def test_go_to_next_call_Create2times(self):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
disass = Disass32(data=b64decode(data))
disass2 = Disass32(data=b64decode(data))
disass.go_to_next_call('CreateThread')
if not disass2.go_to_next_call('CreateThread'):
assert False
assert True
def reverse(path, verbose):
disass = Disass32(path=path, verbose=verbose)
disass.make_xref()
for p in disass.xref['InternetConnectA']:
disass.set_position(p)
disass.update_stack_and_register()
try:
addr = disass.get_arguments(2)
print " CC\t: %s" % disass.get_string(addr)
except:
continue
if not disass.go_to_next_call('HttpOpenRequestA'):
continue
try:
lpszVerb = disass.get_string(disass.get_arguments(2))
lpszObjectName = disass.get_string(disass.get_arguments(3))
lpszVersion = disass.get_string(disass.get_arguments(4))
print " Request\t: %s %s %s" % (lpszVerb, lpszObjectName,
lpszVersion)
except Exception as e:
print str(e)
continue
def test_where_am_i(self, value):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
return
disass.rename_function('Entrypoint', "hopla")
try:
addr = disass.map_call_by_name["hopla"]
name = disass.map_call[addr]
except:
assert False
if name == "hopla":
assert True
return
assert False
def test_where_am_i(self, value):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
return
disass.register.eip = value[0]
disass.map_call[100] = "100"
disass.map_call[0] = "0"
disass.map_call[10] = "10"
disass.map_call[30] = "30"
disass.map_call[40] = "40"
disass.map_call[20] = "20"
if disass.where_am_i() == value[1]:
assert True
return
assert False
def reverse(path, verbose):
disass = Disass32(path=path, verbose=verbose)
if disass.is_dll():
disass.make_xref()
valuable_information = list()
for address in disass.xref['InternetOpenA']:
disass.set_position(address)
function = disass.where_am_i()
disass.set_position(disass.map_call_by_name[function])
while disass.go_to_instruction('REP'):
disass.update_stack_and_register()
try:
r = disass.get_string(disass.register.esi)
if r not in valuable_information:
valuable_information.append(r)
except:
continue
# If I change function it's finish
if disass.where_am_i() != function:
break
print_result(valuable_information, 'Host')
print_result(valuable_information, 'Content-Type')
print_result(valuable_information, 'Accept-Encoding')
print_result(valuable_information, 'Referer')
print_result(valuable_information, 'Accept-Language')
print_result(valuable_information, 'User-Agent')
print_result(valuable_information, 'Request')
def reverse(path, verbose):
disass = Disass32(path=path, verbose=verbose)
if disass.is_dll():
addrhMainThread = disass.symbols_exported_by_name['hMainThread']
disass.set_position(addrhMainThread)
elif disass.is_exe():
if not disass.go_to_next_call('CreateThread'):
print >> sys.stderr, "CreateThread not found in %s" % path
return
# CreateThread( ..., ... , ... )
startAddress = disass.get_arguments(3)
# We set our position in this Thread
disass.set_virtual_position(startAddress)
else:
return
# We are searching when C&C are copy
if not disass.go_to_next_call('lstrcpyW'):
print >> sys.stderr, "lstrcpyW not found in %s" % path
sys.exit(0)
address_cc1 = disass.get_arguments(2)
print disass.get_string(address_cc1)
# We are searching when C&C are copy
if not disass.go_to_next_call('lstrcpyW'):
print >> sys.stderr, "CALL lstrcpyW not found in %s" % path
sys.exit(0)
address_cc2 = disass.get_arguments(2)
print disass.get_string(address_cc2)
def test_next(self):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
return
s1 = disass.decode[0]
s2 = disass.decode[1]
s3 = disass.decode[2]
s4 = disass.decode[3]
if disass.register.eip != s1[0]:
assert False
disass.next()
if disass.register.eip != s2[0]:
assert False
disass.next()
if disass.register.eip != s3[0]:
assert False
disass.next()
if disass.register.eip != s4[0]:
assert False
assert True
return
def reverse(path, verbose):
disass = Disass32(path=path, verbose=verbose)
if disass.go_to_next_call('CreateMutex'):
address_mutex = disass.get_arguments(3)
mutex = disass.get_string(address_mutex)
print " Mutex\t\t:", mutex
version = mutex.split('v')[1]
print " Version\t:", version
if version[0] == '1':
# Version 1
reverse_v1(disass)
return
elif version[0] == '2':
#Version 2
reverse_v2(disass)
return
try:
reverse_v1(disass)
except:
print "Not supported"
return
def reverse(path, verbose):
disass = Disass32(path=path, verbose=verbose)
if disass.is_dll():
addr_servicemain = disass.symbols_exported_by_name['ServiceMain']
disass.set_position(addr_servicemain)
if not disass.go_to_next_call('_beginthreadex'):
return
addr_startthread = disass.get_arguments(3)
disass.set_virtual_position(addr_startthread)
list_cc = list()
while identify_cc_function(disass):
cc = disass.get_string(disass.get_arguments(1))
if cc not in list_cc:
list_cc.append(cc)
else:
break
print path
for c in list_cc:
print " CC\t:", c
def test_position_value(self):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
try:
disass.set_position(0x0)
except:
assert False
try:
disass.set_position(0x100)
except:
assert False
try:
disass.set_position(0x200)
except:
assert False
assert True
return
def reverse(path, verbose):
disass = Disass32(path=path, verbose=verbose)
disass.go_to_next_call('strncmp')
try:
addr = disass.get_arguments(1)
print " CC\t: %s" % disass.get_string(addr)
except:
pass
def test_load_data_agentuuw(self):
"""
Test de l'initialisation du moteur disass 32
"""
from test.agentuuw.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
return
def test_load_data_minjat(self):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
assert True
return
def test_next_call(self, value):
"""
Test de l'initialisation du moteur disass 32
"""
from test.agentuuw.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
assert True
def reverse(path, verbose):
disass = Disass32(path=path, verbose=verbose)
if disass.go_to_next_call('CreateMutex'):
address_mutex = disass.get_arguments(3)
print " Mutex\t:", disass.get_string(address_mutex)
if disass.go_to_next_call('InternetOpenA'):
ua = disass.get_string(disass.get_arguments(1))
disass.up()
disass.up()
last_position = disass.register.eip
host = disass.get_string(disass.get_arguments(1))
disass.go_to_next_call('InternetConnectA')
try:
port = disass.get_arguments(2)
print " Host\t\t:", host
print " Port\t\t:", port
print " UserAgent\t:", ua
except:
pass
print ""
disass.set_position(last_position)
if disass.go_to_next_call('InternetOpenA'):
ua = disass.get_string(disass.get_arguments(1))
disass.up()
disass.up()
last_position = disass.register.eip
host = disass.get_string(disass.get_arguments(1))
disass.go_to_next_call('InternetConnectA')
try:
port = disass.get_arguments(3)
print " Host\t\t:", host
print " Port\t\t:", port
print " UserAgent\t:", ua
except:
pass
request = ''
if disass.go_to_next_call('HttpOpenRequestA'):
s = disass.get_stack()
request = '%s%s%s%s' % (disass.get_string(
s[10]), "????????", disass.get_string(s[13]), '????????')
request = '%s %s %s' % (disass.get_string(
s[1]), request, disass.get_string(s[3]))
print " Request\t:", request
return True
def test_xref(self):
"""
Test de l'initialisation du moteur disass 32
"""
from test.kimjong.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
disass.make_xref()
assert True
def test_load_data_not_valid_win32(self):
"""
Test de l'initialisation du moteur disass 32
"""
from disass.exceptions import DataNotWin32ApplicationError
from test.minjat.f1 import data
try:
disass = Disass32(data=data)
except DataNotWin32ApplicationError:
return
except:
assert False
assert False
return
def test_get_unicode_value(self):
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
domain = disass.get_string(0x41bad8)
if domain != 'timesofindia.8866.org':
print domain
assert False
assert True
def test_is_not_register(self, value):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
from disass.exceptions import InvalidValueEIP
try:
disass = Disass32(data=b64decode(data))
except:
assert False
if disass.is_register(value):
assert False
assert True
def test_symbols_imported_by_name(self):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
if "InternetReadFile" in disass.symbols_imported_by_name:
assert True
else:
assert False
return
def test_next_call_from_import(self, value):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
res = disass.go_to_next_call(value)
if not res:
assert False
assert True
def reverse(path, verbose):
disass = Disass32(path=path, verbose=verbose)
disass.go_to_next_call('GetCommandLineA')
disass.go_to_instruction('CALL')
disass.go_to_instruction('CALL')
disass.go_to_instruction('CALL')
disass.go_to_instruction('CALL')
if disass.go_to_next_call('memcpy'):
address_mutex = disass.get_arguments(2)
mutex = disass.get_string(address_mutex)
print " C&C\t\t:", mutex
def test_get_arguments(self, value):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
res = disass.go_to_next_call(value)
if int(disass.get_arguments(3)) == 0x403b16:
return
assert False
def reverse(path, verbose):
print path
disass = Disass32(path=path, verbose=verbose)
if disass.go_to_next_call('CreateMutex'):
address_mutex = disass.get_arguments(3)
print " Mutex\t:", disass.get_string(address_mutex)
found = False
if disass.go_to_next_call('__jmp__WS2_32.dll@52'):
print " CC1\t:", disass.get_string(disass.get_arguments(1))
found = True
if disass.go_to_next_call('__jmp__WS2_32.dll@52'):
print " CC2\t:", disass.get_string(disass.get_arguments(1))
if not found:
#
# Check in thread if there is connection with C&C
#
if disass.go_to_next_call('CreateThread'):
startAddress = disass.get_stack()[2]
disass.symbols_imported_by_name["startAdress"] = startAddress
disass.symbols_imported[startAddress] = "startAdress"
disass.set_virtual_position(startAddress)
if disass.go_to_next_call('__jmp__WS2_32.dll@52'):
print " CC1\t:", disass.get_string(disass.get_arguments(1))
found = True
if disass.go_to_next_call('__jmp__WS2_32.dll@52'):
print " CC2\t:", disass.get_string(disass.get_arguments(1))
if not found:
#
# Check if connection with HttpSendRequestA function
#
if disass.go_to_next_call('HttpSendRequestA'):
disass.up()
f2 = disass.where_am_i()
disass.up()
print " CC1\t:", disass.get_string(disass.get_arguments(1))
found = True
if disass.go_to_next_call(f2):
print " CC2\t:", disass.get_string(disass.get_arguments(1))
return
def test_position_negative_value(self):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
from disass.exceptions import InvalidValueEIP
try:
disass = Disass32(data=b64decode(data))
except:
assert False
try:
disass.set_position(-0x20)
except InvalidValueEIP as e:
assert True
return
assert False
def test_go_to_next_call(self, value):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
return
if disass.go_to_next_call(value):
assert True
return
assert False
return
def test_get_arguments_bad_value(self, value):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
res = disass.go_to_next_call(value)
try:
a = disass.get_arguments(0)
except ValueError as e:
return
assert False
def test_entrypoint(self):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
ep = disass.get_entry_point()
if ep == None:
assert False
if ep != disass.register.eip:
assert False
assert True
return
def test_replace_in_function(self, value):
"""
Test de l'initialisation du moteur disass 32
"""
from test.minjat.f1 import data
try:
disass = Disass32(data=b64decode(data))
except:
assert False
return
addr = disass.replace_function(value[0])
print addr, value[1]
if addr == value[1]:
assert True
return
assert False
return
def reverse(path, verbose):
disass = Disass32(path=path, verbose=verbose)
if not disass.go_to_next_call('InternetConnectA'):
print >> sys.stderr, "InternetConnectA not found in %s" % path
return
fn = disass.where_am_i()
address_cc = disass.get_arguments(2)
print " CC\t:", disass.get_string(address_cc)
disass.set_position(disass.map_call_by_name[fn])
if not disass.go_to_next_call('strcpy'):
print >> sys.stderr, "strcat not found in %s" % path
return
address_url = disass.get_arguments(2)
print " URL\t:", disass.get_string(address_url)
