A lightweight emulation framework for emulating security algorithms of iOS executables and libraries.
Chomper
Chomper is a lightweight emulation framework based on Unicorn. It is mainly used to emulate security algorithms in iOS executables and libraries. In addition, it also provides limited support for Android native libraries.
Features
- Emulation of ELF and Mach-O binaries
- Support for a subset of iOS system libraries (from iOS 14.4.0)
Requirements
- Python 3.9+
- Unicorn 2.0.0+
Installation
Install the stable version from PyPI:

```bash
$ pip install chomper
```

Or install the latest version from GitHub:

```bash
$ pip install git+https://github.com/sledgeh4w/chomper.git
```

Clone the rootfs repository:

```bash
$ git clone https://github.com/sledgeh4w/rootfs.git
```
Usage
Emulate iOS executables.
```python
from chomper import Chomper
from chomper.const import ARCH_ARM64, OS_IOS

# For iOS, system libraries will be automatically loaded from `rootfs_path`
emu = Chomper(
    arch=ARCH_ARM64,
    os_type=OS_IOS,
    rootfs_path="rootfs/ios",
)

# Load program
discover = emu.load_module("examples/binaries/ios/com.xingin.discover/8.74/discover")

s = "chomper"

# Construct arguments
a1 = emu.create_string(s)
a2 = len(s)
a3 = emu.create_buffer(120)
a4 = 120
a5 = emu.create_buffer(8)

# Call function
emu.call_address(discover.base + 0x324ef10, a1, a2, a3, a4, a5)
result = emu.read_string(a3)
```
Working with Objective-C.
```python
from chomper import Chomper
from chomper.const import ARCH_ARM64, OS_IOS
from chomper.objc import ObjcRuntime

emu = Chomper(
    arch=ARCH_ARM64,
    os_type=OS_IOS,
    rootfs_path="rootfs/ios",
)
objc = ObjcRuntime(emu)

emu.load_module("examples/binaries/ios/cn.com.scal.sichuanair/zsch")

# Use this context manager to ensure that Objective-C objects can be automatically released
with objc.autorelease_pool():
    # Find class
    zsch_rsa_class = objc.find_class("ZSCHRSA")

    # Create NSString object
    a1 = objc.create_ns_string("chomper")

    # Call Objective-C method
    req_sign = zsch_rsa_class.call_method("getReqSign:", a1)

    # Convert NSString object to C string
    result_ptr = req_sign.call_method("UTF8String")
    result = emu.read_string(result_ptr)
```
Emulate Android native libraries.
```python
from chomper import Chomper
from chomper.const import ARCH_ARM64, OS_ANDROID

emu = Chomper(
    arch=ARCH_ARM64,
    os_type=OS_ANDROID,
    rootfs_path="rootfs/android",
)

# Load dependency libraries
emu.load_module("rootfs/android/system/lib64/libz.so")

libszstone = emu.load_module("examples/binaries/android/com.shizhuang.duapp/libszstone.so")

s = "chomper"

a1 = emu.create_string(s)
a2 = len(s)
a3 = emu.create_buffer(1024)

result_size = emu.call_address(libszstone.base + 0x2F1C8, a1, a2, a3)
result = emu.read_bytes(a3, result_size)
```
Examples
Emulation code for several security algorithms is available in algorithms.
File details
Details for the file chomper-0.3.7.tar.gz.
File metadata
- Download URL: chomper-0.3.7.tar.gz
- Upload date:
- Size: 84.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.9.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6a9e65c7c9b88d4d747163caadfea6badf848238204f193b2c8742413c74d8ad |
| MD5 | da9a35fc122fa4200bde1661f9472d07 |
| BLAKE2b-256 | de6f7e26f1591b60fd88de0786975b6bc3db4d6676b8189df344100d20d7caba |
File details
Details for the file chomper-0.3.7-py3-none-any.whl.
File metadata
- Download URL: chomper-0.3.7-py3-none-any.whl
- Upload date:
- Size: 88.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.9.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 26153e4e41ea6ecf7c033fb729443568c236df2445bdce758860e8061c453823 |
| MD5 | 2c986eab2eca8f31a2a8c257df1c01b9 |
| BLAKE2b-256 | 18f0603a284a773564c005dea5d81f0bf12c469f794a3f6040c5f1d694467b8e |
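Neither file was uploaded via Trusted Publishing, so the digests listed for the two files are the integrity reference for a downloaded copy. The script below is an added example, not part of the Chomper project: it checks a local file against those digests in one streaming pass. The function names are illustrative, and "BLAKE2b-256" is taken to mean BLAKE2b with a 32-byte digest.

```python
import hashlib
import hmac
from pathlib import Path

# Digests copied from the "File hashes" tables on this page.
PUBLISHED = {
    "chomper-0.3.7.tar.gz": {
        "sha256": "6a9e65c7c9b88d4d747163caadfea6badf848238204f193b2c8742413c74d8ad",
        "md5": "da9a35fc122fa4200bde1661f9472d07",
        "blake2b-256": "de6f7e26f1591b60fd88de0786975b6bc3db4d6676b8189df344100d20d7caba",
    },
    "chomper-0.3.7-py3-none-any.whl": {
        "sha256": "26153e4e41ea6ecf7c033fb729443568c236df2445bdce758860e8061c453823",
        "md5": "2c986eab2eca8f31a2a8c257df1c01b9",
        "blake2b-256": "18f0603a284a773564c005dea5d81f0bf12c469f794a3f6040c5f1d694467b8e",
    },
}


def _hashers():
    # BLAKE2b-256 needs digest_size=32; hashlib's default is the 64-byte variant.
    return {
        "sha256": hashlib.sha256(),
        "md5": hashlib.md5(usedforsecurity=False),  # compared only as a published value
        "blake2b-256": hashlib.blake2b(digest_size=32),
    }


def mismatched_digests(path, expected):
    """Return the sorted algorithm names whose digest of `path` differs from `expected`."""
    hashers = _hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return sorted(
        name for name, want in expected.items()
        if not hmac.compare_digest(hashers[name].hexdigest(), want.strip().lower())
    )


def verify_download(path):
    """Look up the file name in PUBLISHED; unknown file names fail closed."""
    expected = PUBLISHED.get(Path(path).name)
    if expected is None:
        raise ValueError(f"no published digests for {Path(path).name}")
    return mismatched_digests(path, expected)
```

An empty list from `verify_download` means all three digests match; any returned name means the file should not be installed.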