Merge pull request #8 from shaymargolis/add-pic-tests

Add pic tests

Author: shaymargolis

.github/workflows/python-app.yml

@@ -30,7 +30,7 @@ jobs:
         # stop the build if there are Python syntax errors or undefined names
         flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
         # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+        flake8 . --count --max-complexity=10 --max-line-length=127 --statistics
     - name: Test with pytest
       run: |
         pytest

shellblocks/primitives/print.py

@@ -5,8 +5,8 @@ class ShellcodePrimitivePrint(ShellcodePrimitive):
     def __init__(self, nickname: str, print_function: int, print_string: str):
         super().__init__(
             nickname,
-            ["print.c", "utils.h"],
-            "print.c",
+            ["print.S", "utils.h"],
+            "print.S",
             "print.h"
         )
 

shellblocks/shellcode_primitive.py

@@ -24,7 +24,7 @@ def generate_header_file(self, path: Path):
             if isinstance(val, int):
                 contents += [f"#define {key} ({hex(val)})"]
             elif isinstance(val, str):
-                contents += [f"#define {key} (\"{val}\")"]
+                contents += [f"#define {key} \"{val}\""]
             else:
                 raise Exception(f"Cannot write header! Bad type {type(val)}")
 

shellblocks/src/jump_hook.c

@@ -1,19 +1,13 @@
 #include "utils.h"
 #include "jump_hook.h"
 
-const u32 opcodes[] = {
-    0x3c020000 + (JUMP_HOOK_GOTO_ADDRESS >> 16),    // lui   $v0,      %HI(dst_address)
-    0x24420000 + (JUMP_HOOK_GOTO_ADDRESS & 0xffff), // addiu $v0, $v0, %LO(dst_address)
-    0x00400008,                                     // jr    $v0
-    0x00000000,                                     // nop
-};
-
 void __attribute__((noreturn)) start(void) {
     u32 *hook_address = (u32 *)JUMP_HOOK_HOOK_ADDRESS;
 
-    for (int i = 0; i < sizeof(opcodes) / sizeof(opcodes[0]); i++) {
-        *(hook_address + i) = opcodes[i];
-    }
+    *(hook_address + 0) = 0x3c020000 + (JUMP_HOOK_GOTO_ADDRESS >> 16);    // lui   $v0,      %HI(dst_address)
+    *(hook_address + 1) = 0x24420000 + (JUMP_HOOK_GOTO_ADDRESS & 0xffff); // addiu $v0, $v0, %LO(dst_address)
+    *(hook_address + 2) = 0x00400008;                                     // jr    $v0
+    *(hook_address + 3) = 0x00000000;                                     // nop
 
     __builtin_unreachable();
 }

shellblocks/src/print.S

@@ -0,0 +1,36 @@
+#include "print.h"
+
+.global start
+start:
+    // Save $ra
+    addiu $sp, -4
+    sw $ra, 0($sp)
+
+    // Get $pc using bal
+    bal code
+    nop
+code:
+    // bal somehow compiles to "bal + nop" so 2 opcodes
+    addiu $a0, $ra, (print_string - code + 4)
+    nop
+
+    lui $v0, %hi(PRINT_FUNCTION_ADDRESS)
+    addiu $v0, %lo(PRINT_FUNCTION_ADDRESS)
+    jalr $v0
+    nop
+
+    // Restore $ra
+    lw $ra, 0($sp)
+    addiu $sp, 4
+    nop
+
+    // Jump over the printed string, to ensure we can run
+    // another primitive after this one.
+    b end_of_code
+
+print_string:
+    .asciiz PRINT_STRING
+    .align 2
+
+end_of_code:
+    nop

shellblocks/src/print.c

@@ -2,7 +2,7 @@ SECTIONS
 {
     .text : 
     {
-        *(.text)
+        *(.text*)
     }
 
     .rodata : 

shellblocks/src/shellcode_ldscript.ld

@@ -7,6 +7,9 @@
 from shellblocks.primitives.goto import ShellcodePrimitiveGoto
 
 
+SECTOR_SIZE = 0x2000
+
+
 @pytest.mark.parametrize('goto_page_and_address', [
     (0x81000000, 0x81000010),
     (0xbc000000, 0xbc000010),
@@ -36,11 +39,50 @@ def test_goto_sanity(temp_dir_path, goto_page_and_address):
 
     mu = Uc(UC_ARCH_MIPS, UC_MODE_32 | UC_MODE_BIG_ENDIAN)
     mu.mem_map(shellcode_address, 0x2000)
-    mu.mem_map(0x81000000, 0x2000)
 
     # write machine code to be emulated to memory
     mu.mem_write(shellcode_address, shellcode)
 
     mu.emu_start(shellcode_address, goto_address)
 
     assert goto_address == mu.reg_read(UC_MIPS_REG_PC)
+
+
+@pytest.mark.parametrize('shellcode_run_addr', [
+    (0x81000010),
+    (0xbc000010),
+    (0xbcf00010),
+    (0x91000118),
+])
+def test_goto_is_pic(temp_dir_path, shellcode_run_addr):
+    # Generate shellcode
+    # ------------------
+    shellcode_address = 0xbfc00000
+    _, goto_address = (0xbc000000, 0xbc000010)
+
+    shellcode_run_sector = int(shellcode_run_addr/SECTOR_SIZE) * SECTOR_SIZE
+
+    step = ShellcodeStep(
+        "first_step",
+        shellcode_address,
+        [
+            ShellcodePrimitiveGoto("copy_next_stage", goto_address),
+        ],
+        0x1000
+    )
+
+    out_file = step.generate(temp_dir_path / step.nickname)
+    shellcode = out_file.read_bytes()
+
+    # Try to run shellcode
+    # --------------------
+
+    mu = Uc(UC_ARCH_MIPS, UC_MODE_32 | UC_MODE_BIG_ENDIAN)
+    mu.mem_map(shellcode_run_sector, 0x2000)
+
+    # write machine code to be emulated to memory
+    mu.mem_write(shellcode_run_addr, shellcode)
+
+    mu.emu_start(shellcode_run_addr, goto_address)
+
+    assert goto_address == mu.reg_read(UC_MIPS_REG_PC)

tests/test_goto.py

@@ -16,7 +16,7 @@
     0x91000118,
 ])
 @pytest.mark.parametrize('jump_hook_goto', [
-    0x81000020,
+    0x81002020,
     0xbc002020,
     0xbcf00070,
     0x910f0218,
@@ -53,8 +53,6 @@ def test_jump_hook_sanity(temp_dir_path, jump_hook_location, jump_hook_goto):
         ]
     ))
 
-    end_of_code = shellcode.find(EXPECTED_HOOK)
-
     # Try to run shellcode
     # --------------------
 
@@ -67,7 +65,7 @@ def test_jump_hook_sanity(temp_dir_path, jump_hook_location, jump_hook_goto):
     mu.mem_write(jump_hook_sector, b"\x00" * 0x1000)
 
     # emulate code in infinite time & unlimited instructions
-    mu.emu_start(shellcode_address, shellcode_address + end_of_code)
+    mu.emu_start(shellcode_address, shellcode_address + len(shellcode))
 
     assert mu.mem_read(jump_hook_location, len(EXPECTED_HOOK)) == EXPECTED_HOOK
     assert mu.mem_read(jump_hook_location+len(EXPECTED_HOOK), 1) == (b"\x00")

tests/test_jump_hook.py

@@ -90,6 +90,35 @@ def test_memcpy_sanity(temp_dir_path, default_memcpy_helper, copy_len):
     assert helper.mu.mem_read(helper.second_copy_addr + copy_len, 1) == b"\x00"
 
 
+@pytest.mark.parametrize('shellcode_run_addr', [
+    (0x83000010),
+    (0xbc000010),
+    (0xbcf00010),
+    (0x91000118),
+])
+def test_memcpy_is_pic(temp_dir_path, shellcode_run_addr, default_memcpy_helper):
+    copy_len = 0x1000
+    helper = default_memcpy_helper
+    shellcode = memcpy_get_shellcode(temp_dir_path, helper, copy_len)
+
+    shellcode_run_sector = int(shellcode_run_addr/SECTOR_SIZE) * SECTOR_SIZE
+    helper.mu.mem_map(shellcode_run_sector, SECTOR_SIZE)
+
+    # Try to run shellcode
+    # --------------------
+
+    # write machine code to be emulated to memory
+    helper.mu.mem_write(shellcode_run_addr, shellcode)
+    helper.mu.mem_write(helper.first_copy_addr, b"\xAA" * copy_len)
+    helper.mu.mem_write(helper.second_copy_addr, b"\x00" * copy_len)
+
+    helper.mu.emu_start(shellcode_run_addr, shellcode_run_addr + len(shellcode))
+
+    assert helper.mu.mem_read(helper.second_copy_addr - 1, 1) == b"\x00"
+    assert helper.mu.mem_read(helper.second_copy_addr, copy_len) == (b"\xAA" * copy_len)
+    assert helper.mu.mem_read(helper.second_copy_addr + copy_len, 1) == b"\x00"
+
+
 @pytest.mark.parametrize('copy_len', [
     100,
     200,