keep update with dev

Author: cq674350529

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,41 @@
+<!-- 
+We highly appreciate your interest and contribution to our project. 
+Before submiting your PR, please finish the checklist below. 
+-->
+
+## Checklist
+
+### Which kind of PR do you create?
+
+- [ ] This PR only contains minor fixes.
+- [ ] This PR contains major feature update.
+- [ ] This PR introduces a new function/api for Qiling Framework.
+
+### Coding convention?
+
+- [ ] The new code conforms to Qiling Framework naming convention.
+- [ ] The imports are arranged properly.
+- [ ] Essential comments are added.
+- [ ] The reference of the new code is pointed out.
+
+### Extra tests?
+
+- [ ] No extra tests are needed for this PR.
+- [ ] I have added enough tests for this PR.
+- [ ] Tests will be added after some discussion and review.
+
+### Changelog?
+
+- [ ] This PR doesn't need to update Changelog.
+- [ ] Changelog will be updated after some proper review.
+- [ ] Changelog has been updated in my PR.
+
+### Target branch?
+
+- [ ] The target branch is dev branch.
+
+### One last thing
+
+- [ ] I have read the [contribution guide](https://docs.qiling.io/en/latest/contribution/)
+
+-----

ChangeLog

@@ -1,5 +1,13 @@
 This file details the changelog of Qiling Framework.
 
+------------------------------------
+BREAK CHANGE
+- ql.multithread can be only set during Qiling.__init__ now.
+- ql.nprint and ql.dpring is depreciated. Please use logging directly instead.
+- ql.filename is renamed to ql.argv.
+- ql.output and ql.verbose now has slightly different meanings and can be adjusted runtime. See their docstring for details.
+- ql.filter now accepts a regular expression.
+
 ------------------------------------
 [Version 1.2.1]: December [SOMETHING], 2020
 

TODO

@@ -1,48 +1,4 @@
-*nix
-=====
-- More *nix based syscall
-
-iOS
-===
-- Partially completed. Did not test against any actual iOS binary yet
-
-FreeBSD
-=======
-Current Status: only work with assembler compiled binary
-- gcc compiled static binary
-- Dynamically compiled binary
-
-Windows
-=======
-- ARM64 Windows
-- More Windows API
-- API for PC name, WINS, WORKGOUP and Domains
-- API for fake installed application
-- API for process listing
-
-Debugging Server
-================
-- Add GDB stub commands
-
-USB
-===
-- Emulate USB
-
--------------------- FUTURE --------------------
-
-MCU
-===
-- STM32 Series?
-
-Blockchain
-==========
-- Smart contract emulator?
-
-Android
-======
-- It's Linux, but a bit more specific support ?
-- maybe an OS by itself
-
+Features request and TODO please refer to issue 333 https://github.com/qilingframework/qiling/issues/333
 
 -------------------- CHECKLIST before TAG --------------------
 Release 

examples/doogie_8086_crack.py

@@ -3,7 +3,7 @@
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 # Built on top of Unicorn emulator (www.unicorn-engine.org)
 
-import sys, curses, math, struct, string, time
+import sys, curses, math, struct, string, time, logging
 sys.path.append("..")
 from qiling import *
 from qiling.const import *
@@ -172,7 +172,7 @@ def read_until_zero(ql: Qiling, addr):
     return buf
 
 def set_required_datetime(ql: Qiling):
-    ql.nprint("Setting Feburary 06, 1990")
+    logging.info("Setting Feburary 06, 1990")
     ql.reg.ch = BIN2BCD(19)
     ql.reg.cl = BIN2BCD(1990%100)
     ql.reg.dh = BIN2BCD(2)

examples/hello_arm_linux_custom_syscall.py

@@ -14,12 +14,12 @@ def my_syscall_write(ql, write_fd, write_buf, write_count, *args, **kw):
 
     try:
         buf = ql.mem.read(write_buf, write_count)
-        ql.nprint("\n+++++++++\nmy write(%d,%x,%i) = %d\n+++++++++" % (write_fd, write_buf, write_count, regreturn))
+        logging.info("\n+++++++++\nmy write(%d,%x,%i) = %d\n+++++++++" % (write_fd, write_buf, write_count, regreturn))
         ql.os.fd[write_fd].write(buf)
         regreturn = write_count
     except:
         regreturn = -1
-        ql.nprint("\n+++++++++\nmy write(%d,%x,%i) = %d\n+++++++++" % (write_fd, write_buf, write_count, regreturn))
+        logging.info("\n+++++++++\nmy write(%d,%x,%i) = %d\n+++++++++" % (write_fd, write_buf, write_count, regreturn))
         if ql.output in (QL_OUTPUT.DEBUG, QL_OUTPUT.DUMP):
             raise
 

examples/hello_x8664_windows_customapi.py

@@ -3,7 +3,7 @@
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 # Built on top of Unicorn emulator (www.unicorn-engine.org) 
 
-import sys
+import sys, logging
 sys.path.append("..")
 
 from qiling import *
@@ -16,7 +16,7 @@
 @winsdkapi(cc=CDECL, replace_params={"str": STRING}) 
 def my_puts(ql, address, params):
     ret = 0
-    ql.nprint("\n+++++++++\nmy random Windows API\n+++++++++\n")
+    logging.info("\n+++++++++\nmy random Windows API\n+++++++++\n")
     string = params["str"]
     ret = len(string)
     return ret

examples/hfs_mbr_crack.py

@@ -0,0 +1,77 @@
+from qiling.const import QL_INTERCEPT
+from qiling import Qiling
+import curses, logging
+
+def input_index(ql: Qiling):
+    return ql.unpack16(ql.mem.read(0x81ba, 2))
+
+def target(ql: Qiling):
+    return ql.unpack16(ql.mem.read(0x81bb, 2))
+
+def stop(ql, b, c):
+    ql.emu_stop()
+
+def find_once(ql: Qiling, ch):
+    old = target(ql)
+    ql.reg.al = ch
+    h1 = ql.hook_code(stop, begin=0x8004, end=0x8004) # Fail
+    h2 = ql.hook_code(stop, begin=0x7fea, end=0x7fea) # Success
+    h3 = ql.hook_code(stop, begin=0x7e37, end=0x7e37)
+    ql.run(begin=0x7e3d)
+    ql.hook_del(h1)
+    ql.hook_del(h2)
+    ql.hook_del(h3)
+    new = target(ql)
+    if new > old:
+        return True
+    else:
+        return False
+
+def find_next(ql: Qiling):
+    ctx = ql.save()
+    ctx_succ = None
+    results = []
+    for i in range(0x61, 0x7a + 1):
+        if find_once(ql, i):
+            results.append(i)
+            ctx_succ = ql.save()
+        ql.restore(ctx)
+    if ctx_succ is None:
+        logging.info("Can't find any suitbale result.")
+        return None
+    ql.restore(ctx_succ)
+    return results
+
+def print_flags(results):
+    def _impl(fl, idx, results):
+        if idx == len(results):
+            print(f"flag: {fl}")
+        else:
+            for ch in results[idx]:
+                _impl(fl + ch, idx + 1, results)
+    curses.echo()
+    curses.nocbreak()
+    curses.endwin()
+    return _impl("", 0, results)
+
+def main():
+    flag = ""
+    results = []
+    ql = Qiling(["rootfs/8086/dos/hfs.img"], rootfs="rootfs/8086", console=False, log_dir=".", output="off")
+    h = ql.hook_code(stop, begin=0x7e3b, end=0x7e3b)
+    ql.run()
+    ql.hook_del(h)
+    ql.reg.ip = 0x7e3d
+    for i in range(9):
+        r = find_next(ql)
+        if r is None:
+            logging.info("Fail to crack.")
+            return
+        else:
+            r = list(map(lambda x: chr(x), r))
+            logging.info(f"Get {r}")
+            results.append(r)
+    print_flags(results)
+
+if __name__ == "__main__":
+    main()

examples/multithreading_arm64_linux.py

@@ -8,8 +8,7 @@
 from qiling import *
 
 def my_sandbox(path, rootfs):
-    ql = Qiling(path, rootfs, output = "debug")
-    ql.multithread = True
+    ql = Qiling(path, rootfs, output = "debug", multithread=True)
     ql.run()
 
 

examples/rootfs/8086/dos/hfs.img

@@ -3,7 +3,7 @@
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 # Built on top of Unicorn emulator (www.unicorn-engine.org) 
 
-import struct, sys
+import struct, sys, logging
 
 sys.path.append("..")
 from qiling import *
@@ -105,6 +105,7 @@ def sality_WriteFile(ql, address, params):
             r, nNumberOfBytesToWrite = ql.amsint32_driver.os.io_Write(buffer)
             ql.mem.write(lpNumberOfBytesWritten, ql.pack32(nNumberOfBytesToWrite))
         except Exception as e:
+            logging.exception("")
             print("Exception = %s" % str(e))
             r = 1
         if r:
@@ -143,6 +144,7 @@ def sality_StartServiceA(ql, address, params):
         else:
             return 1
     except Exception as e:
+        logging.exception("")
         print (e)
 
 
@@ -169,7 +171,7 @@ def hook_stop_address(ql):
     ql.os.set_function_args([0])
     ql.hook_address(hook_stop_address, 0x4055FA)
     ql.run(0x4053B2)
-    ql.nprint("[+] test kill thread")
+    logging.info("[+] test kill thread")
     if ql.amsint32_driver:
         ql.amsint32_driver.os.io_Write(struct.pack("<I", 0xdeadbeef))
         ql.amsint32_driver.hook_address(hook_stop_address, 0x10423)