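#! /usr/bin/env python
#############################################################################
##                                                                         ##
## burneye-dumper1 --- Single Step Burneye Dumper Demonstration Program    ##
## see http://www.secdev.org/articles/reverse/                             ##
## for more information                                                    ##
##                                                                         ##
## Copyright (C) 2004 Philippe Biondi                                      ##
##                                                                         ##
## This program is free software; you can redistribute it and/or modify it ##
## under the terms of the GNU General Public License as published by the   ##
## Free Software Foundation; either version 2, or (at your option) any     ##
## later version.                                                          ##
##                                                                         ##
## This program is distributed in the hope that it will be useful, but     ##
## WITHOUT ANY WARRANTY; without even the implied warranty of              ##
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU       ##
## General Public License for more details.                                ##
##                                                                         ##
#############################################################################

"""Single-step a burneye-protected binary under ptrace and dump the payload.

Flow: the target is exec'd under PTRACE_TRACEME, single-stepped until EIP
enters the ``target`` window (i.e. control has left the burneye engine),
the address space is then scanned forward from ``start`` for the ELF magic,
and the words from there up to the end of the protected payload are written
to ``fname``.  Addresses are hard-coded for the demonstration binary.
"""

import os
import struct
import sys

import ptrace

# Output file for the dump.
# NOTE(review): a fixed, predictable name in world-writable /tmp can be
# pre-created or symlinked by another local user before this script opens
# it; for anything beyond a demo prefer tempfile.mkstemp() or a
# caller-supplied path.
fname = "/tmp/burndump"
# EIP window that marks "we are out of the burneye engine" (exclusive bounds).
target = [0x8040000, 0x8050000]
# Address close to the end of the burneye engine; the ELF header of the
# unpacked payload is searched forward from here.
start = 0x053759A0
# Base the payload is assumed to be mapped at; together with the file size it
# bounds the dump (this is the 0x5370000 constant of the original loop).
PAYLOAD_BASE = 0x5370000

# Offset of EIP in the i386 user area (13th register slot, 4 bytes each).
USER_EIP = 12 * 4
SIGTRAP = 5
# "\x7fELF" read as a little-endian 32-bit word.
ELF_MAGIC = 0x464c457f


def _spawn_traced(argv):
    """Fork and exec *argv* under ptrace; return the child's pid.

    The parent returns once the child has stopped at the exec point.  If the
    exec itself fails the child exits immediately so it never falls through
    into the parent's code path.
    """
    pid = os.fork()
    if pid == 0:
        ptrace.traceme()
        try:
            os.execvp(argv[0], argv)
        except OSError as err:
            sys.stderr.write("exec of %s failed: %s\n" % (argv[0], err))
            os._exit(127)
    os.waitpid(pid, 0)
    return pid


def _step_until(pid, lo, hi):
    """Single-step *pid* until EIP lies strictly inside (lo, hi); return it.

    After every step the byte at the new EIP is checked for an int3 (0xcc),
    which burneye plants as an anti-debugging "fake breakpoint".  EIP is
    bumped past the opcode and SIGTRAP is delivered with the next step,
    presumably so the protected code observes the trap it expects.
    """
    pending_sig = 0
    while True:
        ptrace.singlestep(pid, pending_sig)
        pending_sig = 0
        os.waitpid(pid, 0)
        eip = ptrace.peekuser(pid, USER_EIP)
        insn = ptrace.peekdata(pid, eip)
        # Python's & binds tighter than ==, so this really tests the low byte.
        if insn & 0xff == 0xcc:
            print("Fake breakpoint detected!")
            ptrace.pokeuser(pid, USER_EIP, eip + 1)
            pending_sig = SIGTRAP
        if lo < eip < hi:
            print("here we are! EIP=%#08x" % eip)
            return eip


def _find_elf_header(pid, addr, limit):
    """Scan forward from *addr* one byte at a time for the ELF magic.

    Unreadable words (unmapped pages) are skipped.  Returns the address of
    the magic, or raises RuntimeError once *limit* is reached so a missing
    header cannot turn into an endless scan.
    """
    print("Probing memory from %#08x" % addr)
    while addr < limit:
        try:
            word = ptrace.peekdata(pid, addr)
        except Exception:
            # The ptrace binding's exception type is not known here; catching
            # Exception (not a bare except) still lets Ctrl-C through.
            addr += 1
            continue
        if word == ELF_MAGIC:
            return addr
        addr += 1
    raise RuntimeError("no ELF header found between %#08x and %#08x"
                       % (addr, limit))


def _dump(pid, addr, nbytes, path):
    """Write *nbytes* (rounded up to whole words) from *addr* in *pid* to *path*.

    Stops at the first unreadable word.  Returns the address just past the
    last word written.
    """
    print("Dumping memory from %#08x to file [%s]" % (addr, path))
    with open(path, "wb") as out:
        for _ in range((nbytes + 3) // 4):
            try:
                word = ptrace.peekdata(pid, addr)
            except Exception:
                break
            # Mask in case the binding returns a sign-extended value; "I" is
            # a 4-byte unsigned word on the i386 layout this script assumes.
            out.write(struct.pack("I", word & 0xffffffff))
            addr += 4
    print("Dump finished at address %#08x" % addr)
    return addr


def main(argv):
    """Entry point: argv[1] is the protected binary, the rest its arguments."""
    if len(argv) < 2:
        sys.stderr.write("usage: %s <burneye-protected-binary> [args...]\n"
                         % argv[0])
        return 2
    # Size of the protected binary; bounds both the header scan and the dump.
    size = os.path.getsize(argv[1])
    end = PAYLOAD_BASE + size
    pid = _spawn_traced(argv[1:])
    try:
        _step_until(pid, target[0], target[1])
        elf = _find_elf_header(pid, start, end)
        _dump(pid, elf, end - elf, fname)
    finally:
        # Always reap the traced child, even if scanning or dumping raised.
        ptrace.kill(pid)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))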