arm

espes · Mar 21, 2015 · 5a80c28 · 5a80c28
1 parent d9e8de2
commit 5a80c28
Show file tree

Hide file tree

Showing 4 changed files with 268 additions and 51 deletions.
diff --git a/airplay.py b/airplay.py
@@ -726,7 +726,7 @@ class AirplayServer(object):
     def __init__(self, airtunesd_filename=None):
         self.airtunesd_filename = airtunesd_filename
 
-        self.airtunes_port = 49152
+        # self.airtunes_port = 49152
         self.airplay_port = 7000
         self.airplay_mirroring_port = 7100
 
@@ -798,19 +798,14 @@ def register_airtunes(self, port):
 
     def run(self):
 
-        self.zc = zeroconf.Zeroconf()
-        self.register_airtunes(self.airtunes_port)
-        self.register_airplay(self.airplay_port)
-
-
         self.airplay_server = ThreadedHTTPServer(
             ('', self.airplay_port), AirPlayHTTPHandler)
 
         self.airplay_mirroring_server = ThreadedHTTPServer(
             ('', self.airplay_mirroring_port), AirPlayMirroringHTTPHandler)
 
         self.airtunes_server = ThreadedHTTPServer(
-            ('', self.airtunes_port), AirTunesRTSPHandler)
+            ('', 0), AirTunesRTSPHandler)
 
         self.airplay_server.parent = self
         self.airplay_mirroring_server.parent = self
@@ -827,6 +822,12 @@ def run(self):
         self.airplay_mirroring_thread.start()
         # self.airtunes_thead.start()
 
+        # register with bonjour
+        self.zc = zeroconf.Zeroconf()
+        self.register_airtunes(self.airtunes_server.server_port)
+        self.register_airplay(self.airplay_port)
+
+
         print 'Ready'
 
         try:

diff --git a/drm.py b/drm.py
@@ -35,7 +35,7 @@ def initSAP(self):
         pSapInfo = self.p.malloc(4)
         self.p.call(self.fp_initsap, (pSapInfo, self.fpInfo))
 
-        self.sapInfo = self.p.cpu.ld_word(pSapInfo)
+        self.sapInfo = self.p.ld_word(pSapInfo)
 
     def challenge(self, type_, data, stage):
         if stage == 0:
@@ -54,7 +54,7 @@ def challenge(self, type_, data, stage):
         p_out_length = self.p.malloc(4)
 
         p_inout_stage = self.p.malloc(4)
-        self.p.cpu.st_word(p_inout_stage, stage)
+        self.p.st_word(p_inout_stage, stage)
 
         r = self.p.call(self.fp_challenge,
                 (type_, self.fpInfo, self.sapInfo,
@@ -67,11 +67,11 @@ def challenge(self, type_, data, stage):
 
         #assert r == 0
 
-        out_data = self.p.cpu.ld_word(p_out_data)
+        out_data = self.p.ld_word(p_out_data)
         # print "out_data", hex(out_data)
-        out_length = self.p.cpu.ld_word(p_out_length)
+        out_length = self.p.ld_word(p_out_length)
         # print "out_length", hex(out_length)
-        out_stage = self.p.cpu.ld_word(p_inout_stage)
+        out_stage = self.p.ld_word(p_inout_stage)
         # print "out_stage", out_stage
 
         if stage == 0:
@@ -95,11 +95,20 @@ def decrypt_key(self, param1):
 
         assert r == 0
 
-        out_data = self.p.cpu.ld_word(p_out_data)
+        out_data = self.p.ld_word(p_out_data)
         # print "out_data", hex(out_data)
-        out_length = self.p.cpu.ld_word(p_out_length)
+        out_length = self.p.ld_word(p_out_length)
         # print "out_length", hex(out_length)
 
         assert out_length == 16
 
         return self.p.copyout(out_data, out_length)
+
+if __name__ == "__main__":
+    fp = FairPlaySAP()
+
+    print
+    print "Stage 0"
+    print
+    r0 = fp.challenge(2, "46504c590201010000000004020001bb".decode("hex"), 0)
+    print r0.encode("hex")
diff --git a/dyld_info.py b/dyld_info.py
@@ -37,6 +37,22 @@
 BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB = 0xC0
 
 
+REBASE_TYPE_POINTER = 1
+REBASE_TYPE_TEXT_ABSOLUTE32 = 2
+REBASE_TYPE_TEXT_PCREL32 = 3
+
+REBASE_OPCODE_MASK = 0xF0
+REBASE_IMMEDIATE_MASK = 0x0F
+REBASE_OPCODE_DONE = 0x00
+REBASE_OPCODE_SET_TYPE_IMM = 0x10
+REBASE_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB = 0x20
+REBASE_OPCODE_ADD_ADDR_ULEB = 0x30
+REBASE_OPCODE_ADD_ADDR_IMM_SCALED = 0x40
+REBASE_OPCODE_DO_REBASE_IMM_TIMES = 0x50
+REBASE_OPCODE_DO_REBASE_ULEB_TIMES = 0x60
+REBASE_OPCODE_DO_REBASE_ADD_ADDR_ULEB = 0x70
+REBASE_OPCODE_DO_REBASE_ULEB_TIMES_SKIPPING_ULEB = 0x80
+
 def readString(f):
     r = ""
     while True:
@@ -80,21 +96,61 @@ def readSLeb128(f):
 
     return res
 
+def read_rebases(f, size, segs, ptrwidth=4):
+    addr = 0
+    rebases = []
+
+    end = f.tell() + size
+    while f.tell() < end:
+        c = ord(f.read(1))
+        opcode = c & REBASE_OPCODE_MASK
+        imm = c & REBASE_IMMEDIATE_MASK
+
+        if opcode == REBASE_OPCODE_DONE:
+            pass
+        elif opcode == REBASE_OPCODE_SET_TYPE_IMM:
+            assert imm == REBASE_TYPE_POINTER
+        elif opcode == REBASE_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB:
+            addr = segs[imm].vmaddr + readULeb128(f)
+        elif opcode == REBASE_OPCODE_ADD_ADDR_ULEB:
+            addr = (addr + readULeb128(f)) % (2 ** 64)
+        elif opcode == REBASE_OPCODE_ADD_ADDR_IMM_SCALED:
+            addr += imm * ptrwidth
+        elif opcode == REBASE_OPCODE_DO_REBASE_IMM_TIMES:
+            for i in xrange(imm):
+                rebases.append(addr)
+                addr += ptrwidth
+        elif opcode == REBASE_OPCODE_DO_REBASE_ULEB_TIMES:
+            count = readULeb128(f)
+            for i in xrange(count):
+                rebases.append(addr)
+                addr += ptrwidth
+        elif opcode == REBASE_OPCODE_DO_REBASE_ADD_ADDR_ULEB:
+            rebases.append(addr)
+            addr += ptrwidth + readULeb128(f)
+        elif opcode == REBASE_OPCODE_DO_REBASE_ULEB_TIMES_SKIPPING_ULEB:
+            count = readULeb128(f)
+            skip = readULeb128(f)
+            for i in xrange(count):
+                rebases.append(addr)
+                addr += skip + ptrwidth
+        else:
+            raise NotImplementedError
 
+    return rebases
 
 def read_binds(f, size, segs, ptrwidth=4):
     libord = 0
     sym = None
     addr = 0
 
-    end = f.tell() + size
-
     symbols = []
 
+    end = f.tell() + size
     while f.tell() < end:
         c = ord(f.read(1))
-        imm = c & BIND_IMMEDIATE_MASK
         opcode = c & BIND_OPCODE_MASK
+        imm = c & BIND_IMMEDIATE_MASK
 
         if opcode == BIND_OPCODE_DONE:
             pass
@@ -104,38 +160,29 @@ def read_binds(f, size, segs, ptrwidth=4):
             libord = readULeb128(f)
         elif opcode == BIND_OPCODE_SET_DYLIB_SPECIAL_IMM:
             libord = (imm | 0xf0) if imm else 0
-
         elif opcode == BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM:
             sym = readString(f)
-
         elif opcode == BIND_OPCODE_SET_TYPE_IMM:
-            pass
-
+            assert imm == BIND_TYPE_POINTER
         elif opcode == BIND_OPCODE_SET_ADDEND_SLEB:
             readSLeb128(f)
-
         elif opcode == BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB:
             addr = segs[imm].vmaddr + readULeb128(f)
-
         elif opcode == BIND_OPCODE_ADD_ADDR_ULEB:
             addr = (addr + readULeb128(f)) % (2 ** 64)
-
         elif opcode == BIND_OPCODE_DO_BIND:
             symbols.append((sym, addr, libord))
             addr += ptrwidth
-
         elif opcode == BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB:
             symbols.append((sym, addr, libord))
             addr += ptrwidth + readULeb128(f)
-
         elif opcode == BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED:
             symbols.append((sym, addr, libord))
             addr += (imm+1) * ptrwidth
-
         elif opcode == BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB:
             count = readULeb128(f)
             skip = readULeb128(f)
-            for i in range(count):
+            for i in xrange(count):
                 symbols.append((sym, addr, libord))
                 addr += skip + ptrwidth
         else:
@@ -175,7 +222,8 @@ def __init__(self, filename, cmd, segs):
             self.exports = []
 
             if cmd.rebase_size:
-                pass
+                f.seek(cmd.rebase_off)
+                self.rebases = read_rebases(f, cmd.rebase_size, segs)
 
             if cmd.bind_size:
                 f.seek(cmd.bind_off)