pintool bruteforce key
#include "pin.H"
#include <fstream>
#include <iostream>
using namespace std;
// Output-file knob. `outFile` is never opened in this revision: the only
// reference to it is the commented-out fini hook further down.
KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool", "o", "pin.out",
                            "specify output file name");
std::ofstream outFile;

// Address window used by the (commented-out) instruction tracer.
ADDRINT l;
ADDRINT h;

// Routine addresses resolved by img_load once the main executable is loaded.
AFUNPTR rename_ptr = nullptr;
AFUNPTR salsa_crypt_ptr = nullptr;
AFUNPTR srandom_ptr = nullptr;
AFUNPTR rand_ptr = nullptr;

// 82 (0x52) characters; foo_start picks key bytes as keyspace[rand() % 0x52],
// so the modulus and this length must stay in step.
char keyspace[] =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx"
    "yz!@#$%^&<>,.*()-+=;%?";
// Candidate key buffer; only the first 32 bytes are ever written.
char key[0x40];

// Ciphertext, expected plaintext and the known key the seed search compares
// each candidate against.
const char ct[] = "\x87\x75\x41\x7d\x7c\x5f\x69\xee\xa2";
const char pt[] = "Sudhakar\n";
const char kkey[] = "gL5L=5f)=eOPUGFLuwjMj%cGWhrYjtF7";
// samples
//   t : 0x63a55862
//   p : 0x2794
//   s : 0xcc0e06a8
//   k : NubT5C<>BY=Sm=oXX%E%5=A,$u>$4RfU
// Scratch copy of ct, sized to match it.
char ctw[9];
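// Derives the 32-byte candidate key for `seed` into the global `key`
// (srand, then 32 draws of rand() % 0x52 over the 82-character keyspace) and
// reports whether it equals the known key `kkey`.
// Assumes the tool's own srand/rand behave like the target's; the original
// cross-check through PIN_CallApplicationFunction(srandom_ptr/rand_ptr) was
// left commented out, so this is unverified here -- TODO confirm if no seed
// is ever found.
static bool seed_yields_known_key(unsigned int seed) {
  srand(seed);
  for (int i = 0; i < 32; i++) {
    key[i] = keyspace[rand() % 0x52];
  }
  return memcmp(key, kkey, 32) == 0;
}

// Analysis routine inserted after the target's main() (see img_load).
// Enumerates seeds of the form (start_time + delta) * pid over one day of
// timestamps and pids below 0x8000, prints the first seed whose derived key
// equals `kkey`, and returns; prints only progress lines if nothing matches.
//
// `tid` and `ctxt` are unused: the decrypt-and-compare path that needed them
// (memcpy ct into ctw, call salsa_crypt_ptr via PIN_CallApplicationFunction,
// memcmp against pt) sat after an if/else whose both branches left the loop
// iteration, so it could never run and has been removed.
VOID foo_start(THREADID tid, CONTEXT *ctxt) {
  (void)tid;
  (void)ctxt;
  fprintf(stdout, "callsetup\n");
  const int start_time = 1671563042; // 2022-12-20 19:04:02 +0000
  for (unsigned delta = 0; delta < 24 * 60 * 60; delta++) {
    const int time = delta + start_time;
    fprintf(stdout, "delta : %x\n", delta); // progress, once per second of the window
    for (unsigned int pid = 1; pid < 0x8000; pid++) {
      // int * unsigned is evaluated as unsigned, so the product wraps instead
      // of overflowing a signed int; srand takes unsigned anyway.
      const unsigned int seed = time * pid;
      if (seed_yields_known_key(seed)) {
        fprintf(stdout, "seed : %x\n", seed);
        return;
      }
    }
  }
}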
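// Resolves routine `rtnName` in `img` to a callable address.
// Aborts the tool through Pin's ASSERT when the routine is missing, naming
// it in the message. The message is built as a std::string explicitly:
// the original `"literal" + rtnName` is pointer + pointer, and only compiled
// because the ASSERT macro's expansion happened to prepend a std::string.
AFUNPTR rtn_addr(IMG img, const char *rtnName) {
  RTN r = RTN_FindByName(img, rtnName);
  ASSERT(RTN_Valid(r), std::string("Failed to find RTN ") + rtnName);
  return reinterpret_cast<AFUNPTR>(RTN_Address(r));
}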
// Image-load instrumentation callback registered from main(). Acts only on
// the main executable: resolves the four routines named below into the
// global function-pointer slots, then hooks main() so that foo_start runs
// at its IPOINT_AFTER with the thread id and register context.
// `v` is the opaque value passed at registration and is unused.
VOID img_load(IMG img, VOID *v) {
  (void)v;
  if (IMG_IsMainExecutable(img)) {
    rename_ptr = rtn_addr(img, "_Z22salsa20_256_yes_renamePv");
    salsa_crypt_ptr = rtn_addr(img, "_Z14s20_crypt256_2PhjS_j");
    srandom_ptr = rtn_addr(img, "srandom");
    rand_ptr = rtn_addr(img, "rand");

    RTN main_rtn = RTN_FindByName(img, "main");
    ASSERTX(RTN_Valid(main_rtn)); // rtn_addr is not used here: no message needed
    RTN_Open(main_rtn);
    RTN_InsertCall(main_rtn, IPOINT_AFTER, reinterpret_cast<AFUNPTR>(foo_start),
                   IARG_THREAD_ID, IARG_CONTEXT, IARG_END);
    RTN_Close(main_rtn);
  }
}
// VOID dump(UINT64 insAddr, std::string insDis) {
// std::cout << std::hex << insAddr << " : " << insDis << std::endl;
// }
// VOID callback_instruction(INS ins, VOID *v) {
// if (INS_Address(ins) >= l && INS_Address(ins) <= h) {
// INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)dump, IARG_ADDRINT,
// INS_Address(ins), IARG_PTR, new string(INS_Disassemble(ins)),
// IARG_END);
// }
// }
// VOID fini(INT32 code, VOID *v) { outFile.close(); }
// Tool entry point: initializes Pin and its symbol support, registers
// img_load as the image-load instrumentation callback, and hands control to
// the application. Pin documents PIN_StartProgram() as not returning, so the
// exit call and return below are not expected to execute.
int main(int argc, char *argv[]) {
  PIN_Init(argc, argv);
  PIN_InitSymbols();
  IMG_AddInstrumentFunction(img_load, nullptr);
  // INS_AddInstrumentFunction(callback_instruction, 0);
  // PIN_AddFiniFunction(fini, 0);
  PIN_StartProgram();
  PIN_ExitApplication(0);
  return 0;
}
##############################################################
#
# DO NOT EDIT THIS FILE!
#
##############################################################
# If the tool is built out of the kit, PIN_ROOT must be specified in the make invocation and point to the kit root.
ifdef PIN_ROOT
CONFIG_ROOT := $(PIN_ROOT)/source/tools/Config
else
CONFIG_ROOT := ../Config
endif
# Kit configuration first (presumably where TOOLS_ROOT is defined), then this
# tool's own makefile.rules, then the kit's default build and test rules.
include $(CONFIG_ROOT)/makefile.config
include makefile.rules
include $(TOOLS_ROOT)/Config/makefile.default.rules
##############################################################
#
# DO NOT EDIT THIS FILE!
#
##############################################################
##############################################################
#
# This file includes all the test targets as well as all the
# non-default build rules and test recipes.
#
##############################################################
##############################################################
#
# Test targets
#
##############################################################
###### Place all generic definitions here ######
# This defines tests which run tools of the same name. This is simply for convenience to avoid
# defining the test name twice (once in TOOL_ROOTS and again in TEST_ROOTS).
# Tests defined here should not be defined in TOOL_ROOTS and TEST_ROOTS.
# cartarget is the only tool built here; the make invocation at the end of
# the page builds it as obj-intel64/cartarget.so.
TEST_TOOL_ROOTS := cartarget
# This defines the tests to be run that were not already defined in TEST_TOOL_ROOTS.
TEST_ROOTS :=
# This defines a list of tests that should run in the "short" sanity. Tests in this list must also
# appear either in the TEST_TOOL_ROOTS or the TEST_ROOTS list.
# If the entire directory should be tested in sanity, assign TEST_TOOL_ROOTS and TEST_ROOTS to the
# SANITY_SUBSET variable in the tests section below (see example in makefile.rules.tmpl).
SANITY_SUBSET :=
# This defines the tools which will be run during the tests, and were not already defined in
# TEST_TOOL_ROOTS.
TOOL_ROOTS :=
# This defines the static analysis tools which will be run during the tests. They should not
# be defined in TEST_TOOL_ROOTS. If a test with the same name exists, it should be defined in
# TEST_ROOTS.
# Note: Static analysis tools are in fact executables linked with the Pin Static Analysis Library.
# This library provides a subset of the Pin APIs which allows the tool to perform static analysis
# of an application or dll. Pin itself is not used when this tool runs.
SA_TOOL_ROOTS :=
# This defines all the applications that will be run during the tests.
APP_ROOTS :=
# This defines any additional object files that need to be compiled.
OBJECT_ROOTS :=
# This defines any additional dlls (shared objects), other than the pintools, that need to be compiled.
DLL_ROOTS :=
# This defines any static libraries (archives), that need to be built.
LIB_ROOTS :=
##############################################################
#
# Test recipes
#
##############################################################
# This section contains recipes for tests other than the default.
# See makefile.default.rules for the default test rules.
# All tests in this section should adhere to the naming convention: <testname>.test
##############################################################
#
# Build rules
#
##############################################################
# This section contains the build rules for all binaries that have special build rules.
# See makefile.default.rules for the default build rules.

$ PIN_ROOT=/home/sudhakar/tools/pin make -e obj-intel64/cartarget.so
