def regression_tests():
'''The code is quite dense & hacky ; it also relies on a lot of different formulaes / z3 expression
to generate the correct serial, so here we are just making sure we have the values we expect :).
Trust me: this little function saved me hours of debugging when I was modifying critical part of the code'''
assert (generate_magic_from_son_pc_using_z3(0x4022bc, 0) == 0xcd0e99ae)
assert (generate_magic_from_son_pc_using_z3(0x4022bc, 0x94) == 0x2d4f035c)
assert (generate_magic_from_son_pc_using_z3(0x4022bc, 0xcd) == 0x51c72d51)
assert (generate_magic_from_son_pc_using_z3(0x4022bc, 0x17a) == 0x7ae7ae50)
assert (generate_magic_from_son_pc_using_z3(0x4022bc, 0x1a4) == 0x36e2899e)
assert (generate_new_pc_from_pc_son_using_z3(0x40228c, 0) == 0x402290)
assert (generate_new_pc_from_pc_son_using_z3(0x40228c, 0x65) == 0x402fe8)
assert (generate_new_pc_from_pc_son_using_z3(0x40228c, 0xca) == 0x402548)
x = mini_mips_symexec_engine.MiniMipsSymExecEngine('regression_tests.log')
x.stack_offsets['var_30'] = 24
x.gpr['fp'] = 0x7fff6cb0
start_addr = x.gpr['fp'] + x.stack_offsets['var_30'] + 8
x.code = code.block_code_of_son_reordered_loop_unrolled
x.mem[start_addr + 0] = 0x11111111
x.mem[start_addr + 4] = 0x11111111
x.mem[start_addr + 8] = 0x11111111
x.mem[start_addr + 12] = 0x11111111
x.mem[start_addr + 16] = 0x11111111
x.mem[start_addr + 20] = 0x11111111
x.run()
assert (x.mem[start_addr + 0] == 0xf0eac3cb)
assert (x.mem[start_addr + 4] == 0xaf7e9746)
assert (x.mem[start_addr + 8] == 0x3d5562b4)
def get_serial():
print '> Instantiating the symbolic execution engine..'
x = mini_mips_symexec_engine.MiniMipsSymExecEngine('decrypt_serial.log')
x.enable_z3 = True
print '> Generating dynamically the code of the son & reorganizing/cleaning it..'
# If you don't want to generate it dynamically like a sir, I've copied a version inside
# code.block_code_of_son_reordered_loop_unrolled :-)
x.code = generate_son_code_reordered()
print '> Configuring the virtual environement..'
x.gpr['fp'] = 0x7fff6cb0
x.stack_offsets['var_30'] = 24
start_addr = x.gpr['fp'] + x.stack_offsets['var_30'] + 8
# (gdb) x/6dwx $s8+24+8
# 0x7fff6cd0: 0x11111111 0x11111111 0x11111111 0x11111111 0x11111111 0x11111111
a, b, c, d, e, f = BitVecs('a b c d e f', 32)
x.mem[start_addr + 0] = a
x.mem[start_addr + 4] = b
x.mem[start_addr + 8] = c
x.mem[start_addr + 12] = d
x.mem[start_addr + 16] = e
x.mem[start_addr + 20] = f
print '> Running the code..'
x.run()
for i in range(6):
with open(os.path.join('formulas', 'input_dword_%d.smt2' % i),
'w') as f_:
f_.write(
to_SMT2(x.mem[start_addr + i * 4], name='input_dword_%d' % i))
print '> Instantiating & configuring the solver..'
s = Solver()
s.add(
x.mem[start_addr + 0] == 0x7953205b,
x.mem[start_addr + 4] == 0x6b63616e,
x.mem[start_addr + 8] == 0x20766974,
x.mem[start_addr + 12] == 0x534e202b,
x.mem[start_addr + 16] == 0x203d2043,
x.mem[start_addr + 20] == 0x5d20333c,
)
print '> Solving..'
if s.check() == sat:
print '> Constraints solvable, here are the 6 DWORDs:'
m = s.model()
for i in (a, b, c, d, e, f):
print ' %r = 0x%.8X' % (i, m[i].as_long())
print '> Serial:', ''.join(('%.8x' % m[i].as_long())[::-1]
for i in (a, b, c, d, e, f)).upper()
else:
print '! Constraints unsolvable'
def extract_equation_of_function_that_generates_new_son_pc():
'''Extract the formula of the function generating the new son's $pc'''
x = mini_mips_symexec_engine.MiniMipsSymExecEngine(
'function_that_generates_new_son_pc.log')
x.debug = False
x.enable_z3 = True
tmp_pc = BitVec('magic', 32)
n_loop = BitVec('n_loop', 32)
x.stack['tmp_pc'] = tmp_pc
x.stack['var_2F0'] = n_loop
emu_generate_new_pc_for_son(x, print_final_state=False)
compute_pc_equation = simplify(x.gpr['v0'])
with open(os.path.join('formulas', 'generate_new_pc_son.smt2'), 'w') as f:
f.write(to_SMT2(compute_pc_equation, name='generate_new_pc_son'))
return tmp_pc, n_loop, compute_pc_equation
def extract_equation_of_function_that_generates_magic_value():
'''Here we do some magic to transform our mini MIPS emulator
into a symbolic execution engine ; the purpose is to extract
the formula of the function generating the 32-bits magic value'''
x = mini_mips_symexec_engine.MiniMipsSymExecEngine(
'function_that_generates_magic_value.log')
x.debug = False
x.enable_z3 = True
pc_son = BitVec('pc_son', 32)
n_break = BitVec('n_break', 32)
x.stack['pc_son'] = pc_son
x.stack['var_300'] = n_break
emu_generate_magic_from_son_pc(x, print_final_state=False)
compute_magic_equation = x.gpr['v0']
with open(
os.path.join('formulas', 'generate_magic_value_from_pc_son.smt2'),
'w') as f:
f.write(
to_SMT2(compute_magic_equation, name='generate_magic_from_pc_son'))
return pc_son, n_break, simplify(compute_magic_equation)