def main():
global dse, todo, current
sys.setrecursionlimit(2000) # oof
# Parse arguments
parser = Sandbox_Win_x86_64.parser(description="PE sandboxer")
parser.add_argument("filename", help="PE Filename")
options = parser.parse_args()
options.dependencies = True # So we dont need to reimplement qt
sb = Sandbox_Win_x86_64(LocationDB(),
options.filename,
options,
custom_methods=qt_methods)
sb.jitter.add_breakpoint(end_ptr, stop_exec) # End condition
# Setup the qt string memory and a pointer to it
sb.jitter.vm.add_memory_page(0x10000018, PAGE_READ | PAGE_WRITE,
pck64(0x20000000)) # Hooking in here
sb.jitter.vm.add_memory_page(0x20000000, PAGE_READ | PAGE_WRITE,
qtstring) # The initial qstring
sb.jitter.vm.add_memory_page(0x10000020, PAGE_READ | PAGE_WRITE,
b'\x00') # The result
sb.jitter.cpu.R15 = 0x10000000
sb.jitter.cpu.RSP = sb.jitter.stack_base + 0x8000
# Setup and attach the DSE
dse = DSEPC(sb.machine,
sb.loc_db,
produce_solution=DSEPC.PRODUCE_SOLUTION_PATH_COV)
sb.jitter.init_run(0x140004B61)
dse.attach(sb.jitter)
dse.update_state_from_concrete()
dse.symbolize_memory(interval([(flag_ptr, flag_ptr + 0x20)]))
# Printable unicode only
for address in range(flag_ptr, flag_ptr + 0x20, 0x2):
z3_mem = dse.z3_trans.from_expr(
dse.eval_expr(ExprMem(ExprInt(address, 64), 16)))
unicode_constraint = z3.And( \
z3.UGE(z3_mem, dse.z3_trans.from_expr(ExprInt(0x0020, 16))), \
z3.ULE(z3_mem, dse.z3_trans.from_expr(ExprInt(0x007E, 16))) \
)
dse.cur_solver.add(unicode_constraint)
snapshot = dse.take_snapshot()
# Begin run
todo = [b'\x41\x00' * 0x10]
while todo:
dse.restore_snapshot(snapshot)
current = todo.pop()
sb.jitter.vm.set_mem(flag_ptr,
current) # Update the password in jitter memory
print('-' * 40 + f' CONCRETE: {unicode_string(current)}')
sb.jitter.continue_run()
# Only needed for the final output
reaches = set()
while todo:
# Get the next candidate
arg_value = todo.pop()
# Avoid using twice the same input
if arg_value in done:
continue
done.add(arg_value)
print("Run with ARG = %s" % arg_value)
# Restore state, while keeping already found solutions
dse.restore_snapshot(snapshot, keep_known_solutions=True)
# Reinit jitter (reset jitter.run, etc.)
jitter.init_run(run_addr)
# Set the argument value in the jitter context
jitter.eval_expr(ExprAssign(arg_addr, arg_value))
# Launch
jitter.continue_run()
# Obtained solutions are in dse.new_solutions: identifier -> solution model
# The identifier depends on the strategy:
# - block address for code coverage
# - last edge for branch coverage
# - execution path for path coverage
# Register symbolic stubs for extern functions (xxx_puts_symb, ...)
dse.add_lib_handler(sb.libs, globals())
# Automatic exploration of solution
## Save the current clean state, before any computation of the FILE content
snapshot = dse.take_snapshot()
found = False
while todo:
# Prepare a solution to try, based on the clean state
file_content = todo.pop()
print("CUR: %r" % file_content)
open(TEMP_FILE.name, "wb").write(file_content)
dse.restore_snapshot(snapshot, keep_known_solutions=True)
FILE_to_info.clear()
FILE_to_info_symb.clear()
# Play the current file
try:
sb.run()
except FinishOn as finish_info:
print(finish_info.string)
if finish_info.string == b"OK":
# Stop if the expected result is found
found = True
break
finfo = FILE_to_info_symb[FILE_stream]
for sol_ident, model in viewitems(dse.new_solutions):