Unicorn-Engine on PseudorandomDog's Blog https://binarydog.top/tags/unicorn-engine/ Recent content in Unicorn-Engine on PseudorandomDog's Blog Hugo zh-CN Mon, 22 May 2023 00:00:00 +0000 AntCTF-D3CTF2023 RE Writeup https://binarydog.top/posts/ctf/antctf-d3ctf2023-re-writeup/ Mon, 22 May 2023 00:00:00 +0000 https://binarydog.top/posts/ctf/antctf-d3ctf2023-re-writeup/ <h2 class="heading" id="d3sky"> d3sky <a class="anchor" href="#d3sky">#</a> </h2> <pre tabindex="0"><code>Beautiful sky~ </code></pre><p>main 函数很简单,sub_401190 是 RC4</p> <ul> <li>数据的位宽是两字节,XOR 时只解密最低字节</li> <li>每次调用加密函数 i 和 j 都会重新设置,但 sbox 的状态是继承的</li> </ul> <p> <figure class=""> <div class="img-container" > <img loading="lazy" alt="" src="https://binarydog.top/images/image-1761224724309.webp" > </div> </figure> </p> <p>对 sbox 做交叉引用可以找到一个 TLS 回调函数 <em>sub_401050</em></p> <p>该函数里引用了 RC4 的密钥,并通过除零异常触发 SEH 拼接最终的密钥 YunZh1JunAlkaid</p> <p> <figure class=""> <div class="img-container" > <img loading="lazy" alt="" src="https://binarydog.top/images/image-1761224767680.webp" > </div> </figure> </p> <p> <figure class=""> <div class="img-container" > <img loading="lazy" alt="" src="https://binarydog.top/images/image-1761224772461.webp" > </div> </figure> </p> <p>回看 main 函数可以看到 data 数组其实是一个状态机,这个状态机除了输入、输出之外只有一种指令 NAND</p> <p>回顾一下 NAND 的自足性:</p> <ul> <li>$\neg A \equiv \neg(A \land A)$</li> <li>$A \land B \equiv \neg (\neg (A \land B))$</li> <li>$A \lor B \equiv \neg(\neg A \land \neg B)$</li> </ul> <p>所以实际上作者的设计就是一个单指令的虚拟机</p> <p>手动打 log</p> <div class="highlight"><pre tabindex="0" style="color:#abb2bf;background-color:#282c34;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#c678dd">from</span> <span style="color:#e06c75">pwn</span> <span style="color:#c678dd">import</span> <span style="color:#e06c75">u16</span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">from</span> <span style="color:#e06c75">Crypto.Util.number</span> <span style="color:#c678dd">import</span> <span style="color:#e06c75">long_to_bytes</span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">import</span> <span style="color:#e06c75">z3</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">fp</span> <span style="color:#56b6c2">=</span> <span style="color:#e5c07b">open</span>(<span style="color:#98c379">&#34;data.bin&#34;</span>, <span style="color:#98c379">&#34;rb&#34;</span>) </span></span><span style="display:flex;"><span><span style="color:#e06c75">data</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">fp</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">read</span>() </span></span><span style="display:flex;"><span><span style="color:#e06c75">fp</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">close</span>() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">state</span> <span style="color:#56b6c2">=</span> [<span style="color:#e06c75">u16</span>(<span style="color:#e06c75">data</span>[<span style="color:#e06c75">i</span> : <span style="color:#e06c75">i</span> <span style="color:#56b6c2">+</span> <span style="color:#d19a66">2</span>]) <span style="color:#c678dd">for</span> <span style="color:#e06c75">i</span> <span style="color:#56b6c2">in</span> <span style="color:#e5c07b">range</span>(<span style="color:#d19a66">0</span>, <span style="color:#e5c07b">len</span>(<span style="color:#e06c75">data</span>), <span style="color:#d19a66">2</span>)] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">def</span> <span style="color:#61afef;font-weight:bold">rc4_ksa</span>(<span style="color:#e06c75">key</span>): </span></span><span style="display:flex;"><span> <span style="color:#e06c75">sbox</span> <span style="color:#56b6c2">=</span> <span style="color:#e5c07b">bytearray</span>(<span style="color:#e5c07b">range</span>(<span style="color:#d19a66">256</span>)) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">j</span> <span style="color:#56b6c2">=</span> <span style="color:#d19a66">0</span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">for</span> <span style="color:#e06c75">i</span> <span style="color:#56b6c2">in</span> <span style="color:#e5c07b">range</span>(<span style="color:#d19a66">256</span>): </span></span><span style="display:flex;"><span> <span style="color:#e06c75">j</span> <span style="color:#56b6c2">=</span> (<span style="color:#e06c75">j</span> <span style="color:#56b6c2">+</span> <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">i</span>] <span style="color:#56b6c2">+</span> <span style="color:#e5c07b">ord</span>(<span style="color:#e06c75">key</span>[<span style="color:#e06c75">i</span> <span style="color:#56b6c2">%</span> <span style="color:#e5c07b">len</span>(<span style="color:#e06c75">key</span>)])) <span style="color:#56b6c2">%</span> <span style="color:#d19a66">256</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">i</span>], <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">j</span>] <span style="color:#56b6c2">=</span> <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">j</span>], <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">i</span>] </span></span><span style="display:flex;"><span> <span style="color:#c678dd">return</span> <span style="color:#e06c75">sbox</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">def</span> <span style="color:#61afef;font-weight:bold">rc4</span>(<span style="color:#e06c75">sbox</span>, <span style="color:#e06c75">msg</span>, <span style="color:#e06c75">idx</span>, <span style="color:#e06c75">length</span>): </span></span><span style="display:flex;"><span> <span style="color:#e06c75">i</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">j</span> <span style="color:#56b6c2">=</span> <span style="color:#d19a66">0</span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">for</span> <span style="color:#e06c75">k</span> <span style="color:#56b6c2">in</span> <span style="color:#e5c07b">range</span>(<span style="color:#e06c75">length</span>): </span></span><span style="display:flex;"><span> <span style="color:#e06c75">i</span> <span style="color:#56b6c2">=</span> (<span style="color:#e06c75">i</span> <span style="color:#56b6c2">+</span> <span style="color:#d19a66">1</span>) <span style="color:#56b6c2">%</span> <span style="color:#d19a66">256</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">j</span> <span style="color:#56b6c2">=</span> (<span style="color:#e06c75">j</span> <span style="color:#56b6c2">+</span> <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">i</span>]) <span style="color:#56b6c2">%</span> <span style="color:#d19a66">256</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">i</span>], <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">j</span>] <span style="color:#56b6c2">=</span> <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">j</span>], <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">i</span>] </span></span><span style="display:flex;"><span> <span style="color:#e06c75">x</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">sbox</span>[(<span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">i</span>] <span style="color:#56b6c2">+</span> <span style="color:#e06c75">sbox</span>[<span style="color:#e06c75">j</span>]) <span style="color:#56b6c2">%</span> <span style="color:#d19a66">256</span>] </span></span><span style="display:flex;"><span> <span style="color:#e06c75">msg</span>[<span style="color:#e06c75">idx</span> <span style="color:#56b6c2">+</span> <span style="color:#e06c75">k</span>] <span style="color:#56b6c2">^=</span> <span style="color:#e06c75">x</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">box</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">rc4_ksa</span>(<span style="color:#98c379">&#34;YunZh1JunAlkaid&#34;</span>) </span></span><span style="display:flex;"><span><span style="color:#e06c75">rc4</span>(<span style="color:#e06c75">box</span>, <span style="color:#e06c75">state</span>, <span style="color:#d19a66">2772</span>, <span style="color:#d19a66">74</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">def</span> <span style="color:#61afef;font-weight:bold">play</span>(): </span></span><span style="display:flex;"><span> <span style="color:#c678dd">global</span> <span style="color:#e06c75">flags</span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">global</span> <span style="color:#e06c75">state</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">cnt</span> <span style="color:#56b6c2">=</span> <span style="color:#d19a66">0</span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">while</span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">0</span>] <span style="color:#56b6c2">!=</span> <span style="color:#d19a66">0xFFFF</span>: </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">2</span>] <span style="color:#56b6c2">==</span> <span style="color:#d19a66">1</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">2</span>] <span style="color:#56b6c2">=</span> <span style="color:#d19a66">0</span> </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#98c379">f</span><span style="color:#98c379">&#34;Says: </span><span style="color:#98c379">{</span><span style="color:#e5c07b">chr</span>(<span style="color:#e06c75">state</span>[<span style="color:#d19a66">3</span>])<span style="color:#98c379">}</span><span style="color:#98c379">&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">7</span>] <span style="color:#56b6c2">==</span> <span style="color:#d19a66">1</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">7</span>] <span style="color:#56b6c2">==</span> <span style="color:#d19a66">0</span> </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#98c379">&#34;Reads one byte from stdin&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">cnt</span> <span style="color:#56b6c2">+=</span> <span style="color:#d19a66">1</span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e06c75">cnt</span> <span style="color:#56b6c2">==</span> <span style="color:#d19a66">37</span> <span style="color:#56b6c2">and</span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">8</span>] <span style="color:#56b6c2">!=</span> <span style="color:#d19a66">126</span>: </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#98c379">f</span><span style="color:#98c379">&#34;Says: Wrong! (But I don&#39;t care)&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">19</span>] <span style="color:#56b6c2">!=</span> <span style="color:#d19a66">0</span>: </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#98c379">f</span><span style="color:#98c379">&#34;Says: Wrong! (But I don&#39;t care)&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">19</span>] <span style="color:#56b6c2">=</span> <span style="color:#d19a66">0</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">idx</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">0</span>] </span></span><span style="display:flex;"><span> <span style="color:#e06c75">rc4</span>(<span style="color:#e06c75">box</span>, <span style="color:#e06c75">state</span>, <span style="color:#e06c75">idx</span>, <span style="color:#d19a66">3</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">t0</span>, <span style="color:#e06c75">t1</span>, <span style="color:#e06c75">t2</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">state</span>[<span style="color:#e06c75">idx</span>], <span style="color:#e06c75">state</span>[<span style="color:#e06c75">idx</span> <span style="color:#56b6c2">+</span> <span style="color:#d19a66">1</span>], <span style="color:#e06c75">state</span>[<span style="color:#e06c75">idx</span> <span style="color:#56b6c2">+</span> <span style="color:#d19a66">2</span>] </span></span><span style="display:flex;"><span> <span style="color:#e06c75">state</span>[<span style="color:#d19a66">0</span>] <span style="color:#56b6c2">=</span> <span style="color:#e06c75">idx</span> <span style="color:#56b6c2">+</span> <span style="color:#d19a66">3</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">rc4</span>(<span style="color:#e06c75">box</span>, <span style="color:#e06c75">state</span>, <span style="color:#e06c75">idx</span>, <span style="color:#d19a66">3</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">state</span>[<span style="color:#e06c75">t2</span>] <span style="color:#56b6c2">=</span> (<span style="color:#56b6c2">~</span>(<span style="color:#e06c75">state</span>[<span style="color:#e06c75">t0</span>] <span style="color:#56b6c2">&amp;</span> <span style="color:#e06c75">state</span>[<span style="color:#e06c75">t1</span>])) <span style="color:#56b6c2">&amp;</span> <span style="color:#d19a66">0xFFFF</span> </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#98c379">f</span><span style="color:#98c379">&#34;</span><span style="color:#98c379">{</span><span style="color:#e06c75">idx</span><span style="color:#98c379">}</span><span style="color:#98c379">:</span><span style="color:#98c379">\t</span><span style="color:#98c379">nand</span><span style="color:#98c379">\t</span><span style="color:#98c379">[</span><span style="color:#98c379">{</span><span style="color:#e06c75">t2</span><span style="color:#98c379">}</span><span style="color:#98c379">], [</span><span style="color:#98c379">{</span><span style="color:#e06c75">t0</span><span style="color:#98c379">}</span><span style="color:#98c379">], [</span><span style="color:#98c379">{</span><span style="color:#e06c75">t1</span><span style="color:#98c379">}</span><span style="color:#98c379">]&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">play</span>() </span></span><span style="display:flex;"><span><span style="color:#e06c75">exit</span>(<span style="color:#d19a66">0</span>) </span></span></code></pre></div><p>下面是输出截取的一部分,可以看到 519 到 528 是在转储位于地址 8 的输入到地址 2807;531 到 579 是地址 2772, 2773, 2774, 2775 的 XOR;582 到 594 是把上一步的结果和地址 2809 比较</p> GDGAlgiersCTF2022 https://binarydog.top/posts/ctf/gdgalgiersctf2022/ Wed, 12 Oct 2022 00:00:00 +0000 https://binarydog.top/posts/ctf/gdgalgiersctf2022/ <h2 class="heading" id="traditions"> Traditions <a class="anchor" href="#traditions">#</a> </h2> <p>假随机,种子 0x7E6</p> <div class="highlight"><pre tabindex="0" style="color:#abb2bf;background-color:#282c34;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#c678dd">import</span> <span style="color:#e06c75">ctypes</span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">libc</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">ctypes</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">CDLL</span>(<span style="color:#98c379">&#34;libc.so.6&#34;</span>) </span></span><span style="display:flex;"><span><span style="color:#e06c75">libc</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">srand</span>(<span style="color:#d19a66">0x7E6</span>) </span></span><span style="display:flex;"><span><span style="color:#e06c75">stream</span> <span style="color:#56b6c2">=</span> [<span style="color:#e06c75">libc</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">rand</span>() <span style="color:#c678dd">for</span> <span style="color:#e06c75">i</span> <span style="color:#56b6c2">in</span> <span style="color:#e5c07b">range</span>(<span style="color:#d19a66">47</span>)] </span></span></code></pre></div><h2 class="heading" id="oldschool"> Oldschool <a class="anchor" href="#oldschool">#</a> </h2> <pre tabindex="0"><code>You&#39;ll probably recognize this format just by looking at the size of the binary file. </code></pre><p>512 字节的 MBR 块</p> <p>BIOS 会将 MBR 装载到 0x10000 的地址空间中,起始地址为 0x7C00</p> <p>MBR 部分以程序指针被置零结束</p> <p>这里使用 unicorn 加载并调试</p> <div class="highlight"><pre tabindex="0" style="color:#abb2bf;background-color:#282c34;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#c678dd">from</span> <span style="color:#e06c75">unicorn</span> <span style="color:#c678dd">import</span> <span style="color:#56b6c2">*</span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">from</span> <span style="color:#e06c75">unicorn.x86_const</span> <span style="color:#c678dd">import</span> <span style="color:#56b6c2">*</span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">from</span> <span style="color:#e06c75">capstone</span> <span style="color:#c678dd">import</span> <span style="color:#56b6c2">*</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">base_addr</span> <span style="color:#56b6c2">=</span> <span style="color:#d19a66">0x7C00</span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">entry_point</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">base_addr</span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">mem_size</span> <span style="color:#56b6c2">=</span> <span style="color:#d19a66">0x10000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">with</span> <span style="color:#e5c07b">open</span>(<span style="color:#98c379">&#34;oldschool&#34;</span>, <span style="color:#98c379">&#34;rb&#34;</span>) <span style="color:#c678dd">as</span> <span style="color:#e06c75">fp</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mbr</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">fp</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">read</span>() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">def</span> <span style="color:#61afef;font-weight:bold">emu</span>(<span style="color:#e06c75">flag</span>): </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">Uc</span>(<span style="color:#e06c75">UC_ARCH_X86</span>, <span style="color:#e06c75">UC_MODE_16</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">md</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">Cs</span>(<span style="color:#e06c75">CS_ARCH_X86</span>, <span style="color:#e06c75">CS_MODE_16</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">mem_map</span>(<span style="color:#d19a66">0</span>, <span style="color:#e06c75">mem_size</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">mem_write</span>(<span style="color:#e06c75">base_addr</span>, <span style="color:#e06c75">mbr</span>[:<span style="color:#d19a66">512</span>]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu_stdin</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">flag</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu_stdout</span> <span style="color:#56b6c2">=</span> [] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">def</span> <span style="color:#61afef;font-weight:bold">hook_code</span>(<span style="color:#e06c75">mu</span>, <span style="color:#e06c75">address</span>, <span style="color:#e06c75">size</span>, <span style="color:#e06c75">user_data</span>): </span></span><span style="display:flex;"><span> <span style="color:#c678dd">nonlocal</span> <span style="color:#e06c75">md</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">code</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">mem_read</span>(<span style="color:#e06c75">address</span>, <span style="color:#e06c75">size</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">insns</span> <span style="color:#56b6c2">=</span> <span style="color:#e5c07b">list</span>(<span style="color:#e06c75">md</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">disasm</span>(<span style="color:#e5c07b">bytes</span>(<span style="color:#e06c75">code</span>), <span style="color:#e06c75">address</span>, <span style="color:#e06c75">count</span><span style="color:#56b6c2">=</span><span style="color:#d19a66">1</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e5c07b">len</span>(<span style="color:#e06c75">insns</span>) <span style="color:#56b6c2">==</span> <span style="color:#d19a66">0</span>: </span></span><span style="display:flex;"><span> <span style="color:#c678dd">raise</span> <span style="color:#e06c75">Exception</span>(<span style="color:#98c379">f</span><span style="color:#98c379">&#34;cant disasm insn at </span><span style="color:#98c379">{</span><span style="color:#e06c75">address</span><span style="color:#98c379">}</span><span style="color:#98c379">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">insn</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">insns</span>[<span style="color:#d19a66">0</span>] </span></span><span style="display:flex;"><span> <span style="color:#e06c75">address</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">address</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">size</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">size</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mnemonic</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">mnemonic</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">op_str</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">op_str</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#98c379">&#34;</span><span style="color:#98c379">%.8x</span><span style="color:#98c379">:</span><span style="color:#98c379">\t</span><span style="color:#98c379">%s</span><span style="color:#98c379">\t</span><span style="color:#98c379">%s</span><span style="color:#98c379">&#34;</span> <span style="color:#56b6c2">%</span> (<span style="color:#e06c75">address</span>, <span style="color:#e06c75">mnemonic</span>, <span style="color:#e06c75">op_str</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e06c75">address</span> <span style="color:#56b6c2">==</span> <span style="color:#d19a66">0x7c6a</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">ax</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">reg_read</span>(<span style="color:#e06c75">UC_X86_REG_AX</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">bx</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">reg_read</span>(<span style="color:#e06c75">UC_X86_REG_BX</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">dx</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">reg_read</span>(<span style="color:#e06c75">UC_X86_REG_DX</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">di</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">reg_read</span>(<span style="color:#e06c75">UC_X86_REG_DI</span>) </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#98c379">&#34;ax: </span><span style="color:#98c379">%.4x</span><span style="color:#98c379">\t</span><span style="color:#98c379">bx: </span><span style="color:#98c379">%.4x</span><span style="color:#98c379">\t</span><span style="color:#98c379">dx: </span><span style="color:#98c379">%.4x</span><span style="color:#98c379">\t</span><span style="color:#98c379">di: </span><span style="color:#98c379">%.4x</span><span style="color:#98c379">&#34;</span> <span style="color:#56b6c2">%</span> (<span style="color:#e06c75">ax</span>, <span style="color:#e06c75">bx</span>, <span style="color:#e06c75">dx</span>, <span style="color:#e06c75">di</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">def</span> <span style="color:#61afef;font-weight:bold">hook_intr</span>(<span style="color:#e06c75">mu</span>, <span style="color:#e06c75">intno</span>, <span style="color:#e06c75">user_data</span>): </span></span><span style="display:flex;"><span> <span style="color:#c678dd">nonlocal</span> <span style="color:#e06c75">mu_stdin</span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">nonlocal</span> <span style="color:#e06c75">mu_stdout</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">ah</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">reg_read</span>(<span style="color:#e06c75">UC_X86_REG_AH</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">al</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">reg_read</span>(<span style="color:#e06c75">UC_X86_REG_AL</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">di</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">reg_read</span>(<span style="color:#e06c75">UC_X86_REG_DI</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e06c75">intno</span> <span style="color:#56b6c2">==</span> <span style="color:#d19a66">0x10</span>: </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e06c75">ah</span> <span style="color:#56b6c2">==</span> <span style="color:#d19a66">0x0E</span>: <span style="color:#7f848e"># print char</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu_stdout</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">append</span>(<span style="color:#e06c75">al</span>) </span></span><span style="display:flex;"><span> <span style="color:#c678dd">elif</span> <span style="color:#e06c75">intno</span> <span style="color:#56b6c2">==</span> <span style="color:#d19a66">0x16</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">reg_write</span>(<span style="color:#e06c75">UC_X86_REG_AL</span>, <span style="color:#e06c75">mu_stdin</span>[<span style="color:#e06c75">di</span> <span style="color:#56b6c2">-</span> <span style="color:#d19a66">0x7D80</span>]) </span></span><span style="display:flex;"><span> <span style="color:#c678dd">else</span>: </span></span><span style="display:flex;"><span> <span style="color:#c678dd">raise</span> <span style="color:#e06c75">Exception</span>(<span style="color:#98c379">&#34;unk intr no: </span><span style="color:#98c379">%x</span><span style="color:#98c379">h&#34;</span> <span style="color:#56b6c2">%</span> <span style="color:#e06c75">intno</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">try</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">hook_add</span>(<span style="color:#e06c75">UC_HOOK_CODE</span>, <span style="color:#e06c75">hook_code</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">hook_add</span>(<span style="color:#e06c75">UC_HOOK_INTR</span>, <span style="color:#e06c75">hook_intr</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">emu_start</span>(<span style="color:#e06c75">begin</span><span style="color:#56b6c2">=</span><span style="color:#e06c75">entry_point</span>, <span style="color:#e06c75">until</span><span style="color:#56b6c2">=</span><span style="color:#d19a66">0</span>) </span></span><span style="display:flex;"><span> <span style="color:#c678dd">except</span> <span style="color:#e06c75">Exception</span> <span style="color:#c678dd">as</span> <span style="color:#e06c75">e</span>: </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#e06c75">e</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mu</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">emu_stop</span>() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">return</span> <span style="color:#e5c07b">bytes</span>(<span style="color:#e06c75">mu_stdout</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">out</span><span style="color:#56b6c2">=</span><span style="color:#e06c75">emu</span>(<span style="color:#98c379">b</span><span style="color:#98c379">&#34;0123456789ABCDEF&#34;</span>) </span></span><span style="display:flex;"><span><span style="color:#e5c07b">print</span>(<span style="color:#e5c07b">bytes</span>(<span style="color:#e06c75">out</span>)<span style="color:#56b6c2">.</span><span style="color:#e06c75">decode</span>()) </span></span></code></pre></div><p>上述模板将打印程序执行流,部分执行流如下</p>