def write_patches_to_file(asmcfg, exectbl, out_addr, out_file_name, mode, max_addr=2 ** 64 - 1, head=None):
if head is None:
head = asmcfg.heads()[0]
asmcfg = bbl_simplifier.apply_simp(asmcfg)
asmcfg.rebuild_edges()
remove_redundant_and_unpin_blocks(asmcfg, head, mode)
fix_multiple_next_constraints(asmcfg, mode)
# careless block reordering might have damaged edges of the graph and introduced dead blocks
asmcfg.rebuild_edges()
asmcfg.loc_db.set_location_offset(head, out_addr)
patches = asm_resolve_final(mn_x86, asmcfg, asmcfg.loc_db, dst_interval=interval([(out_addr, max_addr)]))
last_empty_address = 0
for offset, raw in patches.items():
logger.debug(
"patch addr rva is 0x%x; raw is 0x%x; the patch: %s" % (exectbl.virt2rva(offset), offset, raw.hex()))
exectbl.img_rva[exectbl.virt2rva(offset)] = raw
next_empty_address = offset + len(raw)
if last_empty_address < next_empty_address:
last_empty_address = next_empty_address
with open(out_file_name + ".bak", 'wb') as bak:
with open(out_file_name, 'rb') as fl:
bak.write(fl.read())
with open(out_file_name, 'wb') as fl:
fl.write(bytes(exectbl))
return last_empty_address
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db)
ir_arch = ir(loc_db)
lbl = loc_db.get_name_location("main")
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db)
ir_arch = ir(loc_db)
lbl = loc_db.get_name_location("main")
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(Lifter, mode, txt, inputstate={}, debug=False):
loc_db = LocationDB()
asmcfg = parse_asm.parse_txt(mn, mode, txt, loc_db)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg)
lifter = Lifter(loc_db)
lbl = loc_db.get_name_location("main")
ircfg = lifter.new_ircfg_from_asmcfg(asmcfg)
return symb_exec(lbl, lifter, ircfg, inputstate, debug)
def asm(self):
asmcfg = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, self.loc_db)
# fix shellcode addr
self.loc_db.set_location_offset(self.loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_aarch64, asmcfg)
for offset, raw in viewitems(patches):
s[offset] = raw
self.assembly = bytes(s)
def asm(self):
blocks, loc_db = parse_asm.parse_txt(mn_mips32, 'l', self.TXT,
loc_db=self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_mips32, blocks, loc_db)
for offset, raw in viewitems(patches):
s[offset] = raw
s = bytes(s)
self.assembly = s
def asm(self):
blocks, loc_db = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT,
loc_db = self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_x86, blocks, loc_db)
for offset, raw in viewitems(patches):
s[offset] = raw
s = bytes(s)
self.assembly = s
def asm(self):
mn_x86 = self.machine.mn
asmcfg = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT,
self.loc_db)
# fix shellcode addr
self.loc_db.set_location_offset(self.loc_db.get_name_location("main"),
0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, asmcfg)
for offset, raw in viewitems(patches):
output[offset] = raw
self.assembly = bytes(output)
def test_DirectiveDontSplit(self):
from miasm.arch.x86.arch import mn_x86
from miasm.core.parse_asm import parse_txt
from miasm.core.asmblock import asm_resolve_final
loc_db = LocationDB()
ASM0 = '''
lbl0:
INC EAX
JNZ lbl0
INC EAX
JZ lbl2
lbl1:
NOP
JMP lbl0
.dontsplit
lbl2:
MOV EAX, ECX
RET
.dontsplit
lbl3:
ADD EAX, EBX
.dontsplit
lbl4:
.align 0x10
.string "test"
lbl5:
.string "toto"
'''
asmcfg = parse_txt(mn_x86, 32, ASM0, loc_db)
patches = asm_resolve_final(mn_x86, asmcfg)
lbls = []
for i in range(6):
lbls.append(loc_db.get_name_location('lbl%d' % i))
# align test
offset = loc_db.get_location_offset(lbls[5])
assert (offset % 0x10 == 0)
lbl2block = {}
for block in asmcfg.blocks:
lbl2block[block.loc_key] = block
# dontsplit test
assert (lbls[2] == lbl2block[lbls[1]].get_next())
assert (lbls[3] == lbl2block[lbls[2]].get_next())
assert (lbls[4] == lbl2block[lbls[3]].get_next())
assert (lbls[5] == lbl2block[lbls[4]].get_next())
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
for block in asmcfg.blocks:
print(block)
print("symbols:")
print(loc_db)
patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db)
# Translate to IR
ir_arch = ir_a_x86_32(loc_db)
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
deadrm = DeadRemoval(ir_arch)
# Display IR
for lbl, irblock in viewitems(ircfg.blocks):
print(irblock)
# Dead propagation
open('graph.dot', 'w').write(ircfg.dot())
print('*' * 80)
deadrm(ircfg)
from miasm.core import asmblock
from miasm.arch.x86 import arch
from miasm.core import parse_asm
from miasm.core.interval import interval
my_mn = arch.mn_x86
asmcfg, loc_db = parse_asm.parse_txt(
my_mn, 64, r'''
main:
PUSH RBP
MOV RBP, RSP
loop_dec:
CMP RCX, RDX
JB loop_dec
end:
MOV RSP, RBP
POP RBP
RET
''')
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000)
dst_interval = interval([(0x100001000, 0x100002000)])
patches = asmblock.asm_resolve_final(my_mn, asmcfg, loc_db, dst_interval)
# Assemble code
asmcfg, loc_db = parse_asm.parse_txt(mn_x86, 32, '''
main:
MOV EAX, 1
MOV EBX, 2
MOV ECX, 2
MOV DX, 2
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
# Set 'main' loc_key's offset
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
# Spread information and resolve instructions offset
patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db)
# Show resolved asmcfg
for block in asmcfg.blocks:
print(block)
# Print offset -> bytes
pprint(patches)
# Fix shellcode addrs
loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main)
if args.PE:
loc_db.set_location_offset(
loc_db.get_or_create_name_location("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA'))
# Print and graph firsts blocks before patching it
for block in asmcfg.blocks:
print(block)
open("graph.dot", "w").write(asmcfg.dot())
# Apply patches
patches = asmblock.asm_resolve_final(machine.mn, asmcfg, dst_interval)
if args.encrypt:
# Encrypt code
loc_start = loc_db.get_or_create_name_location(args.encrypt[0])
loc_stop = loc_db.get_or_create_name_location(args.encrypt[1])
ad_start = loc_db.get_location_offset(loc_start)
ad_stop = loc_db.get_location_offset(loc_stop)
for ad, val in list(viewitems(patches)):
if ad_start <= ad < ad_stop:
patches[ad] = b"".join(
int_to_byte(ord(x) ^ 0x42) for x in iterbytes(val))
print(patches)
if isinstance(virt, StrPatchwork):
for offset, raw in viewitems(patches):
loc_db.get_or_create_name_location("MessageBoxA"),
pe.DirImport.get_funcvirt(
'USER32.dll',
'MessageBoxA'
)
)
# Print and graph firsts blocks before patching it
for block in asmcfg.blocks:
print(block)
open("graph.dot", "w").write(asmcfg.dot())
# Apply patches
patches = asmblock.asm_resolve_final(
machine.mn,
asmcfg,
loc_db,
dst_interval
)
if args.encrypt:
# Encrypt code
loc_start = loc_db.get_or_create_name_location(args.encrypt[0])
loc_stop = loc_db.get_or_create_name_location(args.encrypt[1])
ad_start = loc_db.get_location_offset(loc_start)
ad_stop = loc_db.get_location_offset(loc_stop)
for ad, val in list(viewitems(patches)):
if ad_start <= ad < ad_stop:
patches[ad] = b"".join(int_to_byte(ord(x) ^ 0x42) for x in iterbytes(val))
print(patches)
if isinstance(virt, StrPatchwork):
