switch to oracle

CHALLENGE

@@ -11,6 +11,9 @@ InputOracle -- Preagreed upon inputs (TODO: replace with memory reads from given
   returns
   $v0 = inputs[$a0] >> $a1
 
+This has been changed to an MMIO oracle
+hash at 0x30001000 loads len at 0x31000000 and data at 0x31000004
+
 PreimageOracle -- key value store
   $a0 = dword index in value
   $t0 = hash[31:0]

minigeth/oracle/embedded_mips.go

@@ -5,7 +5,6 @@ package oracle
 
 import (
 	"fmt"
-	"io/ioutil"
 	"math/big"
 	"os"
 	"reflect"
@@ -65,7 +64,7 @@ func Output(output common.Hash) {
 func Preimage(hash common.Hash) []byte {
 	val, ok := preimages[hash]
 	if !ok {
-		f, err := os.Open(fmt.Sprintf("/tmp/eth/%s", hash))
+		/*f, err := os.Open(fmt.Sprintf("/tmp/eth/%s", hash))
 		if err != nil {
 			panic("missing preimage")
 		}
@@ -74,7 +73,20 @@ func Preimage(hash common.Hash) []byte {
 		ret, err := ioutil.ReadAll(f)
 		if err != nil {
 			panic("preimage read failed")
-		}
+		}*/
+
+		// load in hash
+		preImageHash := byteAt(0x30001000, 0x20)
+		copy(preImageHash, hash.Bytes())
+
+		// used in unicorn emulator to trigger the load
+		// in onchain mips, it's instant
+		os.Getpid()
+
+		// ready
+		rawSize := common.CopyBytes(byteAt(0x31000000, 4))
+		size := (int(rawSize[0]) << 24) | (int(rawSize[1]) << 16) | (int(rawSize[2]) << 8) | int(rawSize[3])
+		ret := common.CopyBytes(byteAt(0x31000004, size))
 
 		realhash := crypto.Keccak256Hash(ret)
 		if realhash != hash {

risc/run.py

@@ -3,6 +3,7 @@ import os
 import sys
 import math
 import struct
+import binascii
 import traceback
 from elftools.elf.elffile import ELFFile
 from capstone import *
@@ -25,7 +26,12 @@ regs = ["at", "v0", "v1", "a0", "a1", "a2", "a3"]
 SIZE = 16*1024*1024
 
 heap_start = 0x20000000 # 0x20000000-0x30000000
-# input oracle @ 0x30000000
+# input oracle              @ 0x30000000
+# output oracle             @ 0x30000800
+# preimage oracle (write)   @ 0x30001000
+# preimage oracle (read)    @ 0x31000000-0x32000000 (16 MB)
+# preimage oracle (trigger) @ 0x32000000 (returns size)
+
 brk_start = 0x40000000  # 0x40000000-0x80000000
 
 # hmm, very slow
@@ -75,6 +81,15 @@ def hook_interrupt(uc, intno, user_data):
     syscall_no = uc.reg_read(UC_MIPS_REG_V0)
     uc.reg_write(UC_MIPS_REG_V0, 0)
     uc.reg_write(UC_MIPS_REG_A3, 0)
+
+    if syscall_no == 4020:
+      oracle_hash = binascii.hexlify(uc.mem_read(0x30001000, 0x20)).decode('utf-8')
+      dat = open("/tmp/eth/0x"+oracle_hash, "rb").read()
+      #print("oracle:", oracle_hash, len(dat))
+      uc.mem_write(0x31000000, struct.pack(">I", len(dat)))
+      uc.mem_write(0x31000004, dat)
+      return True
+
     if syscall_no == 4004:
       # write
       fd = uc.reg_read(UC_MIPS_REG_A0)
@@ -127,6 +142,9 @@ def hook_interrupt(uc, intno, user_data):
     elif syscall_no == 4222:
       # gettid
       return
+    elif syscall_no == 4166:
+      # nanosleep
+      return
 
     if syscall_no == 4005:
       filename = uc.reg_read(UC_MIPS_REG_A0)
@@ -267,7 +285,7 @@ mu.mem_map(heap_start, 256*1024*1024)
 mu.mem_map(brk_start, 1024*1024*1024)
 
 # input oracle
-mu.mem_map(0x30000000, 4096)
+mu.mem_map(0x30000000, 0x2000000)
 dat = open("/tmp/eth/13284469", "rb").read()
 mu.mem_write(0x30000000, dat)
 
@@ -323,8 +341,6 @@ for section in elffile.iter_sections():
 
 #mu.hook_add(UC_HOOK_BLOCK, hook_code, user_data=mu)
 
-#mu.hook_add(UC_HOOK_CODE, hook_code, user_data=mu)
-
 
 def hook_mem_invalid(uc, access, address, size, value, user_data):
   pc = uc.reg_read(UC_MIPS_REG_PC)