def compute_txt(ir, mode, txt, inputstate={}, debug=False):
asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db)
ir_arch = ir(loc_db)
lbl = loc_db.get_name_location("main")
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
blocks, symbol_pool = parse_asm.parse_txt(mn, mode, txt)
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, blocks, symbol_pool)
interm = ir(symbol_pool)
for bbl in blocks:
interm.add_bloc(bbl)
return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
blocks, symbol_pool = parse_asm.parse_txt(mn, mode, txt)
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, blocks, symbol_pool)
interm = ir(symbol_pool)
for bbl in blocks:
interm.add_bloc(bbl)
return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db)
interm = ir(loc_db)
lbl = loc_db.get_name_location("main")
for bbl in asmcfg.blocks:
interm.add_block(bbl)
return symb_exec(lbl, interm, inputstate, debug)
def asm(self):
blocks, symbol_pool = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT,
symbol_pool = self.myjit.ir_arch.symbol_pool)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_aarch64, blocks, symbol_pool)
for offset, raw in patches.items():
s[offset] = raw
self.assembly = str(s)
def asm(self):
blocks, loc_db = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT,
loc_db = self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_aarch64, blocks, loc_db)
for offset, raw in patches.items():
s[offset] = raw
self.assembly = str(s)
def asm(self):
blocks, symbol_pool = parse_asm.parse_txt(mn_mips32, 'l', self.TXT,
symbol_pool=self.myjit.ir_arch.symbol_pool)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_mips32, blocks, symbol_pool)
for offset, raw in patches.items():
s[offset] = raw
s = str(s)
self.assembly = s
def asm(self):
blocks, loc_db = parse_asm.parse_txt(mn_aarch64,
'l',
self.TXT,
loc_db=self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_aarch64, blocks, loc_db)
for offset, raw in patches.items():
s[offset] = raw
self.assembly = str(s)
def asm(self):
mn_x86 = self.machine.mn
blocks, loc_db = parse_asm.parse_txt(mn_x86,
self.arch_attrib,
self.TXT,
loc_db=self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, blocks, loc_db)
for offset, raw in patches.items():
output[offset] = raw
self.assembly = str(output)
def test_DirectiveDontSplit(self):
from miasm2.arch.x86.arch import mn_x86
from miasm2.core.parse_asm import parse_txt
from miasm2.core.asmblock import asm_resolve_final
ASM0 = '''
lbl0:
INC EAX
JNZ lbl0
INC EAX
JZ lbl2
lbl1:
NOP
JMP lbl0
.dontsplit
lbl2:
MOV EAX, ECX
RET
.dontsplit
lbl3:
ADD EAX, EBX
.dontsplit
lbl4:
.align 0x10
.string "test"
lbl5:
.string "toto"
'''
asmcfg, symbol_pool = parse_txt(mn_x86, 32, ASM0)
patches = asm_resolve_final(mn_x86,
asmcfg,
symbol_pool)
lbls = []
for i in xrange(6):
lbls.append(symbol_pool.getby_name('lbl%d' % i))
# align test
offset = symbol_pool.loc_key_to_offset(lbls[5])
assert(offset % 0x10 == 0)
lbl2block = {}
for block in asmcfg.blocks:
lbl2block[block.loc_key] = block
# dontsplit test
assert(lbls[2] == lbl2block[lbls[1]].get_next())
assert(lbls[3] == lbl2block[lbls[2]].get_next())
assert(lbls[4] == lbl2block[lbls[3]].get_next())
assert(lbls[5] == lbl2block[lbls[4]].get_next())
def asm(self):
mn_x86 = self.machine.mn
blocks, symbol_pool = parse_asm.parse_txt(
mn_x86,
self.arch_attrib,
self.TXT,
symbol_pool=self.myjit.ir_arch.symbol_pool
)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, blocks, symbol_pool)
for offset, raw in patches.items():
output[offset] = raw
self.assembly = str(output)
def asm(self):
mn_x86 = self.machine.mn
blocks, symbol_pool = parse_asm.parse_txt(
mn_x86,
self.arch_attrib,
self.TXT,
symbol_pool=self.myjit.ir_arch.symbol_pool
)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, blocks, symbol_pool)
for offset, raw in patches.items():
output[offset] = raw
self.assembly = str(output)
def asm(self):
mn_x86 = self.machine.mn
blocks, loc_db = parse_asm.parse_txt(
mn_x86,
self.arch_attrib,
self.TXT,
loc_db=self.myjit.ir_arch.loc_db
)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, blocks, loc_db)
for offset, raw in patches.items():
output[offset] = raw
self.assembly = str(output)
# Fix shellcode addrs
symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main)
if args.PE:
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA'))
# Print and graph firsts blocks before patching it
for block in blocks:
print block
open("graph.dot", "w").write(blocks.dot())
# Apply patches
patches = asmblock.asm_resolve_final(machine.mn,
blocks,
symbol_pool,
dst_interval)
if args.encrypt:
# Encrypt code
ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset
ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset
new_patches = dict(patches)
for ad, val in patches.items():
if ad_start <= ad < ad_stop:
new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val])
patches = new_patches
print patches
if isinstance(virt, StrPatchwork):
for offset, raw in patches.items():
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
for block in asmcfg.blocks:
print block
print "symbols:"
print symbol_pool
patches = asmblock.asm_resolve_final(mn_x86, asmcfg, symbol_pool)
# Translate to IR
ir_arch = ir_a_x86_32(symbol_pool)
for block in asmcfg.blocks:
print 'add block'
print block
ir_arch.add_block(block)
# Display IR
for lbl, irblock in ir_arch.blocks.items():
print irblock
# Dead propagation
open('graph.dot', 'w').write(ir_arch.graph.dot())
print '*' * 80
# Assemble code
asmcfg, loc_db = parse_asm.parse_txt(mn_x86, 32, '''
main:
MOV EAX, 1
MOV EBX, 2
MOV ECX, 2
MOV DX, 2
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
# Set 'main' loc_key's offset
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
# Spread information and resolve instructions offset
patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db)
# Show resolved asmcfg
for block in asmcfg.blocks:
print block
# Print offset -> bytes
pprint(patches)
# Fix shellcode addrs
loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main)
if args.PE:
loc_db.set_location_offset(loc_db.get_or_create_name_location("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll',
'MessageBoxA'))
# Print and graph firsts blocks before patching it
for block in asmcfg.blocks:
print block
open("graph.dot", "w").write(asmcfg.dot())
# Apply patches
patches = asmblock.asm_resolve_final(machine.mn,
asmcfg,
loc_db,
dst_interval)
if args.encrypt:
# Encrypt code
loc_start = loc_db.get_or_create_name_location(args.encrypt[0])
loc_stop = loc_db.get_or_create_name_location(args.encrypt[1])
ad_start = loc_db.get_location_offset(loc_start)
ad_stop = loc_db.get_location_offset(loc_stop)
new_patches = dict(patches)
for ad, val in patches.items():
if ad_start <= ad < ad_stop:
new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val])
patches = new_patches
print patches
# Fix shellcode addrs
symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main)
if args.PE:
symbol_pool.set_offset(
symbol_pool.getby_name_create("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA'))
# Print and graph firsts blocks before patching it
for block in blocks:
print block
open("graph.dot", "w").write(blocks.dot())
# Apply patches
patches = asmblock.asm_resolve_final(machine.mn, blocks, symbol_pool,
dst_interval)
if args.encrypt:
# Encrypt code
ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset
ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset
new_patches = dict(patches)
for ad, val in patches.items():
if ad_start <= ad < ad_stop:
new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val])
patches = new_patches
print patches
if isinstance(virt, StrPatchwork):
for offset, raw in patches.items():
virt[offset] = raw
# Assemble code
asmcfg, loc_db = parse_asm.parse_txt(
mn_x86, 32, '''
main:
MOV EAX, 1
MOV EBX, 2
MOV ECX, 2
MOV DX, 2
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
# Set 'main' loc_key's offset
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
# Spread information and resolve instructions offset
patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db)
# Show resolved asmcfg
for block in asmcfg.blocks:
print block
# Print offset -> bytes
pprint(patches)
from miasm2.core import asmblock
from miasm2.arch.x86 import arch
from miasm2.core import parse_asm
from miasm2.core.interval import interval
my_mn = arch.mn_x86
asmcfg, loc_db = parse_asm.parse_txt(my_mn, 64, r'''
main:
PUSH RBP
MOV RBP, RSP
loop_dec:
CMP RCX, RDX
JB loop_dec
end:
MOV RSP, RBP
POP RBP
RET
''')
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000)
dst_interval = interval([(0x100001000, 0x100002000)])
patches = asmblock.asm_resolve_final(
my_mn,
asmcfg,
loc_db,
dst_interval
)
