Beispiel #1
0
 def OVFLADD(a, b):
     size = len(a)
     assert size == len(b)
     maxint = 2**(size * 8) - 1
     a = unpack(a, 'all', endianness='little', sign=False)
     b = unpack(b, 'all', endianness='little', sign=False)
     return (maxint - a) < b
    def run():
        parser1 = Parser()
        parser1.parse_file(PositiveCombinationTest.testfile1)

        backend1 = Z3Backend(name=PositiveCombinationTest.testfile1,
                             voi="variable")
        backend1.log.setLevel(logging.ERROR)
        backend1.exec_statements(parser1.statements)

        parser2 = Parser()
        parser2.parse_file(PositiveCombinationTest.testfile2)

        backend2 = Z3Backend(name=PositiveCombinationTest.testfile2,
                             voi="variable")
        backend2.log.setLevel(logging.ERROR)
        backend2.exec_statements(parser2.statements)

        backend = backend1 & backend2
        backend.log.setLevel(logging.ERROR)
        solver = backend.solver
        model = backend.model

        assert model, "Model unsat. Test failed"

        testcase = backend.generate_testcase("variable")
        testcase = unpack(testcase, 'all')
        assert(testcase > 15)
        assert(testcase & 0xffff == 0)
        assert((testcase & (testcase - 1) != 0))
        return True
Beispiel #3
0
    def _exec_loop(self, stmt):
        if not all(self._eval_condition(x) for x in stmt._conditions):
            return
        name = f"L{stmt._loop_name}"
        varname = Variable(stmt.output_name)
        inputvar = stmt.input_var
        startpos = stmt.startpos
        count = unpack(self._eval_expression(stmt.count),
                       'all',
                       endianness='little')
        structsize = Expression("INT",
                                Expression("IMM", Immediate(stmt.structsize)),
                                Expression("IMM", Immediate(4)))

        self.log.debug(f"Executing loop {name} {count} times")
        for iteration in range(count):
            conditionpref = f"{name}_{iteration}_"
            iterationexpr = Expression("IMM", Immediate(iteration))
            nstartpos = Expression(
                "ADD", startpos, Expression("MUL", structsize, iterationexpr))
            sliceexpr = Expression("Slice", inputvar, nstartpos, structsize)
            assignment = Assignment(varname, sliceexpr)
            self._exec_assignment(assignment)
            for s in stmt._statements:
                if isinstance(s, Condition):
                    s = s.clone()
                    s.add_prefix(conditionpref)
                self._exec_statement(s)
Beispiel #4
0
    def __init__(self, buf):
        n = context.bytes

        # Long
        self.d_ino    = unpack(buf[:n])
        buf=buf[n:]

        # Long
        self.d_off    = unpack(buf[:n])
        buf=buf[n:]

        # Short
        self.d_reclen = unpack(buf[:2], 16)
        buf=buf[2:]

        # Name
        self.d_name = buf[:buf.index('\x00')]
Beispiel #5
0
    def _b(self, addr, ndx, size):
        addr += ndx * size
        data = self._leak(addr, size)

        if not data:
            return None

        return unpack(data, 8 * size)
Beispiel #6
0
 def signed_inner(*args):
     args = [
         unpack(x, 'all', endianness='little', sign=True)
         if n not in skipargs else x for n, x in enumerate(args)
     ]
     ret = func(*args)
     return ret if skipret else pack(
         ret, 'all', endianness='little', sign=True)
Beispiel #7
0
    def _clear(self, addr, ndx, size):
        addr += ndx * size
        data = map(lambda x: self.cache.pop(x, None), range(addr, addr + size))

        if not all(data):
            return None

        return unpack(''.join(data), size * 8)
Beispiel #8
0
 def unsigned_inner(*args):
     # unpack the argumts as unsigned (unless they are ignored)
     args = [
         unpack(x, 'all', endianness='little', sign=False)
         if n not in skipargs else x for n, x in enumerate(args)
     ]
     ret = func(*args)
     return ret if skipret else pack(ret, 'all', endianness='little')
    def __init__(self, buf):
        n = context.bytes

        # Long
        self.d_ino = unpack(buf[:n])
        buf = buf[n:]

        # Long
        self.d_off = unpack(buf[:n])
        buf = buf[n:]

        # Short
        self.d_reclen = unpack(buf[:2], 16)
        buf = buf[2:]

        # Name
        self.d_name = buf[:buf.index('\x00')]
Beispiel #10
0
    def _clear(self, addr, ndx, size):
        addr += ndx * size
        data = [self.cache.pop(x, None) for x in range(addr, addr+size)]

        if not all(data):
            return None

        return unpack(b''.join(data), size*8)
Beispiel #11
0
    def run():
        parser = Parser(pwd=os.path.dirname(os.path.realpath(__file__)))
        parser.parse_file(OptimizationTest.testfile)

        backend = Z3Backend()
        backend.log.setLevel(logging.ERROR)
        backend.exec_statements(parser.statements)
        solver = backend.solver
        model = backend.model

        assert model, "Model unsat. Test failed"

        var1 = backend.generate_testcase(varname="var1")
        var2 = backend.generate_testcase(varname="var2")
        var1 = unpack(var1, 'all', endianness="little")
        var2 = unpack(var2, 'all', endianness="little")
        assert var1 == var2 == 10

        return True
Beispiel #12
0
    def generic_crc(data, polynom, width, init, refin, refout, xorout):
        """A generic CRC-sum function.

        This is suitable to use with:
        http://reveng.sourceforge.net/crc-catalogue/all.htm

        The "check" value in the document is the CRC-sum of the string "123456789".

        Arguments:
            data(str):    The data to calculate the CRC-sum of. This should either be a string or a list of bits.
            polynom(int): The polynomial to use.
            init(int):    If the CRC-sum was calculated in hardware, then this would b
                        the initial value of the checksum register.
            refin(bool):  Should the input bytes be reflected?
            refout(bool): Should the checksum be reflected?
            xorout(int):  The value to xor the checksum with before outputting
        """

        polynom = BitPolynom(int(polynom)) | (1 << width)
        if polynom.degree() != width:
            raise ValueError("Polynomial is too large for that width")

        init &= (1 << width) - 1
        xorout &= (1 << width) - 1

        if isinstance(data, list):
            # refin is not meaningful in this case
            inlen = len(data)
            p = BitPolynom(int(''.join('1' if v else '0' for v in data), 2))
        elif isinstance(data, six.binary_type):
            inlen = len(data) * 8
            if refin:
                data = fiddling.bitswap(data)
            p = BitPolynom(
                packing.unpack(data, 'all', endian='big', sign=False))
        else:
            raise ValueError("Don't know how to crc %s()" %
                             type(data).__name__)
        p = p << width
        p ^= init << inlen
        p = p % polynom
        res = p.n
        if refout:
            res = fiddling.bitswap_int(res, width)
        res ^= xorout

        return res
Beispiel #13
0
def render_body(context, string, append_null=True, **pageargs):
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(pageargs=pageargs,
                                      string=string,
                                      append_null=append_null)
        repr = context.get('repr', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.shellcraft.thumb import mov

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['mov']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from pwnlib.util import lists, packing

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['packing', 'lists']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')

        if append_null:
            string += '\x00'
        if not string:
            return

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['string']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'    /* push ')
        __M_writer(unicode(repr(string)))
        __M_writer(u' */\n\n')
        for word in lists.group(4, string, 'fill', '\x00')[::-1]:
            __M_writer(u'    ')
            __M_writer(unicode(mov('r1', packing.unpack(word))))
            __M_writer(u'\n    push {r1}\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
Beispiel #14
0
    def generic_crc(data, polynom, width, init, refin, refout, xorout):
        """A generic CRC-sum function.

        This is suitable to use with:
        http://reveng.sourceforge.net/crc-catalogue/all.htm

        The "check" value in the document is the CRC-sum of the string "123456789".

        Arguments:
            data(str):    The data to calculate the CRC-sum of. This should either be a string or a list of bits.
            polynom(int): The polynomial to use.
            init(int):    If the CRC-sum was calculated in hardware, then this would b
                        the initial value of the checksum register.
            refin(bool):  Should the input bytes be reflected?
            refout(bool): Should the checksum be reflected?
            xorout(int):  The value to xor the checksum with before outputting
        """

        polynom = BitPolynom(int(polynom)) | (1 << width)
        if polynom.degree() != width:
            raise ValueError("Polynomial is too large for that width")

        init   &= (1 << width)-1
        xorout &= (1 << width)-1

        if isinstance(data, list):
            # refin is not meaningful in this case
            inlen = len(data)
            p = BitPolynom(int(''.join('1' if v else '0' for v in data), 2))
        elif isinstance(data, str):
            inlen = len(data)*8
            if refin:
                data = fiddling.bitswap(data)
            p = BitPolynom(packing.unpack(data, 'all', endian='big', sign=False))
        p = p << width
        p ^= init << inlen
        p  = p % polynom
        res = p.n
        if refout:
            res = fiddling.bitswap_int(res, width)
        res ^= xorout

        return res
Beispiel #15
0
    def field(self, address, obj):
        """field(address, field) => a structure field.

        Leak a field from a structure.

        Arguments:
            address(int): Base address to calculate offsets from
            field(obj):   Instance of a ctypes field

        Return Value:
            The type of the return value will be dictated by
            the type of ``field``.
        """
        size = obj.size
        offset = obj.offset
        data = self.n(address + offset, size)
        if not data:
            return None
        return unpack(data, size * 8)
Beispiel #16
0
    def _telescope(self, addr):
        m = self.to_map(addr)
        if m is None:
            return None

        # code
        if m.is_executable:
            return "%s" % self._disasm(addr, 3)
        # data
        else:
            data = self.read(addr, self.bytes)
            word = packing.unpack(data)
            if 0 <= word <= 4096:
                return str(word)
            elif all(c in string.printable for c in data):
                return self.string(addr, 32) + "..."
            else:
                child = self._telescope(word)
                if child is None:
                    return "0x%08x" % word
                else:
                    return "0x%08x -> %s" % (word, child)
Beispiel #17
0
 def unpack(self, *a, **kw):
     return packing.unpack(self.recvn(context.bytes), *a, **kw)
Beispiel #18
0
 def unpack(self, address, *a, **kw):        return packing.unpack(self.read(address, context.bytes), *a, **kw)
 def string(self, address):
Beispiel #19
0
 def unpack(self, address, *a, **kw):
     """Unpacks an integer from the specified ``address``."""
     return packing.unpack(self.read(address, context.bytes), *a, **kw)
Beispiel #20
0
def render_body(context, egg, start_address=0, double_check=True, **pageargs):
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(start_address=start_address,
                                      pageargs=pageargs,
                                      egg=egg,
                                      double_check=double_check)
        int = context.get('int', UNDEFINED)
        Exception = context.get('Exception', UNDEFINED)
        isinstance = context.get('isinstance', UNDEFINED)
        long = context.get('long', UNDEFINED)
        len = context.get('len', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.shellcraft.arm import mov

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['mov']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from pwnlib.util.packing import unpack

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['unpack']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        from pwnlib import constants

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['constants']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n')

        if not isinstance(egg, (int, long)):
            if not len(egg) == 4:
                raise Exception(
                    'Egg should be either an integer or a four byte string')
            egg = unpack(egg)

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['egg']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\negghunter:\n    eor r1, r1, r1\n')
        if start_address < 1024:
            __M_writer(u'    mvn r2, r1\n')
        else:
            __M_writer(u'    ')
            __M_writer(unicode(mov('r2', (start_address & ~(4096 - 1)) - 1)))
            __M_writer(u'\n')
        __M_writer(u'\n    /* Put egg in r3 */\n    ')
        __M_writer(unicode(mov('r3', egg)))
        __M_writer(
            u'\n\nnext_page:\n    mvn r2, r2, lsr #0x0c\n    mvn r2, r2, lsl #0x0c\n\nnext_byte:\n    add r2, r2, #0x01\n\n'
        )
        if double_check:
            __M_writer(u'    add r0, r2, #0x07\n')
        else:
            __M_writer(u'    add r0, r2, #0x03\n')
        __M_writer(u'    mov r7, #0x21\n    swi #0\n\n    /* EFAULT = ')
        __M_writer(unicode(constants.linux.arm.EFAULT))
        __M_writer(u' means unmapped memory */\n    cmn r0, #')
        __M_writer(unicode(constants.linux.arm.EFAULT))
        __M_writer(u'\n    beq next_page\n\n')
        if double_check:
            __M_writer(u'    ldm r2, {r4, r5}\n')
        else:
            __M_writer(u'    ldm r2, {r4}\n')
        __M_writer(u'\n    cmp r4, r3\n    bne next_byte\n')
        if double_check:
            __M_writer(u'    cmp r5, r3\n    bne next_byte\n')
        __M_writer(u'\negg_found:\n')
        if double_check:
            __M_writer(u'    add pc, r2, #0x08\n')
        else:
            __M_writer(u'    add pc, r2, #0x04\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
Beispiel #21
0
 def _exec_debug(self, stmt):
     self.log.critical(hex(unpack(self._eval_expression(stmt.expr), 'all')))
Beispiel #22
0
def render_body(context, dest, src, stack_allowed=True, **pageargs):
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(dest=dest,
                                      src=src,
                                      pageargs=pageargs,
                                      stack_allowed=stack_allowed)
        int = context.get('int', UNDEFINED)
        isinstance = context.get('isinstance', UNDEFINED)
        hex = context.get('hex', UNDEFINED)
        long = context.get('long', UNDEFINED)
        str = context.get('str', UNDEFINED)
        __M_writer = context.writer()
        from pwnlib.util import lists, packing, fiddling, misc

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([
                (__M_key, __M_locals_builtin_stored[__M_key])
                for __M_key in ['packing', 'fiddling', 'misc', 'lists']
                if __M_key in __M_locals_builtin_stored
            ]))

        import logging
        log = logging.getLogger('pwnlib.shellcraft')

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in ['logging', 'log']
                              if __M_key in __M_locals_builtin_stored]))
        __M_writer(u'\n')
        __M_writer(u'\n')

        regs = [['rax', 'eax', 'ax', 'al'], ['rbx', 'ebx', 'bx', 'bl'],
                ['rcx', 'ecx', 'cx', 'cl'], ['rdx', 'edx', 'dx', 'dl'],
                ['rdi', 'edi', 'di', 'dil'], ['rsi', 'esi', 'si', 'sil'],
                ['rbp', 'ebp', 'bp', 'bpl'], ['rsp', 'esp', 'sp', 'spl'],
                ['r8', 'r8d', 'r8w', 'r8b'], ['r9', 'r9d', 'r9w', 'r9b'],
                ['r10', 'r10d', 'r10w',
                 'r10b'], ['r11', 'r11d', 'r11w', 'r11b'],
                ['r12', 'r12d', 'r12w',
                 'r12b'], ['r13', 'r13d', 'r13w', 'r13b'],
                ['r14', 'r14d', 'r14w', 'r14b'],
                ['r15', 'r15d', 'r15w', 'r15b']]

        def okay(s):
            return '\0' not in s and '\n' not in s

        def pretty(n):
            if n < 0:
                return str(n)
            else:
                return hex(n)

        all_regs, sizes, bigger, smaller = misc.register_sizes(
            regs, [64, 32, 16, 8])
        dest_orig = dest

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                              for __M_key in [
                                  'smaller', 'okay', 'sizes', 'regs',
                                  'dest_orig', 'pretty', 'all_regs', 'bigger'
                              ] if __M_key in __M_locals_builtin_stored]))
        if dest not in all_regs:
            __M_writer(u'    ')
            log.error('%s is not a register' % str(dest_orig))

            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(
                __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                                  for __M_key in []
                                  if __M_key in __M_locals_builtin_stored]))
        elif isinstance(src, (int, long)):
            __M_writer(u'    ')

            if not (-2**(sizes[dest] - 1) <= src < 2**sizes[dest]):
                log.error('Number %s does not fit into %s' %
                          (pretty(src), dest_orig))

            # Calculate the unsigned and signed versions
            srcu = src & (2**sizes[dest] - 1)
            srcs = srcu - 2 * (srcu & (2**(sizes[dest] - 1)))

            # micro-optimization: if you ever touch e.g. eax, then all the upper bits
            # of rax will be set to 0. We exploit this fact here
            if 0 <= src < 2**32 and sizes[dest] == 64:
                dest = smaller[dest][0]

            # Calculate the packed version
            srcp = packing.pack(srcu, sizes[dest], 'little', False)

            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(
                __M_dict_builtin([
                    (__M_key, __M_locals_builtin_stored[__M_key])
                    for __M_key in ['dest', 'srcs', 'srcp', 'srcu']
                    if __M_key in __M_locals_builtin_stored
                ]))
            if src == 0:
                __M_writer(u'        xor ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(dest))
                __M_writer(u'\n')
            elif src == 10 and stack_allowed and sizes[
                    dest] == 32:  # sizes[dest] == 64 not possible here
                __M_writer(u'        push 9\n        pop ')
                __M_writer(unicode(bigger[dest][0]))
                __M_writer(u'\n        inc ')
                __M_writer(unicode(dest))
                __M_writer(u'\n')
            elif stack_allowed and sizes[dest] in [
                    32, 64
            ] and -2**7 <= srcs < 2**7 and okay(srcp[0]):
                __M_writer(u'        push ')
                __M_writer(unicode(pretty(srcs)))
                __M_writer(u'\n        pop ')
                __M_writer(
                    unicode(dest if sizes[dest] == 64 else bigger[dest][0]))
                __M_writer(u'\n')
            elif okay(srcp):
                __M_writer(u'        mov ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(pretty(src)))
                __M_writer(u'\n')
            elif stack_allowed and sizes[dest] in [
                    32, 64
            ] and -2**31 <= srcs < 2**31 and okay(srcp[:4]):
                __M_writer(u'        push ')
                __M_writer(unicode(pretty(srcs)))
                __M_writer(u'\n        pop ')
                __M_writer(
                    unicode(dest if sizes[dest] == 64 else bigger[dest][0]))
                __M_writer(u'\n')
            else:
                __M_writer(u'        ')

                a, b = fiddling.xor_pair(srcp, avoid='\x00\n')
                a = pretty(packing.unpack(a, sizes[dest], 'little', False))
                b = pretty(packing.unpack(b, sizes[dest], 'little', False))

                __M_locals_builtin_stored = __M_locals_builtin()
                __M_locals.update(
                    __M_dict_builtin([
                        (__M_key, __M_locals_builtin_stored[__M_key])
                        for __M_key in ['a', 'b']
                        if __M_key in __M_locals_builtin_stored
                    ]))
                if sizes[dest] != 64:
                    __M_writer(u'          mov ')
                    __M_writer(unicode(dest))
                    __M_writer(u', ')
                    __M_writer(unicode(a))
                    __M_writer(u'\n          xor ')
                    __M_writer(unicode(dest))
                    __M_writer(u', ')
                    __M_writer(unicode(b))
                    __M_writer(u'\n')
                elif stack_allowed:
                    __M_writer(u'          mov ')
                    __M_writer(unicode(dest))
                    __M_writer(u', ')
                    __M_writer(unicode(a))
                    __M_writer(u'\n          push ')
                    __M_writer(unicode(dest))
                    __M_writer(u'\n          mov ')
                    __M_writer(unicode(dest))
                    __M_writer(u', ')
                    __M_writer(unicode(b))
                    __M_writer(u'\n          xor [rsp], ')
                    __M_writer(unicode(dest))
                    __M_writer(u'\n          pop ')
                    __M_writer(unicode(dest))
                    __M_writer(u'\n')
                else:
                    __M_writer(u'          ')
                    log.error("Cannot put %s into '%s' without using stack." %
                              (pretty(src), dest_orig))

                    __M_locals_builtin_stored = __M_locals_builtin()
                    __M_locals.update(
                        __M_dict_builtin([
                            (__M_key, __M_locals_builtin_stored[__M_key])
                            for __M_key in []
                            if __M_key in __M_locals_builtin_stored
                        ]))
        elif src in all_regs:
            __M_writer(u'    ')

            # micro-optimization: if you ever touch e.g. eax, then all the upper bits
            # of rax will be set to 0. We exploit this fact here
            if sizes[dest] == 64 and sizes[src] != 64:
                dest = smaller[dest][0]

            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(
                __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                                  for __M_key in ['dest']
                                  if __M_key in __M_locals_builtin_stored]))
            if src == dest or src in bigger[dest] or src in smaller[dest]:
                __M_writer(u'        /* moving ')
                __M_writer(unicode(src))
                __M_writer(u' into ')
                __M_writer(unicode(dest_orig))
                __M_writer(u', but this is a no-op */\n')
            elif sizes[dest] == sizes[src]:
                __M_writer(u'        mov ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(src))
                __M_writer(u'\n')
            elif sizes[dest] > sizes[src]:
                __M_writer(u'        movzx ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(src))
                __M_writer(u'\n')
            else:
                for r in smaller[src]:
                    if sizes[r] == sizes[dest]:
                        __M_writer(u'                mov ')
                        __M_writer(unicode(dest))
                        __M_writer(u', ')
                        __M_writer(unicode(r))
                        __M_writer(u'\n                ')
                        break

                        __M_locals_builtin_stored = __M_locals_builtin()
                        __M_locals.update(
                            __M_dict_builtin([
                                (__M_key, __M_locals_builtin_stored[__M_key])
                                for __M_key in []
                                if __M_key in __M_locals_builtin_stored
                            ]))
        else:
            __M_writer(u'    ')
            log.error('%s is neither a register nor an immediate' % src)

            __M_locals_builtin_stored = __M_locals_builtin()
            __M_locals.update(
                __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key])
                                  for __M_key in []
                                  if __M_key in __M_locals_builtin_stored]))
        return ''
    finally:
        context.caller_stack._pop_frame()
Beispiel #23
0
def render_body(context, dest, src, stack_allowed=True, **pageargs):
    __M_caller = context.caller_stack._push_frame()
    try:
        __M_locals = __M_dict_builtin(dest=dest,
                                      src=src,
                                      pageargs=pageargs,
                                      stack_allowed=stack_allowed)
        tuple = context.get('tuple', UNDEFINED)
        int = context.get('int', UNDEFINED)
        hex = context.get('hex', UNDEFINED)
        long = context.get('long', UNDEFINED)
        str = context.get('str', UNDEFINED)
        isinstance = context.get('isinstance', UNDEFINED)
        __M_writer = context.writer()

        from pwnlib.shellcraft import eval, pretty, okay
        from pwnlib.util import lists, packing, fiddling, misc
        from pwnlib.log import getLogger
        from pwnlib.shellcraft.registers import get_register, is_register, bits_required
        log = getLogger('pwnlib.shellcraft.i386.mov')

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([
                (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [
                    'okay', 'eval', 'misc', 'bits_required', 'lists',
                    'get_register', 'getLogger', 'packing', 'fiddling',
                    'pretty', 'is_register', 'log'
                ] if __M_key in __M_locals_builtin_stored
            ]))
        __M_writer(u'\n')
        __M_writer(u'\n')
        __M_writer(u'\n')

        src_name = src
        if not isinstance(src, (str, tuple)):
            src_name = pretty(src)

        if not get_register(dest):
            log.error('%r is not a register' % dest)

        dest = get_register(dest)

        if dest.size > 32 or dest.is64bit:
            log.error("cannot use %s on i386" % dest)

        if get_register(src):
            src = get_register(src)

            if src.is64bit:
                log.error("cannot use %s on i386" % src)

            if dest.size < src.size and src.name not in dest.bigger:
                log.error("cannot mov %s, %s: dddest is smaller than src" %
                          (dest, src))
        else:
            src = eval(src)

            if not dest.fits(src):
                log.error("cannot mov %s, %r: dest is smaller than src" %
                          (dest, src))

            src_size = bits_required(src)

            # Calculate the packed version
            mask = ((1 << 32) - 1)
            masked = src & mask
            srcp = packing.pack(masked, dest.size)

            # Calculate the unsigned and signed versions
            srcu = packing.unpack(srcp, dest.size, sign=False)
            srcs = packing.unpack(srcp, dest.size, sign=True)

            srcp_not = packing.pack(fiddling.bnot(masked))
            srcp_neg = packing.pack(fiddling.negate(masked))
            srcu_not = packing.unpack(srcp_not)
            srcu_neg = packing.unpack(srcp_neg)

        __M_locals_builtin_stored = __M_locals_builtin()
        __M_locals.update(
            __M_dict_builtin([
                (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [
                    'src', 'srcp_neg', 'src_size', 'dest', 'mask', 'srcu_not',
                    'srcp_not', 'srcs', 'srcp', 'masked', 'srcu', 'src_name',
                    'srcu_neg'
                ] if __M_key in __M_locals_builtin_stored
            ]))
        if is_register(src):
            if src == dest:
                __M_writer(u'    /* moving ')
                __M_writer(unicode(src))
                __M_writer(u' into ')
                __M_writer(unicode(dest))
                __M_writer(u', but this is a no-op */\n')
            elif src.name in dest.bigger:
                __M_writer(u'    /* moving ')
                __M_writer(unicode(src))
                __M_writer(u' into ')
                __M_writer(unicode(dest))
                __M_writer(u', but this is a no-op */\n')
            elif dest.size > src.size:
                __M_writer(u'    movzx ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(src))
                __M_writer(u'\n')
            else:
                __M_writer(u'    mov ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(src))
                __M_writer(u'\n')
        elif isinstance(src, (int, long)):
            if src == 0:
                __M_writer(u'        xor ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(dest))
                __M_writer(u'\n')
            elif stack_allowed and dest.size == 32 and src == 10:
                __M_writer(u'        push 9 /* mov ')
                __M_writer(unicode(dest))
                __M_writer(u", '\\n' */\n        pop ")
                __M_writer(unicode(dest))
                __M_writer(u'\n        inc ')
                __M_writer(unicode(dest))
                __M_writer(u'\n')
            elif stack_allowed and dest.size == 32 and okay(srcp):
                __M_writer(u'        push ')
                __M_writer(unicode(pretty(src)))
                __M_writer(u'\n        pop ')
                __M_writer(unicode(dest))
                __M_writer(u'\n')
            elif stack_allowed and dest.size == 32 and -127 <= srcs < 128 and okay(
                    srcp[0]):
                __M_writer(u'        push ')
                __M_writer(unicode(pretty(src)))
                __M_writer(u'\n        pop ')
                __M_writer(unicode(dest))
                __M_writer(u'\n')
            elif okay(srcp):
                __M_writer(u'        mov ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(pretty(src)))
                __M_writer(u'\n')
            elif 0 <= srcu < 2**8 and okay(srcp[0]) and dest.sizes.get(8, 0):
                __M_writer(u'        xor ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(dest))
                __M_writer(u'\n        mov ')
                __M_writer(unicode(dest.sizes[8]))
                __M_writer(u', ')
                __M_writer(unicode(pretty(srcu)))
                __M_writer(u'\n')
            elif srcu == (srcu & 0xff00) and okay(srcp[1]) and dest.ff00:
                __M_writer(u'        xor ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(dest))
                __M_writer(u'\n        mov ')
                __M_writer(unicode(dest.ff00))
                __M_writer(u', ')
                __M_writer(unicode(pretty(src)))
                __M_writer(u' >> 8\n')
            elif 0 <= srcu < 2**16 and okay(srcp[:2]) and dest.sizes[16]:
                __M_writer(u'        xor ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(dest))
                __M_writer(u'\n        mov ')
                __M_writer(unicode(dest.sizes[16]))
                __M_writer(u', ')
                __M_writer(unicode(pretty(src)))
                __M_writer(u'\n')
            elif okay(srcp_neg):
                __M_writer(u'        mov ')
                __M_writer(unicode(dest))
                __M_writer(u', -')
                __M_writer(unicode(pretty(src)))
                __M_writer(u'\n        neg ')
                __M_writer(unicode(dest))
                __M_writer(u'\n')
            elif okay(srcp_not):
                __M_writer(u'        mov ')
                __M_writer(unicode(dest))
                __M_writer(u', (-1) ^ ')
                __M_writer(unicode(pretty(src)))
                __M_writer(u'\n        not ')
                __M_writer(unicode(dest))
                __M_writer(u'\n')
            else:
                __M_writer(u'        ')

                a, b = fiddling.xor_pair(srcp, avoid='\x00\n')
                a = hex(packing.unpack(a, dest.size))
                b = hex(packing.unpack(b, dest.size))

                __M_locals_builtin_stored = __M_locals_builtin()
                __M_locals.update(
                    __M_dict_builtin([
                        (__M_key, __M_locals_builtin_stored[__M_key])
                        for __M_key in ['a', 'b']
                        if __M_key in __M_locals_builtin_stored
                    ]))
                __M_writer(u'        mov ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(a))
                __M_writer(u'\n        xor ')
                __M_writer(unicode(dest))
                __M_writer(u', ')
                __M_writer(unicode(a))
                __M_writer(u' ^ ')
                __M_writer(unicode(pretty(src)))
                __M_writer(u'\n')
        return ''
    finally:
        context.caller_stack._pop_frame()
Beispiel #24
0
def unpack_bytes(s: bytes, n: int = None) -> int:
    '''Unpack the first `n` bytes of a bytestring,
    defaulting to n=context.bytes'''
    if n is None: n = context.bytes
    return unpack(s[:n], n * 8)
Beispiel #25
0
    def unpack(self, *a, **kw):     return packing.unpack(self.recvn(context.bytes), *a, **kw)

    def flat(self, *a, **kw):       return self.send(packing.flat(*a,**kw))