def fetch(sock):
extra_lines = flush(sock)
sock.send("fetch\n")
crc = 0
lines = []
l = readline(sock)
if not l:
return None
if l != 'START\n':
W("Bad expected START line '%s'\n" % l.rstrip('\n'))
extra_lines.append(l)
return encode_extra(extra_lines)
crc = crc16(l, crc)
while True:
l = readline(sock)
crc = crc16(l, crc)
if l == 'END\n':
break
lines.append(l.rstrip('\n'))
lines += encode_extra(extra_lines)
for d in lines:
L("Received: %s" % d)
l = readline(sock)
recv_crc = None
try:
k, v = l.rstrip('\n').split('=')
if k == 'CRC':
recv_crc = int(v)
if recv_crc < 0 or recv_crc > 0xffff:
recv_crc = None
except ValueError:
pass
if recv_crc is None:
W("Bad expected CRC line '%s'\n" % l.rstrip('\n'))
return None
if recv_crc != crc:
W("Bad CRC: calculated 0x%x vs received 0x%x\n" % (crc, recv_crc))
return None
return lines
def fetch(sock):
print "fetch"
sock.send("fetch\n")
crc = 0
lines = []
l = readline(sock)
if l != 'START\n':
print >> sys.stderr, "Bad expected START line '%s'\n" % l.rstrip('\n')
return None
crc = crc16(l, crc)
while True:
l = readline(sock)
crc = crc16(l, crc)
if l == 'END\n':
break
lines.append(l.rstrip('\n'))
print lines
l = readline(sock)
recv_crc = None
try:
k, v = l.rstrip('\n').split('=')
print k, v
if k == 'CRC':
recv_crc = int(v)
if recv_crc < 0 or recv_crc > 0xffff:
recv_crc = None
except ValueError:
pass
if recv_crc is None:
print >> sys.stderr, "Bad expected CRC line '%s'\n" % l.rstrip('\n')
return None
if recv_crc != crc:
print >> sys.stderr, "Bad CRC: calculated 0x%x vs received 0x%x\n" % (
crc, recv_crc)
return None
return lines
def fetch(sock):
print "fetch"
sock.send("fetch\n")
crc = 0
lines = []
l = readline(sock)
if l != 'START\n':
print>>sys.stderr, "Bad expected START line '%s'\n" % l.rstrip('\n')
return None
crc = crc16(l, crc)
while True:
l = readline(sock)
crc = crc16(l, crc)
if l == 'END\n':
break
lines.append(l.rstrip('\n'))
print lines
l = readline(sock)
recv_crc = None
try:
k, v = l.rstrip('\n').split('=')
print k,v
if k == 'CRC':
recv_crc = int(v)
if recv_crc < 0 or recv_crc > 0xffff:
recv_crc = None
except ValueError:
pass
if recv_crc is None:
print>>sys.stderr, "Bad expected CRC line '%s'\n" % l.rstrip('\n')
return None
if recv_crc != crc:
print>>sys.stderr, "Bad CRC: calculated 0x%x vs received 0x%x\n" % (crc, recv_crc)
return None
return lines
def sys_get_crc16(cls, computer):
if X86_DEBUG:
eip = computer.reg_read(unicorn.x86_const.UC_X86_REG_EIP)
print('[{}]\t{:#08x}: SYS_GET_CRC16'.format(
computer.team_name, eip))
random_data = get_random_data(length=1)
computer.crc16_value = crc16(random_data)
if X86_DEBUG:
print('[{}]\tdata = {}, crc16 = {:#x}'.format(
computer.team_name, dump(random_data), computer.crc16_value))
computer.reg_write(unicorn.x86_const.UC_X86_REG_EDI,
computer.crc16_value)
# success
computer.reg_write(unicorn.x86_const.UC_X86_REG_EAX, 1)
return True
def sys_get_crc16(cls, computer):
if ARM_DEBUG:
pc = computer.reg_read(unicorn.arm_const.UC_ARM_REG_PC)
print('[{}]\t{:#08x}: SYS_GET_CRC16'.format(
computer.team_name, pc))
random_data = get_random_data(length=1)
computer.crc16_value = crc16(random_data)
if ARM_DEBUG:
print('[{}]\tdata = {}, crc16 = {:#x}'.format(
computer.team_name, dump(random_data), computer.crc16_value))
# write crc16 value to R8 registry
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R8,
computer.crc16_value)
# success
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R7, 1)
return True
def sys_send_crc16(cls, computer):
if ARM_DEBUG:
pc = computer.reg_read(unicorn.arm_const.UC_ARM_REG_PC)
print('[{}]\t{:#08x}: SYS_SEND_CRC16'.format(
computer.team_name, pc))
r8 = computer.reg_read(unicorn.arm_const.UC_ARM_REG_R8)
string = [(r8 & 0xff)]
if ARM_DEBUG:
print('[{}]\tstring = {}'.format(computer.team_name, dump(string)))
crc16_from_r8 = crc16(string)
if computer.crc16_value != None and computer.crc16_value == crc16_from_r8:
computer.score += ARM_MINING_SCORE
global scores
scores[computer.team_name] += ARM_MINING_SCORE
computer.crc16_value = None
# success
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R7,
ARM_MINING_SCORE)
computer.mining = True
computer.src = computer.graph.ids[computer.node]
return True
# failure
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R7, 0)
return False
def sys_send_crc16(cls, computer):
if X86_DEBUG:
eip = computer.reg_read(unicorn.x86_const.UC_X86_REG_EIP)
print('[{}]\t{:#08x}: SYS_SEND_CRC16'.format(
computer.team_name, eip))
edi = computer.reg_read(unicorn.x86_const.UC_X86_REG_EDI)
string = [(edi & 0xff)]
if X86_DEBUG:
print('[{}]\tstring = {}'.format(computer.team_name, dump(string)))
crc16_from_edi = crc16(string)
if computer.crc16_value != None and computer.crc16_value == crc16_from_edi:
computer.score += X86_MINING_SCORE
global scores
scores[computer.team_name] += X86_MINING_SCORE
computer.crc16_value = None
# success
computer.reg_write(unicorn.x86_const.UC_X86_REG_EAX,
X86_MINING_SCORE)
computer.mining = True
computer.src = computer.graph.ids[computer.node]
return True
# failure
computer.reg_write(unicorn.x86_const.UC_X86_REG_EAX, 0)
return False
def sys_infect(cls, computer):
if ARM_DEBUG:
pc = computer.reg_read(unicorn.arm_const.UC_ARM_REG_PC)
print('[{}]\t{:#08x}: SYS_INFECT'.format(computer.team_name, pc))
# check if computer can infect
crc16_inv_r6 = computer.reg_read(unicorn.arm_const.UC_ARM_REG_R6)
string = [(crc16_inv_r6 & 0xff)]
crc16_r6 = crc16(string)
if not (crc16_r6 != None and crc16_r6 == computer.crc16_value):
computer.crc16_value = None
# failure
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R7, 0)
return False
# read computer id
id_reg = computer.reg_read(unicorn.arm_const.UC_ARM_REG_R0)
# verify that the id belongs to the neighbor
success = False
computer_node = computer.node
computer_id = computer.graph.ids[computer_node]
neighbors = computer.graph.neighbors[computer_id]
for node in neighbors:
neighbor_id = computer.graph.ids[node]
if neighbor_id == id_reg:
success = True
if not success:
# failure
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R7, 0)
return False
# get neighbor object by id
success = False
for node in computer.graph.ids:
if computer.graph.ids[node] == id_reg:
success = True
break
if not success:
# failure
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R7, 0)
return False
global computers
for new_computer in computers:
if new_computer.node == node:
break
# check if node is empty
free_node = True
if new_computer.team_name:
free_node = False
# check current replay
global replay_step
for comp in replay_step:
if (comp['target'] == new_computer.graph.ids[new_computer.node]
) or (comp['target'] == computer.graph.ids[computer.node]):
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R7, 0)
return False
# read pointer
code_address = computer.reg_read(unicorn.arm_const.UC_ARM_REG_R8)
# read size
code_size = computer.reg_read(unicorn.arm_const.UC_ARM_REG_R9)
if (code_size > 1024) or (code_address < 0) or (
code_address >= MEMORY_SIZE - code_size):
# write 0 in R7 and exit
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R7, 0)
return False
# get shellcode
shellcode = computer.mem_read(code_address, code_size)
# infect neighbor computer
if not free_node:
new_computer.mem_unmap(new_computer.base_address, MEMORY_SIZE)
new_computer.emu_stop()
new_computer.free()
new_computer.team_name = computer.team_name
new_computer.emulator_init(bytes(shellcode))
# success
computer.infect = True
computer.src = computer.graph.ids[computer.node]
computer.dst = new_computer.graph.ids[new_computer.node]
computer.reg_write(unicorn.arm_const.UC_ARM_REG_R7, 1)
return True
def sys_infect(cls, computer):
if X86_DEBUG:
eip = computer.reg_read(unicorn.x86_const.UC_X86_REG_EIP)
print('[{}]\t{:#08x}: SYS_INFECT'.format(computer.team_name, eip))
# check if computer can infect
crc16_inv_ebx = computer.reg_read(unicorn.x86_const.UC_X86_REG_EBX)
string = [(crc16_inv_ebx & 0xff)]
crc16_ebx = crc16(string)
if not (crc16_ebx != None and crc16_ebx == computer.crc16_value):
computer.crc16_value = None
# failure
computer.reg_write(unicorn.x86_const.UC_X86_REG_EAX, 0)
return False
# read computer id
id_edx = computer.reg_read(unicorn.x86_const.UC_X86_REG_EDX)
# verify that the id belongs to the neighbor
success = False
computer_node = computer.node
computer_id = computer.graph.ids[computer_node]
neighbors = computer.graph.neighbors[computer_id]
for node in neighbors:
neighbor_id = computer.graph.ids[node]
if neighbor_id == id_edx:
success = True
if not success:
# failure
computer.reg_write(unicorn.x86_const.UC_X86_REG_EAX, 0)
return False
# get neighbor object by id
success = False
for node in computer.graph.ids:
if computer.graph.ids[node] == id_edx:
success = True
break
if not success:
# failure
computer.reg_write(unicorn.x86_const.UC_X86_REG_EAX, 0)
return False
global computers
for new_computer in computers:
if new_computer.node == node:
break
# check if node is empty
free_node = True
if new_computer.team_name:
free_node = False
# check current replay
global replay_step
for comp in replay_step:
if (comp['target'] == new_computer.graph.ids[new_computer.node]
) or (comp['target'] == computer.graph.ids[computer.node]):
computer.reg_write(unicorn.x86_const.UC_X86_REG_EAX, 0)
return False
# read pointer
pointer_edi = computer.reg_read(unicorn.x86_const.UC_X86_REG_EDI)
# read size
size_ecx = computer.reg_read(unicorn.x86_const.UC_X86_REG_ECX)
if (size_ecx > 1024) or (pointer_edi < 0) or (pointer_edi >=
MEMORY_SIZE - size_ecx):
# write 0 in EAX and exit
computer.reg_write(unicorn.x86_const.UC_X86_REG_EAX, 0)
return False
# read shellcode
shellcode = computer.mem_read(pointer_edi, size_ecx)
# infect neighbor computer
if not free_node:
new_computer.mem_unmap(new_computer.base_address, MEMORY_SIZE)
new_computer.emu_stop()
new_computer.free()
new_computer.team_name = computer.team_name
new_computer.emulator_init(bytes(shellcode))
# success
computer.infect = True
computer.src = computer.graph.ids[computer.node]
computer.dst = new_computer.graph.ids[new_computer.node]
computer.reg_write(unicorn.x86_const.UC_X86_REG_EAX, 1)
return True