chomper's Introduction

Chomper

Chomper is a lightweight emulation framework based on Unicorn. It is mainly used to emulate native programs on Android and iOS.

Features

  • Basic emulation of ELF and Mach-O
  • Support for a set of iOS system libraries (from iOS SDK 14.4.0)

Requirements

  • Python 3.8+
  • Unicorn 2.0.0+

Installation

$ pip install chomper

Usage

Emulate iOS executable files.

import uuid

from chomper import Chomper
from chomper.const import ARCH_ARM64, OS_IOS

# The system libraries will be automatically loaded from `rootfs_path` on iOS
emu = Chomper(
    arch=ARCH_ARM64,
    os_type=OS_IOS,
    rootfs_path="examples/ios/rootfs",
)

# Load main program
duapp = emu.load_module("examples/ios/apps/com.siwuai.duapp/DUApp")

s = "chomper"

# Construct arguments
a1 = emu.create_string("objc")
a2 = emu.create_string(s)
a3 = len(s)
a4 = emu.create_string(str(uuid.uuid4()))
a5 = emu.create_buffer(8)
a6 = emu.create_buffer(8)
a7 = emu.create_string("com.siwuai.duapp")

# Call function
emu.call_address(duapp.base + 0x109322118, a1, a2, a3, a4, a5, a6, a7)
result = emu.read_string(emu.read_pointer(a5))

Working with Objective-C.

from chomper import Chomper
from chomper.const import ARCH_ARM64, OS_IOS
from chomper.objc import ObjC

emu = Chomper(
    arch=ARCH_ARM64,
    os_type=OS_IOS,
    rootfs_path="examples/ios/rootfs",
)

objc = ObjC(emu)

emu.load_module("examples/ios/apps/cn.com.scal.sichuanair/zsch")

# Construct NSString object
a1 = objc.msg_send("NSString", "stringWithUTF8String:", "test")

# Call ObjC method
req_sign = objc.msg_send("ZSCHRSA", "getReqSign:", a1)

# Convert NSString object to C string
result_ptr = objc.msg_send(req_sign, "cStringUsingEncoding:", 4)
result = emu.read_string(result_ptr)

Emulate Android native libraries.

from chomper import Chomper
from chomper.const import ARCH_ARM64, OS_ANDROID

emu = Chomper(arch=ARCH_ARM64, os_type=OS_ANDROID)

# Load C standard and other libraries
emu.load_module("examples/android/rootfs/system/lib64/libc.so")
emu.load_module("examples/android/rootfs/system/lib64/libz.so")

libszstone = emu.load_module(
    "examples/apps/android/com.shizhuang.duapp/libszstone.so",
    exec_init_array=True,
)

s = "chomper"

a1 = emu.create_string(s)
a2 = len(s)
a3 = emu.create_buffer(1024)

result_size = emu.call_address(libszstone.base + 0x2F1C8, a1, a2, a3)
result = emu.read_bytes(a3, result_size)

Hook instructions.

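# The callback uses Unicorn's code-hook signature and runs when execution
# reaches the hooked address
def hook_code(uc, address, size, user_data):
    pass

# Resolve the symbol in the loaded modules and hook its entry address
symbol = emu.find_symbol("strlen")
emu.add_hook(symbol.address, hook_code)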

Trace instructions.

# Trace all instructions
emu = Chomper(arch=ARCH_ARM64, os_type=OS_ANDROID, trace_instr=True)

# Trace instructions in this module
emu.load_module("examples/android/rootfs/system/lib64/libc.so", trace_inst=True)

Examples

Here are a few examples of encryption emulations for security vendors.

chomper's People

Contributors

sledgeh4w

chomper's Issues

Can't create NSURLRequest object.

Crash when creating an NSURLRequest object.

The reference code is:

NSMutableURLRequest *reqM = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://www.google.com"]];

Code1:

def create_ns_url(emu, s):
    cls = objc_get_class(emu, "NSURL")
    alloc_sel = objc_sel_register_name(emu, "alloc")
    init_sel = objc_sel_register_name(emu, "initWithString:")
    space = emu.call_symbol("_objc_msgSend", cls, alloc_sel)
    return emu.call_symbol("_objc_msgSend", space, init_sel, create_ns_string(emu, s))


def create_ns_mutable_url_request(emu, s):
    ns_url_obj = create_ns_url(emu, s)
    cls = objc_get_class(emu, class_name="NSMutableURLRequest")
    sel = objc_sel_register_name(emu, "requestWithURL:")
    req_obj = emu.call_symbol("_objc_msgSend", cls, sel, ns_url_obj)
    return req_obj

Code2:

def create_ns_url(emu, s):
    cls = objc_get_class(emu, "NSURL")
    alloc_sel = objc_sel_register_name(emu, "alloc")
    init_sel = objc_sel_register_name(emu, "initWithString:")
    space = emu.call_symbol("_objc_msgSend", cls, alloc_sel)
    return emu.call_symbol("_objc_msgSend", space, init_sel, create_ns_string(emu, s))


def create_ns_mutable_url_request(emu, s):
    ns_url_obj = create_ns_url(emu, s)
    cls = objc_get_class(emu, class_name="NSMutableURLRequest")
    alloc_sel = objc_sel_register_name(emu, "alloc")
    init_sel = objc_sel_register_name(emu, "initWithString:")
    space = emu.call_symbol("_objc_msgSend", cls, alloc_sel)
    req_obj = emu.call_symbol("_objc_msgSend", space, init_sel, ns_url_obj)
    return req_obj

The crash happens on this line:

req_obj = emu.call_symbol("_objc_msgSend", cls, sel, ns_url_obj)
req_obj = emu.call_symbol("_objc_msgSend", space, init_sel, ns_url_obj)

Error Log:

2024-04-23 15:11:31,447 - __main__ - INFO: Start emulate at libobjc.A.dylib!0x1947ec460
2024-04-23 15:11:45,130 - __main__ - INFO: Registers: x0: 0x0000000000000000, x1: 0x00000000000772b8, x2: 0x0000000000000000, x3: 0x0000000000000001, x4: 0x000000005d3799ff [libsystem_c.dylib!0x18916e9ff], x5: 0x0000000000000000, x6: 0x0000000000000000, x7: 0x0000000000000036, x8: 0x000000000803c080, x9: 0x00000000000774f8, x10: 0x0000000000000000, x11: 0x000000024ed2f829 [libdyld.dylib!0x1800f3829], x12: 0x000000024ed12568 [libdyld.dylib!0x1800d6568], x13: 0x0000000000000000, x14: 0x000000000801000d, x15: 0x0000000000000000, x16: 0xfffffffffffffff6, x17: 0x0000000000000033, x18: 0x0000000000000000, x19: 0x0000000000000000, x20: 0x00000000000772b8, x21: 0x0000000000000000, x22: 0x000000005d3720a8 [libsystem_c.dylib!0x1891670a8], x23: 0x0000000000000001, x24: 0x0000000000000000, x25: 0x00000002e6d730f1 [libobjc.A.dylib!0x1cb75d0f1], x26: 0x00000009f1c28f90 [binary!0x10c128f90], x27: 0x00000002f500d000 [libobjc.A.dylib!0x1d99f7000], x28: 0x00000002f5f2b000 [libobjc.A.dylib!0x1da915000], x29: 0x00000000000772a0, x30: 0x000000002850e3f0 [libsystem_kernel.dylib!0x1ac3153f0]
2024-04-23 15:11:45,131 - __main__ - INFO: Trace stack: libsystem_kernel.dylib!0x1ac30b56c, libsystem_kernel.dylib!0x1ac3153ec, libsystem_kernel.dylib!0x1ac315598, libsystem_platform.dylib!0x1c8be956c, libdyld.dylib!0x1800f158c, libdyld.dylib!0x1800f1620, libdyld.dylib!0x1800f1994, libdyld.dylib!0x1800d1eb8, libdyld.dylib!0x1800d6570, libdyld.dylib!0x1800c9754, libsystem_c.dylib!0x1891670a4, libsystem_darwin.dylib!0x1c8ba9c68, libsystem_darwin.dylib!0x1c8ba4788, CFNetwork!0x180b174ac, libdispatch.dylib!0x1800a627c, libdispatch.dylib!0x180077cd4, CFNetwork!0x180b17688, libdispatch.dylib!0x1800a627c, libdispatch.dylib!0x180077cd4, CFNetwork!0x180c11360, libobjc.A.dylib!0x1947efb94, libobjc.A.dylib!0x19480f0b4, CFNetwork!0x180a4b75c, CFNetwork!0x180a4b658
Traceback (most recent call last):
  File "/Users/xxx/Documents/repos/chomper/venv/lib/python3.9/site-packages/chomper/core.py", line 200, in _start_emulate
    self.uc.emu_start(address, stop_addr)
  File "/Users/xxx/Documents/repos/chomper/venv/lib/python3.9/site-packages/unicorn/unicorn.py", line 550, in emu_start
    raise self._hook_exception
  File "/Users/xxx/Documents/repos/chomper/venv/lib/python3.9/site-packages/unicorn/unicorn.py", line 392, in wrapper
    return func(self, *args, **kwargs)
  File "/Users/xxx/Documents/repos/chomper/venv/lib/python3.9/site-packages/unicorn/unicorn.py", line 681, in _hook_intr_cb
    cb(self, intno, data)
  File "/Users/xxx/Documents/repos/chomper/venv/lib/python3.9/site-packages/chomper/core.py", line 417, in _interrupt_callback
    self._dispatch_syscall()
  File "/Users/xxx/Documents/repos/chomper/venv/lib/python3.9/site-packages/chomper/core.py", line 441, in _dispatch_syscall
    self.crash("Unhandled system call")
  File "/Users/xxx/Documents/repos/chomper/venv/lib/python3.9/site-packages/chomper/core.py", line 371, in crash
    raise EmulatorCrashedException(message)
chomper.exceptions.EmulatorCrashedException: Unhandled system call at libsystem_kernel.dylib!0x1ac30b56c
python-BaseException
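
A triage helper for crash logs in the format shown above, added here as an example; it is not part of the issue or of Chomper's own code. It assumes the registers were logged at the `svc` instruction and relies on the arm64 Darwin convention that x16 carries the call number, with negative values denoting Mach traps and positive values BSD syscalls. The sample log is constructed from the lines above with the register and frame lists shortened.

```python
import re

# Constructed sample in the log format above (register and frame lists shortened).
SAMPLE_LOG = """\
2024-04-23 15:11:45,130 - __main__ - INFO: Registers: x0: 0x0000000000000000, x4: 0x000000005d3799ff [libsystem_c.dylib!0x18916e9ff], x16: 0xfffffffffffffff6, x30: 0x000000002850e3f0 [libsystem_kernel.dylib!0x1ac3153f0]
2024-04-23 15:11:45,131 - __main__ - INFO: Trace stack: libsystem_kernel.dylib!0x1ac30b56c, libsystem_kernel.dylib!0x1ac3153ec, CFNetwork!0x180b174ac
chomper.exceptions.EmulatorCrashedException: Unhandled system call at libsystem_kernel.dylib!0x1ac30b56c
"""

REG_RE = re.compile(r"\b(x\d+): (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"([\w.]+)!(0x[0-9a-fA-F]+)")
CRASH_RE = re.compile(r"EmulatorCrashedException: (.+?) at (\S+)!(0x[0-9a-fA-F]+)")


def to_signed64(value):
    """Reinterpret an unsigned 64-bit register value as two's complement."""
    return value - (1 << 64) if value & (1 << 63) else value


def triage(log_text):
    """Return crash reason, location, call stack and the decoded x16 call number."""
    regs, frames, crash = {}, [], None
    for line in log_text.splitlines():
        if "Registers:" in line:
            regs = {name: int(val, 16) for name, val in REG_RE.findall(line)}
        elif "Trace stack:" in line:
            frames = FRAME_RE.findall(line.split("Trace stack:", 1)[1])
        else:
            match = CRASH_RE.search(line)
            if match:
                crash = match.groups()
    if crash is None:
        return None
    report = {"reason": crash[0], "module": crash[1],
              "address": crash[2], "frames": frames}
    if "x16" in regs:
        number = to_signed64(regs["x16"])
        report["number"] = number
        # Assumption: registers were captured at the svc, so x16 is the call number.
        report["kind"] = "mach_trap" if number < 0 else "bsd_syscall"
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The decoded number and kind identify which handler the emulator is missing; the first stack frame should match the crash address when the log is complete.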

[Solution] error about capstone

log

OSError: dlopen(/Users/abc/Documents/repos/chomper/venv/lib/python3.9/site-packages/capstone/lib/libcapstone.dylib, 0x0006): tried: '/Users/abc/Documents/repos/chomper/venv/lib/python3.9/site-packages/capstone/lib/libcapstone.dylib' (mach-o file, but is an incompatible architecture (have 'x86_64', need 'arm64')), '/System/Volumes/Preboot/Cryptexes/OS/Users/abc/Documents/repos/chomper/venv/lib/python3.9/site-packages/capstone/lib/libcapstone.dylib' (no such file), '/Users/abc/Documents/repos/chomper/venv/lib/python3.9/site-packages/capstone/lib/libcapstone.dylib' (mach-o file, but is an incompatible architecture (have 'x86_64', need 'arm64'))

solution:

1. git clone https://github.com/capstone-engine/capstone.git
2. cd capstone
3. ./make.sh mac-universal
4. replace file on venv/lib/python3.9/site-packages/capstone/lib
