
Add reverse engineered transmit function

vladistan committed Jan 5, 2019
1 parent 10aa0e9 commit d6277730d6e780cc1f5d4213929e7f10d8e1863a
Showing with 121 additions and 3 deletions.
  1. +28 −0 RunAllTests.cpp
  2. +25 −2 client.h
  3. +1 −1 mock_data.h
  4. +26 −0 mock_net.cpp
  5. +18 −0 mock_net.h
  6. +23 −0 transmit.c
@@ -7,6 +7,7 @@
extern "C" {
#include "support.h"
#include "sim_types.h"
#include "mock_data.h"
#include "client.h"
}

@@ -47,6 +48,9 @@ TEST(Sizes, SockAddrIn) {
LONGS_EQUAL(sizeof(sockaddr_in), 0x10);
}

TEST(Sizes, Bundle) {
LONGS_EQUAL(sizeof(struct bundle), 0x790);
}

TEST(Sizes, CliHelloPkt) {
LONGS_EQUAL(sizeof(struct cliHelloPkt), 0x300);
@@ -98,6 +102,30 @@ TEST(Misc, QMemCpy) {
STRCMP_EQUAL(msg, "World World");
}



TEST_GROUP(Transmit) {
void setup() {}

void teardown() { mock().clear(); }
};

TEST(Transmit, SendIsCalled) {

bnd bundle;

memset(bundle.send_pkt_pload, 0, sizeof(bundle.send_pkt_pload));
strcpy((char *) bundle.send_pkt_pload, "Hello There");

mock().expectOneCall("send");
transmit(&bundle);
mock().checkExpectations();

}


int main(int ac, char **av) {
return CommandLineTestRunner::RunAllTests(ac, av);
}


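Review bot: `SendIsCalled` leaves `bundle.sock`, `bundle.send_pkt_sign` and `bundle.sent` uninitialised — only `send_pkt_pload` is cleared — so `transmit()` reads indeterminate bytes (a sanitizer will flag this even though the mock ignores the descriptor); initialise the whole object, `bnd bundle = {};` or `memset(&bundle, 0, sizeof bundle);`. The test also asserts only that `send` was called once, not that `transmit` returned 0 or that the 768 bytes reached `mock_snd_store[0]`; add `LONGS_EQUAL(0, transmit(&bundle));` and, if `STD_PACKET_SIZE` is 768, `MEMCMP_EQUAL(&bundle.send_pkt_sign, mock_snd_store[0], 768);`. As far as the hunk shows, `sndCalls` in mock_net.cpp is reset only by `mock_recv_init`, which this group's `setup()` never calls, so the three capture slots are consumed across the whole run; call `mock_recv_init(0);` from `setup()` (that needs `mock_net.h` in the `extern "C"` block alongside `mock_data.h`).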
@@ -5,18 +5,41 @@
#ifndef CLIENT_H_INCLUDED
#define CLIENT_H_INCLUDED 1



struct bundle {
_BYTE unknown[800];
_QWORD send_pkt_sign[8];
_BYTE send_pkt_pload[704];
_QWORD unknown2;
_QWORD sent;
int sock;
_BYTE field_680x[332];
struct sockaddr_in loc_addr;
};


struct __attribute__((packed)) cliHelloPkt {
_WORD local_addr;
_QWORD victim_ip_hx;
_QWORD client_id[8];
_QWORD client_id_maybe[8];
_BYTE otp[6];
_BYTE enc_k[512];
_QWORD pad[22];
_QWORD field_248;
_BYTE pad_2[64];
_BYTE field_288[64];
_BYTE field_2D8[40];
};


union CliPkt {
struct cliHelloPkt hello;
_BYTE raw[768];
};


typedef struct bundle bnd;


unsigned int transmit(bnd *bundle);
#endif
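Review bot: The header is not self-contained: `_BYTE`/`_QWORD`/`_WORD` and `struct sockaddr_in` are used with no include, so it compiles only when `sim_types.h` (and whatever provides `sockaddr_in`) happens to have been included first, as RunAllTests.cpp and mock_data.h do; add `#include "sim_types.h"` (and `<netinet/in.h>` if sim_types.h does not pull it in) above the structs. `send_pkt_sign[8]` plus `send_pkt_pload[704]` is the 768-byte span that `transmit()` in transmit.c writes out with a hard-coded 768, walking from the first array into the second; a comment on those two fields, `/* sign + payload = 768 bytes, sent as one unit by transmit() */`, or a `raw[768]` union like `CliPkt` already uses, would record that coupling. Separately, by my arithmetic (taking `_WORD`/`_QWORD` as 2/8 bytes) the `cliHelloPkt` fields sum to 0x3F0, not the 0x300 that `TEST(Sizes, CliHelloPkt)` expects and that the `field_2D8[40]` tail (0x2D8 + 40 = 0x300) implies — worth checking against the test run if that struct is part of this change rather than context.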
@@ -2,7 +2,7 @@
#ifndef REPLICA_MOCK_DATA_H
#define REPLICA_MOCK_DATA_H

#include "tla_types.h"
#include "sim_types.h"
#include "client.h"

extern _BYTE loc_enc_ki[0x200LL];
@@ -1 +1,27 @@
extern "C" {
#include "mock_net.h"
#include "mock_data.h"
}

#include <CppUTestExt/MockSupport.h>


static int sndCalls = 0;

_BYTE mock_snd_store[3][STD_PACKET_SIZE];

ssize_t mock_send(int socket, const void *buffer, size_t length, int flags) {

mock().actualCall("send");
if(length == sizeof(mock_snd_store[0]) && sndCalls < 3 ) {
memcpy(mock_snd_store[sndCalls], buffer, length);
sndCalls++;
}
return length;
}



void mock_recv_init(int state){
sndCalls = 0;
}
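Review bot: The send-capture counter `sndCalls` is reset only in `mock_recv_init`, whose name says recv and whose `state` argument is unused, so a reader looking for where send capture is reset will not find it; either rename it or document it, `/* also resets send capture (sndCalls); call from each test's setup() */`, and `(void)state;` if the argument is intentionally ignored. `mock_send` always returns `length`, so the partial-write loop in `transmit()` — the only non-trivial behaviour that function has — never sees a short send; a settable bytes-per-call limit in this mock would let a test drive that loop through several iterations. `memcpy` and `ssize_t` are used without `<cstring>`/`<sys/types.h>` and appear to rely on whatever sim_types.h or the CppUTest header pulls in; include them directly. `socket` and `flags` are unused, so `(void)socket; (void)flags;` keeps `-Wextra` quiet.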
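--- a/mock_net.h
+++ b/mock_net.h
@@ -0,0 +1,18 @@
+#include "sim_types.h"
+
+
+ssize_t mock_send(int socket, const void *buffer, size_t length, int flags);
+int mock_connect(int sock, struct sockaddr *addr, int len);
+int mock_getsockname(int, struct sockaddr *, socklen_t *);
+int mock_recv(int socket, char * buf, int len, int flags);
+
+void mock_recv_init(int state);
+
+extern _BYTE mock_snd_store[3][STD_PACKET_SIZE];
+
+#define recv mock_recv
+#define send mock_send
+#define connect mock_connect
+#define getsockname mock_getsockname
+
+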
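Review bot: The `#define send mock_send` block rewrites `send`/`recv`/`connect`/`getsockname` in every translation unit that includes this header, and transmit.c includes it unconditionally, so the function under test is compiled against the mocks even in a non-test build; guard the redefinitions, `#ifdef MOCK_NET` … `#endif`, or substitute the mocks at link time instead. The header also has no include guard — add `#ifndef MOCK_NET_H` / `#define MOCK_NET_H` / `#endif`. The `mock_recv` and `mock_connect` prototypes differ from the POSIX `recv`/`connect` signatures (`char *`/`int` instead of `void *`/`size_t`, non-const `struct sockaddr *`, `int` instead of `socklen_t`), which will produce conversion errors or silent truncation once real call sites are redirected through these macros; match the POSIX prototypes. `ssize_t`, `socklen_t`, `struct sockaddr` and `STD_PACKET_SIZE` are presumably supplied by sim_types.h — if not, `<sys/socket.h>` is needed here.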
@@ -1 +1,24 @@
#include "client.h"
#include "mock_net.h"

unsigned int transmit(struct bundle *bnd)
{
unsigned int sent; // rax
char *v2; // rbp
int v3; // eax

sent = 0LL;
v2 = (char *)bnd->send_pkt_sign;
bnd->sent = 0LL;
do
{
v3 = send(bnd->sock, v2, 768 - sent, 0);
if ( v3 < 0 )
return 1;
v2 += v3;
sent = bnd->sent + v3;
bnd->sent = sent;
}
while ( sent <= 0x2FF );
return 0;
}
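Review bot: A `send()` that returns 0 makes the `do`/`while` spin forever: `v3 == 0` passes the `v3 < 0` check, `v2` and `sent` do not advance, and `sent <= 0x2FF` stays true. If the intent is byte-for-byte fidelity to the decompiled binary, keep the behaviour but record it, `/* NOTE: a zero-length send() loops forever; matches the original binary */`; otherwise `if ( v3 <= 0 ) return 1;`. The `ssize_t` result of `send` is also narrowed into `int v3`, and the hard-coded 768 and `0x2FF` are the combined size of `send_pkt_sign` (64) and `send_pkt_pload` (704) in `struct bundle`, with `v2 += v3` walking from the first array into the second; a comment tying the constant to those fields, or a `sizeof` expression over a `raw[768]` view, would make that dependency explicit. `send` here resolves to `mock_send` via the unconditional `#include "mock_net.h"`, so this file as written never calls the real socket API.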
