Merge remote-tracking branch 'qiling.io/dev' into dev

Author: ucgJhe

README.md

@@ -28,6 +28,10 @@ Qiling is an advanced binary emulation framework, with the following features:
 
 Qiling also made its way to various international conferences.
 
+2022:
+- [Black Hat, EU](https://www.blackhat.com/eu-22/arsenal/schedule/#reversing-mcu-with-firmware-emulation-29553)
+- [Black Hat, MEA](https://blackhatmea.com/node/724)
+
 2021:
 - [Black Hat, USA](https://www.blackhat.com/us-21/arsenal/schedule/index.html#bringing-the-x-complete-re-experience-to-smart-contract-24119)
 - [Hack In The Box, Amsterdam](https://conference.hitb.org/hitbsecconf2021ams/sessions/when-qiling-framework-meets-symbolic-execution/)

qiling/arch/cortex_m.py

@@ -6,7 +6,7 @@
 from functools import cached_property
 from contextlib import ContextDecorator
 
-from unicorn import Uc, UcError, UC_ARCH_ARM, UC_MODE_ARM, UC_MODE_MCLASS, UC_MODE_THUMB, UC_ERR_OK
+from unicorn import UC_ARCH_ARM, UC_MODE_ARM, UC_MODE_MCLASS, UC_MODE_THUMB
 from capstone import Cs, CS_ARCH_ARM, CS_MODE_ARM, CS_MODE_MCLASS, CS_MODE_THUMB
 from keystone import Ks, KS_ARCH_ARM, KS_MODE_ARM, KS_MODE_THUMB
 
@@ -63,7 +63,7 @@ def __exit__(self, *exc):
 
 
 class QlArchCORTEX_M(QlArchARM):
-    type = QL_ARCH.ARM
+    type = QL_ARCH.CORTEX_M
     bits = 32
 
     def __init__(self, ql: Qiling):

qiling/arch/utils.py

@@ -106,13 +106,14 @@ def assembler(arch: QL_ARCH, endianess: QL_ENDIAN, is_thumb: bool) -> Ks:
     thumb = KS_MODE_THUMB if is_thumb else 0
 
     asm_map = {
-        QL_ARCH.ARM:   (KS_ARCH_ARM, KS_MODE_ARM + endian + thumb),
-        QL_ARCH.ARM64: (KS_ARCH_ARM64, KS_MODE_ARM),
-        QL_ARCH.MIPS:  (KS_ARCH_MIPS, KS_MODE_MIPS32 + endian),
-        QL_ARCH.A8086: (KS_ARCH_X86, KS_MODE_16),
-        QL_ARCH.X86:   (KS_ARCH_X86, KS_MODE_32),
-        QL_ARCH.X8664: (KS_ARCH_X86, KS_MODE_64),
-        QL_ARCH.PPC:   (KS_ARCH_PPC, KS_MODE_PPC32 + KS_MODE_BIG_ENDIAN)
+        QL_ARCH.CORTEX_M: (KS_ARCH_ARM, KS_MODE_ARM + KS_MODE_LITTLE_ENDIAN + KS_MODE_THUMB),
+        QL_ARCH.ARM:      (KS_ARCH_ARM, KS_MODE_ARM + endian + thumb),
+        QL_ARCH.ARM64:    (KS_ARCH_ARM64, KS_MODE_ARM),
+        QL_ARCH.MIPS:     (KS_ARCH_MIPS, KS_MODE_MIPS32 + endian),
+        QL_ARCH.A8086:    (KS_ARCH_X86, KS_MODE_16),
+        QL_ARCH.X86:      (KS_ARCH_X86, KS_MODE_32),
+        QL_ARCH.X8664:    (KS_ARCH_X86, KS_MODE_64),
+        QL_ARCH.PPC:      (KS_ARCH_PPC, KS_MODE_PPC32 + KS_MODE_BIG_ENDIAN)
     }
 
     if arch in asm_map:

qiling/const.py

@@ -1,15 +1,17 @@
 #!/usr/bin/env python3
-# 
+#
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 #
 
 from enum import Enum, Flag, IntEnum
-from typing import Mapping, Type, TypeVar
+from typing import Final, Mapping, Type, TypeVar
+
 
 class QL_ENDIAN(IntEnum):
     EL = 1
     EB = 2
 
+
 class QL_ARCH(IntEnum):
     X86 = 101
     X8664 = 102
@@ -23,6 +25,7 @@ class QL_ARCH(IntEnum):
     RISCV64 = 111
     PPC = 112
 
+
 class QL_OS(IntEnum):
     LINUX = 201
     FREEBSD = 202
@@ -35,44 +38,53 @@ class QL_OS(IntEnum):
     MCU = 209
     BLOB = 210
 
+
 class QL_VERBOSE(IntEnum):
-    DISABLED = -1 # turn off all the output
-    OFF = 0       # output only warnings 
-    DEFAULT = 1   # output warnings and Qiling execute process information
-    DEBUG = 4     # output all logs above and debug information, include syscall information
-    DISASM = 10   # output all assembly instructions during Qiling execution
-    DUMP = 20     # output any log Qiling can, include instructions and registers
+    DISABLED = -1   # turn off all the output
+    OFF = 0         # output only warnings
+    DEFAULT = 1     # output warnings and Qiling execute process information
+    DEBUG = 4       # output all logs above and debug information, include syscall information
+    DISASM = 10     # output all assembly instructions during Qiling execution
+    DUMP = 20       # output any log Qiling can, include instructions and registers
+
 
 class QL_DEBUGGER(IntEnum):
     GDB = 1
     IDAPRO = 2
     QDB = 3
 
+
 class QL_INTERCEPT(IntEnum):
     CALL = 1
     ENTER = 2
     EXIT = 3
 
+
 class QL_STOP(Flag):
     NONE = 0
     STACK_POINTER = (1 << 0)
-    EXIT_TRAP     = (1 << 1)
+    EXIT_TRAP = (1 << 1)
+
+
+QL_ARCH_INTERPRETER: Final = (QL_ARCH.EVM,)
 
-QL_ARCH_INTERPRETER = (QL_ARCH.EVM,)
+QL_OS_POSIX: Final = (QL_OS.LINUX, QL_OS.FREEBSD, QL_OS.MACOS, QL_OS.QNX)
+QL_OS_BAREMETAL: Final = (QL_OS.MCU,)
 
-QL_OS_POSIX     = (QL_OS.LINUX, QL_OS.FREEBSD, QL_OS.MACOS, QL_OS.QNX)
-QL_OS_BAREMETAL = (QL_OS.MCU,)
 
 QL_HOOK_BLOCK = 0b0001
 QL_CALL_BLOCK = 0b0010
 
 T = TypeVar('T', bound=Enum)
+
+
 def __casefold_enum(e: Type[T]) -> Mapping[str, T]:
     '''Create a casefolded mapping of an enum to allow case-insensitive lookup.
     '''
 
     return dict((k.casefold(), v) for k, v in e._member_map_.items())
 
+
 debugger_map = __casefold_enum(QL_DEBUGGER)
 arch_map     = __casefold_enum(QL_ARCH)
 os_map       = __casefold_enum(QL_OS)

qiling/debugger/gdb/utils.py

@@ -6,13 +6,13 @@
 from typing import Optional
 
 from qiling import Qiling
-from qiling.const import QL_ARCH
 
 # this code is partially based on uDbg
 # @see: https://github.com/iGio90/uDdbg
 
 PROMPT = r'gdb>'
 
+
 class QlGdbUtils:
     def __init__(self, ql: Qiling, entry_point: int, exit_point: int):
         self.ql = ql
@@ -32,10 +32,9 @@ def __entry_point_hook(ql: Qiling):
         # that hook will be used to set up the breakpoint handling hook
         ep_hret = ql.hook_address(__entry_point_hook, entry_point)
 
-
     def dbg_hook(self, ql: Qiling, address: int, size: int):
-        if ql.arch.type == QL_ARCH.ARM and ql.arch.is_thumb:
-            address += 1
+        if getattr(ql.arch, 'is_thumb', False):
+            address |= 1
 
         # resuming emulation after hitting a breakpoint will re-enter this hook.
         # avoid an endless hooking loop by detecting and skipping this case
@@ -53,24 +52,21 @@ def dbg_hook(self, ql: Qiling, address: int, size: int):
         #     ql.log.debug(f'{PROMPT} emulation entrypoint at {self.entry_point:#x}')
         #     ql.log.debug(f'{PROMPT} emulation exitpoint at {self.exit_point:#x}')
 
-
     def bp_insert(self, addr: int):
         if addr not in self.bp_list:
             self.bp_list.append(addr)
             self.ql.log.info(f'{PROMPT} breakpoint added at {addr:#x}')
 
-
     def bp_remove(self, addr: int):
         self.bp_list.remove(addr)
         self.ql.log.info(f'{PROMPT} breakpoint removed from {addr:#x}')
 
-
     def resume_emu(self, address: Optional[int] = None, steps: int = 0):
         if address is None:
             address = self.ql.arch.regs.arch_pc
 
-        if self.ql.arch.type == QL_ARCH.ARM and self.ql.arch.is_thumb:
-            address += 1
+        if getattr(self.ql.arch, 'is_thumb', False):
+            address |= 1
 
         op = f'stepping {steps} instructions' if steps else 'resuming'
         self.ql.log.info(f'{PROMPT} {op} from {address:#x}')

qiling/debugger/qdb/qdb.py

@@ -3,12 +3,12 @@
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 #
 
-from typing import Callable, Optional, Mapping, Tuple, Union
-
 import cmd
 
+from typing import Optional, Tuple, Union
+
 from qiling import Qiling
-from qiling.const import QL_OS, QL_ARCH, QL_VERBOSE
+from qiling.const import QL_OS, QL_ARCH
 from qiling.debugger import QlDebugger
 
 from .utils import setup_context_render, setup_branch_predictor, setup_address_marker, SnapshotManager, run_qdb_script
@@ -18,6 +18,7 @@
 
 from .utils import QDB_MSG, qdb_print
 
+
 class QlQdb(cmd.Cmd, QlDebugger):
     """
     The built-in debugger of Qiling Framework
@@ -134,7 +135,7 @@ def _run(self, address: int = 0, end: int = 0, count: int = 0) -> None:
 
             return
 
-        if self.ql.arch.type in (QL_ARCH.ARM, QL_ARCH.CORTEX_M) and self.ql.arch.is_thumb:
+        if getattr(self.ql.arch, 'is_thumb', False):
             address |= 1
 
         self.ql.emu_start(begin=address, end=end, count=count)
@@ -342,7 +343,7 @@ def do_examine(self, line: str) -> None:
 
         if type(err_msg := self.mm.parse(line)) is str:
             qdb_print(QDB_MSG.ERROR, err_msg)
-    
+
 
     def do_set(self, line: str) -> None:
         """

qiling/os/linux/linux.py

@@ -163,8 +163,10 @@ def run(self):
 
                     elif self.ql.loader.elf_entry != self.ql.loader.entry_point:
                         entry_address = self.ql.loader.elf_entry
-                        if self.ql.arch.type == QL_ARCH.ARM and entry_address & 1 == 1:
-                            entry_address -= 1
+
+                        if self.ql.arch.type == QL_ARCH.ARM:
+                            entry_address &= ~1
+
                         self.ql.emu_start(self.ql.loader.entry_point, entry_address, self.ql.timeout)
                         self.ql.do_lib_patch()
                         self.run_function_after_load()