from
unicorn
import
*
from
capstone
import
*
from
unicorn.x86_const
import
*
from
elftools.elf.elffile
import
ELFFile
from
elftools.elf.segments
import
Segment
import
ctypes
import
binascii
import
hexdump
import
struct
filepath
=
'kernel.elf'
load_base
=
0xFFFFFFFF81000000
stack_base
=
0
stack_size
=
0x20000
var_base
=
stack_base
+
stack_size
var_size
=
0x2000000
stop_stub_addr
=
var_base
+
var_size
stop_stub_size
=
0x10000
emu
=
Uc(UC_ARCH_X86, UC_MODE_64)
def
disasm(bytecode,addr):
md
=
Cs(CS_ARCH_X86,UC_MODE_64)
for
asm
in
md.disasm(bytecode,addr):
return
'%s\t%s'
%
(asm.mnemonic,asm.op_str)
def
align(addr, size, growl):
UC_MEM_ALIGN
=
0x1000
to
=
ctypes.c_uint64(UC_MEM_ALIGN).value
mask
=
ctypes.c_uint64(
0xFFFFFFFFFFFFFFFF
).value ^ ctypes.c_uint64(to
-
1
).value
right
=
addr
+
size
right
=
(right
+
to
-
1
) & mask
addr &
=
mask
size
=
right
-
addr
if
growl:
size
=
(size
+
to
-
1
) & mask
return
addr, size
def
hook_code(uc, address, size, user_data):
if
address
=
=
stop_stub_addr:
emu.emu_stop()
def
init_emu():
with
open
(filepath,
'rb'
) as elffile:
elf
=
ELFFile(elffile)
load_segments_addr
=
[
0xFFFFFFFF81000000
,
0xFFFFFFFF815EE000
]
load_segments
=
[x
for
x
in
elf.iter_segments()
if
x.header.p_type
=
=
'PT_LOAD'
]
for
segment
in
load_segments:
prot
=
UC_PROT_ALL
if
segment.header.p_vaddr
not
in
load_segments_addr:
continue
print
(
'mem_map: addr=0x%x size=0x%x'
%
(segment.header.p_vaddr,segment.header.p_memsz))
addr,size
=
align(load_base
+
segment.header.p_vaddr,segment.header.p_memsz,
True
)
addr
=
segment.header.p_vaddr
print
(
'fix_mem_map: addr=0x%x size=0x%x'
%
(addr,size))
emu.mem_map(addr, size, prot)
emu.mem_write(addr, segment.data())
emu.mem_map(stack_base, stack_size, UC_PROT_ALL)
emu.mem_map(var_base, var_size, UC_PROT_ALL)
emu.mem_map(stop_stub_addr, stop_stub_size, UC_PROT_ALL)
def
SerpentDecrypt(data):
emu.mem_write(stack_base
+
stack_size
-
8
, struct.pack(
'Q'
,stop_stub_addr))
emu.mem_write(var_base, data)
SerpentDecrypt_addr
=
0xFFFFFFFF81004660
code
=
emu.mem_read(SerpentDecrypt_addr,
8
)
hexdump.hexdump(code)
emu.reg_write(UC_X86_REG_RSP, stack_base
+
stack_size
-
8
)
emu.reg_write(UC_X86_REG_RDI, var_base)
emu.reg_write(UC_X86_REG_RSI,
len
(data))
emu.hook_add(UC_HOOK_CODE, hook_code,begin
=
stop_stub_addr, end
=
stop_stub_addr
+
stop_stub_size)
emu.emu_start(SerpentDecrypt_addr, SerpentDecrypt_addr
+
0x1000
)
return
emu.mem_read(var_base,
len
(data))
if
__name__
=
=
"__main__"
:
with
open
(
'initramfs.img'
,
'rb'
) as fd:
data
=
fd.read()
print
(
'%x'
%
len
(data))
init_emu()
dec_data
=
SerpentDecrypt(data)
with
open
(
'initramfs.gzip'
,
'wb+'
) as fd:
fd.write(dec_data)