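def main():
    """Emulate the firmware routine at 0x0369E0 and dump the buffer it fills.

    Creates a Thumb-mode ARM emulator, loads two code ranges via ``load_mem``,
    maps SRAM, installs the hooks and stack (``setup_hooks``/``setup_stack``),
    runs from 0x0369E0 until 0x369FE, and finally writes the 0x7BC bytes at
    0x200000D8 to ``data_0x200000D8_7bc.bin`` in the current directory
    (overwriting any existing file).  ``Uc``, ``PAGE_MASK``, ``PAGE_SIZE``
    and the helper functions come from the module scope.
    """
    mu = Uc(UC_ARCH_ARM, UC_MODE_THUMB)
    # Scratch attribute that hook_instr overwrites with a text trace of the
    # most recently executed instruction; it must exist before hooks fire.
    mu.last_instr = ""
    setup_hooks(mu)

    # Code ranges populated by load_mem (defined elsewhere in this file;
    # presumably copied from the firmware image -- confirm there).
    load_mem(mu, 0x9FD6, 0x9FF8 - 0x9FD6)
    load_mem(mu, 0x35000, 0x4000)

    # Map SRAM page-aligned so the routine has a writable working area; the
    # extra PAGE_SIZE rounds the region up rather than truncating it.
    sram_addr = 0x20000000 & PAGE_MASK
    sram_size = (0x40000 & PAGE_MASK) + PAGE_SIZE
    mu.mem_map(sram_addr, sram_size)
    setup_stack(mu)

    print("[Starting Emulation]")
    # Bit 0 set on the start address selects Thumb state.
    # NOTE(review): no timeout/count is passed, so a routine that never
    # reaches 0x369FE would hang the script; emu_start accepts a timeout.
    mu.emu_start(0x0369E0 | 1, 0x369FE)

    # The context manager closes the handle; the explicit close() the
    # original placed inside the block was redundant and has been dropped.
    with open("data_0x200000D8_7bc.bin", "wb") as fh:
        fh.write(mu.mem_read(0x200000D8, 0x7BC))
    print("[Done]")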
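def hook_instr(mu: Uc, address, size, user_data):
    """Unicorn code hook: record a trace of the executing instruction.

    Builds a text block with the instruction address/size, R0-R4 and PC,
    and the Capstone disassembly of the instruction bytes.  The block is
    always stored in ``mu.last_instr`` (replacing the previous one) and is
    additionally printed while execution is inside 0x0369E0-0x36A00, the
    routine under study.  ``cs`` (a Capstone instance) and the
    ``UC_ARM_REG_*`` constants come from the module scope.

    Args:
        mu: the emulator; ``mu.last_instr`` is created by main().
        address: address of the instruction about to execute.
        size: its encoded size in bytes.
        user_data: unused; supplied by unicorn's hook interface.
    """
    # Registers and memory are read once and shared by the printed and the
    # stored copy; the original read them twice and formatted the printed
    # header with "0x%X" but the stored one with "08X", which is unified here.
    # The original's no-op range check for 0x3642A-0x3658A (a disabled
    # input() breakpoint) was removed.
    trace = _format_trace(mu, address, size)
    if 0x0369E0 <= address <= 0x36A00:
        # The block already ends with "\n", so print() adds the blank
        # separator line the original emitted with a bare print().
        print(trace)
    mu.last_instr = trace


def _format_trace(mu, address, size) -> str:
    """Return the trace text for the instruction at *address*.

    Layout: a header line, a register line (R0-R4, PC), then one line per
    instruction Capstone decodes from the ``size`` bytes at ``address``;
    every line is terminated by a newline.
    """
    r0, r1, r2, r3, r4, pc = (
        mu.reg_read(reg)
        for reg in (
            UC_ARM_REG_R0,
            UC_ARM_REG_R1,
            UC_ARM_REG_R2,
            UC_ARM_REG_R3,
            UC_ARM_REG_R4,
            UC_ARM_REG_PC,
        )
    )
    lines = [
        f">>> Tracing instruction at 0x{address:08X}, instruction size = 0x{size:X}",
        f"R0: {r0:08X} R1: {r1:08X} R2: {r2:08X} "
        f"R3: {r3:08X} R4: {r4:08X} PC: {pc:08X}",
    ]
    code = mu.mem_read(address, size)
    lines.extend(
        f" 0x{insn.address:08X}:\t{insn.mnemonic}\t{insn.op_str}"
        for insn in cs.disasm(code, address)
    )
    return "".join(line + "\n" for line in lines)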