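def strcmp():
    """Breakpoint handler for the target's strcmp(): log both operands.

    R0 and R1 hold the two char* arguments; each register value is masked to
    32 bits and the C string behind it is read from the analysed process's
    memory (the strings are only logged, never interpreted).  The pair is
    printed when config.debug is set and always written to the log, after
    which the target is resumed.

    execution_state, memory, config and cleanup come from the enclosing module.
    """
    def register32(name):
        return int(execution_state.getRegisterService().getValue(name)) & 0xffffffff

    lhs_val = memory.retrieve_char_array(register32("R0"))
    rhs_val = memory.retrieve_char_array(register32("R1"))
    message = "strcmp(%s, %s)" % (lhs_val, rhs_val)
    if config.debug:
        print(message)
    config.log_print(message)
    # continue the execution of the target application
    execution_state.getExecutionService().resume()
    # the original ended with the bare name `cleanup`, which evaluates the
    # function object without calling it, so the teardown every other handler
    # in this file performs was silently skipped here
    cleanup()
    return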
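def retrieve_string_value(string_ptr):
    """Return the characters of the runtime string object at *string_ptr*.

    The object layout comes from config: the 32-bit word at
    ``string_ptr + config.offset_string_reference`` points at the character
    array, which is read back as a C string.  The original also read the word
    at ``config.offset_string_length`` but never used it, so that read is
    dropped; retrieve_char_array() is assumed to find the end of the string on
    its own -- confirm if strings here may contain embedded NULs.
    """
    reference_ptr = memory.readMemory32(string_ptr + config.offset_string_reference)
    return memory.retrieve_char_array(reference_ptr)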
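def parse_string_id_item(dex_file_off, string_ids_off, string_id):
    """Return the character data of entry *string_id* of a DEX string_ids table.

    Each string_id_item is 4 bytes and lives at
    ``dex_file_off + string_ids_off + string_id * 4``; the word at
    ``offset_string_data_off`` inside it is the offset of the string_data_item,
    which starts with a ULEB128 utf16_size followed by the character data.
    ``offset_string_data_off``, ``offset_utf16_size_off`` and
    ``utility.readuleb128`` come from the enclosing module.

    The original computed the data and discarded it; it is now returned so
    callers can use the result.
    """
    string_data_item_ptr = dex_file_off + string_ids_off + string_id * 0x4
    string_data_item_off = memory.readMemory32(string_data_item_ptr + offset_string_data_off)
    string_data_item = dex_file_off + string_data_item_off
    # readuleb128 is assumed to return (decoded value, encoded length) -- the
    # decoded utf16_size is not needed, only where the character data begins
    _utf16_size, offset_data_off = utility.readuleb128(string_data_item + offset_utf16_size_off)
    return memory.retrieve_char_array(string_data_item + offset_data_off)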
def RegisterNatives():
    """Breakpoint handler for JNI RegisterNatives(): log every registered method.

    R1 holds the jclass (read but not used), R2 the JNINativeMethod array and
    R3 its element count.  Each 12-byte element is three 32-bit words -- name
    pointer, signature pointer, function pointer -- and one log line is written
    per element before the target is resumed.
    """
    def register32(name):
        return int(execution_state.getRegisterService().getValue(name)) & 0xffffffff

    class_ptr = register32("R1")
    methods_ptr = register32("R2")
    method_count = register32("R3")
    entry_size = 0xc
    for idx in range(method_count):
        entry_base = methods_ptr + idx * entry_size
        name_val = memory.retrieve_char_array(memory.readMemory32(entry_base + 0x0))
        subsignature_val = memory.retrieve_char_array(memory.readMemory32(entry_base + 0x4))
        function_ptr = memory.readMemory32(entry_base + 0x8)
        config.log_print("[RegisterNatives] signature = %s%s, method_ptr = %0#10x"
                         % (name_val, subsignature_val, function_ptr))
    # continue the execution of the target application
    execution_state.getExecutionService().resume()
    cleanup()
    return
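def open():
    """Breakpoint handler for libc open(): log the path being opened.

    Named after the hooked function, so it shadows the builtin open() in this
    module; nothing here needs the builtin.  R0 holds the char* path.  The
    original dereferenced it unconditionally; a NULL pointer is now reported
    as "unknown", matching the fopen() handlers in this file.
    """
    # -- HEAD -- #
    start_prolog()
    # -- BODY -- #
    path_ptr = int(execution_state.getRegisterService().getValue("R0")) & 0xffffffff
    path_val = "unknown"
    if path_ptr != 0x0:
        path_val = memory.retrieve_char_array(path_ptr)
    message = "[open] path = %s" % path_val
    if config.debug:
        print(message)
    config.log_print(message)
    # -- TAIL -- #
    end_prolog()
    # continue the execution of the target application
    execution_state.getExecutionService().resume()
    cleanup()
    return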
def FindClass():
    """Breakpoint handler for FindClass(): force-load classes of the target package.

    The LoadMethod breakpoint is re-enabled first so later class loads are
    observed.  R2 holds the char* class descriptor; when it contains the
    configured package name (dots rewritten as slashes) force_loading() is
    invoked and the prolog closed with end_prolog_done(), otherwise with
    end_prolog().  The target is resumed either way.  Note the descriptor is
    printed unconditionally, not behind config.debug like the other handlers.
    """
    # -- HEAD -- #
    start_prolog()
    # ensure that the LoadMethod breakpoint is enabled
    breakpoints = execution_state.getBreakpointService()
    for idx in range(breakpoints.getBreakpointCount()):
        candidate = breakpoints.getBreakpoint(idx)
        if (int(candidate.getAddresses()[0]) & 0xffffffff) == config.brk_LoadMethod:
            candidate.enable()
    # -- BODY -- #
    descriptor_ptr = int(execution_state.getRegisterService().getValue("R2")) & 0xffffffff
    descriptor = memory.retrieve_char_array(descriptor_ptr)
    print("[FindClass] descriptor = %s" % descriptor)
    # -- TAIL -- #
    if config.package_name.replace(".", "/") in descriptor:
        force_loading(descriptor)
        end_prolog_done()
    else:
        end_prolog()
    # continue the execution of the target application
    execution_state.getExecutionService().resume()
    cleanup()
    return
def FindClass():
    """Breakpoint handler for FindClass(): force-load and record target classes.

    R1 holds the "soa" argument (presumably ART's scoped object access; the
    original notes its first word is ``Thread* const self_``) and R2 the char*
    class descriptor.  When the descriptor contains the configured package
    name (dots as slashes) force_loading() yields the mirror class names and
    pointers, which are stored with the thread pointer through
    config.save_class_info(), and the prolog is closed with end_prolog_done();
    otherwise end_prolog() is used.  The target is resumed either way.  The
    descriptor is printed unconditionally, not behind config.debug.
    """
    def register32(name):
        return int(execution_state.getRegisterService().getValue(name)) & 0xffffffff

    # -- HEAD -- #
    start_prolog()
    # -- BODY -- #
    soa_ptr = register32("R1")
    # retrieve the "self_" field (i.e., Thread* const self_)
    thread_ptr = memory.readMemory32(soa_ptr)
    descriptor = memory.retrieve_char_array(register32("R2"))
    print("[FindClass] descriptor = %s" % descriptor)
    # -- TAIL -- #
    if config.package_name.replace(".", "/") in descriptor:
        class_names, class_ptrs = force_loading(descriptor)
        config.save_class_info(thread_ptr, class_names, class_ptrs)
        end_prolog_done()
    else:
        end_prolog()
    # continue the execution of the target application
    execution_state.getExecutionService().resume()
    cleanup()
    return
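def init_art():
    """Breakpoint handler at do_dlopen(): record the target's first Oat mapping.

    Reads the process id from CONTEXTIDR_EL1.PROCID and the do_dlopen
    arguments (R0 name, R1 flags, R2 extinfo).  The name must pass
    config.package_filter() -- the first library seen here is expected to be
    the target, so anything else is an internal error.  The target is then run
    to find_library() to pick up the soinfo pointer from R0; its base and size
    words are read (running on to call_constructors() and re-reading when
    either is still zero), the mapped range is saved through
    config.save_range_info(), setup(pid) is called and the target resumed.

    Raises AssertionError when the name fails the package filter (the original
    used ``assert False``, which python -O strips) and RuntimeError when the
    target does not stop at a linker address within 120 s.
    find_library_offset, call_constructors_offset, setup and DebugException
    come from the enclosing module.
    """
    wait_ms = 120000  # wait for 120s

    def register32(name):
        return int(execution_state.getRegisterService().getValue(name)) & 0xffffffff

    def linker_address(file_offset):
        # presumably maps a file offset inside the linker to its runtime address
        return (config.linker_base + file_offset - config.linker_file_offset
                + config.linker_memory_offset)

    def run_to(address, label):
        # resume the target up to *address*; a timeout is unrecoverable here
        execution_state.getExecutionService().resumeTo(address)
        try:
            execution_state.getExecutionService().waitForStop(wait_ms)
        except DebugException:
            raise RuntimeError("[entrypoint] [do_dlopen] target did not stop at %s (%0#10x) "
                               "within %d ms" % (label, address, wait_ms))

    def soinfo_range(si_ptr):
        # (base, size) words of the soinfo structure at *si_ptr*
        base_val = memory.readMemory32(si_ptr + config.offset_soinfo_base)
        size_val = memory.readMemory32(si_ptr + config.offset_soinfo_size)
        return base_val, size_val

    # get the PID
    pid_val = int(execution_state.getVariableService().readValue(
        "$AARCH64::$System::$Memory::$CONTEXTIDR_EL1.PROCID")) & 0xffffffff
    # -1- # read the "name", "flags" and "extinfo" parameters
    name_val = memory.retrieve_char_array(register32("R0"))
    flags_val = register32("R1")
    extinfo_ptr = register32("R2")
    if config.debug:
        print("[entrypoint] [do_dlopen] pid = %#x" % pid_val)
        print("[entrypoint] [do_dlopen] name = %s" % name_val)
        print("[entrypoint] [do_dlopen] flags_val = %#x" % flags_val)
        print("[entrypoint] [do_dlopen] extinfo_ptr = %0#10x" % extinfo_ptr)
    # the first loaded Oat file must be our target
    if not config.package_filter(name_val):
        # should not be reached
        raise AssertionError("[entrypoint] [do_dlopen] unexpected library %r" % name_val)
    config.log_print("[entrypoint] [do_dlopen] pid = %#x" % pid_val)
    # -2- # goto the invocation of the find_library method
    run_to(linker_address(find_library_offset), "find_library")
    # retrieve soinfo pointer
    si_ptr = register32("R0")
    if config.debug:
        print("[entrypoint] [do_dlopen] si = %0#10x" % si_ptr)
    base_val, size_val = soinfo_range(si_ptr)
    if base_val == 0x0 or size_val == 0x0:
        # -3- # soinfo not populated yet: goto call_constructors and re-read it
        run_to(linker_address(call_constructors_offset), "call_constructors")
        base_val, size_val = soinfo_range(si_ptr)
    if config.debug:
        print("[entrypoint] [do_dlopen] si->base = %0#10x" % base_val)
        print("[entrypoint] [do_dlopen] si->size = %#x" % size_val)
    config.log_print("[entrypoint] [do_dlopen] name = %s, si->base = %0#10x, si->size = %#x"
                     % (name_val, base_val, size_val))
    if base_val != 0x0:
        # the saved range end is inclusive
        config.save_range_info(base_val, base_val + size_val - 0x1)
    # initialization
    setup(pid_val)
    # continue the execution of the target application
    execution_state.getExecutionService().resume()
    cleanup()
    return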
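def fopen():
    """Breakpoint handler for libc fopen(): detect the app scanning its own maps.

    R0 holds the char* path.  When the app opens /proc/<pid>/maps or
    /proc/self/maps the target is run on to fgets() and then strstr(); if the
    strstr() needle (R1) is "@com.android.reverse-" the next strstr() call is
    inspected too, and a needle of "*****@*****.**" is logged as ADI-1.  Other
    paths are ignored.  Each wait is bounded to 5 s; on a timeout (or a
    non-matching first needle) the prolog is closed and the target resumed
    without a finding.  All strings are read from the analysed process's
    memory and are only compared and logged.

    fgets_start, strstr_start, start_prolog/end_prolog, cleanup and
    DebugException come from the enclosing module.
    """
    def register32(name):
        return int(execution_state.getRegisterService().getValue(name)) & 0xffffffff

    def c_string_in(register, default):
        # the char* held in *register*, or *default* when it is NULL
        pointer = register32(register)
        if pointer == 0x0:
            return default
        return memory.retrieve_char_array(pointer)

    def libc_address(file_offset):
        # presumably maps a file offset inside libc to its runtime address
        return (config.libc_base + file_offset - config.libc_file_offset
                + config.libc_memory_offset)

    def run_to(address):
        # True once the target stops at *address*, False when the 5 s wait times out
        execution_state.getExecutionService().resumeTo(address)
        try:
            execution_state.getExecutionService().waitForStop(5000)  # wait for 5s
        except DebugException:
            return False
        return True

    def abandon():
        # NOTE(review): this path calls cleanup() before resume(), the reverse
        # of the normal tail below -- kept exactly as the original had it;
        # confirm which order is intended
        # -- TAIL -- #
        end_prolog()
        # continue the execution of the target application
        cleanup()
        execution_state.getExecutionService().resume()

    # -- HEAD -- #
    start_prolog()
    # -- BODY -- #
    pid = int(execution_state.getVariableService().readValue(
        "$AARCH64::$System::$Memory::$CONTEXTIDR_EL1.PROCID")) & 0xffffffff
    # -1- # read the "name" parameter
    path_val = c_string_in("R0", "unknown")
    if path_val in ("/proc/%d/maps" % pid, "/proc/self/maps"):
        # goto the fgets method, then the strstr method
        if not run_to(libc_address(fgets_start)) or not run_to(libc_address(strstr_start)):
            abandon()
            return
        first_string_val = c_string_in("R0", "??")
        second_string_val = c_string_in("R1", "??")
        if second_string_val != "@com.android.reverse-":
            abandon()
            return
        # goto the next strstr method
        if not run_to(libc_address(strstr_start)):
            abandon()
            return
        first_string_val = c_string_in("R0", "??")
        second_string_val = c_string_in("R1", "??")
        if second_string_val == "*****@*****.**":
            config.log_print("[polyu] ADI-1 found !!!")
    # -- TAIL -- #
    end_prolog()
    # continue the execution of the target application
    execution_state.getExecutionService().resume()
    cleanup()
    return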
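def system_property_get():
    """Breakpoint handler for __system_property_get(): spot emulator probes.

    R0 holds the char* property name.  Names that identify the QEMU/goldfish
    emulator outright (init.svc.qemud, ro.kernel.qemu, ...) are logged as
    AEU-2.  For a few device-identity properties the target is run to the end
    of __system_property_get() and then to strncmp(), whose two string
    operands are compared against a marker: "unknown" for
    ro.bootloader/ro.bootmode (AEU-3-a), "goldfish" for ro.hardware (AEU-3-b),
    "generic" for ro.product.device (AEU-3-c) and "sdk" for
    ro.product.model/ro.product.name (AEU-3-d).  The original also read the
    process id but never used it; that read is dropped.

    Raises RuntimeError when the target does not reach the end of
    __system_property_get() within 5 s; a timeout waiting for strncmp()
    instead closes the prolog and resumes the target without a finding.
    strncmp_start, start_prolog/end_prolog, cleanup and DebugException come
    from the enclosing module.
    """
    def register32(name):
        return int(execution_state.getRegisterService().getValue(name)) & 0xffffffff

    def c_string_in(register, default):
        # the char* held in *register*, or *default* when it is NULL
        pointer = register32(register)
        if pointer == 0x0:
            return default
        return memory.retrieve_char_array(pointer)

    def libc_address(file_offset):
        # presumably maps a file offset inside libc to its runtime address
        return (config.libc_base + file_offset - config.libc_file_offset
                + config.libc_memory_offset)

    def run_to(address):
        # True once the target stops at *address*, False when the 5 s wait times out
        execution_state.getExecutionService().resumeTo(address)
        try:
            execution_state.getExecutionService().waitForStop(5000)  # wait for 5s
        except DebugException:
            return False
        return True

    def abandon():
        # NOTE(review): this path calls cleanup() before resume(), the reverse
        # of the normal tail below -- kept exactly as the original had it;
        # confirm which order is intended
        # -- TAIL -- #
        end_prolog()
        # continue the execution of the target application
        cleanup()
        execution_state.getExecutionService().resume()

    emulator_properties = (
        "init.svc.qemud", "init.svc.qemu-props", "qemu.hw.mainkeys",
        "qemu.sf.fake_camera", "qemu.sf.lcd_density", "ro.kernel.qemu",
        "ro.kernel.android.qemud", "ro.kernel.qemu.gles",
    )
    # (property names, strncmp operand that betrays an emulator, finding tag)
    strncmp_probes = (
        (("ro.bootloader", "ro.bootmode"), "unknown", "AEU-3-a"),
        (("ro.hardware",), "goldfish", "AEU-3-b"),
        (("ro.product.device",), "generic", "AEU-3-c"),
        (("ro.product.model", "ro.product.name"), "sdk", "AEU-3-d"),
    )

    # -- HEAD -- #
    start_prolog()
    # -- BODY -- #
    # -1- # read the "name" parameter
    name_val = c_string_in("R0", "unknown")
    if name_val in emulator_properties:
        config.log_print("[polyu] AEU-2 found !!!")
    else:
        for property_names, marker, tag in strncmp_probes:
            if name_val not in property_names:
                continue
            # goto the end of system_property_get method
            if not run_to(libc_address(config.system_property_get_end)):
                raise RuntimeError("[system_property_get] target did not reach the end of "
                                   "__system_property_get for %s" % name_val)
            # goto the strncmp method
            if not run_to(libc_address(strncmp_start)):
                abandon()
                return
            first_string_val = c_string_in("R0", "??")
            second_string_val = c_string_in("R1", "??")
            if marker in (first_string_val, second_string_val):
                config.log_print("[polyu] %s found !!!" % tag)
            break
    # -- TAIL -- #
    end_prolog()
    # continue the execution of the target application
    execution_state.getExecutionService().resume()
    cleanup()
    return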
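def fopen():
    """Breakpoint handler for libc fopen(): spot the /proc/tty/drivers emulator probe.

    R0 holds the char* path.  When the app opens /proc/tty/drivers the target
    is run on to fscanf() and then strncmp(); if either strncmp() operand is
    "goldfish" the finding is logged as AEU-1.  Other paths are ignored.  Each
    wait is bounded to 5 s; on a timeout the prolog is closed and the target
    resumed without a finding.  All strings are read from the analysed
    process's memory and are only compared and logged.

    fscanf_start, strncmp_start, start_prolog/end_prolog, cleanup and
    DebugException come from the enclosing module.
    """
    def register32(name):
        return int(execution_state.getRegisterService().getValue(name)) & 0xffffffff

    def c_string_in(register, default):
        # the char* held in *register*, or *default* when it is NULL
        pointer = register32(register)
        if pointer == 0x0:
            return default
        return memory.retrieve_char_array(pointer)

    def libc_address(file_offset):
        # presumably maps a file offset inside libc to its runtime address
        return (config.libc_base + file_offset - config.libc_file_offset
                + config.libc_memory_offset)

    def run_to(address):
        # True once the target stops at *address*, False when the 5 s wait times out
        execution_state.getExecutionService().resumeTo(address)
        try:
            execution_state.getExecutionService().waitForStop(5000)  # wait for 5s
        except DebugException:
            return False
        return True

    def abandon():
        # NOTE(review): this path calls cleanup() before resume(), the reverse
        # of the normal tail below -- kept exactly as the original had it;
        # confirm which order is intended
        # -- TAIL -- #
        end_prolog()
        # continue the execution of the target application
        cleanup()
        execution_state.getExecutionService().resume()

    # -- HEAD -- #
    start_prolog()
    # -- BODY -- #
    # -1- # read the "name" parameter
    path_val = c_string_in("R0", "unknown")
    if path_val == "/proc/tty/drivers":
        # goto the fscanf method, then the strncmp method
        if not run_to(libc_address(fscanf_start)) or not run_to(libc_address(strncmp_start)):
            abandon()
            return
        first_string_val = c_string_in("R0", "??")
        second_string_val = c_string_in("R1", "??")
        if "goldfish" in (first_string_val, second_string_val):
            config.log_print("[polyu] AEU-1 found !!!")
    # -- TAIL -- #
    end_prolog()
    # continue the execution of the target application
    execution_state.getExecutionService().resume()
    cleanup()
    return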