def test(ctx):
data = Attributize.FromYaml(open('./decode.data.out', 'r').read())
dx = data.tb[4].raw
print(Format(data.tb[4].ans).bitlist().bin2byte(lsb=True).v)
dx = dx[:100]
print(dx)
dx = Format(dx).bitlist().bucket(2).v
mx = [[[1, 0, 1, 1], [1, 1, 1, 1]]]
x = ConvEnc(mx)
print(x.get_response([[0], [0], [1], [0], [1], [0], [0]]))
iobs, obs = x.get_step_response(14)
obs[0][1] = 0.0
obs[0][0] = 0.0
obs[1][1] = 0.0
print(obs)
print(iobs)
dec = ConvViterbi(x)
for o in dx:
dec.setup_next(o)
tb = []
for i in range(len(dx)):
res = dec.backpropagate(i + 1)
tb.append(res.action[0])
print(Format(tb).bin2byte(lsb=0).v)
#x = ConvEnc.FromSteps(data.step_response, n=2, k=1, concat_n=True, param_space=[(3, 0)])
print(x)
def _get(self, off, size):
base = off // 8
off %= 8
nx = (off + size + 7) // 8
buf = bytearray(self.do_read(base, nx))
if off != 0:
buf = Format(buf).shiftr(off).v
buf = Format(buf).resize_bits(size).v
return buf
def unpack(self, typ, buf, le=True):
if typ is None: return buf
if isinstance(typ, str): typ = self.by_name[typ]
if le:
buf = Format(buf).pad(typ.size, 0).v
else:
buf = Format(buf).lpad(typ.size, 0).v
pattern = self.little_endian[le] + typ.pack
return struct.unpack(pattern, buf)[0]
def get_white_seq(self, n):
m = swig.opa_math_common_swig
c = swig.opa_crypto_swig
init_state = [0, 0, 0, 0, 0, 1, 1, 1, 1]
poly = Format(0x221).bitlist(10).v
init_state = m.Poly_u32(m.cvar.PR_GF2, m.v_u32(init_state))
poly = m.Poly_u32(m.cvar.PR_GF2, m.v_u32(poly))
lfsr = c.LFSR_u32(m.cvar.GF2, init_state, poly)
lst = [lfsr.get_next() for _ in range(8 * n)]
lst = Format(lst).bin2byte(lsb=1).v
return lst
def unpack_multiple(self, typ, buf, le=True):
if typ is None: return buf
if isinstance(typ, str): typ = self.by_name[typ]
if le:
buf = Format(buf).modpad(typ.size, 0).v
else:
buf = Format(buf).lmodpad(typ.size, 0).v
nentries = len(buf) // typ.size
pattern = f'{self.little_endian[le]}{nentries}{typ.pack}'
return struct.unpack(pattern, buf)
def recover_msg(self, msg):
buckets = Format(msg).bucket(self.n).v
res = []
for i in range(1, len(buckets)):
dec = cmisc.xorlist(buckets[i - 1], self.decode(buckets[i]))
res.append(dec)
return b''.join(res)
def encode_shellcode(x):
assert len(x) <= 0x2e
res= b'a'
for i in x:
res += bytes([res[-1] ^ i])
res= Format(res).pad(0x2e, 0).v
return res
def _set(self, val, off, size, lazy, le):
# TODO: le ignored here
base = off // 8
off %= 8
val = bytearray(val)
if len(val) == 0: return
if lazy == False or not self.lazy:
nx = (off + size + 7) // 8
if le: val = val[:nx]
else: val = val[len(val) - nx:]
val = Format(val).shiftl(off).v
mask0 = BitOps.mask(off)
maskn1 = BitOps.imask(
BitOps.mod1(off + size, 8),
modpw=8) # we dont want imask(0) (imask(8) needed)
b0 = self.buf.read(base)
mask_b0 = mask0
if nx == 1:
b0 |= maskn1
else:
if maskn1 != 0:
val[-1] |= self.buf.read(base + nx - 1) & maskn1
if mask_b0 != 0: val[0] |= b0 & mask_b0
self.buf.write(base, val)
else:
assert False
def __init__(self, data, tsf=None):
self._data = data
self.data = Format(data).bucket(160).v
self.n = len(data)
self.maxl = max([len(x) for x in self.data])
self.scoring = Scoring()
self.left_margin = 6
if tsf is None: tsf = cmisc.defaultdict(lambda: 0)
self.tsf = tsf
def compute_score(self, attr):
rmp = {v: k for k, v in attr.items()}
rem = [l for l in self.letters if l not in rmp]
score = 0
for n in self.ng_data.keys():
n1 = self.ng_data[n]
n2 = self.ng_baseline[n]
cv = n2['col_all'].values
nv = n2['ngram_col_all'].values
defaultv = n2['default_col_all'].values[0]
groups = cmisc.defaultdict(list)
for cx, nx in zip(cv, nv):
sx = ''
for l in nx:
if l in rmp:
sx += l
else:
sx += '_'
groups[sx].append(cx)
tmpsum = 0
for group, groupv in groups.items():
def filter_actual(e):
ngram, prob = e
for l1, l2 in zip(group, ngram):
if l1 != '_' and l1 != attr.get(l2, None): return 0
return 1
group_act = cmisc.asq_query(n1).where(filter_actual).select(
lambda x: x[1]).to_list()
nn = max(len(group_act), len(groupv))
groupv = Format(groupv).pad(nn, defaultv, force_size=0).v
group_act = Format(group_act).pad(
nn, (defaultv if not group_act else group_act[-1] / 2),
force_size=0).v
err = self.measure_err(groupv, group_act, n)
score += err
tmpsum += err
#if len(group) == 1: print(group, tmpsum, rmp.get(group, -1), err, groupv[:2], group_act[:2])
#print(n, tmpsum)
return score
def patch_one_ins(self, addr, content):
one_ins = self.elf_file.get_one_ins(addr)
if isinstance(content, str):
content = self.mc.get_disassembly(content, addr=addr)
assert len(content) <= len(
one_ins.bytes), 'Cannot replace %s with %s(%s)' % (
one_ins.bytes, one_ins.bytes, content)
self.patch(addr,
Format(content).pad(len(one_ins.bytes), self.mc.nop[0]).v)
def __init__(self):
super().__init__()
self.add_re(
'(?P<file>[^(]*)\([^)]*\) : (?P<addr>\S*) = (?P<opcode>0x\S+)\s+:\s+(?P<mnemonic>.*)\s*'
)
self.add_re(
'(?P<file>[^(]*)\([^)]*\) : (?P<addr>\S*) = Label\s+:\s+(?P<label>.*):\s*'
)
#example: pru_cc1110.p( 225) : 0x0000 = Label : main:
self.add_hook('opcode', lambda x: binascii.unhexlify(x))
self.add_hook('addr', lambda x: Format(x).toint().v)
def test_rshift(self):
random.seed(10)
for i in range(2, 20):
x = random.getrandbits(8 * i)
sx = bytearray(x.to_bytes(i, 'little'))
shiftv = random.randrange(0, 8)
ns = Format(sx).shiftr(shiftv).v
nx = x >> shiftv
rx = int.from_bytes(ns, 'little')
print(nx == rx, shiftv, hex(x), hex(nx), hex(rx))
self.assertEqual(nx, rx)
def read(self): res = self.file.read() x = Format(res) if self.mode=='json': x = x.from_json() elif self.mode=='yaml': x = x.from_yaml() elif self.mode=='conf': x = x.from_conf() elif self.mode=='attr_yaml': x = x.from_yaml().to_attr() return x.v
def add_sym(self, addr, size, name, section, symtab_section): name = Format(name).tobytes().v strtab_section = symtab_section.linked sym = construct_make_default(self.elf.structs.Elf_Sym) sym.st_name = self.add_section_name_pos(name, name_section=symtab_section.linked) sym.st_value = addr sym.st_size = size sym.st_info.bind = 'STB_GLOBAL' sym.st_info.type = 'STT_FUNC' sym.st_other.visibility = 'STV_DEFAULT' sym.st_shndx = section.id res = Attributize(raw=sym, section=section) symtab_section.new_syms.append(res) return res
def FreqWaterfall(data, window_size):
hann = signal.hanning(window_size)
fall_data = []
data = Format(data).modpad(window_size, 0).v
for i in range(0, len(data), window_size):
cur = data[i:i + window_size]
cur = np.multiply(cur, hann)
now = np.abs(fftpack.fft(cur))
now = 20 * np.log(now)
fall_data.append(now)
fall_data = np.array(fall_data)
return fall_data
def write(self, x):
x = Format(x)
if self.mode=='json': x = x.to_json()
elif self.mode=='csv': x = x.to_csv()
elif self.mode=='yaml': x = x.to_yaml()
elif self.mode=='attr_yaml': assert 0
if self.binary_mode:
x = x.tobytes()
self.file.write(x.v)
def format_xxd_line(self, data, off):
res = '{:08x}: '.format(off)
data = Format(data).modpad(self.word_size, 0).v
for v in struct_helper.get(data, size=self.word_size, nelem=-1, little_endian=self.le):
res += ('{:0%dx} ' % (self.word_size * 2)).format(v)
res += ' '
for i in data:
if self.is_print(i):
res += chr(i)
else:
res += '.'
return res
def __init__(self):
super().__init__()
re_list = []
addr = 'addr=\S*'
fileline = 'fileline=\d+'
self.add_re([
addr, 'opcode=\S+( \S+)*', 'cyclecount=\[\d+\]', fileline,
'mnemonic=.*'
])
self.add_re([addr, fileline, 'label=\S+:'])
self.add_hook('opcode',
lambda x: binascii.unhexlify(x.replace(' ', '')))
self.add_hook('addr', lambda x: Format(x).toint(base=16).v)
self.add_hook('label', lambda x: x[:-1])
def __init__(self):
super().__init__()
addr_fmt = '(?P<addr>[0-9a-f]+)'
opcode_fmt = '(?P<opcode>[0-9a-f]+)'
self.ctx.text = False
text_cond = lambda x: x.text
self.add_re('{addr_fmt}\s+{opcode_fmt}\s+(?P<mnemonic>.*)\s*'.format(
addr_fmt=addr_fmt, opcode_fmt=opcode_fmt),
cond=text_cond)
self.add_re('{addr_fmt}\s+(?P<label>.*):\s*'.format(addr_fmt=addr_fmt),
cond=text_cond)
#example: pru_cc1110.p( 225) : 0x0000 = Label : main:
self.add_ctx_action('TEXT Section', lambda x: x.update(text=True))
self.add_ctx_action('DATA Section', lambda x: x.update(text=False))
self.add_hook('opcode', lambda x: binascii.unhexlify(x))
self.add_hook('addr', lambda x: Format(x).toint(16).v)
def encode(self, m):
m = self.pad(m)
buckets = Format(m).bucket(self.n).v
res = bytearray([0] * (len(m) + self.n))
if self.decode_db:
cur = next(self.decode_db.keys())
else:
cur = b'a' * self.n
res[-self.n:] = cur
for i in reversed(range(len(buckets))):
dec = self.decode(cur)
cur = cmisc.xorlist(dec, buckets[i])
res[i * self.n:(i + 1) * self.n] = cur
return res
def build(self):
children = list(self.cursor.get_children())
if len(children) != 1:
return True
elem = children[0]
tokens = list(elem.get_tokens())
if len(tokens) == 0:
return True
token = tokens[0]
val = token.spelling
if elem.kind == CursorKind.STRING_LITERAL:
self.val = val[1:-1]
elif elem.kind == CursorKind.INTEGER_LITERAL:
self.val = Format.ToInt(val)
return True
def FreqWaterfall_DS(ds, window_size):
hann = signal.hanning(window_size)
fall_data = []
data = Format(ds.y).modpad(window_size, 0).v
axis_t = []
samp_rate = ds.samp_rate
axis_f = np.linspace(-0.5 * samp_rate, 0.5 * samp_rate, window_size)
print('gogo', ds.samp_rate)
for i in range(0, len(data), window_size):
axis_t.append(i / ds.samp_rate)
cur = data[i:i + window_size]
cur = np.multiply(cur, hann)
now = np.abs(fftpack.fft(cur))
now = 20 * np.log(now / window_size)
fall_data.append(now)
fall_data = np.array(fall_data)
fall_data = np.roll(fall_data, window_size // 2, axis=1)
return Dataset2D(fall_data, axis_t, axis_f)
def __init__(self, msg, params):
self.msg = msg
self.params = params
self.valid = False
if msg is None: return
for i in range(-1, 2):
consumer = BufferConsumer(Format(msg).tobytearray().shiftr(i).v)
self.content = Attributize()
self.content.preamble = consumer.get(params.npreamble.get())
self.content.sync = consumer.get(params.nsync.get())
print(self.content.sync)
if self.check_sync():
break
else:
return
self.content.white_data = None
if params.white_data.get():
self.content.whitened_data = consumer.rem()
consumer = BufferConsumer(self.unwhiten(
self.content.whitened_data))
self.content.raw_data = consumer.rem()
self.content.length = consumer.get(1)[0]
print('GOT LENGTH ', self.content.length)
try:
if not params.addr_check.is_no:
self.content.address = consumer.get(1)[0]
self.data_pos = consumer.pos
self.content.data = consumer.get(self.content.length)
self.content.crc = consumer.get(2)
self.valid = True
except:
self.content.data = consumer.data[self.data_pos:]
pass
def smart_set(self, cur):
if self.is_pointer:
if cur is None: self.set(0)
elif isinstance(cur, int):
self.set(cur)
else:
if not isinstance(cur, (list, bytes, bytearray, str)):
cur = list([cur])
array_len = len(cur)
pointee = self.get_pointee(array_len=array_len)
pointee.smart_set(cur)
elif isinstance(cur, (bytes, bytearray, str)):
self.set(Format.ToBytes(cur))
elif self.is_primitive:
return self.set(cur)
elif self.is_array:
for i, v in enumerate(cur):
self.child(i).smart_set(v)
elif isinstance(cur, dict):
for k, v in cur.items():
self[k].smart_set(v)
else:
assert 0
def disp_registers(self):
res = []
for cell in self.flip_flops:
res.append(cell.data)
print(Format(res).bit().v)
def build_design(ctx):
repr_to_label = get_circuit_netlist(ctx)
print('la')
logics = dict()
for k, v in ctx.cell_logic_desc.items():
logics[k] = Attributize(op=karnaugh_simplify(v), table=v)
cells_pins = defaultdict(list)
cell_type_to_pinname = defaultdict(set)
for pid, groups in repr_to_label.items():
for cell, pname, idx in groups:
cells_pins[cell].append((pid, pname, idx))
cells = {}
for cell_name, pins in cells_pins.items():
c = Cell(cell_name, pins, logics)
cells[c.cellid] = c
for _, pname, idx in pins: cell_type_to_pinname[c.name].add(pname)
for cell in cells.values():
typ = cell_type_to_pinname[cell.name]
assert typ == set(cell.pins_typ.keys())
pid_to_pins = defaultdict(list)
for cell in cells.values():
for pid, name in cell.pin_to_name.items():
pid_to_pins[pid].append((cell, name))
for k, v in pid_to_pins.items():
tmp = defaultdict(int)
for u in v: tmp[u[1]] += 1
assert (tmp['input'] == 0 and tmp['output'] == 0) or tmp['output'] == 1, v
g = nx.DiGraph()
for pid in repr_to_label.keys():
g.add_node(pid, cell=None)
for cell in cells.values():
cell.node = None
if len(cell.outputs) == 0: continue
if cell.name == 'mkShiftReg': continue
output0, = cell.outputs.values()
cell.node = output0
g.node[output0]['cell'] = cell
for a in cell.inputs.values():
g.add_edge(a, output0)
start_nodes = []
end_nodes = []
for n, deg in g.in_degree():
if deg==0:
data = pid_to_pins[n]
for cell, name in data:
if cell.pins_typ[name] == 'alim':
break
else:
start_nodes.append(n)
for n, deg in g.out_degree():
if deg==0:
data = pid_to_pins[n]
for cell, name in data:
if cell.pins_typ[name] == 'alim':
break
else:
end_nodes.append(n)
starts = {}
ends = {}
print(start_nodes, end_nodes)
for dest, src in ((starts, start_nodes), (ends, end_nodes)):
for v in src:
lst = []
for cell, name in pid_to_pins[v]:
if cell.name == ctx.cell: lst.append(name)
assert len(lst) == 1, 'Fuu for %s'%v
dest[lst[0]] = v
ev = CircuitEvaluate(g, starts, ends, cells)
cnt = 0
for ff in ev.flip_flops:
seen = set()
q = deque()
seen.add(ff.inputs['D'])
q.append(ff.inputs['D'])
print(len(seen))
adj_cells = []
while len(q)>0:
a = q.popleft()
for pred in g.predecessors(a):
cell = g.node[pred]['cell']
if not cell: continue
if cell.is_reg:
adj_cells.append(cell)
break
if pred in seen: continue
seen.add(pred)
q.append(pred)
print(ff.node, adj_cells)
assert len(adj_cells) <= 1
cnt += len(adj_cells)
print(cnt)
seen = set()
q = deque()
seen.add(ends['unlocked'])
q.append(ends['unlocked'])
print(len(seen))
adj_cells = []
others = []
while len(q)>0:
a = q.popleft()
for pred in g.predecessors(a):
cell = g.node[pred]['cell']
if not cell:
others.append(pred)
continue
if cell.is_reg:
adj_cells.append(cell)
continue
if pred in seen: continue
seen.add(pred)
q.append(pred)
print(adj_cells, others)
print(len(adj_cells), len(ev.flip_flops))
inputs = list([z3.BitVec('x_%d'%i, 1) for i in range(len(ev.flip_flops))])
vals = {}
for ix, ff in enumerate(ev.flip_flops):
vals[ff.node] = inputs[ix]
res = ev.compute2(ends['unlocked'], vals)
s = z3.Solver()
s.add(res == 1)
s.check()
ans = []
for ix in inputs:
ans.append(s.model()[ix].as_long())
ans = ans[::-1]
passwd = bytes(Format(ans).bin2byte(lsb=False).v)
print('GOT PASS >> ', passwd)
tmp =[]
ev.reset()
ev.disp_registers()
inputstr = Format(passwd).bitlist(bitorder_le=False).v
for bit in inputstr:
res = ev.clock(**{'in':bit})
data = ev.regs()
print(bit, res, Format(data).bit().v)
ev.compute()
print(ev.vals[ends['unlocked']])
def test2(ctx):
pattern_key = b'You did the easy part! Congratz - get a flag as rewa'
pattern_write = b'70b50c001500fff797ff002807d103f09bff0923036001246442200070bd03682100db682a009847041ef6da03f08cff6442'
pattern_write = codecs.decode(pattern_write, 'hex')
def replace_file(fin, fout, **kwargs):
content = open(fin).read()
res = cmisc.template_replace_safe(content, **kwargs)
with open(fout, 'w') as f:
f.write(res)
def fmt1(x):
cx = []
for a in x:
cx.append(f'.byte {a}')
return '\n'.join(cx)
OPTS = '-mthumb -mcpu=cortex-m0'
sp.check_output(f'arm-none-eabi-gcc {OPTS} -c s2.c -o s2.o', shell=1)
sp.check_output(f'arm-none-eabi-gcc {OPTS} -c findit.c -o findit.o',
shell=1)
def get_bin(f):
sp.check_output(
f'arm-none-eabi-objcopy -O binary -j .text {f} res.bin', shell=1)
return open('./res.bin', 'rb').read()
findit_content = get_bin('findit.o')
solve_content = get_bin('s2.o')
findit_offset = 0x200
assert len(solve_content) < findit_offset
solve_content = Format(solve_content).pad(findit_offset, 0).v
replace_file('./entry.asm',
'./entry.out.asm',
PATTERN_WRITE=fmt1(pattern_write),
N_WRITE=len(pattern_write),
PATTERN_KEY=fmt1(pattern_key),
N_KEY=len(pattern_key),
FINDIT_FUNC_OFFSET=findit_offset)
sp.check_output(f'arm-none-eabi-as {OPTS} -c entry.out.asm -o entry.out.o',
shell=1)
entry_content = get_bin('entry.out.o')
content = entry_content + solve_content + findit_content
KEYLEN = 8
key = bytearray([0] * KEYLEN)
for i in range(KEYLEN):
sx = set()
for p in range(i, len(content), KEYLEN):
sx.add(content[p])
bad = set([0, 0xa])
for cnd in range(256):
if cnd in bad: continue
for v in sx:
if (cnd ^ v) in bad: break
else:
key[i] = cnd
break
else:
assert 0
print('Selecting key ', key)
end_marker = b'\xaa' * 8
replace_file('./encoder.asm',
'./encoder.out.asm',
DATALEN=len(content),
KEYLEN=KEYLEN,
KEY=fmt1(key))
sp.check_output('arm-none-eabi-as -c encoder.out.asm -o encoder.o',
shell=1)
prefix = get_bin('encoder.o')
prefix = prefix[:prefix.find(end_marker)]
print(hex(len(entry_content)), hex(len(solve_content)),
hex(len(findit_content)), hex(len(prefix)))
def encrypt(a, key):
res = list()
for i, c in enumerate(a):
res.append(c ^ key[i % len(key)])
return bytes(res)
print(prefix)
checkit(prefix)
c_content = encrypt(content, key)
checkit(c_content)
payload = prefix + c_content
print(payload)
checkit(payload)
open('payload.bin', 'wb').write(payload)
open('payload.dec.bin', 'wb').write(prefix + content)
if flags.simulate:
test_payload(ctx, payload)
return
return
# R0 : 0001B305
# R1 : 20003F11
# R2 : 20003C79
# R3 : 20003C79
# R4 : 00000002
# R5 : 00000222
# R6 : 00000047
# R7 : 20006760
# R8 : 00000000
# R9 : 00000000
# R10 : 00000000
# R11 : 00000000
# R12 : 0000001B
# SP : 20006760
# LR : 0001B305
# PC : 20003D1E
# xPSR : 01000000
# PSP : 20006740
# MSP : 20007EC0
# CPUID: 410CC200
conn = Serial(flags.port)
with conn:
res = conn.recv_until('Exec')
input('send payload?')
conn.send(payload + b'\x00')
conn.recv_until('Calling your shellcode')
while True:
try:
print(conn.get_to_end(timeout=1).decode())
except KeyboardInterrupt:
break
def _set(self, val, off, size, lazy, le):
self.ops.add(off, Format(val).bitlist(size, le).v)
if not self.deferred_write:
self.flush()
def unwhiten(self, whitened_data):
res = BitOps.xorlist(whitened_data,
self.get_white_seq(len(whitened_data)))
return Format.ToBytes(res)