A lightweight emulation framework for emulating security algorithms of iOS executables and libraries.

Chomper

Chomper is a lightweight emulation framework based on Unicorn. It is mainly used to emulate security algorithms of iOS executables and libraries. It also provides limited support for Android native libraries.

Features

  • Basic emulation for ELF and Mach-O
  • Support for a subset of iOS system libraries (from iOS 14.4.0)

Requirements

  • Python 3.8+
  • Unicorn 2.0.0+

Installation

Clone the repository to use the latest version (recommended):

$ git clone https://github.com/sledgeh4w/chomper ; cd chomper
$ pip install .

Using the version on PyPI:

$ pip install chomper

Usage

Emulate iOS executables.

import uuid

from chomper import Chomper
from chomper.const import ARCH_ARM64, OS_IOS

# For iOS, system libraries will be automatically loaded from `rootfs_path`
emu = Chomper(
    arch=ARCH_ARM64,
    os_type=OS_IOS,
    rootfs_path="rootfs/ios",
)

# Load main program
duapp = emu.load_module("examples/binaries/ios/com.siwuai.duapp/DUApp")

s = "chomper"

# Construct arguments
a1 = emu.create_string("objc")
a2 = emu.create_string(s)
a3 = len(s)
a4 = emu.create_string(str(uuid.uuid4()))
a5 = emu.create_buffer(8)  # 8-byte buffer; the result pointer is read from it after the call
a6 = emu.create_buffer(8)
a7 = emu.create_string("com.siwuai.duapp")

# Call function at a fixed offset from the module base
emu.call_address(duapp.base + 0x9322118, a1, a2, a3, a4, a5, a6, a7)
# Read the pointer stored in a5, then the C string it points to
result = emu.read_string(emu.read_pointer(a5))

Working with Objective-C.

from chomper import Chomper
from chomper.const import ARCH_ARM64, OS_IOS
from chomper.objc import ObjC

emu = Chomper(
    arch=ARCH_ARM64,
    os_type=OS_IOS,
    rootfs_path="rootfs/ios",
)

objc = ObjC(emu)

emu.load_module("examples/binaries/ios/cn.com.scal.sichuanair/zsch")

# Use this context manager to ensure that Objective-C objects can be automatically released
with objc.autorelease_pool():
    # Construct NSString object
    a1 = objc.msg_send("NSString", "stringWithUTF8String:", "test")

    # Call Objective-C method
    req_sign = objc.msg_send("ZSCHRSA", "getReqSign:", a1)

    # Convert NSString object to C string (4 = NSUTF8StringEncoding)
    result_ptr = objc.msg_send(req_sign, "cStringUsingEncoding:", 4)
    result = emu.read_string(result_ptr)

Emulate Android native libraries.

from chomper import Chomper
from chomper.const import ARCH_ARM64, OS_ANDROID

emu = Chomper(arch=ARCH_ARM64, os_type=OS_ANDROID)

# Load C standard and other libraries
emu.load_module("examples/rootfs/android/system/lib64/libc.so")
emu.load_module("examples/rootfs/android/system/lib64/libz.so")

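# Load the target library and execute its init_array functions
libszstone = emu.load_module(
    "examples/binaries/android/com.shizhuang.duapp/libszstone.so",
    exec_init_array=True,
)

s = "chomper"

# Construct arguments: input string, its length, and a 1024-byte output buffer
a1 = emu.create_string(s)
a2 = len(s)
a3 = emu.create_buffer(1024)

# Call function; the return value is used as the number of result bytes in a3
result_size = emu.call_address(libszstone.base + 0x2F1C8, a1, a2, a3)
result = emu.read_bytes(a3, result_size)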

Examples

The examples directory contains emulation code for several security algorithms, and all example binary files can be downloaded from SourceForge.

Download files

Source Distribution

chomper-0.3.4.tar.gz (145.9 kB)

Built Distribution

chomper-0.3.4-py3-none-any.whl (149.6 kB)

File details

Details for the file chomper-0.3.4.tar.gz.

File metadata

  • Download URL: chomper-0.3.4.tar.gz
  • Size: 145.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.0.1 CPython/3.9.13

File hashes

Hashes for chomper-0.3.4.tar.gz
Algorithm Hash digest
SHA256 ea52f8a92c5131f770c8445be80777f1ee310d72aed06c3ed4231d28878f3306
MD5 f9230392fcee4e8c758cd0b5b25aad50
BLAKE2b-256 e259b4cea501a83f3ef5b2632f2c7df412eb4538449c9280ace514e39d2e6a77

File details

Details for the file chomper-0.3.4-py3-none-any.whl.

File metadata

  • Download URL: chomper-0.3.4-py3-none-any.whl
  • Size: 149.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.0.1 CPython/3.9.13

File hashes

Hashes for chomper-0.3.4-py3-none-any.whl
Algorithm Hash digest
SHA256 fdec6ac0bf120a2d0a91fad4ec63525610ce718f1dc7cc2915a2af80ba4223af
MD5 f1e1f3a941781721a844d2eb456b5e92
BLAKE2b-256 2adabb377477645686495cf63bbcccc55be36aec7de6b3b7814991201937a882
