def generate_medium_reassembler_binary(self, test_bin=True):
try:
nr = NetworkRules()
backend = ReassemblerBackend(self.infile)
patches = []
patches.extend(IndirectCFI(self.infile, backend).get_patches())
patches.extend(
TransmitProtection(self.infile, backend).get_patches())
patches.extend(ShiftStack(self.infile, backend).get_patches())
patches.extend(Adversarial(self.infile, backend).get_patches())
patches.extend(Backdoor(self.infile, backend).get_patches())
# patches.extend(NxStack(self.infile,backend).get_patches())
patches.extend(
MallocExtPatcher(self.infile, backend).get_patches())
patches.extend(
StackRetEncryption(self.infile, backend).get_patches())
patches.extend(
UninitializedPatcher(self.infile, backend).get_patches())
patches.extend(
NoFlagPrintfPatcher(self.infile, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
if test_bin:
test_bin_with_qemu(self.infile, final_content)
res = (final_content, "")
except PatcherexError, e:
traceback.print_exc(e)
res = (None, None)
def generate_medium_reassembler_optimized_binary(self, test_bin=True):
try:
intermediate = tempfile.mktemp(prefix='%s_' %
os.path.basename(self.infile))
optimize_it(self.infile, intermediate)
nr = NetworkRules()
backend = ReassemblerBackend(intermediate)
patches = []
patches.extend(IndirectCFI(intermediate, backend).get_patches())
patches.extend(
TransmitProtection(intermediate, backend).get_patches())
patches.extend(ShiftStack(intermediate, backend).get_patches())
patches.extend(Adversarial(intermediate, backend).get_patches())
patches.extend(Backdoor(intermediate, backend).get_patches())
# patches.extend(NxStack(intermediate,backend).get_patches())
patches.extend(
MallocExtPatcher(intermediate, backend).get_patches())
patches.extend(
StackRetEncryption(intermediate, backend).get_patches())
patches.extend(
UninitializedPatcher(intermediate, backend).get_patches())
patches.extend(
NoFlagPrintfPatcher(intermediate, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
if test_bin:
test_bin_with_qemu(self.infile, final_content)
res = (final_content, "")
except PatcherexError, e:
traceback.print_exc(e)
res = (None, None)
def generate_stackretencryption_binary(self, test_bin=None):
backend = ReassemblerBackend(self.infile)
patches = []
patches.extend(StackRetEncryption(self.infile, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
return (final_content, "")
def generate_indirectcfi_binary(self, test_bin=None): # new
backend = ReassemblerBackend(self.infile)
patches = []
patches.extend(IndirectCFI(self.infile, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
return (final_content, "")
def generate_shiftstack_binary(self, test_bin=None): # new
backend = ReassemblerBackend(self.infile)
patches = []
patches.extend(ShiftStack(self.infile, backend).get_patches())
backend.apply_patches(patches)
final_content = backend.get_final_content()
return (final_content, "")
"gcc -f dwarf -g {in_file} -o {outfile}",
"armel32":
"python arm_fixup.py {in_file} && arm-linux-gnueabi-gcc -Xassembler --gstabs+ -masm-syntax-unified -ffunction-sections -mcpu=cortex-a8 -g {in_file} -o {outfile}",
}
runs = {"armel32": "qemu-arm-static -L /usr/arm-linux-gnueabi {outfile}"}
if len(sys.argv) < 3:
print(
"Usage: {} [binary] [architecture] [autorun]\n\tValid architectures: {}"
.format(sys.argv[0], ", ".join(archs.keys())))
sys.exit(1)
name = sys.argv[1]
arch = sys.argv[2]
autorun = True if len(sys.argv) == 4 else False
backend = ReassemblerBackend(name)
patches = []
out_file = "a.out"
out_asm = "/tmp/{}_mod".format(name.replace("/", "_"))
# and then we save the file
backend._binary.remove_unnecessary_stuff() #Seriously?
try:
backend.save(out_asm)
except Exception as e:
s = str(e)
if "/tmp/" in s:
fname = "/tmp/" + s.split("/tmp/")[1].split(" ")[0]
print("Builtin RAMBLR assembler failed. Asm file at {}".format(fname))
else:
raise
import patcherex
from patcherex.backends.detourbackend import DetourBackend
from patcherex.backends.reassembler_backend import ReassemblerBackend
from patcherex.patches import *
# the detour backend can be used as well:
# backend = DetourBackend("test_binaries/CADET_00003")
backend = ReassemblerBackend("cgc_binaries/CADET_00003")
patches = []
transmit_code = '''
; eax is the transmitted buffer
; ebx is the length
pusha
mov ecx,eax
mov edx,ebx
mov eax,0x2
mov ebx,0x1
mov esi,0x0
int 0x80
popa
ret
'''
patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(AddRODataPatch(b"HI!\x00", name="transmitted_string"))
# the following code is going to be executed just before the original instruction at 0x8048166
injected_code = '''
; at this code location, it is fine to clobber eax and ebx
mov eax, {transmitted_string} ; a patch can refer to another patch address, by putting its name between curly brackets
import patcherex
from patcherex.backends.detourbackend import DetourBackend
from patcherex.backends.reassembler_backend import ReassemblerBackend
from patcherex.patches import *
# the detour backend can be used as well:
# backend = DetourBackend("test_binaries/CADET_00003")
backend = ReassemblerBackend("win_binaries/sh.exe")
patches = []
transmit_code = '''
; eax is the transmitted buffer
; ebx is the length
pusha
mov ecx,eax
mov edx,ebx
mov eax,0x2
mov ebx,0x1
mov esi,0x0
int 0x80
popa
ret
'''
patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(AddRODataPatch(b"HI!\x00", name="transmitted_string"))
# the following code is going to be executed just before the original instruction at 0x8048166
injected_code = '''
; at this code location, it is fine to clobber eax and ebx
mov eax, {transmitted_string} ; a patch can refer to another patch address, by putting its name between curly brackets