
Fixed obfuscator and strlen hook

b committed Dec 17, 2017
1 parent aaf375c commit 5680b36e7fee6f4e75051cb59ecbf7f621c4241d
Showing with 7 additions and 2 deletions.
  1. +7 −2 sample/rc4/prga.py
@@ -23,19 +23,22 @@ def __init__(self):
self.mu.mem_map(0x1000 * 3, 0x1000)
self.mu.mem_map(0x1000 * 4, 0x1000) # Missed mapping
self.mu.mem_write(0x601040L, self.data_0)
self.mu.mem_write(0x601040L, self.data_0) # obfuscator
self.mu.mem_write(0x400626L, self.code_0) # swap()
self.mu.mem_write(0x400733L, self.code_1)
self.mu.mem_write(0x400a54L, "4142434400".decode('hex'))
self.mu.mem_write(0x4004d0L, "ff25410b2000".decode('hex'))
self.hookdict = {4196201L: 'hook_strlen'}
def hook_strlen(self):
arg = self.mu.reg_read(UC_X86_REG_RDI)
arg0 = arg
mem = self.mu.mem_read(arg, 1)
while mem[0]!="\x00":
while mem[0] != 0:
arg+=1
mem = self.mu.mem_read(arg, 1)
print "strlen(): %d" % (arg-arg0)
self.mu.reg_write(UC_X86_REG_RAX, arg-arg0)
return arg-arg0
@@ -46,6 +49,7 @@ def _start_unicorn(self, startaddr):
if self.mu.reg_read(UC_X86_REG_RIP) == 1:
return
retAddr = struct.unpack("<q", self.mu.mem_read(self.mu.reg_read(UC_X86_REG_RSP), 8))[0]
print "%08x" % retAddr
if retAddr in self.hookdict.keys():
getattr(self, self.hookdict[retAddr])()
self.mu.reg_write(UC_X86_REG_RSP, self.mu.reg_read(UC_X86_REG_RSP) + 8)
@@ -67,6 +71,7 @@ def run(self, arg_0, arg_1, arg_2):
self.mu.mem_write(argAddr_2, arg_2)
self.mu.reg_write(UC_X86_REG_RDX, argAddr_2)
self._start_unicorn(0x400733)
print repr(self.mu.mem_read(argAddr_2, 4))
return self.mu.reg_read(UC_X86_REG_RAX)
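Review bot: The scan loop in `hook_strlen` has no upper bound: it issues one-byte `mem_read` calls until it sees a zero, so a buffer at RDI that is not NUL-terminated inside mapped memory runs to the end of the mapping, where `mem_read` raises and nothing visible in this hunk catches it. The emulated sample's memory is not under the harness's control, so cap the scan, e.g. `while mem[0] != 0 and arg - arg0 < MAX_STRLEN:` (`MAX_STRLEN` is a name constructed for this note), and decide explicitly what RAX should hold when the cap is hit. Separately, `self.hookdict = {4196201L: 'hook_strlen'}` is keyed on a decimal value while every other address in `__init__` is hex; writing it as `0x400769L` with a comment such as `# return address of the hooked strlen call (confirm)` would make the `retAddr` lookup in `_start_unicorn` easier to follow. The two added `print` lines in `_start_unicorn` and `run` look like debugging output and would be better behind a verbosity flag.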
