def test_ParseTxt(self): from miasm.arch.x86.arch import mn_x86 from miasm.core.parse_asm import parse_txt loc_db = LocationDB() ASM0 = ''' ; .LFB0: .LA: .text .data .bss .string .ustring .byte 0 0x0 .byte a .comm .split .dontsplit .file .cfi_0 label: JMP EAX ;comment ''' ASM1 = ''' .XXX ''' self.assertTrue(parse_txt(mn_x86, 32, ASM0, loc_db)) self.assertRaises(ValueError, parse_txt, mn_x86, 32, ASM1, loc_db)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt) loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db) ir_arch = ir(loc_db) lbl = loc_db.get_name_location("main") ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg) return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(Lifter, mode, txt, inputstate={}, debug=False): loc_db = LocationDB() asmcfg = parse_asm.parse_txt(mn, mode, txt, loc_db) loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg) lifter = Lifter(loc_db) lbl = loc_db.get_name_location("main") ircfg = lifter.new_ircfg_from_asmcfg(asmcfg) return symb_exec(lbl, lifter, ircfg, inputstate, debug)
def asm(self): asmcfg = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, self.loc_db) # fix shellcode addr self.loc_db.set_location_offset(self.loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_aarch64, asmcfg) for offset, raw in viewitems(patches): s[offset] = raw self.assembly = bytes(s)
def asm(self): blocks, loc_db = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT, loc_db = self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_x86, blocks, loc_db) for offset, raw in viewitems(patches): s[offset] = raw s = bytes(s) self.assembly = s
def asm(self): blocks, loc_db = parse_asm.parse_txt(mn_mips32, 'l', self.TXT, loc_db=self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_mips32, blocks, loc_db) for offset, raw in viewitems(patches): s[offset] = raw s = bytes(s) self.assembly = s
def asm(self): mn_x86 = self.machine.mn asmcfg = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT, self.loc_db) # fix shellcode addr self.loc_db.set_location_offset(self.loc_db.get_name_location("main"), 0x0) output = StrPatchwork() patches = asm_resolve_final(mn_x86, asmcfg) for offset, raw in viewitems(patches): output[offset] = raw self.assembly = bytes(output)
def test_DirectiveDontSplit(self): from miasm.arch.x86.arch import mn_x86 from miasm.core.parse_asm import parse_txt from miasm.core.asmblock import asm_resolve_final loc_db = LocationDB() ASM0 = ''' lbl0: INC EAX JNZ lbl0 INC EAX JZ lbl2 lbl1: NOP JMP lbl0 .dontsplit lbl2: MOV EAX, ECX RET .dontsplit lbl3: ADD EAX, EBX .dontsplit lbl4: .align 0x10 .string "test" lbl5: .string "toto" ''' asmcfg = parse_txt(mn_x86, 32, ASM0, loc_db) patches = asm_resolve_final(mn_x86, asmcfg) lbls = [] for i in range(6): lbls.append(loc_db.get_name_location('lbl%d' % i)) # align test offset = loc_db.get_location_offset(lbls[5]) assert (offset % 0x10 == 0) lbl2block = {} for block in asmcfg.blocks: lbl2block[block.loc_key] = block # dontsplit test assert (lbls[2] == lbl2block[lbls[1]].get_next()) assert (lbls[3] == lbl2block[lbls[2]].get_next()) assert (lbls[4] == lbl2block[lbls[3]].get_next()) assert (lbls[5] == lbl2block[lbls[4]].get_next())
def test_DirectiveSplit(self): from miasm.arch.x86.arch import mn_x86 from miasm.core.parse_asm import parse_txt ASM0 = ''' lbl0: JNZ lbl0 .split lbl1: RET ''' asmcfg, loc_db = parse_txt(mn_x86, 32, ASM0) lbls = [] for i in range(2): lbls.append(loc_db.get_name_location('lbl%d' % i)) lbl2block = {} for block in asmcfg.blocks: lbl2block[block.loc_key] = block # split test assert (lbl2block[lbls[1]].get_next() is None)
from miasm.arch.x86.arch import mn_x86 from miasm.core import parse_asm from miasm.expression.expression import * from miasm.core import asmblock from miasm.arch.x86.ira import ir_a_x86_32 from miasm.analysis.data_flow import DeadRemoval # First, asm code asmcfg, loc_db = parse_asm.parse_txt(mn_x86, 32, ''' main: MOV EAX, 1 MOV EBX, 2 MOV ECX, 2 MOV DX, 2 loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) for block in asmcfg.blocks: print(block) print("symbols:") print(loc_db)
loc_db = LocationDB() translator_smt2 = Translator.to_language("smt2") addr = int(options.address, 16) cont = Container.from_stream(open(args[0], 'rb'), loc_db) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) lifter = machine.lifter(mdis.loc_db) ircfg = lifter.new_ircfg() symbexec = SymbolicExecutionEngine(lifter) asmcfg = parse_asm.parse_txt( machine.mn, 32, ''' init: PUSH argv PUSH argc PUSH ret_addr ''', loc_db ) argc_lbl = loc_db.get_name_location('argc') argv_lbl = loc_db.get_name_location('argv') ret_addr_lbl = loc_db.get_name_location('ret_addr') init_lbl = loc_db.get_name_location('init') argc_loc = ExprLoc(argc_lbl, 32) argv_loc = ExprLoc(argv_lbl, 32) ret_addr_loc = ExprLoc(ret_addr_lbl, 32)
from miasm.expression.expression import * from miasm.core import asmblock from miasm.arch.x86.ira import ir_a_x86_32 from miasm.analysis.data_flow import dead_simp from miasm.analysis.cst_propag import add_state, propagate_cst_expr from miasm.expression.simplifications import expr_simp # First, asm code asmcfg, loc_db = parse_asm.parse_txt( mn_x86, 32, ''' main: PUSH EBP MOV EBP, ESP SUB ESP, 0x40 MOV ECX, 0x51CEB16D MOV DWORD PTR [EBP+0xf8], ECX MOV ECX, DWORD PTR [EBP+0xf8] MOV EDX, 0x51CEB454 XOR ECX, EDX MOV EAX, ECX RET ''') loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) for block in asmcfg.blocks: print(block) print("symbols:") print(loc_db) patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db)
if __name__ == '__main__': translator_smt2 = Translator.to_language("smt2") addr = int(options.address, 16) cont = Container.from_stream(open(args[0], 'rb')) mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db) ir_arch = machine.ir(mdis.loc_db) ircfg = ir_arch.new_ircfg() symbexec = SymbolicExecutionEngine(ir_arch) asmcfg, loc_db = parse_asm.parse_txt(machine.mn, 32, ''' init: PUSH argv PUSH argc PUSH ret_addr ''', loc_db=mdis.loc_db) argc_lbl = loc_db.get_name_location('argc') argv_lbl = loc_db.get_name_location('argv') ret_addr_lbl = loc_db.get_name_location('ret_addr') init_lbl = loc_db.get_name_location('init') argc_loc = ExprLoc(argc_lbl, 32) argv_loc = ExprLoc(argv_lbl, 32) ret_addr_loc = ExprLoc(ret_addr_lbl, 32)
from miasm.core import asmblock from miasm.arch.x86 import arch from miasm.core import parse_asm from miasm.core.interval import interval my_mn = arch.mn_x86 asmcfg, loc_db = parse_asm.parse_txt( my_mn, 64, r''' main: PUSH RBP MOV RBP, RSP loop_dec: CMP RCX, RDX JB loop_dec end: MOV RSP, RBP POP RBP RET ''') loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000) dst_interval = interval([(0x100001000, 0x100002000)]) patches = asmblock.asm_resolve_final(my_mn, asmcfg, loc_db, dst_interval)
from __future__ import print_function from pdb import pm from pprint import pprint from miasm.arch.x86.arch import mn_x86 from miasm.core import parse_asm, asmblock # Assemble code asmcfg, loc_db = parse_asm.parse_txt(mn_x86, 32, ''' main: MOV EAX, 1 MOV EBX, 2 MOV ECX, 2 MOV DX, 2 loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') # Set 'main' loc_key's offset loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) # Spread information and resolve instructions offset patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db) # Show resolved asmcfg for block in asmcfg.blocks:
dst_interval = interval([(pe.rva2virt(s_text.addr), pe.rva2virt(s_text.addr + s_text.size))]) else: st = StrPatchwork() addr_main = 0 virt = st output = st # Get and parse the source code with open(args.source) as fstream: source = fstream.read() loc_db = LocationDB() asmcfg = parse_asm.parse_txt(machine.mn, attrib, source, loc_db) # Fix shellcode addrs loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main) if args.PE: loc_db.set_location_offset( loc_db.get_or_create_name_location("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocks before patching it for block in asmcfg.blocks: print(block) open("graph.dot", "w").write(asmcfg.dot()) # Apply patches
else: st = StrPatchwork() addr_main = 0 virt = st output = st # Get and parse the source code with open(args.source) as fstream: source = fstream.read() loc_db = LocationDB() asmcfg, loc_db = parse_asm.parse_txt(machine.mn, attrib, source, loc_db) # Fix shellcode addrs loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main) if args.PE: loc_db.set_location_offset( loc_db.get_or_create_name_location("MessageBoxA"), pe.DirImport.get_funcvirt( 'USER32.dll', 'MessageBoxA' ) ) # Print and graph firsts blocks before patching it for block in asmcfg.blocks: