qilingframework / qiling

A True Instrumentable Binary Emulation Framework

Home Page: https://qiling.io

License: GNU General Public License v2.0


qiling's Introduction



Qiling's use cases, blog and related work

Qiling is an advanced binary emulation framework, with the following features:

  • Emulate multi-platforms: Windows, MacOS, Linux, Android, BSD, UEFI, DOS, MBR, Ethereum Virtual Machine
  • Emulate multi-architectures: 8086, X86, X86_64, ARM, ARM64, MIPS, RISCV, PowerPC
  • Support multiple file formats: PE, MachO, ELF, COM, MBR
  • Support Windows Driver (.sys), Linux Kernel Module (.ko) & MacOS Kernel (.kext) via Demigod
  • Emulates and sandboxes code in an isolated environment
  • Provides a fully configurable sandbox
  • Provides in-depth memory, register, OS-level and filesystem-level APIs
  • Fine-grained instrumentation: allows hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc.)
  • Provides virtual machine level APIs such as saving and restoring the current execution state
  • Supports cross-architecture and cross-platform debugging
  • Built-in debugger with reverse debugging capability
  • Allows dynamic hotpatching of running code on the fly, including loaded libraries
  • True framework in Python, making it easy to build customized security analysis tools on top of it

Qiling also made its way to various international conferences.


Qiling is backed by the Unicorn engine.

Visit our website https://www.qiling.io for more information.


License

This project is released and distributed under the free software license GPLv2 or any later version.


Qiling vs other Emulators

There are many open source emulators, but the two projects closest to Qiling are Unicorn and Qemu usermode. This section explains the main differences between Qiling and them.

Qiling vs Unicorn engine

Qiling is built on top of Unicorn, but the two are very different animals.

  • Unicorn is just a CPU emulator: it focuses on emulating CPU instructions and only understands the emulator's memory. Beyond that, Unicorn is not aware of higher-level concepts such as dynamic libraries, system calls, I/O handling or executable formats like PE, MachO or ELF. As a result, Unicorn can only emulate raw machine instructions, without Operating System (OS) context.
  • Qiling is designed as a higher-level framework that leverages Unicorn to emulate CPU instructions but also understands the OS: it has executable format loaders (for PE, MachO and ELF at the moment), dynamic linkers (so it can load and relocate shared libraries), and syscall and I/O handlers. For this reason, Qiling can run an executable binary without requiring its native OS.

Qiling vs Qemu usermode

Qemu usermode does a similar thing to Qiling: it emulates whole executable binaries in a cross-architecture way. However, Qiling offers some important differences from Qemu usermode.

  • Qiling is a true analysis framework that allows you to build your own dynamic analysis tools on top of it (in Python). Qemu, by contrast, is just a tool, not a framework.
  • Qiling can perform dynamic instrumentation and can even hotpatch code at runtime. Qemu does neither.
  • Qiling is not only cross-architecture but also cross-platform, so for example you can run a Linux ELF file on top of Windows. In contrast, Qemu usermode can only run binaries of the same OS, such as a Linux ELF on Linux, because it forwards syscalls from the emulated code to the native OS.
  • Qiling supports more platforms, including Windows, MacOS, Linux and BSD. Qemu usermode can only handle Linux and BSD.

Installation

Please see the setup guide for how to install Qiling Framework.


Examples

  • The example below shows how to use Qiling framework in the most straightforward way to emulate a Windows executable.
from qiling import Qiling

if __name__ == "__main__":
    # initialize Qiling instance, specifying the executable to emulate and the emulated system root.
    # note that the current working directory is assumed to be Qiling home
    ql = Qiling([r'examples/rootfs/x86_windows/bin/x86_hello.exe'], r'examples/rootfs/x86_windows')

    # start emulation
    ql.run()
  • The following example shows how a Windows crackme may be patched dynamically to make it always display the "Congratulation" dialog.
from qiling import Qiling

def force_call_dialog_func(ql: Qiling):
    # get DialogFunc address from current stack frame
    lpDialogFunc = ql.stack_read(-8)

    # setup stack memory for DialogFunc
    ql.stack_push(0)
    ql.stack_push(1001)     # IDS_APPNAME
    ql.stack_push(0x111)    # WM_COMMAND
    ql.stack_push(0)

    # push return address
    ql.stack_push(0x0401018)

    # resume emulation from DialogFunc address
    ql.arch.regs.eip = lpDialogFunc


if __name__ == "__main__":
    # initialize Qiling instance
    ql = Qiling([r'rootfs/x86_windows/bin/Easy_CrackMe.exe'], r'rootfs/x86_windows')

    # NOP out some code
    ql.patch(0x004010B5, b'\x90\x90')
    ql.patch(0x004010CD, b'\x90\x90')
    ql.patch(0x0040110B, b'\x90\x90')
    ql.patch(0x00401112, b'\x90\x90')

    # hook at an address with a callback
    ql.hook_address(force_call_dialog_func, 0x00401016)
    ql.run()

The YouTube video below shows how the above example works.
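Added example (not part of the Qiling README) that puts the memory-access and basic-block hooks from the feature list to work for malware analysis: a write-then-execute detector that stops a packed Windows PE at the first basic block executed from memory the program wrote itself, which is where an unpacking stub hands control to its payload, and dumps the in-memory image at that point. Assumed: the Qiling 1.x hook API (hook_mem_write, hook_block, emu_stop, loader.images, QL_VERBOSE), and a placeholder sample path; the interval tracker itself is plain Python.

```python
from typing import List, Optional, Tuple


class WrittenRanges:
    """Sorted, non-overlapping [start, end) intervals of memory the emulated
    program wrote at run time. Adjacent and overlapping writes are merged so
    that a packer emitting millions of small writes stays cheap to query."""

    def __init__(self) -> None:
        self._ranges: List[Tuple[int, int]] = []

    def add(self, addr: int, size: int) -> None:
        if size <= 0:
            return
        start, end = addr, addr + size
        kept: List[Tuple[int, int]] = []
        for s, e in self._ranges:
            if e < start or s > end:          # disjoint: keep unchanged
                kept.append((s, e))
            else:                             # overlapping or adjacent: absorb
                start, end = min(start, s), max(end, e)
        kept.append((start, end))
        kept.sort()
        self._ranges = kept

    def contains(self, addr: int) -> bool:
        """Binary search over the sorted intervals."""
        lo, hi = 0, len(self._ranges)
        while lo < hi:
            mid = (lo + hi) // 2
            s, e = self._ranges[mid]
            if addr < s:
                hi = mid
            elif addr >= e:
                lo = mid + 1
            else:
                return True
        return False

    def total_bytes(self) -> int:
        return sum(e - s for s, e in self._ranges)


class WriteThenExecuteDetector:
    """Feeds Qiling hook events into WrittenRanges and remembers the first
    basic block that starts inside memory the program wrote itself. For a
    packed PE that block is the unpacking stub handing over to the payload."""

    def __init__(self) -> None:
        self.written = WrittenRanges()
        self.first_hit: Optional[int] = None

    def on_write(self, addr: int, size: int) -> None:
        self.written.add(addr, size)

    def on_block(self, addr: int) -> bool:
        """True only for the first block executed out of written memory."""
        if self.first_hit is None and self.written.contains(addr):
            self.first_hit = addr
            return True
        return False


def run_until_handover(binary: str, rootfs: str, dump_path: str) -> Optional[int]:
    """Emulate `binary` under Qiling, stop at the write-then-execute point and
    dump the main image as it looks in memory at that moment.
    Assumption: Qiling 1.x hook API (hook_mem_write, hook_block, emu_stop,
    loader.images). Imported lazily so the detector is usable without Qiling."""
    from qiling import Qiling
    from qiling.const import QL_VERBOSE

    det = WriteThenExecuteDetector()
    ql = Qiling([binary], rootfs, verbose=QL_VERBOSE.OFF)

    # memory-access hook: every write the emulated code performs
    def on_mem_write(ql: Qiling, access: int, address: int, size: int, value: int) -> None:
        det.on_write(address, size)

    # basic-block hook: fires once per block before it executes
    def on_block(ql: Qiling, address: int, size: int) -> None:
        if det.on_block(address):
            img = ql.loader.images[0]  # assumption: first image is the main executable
            with open(dump_path, "wb") as fh:
                fh.write(ql.mem.read(img.base, img.end - img.base))
            ql.emu_stop()

    ql.hook_mem_write(on_mem_write)
    ql.hook_block(on_block)
    ql.run()
    return det.first_hit


if __name__ == "__main__":
    # placeholder paths: point these at a packed sample and its rootfs
    hit = run_until_handover("rootfs/x86_windows/bin/PACKED_SAMPLE.exe",
                             "rootfs/x86_windows", "unpacked_image.bin")
    print("no handover observed" if hit is None else f"handover at {hit:#x}")
```

Stack writes are tracked too, so a program that builds and runs code on its stack is also reported; the loader's own writes are not, because hooks only fire once emulation starts.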

Emulating ARM router firmware on Ubuntu X64 machine

  • Qiling Framework hot-patches and emulates an ARM router's /usr/bin/httpd on an x86_64 Ubuntu machine

qiling Tutorial: Emulating and Fuzz ARM router firmware

Qiling's IDAPro Plugin: Instrument and Decrypt Mirai's Secret

  • This video demonstrates how Qiling's IDA Pro plugin makes IDA Pro run with the Qiling instrumentation engine

GDBserver with IDAPro demo

  • Solving a simple CTF challenge with Qiling Framework and IDAPro

Solving a simple CTF challenge with Qiling Framework and IDAPro

Emulating MBR

  • Qiling Framework emulates MBR

qiling DEMO: Emulating MBR


Qltool

Qiling also provides a friendly tool named qltool to quickly emulate shellcode & executable binaries.

With qltool, shellcode or a binary can be emulated with a single command:

With shellcode:

$ ./qltool code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex

With a binary file:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs  examples/rootfs/x8664_linux/

With a binary and the GDB debugger enabled:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux

With code coverage collection (UEFI only for now):

$ ./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --coverage-format drcov --coverage-file TcgPlatformSetupPolicy.cov

With json output (Windows mainly):

$ ./qltool run -f examples/rootfs/x86_windows/bin/x86_hello.exe --rootfs  examples/rootfs/x86_windows/ --console False --json

Contact

Get the latest info from our website https://www.qiling.io

Contact us at email [email protected], or via Twitter @qiling_io or Weibo


Core developers, key contributors, etc.

Please refer to CREDITS.md


qiling's Issues

socket_type = socket_type_mapping(socket_type, ql.arch) issue

@ucgJhe looks like we got arm screwed, can you take a look

[!] SYSCALL ERROR: ql_syscall_socket
Traceback (most recent call last):
  File "../qiling/os/linux/arm.py", line 62, in hook_syscall
    LINUX_SYSCALL_FUNC(ql, param0, param1, param2, param3, param4, param5)
  File "../qiling/os/posix/syscall.py", line 1249, in ql_syscall_socket
    socket_type = socket_type_mapping(socket_type, ql.arch)
  File "../qiling/os/posix/constant.py", line 116, in socket_type_mapping
    }.get(arch)(t)
TypeError: 'NoneType' object is not callable

Invalid memory read (UC_ERR_READ_UNMAPPED) while running a Windows PE

Description of the issue

I am trying to unpack a kkrunchy-packed binary (kkrunchy itself) as a way to test the framework.

(I can run all the PE examples from the project perfectly fine.)

But I ran into the following issue:

python kkrunchy.py
[+] SET_THREAD_AREA selector : 0x73
[+] SET_THREAD_AREA selector : 0x7b
[+] SET_THREAD_AREA selector : 0x83
[+] SET_THREAD_AREA selector : 0x8b
[+] SET_THREAD_AREA selector : 0x90
[+] Windows Registry PATH: /home/yannick/workspace/projects/qiling/examples/rootfs/x86_windows/Windows/registry
[+] Loading /home/yannick/workspace/projects/qiling/examples/rootfs/x86_windows/bin/kkrunchy_023a.exe to 0x5e0000
[+] PE entry point at 0x5e9a7a
[+] Initiate stack address at 0xfffdd000 
[+] TEB addr is 0x6000
[+] PEB addr is 0x6044
[+] Loading /home/yannick/workspace/projects/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/kernel32.dll to 0x10000000
[+] Done with loading /home/yannick/workspace/projects/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/kernel32.dll
[+] Done with loading /home/yannick/workspace/projects/qiling/examples/rootfs/x86_windows/bin/kkrunchy_023a.exe
0x100149d7: LoadLibraryA(lpLibFileName = "KERNEL32.dll") = 0x10000000
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "OutputDebugStringA") = 0x1003b2b7
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "WriteFile") = 0x10011282
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetStdHandle") = 0x100151b3
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "CloseHandle") = 0x10011410
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "ReadFile") = 0x10013ed3
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetFileSize") = 0x1001196e
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "CreateFileA") = 0x100153c6
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetTickCount") = 0x1001110c
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "ExitProcess") = 0x10017a10
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetProcAddress") = 0x10011222
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "LoadLibraryA") = 0x100149d7
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "VirtualProtect") = 0x1001435f
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetLocaleInfoA") = 0x1002d5e5
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "HeapSize") = 0x100c9bce
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetSystemTimeAsFileTime") = 0x10013509
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetCurrentProcessId") = 0x100111f8
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetCurrentThreadId") = 0x10011450
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "QueryPerformanceCounter") = 0x10011725
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "LCMapStringW") = 0x100117b9
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "HeapAlloc") = 0x100c9ba0
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "HeapFree") = 0x100114c9
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "HeapReAlloc") = 0x100c9bb6
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetLastError") = 0x100111c0
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "MultiByteToWideChar") = 0x1001192e
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetModuleHandleA") = 0x10011245
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetCommandLineA") = 0x100151a1
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetVersionExA") = 0x10013519
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "HeapDestroy") = 0x100135b7
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "HeapCreate") = 0x10014a2d
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "VirtualFree") = 0x1001186e
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "VirtualAlloc") = 0x10011856
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "TerminateProcess") = 0x1002d802
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetCurrentProcess") = 0x10011809
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetModuleFileNameA") = 0x100114b1
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "UnhandledExceptionFilter") = 0x1003772f
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "FreeEnvironmentStringsA") = 0x1001e349
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetEnvironmentStrings") = 0x1001e361
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "FreeEnvironmentStringsW") = 0x100151cb
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "WideCharToMultiByte") = 0x1001170d
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetEnvironmentStringsW") = 0x100151e3
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "SetHandleCount") = 0x1001cb29
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetFileType") = 0x10013531
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetStartupInfoA") = 0x10010e00
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetACP") = 0x1001179c
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetOEMCP") = 0x1003d1a1
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetCPInfo") = 0x10015189
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "RtlUnwind") = 0x1003d1c3
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "InterlockedExchange") = 0x10011462
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "VirtualQuery") = 0x1001445a
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetStringTypeA") = 0x10038266
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetStringTypeW") = 0x10011946
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "LCMapStringA") = 0x1003bc39
0x10011222: GetProcAddress(hModule = 0x10000000, lpProcName = "GetSystemInfo") = 0x100149ca
[+] Loading /home/yannick/workspace/projects/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ole32.dll to 0x1010b000
[+] Done with loading /home/yannick/workspace/projects/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ole32.dll
0x100149d7: LoadLibraryA(lpLibFileName = "ole32.dll") = 0x1010b000
0x10011222: GetProcAddress(hModule = 0x1010b000, lpProcName = "CoCreateInstance") = 0x10154d0b
0x10011222: GetProcAddress(hModule = 0x1010b000, lpProcName = "CoUninitialize") = 0x101536d3
0x10011222: GetProcAddress(hModule = 0x1010b000, lpProcName = "CoInitialize") = 0x10126636
[+] Loading /home/yannick/workspace/projects/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/oleaut32.dll to 0x10267000
[+] Done with loading /home/yannick/workspace/projects/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/oleaut32.dll
0x100149d7: LoadLibraryA(lpLibFileName = "OLEAUT32.dll") = 0x10267000
[!] GetProcAddress Exception Found
Traceback (most recent call last):
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/os/windows/x86.py", line 45, in hook_winapi
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/os/windows/fncc.py", line 186, in wrapper
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/os/windows/fncc.py", line 145, in x86_stdcall
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/os/windows/fncc.py", line 130, in __x86_cc
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/os/windows/fncc.py", line 95, in set_function_params
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/os/utils.py", line 470, in read_cstring
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/unicorn/unicorn.py", line 394, in mem_read
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "kkrunchy.py", line 32, in <module>
    my_sandbox([binary], rootfs)
  File "kkrunchy.py", line 25, in my_sandbox
    ql.run()
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/core.py", line 212, in run
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/os/windows/x86.py", line 172, in runner
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/core.py", line 23, in wrapper
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/core.py", line 265, in _callback
  File "/home/yannick/.local/share/virtualenvs/qiling-Z14cQecd/lib/python3.8/site-packages/qiling-0.9-py3.8.egg/qiling/os/windows/x86.py", line 48, in hook_winapi
qiling.exception.QlErrorSyscallError: [!] Windows API Implementation Error

kkrunchy.py script:

import os

from qiling import Qiling


def dump_bin(ql):
    # address hook callback: the packer has reached its final return address
    ql.nprint("Found unpacked binary")
    # stop the Unicorn engine (Qiling 0.9 exposes it as ql.uc); the original
    # ql.uc.emu.stop() does not exist and would raise AttributeError
    ql.uc.emu_stop()


def my_sandbox(path, rootfs):
    ql = Qiling(
        path, rootfs, libcache=True, output="debug"
    )

    # print(f"Stack addr: 0x{ql.stack_address:08x}")
    # print(f"Stack size: 0x{ql.stack_size:08x}")
    # print(f"mmap start: 0x{ql.mmap_start:08x}")

    # Hooking final return address
    ql.hook_address(dump_bin, 0x005f09b5)

    # Run
    ql.run()


if __name__ == "__main__":
    binary = os.path.join(os.getcwd(), "rootfs/x86_windows/bin/kkrunchy_023a.exe")
    rootfs = os.path.join(os.getcwd(), "rootfs/x86_windows")

    my_sandbox([binary], rootfs)

Analyzed binary > http://www.farbrausch.de/~fg/kkrunchy/kkrunchy_023a.zip (from ryg's homepage)

Execution environment

  • Ubuntu 18.04 Linux rick 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  • python packages:
pipenv run pip freeze
capstone==4.0.1
enum-compat==0.0.3
future==0.18.2
keystone-engine==0.9.1.post3
pefile==2019.4.18
python-registry==1.3.1
qiling==0.9
unicodecsv==0.14.1
unicorn==1.0.1

Question

Is there a way to configure Qiling so that I don't run into this issue?

Thanks

fail to load dynamic library

lamba@ubuntu:~/qiling$ sudo pip3 install keystone-engine
The directory '/home/lamba/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/lamba/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied: keystone-engine in /usr/local/lib/python3.6/dist-packages
lamba@ubuntu:~/qiling$ python3
Python 3.6.9 (default, Nov  7 2019, 10:44:02) 
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from qiling import *
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/lamba/qiling/qiling/__init__.py", line 1, in <module>
    from .core import *
  File "/home/lamba/qiling/qiling/core.py", line 13, in <module>
    from qiling.os.utils import *
  File "/home/lamba/qiling/qiling/os/utils.py", line 22, in <module>
    from keystone import *
  File "/usr/local/lib/python3.6/dist-packages/keystone/__init__.py", line 4, in <module>
    from .keystone import Ks, ks_version, ks_arch_supported, version_bind, debug, KsError, __version__
  File "/usr/local/lib/python3.6/dist-packages/keystone/keystone.py", line 74, in <module>
    raise ImportError("ERROR: fail to load the dynamic library.")
ImportError: ERROR: fail to load the dynamic library.

double print in log file

The test case will be the netgear one in the examples

with multithread = False and containing a fork

@ucgJhe will you be able to help?

close(6) = 0
close(6) = 0
fcntl(4, 6) = 0
fcntl(4, 6) = 0
close(4) = 0
close(4) = 0

write(1,7fd71458,2173) = 0

write(1,7fd71458,2173) = 0
write(1,7fd71458,2173) = -1
write(1,7fd71458,2173) = -1
[!] SYSCALL ERROR: ql_syscall_write
[!] SYSCALL ERROR: ql_syscall_write
[!] SYSCALL ERROR: ql_syscall_execve
[!] SYSCALL ERROR: ql_syscall_execve

windows registry issue at low python version

A Windows exe works on Python 3.6 and higher, but on a lower Python version it shows this:

  File "/usr/local/lib/python3.5/dist-packages/qiling-0.9-py3.5.egg/qiling/core.py", line 198, in __init__
  File "/usr/local/lib/python3.5/dist-packages/qiling-0.9-py3.5.egg/qiling/core.py", line 208, in load_exec
  File "/usr/local/lib/python3.5/dist-packages/qiling-0.9-py3.5.egg/qiling/os/windows/x86.py", line 115, in loader_file
  File "/usr/local/lib/python3.5/dist-packages/qiling-0.9-py3.5.egg/qiling/os/windows/x86.py", line 90, in setup_windows32
  File "/usr/local/lib/python3.5/dist-packages/qiling-0.9-py3.5.egg/qiling/os/windows/registry.py", line 64, in __init__
  File "/usr/lib/python3.5/json/__init__.py", line 312, in loads
    s.__class__.__name__))
TypeError: the JSON object must be str, not 'bytes'

Usage of fcntl on windows

Python does not have an fcntl equivalent on Windows. This will prevent Qiling from running on Windows OS. qiling.os.posix.filestruct relies on fcntl for the ioctl method in the ql_file, ql_socket, and ql_pipe classes.

os\utils.py ql_asm2bytes issue

The function compile_instructions in ql_asm2bytes uses unhexlify, but it hasn't imported unhexlify from binascii.

This will cause the following problem:
NameError: name 'unhexlify' is not defined

for better debugging

For better debugging, maybe use REUSEADDR for the socket and reveal the syscall write content just like syscall read does. Will it help?

install error

Installed c:\anaconda3\envs\tensorflow\lib\site-packages\qiling-0.9-py3.6.egg
Processing dependencies for qiling==0.9
Searching for unicorn>=1.0.2
Reading https://pypi.python.org/simple/unicorn/
No local packages or working download links found for unicorn>=1.0.2
error: Could not find suitable distribution for Requirement.parse('unicorn>=1.0.2')

Syscall hook

Hi! Is there a proper way to add syscall without patching library? Or I should patch corresponding files to implement required functionality?

KeyError: b'_crt_debugger_hook'

root@ubuntu:~/tool/qiling-master/examples# python3 regdemo_x86_windows.py
[+] SET_THREAD_AREA selector : 0x73
[+] SET_THREAD_AREA selector : 0x7b
[+] SET_THREAD_AREA selector : 0x83
[+] SET_THREAD_AREA selector : 0x8b
[+] SET_THREAD_AREA selector : 0x90
WARNING: Registry files format error[' File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/os/windows/registry.py", line 76, in __init__\n self.hklm['SAM'] = Registry.Registry(os.path.join(self.hive, 'SAM'))\n']
[+] Loading rootfs/x86_windows/bin/RegDemo.exe to 0x400000
[+] PE entry point at 0x401381
[+] Initiate stack address at 0xfffdd000
[+] TEB addr is 0x6000
[+] PEB addr is 0x6044
[+] Loading rootfs/x86_windows/dlls/kernel32.dll to 0x10000000
[+] Done with loading rootfs/x86_windows/dlls/kernel32.dll
[+] Loading rootfs/x86_windows/dlls/advapi32.dll to 0x100b2000
[+] Done with loading rootfs/x86_windows/dlls/advapi32.dll
[+] Loading rootfs/x86_windows/dlls/msvcr110.dll to 0x10155000
[+] Done with loading rootfs/x86_windows/dlls/msvcr110.dll
Traceback (most recent call last):
  File "regdemo_x86_windows.py", line 25, in <module>
    my_sandbox(["rootfs/x86_windows/bin/RegDemo.exe"], "rootfs/x86_windows")
  File "regdemo_x86_windows.py", line 18, in my_sandbox
    ql = Qiling(path, rootfs, output = "debug")
  File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/core.py", line 176, in __init__
  File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/core.py", line 185, in run_exec
  File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/os/windows/x86.py", line 109, in loader_file
  File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/loader/pe.py", line 313, in load
KeyError: b'_crt_debugger_hook'

MIPS32 Little Endian gdbserver not working

server: gdbserver
client: idapro

[getpkt: discarding char '+']
getpkt ("qSupported:xmlRegisters=i386,arm,mips");  [sending ack]
[sent ack]
putpkt ("$PacketSize=3fff;QPassSignals+;QProgramSignals+;qXfer:libraries-svr4:read+;augmented-libraries-svr4-read+;qXfer:auxv:read+;qXfer:spu:read+;qXfer:spu:write+;qXfer:siginfo:read+;qXfer:siginfo:write+;qXfer:features:read+;QStartNoAckMode+;qXfer:osdata:read+;multiprocess+;fork-events+;vfork-events+;exec-events+;QNonStop+;QDisableRandomization+;qXfer:threads:read+;BreakpointCommands+;QAgent+;swbreak+;hwbreak+;qXfer:exec-file:read+;vContSupported+;QThreadEvents+;no-resumed+#96"); [looking for ack]
[received '+' (0x2b)]
getpkt ("QStartNoAckMode");  [sending ack]
[sent ack]
[noack mode enabled]
putpkt ("$OK#9a"); [noack mode]
getpkt ("QDisableRandomization:1");  [no ack sent]
[address space randomization disabled]
putpkt ("$OK#9a"); [noack mode]
getpkt ("!");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("Hg0");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qXfer:features:read:target.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2007-2016 Free Software Foundation, Inc.

     Copying and distribution of this file, with or without modification,
     are permitted in any medium without royalty provided the copyright
     notice and this notice are preserved.  -->

<!DOCTYPE target SYSTEM "gdb-target.dtd">
<target>
  <architecture>mips</architecture>
  <osabi>GNU/Linux</osabi>
  <xi:include href="mips-cpu.xml"/>
  <xi:include href="mips-cp0.xml"/>
  <xi:include href="mips-fpu.xml"/>

  <feature name="org.gnu.gdb.mips.linux">
    <reg name="restart" bitsize="32" group="system"/>
  </feature>
</target>
#df"); [noack mode]
getpkt ("qXfer:features:read:mips-cpu.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2007-2016 Free Software Foundation, Inc.

     Copying and distribution of this file, with or without modification,
     are permitted in any medium without royalty provided the copyright
     notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.mips.cpu">
  <reg name="r0" bitsize="32" regnum="0"/>
  <reg name="r1" bitsize="32"/>
  <reg name="r2" bitsize="32"/>
  <reg name="r3" bitsize="32"/>
  <reg name="r4" bitsize="32"/>
  <reg name="r5" bitsize="32"/>
  <reg name="r6" bitsize="32"/>
  <reg name="r7" bitsize="32"/>
  <reg name="r8" bitsize="32"/>
  <reg name="r9" bitsize="32"/>
  <reg name="r10" bitsize="32"/>
  <reg name="r11" bitsize="32"/>
  <reg name="r12" bitsize="32"/>
  <reg name="r13" bitsize="32"/>
  <reg name="r14" bitsize="32"/>
  <reg name="r15" bitsize="32"/>
  <reg name="r16" bitsize="32"/>
  <reg name="r17" bitsize="32"/>
  <reg name="r18" bitsize="32"/>
  <reg name="r19" bitsize="32"/>
  <reg name="r20" bitsize="32"/>
  <reg name="r21" bitsize="32"/>
  <reg name="r22" bitsize="32"/>
  <reg name="r23" bitsize="32"/>
  <reg name="r24" bitsize="32"/>
  <reg name="r25" bitsize="32"/>
  <reg name="r26" bitsize="32"/>
  <reg name="r27" bitsize="32"/>
  <reg name="r28" bitsize="32"/>
  <reg name="r29" bitsize="32"/>
  <reg name="r30" bitsize="32"/>
  <reg name="r31" bitsize="32"/>

  <reg name="lo" bitsize="32" regnum="33"/>
  <reg name="hi" bitsize="32" regnum="34"/>
  <reg name="pc" bitsize="32" regnum="37"/>
</feature>
#9e"); [noack mode]
getpkt ("qXfer:features:read:mips-cp0.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2007-2016 Free Software Foundation, Inc.

     Copying and distribution of this file, with or without modification,
     are permitted in any medium without royalty provided the copyright
     notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.mips.cp0">
  <reg name="status" bitsize="32" regnum="32"/>
  <reg name="badvaddr" bitsize="32" regnum="35"/>
  <reg name="cause" bitsize="32" regnum="36"/>
</feature>
#f1"); [noack mode]
getpkt ("qXfer:features:read:mips-fpu.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2007-2016 Free Software Foundation, Inc.

     Copying and distribution of this file, with or without modification,
     are permitted in any medium without royalty provided the copyright
     notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.mips.fpu">
  <reg name="f0" bitsize="32" type="ieee_single" regnum="38"/>
  <reg name="f1" bitsize="32" type="ieee_single"/>
  <reg name="f2" bitsize="32" type="ieee_single"/>
  <reg name="f3" bitsize="32" type="ieee_single"/>
  <reg name="f4" bitsize="32" type="ieee_single"/>
  <reg name="f5" bitsize="32" type="ieee_single"/>
  <reg name="f6" bitsize="32" type="ieee_single"/>
  <reg name="f7" bitsize="32" type="ieee_single"/>
  <reg name="f8" bitsize="32" type="ieee_single"/>
  <reg name="f9" bitsize="32" type="ieee_single"/>
  <reg name="f10" bitsize="32" type="ieee_single"/>
  <reg name="f11" bitsize="32" type="ieee_single"/>
  <reg name="f12" bitsize="32" type="ieee_single"/>
  <reg name="f13" bitsize="32" type="ieee_single"/>
  <reg name="f14" bitsize="32" type="ieee_single"/>
  <reg name="f15" bitsize="32" type="ieee_single"/>
  <reg name="f16" bitsize="32" type="ieee_single"/>
  <reg name="f17" bitsize="32" type="ieee_single"/>
  <reg name="f18" bitsize="32" type="ieee_single"/>
  <reg name="f19" bitsize="32" type="ieee_single"/>
  <reg name="f20" bitsize="32" type="ieee_single"/>
  <reg name="f21" bitsize="32" type="ieee_single"/>
  <reg name="f22" bitsize="32" type="ieee_single"/>
  <reg name="f23" bitsize="32" type="ieee_single"/>
  <reg name="f24" bitsize="32" type="ieee_single"/>
  <reg name="f25" bitsize="32" type="ieee_single"/>
  <reg name="f26" bitsize="32" type="ieee_single"/>
  <reg name="f27" bitsize="32" type="ieee_single"/>
  <reg name="f28" bitsize="32" type="ieee_single"/>
  <reg name="f29" bitsize="32" type="ieee_single"/>
  <reg name="f30" bitsize="32" type="ieee_single"/>
  <reg name="f31" bitsize="32" type="ieee_single"/>

  <reg name="fcsr" bitsize="32" group="float"/>
  <reg name="fir" bitsize="32" group="float"/>
</feature>
#dd"); [noack mode]
getpkt ("?");  [no ack sent]
putpkt ("$T051d:00e7ff7f;25:40ccfc77;#65"); [noack mode]
getpkt ("m7fffe700,1");  [no ack sent]
putpkt ("$01#61"); [noack mode]
getpkt ("me7ff7f,1");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m77fccc40,1");  [no ack sent]
putpkt ("$25#67"); [noack mode]
getpkt ("m40ccfc77,1");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("?");  [no ack sent]
putpkt ("$T051d:00e7ff7f;25:40ccfc77;#65"); [noack mode]
getpkt ("qXfer:threads:read::0,3ffe");  [no ack sent]
putpkt ("$l<threads>
<thread id="367" core="0" name="mips32el_hello"/>
</threads>
#d0"); [noack mode]
getpkt ("qC");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("p25");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("g");  [no ack sent]
putpkt ("$0*}0*Cdc3e2d77e0bc9b55887ac755787ac75500909e55606d1f77c8719e550*Fe7ff7fd87f867f0*"0013a40* 78730200fc0*"08c495552000801040ccfc77f*}f*}f*Z0*&93730*&#e3"); [noack mode]
getpkt ("qXfer:exec-file:read::0,3ffe");  [no ack sent]
putpkt ("$l/home/xwings/mips32el_hello#a4"); [noack mode]
getpkt ("vFile:open:2f686f6d652f7877696e67732f6d6970733332656c5f68656c6c6f,0,124");
  [no ack sent]
putpkt ("$F5#7b"); [noack mode]
getpkt ("vFile:pread:5,1,fff");  [no ack sent]
putpkt ("$F1;.#e0"); [noack mode]
getpkt ("vFile:pread:5,1,1fff");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,17ff");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,1bff");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,19ff");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,18ff");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,187f");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,18bf");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,189f");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,188f");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,1897");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,189b");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,189d");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,189c");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,100,0");  [no ack sent]
putpkt ("$F100;�ELF☺☺☺"); [noack mode]
getpkt ("vFile:pread:5,100,100");  [no ack sent]
putpkt ("$F100;☺"); [noack mode]
getpkt ("vFile:close:5");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("qXfer:auxv:read::0,3ffe");  [no ack sent]
putpkt ("$l!"); [noack mode]
getpkt ("qXfer:threads:read::0,3ffe");  [no ack sent]
putpkt ("$l<threads>
<thread id="367" core="0" name="mips32el_hello"/>
</threads>
#d0"); [noack mode]
getpkt ("Z0,555557cc,4");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("B555557cc,S");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("m555557cc,4");  [no ack sent]
putpkt ("$e0ffbd27#90"); [noack mode]
getpkt ("M555557cc,4:0d000500");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("m77fccc00,100");  [no ack sent]
putpkt ("$04a49c2721e099035080858fe0ffbd274c80998f020004241000bcaf1c00bfaf43491104f81da5241000bc8f7080998f3f7011047f0004240*,25c8e003010011040*%4001c3cb4a39c2721e09f0325f820031880848f108084af2520a003f0ffbd271c80888f7c0c0825010010050*"002340e8031c80998f1817392721c8280309f820030*"001000bd272080998f04001c3c64a39c2721e0990325808003258840002480828f0* 428c06004010*)a48f232082008010020021e8a2030* a4af2880848f0* 848c0* a58f0400a627803805002138e6000400e724f8ff01242410a1032540a003e0ff5d24#b3"); [noack mode]
getpkt ("m3a300,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m55565900,100");  [no ack sent]
putpkt ("$02001c3c70809c2721e09903e0ffbd271000bcaf1c00bfaf1c00bf8f0800e0032000bd270*5100020*648656c6c6f2c20576f726c64210**5c070* f0060*v80c0070* 20080* c4080* 7409010*"0100d809010*&c4050* 540901005809010*Fe0080*(d0080*0d809010*f#42"); [noack mode]
getpkt ("m700,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m800,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m0,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m80000000,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("mffffff00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m77fff000,100");  [no ack sent]
putpkt ("$010*H80ac010*(9c0c0* e02e0300d832030040210100d425010*"0300e4b50* d03c03003c6b0100e42e0300e82e03003031010*"0200501e0100a0990* 20d0*!f02e030070d8010070d60100b0e0010030cd0100f82f030090d5010070d701008030010054c70* 249e0100f43c030040ec0100f42f03004c3d0100b8ab01008ccf0* 301b010020d301002c0d0* 7cce0* f063010010a6010080cd0100a4af01009cc90100400c0* e0d0010098ad0100a8a10100ec3b03008cb0010014c90* 40c80* 40a30100682a010020940* 8051010090520100602a0100#88"); [noack mode]
getpkt ("m10900,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m55555000,100");  [no ack sent]
putpkt ("$7f454c460101010*/3000800010*%60* 340*"4c130*!7100070340020* a00280022002100060*"340*"340*"340*"40010* 40010*!50*"040*"030*"74010* 74010* 74010*!d0*"0d0*"040*"010*"030* 70a8010* a8010* a8010* 180*"180*"040*"080*(70c0010* c0010* c0010* 180*"180*"040*"040*"010*:54090* 54090*!50*'100010*"54090* 5409010054090100880*"9c0*"060*'100020*"fc010* fc010* #0a"); [noack mode]
getpkt ("m7fffe700,100");  [no ack sent]
putpkt ("$010*"04e8ff7f0*"0013e8ff7fcfedff7f04eeff7f15eeff7f27eeff7f33eeff7f44eeff7f56eeff7f79eeff7f8ceeff7fa2eeff7fb6eeff7fc6eeff7fceeeff7fe0eeff7fefeeff7f0eefff7f4cefff7fd8efff7f0*"00210*"00d0ff7710*,60*"0010*!110*"640*"030*"34505* 040*"20*"0050*"0a0*"070*"00c0fc77080*+90*"00565* 0b0*"e8030*!c0*"e8030*!d0*"e8030*!e0*"e8030* 170**190*"f0e7ff7f1f0*"edefff7f0*444ac5a862874d0386a7544c2282bb5a3#db"); [noack mode]
getpkt ("m10000,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("mff00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m77fccd00,100");  [no ack sent]
putpkt ("$1c00a8af1000bcaf2c80998f0c4511040*"001000bc8f1c00bd8f3080828f25c82002080020030*%4001c3cd4a29c2721e099033480828f0800e003f03b42240400828c010042240800e003040082ac0400828cf* 42240800e003040082ac04001c3c9ca29c2721e09903c8ffbd273880998f020002242800a6272000bcaf1c00a0af3000b0af258080003400bfaf080080ac1800a2af1400a0af1000a0af2800a0af0400858c0* 848c0c2a1104a802a7242800a38f080060103400bf8f020040102520*%448c0400628c21104400080002ae3400bf8f3000b08f0800e0033800bd2704001c3c14a29c2721e099033c80828fd0ffbd27#79"); [noack mode]
getpkt ("m600,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m100,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m200,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m55555100,100");  [no ack sent]
putpkt ("$fc010* 18010* 18010*!40*"040*"040*"84010* 84010* 84010* 20*"020*"0040*"040*"040*"d8010* d8010* d8010* 240*"240*"040*"040*[40*"2f6c69622f6c642e736f2e310*%40*"10*"0010*"474e550*'30*"020*62002010100050*<f60100b20*<70890100040*"140*"030*"474e5500b80aba64c7d8fe3c5fe9e69ac33b8f4c8e0ac5f5010*"#be"); [noack mode]
getpkt ("m55555200,100");  [no ack sent]
putpkt ("$bd0*"0c0*"c4050*!d0*%90* 190*"540901001b0*"040*"1a0*"580901001c0*"040*"040*"14030*!50*"68040*!60*"68030*!a0*"ea0*"0b0*"10*"0350* 7014070100150*+30*"80090100110*"a4050* 120*"20*"0130*"080*"010* 70010*"050* 70020*"060* 70*&a0* 700f0*"110* 7010*"0120* 701f0*"130* 70090*"fbf* 6f0*"08fef* 6f74050* f*"6f010*"f0f* 6f52050*X#0c"); [noack mode]
getpkt ("m55555300,100");  [no ack sent]
putpkt ("$0*E30*"10*"0080*"090*"050*Cd0*"040*"0b0*"060*"0a0*"070*"0c0*"0e0*"020*"0f0*"030*Rc4050*)3000d002c0*"c4080*!80*"12000e00010*"010**1300f1ffc70*"30090*!40*"11001100120*"7009010*&110017001c0*"20080* a40*"12000e00490*"c0070* 580*"12000e00260*"c4050*(12000d00790**#6e"); [noack mode]
getpkt ("m55555400,100");  [no ack sent]
putpkt ("$0*"0020*"0a20*220*"03c0*"e0080*(120*"4e0*2220*"b60*"d0080*(120*"5d0*220*"0930*2220*"005f44594e414d49435f4c494e4b494e47005f5f524c445f4d4150005f5f6c6962635f6373755f696e6974005f5f6c6962635f6373755f66696e69005f5f6c6962635f73746172745f6d61696e005f5f676d6f6e5f73746172745f5f005f49544d5f64657265676973746572544d436c6f6e655461626c65005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f637861#13"); [noack mode]
getpkt ("m494d4100,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m500,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m635f6300,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m43494d00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m55555500,100");  [no ack sent]
putpkt ("$5f66696e616c697a65005f4a765f5265676973746572436c6173736573007072696e7466006c6962632e736f2e36005f494f5f737464696e5f7573656400474c4942435f322e3000474c4942435f322e320*'10001000100010001000100010*'30*"030*"020*"01000200bd0*"10*+1069690d0*!300d60*"10*"01269690d0*!200e0*;54090100030*"58090100030*"d8090100030*"02001c3cac839c2721e09903e0ffbd271000bcaf1c00bfaf5880828f04004010*%5880998f09f820030*"001c00bf8f0800e0032000bd27#3a"); [noack mode]
getpkt ("m69647400,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m900,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m414d5f00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m675f5f00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m5f5f0000,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m67657200,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m69676500,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m735f6300,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m735f6e00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m6c006600,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m72656400,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m69665f00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m2e6f7300,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m2e325f00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m55555600,100");  [no ack sent]
putpkt ("$2500e003010011040*%2001c3c64839c2721e09f0325f80* 1880848f0* a58f0400a627f8ff012424e8a103e0ffbd271c80878f2080888f1000a8af1400a2af1800bdaf5480998f09f820030*"00f* 0010*.2001c3c10839c2721e099032880848f2480828f7409842403004224231044000700422c050040146080998f030020130*%80020030*%800e0030*%2001c3ccc829c2721e099032880848f2480858f740984242328a40083280500c217050021284500432805000500a0104c80998f030020130*%80020030*%800e0030*%2001c3c80829c2721e09903e0ffbd27#a1"); [noack mode]
getpkt ("m18300,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m55555700,100");  [no ack sent]
putpkt ("$1800b0af2880908f1000bcaf1c00bfafe00902920d0040146480828f050040102c80828f6480998f09f820030* 448c1000bc8f3080998f60063927c8ff11040*%1000224e00902a21c00bf8f1800b08f0800e0032000bd2702001c3c14829c2721e099032880828fe0ffbd275c0944241000bcaf1c00bfaf0* 828c060040145080998f3080998f1c00bf8fa4063927c3ff00102000bd27faff20130*%9f820030*"00f6ff00101000bc8f0*52001c3cb0819c2721e099030d0005001c00bfaf1800beaf25f0a0031000bcaf3080828f400944245c80828f25c840* 9f820030*"001000dc8f2510*!#7a"); [noack mode]
getpkt ("m55555800,100");  [no ack sent]
putpkt ("$25e8c0031c00bf8f1800be8f2000bd270800e0030*52001c3c50819c2721e09903c8ffbd273480998f1000bcaf3000b5af25a8c0002c00b4af25a0a0002800b3af259880002400b2af1c00b0af3400bfaf59ff11042000b1af1000bc8f3880908f3c80928f23905002839012000900401225880*"00198e010031262530a0022528800209f8200325206002f9ff5116040010263400bf8f3000b58f2c00b48f2800b38f2400b28f2000b18f1c00b08f0800e0033800bd270800e0030*,1080998f2578e00309f820030d0018241080998f2578e00309f820030b0018240*<#b1"); [noack mode]
getpkt ("m55555900,100");  [no ack sent]
putpkt ("$02001c3c70809c2721e09903e0ffbd271000bcaf1c00bfaf1c00bf8f0800e0032000bd270*5100020*648656c6c6f2c20576f726c64210**5c070* f0060*v80c0070* 20080* c4080* 7409010*"0100d809010*&c4050* 540901005809010*Fe0080*(d0080*0d80901004743433a202844656269616e20362e332e302d31382b6465623975312920362e332e3020#ea"); [noack mode]
getpkt ("m55565a00,100");  [no ack sent]
putpkt ("$0*}0*}0*}0*}0*}0*7#c4"); [noack mode]
getpkt ("m1400,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m1f00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("k");  [no ack sent]

server: gdbserver
client: gdbclient

getpkt ("qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386");  [sending ack]
[sent ack]
putpkt ("$PacketSize=3fff;QPassSignals+;QProgramSignals+;qXfer:libraries-svr4:read+;augmented-libraries-svr4-read+;qXfer:auxv:read+;qXfer:spu:read+;qXfer:spu:write+;qXfer:siginfo:read+;qXfer:siginfo:write+;qXfer:features:read+;QStartNoAckMode+;qXfer:osdata:read+;multiprocess+;fork-events+;vfork-events+;exec-events+;QNonStop+;QDisableRandomization+;qXfer:threads:read+;BreakpointCommands+;QAgent+;swbreak+;hwbreak+;qXfer:exec-file:read+;vContSupported+;QThreadEvents+;no-resumed+#96"); [looking for ack]
[received '+' (0x2b)]
getpkt ("vMustReplyEmpty");  [sending ack]
[sent ack]
putpkt ("$#00"); [looking for ack]
[received '+' (0x2b)]
getpkt ("QStartNoAckMode");  [sending ack]
[sent ack]
[noack mode enabled]
putpkt ("$OK#9a"); [noack mode]
[getpkt: discarding char '+']
getpkt ("QProgramSignals:0;1;3;4;6;7;8;9;a;b;c;d;f;10;11;12;13;14;15;16;17;18;19;1a;1b;1c;1d;1e;1f;20;21;22;23;24;25;26;27;28;29;2a;2b;2c;2d;2e;2f;30;31;32;33;34;35;36;37;38;39;3a;3b;3c;3d;3e;3f;40;41;42;43;44;45;46;47;48;49;4a;4b;4c;4d;4e;4f;50;51;52;53;54;55;56;57;58;59;5a;5b;5c;5d;5e;5f;60;61;62;63;64;65;66;67;68;69;6a;6b;6c;6d;6e;6f;70;71;72;73;74;75;76;77;78;79;7a;7b;7c;7d;7e;7f;80;81;82;83;84;85;86;87;88;89;8a;8b;8c;8d;8e;8f;90;91;92;93;94;95;96;97;98;99;9a;");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("Hgp0.0");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qXfer:features:read:target.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2007-2016 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE target SYSTEM "gdb-target.dtd">
<target>
  <architecture>mips</architecture>
  <osabi>GNU/Linux</osabi>
  <xi:include href="mips-cpu.xml"/>
  <xi:include href="mips-cp0.xml"/>
  <xi:include href="mips-fpu.xml"/>

  <feature name="org.gnu.gdb.mips.linux">
 * <reg name="restart" bitsize="32" group="system"/>
  </feature>
</target>
#df"); [noack mode]
getpkt ("qXfer:features:read:mips-cpu.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2007-2016 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.mips.cpu">
  <reg name="r0" bitsize="32" regnum="0"/>
  <reg name="r1" bitsize="32"/>
  <reg name="r2" bitsize="32"/>
  <reg name="r3" bitsize="32"/>
  <reg name="r4" bitsize="32"/>
  <reg name="r5" bitsize="32"/>
  <reg name="r6" bitsize="32"/>
  <reg name="r7" bitsize="32"/>
  <reg name="r8" bitsize="32"/>
  <reg name="r9" bitsize="32"/>
  <reg name="r10" bitsize="32"/>
  <reg name="r11" bitsize="32"/>
  <reg name="r12" bitsize="32"/>
  <reg name="r13" bitsize="32"/>
  <reg name="r14" bitsize="32"/>
  <reg name="r15" bitsize="32"/>
  <reg name="r16" bitsize="32"/>
  <reg name="r17" bitsize="32"/>
  <reg name="r18" bitsize="32"/>
  <reg name="r19" bitsize="32"/>
  <reg name="r20" bitsize="32"/>
  <reg name="r21" bitsize="32"/>
  <reg name="r22" bitsize="32"/>
  <reg name="r23" bitsize="32"/>
  <reg name="r24" bitsize="32"/>
  <reg name="r25" bitsize="32"/>
  <reg name="r26" bitsize="32"/>
  <reg name="r27" bitsize="32"/>
  <reg name="r28" bitsize="32"/>
  <reg name="r29" bitsize="32"/>
  <reg name="r30" bitsize="32"/>
  <reg name="r31" bitsize="32"/>

  <reg name="lo" bitsize="32" regnum="33"/>
  <reg name="hi" bitsize="32" regnum="34"/>
  <reg name="pc" bitsize="32" regnum="37"/>
</feature>
#9e"); [noack mode]
getpkt ("qXfer:features:read:mips-cp0.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2007-2016 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.mips.cp0">
  <reg name="status" bitsize="32" regnum="32"/>
  <reg name="badvaddr" bitsize="32" regnum="35"/>
  <reg name="cause" bitsize="32" regnum="36"/>
</feature>
#f1"); [noack mode]
getpkt ("qXfer:features:read:mips-fpu.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2007-2016 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.mips.fpu">
  <reg name="f0" bitsize="32" type="ieee_single" regnum="38"/>
  <reg name="f1" bitsize="32" type="ieee_single"/>
  <reg name="f2" bitsize="32" type="ieee_single"/>
  <reg name="f3" bitsize="32" type="ieee_single"/>
  <reg name="f4" bitsize="32" type="ieee_single"/>
  <reg name="f5" bitsize="32" type="ieee_single"/>
  <reg name="f6" bitsize="32" type="ieee_single"/>
  <reg name="f7" bitsize="32" type="ieee_single"/>
  <reg name="f8" bitsize="32" type="ieee_single"/>
  <reg name="f9" bitsize="32" type="ieee_single"/>
  <reg name="f10" bitsize="32" type="ieee_single"/>
  <reg name="f11" bitsize="32" type="ieee_single"/>
  <reg name="f12" bitsize="32" type="ieee_single"/>
  <reg name="f13" bitsize="32" type="ieee_single"/>
  <reg name="f14" bitsize="32" type="ieee_single"/>
  <reg name="f15" bitsize="32" type="ieee_single"/>
  <reg name="f16" bitsize="32" type="ieee_single"/>
  <reg name="f17" bitsize="32" type="ieee_single"/>
  <reg name="f18" bitsize="32" type="ieee_single"/>
  <reg name="f19" bitsize="32" type="ieee_single"/>
  <reg name="f20" bitsize="32" type="ieee_single"/>
  <reg name="f21" bitsize="32" type="ieee_single"/>
  <reg name="f22" bitsize="32" type="ieee_single"/>
  <reg name="f23" bitsize="32" type="ieee_single"/>
  <reg name="f24" bitsize="32" type="ieee_single"/>
  <reg name="f25" bitsize="32" type="ieee_single"/>
  <reg name="f26" bitsize="32" type="ieee_single"/>
  <reg name="f27" bitsize="32" type="ieee_single"/>
  <reg name="f28" bitsize="32" type="ieee_single"/>
  <reg name="f29" bitsize="32" type="ieee_single"/>
  <reg name="f30" bitsize="32" type="ieee_single"/>
  <reg name="f31" bitsize="32" type="ieee_single"/>

  <reg name="fcsr" bitsize="32" group="float"/>
  <reg name="fir" bitsize="32" group="float"/>
</feature>
#dd"); [noack mode]
getpkt ("qXfer:auxv:read::0,1000");  [no ack sent]
putpkt ("$l!"); [noack mode]
getpkt ("QNonStop:0");  [no ack sent]
[all-stop mode enabled]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qTStatus");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("?");  [no ack sent]
putpkt ("$T051d:00e7ff7f;25:40ccfc77;#65"); [noack mode]
getpkt ("qXfer:threads:read::0,fff");  [no ack sent]
putpkt ("$l<threads>
<thread id="p39d.39d" core="0" name="mips32el_hello"/>
</threads>
#6e"); [noack mode]
getpkt ("qAttached:39d");  [no ack sent]
putpkt ("$0#30"); [noack mode]
getpkt ("Hc-1");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("qC");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("qOffsets");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("g");  [no ack sent]
putpkt ("$0*}0*Cdc9e1f77e01cca55885a2256785a225600f0cc5560cd1177c8d1cc550*Fe7ff7f487fd57f0*"0013a40* 78730200fc0*"54dbfc762000801040ccfc77f*}f*}f*Z0*&93730*&#9f"); [noack mode]
getpkt ("qXfer:auxv:read::0,1000");  [no ack sent]
putpkt ("$l!"); [noack mode]
getpkt ("m55555034,140");  [no ack sent]
putpkt ("$060*"340*"340*"340*"40010* 40010*!50*"040*"030*"74010* 74010* 74010*!d0*"0d0*"040*"010*"030* 70a8010* a8010* a8010* 180*"180*"040*"080*(70c0010* c0010* c0010* 180*"180*"040*"040*"010*:54090* 54090*!50*'100010*"54090* 5409010054090100880*"9c0*"060*'100020*"fc010* fc010* fc010* 18010* 18010*!40*"040*"040*"84010* 84010* 84010* 20*"020*"0040*"040*"040*"d8010* d8010* d8010* 240*"240*"040*"040*[40*"#cf"); [noack mode]
getpkt ("qXfer:libraries-svr4:read::0,fff");  [no ack sent]
putpkt ("$l<library-list-svr4 version="1.0"/>#e5"); [noack mode]
getpkt ("vFile:setfs:0");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("vFile:open:2f70726f632f3932352f7461736b2f3932352f6d617073,0,1c0");  [no ack sent]
putpkt ("$F5#7b"); [noack mode]
getpkt ("vFile:pread:5,3fff,0");  [no ack sent]
putpkt ("$F210;5*!000-5* 6000 r-xp 0*"00 08:01 1922 *" /home/xwings/mips32el_hello
55565000-55566000 rwxp 0*"00 08:01 1922 *" /home/xwings/mips32el_hello
77fcc000-77fef000 r-xp 0*"00 08:01 30051 *"/lib/mipsel-linux-gnu/ld-2.24.so
77ffc000-77ffd000 r--p 0*"00 00:00 0 *&[vvar]
77ffd000-77ffe000 r-xp 0*"00 00:00 0 *&[vdso]
77ffe000-780*" rwxp 00022000 08:01 30051 *"/lib/mipsel-linux-gnu/ld-2.24.so
7ffde000-7f* 000 rwxp 0*"00 00:00 0 *&[stack]
7f* 000-80*"0 rwxp 0*"00 00:00 0
#01"); [noack mode]
getpkt ("vFile:pread:5,3fff,210");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:close:5");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("vFile:setfs:39d");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("vFile:open:2f6c69622f6c642e736f2e31,0,0");  [no ack sent]
putpkt ("$F5#7b"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:pread:5,3fff,0");  [no ack sent]
putpkt ("$F3e36;�ELF☺☺☺"); [noack mode]
getpkt ("vFile:pread:5,3fff,257f0");  [no ack sent]
putpkt ("$F410;"); [noack mode]
getpkt ("vFile:pread:5,3fff,34");  [no ack sent]
putpkt ("$F3e35;♥"); [noack mode]
getpkt ("vFile:pread:5,3fff,256f4");  [no ack sent]
putpkt ("$F50c;"); [noack mode]
getpkt ("vFile:pread:5,3fff,188");  [no ack sent]
putpkt ("$F3e2e;♦"); [noack mode]
getpkt ("vFile:pread:5,3fff,256b0");  [no ack sent]
putpkt ("$F550;A☼"); [noack mode]
getpkt ("vFile:pread:5,3fff,0");  [no ack sent]
putpkt ("$F3e36;�ELF☺☺☺"); [noack mode]
getpkt ("vFile:pread:5,3fff,257f0");  [no ack sent]
putpkt ("$F410;"); [noack mode]
getpkt ("vFile:pread:5,3fff,34");  [no ack sent]
putpkt ("$F3e35;♥"); [noack mode]
getpkt ("vFile:pread:5,3fff,256f4");  [no ack sent]
putpkt ("$F50c;"); [noack mode]
getpkt ("vFile:pread:5,3fff,158");  [no ack sent]
putpkt ("$F3e31;"); [noack mode]
getpkt ("vFile:pread:5,3fff,256b0");  [no ack sent]
putpkt ("$F550;A☼"); [noack mode]
getpkt ("vFile:pread:5,3fff,0");  [no ack sent]
putpkt ("$F3e36;�ELF☺☺☺"); [noack mode]
getpkt ("vFile:pread:5,3fff,257f0");  [no ack sent]
putpkt ("$F410;"); [noack mode]
getpkt ("vFile:pread:5,3fff,34");  [no ack sent]
putpkt ("$F3e35;♥"); [noack mode]
getpkt ("vFile:pread:5,3fff,256f4");  [no ack sent]
putpkt ("$F50c;"); [noack mode]
getpkt ("vFile:pread:5,3fff,158");  [no ack sent]
putpkt ("$F3e31;"); [noack mode]
getpkt ("vFile:pread:5,3fff,256b0");  [no ack sent]
putpkt ("$F550;A☼"); [noack mode]
getpkt ("vFile:pread:5,3fff,0");  [no ack sent]
putpkt ("$F3e36;�ELF☺☺☺"); [noack mode]
getpkt ("qXfer:libraries-svr4:read::0,fff");  [no ack sent]
putpkt ("$l<library-list-svr4 version="1.0"/>#e5"); [noack mode]
getpkt ("vFile:open:2f6c69622f6c642e736f2e31,0,0");  [no ack sent]
putpkt ("$F6#7c"); [noack mode]
getpkt ("vFile:fstat:6");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:6");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:6");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:pread:6,3fff,0");  [no ack sent]
putpkt ("$F3e36;�ELF☺☺☺"); [noack mode]
getpkt ("vFile:pread:6,3fff,257f0");  [no ack sent]
putpkt ("$F410;"); [noack mode]
getpkt ("vFile:pread:6,3fff,34");  [no ack sent]
putpkt ("$F3e35;♥"); [noack mode]
getpkt ("vFile:pread:6,3fff,256f4");  [no ack sent]
putpkt ("$F50c;"); [noack mode]
getpkt ("vFile:pread:6,3fff,188");  [no ack sent]
putpkt ("$F3e2e;♦"); [noack mode]
getpkt ("vFile:pread:6,3fff,256b0");  [no ack sent]
putpkt ("$F550;A☼"); [noack mode]
getpkt ("vFile:pread:6,3fff,0");  [no ack sent]
putpkt ("$F3e36;�ELF☺☺☺"); [noack mode]
getpkt ("vFile:pread:6,3fff,257f0");  [no ack sent]
putpkt ("$F410;"); [noack mode]
getpkt ("vFile:pread:6,3fff,34");  [no ack sent]
putpkt ("$F3e35;♥"); [noack mode]
getpkt ("vFile:pread:6,3fff,256f4");  [no ack sent]
putpkt ("$F50c;"); [noack mode]
getpkt ("vFile:pread:6,3fff,158");  [no ack sent]
putpkt ("$F3e31;"); [noack mode]
getpkt ("vFile:pread:6,3fff,256b0");  [no ack sent]
putpkt ("$F550;A☼"); [noack mode]
getpkt ("vFile:pread:6,3fff,0");  [no ack sent]
putpkt ("$F3e36;�ELF☺☺☺"); [noack mode]
getpkt ("vFile:pread:6,3fff,257f0");  [no ack sent]
putpkt ("$F410;"); [noack mode]
getpkt ("vFile:pread:6,3fff,34");  [no ack sent]
putpkt ("$F3e35;♥"); [noack mode]
getpkt ("vFile:pread:6,3fff,256f4");  [no ack sent]
putpkt ("$F50c;"); [noack mode]
getpkt ("vFile:pread:6,3fff,158");  [no ack sent]
putpkt ("$F3e31;"); [noack mode]
getpkt ("vFile:pread:6,3fff,256b0");  [no ack sent]
putpkt ("$F550;A☼"); [noack mode]
getpkt ("vFile:pread:6,3fff,0");  [no ack sent]
putpkt ("$F3e36;�ELF☺☺☺"); [noack mode]
getpkt ("vFile:fstat:6");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:pread:6,3fff,256c0");  [no ack sent]
putpkt ("$F540;337113644432fe735558926aab9a861f9ef8b3.debug"); [noack mode]
getpkt ("vFile:open:2f6c69622f33333731313336343434333266653733353535383932366161623961383631663965663862332e6465627567,0,0");  [no ack sent]
putpkt ("$F-1,2#02"); [noack mode]
getpkt ("vFile:open:2f6c69622f2e64656275672f33333731313336343434333266653733353535383932366161623961383631663965663862332e6465627567,0,0");  [no ack sent]
putpkt ("$F-1,2#02"); [noack mode]
getpkt ("qSymbol::");  [no ack sent]
putpkt ("$qSymbol:6e70746c5f76657273696f6e#13"); [noack mode]
getpkt ("qSymbol::6e70746c5f76657273696f6e");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("vFile:pread:5,3fff,774");  [no ack sent]
putpkt ("$F3e02;☺"); [noack mode]
getpkt ("vFile:pread:5,3fff,564");  [no ack sent]
putpkt ("$F3e15;"); [noack mode]
getpkt ("vFile:pread:5,3fff,354");  [no ack sent]
putpkt ("$F3e1e;"); [noack mode]
getpkt ("m77fdea60,4");  [no ack sent]
putpkt ("$0800e003#c0"); [noack mode]
getpkt ("vFile:close:5");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("m77ffd000,34");  [no ack sent]
putpkt ("$7f454c460101010*/3000800010*"90020* 340*"5c0b0*!7100070340020* 70028000f000e00#d6"); [noack mode]
getpkt ("m77ffd034,e0");  [no ack sent]
putpkt ("$030* 7018010* 18010* 18010* 180*"180*"040*"080*(7030010* 30010* 30010* 180*"180*"040*"040*"010*:380a0* 380a0*!50*'100020*"60090* 60090* 60090* c80*"c80*"040*"040*"040*"48020* 48020* 48020* 3c0*"3c0*"040*"040*"50e574640*M40*[40*"#cf"); [noack mode]
getpkt ("m77ffd000,1000");  [no ack sent]
putpkt ("$7f454c460101010*/3000800010*"90020* 340*"5c0b0*!7100070340020* 70028000f000e00030* 7018010* 18010* 18010* 180*"180*"040*"080*(7030010* 30010* 30010* 180*"180*"040*"040*"010*:380a0* 380a0*!50*'100020*"60090* 60090* 60090* c80*"c80*"040*"040*"040*"48020* 48020* 48020* 3c0*"3c0*"040*"040*"50e574640*M40*[40*.200201010*q30*"050*"030*+40*;20*R18010*)30001003a0*21100f1ff010*"90020* d4010* 12000900150*"64040* ec040* 1200090* 5f5f7664736f5f67657474696d656f66646179005f5f7664736f5f636c6f636b5f67657474696d65006c696e75782d7664736f2e736f2e31004c494e55585f322e360*'2000200020*"0100010001000100a1bfee0d140*"1c0*"2a0*+10*"02000100f675ae03140**3a0*+60*"040**4c696e75780*"41090400040*"140*"030*"474e55001f509d2d761d32399c029e5cda4ef87d491a50c20*4f8ffbd2701000d2402000e240400bfaf020011040*"0058fdf* 0* e78f2138e70300f0e7240* b0af1800e88c010006315a00c0140*"002000e6904e00c010a7ff02245200cd10*!ec8c4e00ce142510*"4f0e68c00f0ea8c04f0e98cfcffc9140*"002800e98c2c00eb8c3000f98c234849012400f08c2330cb003400eb8c2b5049010800ef8c2330ca000c00f88c245029031c00e98c19005001243066011250*!10580*!2c8d0702780090021304f0121582b032b50ca00215878010610260121504b012000393140300a0006182a01043006022510c2000b1079000b1819001800e68cceffc8140*"002f0060102540*!65c40b3c9a3b063c00366b2500cacd3421304b00f* 69242b50c200211849012510c000faff6014010008252b30cd00f7ffc010*&a0080106210033cc3370200d34d632421400c011800430*"88ac1010*!8311020023104600040082ac0500a0102510*!3800e38c0* a3ac3c00e38c0400a3ac0400bf8f0* b08f0800e0030800bd27d7ff001025180* 3b100a7cb4ff00102530*!1800e88c01000631a4ffc010*%fbff0010*%9a3b063c00cac6342b304600ceffc010*%daff0010*%f8ffbd27010003240400bfaf020011040*"0088fbf* 0* e28f2110e2038600831000f0422402008328520060140500032438008310060003247c0083140400bf8f1800488c010003310d0160140*(438c0* a3ac0c00468c1c00448c0800438c40380600274804000438270106188300063086002518e300200084300b18c4000400a3ac1000468c1400478c1800438ceaff68140*%400a48c0* 
aa8c21388700c34704002b20e400211888002150ca002510e000e90060102530*!65c4093c9a3b043c0036292500ca8b3421204900f* 67242b4082002118070125108000faff60140100c6242b208b00f7ff80100400bf8f2130ca000400a2ac0800bd272510*"800e0030* a6ac1800488c01000331de0060140*(438c0* a3ac0c00468c1c00448c0800438c40380600274804000438270106188300063086002518e300200084300b18c4000400a3ac1800438cecff03150400bf8f2510*"800e0030800bd272c00801401000d2402000e2418004c8c01008331aa0060140*"0020004390250060100400bf8f0* 438c0* a3ac200043909f006d10*%74006e102530*!25380* 1800438cefff83150*"00b900e01025180* 65c4093c9a3b023c0036292500ca4a342110c900f* e4242b4046002138040125304000faffe014010063242b104a00f7ff4010*)a48c2510*"400bf8f0800bd270400a6ac211883000800e0030* a3ac0400bf8fa7ff02240800e0030800bd2701000a2402000b241800488c01000331800060140*"0020004390f5ff60100400bf8f0* 438c0* a3ac200043906c006a10*%1e006b1025180* 25380* 1000468c1400498c1800448cedff0415212023010* aa8c251080002b208900211887002150ca00890060102530*!65c4093c9a3b043c0036292500ca8b3421204900f* 67242b4082002118070125108000faff60140100c6242b208b00f7ff80100400bf8f86ff00102130ca0004f0438c00f0448c04f0468cfcff6614253880002800468c3000498c2c00448c24004e8c2330e60034004d8c2b38e6000c004c8c243026011c00498c232064000800438c1900ce00232087002420a4011230*!10380*!2688e70277009002118c3002138a70120002d312160ec002b3866002138ec000618230140200700063827010420c401251883000b18ed00bfff00100b380d0004f0438c00f0488c04f0448cfcff64140*"002800448c2c00498c30004a8c232004012400588c2318690034004b8c245044010800498c190058010c004f8c2b4004011c00448c23186800244063011250*!10580*!218187127c80400200098302140490121586b002b180a0121486f010630880021186900404003000638830004402803253006010b30f80069ff00100b3818003b10077cb7ff001025180* 3b10087cdaff001025180* 
18004c8c0100833154ff6010*%fbff0010*%1800488c010003317eff6010*%fbff0010*%9a3b043c00ca84342b20e40014ff80100400bf8f21ff00102130ca001800488c01000331f1fe6010*%fbff0010*%1800488c0100033120ff6010*%fbff0010*%9a3b023c00ca42342b10c20044ff4010*%51ff0010*!a48c9a3b043c00ca84342b20440074ff80100400bf8f07ff00102130ca00611002240c0*"171002240c0*"0e0*"2a0*"10*,40*"48010*!50*"c0010*!60*"70010*!a0*"440*"0b0*"10*"0030*"300a0*!10* 70010*"050* 70020*"060* 70*&a0* 70020*"110* 70050*"120* 70160*"130* 70050*"fcf* 6f10020* fdf* 6f020*"1e0*"020*"f0f* 6f04020*}0*=8090020*%180fcf*"0*-80*"1d0*"1f0*"64040*&80fcf*"0*-80*"1d0*"1f0*"50090*H1d0*"1f0*"58090*H1d0*"1f0*"4743433a202844656269616e20362e332e302d31382920362e332e302032303137303531360* 2e7368737472746162002e4d4950532e616269666c616773002e726567696e666f002e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f64002e6e6f7465002e74657874002e64796e616d6963002e676f74002e706472002e636f6d6d656e740*qb0*"2a0* 70020*"18010* 18010* 180*380*"180*"1a0*"060* 70020*"30010* 30010* 180*340*"180*"230*"050*"020*"48010* 48010* 280*"040*+40*"040*"290*"0b0*"020*"70010* 70010* 50*"0050*"020*"040*"10*"0310*"030*"020*"c0010* c0010* 440*310**390*"f*"6f020*"04020*!4020*!a0*"040*+20*"020*"460*"fdf* 6f020*"10020* 10020* 380*"050*"020*"040**550*"070*"020*"48020* 48020* 3c0*340**5b0*"010*"060*"90020* 90020* d0060*010*+610*"060*"020*"60090* 60090* c80*"050*+40*"080*"6a0*"010*"030* 10300a0* 300a0*!80*210*"0040*"6f0*"010*2380a0* 80*440**740*"010*"30*+b80a0* 260*310*"010*"010*"030*2de0a0* 7d0*310*}0*}0*}0*}0*}0*}0*}0*}0*}0*}0*}0*}0*6#15"); [noack mode]
getpkt ("qSymbol::");  [no ack sent]
putpkt ("$qSymbol:6e70746c5f76657273696f6e#13"); [noack mode]
getpkt ("qSymbol::6e70746c5f76657273696f6e");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qXfer:threads:read::0,fff");  [no ack sent]
putpkt ("$l<threads>
<thread id="p39d.39d" core="0" name="mips32el_hello"/>
</threads>
#6e"); [noack mode]
getpkt ("vFile:setfs:0");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("vFile:open:2f70726f632f3932352f6d617073,0,0");  [no ack sent]
putpkt ("$F5#7b"); [noack mode]
getpkt ("vFile:pread:5,3fff,0");  [no ack sent]
putpkt ("$F210;5*!000-5* 6000 r-xp 0*"00 08:01 1922 *" /home/xwings/mips32el_hello
55565000-55566000 rwxp 0*"00 08:01 1922 *" /home/xwings/mips32el_hello
77fcc000-77fef000 r-xp 0*"00 08:01 30051 *"/lib/mipsel-linux-gnu/ld-2.24.so
77ffc000-77ffd000 r--p 0*"00 00:00 0 *&[vvar]
77ffd000-77ffe000 r-xp 0*"00 00:00 0 *&[vdso]
77ffe000-780*" rwxp 00022000 08:01 30051 *"/lib/mipsel-linux-gnu/ld-2.24.so
7ffde000-7f* 000 rwxp 0*"00 00:00 0 *&[stack]
7f* 000-80*"0 rwxp 0*"00 00:00 0
#01"); [noack mode]
getpkt ("vFile:pread:5,3fff,210");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:close:5");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("m77fccc40,4");  [no ack sent]
putpkt ("$25c8e003#fa"); [noack mode]
getpkt ("m77fccc40,33");  [no ack sent]
putpkt ("$25c8e003010011040*%4001c3cb4a39c2721e09f0325f820031880848f108084af2520a003f0ffbd271c80888f7c0c08#75"); [noack mode]
getpkt ("m77fccc40,4");  [no ack sent]
putpkt ("$25c8e003#fa"); [noack mode]
getpkt ("m77fccc3c,4");  [no ack sent]
putpkt ("$0*"00#dc"); [noack mode]
getpkt ("m77fccc40,4");  [no ack sent]
putpkt ("$25c8e003#fa"); [noack mode]
getpkt ("m77fccc3c,4");  [no ack sent]
putpkt ("$0*"00#dc"); [noack mode]
getpkt ("vFile:pread:6,3fff,22a8c");  [no ack sent]
putpkt ("$F3174;►"); [noack mode]
getpkt ("m77fccc40,4");  [no ack sent]
putpkt ("$25c8e003#fa"); [noack mode]
getpkt ("m77fccc40,40");  [no ack sent]
putpkt ("$25c8e003010011040*%4001c3cb4a39c2721e09f0325f820031880848f108084af2520a003f0ffbd271c80888f7c0c0825010010050*"002340e803#08"); [noack mode]
getpkt ("m7fffe700,4");  [no ack sent]
putpkt ("$010*"#dd"); [noack mode]
getpkt ("m7fffe700,33");  [no ack sent]
putpkt ("$010*"04e8ff7f0*"0013e8ff7fcfedff7f04eeff7f15eeff7f27eeff7f33eeff7f44eeff7f56eeff7f79eeff7f8ceeff#fa"); [noack mode]
getpkt ("m7fffe700,4");  [no ack sent]
putpkt ("$010*"#dd"); [noack mode]
getpkt ("m7fffe700,33");  [no ack sent]
putpkt ("$010*"04e8ff7f0*"0013e8ff7fcfedff7f04eeff7f15eeff7f27eeff7f33eeff7f44eeff7f56eeff7f79eeff7f8ceeff#fa"); [noack mode]
getpkt ("m7fffe704,4");  [no ack sent]
putpkt ("$04e8ff7f#6a"); [noack mode]
getpkt ("m7fffe804,4");  [no ack sent]
putpkt ("$6d697073#da"); [noack mode]
getpkt ("m7fffe804,33");  [no ack sent]
putpkt ("$6d697073* 2656c5f68656c6c6f004c535f434f4c4f52533d72733d303a64693d30313b33343a6c6e3d30313b33363a6d683d#e5"); [noack mode]
getpkt ("m7fffe804,33");  [no ack sent]
putpkt ("$6d697073* 2656c5f68656c6c6f004c535f434f4c4f52533d72733d303a64693d30313b33343a6c6e3d30313b33363a6d683d#e5"); [noack mode]
getpkt ("m7fffe708,4");  [no ack sent]
putpkt ("$0*"00#dc"); [noack mode]
getpkt ("m7fffe708,33");  [no ack sent]
putpkt ("$0*"0013e8ff7fcfedff7f04eeff7f15eeff7f27eeff7f33eeff7f44eeff7f56eeff7f79eeff7f8ceeff7fa2eeff7fb6eeff#44"); [noack mode]
getpkt ("m7fffe70c,4");  [no ack sent]
putpkt ("$13e8ff7f#6a"); [noack mode]
getpkt ("m7fffe813,4");  [no ack sent]
putpkt ("$4c535f43#01"); [noack mode]
getpkt ("m7fffe813,33");  [no ack sent]
putpkt ("$4c535f434f4c4f52533d72733d303a64693d30313b33343a6c6e3d30313b33363a6d683d30303a70693d34303b3*!a736f3d#8b"); [noack mode]
getpkt ("m7fffe813,33");  [no ack sent]
putpkt ("$4c535f434f4c4f52533d72733d303a64693d30313b33343a6c6e3d30313b33363a6d683d30303a70693d34303b3*!a736f3d#8b"); [noack mode]
getpkt ("m7fffe710,4");  [no ack sent]
putpkt ("$cfedff7f#fb"); [noack mode]
getpkt ("m7fffedcf,4");  [no ack sent]
putpkt ("$5353485f#d7"); [noack mode]
getpkt ("m7fffedcf,33");  [no ack sent]
putpkt ("$5353485f434f4e4e454354494f4e3d31302e3235332e3235332e3235342034393239342031302e3235332e3235332e31312032#f0"); [noack mode]
getpkt ("m7fffedcf,33");  [no ack sent]
putpkt ("$5353485f434f4e4e454354494f4e3d31302e3235332e3235332e3235342034393239342031302e3235332e3235332e31312032#f0"); [noack mode]
getpkt ("m7fffe714,4");  [no ack sent]
putpkt ("$04eeff7f#97"); [noack mode]
getpkt ("m7fffee04,4");  [no ack sent]
putpkt ("$4c414e47#00"); [noack mode]
getpkt ("m7fffee04,33");  [no ack sent]
putpkt ("$4c414e473d656e5f53472e5554462d38005844475f53455353494f4e5f49443d633400555345523d7877696e6773005057443d#ba"); [noack mode]
getpkt ("m7fffee04,33");  [no ack sent]
putpkt ("$4c414e473d656e5f53472e5554462d38005844475f53455353494f4e5f49443d633400555345523d7877696e6773005057443d#ba"); [noack mode]
getpkt ("m7fffe718,4");  [no ack sent]
putpkt ("$15eeff7f#99"); [noack mode]
getpkt ("m7fffee15,4");  [no ack sent]
putpkt ("$5844475f#db"); [noack mode]
getpkt ("m7fffee15,33");  [no ack sent]
putpkt ("$5844475f53455353494f4e5f49443d633400555345523d7877696e6773005057443d2f686f6d652f7877696e677300484f4d45#de"); [noack mode]
getpkt ("m7fffee15,33");  [no ack sent]
putpkt ("$5844475f53455353494f4e5f49443d633400555345523d7877696e6773005057443d2f686f6d652f7877696e677300484f4d45#de"); [noack mode]
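The trace above is GDB's `set debug remote 1` output: every `getpkt`/`putpkt` line is a Remote Serial Protocol packet framed as `$payload#cc`, with `cc` a modulo-256 byte sum over the payload as sent (run-length encoded, with `X*n` meaning `X` repeated `ord(n) - 29` more times). The decoder below is an added example, not part of the issue or of Qiling's gdbserver; the packet strings it works on are copied from the log, and treating 0x7fffe700 as the entry-time stack pointer (argc, then argv pointers) is an assumption drawn from what the reads at that address contain.

```python
"""Decode GDB Remote Serial Protocol packets from a `set debug remote 1`
trace. Added example; not part of the issue or of Qiling. The packet
strings in STACK_READS are copied from the log above."""
import struct


def rsp_checksum(payload: bytes) -> int:
    """GDB's checksum: byte sum modulo 256 over the encoded payload."""
    return sum(payload) & 0xFF


def rsp_unframe(packet: str) -> str:
    """Strip the '$...#cc' framing and verify the checksum."""
    if len(packet) < 4 or packet[0] != "$" or packet[-3] != "#":
        raise ValueError("not a framed RSP packet: %r" % packet)
    payload = packet[1:-3]
    expected = int(packet[-2:], 16)
    actual = rsp_checksum(payload.encode("latin-1"))
    if actual != expected:
        raise ValueError("checksum mismatch: packet says %02x, computed %02x"
                         % (expected, actual))
    return payload


def rsp_rle_expand(payload: str) -> str:
    """Expand run-length encoding: 'X*n' repeats X another (ord(n) - 29)
    times, so '0*"' is six zeros and '3* ' is four threes."""
    out, prev, i = [], "", 0
    while i < len(payload):
        ch = payload[i]
        if ch == "*" and prev and i + 1 < len(payload):
            out.append(prev * (ord(payload[i + 1]) - 29))
            i += 2
        else:
            out.append(ch)
            prev = ch
            i += 1
    return "".join(out)


def decode_memory_reply(packet: str) -> bytes:
    """Reply to 'm<addr>,<len>': hex bytes, possibly run-length encoded."""
    return bytes.fromhex(rsp_rle_expand(rsp_unframe(packet)))


def decode_vfile_open(request: str) -> str:
    """'vFile:open:<hex path>,<flags>,<mode>' -> the path GDB asked for."""
    prefix = "vFile:open:"
    if not request.startswith(prefix):
        raise ValueError("not a vFile:open request")
    return bytes.fromhex(request[len(prefix):].split(",", 1)[0]).decode()


# Memory replies copied from the trace: argc, argv[0] and the first four
# bytes of the argv[0] string on the little-endian MIPS32 target.
STACK_READS = {
    0x7fffe700: '$010*"#dd',
    0x7fffe704: "$04e8ff7f#6a",
    0x7fffe804: "$6d697073#da",
}


def decode_startup_stack(reads: dict, sp: int = 0x7fffe700) -> tuple:
    """Interpret the reads as argc (at sp), argv[0] (at sp+4) and the string
    it points to. Assumes sp is the entry-time stack pointer."""
    def u32(addr):
        return struct.unpack("<I", decode_memory_reply(reads[addr]))[0]

    argc = u32(sp)
    argv0 = u32(sp + 4)
    name = decode_memory_reply(reads[argv0]).split(b"\0", 1)[0].decode()
    return argc, argv0, name


if __name__ == "__main__":
    print(decode_vfile_open("vFile:open:2f70726f632f3932352f6d617073,0,0"))
    print(decode_startup_stack(STACK_READS))
```

Checking the checksum over the encoded payload rather than the expanded one is the detail that matters when reading these logs by hand: `$0*"00#dc` sums to 0xdc as written, while the eight zeros it expands to would sum to 0x80.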

Problem with qiling

Hello, could you help me? I get an error when I try to run a crackme and I don't know what it means.
Output:
WARNING: Registry files format error[' File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/os/windows/registry.py", line 71, in init\n self.hklm['SAM'] = Registry.Registry(os.path.join(self.hive, 'SAM'))\n']
[+] Loading /home/bigger777/any/qiling/examples/rootfs/x86_windows/bin/ch15.exe to 0x400000
[+] PE entry point at 0x4014e0
[+] Initiate stack address at 0xfffdd000
[+] TEB addr is 0x6000
[+] PEB addr is 0x6044
[+] Loading /home/bigger777/any/qiling/examples/rootfs/x86_windows/dlls/kernel32.dll to 0x10000000
[+] Done with loading /home/bigger777/any/qiling/examples/rootfs/x86_windows/dlls/kernel32.dll
[+] Loading /home/bigger777/any/qiling/examples/rootfs/x86_windows/dlls/msvcrt.dll to 0x100d5000
[+] Done with loading /home/bigger777/any/qiling/examples/rootfs/x86_windows/dlls/msvcrt.dll
[+] Done with loading /home/bigger777/any/qiling/examples/rootfs/x86_windows/bin/ch15.exe
WARNING: Registry files format error[' File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/os/windows/registry.py", line 71, in init\n self.hklm['SAM'] = Registry.Registry(os.path.join(self.hive, 'SAM'))\n']
0x10015e60: GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffcfcc)
0x10023c00: GetCurrentProcessId() = 0x3e8
0x10011a60: GetCurrentThreadId() = 0x0
0x10023130: GetTickCount() = 0x30d40
0x10017f40: QueryPerformanceCounter(lpPerformanceCount = 0xffffcfc4) = 0x0
0x1013b4c0: _initterm(pfbegin = 0x40700c, pfend = 0x407018)
0x1013b4c0: _initterm(pfbegin = 0x407000, pfend = 0x407008)
0x10019ca0: SetUnhandledExceptionFilter(lpTopLevelExceptionFilter = 0x401520) = 0x4
0x10018f60: GetModuleHandleA(lpModuleName = "msvcrt.dll") = 0x100d5000
[!] 'hook_GetProcAddress' is not implemented

GetStringTypeA is not implemented

Hello,

Testing the example Easy_CrackMe.exe:
~/tools/qiling/examples$ python crackme_x86_windows_unpatch.py
Gives a:
GetStringTypeA is not implemented.

I had to copy the GetStringTypeExA function and rename it to GetStringTypeA in qiling/qiling/os/windows/dlls/kernel32.py to make it work.
I was wondering if there was an easier way that I may have missed.

commit e54bc5e
Author: chfl4gs [email protected]
Date: Thu Nov 28 20:28:55 2019 +0800

$ uname -a
Linux 5.0.0-32-generic #34~18.04.2-Ubuntu SMP Thu Oct 10 10:36:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Great tool though.
Cheers.

Collection of works, presentations, blogpost, etc for Qiling related projects

Official Youtube

Showcase

  • Emotet's embedded C2
  • dragonfly
  • pwnservice
  • Karton Unpacker
  • Qualcomm Sahara / Firehose Attack Client / Diag Tools
  • FileInsight-plugins
  • efi_fuzz
  • vacation3

Tutorial

  • Qiling Lab 01
  • Arm64 binary emulation using Qiling Framework

Papers

  • On the Effectiveness of Binary Emulation in Malware Classification
  • LoRaWAN’s Protocol Stacks: The Forgotten Targets at Risk
  • FIRMGUIDE: Boosting the Capability of Rehosting Embedded Linux Kernels through Model-Guided
    Kernel Execution
  • EDGE OF THE ART IN VULNERABILITY RESEARCH VERSION 4 OF 4
  • Dragonfly: next generation sandbox

Writeup

  • [Fuzzing] A temporary workaround for the CPU ISA level error when running the Qiling framework on an Ubuntu 22.04 rootfs
  • Unionware Writeup Part A [UnionCTF 2021]
  • Dynamic analysis of firmware components in IoT devices
  • [Original] A new method for emulating and debugging the Android Runtime environment
  • A Sneak Peek into Smart Contracts Reversing and Emulation
  • QILING: a binary emulation framework that is very useful for malware analysis
  • Reversing embedded device bootloader (U-Boot)
  • PancakeCon CTF "Crack" Challenge
  • TP-Link XDR-5430-V2 research notes - Chapter 1
  • Leveraging Qiling for Kport strings decryption
  • Decrypt configuration files like exactly how Huawei ONT does
  • Hunting IcedID and unpacking automation with Qiling
  • [Mal Series # 17] Binary Emulation with Qiling Framework
  • Automatic unpacking with Qiling framework
  • WINTERN 2020: IOT FIRMWARE ANALYSIS
  • Unpacking In-Memory Malware with Qiling
  • Qiling: A true instrumentable binary emulation framework
  • Playing with PE Files, Packers and Qiling Framework
  • Unpacking RAGNARLOCKER via emulation
  • Reproducing n-day vulnerabilities and writing N-day based fuzzer with Qiling
  • Emulated a Netgear router binary using qiling to reverse a backdoor
  • Using Qiling Framework to Unpack TA505 packed samples
  • [PT007] Simulating and hunting firmware vulnerabilities with Qiling
  • Decrypt Aisuru Bot Encoded Strings with Qiling Framework
  • Brute-Force Flareon2015 Challenge#2 with Qiling
  • Moving From Manual Reverse Engineering of UEFI Modules To Dynamic Emulation of UEFI Firmware
  • Qiling & Binary Emulation for automatic unpacking
  • [Original] Using the Qiling IDA plugin to decrypt Mirai malware data
  • Part II: Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework
  • Part I: Analyzing a buffer overflow in the DLINK DIR-645 with Qiling framework and Ghidra.
  • Automated dynamic import resolving using binary emulation
  • Using Qiling to resolve obfuscated import on windows
  • Dive deeper – Analyze real mode binaries like a Pro with Qiling Framework
  • Qiling For Malware Analysis: Part 1 and Part 2
  • PE Emulation With Code Coverage Using Qiling and Dragon Dance
  • Automated malware unpacking with binary emulation
  • ByteBandits CTF 2020 - Autobot
  • Qiling Scripting and Simple RE Task
  • Certego research at the HITB Security Conference:
  • EFI_DXE_Emulator: Qiling support in the works!
  • Several environment setups for multi-architecture binary fuzzing
  • Analysis of a malware sample exploiting the Microsoft Office Equation Editor vulnerability
  • Qiling Fuzzer
  • Csaw CtF

Media

Conference

Podcast

Youtube

qiling/os/fncc.py

  1. Clean up and move winapi elsewhere; this is an OS-neutral section
  2. x64 fastcall: the stack is cleared by the caller

Use python's logging module

We should move to Python's logging module. The module is thread-safe and offers a number of features, including log rotation and custom formatters.

got interrupt 0xd ???

A filename shorter than 14 characters causes the "got interrupt 0xd ???" error on the mips32el arch.

reproduce steps

  1. cp examples/rootfs/mips32el_linux/bin/mips32el_hello ./hello
  2. cat buggy.py
from qiling import *

def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs, output='debug')
    ql.run()

if __name__ == "__main__":
    my_sandbox(["./hello"], "examples/rootfs/mips32el_linux")
  3. python buggy.py
[+] load 0x4fef000 - 0x4fef954
[+] load 0x4fff954 - 0x4fff9dc
[+] mem_start: 0x0 mem_end: 0x11000
[+] interp is : examples/rootfs/mips32el_linux/lib/ld.so.1
[+] interp_mem_size is : 34000
brk(0x0)
[+] brk return(0x5000000)
mmap2(0x0, 8192, 0x3, 0x802, -1, 0)
[+] log mmap2 return addr : 0x7fbef000
[+] log mmap2 addr range  : 0x7fbef000 - 0x7fbf1000
[+] mmap_base is 0x7fbef000
uname(0x7ff3c754) = 0
access(/etc/ld.so.nohwcap, 0x0) = -1 
[!] No such file or directory
access(/etc/ld.so.preload, 0x4) = -1 
[!] No such file or directory
got interrupt 0xd ???
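The report ties the crash to the length of the file name. One thing that changes with that length is the initial process stack: the NUL-terminated argv/envp strings sit at the top, and everything placed below them moves as the strings grow. Whether that is the cause of this particular crash is not established by the report. As an added example (not Qiling's loader), the builder below lays out the argc/argv/envp/auxv vector the way execve does and aligns the entry stack pointer after accounting for the vector, so that sp stays aligned whatever the string lengths are. The stack addresses and the AT_PAGESZ entry are constructed; the 16-byte alignment is a parameter, not a claim about any particular ABI.

```python
"""Build a Linux-style initial process stack (argc, argv, envp, auxv) whose
entry stack pointer is aligned no matter how long the strings are.
Added example; not Qiling's loader. Addresses used below are constructed."""
import struct

AT_NULL = 0
AT_PAGESZ = 6


def build_initial_stack(stack_base, stack_top, argv, envp, auxv,
                        ptr_size=4, align=16, endian="<"):
    """Return (sp, image); image is a bytearray covering [stack_base, stack_top).

    Layout from the top down, as execve does it: NUL-terminated strings, then
    the pointer vector: argc, argv[0..], NULL, envp[0..], NULL, auxv pairs,
    (AT_NULL, 0). The vector is placed so that sp itself is aligned."""
    if ptr_size not in (4, 8):
        raise ValueError("ptr_size must be 4 or 8")
    fmt = endian + ("I" if ptr_size == 4 else "Q")
    image = bytearray(stack_top - stack_base)
    sp = stack_top

    def push(data):
        nonlocal sp
        sp -= len(data)
        if sp < stack_base:
            raise MemoryError("initial stack does not fit")
        image[sp - stack_base:sp - stack_base + len(data)] = data
        return sp

    # String area: its size, and hence where everything below it lands,
    # depends on the lengths of argv[0] and of the environment strings.
    argv_ptrs = [push(s.encode() + b"\0") for s in argv]
    envp_ptrs = [push(s.encode() + b"\0") for s in envp]

    vector = [len(argv), *argv_ptrs, 0, *envp_ptrs, 0]
    for key, value in auxv:
        vector += [key, value]
    vector += [AT_NULL, 0]
    vec = b"".join(struct.pack(fmt, v) for v in vector)

    # Align sp after subtracting the vector, not before: aligning the string
    # area instead leaves sp at a string-length-dependent offset.
    sp = (sp - len(vec)) & ~(align - 1)
    if sp < stack_base:
        raise MemoryError("initial stack does not fit")
    image[sp - stack_base:sp - stack_base + len(vec)] = vec
    return sp, image


def read_ptr(image, stack_base, addr, ptr_size=4, endian="<"):
    """Read one pointer-sized word from the image at guest address addr."""
    fmt = endian + ("I" if ptr_size == 4 else "Q")
    return struct.unpack_from(fmt, image, addr - stack_base)[0]


def read_cstring(image, stack_base, addr):
    """Read a NUL-terminated string from the image at guest address addr."""
    start = addr - stack_base
    return bytes(image[start:image.index(b"\0", start)]).decode()


if __name__ == "__main__":
    for name in ("./hello", "./mips32el_hello"):
        sp, img = build_initial_stack(0x7fffe000, 0x7ffff000, [name],
                                      ["LANG=C"], [(AT_PAGESZ, 4096)])
        print(f"{name:20} sp={sp:#010x} aligned={sp % 16 == 0}")
```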

Running windows crackme fails

When running via python3.7 in the examples directory I get:
qiling.exception.QlErrorFileNotFound: [!] Cannot find dll in rootfs/x86_windows\dlls\kernel32.dll

Error while Running Qiling in Windows

$ python hello_x86_linux.py
Traceback (most recent call last):
File "hello_x86_linux.py", line 14, in
from qiling import *
File "..\qiling\__init__.py", line 1, in
from .core import *
File "..\qiling\core.py", line 17, in
from qiling.os.posix.filestruct import *
File "..\qiling\os\posix\filestruct.py", line 14, in
import fcntl
ModuleNotFoundError: No module named 'fcntl'

ImportError: ERROR: fail to load the dynamic library.

pip3 install -e .
Obtaining file:///home/user/work/opt/qiling
Collecting capstone>=4.0.1 (from qiling==0.9)
  Downloading https://files.pythonhosted.org/packages/35/0c/74db5b9b9ed25d72869832865b7612658bd796cd02c26b1d567cbc9f0ab6/capstone-4.0.1-py2.py3-none-manylinux1_x86_64.whl (1.9MB)
     |████████████████████████████████| 1.9MB 3.2MB/s
Collecting keystone-engine>=0.9.1.post3 (from qiling==0.9)
  Downloading https://files.pythonhosted.org/packages/9a/fc/ed0d3f46921bfaa612d9e8ce8313f99f4149ecf6635659510220c994cb72/keystone-engine-0.9.1-3.tar.gz (2.8MB)
     |████████████████████████████████| 2.8MB 6.7MB/s
Collecting unicorn>=1.0.2rc1 (from qiling==0.9)
  Downloading https://files.pythonhosted.org/packages/40/ca/316207963eb550a890ca48d717c2c1c3e2e5cadcdc812d6102c4f5bcf8f3/unicorn-1.0.2rc1-py2.py3-none-manylinux1_x86_64.whl (8.1MB)
     |████████████████████████████████| 8.1MB 16.4MB/s
Collecting pefile>=2019.4.18 (from qiling==0.9)
Collecting python-registry>=1.3.1 (from qiling==0.9)
  Downloading https://files.pythonhosted.org/packages/f1/0f/2605f98bb9c7ef92f926fdf3295583363fe42fc6e8f64cf38b24a029e767/python_registry-1.3.1-py3-none-any.whl
Collecting future (from pefile>=2019.4.18->qiling==0.9)
  Downloading https://files.pythonhosted.org/packages/f6/85/c273089eb6efa5644c0a1382ea553554bc0d40e00a46d989ec67f123f8b5/future-0.18.0.tar.gz (830kB)
     |████████████████████████████████| 839kB 11.8MB/s
Collecting unicodecsv (from python-registry>=1.3.1->qiling==0.9)
  Downloading https://files.pythonhosted.org/packages/6f/a4/691ab63b17505a26096608cc309960b5a6bdf39e4ba1a793d5f9b1a53270/unicodecsv-0.14.1.tar.gz
Collecting enum-compat (from python-registry>=1.3.1->qiling==0.9)
  Downloading https://files.pythonhosted.org/packages/95/6e/26bdcba28b66126f66cf3e4cd03bcd63f7ae330d29ee68b1f6b623550bfa/enum-compat-0.0.2.tar.gz
Building wheels for collected packages: keystone-engine, future, unicodecsv, enum-compat
  Building wheel for keystone-engine (setup.py) ... done
  Created wheel for keystone-engine: filename=keystone_engine-0.9.1.post3-cp36-cp36m-linux_x86_64.whl size=1800659 sha256=2ffa06c5301c69ad6f7c04e6756af7855204c0e15a778ff9f94376734b574757
  Stored in directory: /home/user/.cache/pip/wheels/e9/40/c1/6ac6e82d6aa880cd8d492d95e59be376eb77015683b94ee934
  Building wheel for future (setup.py) ... done
  Created wheel for future: filename=future-0.18.0-cp36-none-any.whl size=490414 sha256=2b81a1dc0ee38feef14c2a9e9bcd8271b3186308c9dfa3b1d9e49ffc014869aa
  Stored in directory: /home/user/.cache/pip/wheels/2c/02/af/63eadc269fe686aa0aa9c38eee165ad5734cbf8b765cfeedaa
  Building wheel for unicodecsv (setup.py) ... done
  Created wheel for unicodecsv: filename=unicodecsv-0.14.1-cp36-none-any.whl size=10767 sha256=841650414e90d25583f068fdb46662d5c61f47c59285af82ca781eb54090ef96
  Stored in directory: /home/user/.cache/pip/wheels/a6/09/e9/e800279c98a0a8c94543f3de6c8a562f60e51363ed26e71283
  Building wheel for enum-compat (setup.py) ... done
  Created wheel for enum-compat: filename=enum_compat-0.0.2-cp36-none-any.whl size=1290 sha256=596b7ad6bb60fc1943c81d2fbfdcd97dd1cb47d164919d0455a8701f654b4963
  Stored in directory: /home/user/.cache/pip/wheels/b1/69/f4/229af6a49beece0f688c9c73d9188769b89e698361d21ce96a
Successfully built keystone-engine future unicodecsv enum-compat
Installing collected packages: capstone, keystone-engine, unicorn, future, pefile, unicodecsv, enum-compat, python-registry, qiling
  Running setup.py develop for qiling
Successfully installed capstone-4.0.1 enum-compat-0.0.2 future-0.18.0 keystone-engine-0.9.1.post3 pefile-2019.4.18 python-registry-1.3.1 qiling unicodecsv-0.14.1 unicorn-1.0.2rc1
(qiling) ✔ ~/work/opt/qiling [master|✔]
14:02 $ qlalr ^C
(qiling) ✘-INT ~/work/opt/qiling [master|✔]
14:04 $ ls -al
total 100
drwxrwxr-x 8 user user  4096 Oct 14 14:01 .
drwxrwxr-x 4 user user  4096 Oct 14 14:00 ..
-rw-rw-r-- 1 user user   233 Oct 14 14:00 AUTHORS.TXT
-rw-rw-r-- 1 user user 17992 Oct 14 14:00 COPYING
-rw-rw-r-- 1 user user   547 Oct 14 14:00 CREDITS.TXT
-rw-rw-r-- 1 user user   465 Oct 14 14:00 Dockerfile
drwxrwxr-x 2 user user  4096 Oct 14 14:00 docs
drwxrwxr-x 5 user user  4096 Oct 14 14:00 examples
drwxrwxr-x 8 user user  4096 Oct 14 14:00 .git
-rw-rw-r-- 1 user user   240 Oct 14 14:00 .gitignore
drwxrwxr-x 5 user user  4096 Oct 14 14:00 qiling
drwxrwxr-x 2 user user  4096 Oct 14 14:02 qiling.egg-info
-rwxrwxr-x 1 user user  7944 Oct 14 14:00 qltool
-rw-rw-r-- 1 user user  5962 Oct 14 14:00 README.md
-rw-rw-r-- 1 user user   104 Oct 14 14:00 requirements.txt
-rw-rw-r-- 1 user user  1696 Oct 14 14:00 setup.py
drwxrwxr-x 2 user user  4096 Oct 14 14:00 tests
-rw-rw-r-- 1 user user   694 Oct 14 14:00 TODO
-rw-rw-r-- 1 user user    79 Oct 14 14:00 .travis.yml
(qiling) ✔ ~/work/opt/qiling [master|✔]
14:04 $ ./qltool
Traceback (most recent call last):
  File "./qltool", line 15, in <module>
    from keystone import *
  File "/home/user/.virtualenvs/qiling/lib/python3.6/site-packages/keystone/__init__.py", line 4, in <module>
    from .keystone import Ks, ks_version, ks_arch_supported, version_bind, debug, KsError, __version__
  File "/home/user/.virtualenvs/qiling/lib/python3.6/site-packages/keystone/keystone.py", line 75, in <module>
    raise ImportError("ERROR: fail to load the dynamic library.")
ImportError: ERROR: fail to load the dynamic library.

This appears to be the same issue I've run into with keystone before...

keystone-engine/keystone#386

It looks like there's still not a solution for this, but it will likely cause headaches for your users if this is not addressed in some way.

For ref, the current solution I have is to link (or copy) the keystone.so file over manually after install into an appropriate library path.

64bit host emulate 32bit exception

Finally I have it installed OK now. When I emulate a MIPS ELF image, it does not seem OK.
The reason may be that my system is 64-bit and the target is 32-bit, but stat.st_ino is not a 32-bit value; it overflows.

[+] load 0x400000 - 0x405c60
[+] load 0x415fc8 - 0x41615f
[+] mem_start: 0x400000 mem_end: 0x417000
[+] interp is : Downloads/rootfs/lib/ld-uClibc.so.0
[+] interp_mem_size is : 18000
[+] interp_base is : 0x47ba000
[+] mmap_start is : 0x7fbef000
[+] Currently running pid is: 76384; tid is: 77384
[!] 0x47bdd24: syscall number = 0x10ca(4298) not implement
[+] log mmap - mmap(0x0, 4096, 0x3, 0x802, -1, 0)
[+] log mmap - return addr : 0x7fbef000
[+] log mmap - addr range : 0x7fbef000 - 0x7fbf0000
[+] log mmap - mapping needed
[+] mmap_base is 0x7fbef000
stat(/etc/ld.so.cache, 0x7ff3cad8) = -1
[!] stat() read/write fail
open(/lib/libubox.so, 0x0, 0x0) = 3
[+] File Found: /lib/libubox.so
[!] SYSCALL ERROR: ql_syscall_fstat
[+] Currently running pid is: 76384; tid is: 77384
Traceback (most recent call last):
File "PycharmProjects/dht/dht.py", line 12, in
my_sandbox(["Downloads/https/rootfs/mtd"], "/Users/fr0zenrain/Downloads/https/rootfs")
File "PycharmProjects/dht/dht.py", line 8, in my_sandbox
ql.run()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/qiling-0.9-py3.7.egg/qiling/core.py", line 210, in run
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/qiling-0.9-py3.7.egg/qiling/os/linux/mips32el.py", line 259, in runner
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/qiling-0.9-py3.7.egg/qiling/core.py", line 23, in wrapper
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/qiling-0.9-py3.7.egg/qiling/core.py", line 280, in _callback
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/qiling-0.9-py3.7.egg/qiling/os/linux/mips32el.py", line 39, in hook_syscall
qiling.exception.QlErrorExecutionStop: [!] got interrupt 0x14 ???

fstat_buf += ql.pack32(fstat_info.st_ino)

So can qiling run as a 32-bit platform? Thanks!
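The quoted line packs the host's st_ino into 32 bits, and a 64-bit host can hand out inode numbers that do not fit, so struct.pack fails in the middle of the fstat handler. The converter below is an added example, not Qiling's fstat implementation: it packs host stat fields at the guest's widths and either refuses with a clear error or, when told to, truncates and reports which fields it truncated. The field list and widths are assumptions for illustration, not any particular guest ABI's struct stat layout, and the two sample stat records are constructed.

```python
"""Pack host stat() fields at a 32-bit guest's widths, catching the overflow
behind the traceback above instead of letting struct.pack fail mid-syscall.
Added example; not Qiling's fstat code. The field list is an illustration,
not any particular guest ABI's struct stat layout."""
import struct
from collections import namedtuple

# Field widths in bytes for the guest. Assumed for illustration only.
GUEST32_FIELDS = (("st_dev", 4), ("st_ino", 4), ("st_mode", 4), ("st_nlink", 4),
                  ("st_uid", 4), ("st_gid", 4), ("st_rdev", 4), ("st_size", 4))

HostStat = namedtuple("HostStat", [name for name, _ in GUEST32_FIELDS])

# Constructed samples: a file on a small filesystem, and one on a large
# filesystem where the host hands out 64-bit inode numbers.
SAMPLE_SMALL_INO = HostStat(st_dev=0x801, st_ino=5, st_mode=0o100755, st_nlink=1,
                            st_uid=0, st_gid=0, st_rdev=0, st_size=1234)
SAMPLE_BIG_INO = SAMPLE_SMALL_INO._replace(st_ino=0x1_0000_0005)


class GuestFieldOverflow(OverflowError):
    """A host value does not fit the guest's field width."""


def pack_guest_stat(st, fields=GUEST32_FIELDS, truncate=False, endian="<"):
    """Return (packed_bytes, truncated_field_names).

    truncate=False raises GuestFieldOverflow naming the field: the guest then
    sees a failed syscall instead of wrong data.
    truncate=True masks the value to the field width and reports it, which a
    sandbox may choose knowingly; note that it makes distinct files whose
    inodes agree in the low 32 bits indistinguishable to the guest."""
    code = {1: "B", 2: "H", 4: "I", 8: "Q"}
    out, truncated = [], []
    for name, width in fields:
        value = getattr(st, name)
        limit = 1 << (8 * width)
        if not 0 <= value < limit:
            if not truncate:
                raise GuestFieldOverflow(
                    f"{name}={value:#x} does not fit in {width} bytes")
            value &= limit - 1
            truncated.append(name)
        out.append(struct.pack(endian + code[width], value))
    return b"".join(out), truncated


def unpack_guest_stat(packed, fields=GUEST32_FIELDS, endian="<"):
    """Inverse of pack_guest_stat, to see what the guest will read back."""
    code = {1: "B", 2: "H", 4: "I", 8: "Q"}
    result, off = {}, 0
    for name, width in fields:
        result[name] = struct.unpack_from(endian + code[width], packed, off)[0]
        off += width
    return result


if __name__ == "__main__":
    try:
        pack_guest_stat(SAMPLE_BIG_INO)
    except GuestFieldOverflow as err:
        print("strict:", err)
    packed, truncated = pack_guest_stat(SAMPLE_BIG_INO, truncate=True)
    print("truncated fields:", truncated, "->", unpack_guest_stat(packed))
```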

Typo in loader/elf.py

There is a typo in loader/elf.py

from qiling.exception improt *

Also forks are disabled so I can't send a pull request.

A question

Does qiling just implement many kinds of executable file loaders?

Cannot import the module

I'm using unicorn 1.0.2 and keystone 0.9.1_3 compiled from the latest source code from GitHub since I cannot get them from pip3.
I also changed the line "keystone-engine>=0.9.1.3" with "keystone-engine>=0.9.1_3" in requirements.txt.

root@test:~/qiling# python3 setup.py install
running install
running bdist_egg
running egg_info
writing qiling.egg-info/PKG-INFO
writing dependency_links to qiling.egg-info/dependency_links.txt
writing requirements to qiling.egg-info/requires.txt
writing top-level names to qiling.egg-info/top_level.txt
reading manifest file 'qiling.egg-info/SOURCES.txt'
writing manifest file 'qiling.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
warning: install_lib: 'build/lib' does not exist -- no Python modules to install

creating build/bdist.linux-x86_64/egg
creating build/bdist.linux-x86_64/egg/EGG-INFO
copying qiling.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying qiling.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying qiling.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying qiling.egg-info/requires.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying qiling.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
zip_safe flag not set; analyzing archive contents...
creating 'dist/qiling-0.9-py3.6.egg' and adding 'build/bdist.linux-x86_64/egg' to it
removing 'build/bdist.linux-x86_64/egg' (and everything under it)
Processing qiling-0.9-py3.6.egg
Removing /usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg
Copying qiling-0.9-py3.6.egg to /usr/local/lib/python3.6/dist-packages
qiling 0.9 is already the active version in easy-install.pth

Installed /usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg
Processing dependencies for qiling==0.9
Searching for capstone>=4.0.1
Reading https://pypi.python.org/simple/capstone/
Downloading https://files.pythonhosted.org/packages/35/0c/74db5b9b9ed25d72869832865b7612658bd796cd02c26b1d567cbc9f0ab6/capstone-4.0.1-py2.py3-none-manylinux1_x86_64.whl#sha256=dae578f97b24212fb97a5c833342e56c69e7fb71502187a0b51a4326381e4204
Best match: capstone 4.0.1
Processing capstone-4.0.1-py2.py3-none-manylinux1_x86_64.whl
Installing capstone-4.0.1-py2.py3-none-manylinux1_x86_64.whl to /usr/local/lib/python3.6/dist-packages
Adding capstone 4.0.1 to easy-install.pth file

Installed /usr/local/lib/python3.6/dist-packages/capstone-4.0.1-py3.6-linux-x86_64.egg
Searching for future
Reading https://pypi.python.org/simple/future/
Downloading https://files.pythonhosted.org/packages/90/52/e20466b85000a181e1e144fd8305caf2cf475e2f9674e797b222f8105f5f/future-0.17.1.tar.gz#sha256=67045236dcfd6816dc439556d009594abf643e5eb48992e36beac09c2ca659b8
Best match: future 0.17.1
Processing future-0.17.1.tar.gz
Writing /tmp/easy_install-tx7exrtq/future-0.17.1/setup.cfg
Running future-0.17.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-tx7exrtq/future-0.17.1/egg-dist-tmp-z2bjzxvr
warning: no files found matching '*.au' under directory 'tests'
warning: no files found matching '*.gif' under directory 'tests'
warning: no files found matching '*.txt' under directory 'tests'
zip_safe flag not set; analyzing archive contents...
future.backports.test.__pycache__.ssl_servers.cpython-36: module references __file__
future.backports.test.__pycache__.support.cpython-36: module references __file__
future.standard_library.__pycache__.__init__.cpython-36: module references __file__
future.standard_library.__pycache__.__init__.cpython-36: module references __path__
future.utils.__pycache__.__init__.cpython-36: module MAY be using inspect.stack
past.builtins.__pycache__.misc.cpython-36: module MAY be using inspect.stack
past.translation.__pycache__.__init__.cpython-36: module references __file__
past.translation.__pycache__.__init__.cpython-36: module references __path__
creating /usr/local/lib/python3.6/dist-packages/future-0.17.1-py3.6.egg
Extracting future-0.17.1-py3.6.egg to /usr/local/lib/python3.6/dist-packages
Adding future 0.17.1 to easy-install.pth file
Installing futurize script to /usr/local/bin
Installing pasteurize script to /usr/local/bin

Installed /usr/local/lib/python3.6/dist-packages/future-0.17.1-py3.6.egg
Searching for unicorn==1.0.2
Best match: unicorn 1.0.2
Processing unicorn-1.0.2-py3.6.egg
unicorn 1.0.2 is already the active version in easy-install.pth

Using /usr/local/lib/python3.6/dist-packages/unicorn-1.0.2-py3.6.egg
Searching for pefile==2019.4.18
Best match: pefile 2019.4.18
Processing pefile-2019.4.18-py3.6.egg
pefile 2019.4.18 is already the active version in easy-install.pth

Using /usr/local/lib/python3.6/dist-packages/pefile-2019.4.18-py3.6.egg
Searching for keystone-engine==0.9.1.post3
Best match: keystone-engine 0.9.1.post3
Adding keystone-engine 0.9.1.post3 to easy-install.pth file

Using /usr/local/lib/python3.6/dist-packages
Finished processing dependencies for qiling==0.9
root@test:/usr/local/lib/python3.6/dist-packages# pip3 list
DEPRECATION: The default format will switch to columns in the future. You can use --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under the [list] section) to disable this warning.
asn1crypto (0.24.0)
capstone (4.0.1)
command-not-found (0.3)
cryptography (2.1.4)
decorator (4.1.2)
distro-info (0.18)
future (0.17.1)
idna (2.6)
ipython (5.5.0)
ipython-genutils (0.2.0)
keyring (10.6.0)
keyrings.alt (3.0)
keystone-engine (0.9.1.post3)
language-selector (0.1)
netifaces (0.10.4)
pefile (2019.4.18)
pexpect (4.2.1)
pickleshare (0.7.4)
pip (9.0.1)
prompt-toolkit (1.0.15)
pycrypto (2.6.1)
Pygments (2.2.0)
pygobject (3.26.1)
python-apt (1.6.3)
pyxdg (0.25)
PyYAML (3.12)
qiling (0.9)
SecretStorage (2.3.1)
setuptools (39.0.1)
simplegeneric (0.8.1)
six (1.11.0)
traitlets (4.3.2)
ufw (0.35)
unicorn (1.0.2)
wcwidth (0.1.7)
wheel (0.30.0)

The installation seems fine. However, when I tried to use qiling in ipython:

root@test:~/qiling# ipython3
Python 3.6.8 (default, Jan 14 2019, 11:02:34) 
Type "copyright", "credits" or "license" for more information.

IPython 5.5.0 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: from qiling import *
---------------------------------------------------------------------------
ModuleNotFoundError                       Traceback (most recent call last)
<ipython-input-1-137f039783d3> in <module>()
----> 1 from qiling import *

ModuleNotFoundError: No module named 'qiling'

In [2]: 

I cannot import the module. I've tried this on ubuntu 18.04/python 3.6.8, mojave 10.14.5/python 3.7.2 and archlinux/python 3.7.4, and none of them work. I can't import qiling in python3, either.

having trouble when I was simulating a firmware

Firmware:Netgear R6220-V1.1.0.86.img
import sys
from qiling import *

def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs, output="debug", stdin = sys.stdin, stdout = sys.stdout, stderr = sys.stderr, log_file = 'logfile', separate_log_file = True, consolelog = True)
    ql.root = False
    ql.add_fs_mapper('/proc', '/proc')
    ql.run()

if __name__ == "__main__":
    my_sandbox(["rootfs/netgear_r6220/bin/mini_httpd","-d","/www","-r","NETGEAR R6220","-c","**.cgi","-t","300"], "rootfs/netgear_r6220")


Call for Alpha testers

We are currently in Alpha test phase, that will be followed by public beta release.

This is a call for testers: please email your short introduction, with your github ID, to [email protected] for shortlisting.

Evaluation will be based on your open source participation.


NOTE: at the moment we have not published Qiling code yet, so do not try to install with setup.py.

Windows Exceptions (SEH stack x86 + section based x64)

Relative to packer analysis, where SEH and exceptions are used a lot to throw off analysis:

Is there any current support for x86 SEH handlers registered at fs:[0] (TIB start) when an exception occurs in the code, or do we have to propagate the call with hooks? Also for vectored exception handling, but that is an API call so it's kind of a mix. Note from the Wiki about VEH (vectored exception handling):

VEH does not replace Structured Exception Handling (SEH), rather VEH and SEH coexist, with VEH handlers having priority over SEH handlers.

Same question regarding the .pdata section and exception mechanisms on x86-64.

x86:
https://docs.microsoft.com/en-us/windows/win32/debug/structured-exception-handling
https://en.wikipedia.org/wiki/Win32_Thread_Information_Block
https://en.wikipedia.org/wiki/Microsoft-specific_exception_handling_mechanisms#SEH

x64:
https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=vs-2019
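Both mechanisms the question asks about are plain data structures an emulator can walk. On x86, fs:[0] points at a singly linked list of EXCEPTION_REGISTRATION_RECORD {Next, Handler} ending in 0xFFFFFFFF; on x64, .pdata is a sorted array of RUNTIME_FUNCTION {BeginAddress, EndAddress, UnwindInfoAddress} RVAs looked up by the faulting RIP. The code below is an added example, not Qiling's exception support: a chain walker that refuses loops and over-long chains (the kind of malformed chain a packer might plant) and a binary search over .pdata. The memory image, the fs base and the .pdata contents are constructed.

```python
"""Walk an x86 SEH registration chain from memory and look up the x64
RUNTIME_FUNCTION entry for an address in .pdata. Added example; not Qiling
code. The memory image and .pdata contents are constructed."""
import struct

SEH_CHAIN_END = 0xFFFFFFFF  # Next pointer of the last EXCEPTION_REGISTRATION_RECORD


def walk_seh_chain(read32, fs0, max_depth=64):
    """Follow fs:[0] -> EXCEPTION_REGISTRATION_RECORD {Next, Handler} links.

    read32(addr) returns the dword at addr. Stops at the 0xFFFFFFFF sentinel
    and refuses loops and over-long chains, which naive walkers can be
    trapped by. Returns [(record_addr, handler), ...] innermost first."""
    chain, seen = [], set()
    rec = read32(fs0)
    while rec != SEH_CHAIN_END:
        if rec in seen:
            raise ValueError(f"SEH chain loops back to {rec:#x}")
        if len(chain) >= max_depth:
            raise ValueError("SEH chain longer than max_depth")
        seen.add(rec)
        nxt, handler = read32(rec), read32(rec + 4)
        chain.append((rec, handler))
        rec = nxt
    return chain


# RUNTIME_FUNCTION on x64: three DWORD RVAs, sorted by BeginAddress.
RUNTIME_FUNCTION = struct.Struct("<III")


def find_runtime_function(pdata, rva):
    """Binary-search .pdata for the entry covering rva.

    Returns (BeginAddress, EndAddress, UnwindInfoAddress), or None when rva
    lies in no function (the unwinder then treats the frame as a leaf)."""
    lo, hi = 0, len(pdata) // RUNTIME_FUNCTION.size
    while lo < hi:
        mid = (lo + hi) // 2
        begin, end, unwind = RUNTIME_FUNCTION.unpack_from(
            pdata, mid * RUNTIME_FUNCTION.size)
        if rva < begin:
            hi = mid
        elif rva >= end:
            lo = mid + 1
        else:
            return begin, end, unwind
    return None


def make_sample_memory():
    """Constructed 32-bit image: TIB at 0x7ffdf000 (fs base) and two SEH
    records on the stack, the outer one being the default handler frame."""
    mem = {}
    mem[0x7ffdf000] = 0x0019ff78       # fs:[0] -> innermost record
    mem[0x0019ff78] = 0x0019ffc4       # .Next
    mem[0x0019ff7c] = 0x00401520       # .Handler (inner, in the image)
    mem[0x0019ffc4] = SEH_CHAIN_END    # .Next = end of chain
    mem[0x0019ffc8] = 0x77e45a6c       # .Handler (outer; address constructed)
    return mem


def make_sample_pdata():
    """Constructed .pdata with three functions, sorted by BeginAddress."""
    entries = [(0x1000, 0x1040, 0x3000), (0x1040, 0x10a0, 0x300c),
               (0x1100, 0x1180, 0x3018)]
    return b"".join(RUNTIME_FUNCTION.pack(*e) for e in entries)


if __name__ == "__main__":
    mem = make_sample_memory()
    for rec, handler in walk_seh_chain(mem.__getitem__, 0x7ffdf000):
        print(f"record {rec:#010x} handler {handler:#010x}")
    print(find_runtime_function(make_sample_pdata(), 0x1050))
```

In an emulator the `read32` argument would be the guest memory reader and `fs0` the TIB address the loader set up; on x64 the same lookup is the first step of dispatching a fault to the language-specific handler named by UnwindInfo.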

Qiling.hook_address() signature changed

In the second example of the readme, there is one line of code:

ql.hook_address(0x00401016, force_call_dialog_func)

I tried to run it but it fails. I troubleshot it and found the correct code should be:

ql.hook_address(force_call_dialog_func, 0x00401016)

And it then runs without any problem. You had better either change the function signature or update the readme.

However, I have to say the readme version is better and the one in the actual code is less intuitive.

Best output structure for windows connect function

I PoC'd the following hook for the connect function which will also extract and print the IP address and Port from the sockaddr structure:

# int WSAAPI connect(
#  SOCKET         s,
#  const sockaddr *name,
#  int            namelen
# );

@winapi(cc=STDCALL, params={"s": INT, "name": POINTER, "namelen": INT})
def hook_connect(ql, address, params):
    port = ql.mem_read(params["name"] + 2, 2)
    address = ql.mem_read(params["name"] + 4, 4)
    print("Connecting to port: " + str(int.from_bytes(port, byteorder="big")))
    print("Connecting to address: " + ".".join([str(octet) for octet in address]))
    return 0

This results in the following output when running:

0x100d4ed0: VirtualAlloc(lpAddress = 0x0, dwSize = 0x155, flAllocationType = 0x1000, flProtect = 0x40) = 0x5024be4
0x100e1990: LoadLibraryA(lpLibFileName = "ws2_32") = 0x10215000
0x1021dce0: WSAStartup(wVersionRequired = 0x190, LPWSADATA = "") = 0x0
0x1022bbd0: WSASocketA(af = 0x2, type = 0x1, protocol = 0x0, lpProtocolInfo = 0x0, g = 0x0, dwFlags = 0x0) = 0x0
Connecting to port: 1234
Connecting to address: 111.222.111.11
0x10229de0: connect(s = 0x0, name = 0xffffce4c, namelen = 0x10) = 0x0
0x1021f710: recv(s = 0x0, buf = 0xffffce4c, len = 0x4, flags = 0x0) = 0x0
0x10222340: closesocket(s = 0x0) = 0x0

Extracting and printing the port and address is useful for malware analysis as it allows the user to see the data which is passed to the connect function via the sockaddr structure.

Would you be happy with this format in a pull request, or would you prefer to not be printing from memory addresses by default, and instead let the user do this at their end?
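A decoder for the sockaddr buffer that checks sa_family before interpreting the bytes, as an added example (not code from the issue or from Qiling); it generalizes the hook above to IPv6 and to truncated or odd-length buffers. The mem_read callable and the sample buffers are constructed stand-ins for emulated memory.

```python
import ipaddress
import struct

# Windows address-family constants (winsock2.h).
AF_INET = 2
AF_INET6 = 23


def parse_sockaddr(raw: bytes) -> dict:
    """Decode a sockaddr buffer as passed to connect().

    sa_family is a 16-bit value in host byte order (little-endian on x86);
    the port and the address are in network byte order. Raises ValueError
    for truncated buffers or families this helper does not handle, so the
    caller can log the problem instead of printing garbage.
    """
    if len(raw) < 2:
        raise ValueError("sockaddr too short for sa_family")
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_INET:
        # struct sockaddr_in: family(2) port(2) addr(4) zero(8)
        if len(raw) < 8:
            raise ValueError("sockaddr_in too short")
        port = struct.unpack_from(">H", raw, 2)[0]
        ip = ipaddress.IPv4Address(raw[4:8])
    elif family == AF_INET6:
        # struct sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
        if len(raw) < 24:
            raise ValueError("sockaddr_in6 too short")
        port = struct.unpack_from(">H", raw, 2)[0]
        ip = ipaddress.IPv6Address(raw[8:24])
    else:
        raise ValueError(f"unsupported address family {family}")
    return {"family": family, "ip": str(ip), "port": port}


def describe_connect(mem_read, name_ptr: int, namelen: int) -> str:
    """Build the log line for one connect() call.

    mem_read(addr, size) is whatever reads emulated memory; inside a Qiling
    hook that is ql.mem_read on the release used in the issue. The read is
    bounded by namelen (capped at the largest layout decoded here) so a bogus
    pointer or length cannot over-read emulated memory.
    """
    size = max(0, min(namelen, 28))
    raw = bytes(mem_read(name_ptr, size))
    try:
        sa = parse_sockaddr(raw)
    except ValueError as exc:
        return f"connect(name={name_ptr:#x}, namelen={namelen}): {exc}"
    return f"connect(name={name_ptr:#x}): {sa['ip']}:{sa['port']}"


def fake_mem_read(buffers: dict):
    """Return a mem_read(addr, size) callable over {base_addr: bytes},
    standing in for the emulator when exercising the parser offline."""
    def _read(addr: int, size: int) -> bytes:
        for base, data in buffers.items():
            if base <= addr < base + len(data):
                off = addr - base
                return data[off:off + size]
        raise KeyError(f"unmapped address {addr:#x}")
    return _read


# Constructed sample buffers (not captured from the sample in the issue);
# the IPv4 one reproduces the 111.222.111.11:1234 case from the output above.
SAMPLE_INET = (struct.pack("<H", AF_INET) + struct.pack(">H", 1234)
               + bytes([111, 222, 111, 11]) + b"\0" * 8)
SAMPLE_INET6 = (struct.pack("<H", AF_INET6) + struct.pack(">H", 443)
                + b"\0" * 4 + ipaddress.IPv6Address("2001:db8::1").packed
                + b"\0" * 4)

if __name__ == "__main__":
    # 0x00410000 is a constructed address for the IPv6 buffer.
    read = fake_mem_read({0xffffce4c: SAMPLE_INET, 0x00410000: SAMPLE_INET6})
    print(describe_connect(read, 0xffffce4c, 0x10))
    print(describe_connect(read, 0x00410000, 28))
    print(describe_connect(read, 0xffffce4c, 0))
```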

can't pass arg to command line tools

In core.py, I think self.argv is written by self.filename and the args are lost.
For example:

ql = Qiling(["rootfs/arm_linux/bin/aa"], "rootfs/arm_linux", argv=["rootfs/arm_linux/bin/aa", "666666666"])

# excerpt from core.py
if self.rootfs and self.shellcoder == None:
    if (os.path.exists(str(self.filename[0])) and os.path.exists(self.rootfs)):
        self.path = (str(self.filename[0]))
        if self.ostype == None or self.arch == None:
            self.arch, self.ostype = ql_checkostype(self.path)
        tmp = self.argv
        print(self.filename)
        self.argv[0] = self.filename[0]
        print(self.argv)

MacOS can not install

On macOS, the win32 script was called, so the install failed.

...
Processing dependencies for qiling==0.9
Searching for unicorn>=1.0.2rc1
Reading https://pypi.org/simple/unicorn/
Downloading https://files.pythonhosted.org/packages/c5/7c/503af471bb35d5ac29df57af2d4f65bd2eafed15bcadfb3766ac65c59eb6/unicorn-1.0.2rc1.tar.gz#sha256=6bda96ee35217fff50af55ba95cb76a601f927f056d9502e61510d4bc29a209d
Best match: unicorn 1.0.2rc1
Processing unicorn-1.0.2rc1.tar.gz
Writing /tmp/easy_install-Q8QFQm/unicorn-1.0.2rc1/setup.cfg
Running unicorn-1.0.2rc1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-Q8QFQm/unicorn-1.0.2rc1/egg-dist-tmp-0OuVVs
/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/setuptools/dist.py:472: UserWarning: Normalizing '1.0.2.rc1' to '1.0.2rc1'
normalized_version,
Microsoft (R) Build Engine version 16.1.85+gad9c9926a7 for Mono
Copyright (C) Microsoft Corporation. All rights reserved.

Syntax: MSBuild.exe [options] [project file | directory]
...

PE loader needs to process relocations

Consider the reloaderd sample (from this year's FlareOn): this crashes the loader, as it tries to directly map the PE at a location that is intentionally defined to mess with loaders. The PE loading mechanism should consider using relocations if the image base is just too high to work.
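An added example (not Qiling's loader code) of the relocation step the loader is missing: pick a load base when the preferred one does not fit, then walk the .reloc directory and shift every absolute address by the resulting delta. The image, bases and address limit are constructed values, not taken from the FlareOn sample.

```python
import struct

# Base relocation types from the PE/COFF spec (winnt.h).
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address


def choose_load_base(preferred_base: int, image_size: int, address_limit: int,
                     fallback_base: int) -> tuple:
    """Decide where to map the image. Returns (base, delta): delta is 0 when
    the preferred base fits below address_limit, otherwise the image goes to
    fallback_base and delta is what every absolute address must shift by
    (possibly negative)."""
    if preferred_base + image_size <= address_limit:
        return preferred_base, 0
    return fallback_base, fallback_base - preferred_base


def apply_base_relocations(image: bytearray, reloc_rva: int, reloc_size: int,
                           delta: int) -> int:
    """Walk the IMAGE_BASE_RELOCATION blocks of an image laid out at its RVAs
    and add delta to every HIGHLOW/DIR64 target. Returns the number of
    fixups applied; raises ValueError on malformed blocks or targets outside
    the image rather than writing out of bounds."""
    if delta == 0:
        return 0
    applied = 0
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError(f"malformed relocation block at rva {pos:#x}")
        for i in range((block_size - 8) // 2):
            entry = struct.unpack_from("<H", image, pos + 8 + 2 * i)[0]
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                fmt, mask = "<I", 0xFFFFFFFF
            elif rtype == IMAGE_REL_BASED_DIR64:
                fmt, mask = "<Q", 0xFFFFFFFFFFFFFFFF
            else:
                raise ValueError(f"unsupported relocation type {rtype}")
            if target + struct.calcsize(fmt) > len(image):
                raise ValueError(f"relocation target {target:#x} outside image")
            value = struct.unpack_from(fmt, image, target)[0]
            struct.pack_into(fmt, image, target, (value + delta) & mask)
            applied += 1
        pos += block_size
    return applied


def read_u32(image: bytearray, rva: int) -> int:
    """Little-endian 32-bit read, used to inspect fixed-up pointers."""
    return struct.unpack_from("<I", image, rva)[0]


def build_sample_image() -> tuple:
    """Constructed 32-bit image (not the FlareOn sample) with a deliberately
    high preferred base of 0x7FFF0000, two absolute pointers in the page at
    RVA 0x1000 and one .reloc block at RVA 0x2000 describing them.
    Returns (image, preferred_base, reloc_rva, reloc_size)."""
    preferred = 0x7FFF0000
    image = bytearray(0x3000)
    struct.pack_into("<I", image, 0x1010, preferred + 0x1234)  # pointer into code
    struct.pack_into("<I", image, 0x1020, preferred + 0x2000)  # pointer into data
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020,
               IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_ABSOLUTE]  # pad block to 4-byte multiple
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries))
    block += struct.pack("<%dH" % len(entries), *entries)
    image[0x2000:0x2000 + len(block)] = block
    return image, preferred, 0x2000, len(block)


if __name__ == "__main__":
    image, preferred, reloc_rva, reloc_size = build_sample_image()
    # 0x7FFE0000 stands in for the top of usable user space; 0x10000000 is
    # the constructed fallback base.
    base, delta = choose_load_base(preferred, len(image), 0x7FFE0000, 0x10000000)
    n = apply_base_relocations(image, reloc_rva, reloc_size, delta)
    print(f"mapped at {base:#x}, delta {delta:#x}, {n} fixups applied")
    print(hex(read_u32(image, 0x1010)))  # 0x10001234
```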

ql.nprint issue

There is a bug running netgear firmware.

This only exists when
ql.multithread = False
We need to fix it. @ucgJhe

  File "../qiling/os/linux/mips32el.py", line 56, in hook_syscall
    LINUX_SYSCALL_FUNC(ql, param0, param1, param2, param3, param4, param5)
  File "../qiling/os/posix/syscall.py", line 1163, in ql_syscall_vfork
    ql.nprint("vfork() = %d" % regreturn)
  File "../qiling/core.py", line 222, in nprint
    fd.info(*args, **kw)
AttributeError: '_io.TextIOWrapper' object has no attribute 'info'

Emulating/hooking scanf

My test binary (Win x86) uses vfscanf.
I receive
[!] 'hook___stdio_common_vfscanf' is not implemented.

Can I simply ignore the hook and emulate the dlls' scanf somehow?

For a hook, I've started googling around and it seems there are a few implementations.
There is a MIT licensed package here:
https://pypi.org/project/scanf/
and some code that could be used as well:
http://code.activestate.com/recipes/502213-simple-scanf-implementation/
What would be the best way to implement this?

I would suggest starting out by adding test cases for cases like this, then building the hook (?)

Error running linux ping binary

I was trying to run the ping binary in qiling; the code is as follows:

from qiling import Qiling
from qiling.os.posix.syscall import ql_syscall_socket, ql_syscall_connect

# my_syscall_* are custom handlers defined elsewhere in the script (not shown in the issue)
ql = Qiling(filename=["/bin/ping", '-4', 'google.com'], rootfs="/", output=3)
ql.debug_stop = True
ql.set_syscall(125, my_syscall_capget)
ql.set_syscall(126, my_syscall_capset)
ql.set_syscall(157, my_syscall_prctl)
ql.set_syscall(105, my_syscall_setuid)
ql.set_syscall(32, my_syscall_dup)
ql.set_syscall(0x29, my_syscall_socket)
ql.set_syscall(0x2a, ql_syscall_connect)
ql.run()

Interestingly, ql_syscall_connect is not implemented on the Linux x86_64 system. Was it intentional?
Below is the crash I am getting:

[!] SYSCALL ERROR:  ql_syscall_connect
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/x8664.py", line 48, in hook_syscall
    LINUX_SYSCALL_FUNC(ql, param0, param1, param2, param3, param4, param5)
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/posix/syscall.py", line 1291, in ql_syscall_connect
    if s.socket.family == AF_UNIX:
AttributeError: 'ql_file' object has no attribute 'socket'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "qiling_test.py", line 56, in <module>
    ql.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/core.py", line 215, in run
    runner(self)
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/x8664.py", line 124, in runner
    raise ql.internal_exception
  File "/usr/local/lib/python3.6/dist-packages/qiling/core.py", line 23, in wrapper
    return func(*args, **kw)
  File "/usr/local/lib/python3.6/dist-packages/qiling/core.py", line 450, in _callback_x86_syscall
    callback(self)
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/x8664.py", line 56, in hook_syscall
    raise QlErrorSyscallError("[!] Syscall Implementation Error: %s" % (LINUX_SYSCALL_FUNC_NAME))
qiling.exception.QlErrorSyscallError: [!] Syscall Implementation Error: ql_syscall_connect

My system configuration is Linux.

If someone guides me I can fix it and share a pull request.

Thank you

Comply with GNU Debugger's GDB Server or Simple qemu-gdbserver

As of now we stick to the qemu-gdbserver standard. Most of the binaries we need to manually rebase.

This is how we can dump the output between gdbserver and its client. To make things simpler, we disable threads and vCont.

There are some missing non-printable chars, so I attached a proper tcpdump file.

ida-gdbserver.zip

gdbserver --remote-debug  --disable-packet=threads,vCont 0.0.0.0:9999 rootfs/x8664_linux/bin/mybinary

Log Between gdb and gdbserver

[getpkt: discarding char '+']
getpkt ("qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386");  [sending ack]
[sent ack]
putpkt ("$PacketSize=3fff;QPassSignals+;QProgramSignals+;QStartupWithShell+;QEnvironmentHexEncoded+;QEnvironmentReset+;QEnvironmentUnset+;QSetWorkingDir+;QCatchSyscalls+;qXfer:libraries-svr4:read+;augmented-libraries-svr4-read+;qXfer:auxv:read+;qXfer:spu:read+;qXfer:spu:write+;qXfer:siginfo:read+;qXfer:siginfo:write+;qXfer:features:read+;QStartNoAckMode+;qXfer:osdata:read+;multiprocess+;fork-events+;vfork-events+;exec-events+;QNonStop+;QDisableRandomization+;qXfer:threads:read+;ConditionalTracepoints+;TraceStateVariables+;TracepointSource+;DisconnectedTracing+;FastTracepoints+;StaticTracepoints+;InstallInTrace+;qXfer:statictrace:read+;qXfer:traceframe-info:read+;EnableDisableTracepoints+;QTBuffer:size+;tracenz+;ConditionalBreakpoints+;BreakpointCommands+;QAgent+;swbreak+;hwbreak+;qXfer:exec-file:read+;vContSupported+;QThreadEvents+;no-resumed+#f1"); [looking for ack]
[received '+' (0x2b)]
getpkt ("vMustReplyEmpty");  [sending ack]
[sent ack]
putpkt ("$#00"); [looking for ack]
[received '+' (0x2b)]
getpkt ("QStartNoAckMode");  [sending ack]
[sent ack]
[noack mode enabled]
putpkt ("$OK#9a"); [noack mode]
[getpkt: discarding char '+']
getpkt ("QProgramSignals:0;1;3;4;6;7;8;9;a;b;c;d;e;f;10;11;12;13;14;15;16;17;18;19;1a;1b;1c;1d;1e;1f;20;21;22;23;24;25;26;27;28;29;2a;2b;2c;2d;2e;2f;30;31;32;33;34;35;36;37;38;39;3a;3b;3c;3d;3e;3f;40;41;42;43;44;45;46;47;48;49;4a;4b;4c;4d;4e;4f;50;51;52;53;54;55;56;57;58;59;5a;5b;5c;5d;5e;5f;60;61;62;63;64;65;66;67;68;69;6a;6b;6c;6d;6e;6f;70;71;72;73;74;75;76;77;78;79;7a;7b;7c;7d;7e;7f;80;81;82;83;84;85;86;87;88;89;8a;8b;8c;8d;8e;8f;90;91;92;93;94;95;96;97;98;99;9a;");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("Hgp0.0");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qXfer:features:read:target.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?><!DOCTYPE target SYSTEM "gdb-target.dtd"><target><architecture>i386:x86-64</architecture><osabi>GNU/Linux</osabi><xi:include href="64bit-core.xml"/><xi:include href="64bit-sse.xml"/><xi:include href="64bit-linux.xml"/><xi:include href="64bit-segments.xml"/><xi:include href="64bit-avx.xml"/><xi:include href="64bit-mpx.xml"/></target>#3c"); [noack mode]
getpkt ("qXfer:features:read:64bit-core.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2010-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.core">
  <flags id="i386_eflags" size="4">
 * <field name="CF" start="0" end="0"/>
 * <field name="" start="1" end="1"/>
 * <field name="PF" start="2" end="2"/>
 * <field name="AF" start="4" end="4"/>
 * <field name="ZF" start="6" end="6"/>
 * <field name="SF" start="7" end="7"/>
 * <field name="TF" start="8" end="8"/>
 * <field name="IF" start="9" end="9"/>
 * <field name="DF" start="10" end="10"/>
 * <field name="OF" start="11" end="11"/>
 * <field name="NT" start="14" end="14"/>
 * <field name="RF" start="16" end="16"/>
 * <field name="VM" start="17" end="17"/>
 * <field name="AC" start="18" end="18"/>
 * <field name="VIF" start="19" end="19"/>
 * <field name="VIP" start="20" end="20"/>
 * <field name="ID" start="21" end="21"/>
  </flags>

  <reg name="rax" bitsize="64" type="int64"/>
  <reg name="rbx" bitsize="64" type="int64"/>
  <reg name="rcx" bitsize="64" type="int64"/>
  <reg name="rdx" bitsize="64" type="int64"/>
  <reg name="rsi" bitsize="64" type="int64"/>
  <reg name="rdi" bitsize="64" type="int64"/>
  <reg name="rbp" bitsize="64" type="data_ptr"/>
  <reg name="rsp" bitsize="64" type="data_ptr"/>
  <reg name="r8" bitsize="64" type="int64"/>
  <reg name="r9" bitsize="64" type="int64"/>
  <reg name="r10" bitsize="64" type="int64"/>
  <reg name="r11" bitsize="64" type="int64"/>
  <reg name="r12" bitsize="64" type="int64"/>
  <reg name="r13" bitsize="64" type="int64"/>
  <reg name="r14" bitsize="64" type="int64"/>
  <reg name="r15" bitsize="64" type="int64"/>

  <reg name="rip" bitsize="64" type="code_ptr"/>
  <reg name="eflags" bitsize="32" type="i386_eflags"/>
  <reg name="cs" bitsize="32" type="int32"/>
  <reg name="ss" bitsize="32" type="int32"/>
  <reg name="ds" bitsize="32" type="int32"/>
  <reg name="es" bitsize="32" type="int32"/>
  <reg name="fs" bitsize="32" type="int32"/>
  <reg name="gs" bitsize="32" type="int32"/>

  <reg name="st0" bitsize="80" type="i387_ext"/>
  <reg name="st1" bitsize="80" type="i387_ext"/>
  <reg name="st2" bitsize="80" type="i387_ext"/>
  <reg name="st3" bitsize="80" type="i387_ext"/>
  <reg name="st4" bitsize="80" type="i387_ext"/>
  <reg name="st5" bitsize="80" type="i387_ext"/>
  <reg name="st6" bitsize="80" type="i387_ext"/>
  <reg name="st7" bitsize="80" type="i387_ext"/>

  <reg name="fctrl" bitsize="32" type="int" group="float"/>
  <reg name="fstat" bitsize="32" type="int" group="float"/>
  <reg name="ftag" bitsize="32" type="int" group="float"/>
  <reg name="fiseg" bitsize="32" type="int" group="float"/>
  <reg name="fioff" bitsize="32" type="int" group="float"/>
  <reg name="foseg" bitsize="32" type="int" group="float"/>
  <reg name="fooff" bitsize="32" type="int" group="float"/>
  <reg name="fop" bitsize="32" type="int" group="float"/>
</feature>
#61"); [noack mode]
getpkt ("qXfer:features:read:64bit-sse.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2010-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.sse">
  <vector id="v4f" type="ieee_single" count="4"/>
  <vector id="v2d" type="ieee_double" count="2"/>
  <vector id="v16i8" type="int8" count="16"/>
  <vector id="v8i16" type="int16" count="8"/>
  <vector id="v4i32" type="int32" count="4"/>
  <vector id="v2i64" type="int64" count="2"/>
  <union id="vec128">
 * <field name="v4_float" type="v4f"/>
 * <field name="v2_double" type="v2d"/>
 * <field name="v16_int8" type="v16i8"/>
 * <field name="v8_int16" type="v8i16"/>
 * <field name="v4_int32" type="v4i32"/>
 * <field name="v2_int64" type="v2i64"/>
 * <field name="uint128" type="uint128"/>
  </union>
  <flags id="i386_mxcsr" size="4">
 * <field name="IE" start="0" end="0"/>
 * <field name="DE" start="1" end="1"/>
 * <field name="ZE" start="2" end="2"/>
 * <field name="OE" start="3" end="3"/>
 * <field name="UE" start="4" end="4"/>
 * <field name="PE" start="5" end="5"/>
 * <field name="DAZ" start="6" end="6"/>
 * <field name="IM" start="7" end="7"/>
 * <field name="DM" start="8" end="8"/>
 * <field name="ZM" start="9" end="9"/>
 * <field name="OM" start="10" end="10"/>
 * <field name="UM" start="11" end="11"/>
 * <field name="PM" start="12" end="12"/>
 * <field name="FZ" start="15" end="15"/>
  </flags>

  <reg name="xmm0" bitsize="128" type="vec128" regnum="40"/>
  <reg name="xmm1" bitsize="128" type="vec128"/>
  <reg name="xmm2" bitsize="128" type="vec128"/>
  <reg name="xmm3" bitsize="128" type="vec128"/>
  <reg name="xmm4" bitsize="128" type="vec128"/>
  <reg name="xmm5" bitsize="128" type="vec128"/>
  <reg name="xmm6" bitsize="128" type="vec128"/>
  <reg name="xmm7" bitsize="128" type="vec128"/>
  <reg name="xmm8" bitsize="128" type="vec128"/>
  <reg name="xmm9" bitsize="128" type="vec128"/>
  <reg name="xmm10" bitsize="128" type="vec128"/>
  <reg name="xmm11" bitsize="128" type="vec128"/>
  <reg name="xmm12" bitsize="128" type="vec128"/>
  <reg name="xmm13" bitsize="128" type="vec128"/>
  <reg name="xmm14" bitsize="128" type="vec128"/>
  <reg name="xmm15" bitsize="128" type="vec128"/>

  <reg name="mxcsr" bitsize="32" type="i386_mxcsr" group="vector"/>
</feature>
#84"); [noack mode]
getpkt ("qXfer:features:read:64bit-linux.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2010-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.linux">
  <reg name="orig_rax" bitsize="64" type="int" regnum="57"/>
</feature>
#7e"); [noack mode]
getpkt ("qXfer:features:read:64bit-segments.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2016-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.segments">
  <reg name="fs_base" bitsize="64" type="int"/>
  <reg name="gs_base" bitsize="64" type="int"/>
</feature>
#91"); [noack mode]
getpkt ("qXfer:features:read:64bit-avx.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2010-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.avx">
  <reg name="ymm0h" bitsize="128" type="uint128"/>
  <reg name="ymm1h" bitsize="128" type="uint128"/>
  <reg name="ymm2h" bitsize="128" type="uint128"/>
  <reg name="ymm3h" bitsize="128" type="uint128"/>
  <reg name="ymm4h" bitsize="128" type="uint128"/>
  <reg name="ymm5h" bitsize="128" type="uint128"/>
  <reg name="ymm6h" bitsize="128" type="uint128"/>
  <reg name="ymm7h" bitsize="128" type="uint128"/>
  <reg name="ymm8h" bitsize="128" type="uint128"/>
  <reg name="ymm9h" bitsize="128" type="uint128"/>
  <reg name="ymm10h" bitsize="128" type="uint128"/>
  <reg name="ymm11h" bitsize="128" type="uint128"/>
  <reg name="ymm12h" bitsize="128" type="uint128"/>
  <reg name="ymm13h" bitsize="128" type="uint128"/>
  <reg name="ymm14h" bitsize="128" type="uint128"/>
  <reg name="ymm15h" bitsize="128" type="uint128"/>
</feature>
#03"); [noack mode]
getpkt ("qXfer:features:read:64bit-mpx.xml:0,fff");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2013-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.mpx">
  <struct id="br128">
 * <field name="lbound" type="uint64"/>
 * <field name="ubound_raw" type="uint64"/>
  </struct>

  <struct id="_bndstatus" size="8">
 * <field name="bde" start="2" end="63"/>
 * <field name="error" start="0" end="1"/>
  </struct>

  <union id="status">
 * <field name="raw" type="data_ptr"/>
 * <field name="status" type="_bndstatus"/>
  </union>

  <struct id="_bndcfgu" size="8">
 * <field name="base" start="12" end="63"/>
 * <field name="reserved" start="2" end="11"/>
 * <!-- Explicitly set the type here, otherwise it defaults to bool.  -->
 * <field name="preserved" start="1" end="1" type="uint64"/>
 * <field name="enabled" start="0" end="0" type="uint64"/>
  </struct>

   <union id="cfgu">
 * <field name="raw" type="data_ptr"/>
 * <field name="config" type="_bndcfgu"/>
  </union>

  <reg name="bnd0raw" bitsize="128" type="br128"/>
  <reg name="bnd1raw" bitsize="128" type="br128"/>
  <reg name="bnd2raw" bitsize="128" type="br128"/>
  <reg name="bnd3raw" bitsize="128" type="br128"/>
  <reg name="bndcfgu" * bitsize="64" type="cfgu"/>
  <reg name="bndstatus"  bitsize="64" type="status"/>
</feature>
#4b"); [noack mode]
getpkt ("qXfer:auxv:read::0,1000");  [no ack sent]
putpkt ("$l!"); [noack mode]
getpkt ("QNonStop:0");  [no ack sent]
[all-stop mode enabled]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qTStatus");  [no ack sent]
putpkt ("$T0;tnotrun:0;tframes:0;tcreated:0;tfree:50*!;tsize:50*!;circular:0;disconn:0;starttime:0;stoptime:0;username:;notes::#30"); [noack mode]
getpkt ("qTfV");  [no ack sent]
putpkt ("$1:0:1:74726163655f74696d657374616d70#06"); [noack mode]
getpkt ("qTsV");  [no ack sent]
putpkt ("$l#6c"); [noack mode]
getpkt ("?");  [no ack sent]
putpkt ("$T0506:0*,;07:c0e4f*"7f0* ;10:9060ddf7ff7f0* ;#d8"); [noack mode]
getpkt ("qXfer:threads:read::0,fff");  [no ack sent]
putpkt ("$l<threads>
<thread id="p650f.650f" core="2" name="AnokhREV"/>
</threads>
#4e"); [noack mode]
getpkt ("qAttached:650f");  [no ack sent]
putpkt ("$0#30"); [noack mode]
getpkt ("Hc-1");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("qC");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("qOffsets");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("g");  [no ack sent]
putpkt ("$0*}0*+c0e4f*"7f0*}0*?9060ddf7ff7f0*"020* 330*"2b0*}0*}0* c020*!d2e50* aba70* ee7f0* c020d2e512560* f05ff1170*}0*}0*}0*}0*}0*?f05ff1173b0*}0*}0*}0*}0*}0*}0*}0*C#26"); [noack mode]
getpkt ("qXfer:auxv:read::0,1000");  [no ack sent]
putpkt ("$l!"); [noack mode]
getpkt ("m555555554040,1f8");  [no ack sent]
putpkt ("$060*"040*"40*+40*+40*+f8010*(f8010*)80*+30*"040*"38020*(38020*(38020*(1c0**1c0*+10*+10*"050*R580e0*(580e0*,20*(10*"060*"881d0*(881d20*'881d20*'99020*(b8020*,20*(20*"060*"981d0*(981d20*'981d20*'f0010*(f0010*)80*+40*"040*"54020*(54020*(54020*(440**440*+40**50e57464040*"e80c0*(e80c0*(e80c0*(440**440*+40**51e57464060*r10*+52e57464040*"881d0*(881d20*'881d20*'78020*(78020*)10**#03"); [noack mode]
getpkt ("qXfer:libraries-svr4:read::0,fff");  [no ack sent]
putpkt ("$l<library-list-svr4 version="1.0"/>#e5"); [noack mode]
getpkt ("vFile:setfs:0");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("vFile:open:2f70726f632f32353837312f7461736b2f32353837312f6d617073,0,1c0");  [no ack sent]
putpkt ("$F5#7b"); [noack mode]
getpkt ("vFile:pread:5,3fff,0");  [no ack sent]
putpkt ("$F36a;5*"554000-5*%000 r-xp 0*"00 08:02 5776403 *0/home/xwings/projects/qiling/jexamples/rootfs/x8664_linux/bin/AnokhREV
5*"755000-5*"757000 rw-p 0* 1000 08:02 5776403 *0/home/xwings/projects/qiling/jexamples/rootfs/x8664_linux/bin/AnokhREV
7f* 7dd5000-7f* 7dfc000 r-xp 0*"00 08:02 2888386 *0/lib/x86_64-linux-gnu/ld-2.27.so
7f* 7ff7000-7f* 7ffa000 r--p 0*"00 00:00 0 *6[vvar]
7f* 7ffa000-7f* 7ffc000 r-xp 0*"00 00:00 0 *6[vdso]
7f* 7ffc000-7f* 7ffe000 rw-p 00027000 08:02 2888386 *0/lib/x86_64-linux-gnu/ld-2.27.so
7f* 7ffe000-7f* 7fff000 rw-p 0*"00 00:00 0
7f*"de000-7f*"ff000 rw-p 0*"00 00:00 0 *6[stack]
f*&60*!-f*&601000 r-xp 0*"00 00:00 0 *.[vsyscall]
#73"); [noack mode]
getpkt ("vFile:pread:5,3fff,36a");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:close:5");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("vFile:setfs:650f");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("vFile:open:2f6c696236342f6c642d6c696e75782d7838362d36342e736f2e32,0,0");  [no ack sent]
putpkt ("$F5#7b"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:pread:5,3fff,0");  [no ack sent]
putpkt ("$F3f98;�ELF☻☺☺"); [noack mode]
getpkt ("vFile:pread:5,3fff,29510");  [no ack sent]
putpkt ("$F6c0;"); [noack mode]
getpkt ("vFile:pread:5,3fff,40");  [no ack sent]
putpkt ("$F3f98;☺"); [noack mode]
getpkt ("vFile:pread:5,3fff,29410");  [no ack sent]
putpkt ("$F7c0;"); [noack mode]
getpkt ("vFile:pread:5,3fff,1c8");  [no ack sent]
putpkt ("$F3f98;♦"); [noack mode]
getpkt ("vFile:pread:5,3fff,28fd8");  [no ack sent]
putpkt ("$Fbf8"); [noack mode]
getpkt ("qXfer:libraries-svr4:read::0,fff");  [no ack sent]
putpkt ("$l<library-list-svr4 version="1.0"/>#e5"); [noack mode]
getpkt ("vFile:open:2f6c696236342f6c642d6c696e75782d7838362d36342e736f2e32,0,0");  [no ack sent]
putpkt ("$F6#7c"); [noack mode]
getpkt ("vFile:fstat:6");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:6");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:6");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:pread:6,3fff,0");  [no ack sent]
putpkt ("$F3f98;�ELF☻☺☺"); [noack mode]
getpkt ("vFile:pread:6,3fff,29510");  [no ack sent]
putpkt ("$F6c0;"); [noack mode]
getpkt ("vFile:pread:6,3fff,40");  [no ack sent]
putpkt ("$F3f98;☺"); [noack mode]
getpkt ("vFile:pread:6,3fff,29410");  [no ack sent]
putpkt ("$F7c0;"); [noack mode]
getpkt ("vFile:pread:6,3fff,1c8");  [no ack sent]
putpkt ("$F3f98;♦"); [noack mode]
getpkt ("vFile:pread:6,3fff,28fd8");  [no ack sent]
putpkt ("$Fbf8"); [noack mode]
getpkt ("vFile:fstat:6");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:pread:6,3fff,958");  [no ack sent]
putpkt ("$F3f94;☺"); [noack mode]
getpkt ("vFile:pread:6,3fff,6f0");  [no ack sent]
putpkt ("$F3f96;"); [noack mode]
getpkt ("vFile:pread:6,3fff,3c0");  [no ack sent]
putpkt ("$F3f99;"); [noack mode]
getpkt ("vFile:pread:6,3fff,29400");  [no ack sent]
putpkt ("$F7d0;ld-2.27.so"); [noack mode]
getpkt ("vFile:open:2f6c696236342f6c642d322e32372e736f,0,0");  [no ack sent]
putpkt ("$F-1,2#02"); [noack mode]
getpkt ("vFile:open:2f6c696236342f2e64656275672f6c642d322e32372e736f,0,0");  [no ack sent]
putpkt ("$F-1,2#02"); [noack mode]
getpkt ("qSymbol::");  [no ack sent]
putpkt ("$qSymbol:6764625f6167656e745f6764625f74705f686561705f62756*!572#57"); [noack mode]
getpkt ("qSymbol::6764625f6167656e745f6764625f74705f686561705f627566666572");  [no ack sent]
putpkt ("$qSymbol:6e70746c5f76657273696f6e#13"); [noack mode]
getpkt ("qSymbol::6e70746c5f76657273696f6e");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("vFile:pread:5,3fff,958");  [no ack sent]
putpkt ("$F3f94;☺"); [noack mode]
getpkt ("vFile:pread:5,3fff,6f0");  [no ack sent]
putpkt ("$F3f96;"); [noack mode]
getpkt ("vFile:pread:5,3fff,3c0");  [no ack sent]
putpkt ("$F3f99;"); [noack mode]
getpkt ("m7ffff7dd8df2,1");  [no ack sent]
putpkt ("$90#69"); [noack mode]
getpkt ("m7ffff7dd94d1,1");  [no ack sent]
putpkt ("$90#69"); [noack mode]
getpkt ("m7ffff7ddbb2a,1");  [no ack sent]
putpkt ("$90#69"); [noack mode]
getpkt ("m7ffff7ddaba6,1");  [no ack sent]
putpkt ("$90#69"); [noack mode]
getpkt ("m7ffff7dea41c,1");  [no ack sent]
putpkt ("$90#69"); [noack mode]
getpkt ("m7ffff7deb0b7,1");  [no ack sent]
putpkt ("$90#69"); [noack mode]
getpkt ("m7ffff7deb354,1");  [no ack sent]
putpkt ("$90#69"); [noack mode]
getpkt ("vFile:close:5");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("m7ffff7ffa000,40");  [no ack sent]
putpkt ("$7f454c460201010*/3003e00010*"70090*(40*+e010*1400038000400400011001000#12"); [noack mode]
getpkt ("m7ffff7ffa040,e0");  [no ack sent]
putpkt ("$010*"050*Sb10**b10*+10**20*"040*"48030*(48030*(48030*(20010*(20010*)80*+40*"040*"a8070*(a8070*(a8070*(3c0**3c0*+40**50e57464040*"e4070*(e4070*(e4070*(3c0**3c0*+40**#c6"); [noack mode]
getpkt ("m7ffff7ffa000,1fff");  [no ack sent]
getpkt ("m7ffff7ffbfff,1");  [no ack sent]
putpkt ("$00#60"); [noack mode]
getpkt ("qSymbol::");  [no ack sent]
putpkt ("$qSymbol:6764625f6167656e745f6764625f74705f686561705f62756*!572#57"); [noack mode]
getpkt ("qSymbol::6764625f6167656e745f6764625f74705f686561705f627566666572");  [no ack sent]
putpkt ("$qSymbol:6e70746c5f76657273696f6e#13"); [noack mode]
getpkt ("qSymbol::6e70746c5f76657273696f6e");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qXfer:threads:read::0,fff");  [no ack sent]
putpkt ("$l<threads>
<thread id="p650f.650f" core="2" name="AnokhREV"/>
</threads>
#4e"); [noack mode]
getpkt ("m7ffff7dd6090,1");  [no ack sent]
putpkt ("$48#6c"); [noack mode]
getpkt ("m7ffff7dd6090,1");  [no ack sent]
putpkt ("$48#6c"); [noack mode]
getpkt ("vFile:pread:6,3fff,247b0");  [no ack sent]
putpkt ("$F3fd6;¶"); [noack mode]
getpkt ("m7ffff7dd6090,9");  [no ack sent]
putpkt ("$4889e7e8080e0* 49#fa"); [noack mode]
getpkt ("qSymbol::");  [no ack sent]
putpkt ("$qSymbol:6764625f6167656e745f6764625f74705f686561705f62756*!572#57"); [noack mode]
getpkt ("qSymbol::6764625f6167656e745f6764625f74705f686561705f627566666572");  [no ack sent] putpkt ("$qSymbol:6e70746c5f76657273696f6e#13"); [noack mode]
getpkt ("qSymbol::6e70746c5f76657273696f6e");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qTStatus");  [no ack sent]
putpkt ("$T0;tnotrun:0;tframes:0;tcreated:0;tfree:50*!;tsize:50*!;circular:0;disconn:0;starttime:0;stoptime:0;username:;notes::#30"); [noack mode]
getpkt ("qTfP");  [no ack sent]
putpkt ("$l#6c"); [noack mode]
getpkt ("Z0,7ffff7dd94d1,1");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("Z0,7ffff7dea41c,1");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("Z0,7ffff7deb354,1");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("QPassSignals:e;10;14;17;1a;1b;1c;21;24;25;2c;4c;97;");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("vCont?");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("Hcp650f.0");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("c");  [no ack sent]
putpkt ("$T05swbreak:;06:a0e3f*"7f0* ;07:c0e1f*"7f0* ;10:d194ddf7ff7f0* ;#d8"); [noack mode] getpkt ("g");  [no ack sent]
putpkt ("$40e1fff7ff7f0* 40e1fff7ff7f0* f71fdff7ff7f0*)84e010*>a0e3f*"7f0* c0e1f*"7f0*0c0*+f0d9fff7ff7f0*!6020*870e1fff7ff7f0* 70e1fff7ff7f0* c094fdf7ff7f0* d194ddf7ff7f0* 46020* 330*"2b0*}0*}0* c020*!d2e50* 57570* ee7f0* c020d2e512560* f05ff1170*"00e8909ef7ff7f0*"80fdf7ff7f0* f*60*"474c4942435f505249564154450*"2e322e0*63500474c4942435f322e3300474c49420*}0*}0*}0*Y801f0* f*,c094fdf7ff7f0*}0*}0*}0*}0*}0*}0*}0*)#45"); [noack mode]
getpkt ("m555555554040,38");  [no ack sent]
putpkt ("$060*"040*"40*+40*+40*+f8010*(f8010*)80**#ac"); [noack mode]
getpkt ("m555555554078,38");  [no ack sent]
putpkt ("$030*"040*"38020*(38020*(38020*(1c0**1c0*+10**#92"); [noack mode]
getpkt ("m5555555540b0,38");  [no ack sent]
putpkt ("$010*"050*R580e0*(580e0*,20*'#ad"); [noack mode]
getpkt ("m5555555540e8,38");  [no ack sent]
putpkt ("$010*"060*"881d0*(881d20*'881d20*'99020*(b8020*,20*'#41"); [noack mode]
getpkt ("m555555554120,38");  [no ack sent]
putpkt ("$020*"060*"981d0*(981d20*'981d20*'f0010*(f0010*)80**#69"); [noack mode]
getpkt ("m555555755d98,1f0");  [no ack sent]
putpkt ("$010*+10*+c0**80060*)d0**340c0*(190**881d20*'1b0*+80**1a0**901d20*'1c0*+80**f5feff6f0*"0098425*"550*!50**10445*"550*!60**c0425*"550*!a0**af0*+b0**180**150**40e1fff7ff7f0*!30**885f75*"50*!20**a80**140*+70**170**d845*%0*!70*,45*%0*!80**d80*+90**180**1e0*+80**fbf* 6f0*%10*!80*"00fef* 6f0*"00e0040*(f*"6f0*%10**f0f* 6f0*"00c0445*"550* f9f* 6f0*%30*}0*i#ae"); [noack mode]
getpkt ("m555555554040,38");  [no ack sent]
putpkt ("$060*"040*"40*+40*+40*+f8010*(f8010*)80**#ac"); [noack mode]
getpkt ("m555555554078,38");  [no ack sent]
putpkt ("$030*"040*"38020*(38020*(38020*(1c0**1c0*+10**#92"); [noack mode]
getpkt ("m5555555540b0,38");  [no ack sent]
putpkt ("$010*"050*R580e0*(580e0*,20*'#ad"); [noack mode]
getpkt ("m5555555540e8,38");  [no ack sent]
putpkt ("$010*"060*"881d0*(881d20*'881d20*'99020*(b8020*,20*'#41"); [noack mode]
getpkt ("m555555554120,38");  [no ack sent]
putpkt ("$020*"060*"981d0*(981d20*'981d20*'f0010*(f0010*)80**#69"); [noack mode]
getpkt ("m555555755d98,1f0");  [no ack sent]
putpkt ("$010*+10*+c0**80060*)d0**340c0*(190**881d20*'1b0*+80**1a0**901d20*'1c0*+80**f5feff6f0*"0098425*"550*!50**10445*"550*!60**c0425*"550*!a0**af0*+b0**180**150**40e1fff7ff7f0*!30**885f75*"50*!20**a80**140*+70**170**d845*%0*!70*,45*%0*!80**d80*+90**180**1e0*+80**fbf* 6f0*%10*!80*"00fef* 6f0*"00e0040*(f*"6f0*%10**f0f* 6f0*"00c0445*"550* f9f* 6f0*%30*}0*i#ae"); [noack mode]
getpkt ("m555555755e60,8");  [no ack sent]
putpkt ("$40e1fff7ff7f0* #46"); [noack mode]
getpkt ("qXfer:libraries-svr4:read::0,fff");  [no ack sent]
putpkt ("$l<library-list-svr4 version="1.0" main-lm="0x7f* 7ffe170"><library name="linux-vdso.so.1" lm="0x7f* 7ffe710" l_addr="0x7f* 7ffa000" l_ld="0x7f* 7ffa348"/><library name="/lib/x86_64-linux-gnu/libc.so.6" lm="0x7f* 7fd8000" l_addr="0x7f* 79e4000" l_ld="0x7f* 7dceb80"/><library name="/lib64/ld-linux-x86-64.so.2" lm="0x7f* 7ffd9f0" l_addr="0x7f* 7dd5000" l_ld="0x7f* 7ffce68"/></library-list-svr4>#8e"); [noack mode]
getpkt ("vFile:open:2f6c69622f7838365f36342d6c696e75782d676e752f6c6962632e736f2e36,0,0");  [no ack sent]
putpkt ("$F5#7b"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:pread:5,3fff,0");  [no ack sent]
putpkt ("$F3f37;�ELF☻☺☺♥"); [noack mode]
getpkt ("vFile:pread:5,3fff,1ee990");  [no ack sent]
putpkt ("$F1240;"); [noack mode]
getpkt ("vFile:pread:5,3fff,40");  [no ack sent]
putpkt ("$F3f37;♠"); [noack mode]
getpkt ("vFile:pread:5,3fff,1ee4c8");  [no ack sent]
putpkt ("$F1708;"); [noack mode]
getpkt ("vFile:pread:5,3fff,270");  [no ack sent]
putpkt ("$F3f35;♦"); [noack mode]
getpkt ("vFile:pread:5,3fff,1ec860");  [no ack sent]
putpkt ("$F3370"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:pread:5,3fff,294");  [no ack sent]
putpkt ("$F3f34;♦"); [noack mode]
getpkt ("vFile:pread:5,3fff,18ef8");  [no ack sent]
putpkt ("$F3fdf;☺"); [noack mode]
getpkt ("vFile:pread:5,3fff,119d0");  [no ack sent]
putpkt ("$F3ffa;"); [noack mode]
getpkt ("vFile:pread:5,3fff,159ca");  [no ack sent]
putpkt ("$F3fe0;ir"); [noack mode]
getpkt ("vFile:pread:5,3fff,3ee8");  [no ack sent]
putpkt ("$F3f9d;"); [noack mode]
getpkt ("vFile:pread:5,3fff,7e85");  [no ack sent]
putpkt ("$F3f9b;"); [noack mode]
getpkt ("vFile:pread:5,3fff,be20");  [no ack sent]
putpkt ("$F3f93;g♥"); [noack mode]
getpkt ("vFile:pread:5,3fff,fdb3");  [no ack sent]
putpkt ("$F3fc9;"); [noack mode]
getpkt ("vFile:pread:5,3fff,178ae");  [no ack sent]
putpkt ("$F3fc5;"); [noack mode]
getpkt ("vFile:pread:5,3fff,20fd0");  [no ack sent]
putpkt ("$F3f20;52<"); [noack mode]
getpkt ("vFile:pread:5,3fff,18f28");  [no ack sent]
putpkt ("$F3fdf; v>"); [noack mode]
getpkt ("vFile:pread:5,3fff,1cf07");  [no ack sent]
putpkt ("$F3ff3;"); [noack mode]
getpkt ("vFile:pread:5,3fff,20efa");  [no ack sent]
putpkt ("$F3f1f;"); [noack mode]
getpkt ("vFile:pread:5,3fff,1ee4b4");  [no ack sent]
putpkt ("$F171c;libc-2.27.so"); [noack mode]
getpkt ("vFile:open:2f6c69622f7838365f36342d6c696e75782d676e752f6c6962632d322e32372e736f,0,0");  [no ack sent]
putpkt ("$F7#7d"); [noack mode]
getpkt ("vFile:fstat:7");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:7");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:7");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:7");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("vFile:close:7");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("vFile:open:2f6c69622f7838365f36342d6c696e75782d676e752f2e64656275672f6c6962632d322e32372e736f,0,0");  [no ack sent]
putpkt ("$F-1,2#02"); [noack mode]
getpkt ("vFile:fstat:5");  [no ack sent]
putpkt ("$F40;"); [noack mode]
getpkt ("qSymbol::");  [no ack sent]
putpkt ("$qSymbol:6764625f6167656e745f6764625f74705f686561705f62756*!572#57"); [noack mode]
getpkt ("qSymbol::6764625f6167656e745f6764625f74705f686561705f627566666572");  [no ack sent] putpkt ("$qSymbol:6e70746c5f76657273696f6e#13"); [noack mode]
getpkt ("qSymbol::6e70746c5f76657273696f6e");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qSymbol::");  [no ack sent]
putpkt ("$qSymbol:6764625f6167656e745f6764625f74705f686561705f62756*!572#57"); [noack mode]
getpkt ("qSymbol::6764625f6167656e745f6764625f74705f686561705f627566666572");  [no ack sent] putpkt ("$qSymbol:6e70746c5f76657273696f6e#13"); [noack mode]
getpkt ("qSymbol::6e70746c5f76657273696f6e");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("m7ffff7a22c20,1");  [no ack sent]
putpkt ("$55#6a"); [noack mode]
getpkt ("m7ffff7a22c20,1");  [no ack sent]
putpkt ("$55#6a"); [noack mode]
getpkt ("m7ffff7a22c20,1");  [no ack sent]
putpkt ("$55#6a"); [noack mode]
getpkt ("m7ffff7b18bc3,1");  [no ack sent]
putpkt ("$90#69"); [noack mode]
getpkt ("m7ffff7a22c93,1");  [no ack sent]
putpkt ("$90#69"); [noack mode]
getpkt ("z0,7ffff7dd94d1,1");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("QPassSignals:");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("Hcp650f.650f");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("s");  [no ack sent]
putpkt ("$T0506:a0e3f*"7f0* ;07:c0e1f*"7f0* ;10:d294ddf7ff7f0* ;#75"); [noack mode]
getpkt ("Z0,7ffff7dd94d1,1");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("QPassSignals:e;10;14;17;1a;1b;1c;21;24;25;2c;4c;97;");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("Hcp650f.0");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("c");  [no ack sent]

Log Between IDAPro and gdbserver

[getpkt: discarding char '+']
getpkt ("qSupported:xmlRegisters=i386,arm,mips");  [sending ack]
[sent ack]
putpkt ("$PacketSize=3fff;QPassSignals+;QProgramSignals+;QStartupWithShell+;QEnvironmentHexEncoded+;QEnvironmentReset+;QEnvironmentUnset+;QSetWorkingDir+;QCatchSyscalls+;qXfer:libraries-svr4:read+;augmented-libraries-svr4-read+;qXfer:auxv:read+;qXfer:spu:read+;qXfer:spu:write+;qXfer:siginfo:read+;qXfer:siginfo:write+;qXfer:features:read+;QStartNoAckMode+;qXfer:osdata:read+;multiprocess+;fork-events+;vfork-events+;exec-events+;QNonStop+;QDisableRandomization+;qXfer:threads:read+;ConditionalTracepoints+;TraceStateVariables+;TracepointSource+;DisconnectedTracing+;StaticTracepoints+;InstallInTrace+;qXfer:statictrace:read+;qXfer:traceframe-info:read+;EnableDisableTracepoints+;QTBuffer:size+;tracenz+;ConditionalBreakpoints+;BreakpointCommands+;QAgent+;swbreak+;hwbreak+;qXfer:exec-file:read+;vContSupported+;QThreadEvents+;no-resumed+#71"); [looking for ack]
[received '+' (0x2b)]
getpkt ("QStartNoAckMode");  [sending ack]
[sent ack]
[noack mode enabled]
putpkt ("$OK#9a"); [noack mode]
getpkt ("QDisableRandomization:1");  [no ack sent]
[address space randomization disabled]
putpkt ("$OK#9a"); [noack mode]
getpkt ("!");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("Hg0");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("qXfer:features:read:target.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?><!DOCTYPE target SYSTEM "gdb-target.dtd"><target><architecture>i386:x86-64</architecture><osabi>GNU/Linux</osabi><xi:include href="64bit-core.xml"/><xi:include href="64bit-sse.xml"/><xi:include href="64bit-linux.xml"/><xi:include href="64bit-segments.xml"/><xi:include href="64bit-avx.xml"/><xi:include href="64bit-mpx.xml"/></target>#3c"); [noack mode]
getpkt ("qXfer:features:read:64bit-core.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2010-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.core">
  <flags id="i386_eflags" size="4">
 * <field name="CF" start="0" end="0"/>
 * <field name="" start="1" end="1"/>
 * <field name="PF" start="2" end="2"/>
 * <field name="AF" start="4" end="4"/>
 * <field name="ZF" start="6" end="6"/>
 * <field name="SF" start="7" end="7"/>
 * <field name="TF" start="8" end="8"/>
 * <field name="IF" start="9" end="9"/>
 * <field name="DF" start="10" end="10"/>
 * <field name="OF" start="11" end="11"/>
 * <field name="NT" start="14" end="14"/>
 * <field name="RF" start="16" end="16"/>
 * <field name="VM" start="17" end="17"/>
 * <field name="AC" start="18" end="18"/>
 * <field name="VIF" start="19" end="19"/>
 * <field name="VIP" start="20" end="20"/>
 * <field name="ID" start="21" end="21"/>
  </flags>

  <reg name="rax" bitsize="64" type="int64"/>
  <reg name="rbx" bitsize="64" type="int64"/>
  <reg name="rcx" bitsize="64" type="int64"/>
  <reg name="rdx" bitsize="64" type="int64"/>
  <reg name="rsi" bitsize="64" type="int64"/>
  <reg name="rdi" bitsize="64" type="int64"/>
  <reg name="rbp" bitsize="64" type="data_ptr"/>
  <reg name="rsp" bitsize="64" type="data_ptr"/>
  <reg name="r8" bitsize="64" type="int64"/>
  <reg name="r9" bitsize="64" type="int64"/>
  <reg name="r10" bitsize="64" type="int64"/>
  <reg name="r11" bitsize="64" type="int64"/>
  <reg name="r12" bitsize="64" type="int64"/>
  <reg name="r13" bitsize="64" type="int64"/>
  <reg name="r14" bitsize="64" type="int64"/>
  <reg name="r15" bitsize="64" type="int64"/>

  <reg name="rip" bitsize="64" type="code_ptr"/>
  <reg name="eflags" bitsize="32" type="i386_eflags"/>
  <reg name="cs" bitsize="32" type="int32"/>
  <reg name="ss" bitsize="32" type="int32"/>
  <reg name="ds" bitsize="32" type="int32"/>
  <reg name="es" bitsize="32" type="int32"/>
  <reg name="fs" bitsize="32" type="int32"/>
  <reg name="gs" bitsize="32" type="int32"/>

  <reg name="st0" bitsize="80" type="i387_ext"/>
  <reg name="st1" bitsize="80" type="i387_ext"/>
  <reg name="st2" bitsize="80" type="i387_ext"/>
  <reg name="st3" bitsize="80" type="i387_ext"/>
  <reg name="st4" bitsize="80" type="i387_ext"/>
  <reg name="st5" bitsize="80" type="i387_ext"/>
  <reg name="st6" bitsize="80" type="i387_ext"/>
  <reg name="st7" bitsize="80" type="i387_ext"/>

  <reg name="fctrl" bitsize="32" type="int" group="float"/>
  <reg name="fstat" bitsize="32" type="int" group="float"/>
  <reg name="ftag" bitsize="32" type="int" group="float"/>
  <reg name="fiseg" bitsize="32" type="int" group="float"/>
  <reg name="fioff" bitsize="32" type="int" group="float"/>
  <reg name="foseg" bitsize="32" type="int" group="float"/>
  <reg name="fooff" bitsize="32" type="int" group="float"/>
  <reg name="fop" bitsize="32" type="int" group="float"/>
</feature>
#61"); [noack mode]
getpkt ("qXfer:features:read:64bit-sse.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2010-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.sse">
  <vector id="v4f" type="ieee_single" count="4"/>
  <vector id="v2d" type="ieee_double" count="2"/>
  <vector id="v16i8" type="int8" count="16"/>
  <vector id="v8i16" type="int16" count="8"/>
  <vector id="v4i32" type="int32" count="4"/>
  <vector id="v2i64" type="int64" count="2"/>
  <union id="vec128">
 * <field name="v4_float" type="v4f"/>
 * <field name="v2_double" type="v2d"/>
 * <field name="v16_int8" type="v16i8"/>
 * <field name="v8_int16" type="v8i16"/>
 * <field name="v4_int32" type="v4i32"/>
 * <field name="v2_int64" type="v2i64"/>
 * <field name="uint128" type="uint128"/>
  </union>
  <flags id="i386_mxcsr" size="4">
 * <field name="IE" start="0" end="0"/>
 * <field name="DE" start="1" end="1"/>
 * <field name="ZE" start="2" end="2"/>
 * <field name="OE" start="3" end="3"/>
 * <field name="UE" start="4" end="4"/>
 * <field name="PE" start="5" end="5"/>
 * <field name="DAZ" start="6" end="6"/>
 * <field name="IM" start="7" end="7"/>
 * <field name="DM" start="8" end="8"/>
 * <field name="ZM" start="9" end="9"/>
 * <field name="OM" start="10" end="10"/>
 * <field name="UM" start="11" end="11"/>
 * <field name="PM" start="12" end="12"/>
 * <field name="FZ" start="15" end="15"/>
  </flags>

  <reg name="xmm0" bitsize="128" type="vec128" regnum="40"/>
  <reg name="xmm1" bitsize="128" type="vec128"/>
  <reg name="xmm2" bitsize="128" type="vec128"/>
  <reg name="xmm3" bitsize="128" type="vec128"/>
  <reg name="xmm4" bitsize="128" type="vec128"/>
  <reg name="xmm5" bitsize="128" type="vec128"/>
  <reg name="xmm6" bitsize="128" type="vec128"/>
  <reg name="xmm7" bitsize="128" type="vec128"/>
  <reg name="xmm8" bitsize="128" type="vec128"/>
  <reg name="xmm9" bitsize="128" type="vec128"/>
  <reg name="xmm10" bitsize="128" type="vec128"/>
  <reg name="xmm11" bitsize="128" type="vec128"/>
  <reg name="xmm12" bitsize="128" type="vec128"/>
  <reg name="xmm13" bitsize="128" type="vec128"/>
  <reg name="xmm14" bitsize="128" type="vec128"/>
  <reg name="xmm15" bitsize="128" type="vec128"/>

  <reg name="mxcsr" bitsize="32" type="i386_mxcsr" group="vector"/>
</feature>
#84"); [noack mode]
getpkt ("qXfer:features:read:64bit-linux.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2010-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.linux">
  <reg name="orig_rax" bitsize="64" type="int" regnum="57"/>
</feature>
#7e"); [noack mode]
getpkt ("qXfer:features:read:64bit-segments.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2016-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.segments">
  <reg name="fs_base" bitsize="64" type="int"/>
  <reg name="gs_base" bitsize="64" type="int"/>
</feature>
#91"); [noack mode]
getpkt ("qXfer:features:read:64bit-avx.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2010-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.avx">
  <reg name="ymm0h" bitsize="128" type="uint128"/>
  <reg name="ymm1h" bitsize="128" type="uint128"/>
  <reg name="ymm2h" bitsize="128" type="uint128"/>
  <reg name="ymm3h" bitsize="128" type="uint128"/>
  <reg name="ymm4h" bitsize="128" type="uint128"/>
  <reg name="ymm5h" bitsize="128" type="uint128"/>
  <reg name="ymm6h" bitsize="128" type="uint128"/>
  <reg name="ymm7h" bitsize="128" type="uint128"/>
  <reg name="ymm8h" bitsize="128" type="uint128"/>
  <reg name="ymm9h" bitsize="128" type="uint128"/>
  <reg name="ymm10h" bitsize="128" type="uint128"/>
  <reg name="ymm11h" bitsize="128" type="uint128"/>
  <reg name="ymm12h" bitsize="128" type="uint128"/>
  <reg name="ymm13h" bitsize="128" type="uint128"/>
  <reg name="ymm14h" bitsize="128" type="uint128"/>
  <reg name="ymm15h" bitsize="128" type="uint128"/>
</feature>
#03"); [noack mode]
getpkt ("qXfer:features:read:64bit-mpx.xml:0,3ffe");  [no ack sent]
putpkt ("$l<?xml version="1.0"?>
<!-- Copyright (C) 2013-2018 Free Software Foundation, Inc.

 *!Copying and distribution of this file, with or without modification,
 *!are permitted in any medium without royalty provided the copyright
 *!notice and this notice are preserved.  -->

<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.mpx">
  <struct id="br128">
 * <field name="lbound" type="uint64"/>
 * <field name="ubound_raw" type="uint64"/>
  </struct>

  <struct id="_bndstatus" size="8">
 * <field name="bde" start="2" end="63"/>
 * <field name="error" start="0" end="1"/>
  </struct>

  <union id="status">
 * <field name="raw" type="data_ptr"/>
 * <field name="status" type="_bndstatus"/>
  </union>

  <struct id="_bndcfgu" size="8">
 * <field name="base" start="12" end="63"/>
 * <field name="reserved" start="2" end="11"/>
 * <!-- Explicitly set the type here, otherwise it defaults to bool.  -->
 * <field name="preserved" start="1" end="1" type="uint64"/>
 * <field name="enabled" start="0" end="0" type="uint64"/>
  </struct>

   <union id="cfgu">
 * <field name="raw" type="data_ptr"/>
 * <field name="config" type="_bndcfgu"/>
  </union>

  <reg name="bnd0raw" bitsize="128" type="br128"/>
  <reg name="bnd1raw" bitsize="128" type="br128"/>
  <reg name="bnd2raw" bitsize="128" type="br128"/>
  <reg name="bnd3raw" bitsize="128" type="br128"/>
  <reg name="bndcfgu" * bitsize="64" type="cfgu"/>
  <reg name="bndstatus"  bitsize="64" type="status"/>
</feature>
#4b"); [noack mode]
getpkt ("?");  [no ack sent]
putpkt ("$T0506:0*,;07:c0e4f*"7f0* ;10:9060ddf7ff7f0* ;#d8"); [noack mode]
getpkt ("?");  [no ack sent]
putpkt ("$T0506:0*,;07:c0e4f*"7f0* ;10:9060ddf7ff7f0* ;#d8"); [noack mode]
getpkt ("qXfer:threads:read::0,3ffe");  [no ack sent]
putpkt ("$l<threads>
<thread id="651b" core="3" name="AnokhREV"/>
</threads>
#ad"); [noack mode]
getpkt ("qC");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("p10");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("g");  [no ack sent]
putpkt ("$0*}0*+c0e4f*"7f0*}0*?9060ddf7ff7f0*"020* 330*"2b0*}0*}0* a0930* 83ef0* a* 0* ff7e0* a09383ef0c560* c0bc7d170*}0*}0*}0*}0*}0*?c0bc7d173b0*}0*}0*}0*}0*}0*}0*}0*C#48"); [noack mode]
getpkt ("qXfer:exec-file:read::0,3ffe");  [no ack sent]
putpkt ("$l/home/xwings/projects/qiling/jexamples/rootfs/x8664_linux/bin/AnokhREV#a6"); [noack mode]
getpkt ("vFile:open:2f686f6d652f7877696e67732f70726f6a656374732f71696c696e672f6a6578616d706c65732f726f6f7466732f78383636345f6c696e75782f62696e2f416e6f6b68524556,0,124");  [no ack sent]
putpkt ("$F5#7b"); [noack mode]
getpkt ("vFile:pread:5,1,fff");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,1fff");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,3fff");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,2fff");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,37ff");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,33ff");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,31ff");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,32ff");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,327f");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,323f");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,321f");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,320f");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,3217");  [no ack sent]
putpkt ("$F1;"); [noack mode]
getpkt ("vFile:pread:5,1,321b");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,3219");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,1,3218");  [no ack sent]
putpkt ("$F0;#b1"); [noack mode]
getpkt ("vFile:pread:5,100,0");  [no ack sent]
putpkt ("$F100;�ELF☻☺☺"); [noack mode]
getpkt ("vFile:pread:5,100,100");  [no ack sent]
putpkt ("$F100;↔ "); [noack mode]
getpkt ("vFile:pread:5,100,200");  [no ack sent]
putpkt ("$F100;Rtd♦"); [noack mode]
getpkt ("vFile:close:5");  [no ack sent]
putpkt ("$F0#76"); [noack mode]
getpkt ("qXfer:auxv:read::0,3ffe");  [no ack sent]
putpkt ("$l!"); [noack mode]
getpkt ("qXfer:threads:read::0,3ffe");  [no ack sent]
putpkt ("$l<threads>
<thread id="651b" core="3" name="AnokhREV"/>
</threads>
#ad"); [noack mode]
getpkt ("Z0,555555554ada,1");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("m7ffff7dd6000,100");  [no ack sent]
putpkt ("$2cc00100ebe5488b4008bf0210*!4889059a7f2200488936b89e0*"488976100f0585c07429488d1d810c0200488d35b20c02004889dabf020*"31c0e81b060100bf7f0*"e8e1bf0100ebdec605a07f220001eb0231f64889f05bc3488d35e8240200bf020*"4883ec0831c0e8e8050100bf7f0*"e8aebf0100662e0f1f840*'f1f40004889e7e8080e0* 4989c48b05976622005a488d24c429c2524889d64989e54883e4f0488b3da66f2200498d4cd510498d550831ede866f50* 488d15cff80* 4c89ec41ffe4660f1f840*&83470401c390662e0f1f840*&836f0401c390662e0f1f840*&#11"); [noack mode]
getpkt ("m7ffff7ffc700,100");  [no ack sent]
putpkt ("$0*}0*}0*L10*j20*"010*27f030*!3030*}0*O#75"); [noack mode]
getpkt ("m0,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m7ffff7ffd000,100");  [no ack sent]
putpkt ("$687e220*F960e0*(a60e0*(b60e0*(c60e0*(d60e0*(e60e0*(f60e0*}0*H10*}0*}0*8#1f"); [noack mode]
getpkt ("m7ffff7de5900,100");  [no ack sent]
putpkt ("$f*"f605566e210002754a488b9308010* eb88a8030f853ef*"e911f*"498b7708803e007518488b050e6e2100488b30488d05b30001004885f6480f44f0488d3daa07010031c0e8af0b0* e987fef* 84d27518488b05df6d2100488b30488d05840001004885f6480f44f0488d3d6707010031c04c890424e87c0b0* 488b83a0*"04c8b04244885c00f85e0fef* e9f4fef* 0f1f00554889e54157415641554154534883ec284c8b25a87f21004983ec010f8823020* c745c0*%4b8d1ce4488d058c76210048c1e3044801c3eb250f1f00488d3d817f2100ff157b8521004983ec014881eb90*"04983fcff0f84ce01#e4"); [noack mode]
getpkt ("m1f0ffffffef400,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("mec83485354415500,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m56415741e5894800,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m7ffff7de5600,100");  [no ack sent]
putpkt ("$54240841544c8b442418ffd0585a8b35fc72210083c3014d8b6d4039f372a94883c4385b5d415c415d415e415fc36690415741564989ff415541544989cd555389f54989d44883ec18488b1d708321004c8bb740010* 4c8b8748010* 4885db0f85c1010* 4d85f674094d85c00f854b010* 418b9fc0020*!f1f400083eb0183fbff0f84bd0*"498b97b8030* 89d84c8b34c2410fb68614030* a80875db498b760883c80841888614030*!fb61684d20f845a010* 498b86a0*"04885c00f84920*"f6058b702100020f85a50*"488b40084903064c89ea4c89e689efffd0498b8e08010* 4885c97488498b8618010* 48#db"); [noack mode]
getpkt ("m7ffff7dd6e00,100");  [no ack sent]
putpkt ("$410fb60424e9a4fcf* 4883fe0a0f854cfdf* 488b0596df01004839030f853cfdf* 0fb7058edf0100663943080f852bfdf* 810d2159220080*"0c70537582200010*"410fb60424e95bfcf* 0f1f00662e0f1f840*&534889fb8b5704488b3df2612200be010*"e85802010085c074068b0385c075065bc30f1f40005bbf010*"e99db101000f1f00662e0f1f840*&554889e541574156415541544989fc534883ec480f3148c1e22089c04809c2488b05a25f220048891553582200488d15945f22004989d64c2b35226122004885c0488915186b22004c8935016b22000f849b0*"488d3d6461220049b9d003#86"); [noack mode]
getpkt ("m555555554000,100");  [no ack sent]
putpkt ("$7f454c460201010*/3003e00010*"30070*(40*+d82a0*040003800090040001d001c00060*"040*"40*+40*+40*+f8010*(f8010*)80*+30*"040*"38020*(38020*(38020*(1c0**1c0*+10*+10*"050*R580e0*(580e0*,20*(10*"060*"881d0*(881d20*'#3b"); [noack mode]
getpkt ("m7fffffffe400,100");  [no ack sent]
putpkt ("$0*}0*}0*}0*z10**fce6f*"7f0*01ce7f*"7f0*!8edf*"7f0* 3eedf*"7f0* 60edf*"7f0* 75edf*"7f0* #2f"); [noack mode]
getpkt ("m7fffffffe500,100");  [no ack sent]
putpkt ("$86edf*"7f0* 9aedf*"7f0* acedf*"7f0* b8edf*"7f0* e3edf*"7f0* f5edf*"7f0* 17eef*"7f0* 58eef*"7f0* 6beef*"7f0* 81eef*"7f0* 91eef*"7f0* a5eef*"7f0* adeef*"7f0* bceef*"7f0* f2eef*"7f0* 11ef*"f7f0* 91ef*"f7f0*0210*,a0fff7ff7f0* 10*+fffb8b1f0*%60*,10*)110**640*+30**40405*"550*!40**380*+50*+90**#35"); [noack mode]
getpkt ("m700,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m200,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m201d00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555554100,100");  [no ack sent]
putpkt ("$881d20*'99020*(b8020*,20*(20*"060*"981d0*(981d20*'981d20*'f0010*(f0010*)80*+40*"040*"54020*(54020*(54020*(440**440*+40**50e57464040*"e80c0*(e80c0*(e80c0*(440**440*+40**51e57464060*r10*+#9e"); [noack mode]
getpkt ("mc00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555554200,100");  [no ack sent]
putpkt ("$52e57464040*"881d0*(881d20*'881d20*'78020*(78020*)10**2f6c696236342f6c642d6c696e75782d7838362d36342e736f2e3200040*"10*"0010*"474e550*'30*"020*+40*"140*"030*"474e55005ecc71fb1f0bb25fbb6e38006ea1dbcc3150616c020*"0d0*"010*"060*&200080*,d0*"67556110*U590*"120*B6a0*"20*3#a3"); [noack mode]
getpkt ("m555555554400,100");  [no ack sent]
putpkt ("$302020*(80*,6c6962632e736f2e36007075747300737464696e007072696e7466006667657473006d656d736574006d616c6c6f63005f5f6378615f66696e616c697a6500737472636d70005f5f6c6962635f73746172745f6d61696e006672656500474c4942435f322e322e35005f49544d5f64657265676973746572544d436c6f6e655461626c65005f5f676d6f6e5f73746172745f5f005f49544d5f7265676973746572544d436c6f6e655461626c650*%20*"02000200020002000200020*"020*"0200020*'1000100010*"10*+751a69090*!2005e0**#c1"); [noack mode]
getpkt ("m352e322e325f4300,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m73747570003600,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555554300,100");  [no ack sent]
putpkt ("$0*-b0*"120*B160*"120*B230*"120*B470*"120*B1d0*"120*B40*"0120*B860*"20*C2a0*"120*B950*"20*C310*"220*B10*"011001800#c3"); [noack mode]
getpkt ("m5472657473696700,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m746e697270006e00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m6d656d0073746500,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m5f5f00636f6c6c00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m69616d5f74726100,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m6c616d0074657300,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m74735f6362696c00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m5f005f5f74726100,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m6e69665f61786300,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m434d547265747300,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m7300657a696c6100,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m6567660066746e00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m202000,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m7300737475700000,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555554500,100");  [no ack sent]
putpkt ("$881d20*(80**30080*(901d20*(80**f0070*)82020*(80*+82020*'d81f20*(60*"020*2e01f20*(60*"060*2e81f20*(60*"090*2f01f20*(60*"0b0*2f81f20*(60*"0c0*2302020*(50*"0d0*2a01f20*(70*"010*2a81f20*(70*"030*"#49"); [noack mode]
getpkt ("m4d54495f00352e00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555554600,100");  [no ack sent]
putpkt ("$0*,b01f20*(70*"040*2b81f20*(70*"050*2c01f20*(70*"070*2c81f20*(70*"080*2d01f20*(70*"0a0*24883ec08488b055d1920004885c07402ffd04883c408c30*.ff35ea182000ff25ec1820* f1f4000ff25ea182000680*"00e9e0f*"ff25e218200068010*"e9d0f*"ff25da18200068020*"e9c0f*"ff25d218200068030*"e9b0f*"ff25ca18200068040*"e9a0f*"#46"); [noack mode]
getpkt ("m555555755f00,100");  [no ack sent]
putpkt ("$e0040*(f*"6f0*%10**f0f* 6f0*"00c0040*(f9f* 6f0*%30*}0*i981d20*Gb6060*(c6060*(d6060*(e6060*(f6060*)6070*(16070*x#8e"); [noack mode]
getpkt ("m600,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555554700,100");  [no ack sent]
putpkt ("$ff25c218200068050*"e990f*"ff25ba18200068060*"e980f*"ff25d21820006690*-31ed4989d15e4889e24883e4f050544c8d05ea040* 488d0d73040* 488d3d85030* ff1586182000f40f1f440* 488d3dc118200055488d05b91820004839f84889e57419488b055a1820004885c0740d5dffe0662e0f1f840*&5dc30f1f4000662e0f1f840*&488d3d81182000488d357a182000554829fe4889e548c1fe034889f048c1e83f4801c648d1fe7418488b05211820004885c0740c5dffe0660f1f840*&5dc30f1f4000662e0f1f840*&803d411820*!752f48833df7172000#80"); [noack mode]
getpkt ("m555555756000,100");  [no ack sent]
putpkt ("$0*-82020*'8baf1177b7a06023671254c142832311730*}0*}0*}0*}0*V#d5"); [noack mode]
getpkt ("m555555554800,100");  [no ack sent]
putpkt ("$00554889e5740c488b3dfa172000e80df*"e848f*"c605191820* 15dc30f1f80*%f3c3660f1f440* 554889e55de966f*"554889e5897decc745f80*"00e978020* c745fc0*"00e95c020* 8b45f84863d0488d05aa1720* fb60c028b45f883c0014863d0488d05961720* fb6040283e01331c18b45f84863d0488d0580172000880c028b45f84863d0488d05701720* fb6040289c18b45f883c0014863d0488d055a1720* fb6040283c82001c889c18b45f84863d0488d0542172000880c028b45f84863d0488d05321720* fb60c028b45f883c0014863d0488d051e1720* fb6040283e01b31c18b45f84863#04"); [noack mode]
getpkt ("m2360a0b77711af00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555554a00,100");  [no ack sent]
putpkt ("$d0488d05081620* fb6040289c18b45f883c0014863d0488d05f21520* fb6040283c84a01c889c18b45f84863d0488d05da152000880c028b45f84863d0488d05ca1520* fb60c028b45f883c0014863d0488d05b61520* fb6040283e04531c18b45f84863d0488d05a0152000880c028b45f84863d0488d05901520* fb6040289c18b45f883c0014863d0488d057a1520* fb6040283c81f01c889c18b45f84863d0488d0562152000880c028345fc018b45fc3b45ec0f8c98fdf* 8345f801b8110*"83e8013945f80f8c77fdf* 905dc3554889e54883ec10488d3d68010* e8d3fbf* b8110*"83c00148984889c7e811fcf* 48#79"); [noack mode]
getpkt ("m11238342c1541200,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555554900,100");  [no ack sent]
putpkt ("$d0488d0508172000880c028b45f84863d0488d05f81620* fb6040289c18b45f883c0014863d0488d05e21620* fb6040283c83801c889c18b45f84863d0488d05ca162000880c028b45f84863d0488d05ba1620* fb60c028b45f883c0014863d0488d05a61620* fb6040283e02a31c18b45f84863d0488d0590162000880c028b45f84863d0488d05801620* fb6040289c18b45f883c0014863d0488d056a1620* fb6040283c82b01c889c18b45f84863d0488d0552162000880c028b45f84863d0488d05421620* fb60c028b45f883c0014863d0488d052e1620* fb6040283e05f31c18b45f84863d0488d0518162000880c028b45f84863#89"); [noack mode]
getpkt ("m555555554c00,100");  [no ack sent]
putpkt ("$4c89fa4c89f64489ef41ff14dc4883c3014839dd75ea4883c4085b5d415c415d415e415fc390662e0f1f840*&f3c30* 4883ec084883c408c30*"0100020*&110**57656c636f6d6520546f20416e6f6b686120326b313920506c6561736520456e7465722074686520666c616720210* 43616e6e6f7420616c6c6f6361746520616e79206d656d6f72792073706163652e20506c6561736520747279206c617465722e00596f757220666c61672069732078696f6d6172617b25737d0a000a507373742057726f6e672054727920416761696e20*&11b033b440*"070*"b8f9f* 90*"038faf* #a9"); [noack mode]
getpkt ("m686b6f6e41206f00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m20656d6f636c6500,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555554b00,100");  [no ack sent]
putpkt ("$8945f848837df800751b488d3d6f010* b80*"00e8b5fbf* b8f*"ffe9960*"b8110*"83c0014863d0488b45f8be0*"004889c7e89ffbf* 488b15e8142000b8110*"8d4801488b45f889ce4889c7e892fbf* bf91020* e8d2fcf* 488b45f8488d359d1420004889c7e885fbf* 85c0751a488d358a142000488d3d27010* b80*"00e839fbf* eb11488d3d2e010* b80*"00e826fbf* 488b45f84889c7e8fafaf* b80*"00c9c30f1f00415741564989d7415541544c8d25b611200055488d2db6112000534189fd4989f64c29e54883ec0848c1fd03e88ffaf* 4885ed742031db0f1f840*&#6d"); [noack mode]
getpkt ("m212067616c00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m20657461636f6c00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m6120746f6e6e6100,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m2e726574616c00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m6f69782073692000,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m616c662072756f00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("ma7d73257b6100,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m2079725420676e00,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m7257207473735000,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555755d00,100");  [no ack sent]
putpkt ("$0*}0*}0*j30080*(f0070*)10*+10*+c0**80060*)d0**340c0*(190**881d20*'1b0*+80**1a0**901d20*'1c0**#a0"); [noack mode]
getpkt ("m800,100");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]
getpkt ("m555555755e00,100");  [no ack sent]
putpkt ("$080**f5feff6f0*"0098020*)50**10040*)60**c0020*)a0**af0*+b0**180**150*;30**881f20*(20**a80**140*+70**170**d8050*)70*-50*)80**d80*+90**180**1e0*+80**fbf* 6f0*%10*!80*"00fef* 6f0*"00#92"); [noack mode]
getpkt ("m7ffff7dd6000,100");  [no ack sent]
putpkt ("$2cc00100ebe5488b4008bf0210*!4889059a7f2200488936b89e0*"488976100f0585c07429488d1d810c0200488d35b20c02004889dabf020*"31c0e81b060100bf7f0*"e8e1bf0100ebdec605a07f220001eb0231f64889f05bc3488d35e8240200bf020*"4883ec0831c0e8e8050100bf7f0*"e8aebf0100662e0f1f840*'f1f40004889e7e8080e0* 4989c48b05976622005a488d24c429c2524889d64989e54883e4f0488b3da66f2200498d4cd510498d550831ede866f50* 488d15cff80* 4c89ec41ffe4660f1f840*&83470401c390662e0f1f840*&836f0401c390662e0f1f840*&#11"); [noack mode]
getpkt ("m7ffff7de5900,100");  [no ack sent]
putpkt ("$f*"f605566e210002754a488b9308010* eb88a8030f853ef*"e911f*"498b7708803e007518488b050e6e2100488b30488d05b30001004885f6480f44f0488d3daa07010031c0e8af0b0* e987fef* 84d27518488b05df6d2100488b30488d05840001004885f6480f44f0488d3d6707010031c04c890424e87c0b0* 488b83a0*"04c8b04244885c00f85e0fef* e9f4fef* 0f1f00554889e54157415641554154534883ec284c8b25a87f21004983ec010f8823020* c745c0*%4b8d1ce4488d058c76210048c1e3044801c3eb250f1f00488d3d817f2100ff157b8521004983ec014881eb90*"04983fcff0f84ce01#e4"); [noack mode]
getpkt ("m555555554000,100");  [no ack sent]
putpkt ("$7f454c460201010*/3003e00010*"30070*(40*+d82a0*040003800090040001d001c00060*"040*"40*+40*+40*+f8010*(f8010*)80*+30*"040*"38020*(38020*(38020*(1c0**1c0*+10*+10*"050*R580e0*(580e0*,20*(10*"060*"881d0*(881d20*'#3b"); [noack mode]
getpkt ("m7fffffffe400,100");  [no ack sent]
putpkt ("$0*}0*}0*}0*z10**fce6f*"7f0*01ce7f*"7f0*!8edf*"7f0* 3eedf*"7f0* 60edf*"7f0* 75edf*"7f0* #2f"); [noack mode]
getpkt ("m7fffffffe500,100");  [no ack sent]
putpkt ("$86edf*"7f0* 9aedf*"7f0* acedf*"7f0* b8edf*"7f0* e3edf*"7f0* f5edf*"7f0* 17eef*"7f0* 58eef*"7f0* 6beef*"7f0* 81eef*"7f0* 91eef*"7f0* a5eef*"7f0* adeef*"7f0* bceef*"7f0* f2eef*"7f0* 11ef*"f7f0* 91ef*"f7f0*0210*,a0fff7ff7f0* 10*+fffb8b1f0*%60*,10*)110**640*+30**40405*"550*!40**380*+50*+90**#35"); [noack mode]
getpkt ("vCont?");  [no ack sent]
putpkt ("$#00"); [noack mode]
getpkt ("c");  [no ack sent]
putpkt ("$T0506:c04b5*"550* ;07:e0e3f*"7f0* ;10:db4a5*"550* ;#8a"); [noack mode]
getpkt ("g");  [no ack sent]
putpkt ("$d94a5*"550*0c04b5*"550* d8e4f*"7f0* c8e4f*"7f0*!10**c04b5*"550* e0e3f*"7f0* 800dddf7ff7f0* 800dddf7ff7f0*110**30475*"550* c0e4f*"7f0*@db4a5*"550* 46020* 330*"2b0*}0*}0* 80930* 83ef0* 5* 0* ff7e0* 809383ef0c560* 50c97d170*D66732f78383636345f6c696e75782f620*@ff0*2ff002f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f0*}0*}0*}0*Y801f0* f*,c094fdf7ff7f0*}0*}0*}0*}0*}0*}0*}0*)#7a"); [noack mode]
getpkt ("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");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("m555555554a00,100");  [no ack sent]
putpkt ("$d0488d05081620* fb6040289c18b45f883c0014863d0488d05f21520* fb6040283c84a01c889c18b45f84863d0488d05da152000880c028b45f84863d0488d05ca1520* fb60c028b45f883c0014863d0488d05b61520* fb6040283e04531c18b45f84863d0488d05a0152000880c028b45f84863d0488d05901520* fb6040289c18b45f883c0014863d0488d057a1520* fb6040283c81f01c889c18b45f84863d0488d0562152000880c028345fc018b45fc3b45ec0f8c98fdf* 8345f801b8110*"83e8013945f80f8c77fdf* 905dc3554889e54883ec10488d3d68010* e8d3fbf* b8110*"83c00148984889c7e811fcf* 48#79"); [noack mode]
getpkt ("m555555554c00,100");  [no ack sent]
putpkt ("$4c89fa4c89f64489ef41ff14dc4883c3014839dd75ea4883c4085b5d415c415d415e415fc390662e0f1f840*&f3c30* 4883ec084883c408c30*"0100020*&110**57656c636f6d6520546f20416e6f6b686120326b313920506c6561736520456e7465722074686520666c616720210* 43616e6e6f7420616c6c6f6361746520616e79206d656d6f72792073706163652e20506c6561736520747279206c617465722e00596f757220666c61672069732078696f6d6172617b25737d0a000a507373742057726f6e672054727920416761696e20*&11b033b440*"070*"b8f9f* 90*"038faf* #a9"); [noack mode]
getpkt ("m555555554b00,100");  [no ack sent]
putpkt ("$8945f848837df800751b488d3d6f010* b80*"00e8b5fbf* b8f*"ffe9960*"b8110*"83c0014863d0488b45f8be0*"004889c7e89ffbf* 488b15e8142000b8110*"8d4801488b45f889ce4889c7e892fbf* bf91020* e8d2fcf* 488b45f8488d359d1420004889c7e885fbf* 85c0751a488d358a142000488d3d27010* b80*"00e839fbf* eb11488d3d2e010* b80*"00e826fbf* 488b45f84889c7e8fafaf* b80*"00c9c30f1f00415741564989d7415541544c8d25b611200055488d2db6112000534189fd4989f64c29e54883ec0848c1fd03e88ffaf* 4885ed742031db0f1f840*&#6d"); [noack mode]
getpkt ("m7fffffffe300,100");  [no ack sent]
putpkt ("$8777b9f7ff7f0* 80030*(40e3f*"7f0* 50e3f*"7f0* 98eafff7ff7f0*Pf*"ff0*468a2fff7ff7f0* 10e7fff7ff7f0*P47656e750*%90**6076ddf7ff7f0* f8e3f*"7f0* ffb5f0*(10*+d4c5*"550* a059def7ff7f0*0c04b5*"550* 30475*"550* c0e4f*"7f0*0c04b5*"550* 975ba0f7ff7f0*!10**c8e4f*"7f0* #60"); [noack mode]
getpkt ("m7fffffffe400,100");  [no ack sent]
putpkt ("$0080*"10*"d94a5*"550*0798d2d16aa8168ca30475*"550* c0e4f*"7f0*@798d4d46ffd43d9f798d333740c43d9f0*"00ff7f0*@3357def7ff7f0* 38b6dcf7ff7f0* 78d32a0*V30475*"550* c0e4f*"7f0* 5a475*"550* b8e4f*"7f0* 1c0*+10**fce6f*"7f0*01ce7f*"7f0*!8edf*"7f0* 3eedf*"7f0* 60edf*"7f0* 75edf*"7f0* #d1"); [noack mode]
getpkt ("m555555554000,100");  [no ack sent]
putpkt ("$7f454c460201010*/3003e00010*"30070*(40*+d82a0*040003800090040001d001c00060*"040*"40*+40*+40*+f8010*(f8010*)80*+30*"040*"38020*(38020*(38020*(1c0**1c0*+10*+10*"050*R580e0*(580e0*,20*(10*"060*"881d0*(881d20*'#3b"); [noack mode]
getpkt ("qXfer:threads:read::0,3ffe");  [no ack sent]
putpkt ("$l<threads>
<thread id="651b" core="3" name="AnokhREV"/>
</threads>
#ad"); [noack mode]
getpkt ("qXfer:threads:read::0,3ffe");  [no ack sent]
putpkt ("$l<threads>
<thread id="651b" core="3" name="AnokhREV"/>
</threads>
#ad"); [noack mode]
getpkt ("z0,555555554ada,1");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("Hc651b");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("s");  [no ack sent]
putpkt ("$T0506:e0e3f*"7f0* ;07:c8e3f*"7f0* ;10:c049a6f7ff7f0* ;#4f"); [noack mode]
getpkt ("g");  [no ack sent]
putpkt ("$d94a5*"550*0c04b5*"550* d8e4f*"7f0* c8e4f*"7f0* 504c5*"550* e0e3f*"7f0* c8e3f*"7f0* 800dddf7ff7f0* 800dddf7ff7f0*110**30475*"550* c0e4f*"7f0*@c049a6f7ff7f0*!2020* 330*"2b0*}0*}0* 80930* 83ef0* 5* 0* ff7e0* 809383ef0c560* 70ca7d170*D66732f78383636345f6c696e75782f620*@ff0*2ff002f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f0*}0*}0*}0*Y801f0* f*,c094fdf7ff7f0*}0*}0*}0*}0*}0*}0*}0*)#dd"); [noack mode]
getpkt ("Z0,555555554ada,1");  [no ack sent]
putpkt ("$OK#9a"); [noack mode]
getpkt ("c");  [no ack sent]
Welcome To Anokha 2k19 Please Enter the flag !

Psst Wrong Try Again
Child exited with status 0
putpkt ("$W00#b7"); [noack mode]
getpkt ("g");  [no ack sent]
putpkt ("$E01#a6"); [noack mode]

unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

Hi all, I get this trouble when I try the example provided in the documentation; I do not understand what is fair :)

#!/usr/bin/python3
from unicorn import *
from capstone import *
from qiling import *

import sys

# Capstone disassembler for x86-64 (created but not used by this snippet)
md = Cs(CS_ARCH_X86, CS_MODE_64)

def hook_code(mu, address, size, user_data):
    # Unicorn UC_HOOK_CODE callback: runs before every emulated instruction
    print('>>> Tracing instruction at {}, instruction size = {}'.format(hex(address), size))

if __name__ == '__main__':
    ql = Qiling(["./a.out"], "/")            # binary to emulate, rootfs
    ql.show_map_info()
    ql.uc.hook_add(UC_HOOK_CODE, hook_code)  # hook on the underlying Unicorn engine
    ql.run()

[+] 555555554000 - 555555756000 /mnt/c/Users/jukebox/Desktop/Whitebox/lab1/a.out
[+] 7ffff7dd5000 - 7ffff7ffb000 /lib64/ld-linux-x86-64.so.2
brk(0x0)
uname(0x7fffffffe9d0) = 0
access(/etc/ld.so.nohwcap, 0x0) = -1
access(/etc/ld.so.preload, 0x4) = -1
open(/etc/ld.so.cache, 0x80000, 0x1) = 3
fstat(3, 0x7fffffffe3b0) = 0
SYSCALL: ql_syscall_mmap2
[!] SYSCALL: ql_syscall_mmap2
close(3) = 0
Invalid memory read (UC_ERR_READ_UNMAPPED)
[!] Invalid memory read (UC_ERR_READ_UNMAPPED)
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/qiling-0.9-py3.5.egg/qiling/os/linux/x8664.py", line 115, in runner
File "/usr/local/lib/python3.5/dist-packages/unicorn/unicorn.py", line 288, in emu_start
raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "./primus.py", line 17, in <module>
ql.run()
File "/usr/local/lib/python3.5/dist-packages/qiling-0.9-py3.5.egg/qiling/core.py", line 192, in run
File "/usr/local/lib/python3.5/dist-packages/qiling-0.9-py3.5.egg/qiling/os/linux/x8664.py", line 126, in runner
qiling.exception.QlErrorExecutionStop: [!] Emulation Stopped
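The first thing to check when Unicorn raises UC_ERR_READ_UNMAPPED is where the faulting address sits relative to the regions Qiling reported as mapped. The helper below is an added diagnostic example, not code from the issue or from the Qiling project: it parses the "[+] start - end path" lines that show_map_info() printed above, tells whether an access of a given size lies inside a mapping (or runs past its end, or falls in a gap), and wraps that check in a callback with the (ql, access, address, size, value) signature that Qiling's hook_mem_unmapped passes to its callbacks. That signature, the optional permission column tolerated by the regex, and the fault addresses used in the demo are assumptions or constructed values, not taken from the page.

```python
import re
from typing import List, NamedTuple, Optional


class Mapping(NamedTuple):
    start: int   # inclusive
    end: int     # exclusive
    label: str   # path or description printed by Qiling


# Matches the "[+] start - end path" lines Qiling printed above. The optional
# "- rwx" column is an assumption so newer map-info output is also accepted.
_MAP_RE = re.compile(
    r"^\[\+\]\s*([0-9a-fA-F]+)\s*-\s*([0-9a-fA-F]+)\s*(?:-\s*[rwx-]{3}\s*)?(.*?)\s*$"
)

# Sample input: the two map lines from the output in this issue.
SAMPLE_MAP_LINES = [
    "[+] 555555554000 - 555555756000 /mnt/c/Users/jukebox/Desktop/Whitebox/lab1/a.out",
    "[+] 7ffff7dd5000 - 7ffff7ffb000 /lib64/ld-linux-x86-64.so.2",
]


def parse_map_info(lines: List[str]) -> List[Mapping]:
    """Extract mappings from captured show_map_info() output, sorted by start."""
    maps = []
    for line in lines:
        m = _MAP_RE.match(line.strip())
        if m:
            maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return sorted(maps)


def find_mapping(maps: List[Mapping], address: int) -> Optional[Mapping]:
    """Return the mapping containing address, or None if it is unmapped."""
    for mp in maps:
        if mp.start <= address < mp.end:
            return mp
    return None


def diagnose(maps: List[Mapping], address: int, size: int = 1) -> str:
    """Explain an access of `size` bytes at `address` in terms of the known mappings."""
    hit = find_mapping(maps, address)
    if hit is not None:
        last = address + size - 1
        if last < hit.end:
            return f"{address:#x}+{size} is inside {hit.label} [{hit.start:#x}-{hit.end:#x})"
        return (f"{address:#x}+{size} starts in {hit.label} but runs "
                f"{last - hit.end + 1:#x} byte(s) past its end {hit.end:#x}")
    # Unmapped: report the nearest mappings below and above to show the gap.
    below = max((m for m in maps if m.end <= address), key=lambda m: m.end, default=None)
    above = min((m for m in maps if m.start > address), key=lambda m: m.start, default=None)
    parts = [f"{address:#x} is not mapped"]
    if below is not None:
        parts.append(f"{address - below.end:#x} byte(s) above {below.label} (ends {below.end:#x})")
    if above is not None:
        parts.append(f"{above.start - address:#x} byte(s) below {above.label} (starts {above.start:#x})")
    return "; ".join(parts)


class UnmappedReporter:
    """Callback for ql.hook_mem_unmapped(); the (ql, access, address, size, value)
    signature is assumed from Qiling's memory-hook convention."""

    def __init__(self, maps: List[Mapping]):
        self.maps = maps
        self.reports: List[str] = []

    def __call__(self, ql, access, address, size, value) -> bool:
        msg = diagnose(self.maps, address, size)
        self.reports.append(msg)
        print("[unmapped access]", msg)
        return False  # not handled: Unicorn still raises UC_ERR_*_UNMAPPED afterwards


if __name__ == "__main__":
    maps = parse_map_info(SAMPLE_MAP_LINES)
    for mp in maps:
        print(f"{mp.start:#x}-{mp.end:#x} {mp.label}")
    # Constructed fault addresses: inside a.out, straddling its end, and in a gap.
    for addr, size in [(0x555555554ada, 1), (0x555555755ff8, 16), (0x7ffff7ffd010, 8)]:
        print(diagnose(maps, addr, size))
    # With Qiling installed, register the reporter before ql.run(), e.g.
    #   ql.hook_mem_unmapped(UnmappedReporter(parse_map_info(captured_map_lines)))
```

In the traceback above the fault happens while ld.so is still being set up (right after the mmap2 syscall), so an address that lands in a gap between the two reported regions usually points at a region the loader expected the emulator to have mapped; comparing the address against the map table is faster than reading the raw packet dumps.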
