0d45bc2969756758b5652c836196a7f2bd86ea60d9b6311105a6714401d79a35ddc7d7a7b9f70cd665e74e0b6239857abe29c8e8da191399060953cc0278b8bdde68f52fba582e5e66486585b2bbeef46eaba3660a9b7817d68b3842d2fad3330eea9ea16ada45d0b6ca0906d32d42770f3d0fe56b0dd494b71d94c1b36c7fb06f7c32220b4ce953d75ca28803af29f9dfbf646bbb8fbf1a679fff4f63ee143ebffe59acdbce82dd07dec77708634c06d4730194b043dae56c539ab0682271c1b4323c53d002e7220c12acf9d8e1278804f16a1a60c1b16bbcd1f13eb8a01a4f64b057dd00808cacdc90c07ab9778b0b6567c69901571de8dd475dbdd936b6cc0526fb5e6116202fbd066bf469f5e085b5e5ad17d1d576660dc5363309b4dd42d5a490d0b1944ba16d84097c6a5ac20db64a8f9fd27a54ee0e6a14bb0a1bffcad60bb258b23b69296e2b22f2bad8a98366c8e41102f83f60dee87f35da9994440689d9d662b902a7bea94e71db4e0500075e4892636e93e3bf7ed3b6bb0f38c7671f7555032fae24df3fe5ff0bcc6e8ed7dc231cb3ecf86d6ffcb8386b8d5349b79d1edbd3adc5aa0fbd8eee00c6959fdcd6d80db8e6037c64f643296087a858bc97e5cad8a73ebb04b77560d044fe110c54b383686468f2b47428a7b005c3d66c158e4408255535d43519e3b1d252926dc21f0009f2c471d5e28424d1936f550d8322c769b3f9b6b5a3b26d6150391cbd40748ed970afff0560efaa011104dbdd014949b93192386521d0e562ff1b94beef5606dadf8d7706cfcd2202be2653deae6bc1ba9eb0b0668efb6bb27d701a6e6d3d880a5de6f9d64da6acd23c4ddd0e2c004f6a1cdb3eb60c97e8d3ebdc990ffb910b6bcb4a7ab7db0a2fb3aae15e6fbaaccc0b8a77bdd79a3c660369b717df79fa85bb4921f4675961a163288ad0bf38c742db081c330718599908a5d2e8d4b59f7ab085440b6c95045e68e4ef2fb4f4a2bdd0c479cc0cd43217d827b9660437f4f460072f85bc176fd0b86684a16476c93300461242dc565e94b9b115e565a1587701918306dd81c353d9f0282205e065b061d0bec1bdc0f51a69337e6bb52333f9d113e8880d03a8dd097243acd5620e3eb152d54f6d4297926a9c5ce3b68c1171d2bcca000eac8a550add6124d6cd2cb6b2fdf7c76eedbc1cba1e376d660e7aff023ea18ede2ee1dbda5f0aaa064f4738627f9c49be6fd09fdb889bee0798d67c63a80d0dbfb84d58bbc9a62967d9ebbb03e930cadff97b110b0af060d71abdf2b32a66836f3a26d66b4bcda7b75b8035d36b5b440f7b1') | |
| self.mu.mem_map(0x0,0x4000) | |
| self.mu.mem_map(0x4000,0x4000) | |
| self.mu.mem_map(0x8000,0x4000) | |
| self.mu.mem_map(0x12000,0x4000) | |
| self.mu.mem_map(0x7ffff000,0x200000) | |
| self.mu.mem_map(0x1e000, 0x1000) | |
| self.mu.mem_map(0x1f000 * 1, 0xa0_00_00) | |
| self.mu.mem_write(0x0, self.data_2) | |
| self.mu.mem_write(0x36e0, self.code_0) | |
| self.mu.mem_write(0x3000, self.data_0) | |
| self.mu.mem_write(0x12000, self.data_1) | |
| self.mu.mem_write(0x8e50, self.data_3) | |
| def _start_unicorn(self, startaddr): | |
| try: | |
| self.mu.emu_start(startaddr, 0x372c) | |
| except Exception as e: | |
| if self.mu.reg_read(UC_ARM_REG_PC) == 4: | |
| return | |
| else: | |
| print ('[!] Exception occured - Emulator state (arm):') | |
| print ("UC_ARM_REG_R0 : %X" % (self.mu.reg_read(UC_ARM_REG_R0))) | |
| print ("UC_ARM_REG_R1 : %X" % (self.mu.reg_read(UC_ARM_REG_R1))) | |
| print ("UC_ARM_REG_R2 : %X" % (self.mu.reg_read(UC_ARM_REG_R2))) | |
| print ("UC_ARM_REG_R3 : %X" % (self.mu.reg_read(UC_ARM_REG_R3))) | |
| print ("UC_ARM_REG_R4 : %X" % (self.mu.reg_read(UC_ARM_REG_R4))) | |
| print ("UC_ARM_REG_R5 : %X" % (self.mu.reg_read(UC_ARM_REG_R5))) | |
| print ("UC_ARM_REG_R6 : %X" % (self.mu.reg_read(UC_ARM_REG_R6))) | |
| print ("UC_ARM_REG_R7 : %X" % (self.mu.reg_read(UC_ARM_REG_R7))) | |
| print ("UC_ARM_REG_R8 : %X" % (self.mu.reg_read(UC_ARM_REG_R8))) | |
| print ("UC_ARM_REG_R9 : %X" % (self.mu.reg_read(UC_ARM_REG_R9))) | |
| print ("UC_ARM_REG_R10 : %X" % (self.mu.reg_read(UC_ARM_REG_R10))) | |
| print ("UC_ARM_REG_R11 : %X" % (self.mu.reg_read(UC_ARM_REG_R11))) | |
| print ("UC_ARM_REG_R12 : %X" % (self.mu.reg_read(UC_ARM_REG_R12))) | |
| print ("UC_ARM_REG_R13 : %X" % (self.mu.reg_read(UC_ARM_REG_R13))) | |
| print ("UC_ARM_REG_R14 : %X" % (self.mu.reg_read(UC_ARM_REG_R14))) | |
| print ("UC_ARM_REG_R15 : %X" % (self.mu.reg_read(UC_ARM_REG_R15))) | |
| print ("UC_ARM_REG_PC : %X" % (self.mu.reg_read(UC_ARM_REG_PC))) | |
| raise e | |
| def run(self, arg_0: bytes, arg_1: int): | |
| # def hook_code(uc, address, size, user_data): | |
| # instr = None | |
| # for c in Cs(CS_ARCH_ARM, CS_MODE_ARM).disasm(self.mu.mem_read(address, size), address, size): | |
| # instr = c | |
| # print(">>> Tracing instruction at 0x%x intr=%s" % (address, instr)) | |
| # | |
| # self.mu.hook_add(UC_HOOK_CODE, hook_code) | |
| self.mu.reg_write(UC_ARM_REG_SP, 0x7fffff00) | |
| self.mu.reg_write(UC_ARM_REG_LR, 0x4) | |
| # argAddr_0 = self.param_start + (self.param_size * 0) | |
| argAddr_0 = 0x1f000 | |
| self.mu.mem_write(argAddr_0, bytes(arg_0)) | |
| self.mu.reg_write(UC_ARM_REG_R0, argAddr_0) | |
| # argAddr_1 = 0x1e000 | |
| # self.mu.mem_write(argAddr_1, p32(0)) | |
| # self.mu.reg_write(UC_ARM_REG_R1, argAddr_1) | |
| self.mu.reg_write(UC_ARM_REG_R1, arg_1) | |
| self._start_unicorn(0x36e0) | |
| ret = self.mu.reg_read(UC_ARM_REG_R0) | |
| return ret | |
| class FirmwareFile: | |
| def __init__(self, file: io.BytesIO, crypto_key: bytes, tmp_name: str, sig_key: bytes=None): | |
| self.tmp_name = tmp_name.split('.')[0] | |
| self.sig_key = sig_key | |
| self.crypto_key = crypto_key | |
| self._set_data(file) | |
| self._set_key_and_iv() | |
| def _set_data(self, file): | |
| with zipfile.ZipFile(file, 'r') as f: | |
| print(f.filelist) | |
| self.input = io.BytesIO(f.read(f.filelist[0].filename)) | |
| def _set_key_and_iv(self): | |
| self.aes_key, self.aes_iv = convert_secret_to_key_iv(self.crypto_key).run() | |
| def _cipher(self, b: bytes) -> bytes: | |
| return bytes(cipher().run(b, len(b))) | |
| def _decripter(self, b: bytes) -> bytes: | |
| return bytes(decipher().run(b, len(b))) | |
| def _decrypt_bytes(self, b: bytes) -> bytes: | |
| x = AES.new(key=self.aes_key, mode=AES.MODE_CBC, iv=self.aes_iv) | |
| return fix_rpad(x.decrypt(b)) | |
| def _encrypt_bytes(self, new_key: bytes, b: bytes) -> bytes: | |
| aes_key, aes_iv = convert_secret_to_key_iv(new_key).run() | |
| x = AES.new(key=aes_key, mode=AES.MODE_CBC, iv=aes_iv) | |
| return x.encrypt(pkcs7padding(b)) | |
| def decode_all(self) -> typing.List[dict]: | |
| self.input.seek(0, 0) | |
| info_dec = self.input.read(0x20) | |
| info_dec = self._decripter(info_dec) | |
| a = int(info_dec[1*0x4:][:0x4]) | |
| b = int(info_dec[2*0x4:][:0x4]) | |
| c = int(info_dec[3*0x4:][:0x4]) | |
| max_files = b + c + 1 | |
| idx = 0 | |
| output = [] | |
| while max_files > idx: | |
| idx += 1 | |
| part = self._decrypt_bytes(self.input.read(0x20)) | |
| print('part:', part) | |
| filename = bytes_to_bstr(part[:3*0x4]) | |
| offset = int(part[0x10:]) | |
| next_pos = self.input.tell() + offset | |
| file_data = self._decrypt_bytes(self.input.read(offset)) | |
| print('file_data:', file_data[:0x100]) | |
| # print(filename, offset) | |
| # print(file_data[:0x100]) | |
| output.append({ | |
| 'filename': filename, | |
| 'data': file_data, | |
| }) | |
| self.input.seek(next_pos, 0) | |
| return output | |
| def parser_sdit(self, input: io.BytesIO): | |
| header = input.read(8) | |
| print('header', header) | |
| # part = input.read(4) | |
| # print('part', part) | |
| # print('part', part[:2]) | |
| # part = input.read(0x1c) | |
| # print('part', part) | |
| # 0x30 | |
| data = input.read() | |
| print('data:', data) | |
| for i in range(0, len(data), 0x30): | |
| print('data_part', data[i:i+0x30].hex()) | |
| def parser_PEAKS(self, input: io.BytesIO, filename: str): | |
| print() | |
| print('[#]filename:', filename) | |
| header = input.read(0x20) | |
| # int32_t var_3c = r5 + 4 | |
| # get_8_data(&var_3c, out + 4) | |
| # get_8_data(&var_3c, out + 5) | |
| # get_8_data(&var_3c, out + 6) | |
| # get_8_data(&var_3c, out + 7) | |
| # get_32_data(&var_3c, out + 8) | |
| # get_32_data(&var_3c, out + 0xc) | |
| # get_32_data(&var_3c, out + 0x10) | |
| # get_32_data(&var_3c, out + 0x14) | |
| # get_32_data(&var_3c, out + 0x18) | |
| # get_16_data(&var_3c, out + 0x1c) | |
| header = header[0x4:0x1c+0x2] | |
| print('[#]header:', header) | |
| part = input.read(0x10) | |
| # (+0x10) - 0x200 lub 0x0 | |
| # get_16_data(indata, &var_30) # 0x0 0x2 (+0) | |
| # get_8_data(indata, &var_30:2) # 0x2 0x1 (+2) | |
| # get_8_data(indata, &var_30:3) # 0x3 0x1 (+3) | |
| # get_32_data(indata, &rsize) # 0x4 0x4 (+4) (-arg4) -0x200 | -0x0 | |
| # get_32_data(indata, &crclen) # 0x8 0x4 (+8) | |
| # get_32_data(indata, &crc) # 0xc 0x4 (+0xc) | |
| flags = part[0x2:][:0x1] | |
| flags = u8(flags, endian='big') | |
| print('[#]flags:', flags) | |
| need_decipher = flags & 2 != 0 | |
| need_decompress = flags & 1 != 0 | |
| print('[#]need_decipher:', need_decipher) | |
| print('[#]need_decompress:', need_decompress) | |
| file_type = part[0x3:][:0x1] | |
| file_type = u8(file_type, endian='big') | |
| print('[#]file_type:', file_type) | |
| size = part[0x4:][:0x4] | |
| size = u32(size, endian='big') | |
| print('[#]size:', hex(size), size) | |
| crclen = part[0x8:][:0x4] | |
| crclen = u32(crclen, endian='big') | |
| print('[#]crclen:', hex(crclen), crclen) | |
| crchash = part[0xc:][:0x4] | |
| crchash = u32(crchash, endian='big') | |
| print('[#]crc:', hex(crchash), crchash) | |
| file_buf = input.read(size) | |
| print('[#]buf_size:', hex(len(file_buf)), len(file_buf)) | |
| print('[1]file_buf:', hex(len(file_buf)), file_buf[:0x20]) | |
| if need_decipher: | |
| file_buf = self._decripter(file_buf) | |
| print('[2]file_buf:', hex(len(file_buf)), file_buf[:0x20]) | |
| if need_decompress: | |
| file_buf = zlib.decompress(file_buf) | |
| print('[3]file_buf:', hex(len(file_buf)), file_buf[:0x20]) | |
| crchash_check = crc_calc().run(file_buf, crclen) | |
| is_crc_correct = crchash == crchash_check | |
| print('[*]crc', hex(crchash_check), crchash_check, is_crc_correct) | |
| if not is_crc_correct: | |
| raise ValueError('crc not valid') | |
| return file_buf | |
| def verify_bin(self) -> bool: | |
| self.input.seek(-0x80, 2) | |
| sig_expected = self.input.read(0x80) | |
| print('sig_expected', sig_expected) | |
| self.input.seek(0, 0) | |
| if sig_expected == b'\x00'*0x80: # fake sig | |
| return True | |
| calc_sig = SHA1.new() | |
| calc_sig.update(self.input.getvalue()[:-0x80]) | |
| n = int('0x'+self.sig_key[:0x80].hex(), 16) | |
| e = int('0x'+self.sig_key[0x80:].hex(), 16) | |
| rsa_key = RSA.construct((n, e)) | |
| hash_verify = pkcs1_15.new(rsa_key) | |
| try: | |
| hash_verify.verify(calc_sig, sig_expected) | |
| except ValueError: | |
| return False | |
| return True | |
| def run(self): | |
| v = self.verify_bin() | |
| print('[#]verify_bin:', v) | |
| if not v: | |
| raise ValueError('not valid verify!!!') | |
| # SDIT.FDI -> ENC_SDIT.TDI -> DECRYPT.tmp -> SDIT.TDI | |
| list_parts = self.decode_all() | |
| out_alls = [] | |
| for row in list_parts: | |
| if row['filename'] == b'SDIT.FDI': | |
| elif bytes(row['filename']).startswith(b'PEAKS.F'): | |
| payload_decoded = self.parser_PEAKS(io.BytesIO(row['data']), row['filename'].decode()) | |
| out_alls.append(payload_decoded) | |
| out_all = b'' | |
| for data in out_alls: | |
| print('part_header:', data[:14].hex()) | |
| out_all += data[14:] | |
| open('/tmp/decoded.blob', 'wb').write(out_all) | |
| # binwalk /tmp/decoded.blob | |
| # python3 -c "open('/tmp/root.squashfs', 'wb').write(open('/tmp/decoded.blob', 'rb').read()[0x1600000:])" | |
| # sqfs2tar /tmp/root.squashfs > /tmp/root.tar | |
| # 7z l /tmp/root.tar | grep flag | |
| # 7z e /tmp/root.tar flag.txt.zlib | |
| # python3 -c "import zlib; print(zlib.decompress(open('flag.txt.zlib', 'rb').read()))" | |
| # /tmp/firmware.blob = d777f3b2f372d0ccf840beb0d7d5a66d | |
| FirmwareFile( | |
| file=io.BytesIO(open('/tmp/firmware.blob', 'rb').read()), | |
| tmp_name='firmware.blob', | |
| crypto_key=b'\xc8>n@C\x97\x0b%J\xa4\x8d\xc7\x88\xb9\t\x15$\x7f\x01F\xb1\x03\xf4\x82\x9f\r\t\x0c\xfcn[\x99', | |
| ).run() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment