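#! /usr/bin/env python
#############################################################################
##                                                                         ##
## burneye-dumper2 --- Burneye Dumper with debug registers demo. program   ##
##                                                                         ##
## see http://www.secdev.org/articles/reverse/                             ##
## for more information                                                    ##
##                                                                         ##
## Copyright (C) 2004 Philippe Biondi                                      ##
##                                                                         ##
## This program is free software; you can redistribute it and/or modify it ##
## under the terms of the GNU General Public License as published by the   ##
## Free Software Foundation; either version 2, or (at your option) any     ##
## later version.                                                          ##
##                                                                         ##
## This program is distributed in the hope that it will be useful, but     ##
## WITHOUT ANY WARRANTY; without even the implied warranty of              ##
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU       ##
## General Public License for more details.                                ##
##                                                                         ##
#############################################################################
"""Dump the in-memory image of a Burneye-packed i386 ELF program.

Usage: burneye-dumper2 <packed-binary> [args...]

The target is started under ptrace(2) with a hardware execution breakpoint
(DR0) at BREAKPOINT_ADDR.  On every stop the byte before EIP is inspected:
a 0xCC there means the SIGTRAP came from an int3 the program executes on
its own, so the signal is handed back to it on the next continue instead
of being swallowed.  When DR6 reports that breakpoint 0 fired, memory is
probed upward from PROBE_START for an ELF header and the image is written,
one 32-bit word at a time, to `fname`.

BREAKPOINT_ADDR, PROBE_START and DUMP_BASE are the values used for the
demo binary of the article above and have to be adjusted per target.
The traced program runs with the invoking user's privileges, so this is
best done in a disposable environment.
"""

import os
import struct
import sys
import warnings

import ptrace  # Philippe Biondi's ptrace(2) binding; not in the stdlib

# Kept from the original; presumably silences the FutureWarning older
# Python 2 releases emit for large hex literals / "%x" formatting.
warnings.filterwarnings("ignore", category=FutureWarning, append=1)

# Output file.  NOTE(review): fixed, predictable path in a shared directory;
# if the dumper is run as root a pre-existing symlink here would be followed.
# Point this at a private directory when that matters.
fname = "/tmp/burndump"

SYS_PTRACE = 26

# Offsets into the i386 `struct user`, as addressed by peekuser()/pokeuser().
USER_EAX = 6*4
USER_EBX = 0*4
USER_ECX = 1*4
USER_EDX = 2*4
USER_EIP = 12*4
USER_ESP = 15*4
USER_EFLAGS = 14*4
USER_ORIG_EAX = 11*4
USER_SIG = 46*4
USER_DR0 = 63*4
USER_DR1 = 64*4
USER_DR2 = 65*4
USER_DR3 = 66*4
USER_DR4 = 67*4
USER_DR5 = 68*4
USER_DR6 = 69*4
USER_DR7 = 70*4

SIGTRAP = 5

# Address loaded into DR0.  Choosing the breakpoint is the delicate part of
# the whole exercise (original comment: "Attention au choix du point
# d'arret !"); it is specific to the demo binary.
BREAKPOINT_ADDR = 0x804985e

# DR7 = 0x1 sets L0 only: breakpoint 0 locally enabled, R/W0 and LEN0 left
# at zero, i.e. a one-byte execution breakpoint.
DR7_L0 = 0x1
# DR6 bit 0 (B0) is set by the CPU when breakpoint 0 triggered.
DR6_B0 = 0x1

ELF_MAGIC = 0x464c457f  # "\x7fELF" read as a little-endian 32-bit word

# Where to start looking for the ELF header once the breakpoint fired, and
# how far to look before giving up (the original probed without bound).
PROBE_START = 0x053759A0
PROBE_LIMIT = PROBE_START + 0x4000000  # tunable: 64 MB of byte-stepped probing

# The dump length is derived as size + DUMP_BASE - start, exactly as in the
# original demo.  Presumably the image's load base -- confirm per target.
DUMP_BASE = 0x5370000


def wait_stopped(pid):
    """Wait for *pid* and return its wait status.

    A ptrace stop is the only state worth continuing from; if the child
    exited or was killed there is nothing to dump, so report and exit
    instead of calling peekuser() on a dead process.
    """
    _, status = os.waitpid(pid, 0)
    if not os.WIFSTOPPED(status):
        sys.stderr.write("traced process %d terminated (wait status %#x)\n"
                         % (pid, status))
        sys.exit(1)
    return status


def run_to_breakpoint(pid):
    """Resume *pid* until hardware breakpoint 0 fires; return the stop EIP.

    At each stop the word at EIP-1 is read.  A low byte of 0xCC means the
    trap was raised by an int3 inside the program (a "fake" breakpoint), so
    SIGTRAP is re-delivered on the next cont() to keep the program's own
    checks happy.  Every other stop is resumed with no signal, as in the
    original script.  Each stop is printed as "EIP: DR6 word".
    """
    pending = 0
    while 1:
        ptrace.cont(pid, pending)
        pending = 0
        wait_stopped(pid)
        eip = ptrace.peekuser(pid, USER_EIP)
        dr6 = ptrace.peekuser(pid, USER_DR6)
        isn = ptrace.peekdata(pid, eip - 1)
        if (isn & 0xff) == 0xcc:
            print("Fake breakpoint detected!")
            pending = SIGTRAP
        print("%08x: %08x %08x" % (eip, dr6, isn))
        if dr6 & DR6_B0:
            return eip


def find_elf_header(pid, start, limit):
    """Return the lowest address in [start, limit) whose word is ELF_MAGIC.

    Addresses are stepped one byte at a time; words that cannot be read
    (unmapped memory) are skipped.  Exits with a message when *limit* is
    reached so a wrong PROBE_START does not spin forever.
    """
    addr = start
    while addr < limit:
        try:
            word = ptrace.peekdata(pid, addr)
        except Exception:
            # Unreadable address: best-effort skip, but let Ctrl-C through.
            word = None
        if word == ELF_MAGIC:
            return addr
        addr += 1
    sys.stderr.write("no ELF header found between %#08x and %#08x\n"
                     % (start, limit))
    sys.exit(1)


def dump_memory(pid, start, end, path):
    """Write the words of *pid*'s memory in [start, end) to *path*.

    The dump stops early at the first word that cannot be read.  Returns
    the address following the last word written.  The file is opened in
    binary mode and always closed, even if peekdata() or write() fail.
    """
    addr = start
    out = open(path, "wb")
    try:
        while addr < end:
            try:
                word = ptrace.peekdata(pid, addr)
            except Exception:
                break
            # Mask so a sign-extended negative word still packs as 4 bytes.
            out.write(struct.pack("I", word & 0xffffffff))
            addr += 4
    finally:
        out.close()
    return addr


def main(argv):
    """Fork the target under ptrace, arm DR0, then probe and dump.

    argv[1] is both the program run via execvp() and the file whose size
    bounds the dump; argv[1:] becomes the program's argument vector.
    """
    if len(argv) < 2:
        sys.stderr.write("usage: %s <burneye-packed-binary> [args...]\n"
                         % argv[0])
        sys.exit(2)
    target = argv[1]
    # Size of the packed file on disk; used to bound the dump below.
    size = os.path.getsize(target)

    pid = os.fork()
    if pid == 0:
        ptrace.traceme()
        try:
            os.execvp(target, argv[1:])
        except OSError:
            sys.stderr.write("cannot execute %s\n" % target)
        # Never fall through into the parent's logic on a failed exec.
        os._exit(127)

    # First stop: the post-exec SIGTRAP of a PTRACE_TRACEME child.
    wait_stopped(pid)

    ptrace.pokeuser(pid, USER_DR0, BREAKPOINT_ADDR)
    ptrace.pokeuser(pid, USER_DR6, 0)
    ptrace.pokeuser(pid, USER_DR7, DR7_L0)

    run_to_breakpoint(pid)
    print("Got it!")

    print("Probing memory from %#08x" % PROBE_START)
    start = find_elf_header(pid, PROBE_START, PROBE_LIMIT)

    # Same word count as the original range((size+DUMP_BASE-start)/4) loop,
    # without materialising a list of tens of millions of indices.
    end = start + 4 * ((size + DUMP_BASE - start) // 4)
    print("Dumping memory from %#08x to file [%s]" % (start, fname))
    last = dump_memory(pid, start, end, fname)
    print("Dump finished at address %#08x" % last)

    ptrace.kill(pid)


if __name__ == "__main__":
    main(sys.argv)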