add a simple uboot example

cq674350529 · cq674350529 · commit 15fb466c224a · 2021-11-13T17:50:52.000+08:00
diff --git a/examples/hello_arm_uboot.py b/examples/hello_arm_uboot.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+#
+# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
+#
+
+import sys
+sys.path.append("..")
+
+from qiling.core import Qiling
+from qiling.const import QL_VERBOSE
+from qiling.os.const import STRING
+
+def get_kaimendaji_password():
+    def my_getenv(ql, *args, **kwargs):
+        env = {"ID": b"000000000000000", "ethaddr": b"11:22:33:44:55:66"}
+        params = ql.os.resolve_fcall_params({'key': STRING})
+        value = env.get(params["key"], b"")
+
+        value_addr = ql.os.heap.alloc(len(value))
+        ql.mem.write(value_addr, value)
+
+        ql.reg.r0 = value_addr
+        ql.reg.arch_pc = ql.reg.lr
+
+    def get_password(ql, *args, **kwargs):
+        password_raw = ql.mem.read(ql.reg.r0, ql.reg.r2)
+
+        password = ''
+        for item in password_raw:
+            if 0 <= item <= 9:
+                password += chr(item + 48)
+            else:
+                password += chr(item + 87)
+
+        print("The password is: %s" % password)
+
+    def partial_run_init(ql):
+        # argv prepare
+        ql.reg.arch_sp -= 0x30
+        arg0_ptr = ql.reg.arch_sp
+        ql.mem.write(arg0_ptr, b"kaimendaji")
+
+        ql.reg.arch_sp -= 0x10
+        arg1_ptr = ql.reg.arch_sp
+        ql.mem.write(arg1_ptr, b"000000")   # arbitrary password
+
+        ql.reg.arch_sp -= 0x20
+        argv_ptr = ql.reg.arch_sp
+        ql.mem.write(argv_ptr, ql.pack(arg0_ptr))
+        ql.mem.write(argv_ptr + ql.pointersize, ql.pack(arg1_ptr))
+
+        ql.reg.r2 = 2
+        ql.reg.r3 = argv_ptr
+
+
+    with open("../examples/rootfs/blob/u-boot.bin.img", "rb") as f:
+        uboot_code = f.read()
+
+    ql = Qiling(code=uboot_code[0x40:], archtype="arm", ostype="blob", profile="uboot_bin.ql", verbose=QL_VERBOSE.OFF)
+
+    image_base_addr = ql.loader.load_address
+    ql.hook_address(my_getenv, image_base_addr + 0x13AC0)
+    ql.hook_address(get_password, image_base_addr + 0x48634)
+
+    partial_run_init(ql)
+
+    ql.run(image_base_addr + 0x486B4, image_base_addr + 0x48718)
+
+if __name__ == "__main__":
+    get_kaimendaji_password()
diff --git a/examples/uboot_bin.ql b/examples/uboot_bin.ql
@@ -0,0 +1,20 @@
+[CODE]
+ram_size = 0xa00000
+entry_point = 0x80800000
+heap_size = 0x300000
+
+
+[LOG]
+# log directory output
+# usage: dir = qlog
+dir =
+# split log file, use with multithread
+split = False
+
+
+[MISC]
+# append string into different logs
+# maily for multiple times Ql run with one file
+# usage: append = test1
+append =
+current_path = /
