Advertisement
Guest User

Untitled

a guest
Jun 28th, 2016
80
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.55 KB | None | 0 0
  1. #!/usr/bin/python
  2.  
  3. import sys
  4. from keystone import *
  5. from unicorn import *
  6. from unicorn.arm_const import *
  7. from capstone import *
  8. from capstone.arm import *
  9. from capstone.x86 import *
  10.  
  11. # architectures and modes for the assembler, disassembler, and emulator
  12. ks_arch = KS_ARCH_ARM
  13. ks_mode = KS_MODE_THUMB
  14. cs_arch = CS_ARCH_ARM
  15. cs_mode = CS_MODE_THUMB
  16. emu_arch = UC_ARCH_ARM
  17. emu_mode = UC_MODE_THUMB
  18.  
  19. # declare assembler, disassembler, and emulator objects
  20. ks = Ks(ks_arch, ks_mode)
  21. cs = Cs(cs_arch, cs_mode)
  22. cs_arm = Cs(cs_arch, CS_MODE_ARM)
  23. emu = Uc(emu_arch, emu_mode)
  24.  
  25. # the program
  26. code = 'eors r0, r0;'
  27. code += 'adds r0, #0x42;'
  28. code += 'mov r1, #0x1111;'
  29. code += 'movt r1, #0x1111;'
  30. code += 'mov r2, #0x2222;'
  31. code += 'movt r2, #0x2222;'
  32. code += 'push {r0, r1, r2};'
  33. code += 'pop {r3};'
  34.  
  35. # callback for tracing instructions
  36. def hook_code(uc, address, size, user_data):
  37. #global cs
  38. #print 'address = 0x{:x}, size = {}'.format(address, size)
  39. code = uc.mem_read(address, size)
  40. code = ''.join(map(chr, code))
  41. asm = list(cs.disasm(code, size))
  42. if len(asm) == 0:
  43. print '>>> 0x{:x}\t{}\tdisasm failure'.format(address, code.encode('hex'))
  44. for ins in asm:
  45. print '>>> 0x{:x}\t{}\t{} {}'.format(address, code.encode('hex'), ins.mnemonic, ins.op_str)
  46.  
  47. def hook_intr(uc, intno, user_data):
  48. print 'Interrupt 0x{:x}'.format(intno)
  49.  
  50. def dumpSimple(mu):
  51. sp = mu.reg_read(UC_ARM_REG_SP)
  52. pc = mu.reg_read(UC_ARM_REG_PC)
  53. lr = mu.reg_read(UC_ARM_REG_LR)
  54. r0 = mu.reg_read(UC_ARM_REG_R0)
  55. r1 = mu.reg_read(UC_ARM_REG_R1)
  56. r2 = mu.reg_read(UC_ARM_REG_R2)
  57. r3 = mu.reg_read(UC_ARM_REG_R3)
  58. print 'SP = 0x{:08x}'.format(sp)
  59. print 'PC = 0x{:08x}'.format(pc)
  60. print 'LR = 0x{:08x}'.format(lr)
  61. print 'R0 = 0x{:08x}'.format(r0)
  62. print 'R1 = 0x{:08x}'.format(r1)
  63. print 'R2 = 0x{:08x}'.format(r2)
  64. print 'R3 = 0x{:08x}'.format(r3)
  65.  
  66. def dumpMem(mu, addr, size):
  67. x = mu.mem_read(addr, size)
  68. x = ''.join(map(chr, x))
  69. wrap = 16
  70. group = 4
  71. for i in xrange(0, len(x), wrap):
  72. k = i + wrap if i + wrap < len(x) else len(x)
  73. sys.stdout.write('0x{:x} | '.format(addr+i))
  74. for j in xrange(i, k):
  75. sys.stdout.write('{}'.format(x[j].encode('hex')))
  76. if j % group == group-1: sys.stdout.write(' ')
  77. sys.stdout.write('\n')
  78.  
  79. # assemble the program
  80. thumb_code, count = ks.asm(code)
  81. # convert list to str for emulator
  82. thumb_code = ''.join(map(chr, thumb_code))
  83.  
  84. # emulator setup
  85. emu.hook_add(UC_HOOK_CODE, hook_code)
  86. emu.hook_add(UC_HOOK_INTR, hook_intr)
  87. text_base = 0x1000
  88. text_size = 0x1000
  89. stack_base = 0xf000
  90. stack_size = 0x1000
  91. emu.mem_map(text_base, text_size)
  92. emu.mem_write(text_base, thumb_code)
  93. emu.mem_map(stack_base, stack_size)
  94. emu.mem_write(stack_base, '\x00'*stack_size)
  95. # initialize registers
  96. emu.reg_write(UC_ARM_REG_SP, stack_base + 0xff0)
  97. emu.reg_write(UC_ARM_REG_R0, 0x1234)
  98. emu.reg_write(UC_ARM_REG_R1, 0x5678)
  99. emu.reg_write(UC_ARM_REG_R2, 0xdead)
  100. emu.reg_write(UC_ARM_REG_R3, 0xbeef)
  101. emu.reg_write(UC_ARM_REG_R4, 0xcafe)
  102. emu.reg_write(UC_ARM_REG_R5, 0xbabe)
  103. emu.reg_write(UC_ARM_REG_R6, 0x1337)
  104. emu.reg_write(UC_ARM_REG_R7, 0xfeed)
  105. emu.reg_write(UC_ARM_REG_R8, 0xface)
  106. emu.reg_write(UC_ARM_REG_R9, 0xbaad)
  107. emu.reg_write(UC_ARM_REG_R10, 0xd00d)
  108. emu.reg_write(UC_ARM_REG_R11, 0xcaa7)
  109.  
  110. print '--- Start context ---'
  111. dumpSimple(emu)
  112. dumpMem(emu, stack_base + 0xfd0, 0x20)
  113. print '\nStarting emulator...'
  114. emu.emu_start(text_base, text_base + len(thumb_code))
  115. print '\n--- End context ---'
  116. dumpSimple(emu)
  117. print '\n--- Stack View ---'
  118. dumpMem(emu, stack_base + 0xfd0, 0x20)
  119.  
  120. print '\n--- Dead listing ---'
  121. asm = list(cs.disasm(thumb_code, len(thumb_code)))
  122. for ins in asm:
  123. print '>>> {} {}'.format(ins.mnemonic, ins.op_str)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement