def compute_txt(ir, mode, txt, inputstate={}, debug=False): blocs, symbol_pool = parse_asm.parse_txt(mn, mode, txt) symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) patches = asmbloc.asm_resolve_final(mn, blocs[0], symbol_pool) interm = ir(symbol_pool) for bbl in blocs[0]: interm.add_bloc(bbl) return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): blocs, symbol_pool = parse_asm.parse_txt(mn, mode, txt) symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) resolved_b, patches = asmbloc.asm_resolve_final(mn, blocs[0], symbol_pool) interm = ir(symbol_pool) for bbl in resolved_b: interm.add_bloc(bbl) return symb_exec(interm, inputstate, debug)
def asm(self): blocs, symbol_pool = parse_asm.parse_txt(mn_aarch64, "l", self.TXT, symbol_pool=self.myjit.ir_arch.symbol_pool) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) s = StrPatchwork() patches = asmbloc.asm_resolve_final(mn_aarch64, blocs, symbol_pool) for offset, raw in patches.items(): s[offset] = raw self.assembly = str(s)
def asm(self): blocs, symbol_pool = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, symbol_pool = self.myjit.ir_arch.symbol_pool) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) s = StrPatchwork() patches = asmbloc.asm_resolve_final(mn_aarch64, blocs, symbol_pool) for offset, raw in patches.items(): s[offset] = raw self.assembly = str(s)
def assemble_text(src_text, symbols=[], mach_name="x86_64", mach_attr=64): # 指定アーキテクチャのニーモニックを取得 mnemo = Machine(mach_name).mn # セクションとシンボルの取得 sections, symbol_pool = parse_asm.parse_txt(mnemo, mach_attr, src_text) # シンボル毎のアドレスを設定 for name, addr in symbols: symbol_pool.set_offset(symbol_pool.getby_name(name), addr) # アセンブル patches = asmbloc.asm_resolve_final(mnemo, sections[0], symbol_pool) # アセンブル結果の構築 patch_worker = StrPatchwork() for offset, raw in patches.items(): patch_worker[offset] = raw return str(patch_worker)
def test_DirectiveDontSplit(self): from miasm2.arch.x86.arch import mn_x86 from miasm2.core.parse_asm import parse_txt from miasm2.core.asmbloc import asm_resolve_final ASM0 = ''' lbl0: INC EAX JNZ lbl0 INC EAX JZ lbl2 lbl1: NOP JMP lbl0 .dontsplit lbl2: MOV EAX, ECX RET .dontsplit lbl3: ADD EAX, EBX .dontsplit lbl4: .align 0x10 .string "test" lbl5: .string "toto" ''' blocks, symbol_pool = parse_txt(mn_x86, 32, ASM0) patches = asm_resolve_final(mn_x86, blocks, symbol_pool) lbls = [] for i in xrange(6): lbls.append(symbol_pool.getby_name('lbl%d' % i)) # align test assert(lbls[5].offset % 0x10 == 0) lbl2block = {} for block in blocks: lbl2block[block.label] = block # dontsplit test assert(lbls[2] == lbl2block[lbls[1]].get_next()) assert(lbls[3] == lbl2block[lbls[2]].get_next()) assert(lbls[4] == lbl2block[lbls[3]].get_next()) assert(lbls[5] == lbl2block[lbls[4]].get_next())
def test_DirectiveDontSplit(self): from miasm2.arch.x86.arch import mn_x86 from miasm2.core.parse_asm import parse_txt from miasm2.core.asmbloc import asm_resolve_final ASM0 = ''' lbl0: INC EAX JNZ lbl0 INC EAX JZ lbl2 lbl1: NOP JMP lbl0 .dontsplit lbl2: MOV EAX, ECX RET .dontsplit lbl3: ADD EAX, EBX .dontsplit lbl4: .align 0x10 .string "test" lbl5: .string "toto" ''' blocks, symbol_pool = parse_txt(mn_x86, 32, ASM0) patches = asm_resolve_final(mn_x86, blocks, symbol_pool) lbls = [] for i in xrange(6): lbls.append(symbol_pool.getby_name('lbl%d' % i)) # align test assert (lbls[5].offset % 0x10 == 0) lbl2block = {} for block in blocks: lbl2block[block.label] = block # dontsplit test assert (lbls[2] == lbl2block[lbls[1]].get_next()) assert (lbls[3] == lbl2block[lbls[2]].get_next()) assert (lbls[4] == lbl2block[lbls[3]].get_next()) assert (lbls[5] == lbl2block[lbls[4]].get_next())
# Fix shellcode addrs symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main) if args.PE: symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), pe.DirImport.get_funcvirt('MessageBoxA')) # Print and graph firsts blocs before patching it for bloc in blocs[0]: print bloc graph = asmbloc.bloc2graph(blocs[0]) open("graph.txt", "w").write(graph) # Apply patches resolved_b, patches = asmbloc.asm_resolve_final(machine.mn, blocs[0], symbol_pool) if args.encrypt: # Encrypt code ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset new_patches = dict(patches) for ad, val in patches.items(): if ad_start <= ad < ad_stop: new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val]) patches = new_patches print patches for offset, raw in patches.items(): virt[offset] = raw
# Fix shellcode addrs symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main) if args.PE: symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), pe.DirImport.get_funcvirt('MessageBoxA')) # Print and graph firsts blocs before patching it for bloc in blocs[0]: print bloc graph = asmbloc.bloc2graph(blocs[0]) open("graph.txt", "w").write(graph) # Apply patches patches = asmbloc.asm_resolve_final(machine.mn, blocs[0], symbol_pool, dst_interval) if args.encrypt: # Encrypt code ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset new_patches = dict(patches) for ad, val in patches.items(): if ad_start <= ad < ad_stop: new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val]) patches = new_patches print patches for offset, raw in patches.items(): virt[offset] = raw
LDR R3, [PC, mykey1-$] loop: ADD R2, R1, R2 ADD R1, R1, 1 LDR R3, [PC, mykey2-$] CMP R1, R3 BEQ loop ADD R0, R1, R2 BX LR mykey1: .long 0x1 mykey2: .long 0x2 ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0) for b in blocs[0]: print b resolved_b, patches = asmbloc.asm_resolve_final( mn_arm, blocs[0], symbol_pool) print patches for offset, raw in patches.items(): st[offset] = raw open('arm_sc.bin', 'wb').write(str(st))
# Fix shellcode addrs symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main) if args.PE: symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocs before patching it for bloc in blocs: print bloc open("graph.dot", "w").write(blocs.dot()) # Apply patches patches = asmbloc.asm_resolve_final(machine.mn, blocs, symbol_pool, dst_interval) if args.encrypt: # Encrypt code ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset new_patches = dict(patches) for ad, val in patches.items(): if ad_start <= ad < ad_stop: new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val]) patches = new_patches print patches if isinstance(virt, StrPatchwork): for offset, raw in patches.items():
MOV RDX, msg MOV RCX, 0x0 MOV RAX, QWORD PTR [ MessageBoxA ] CALL RAX RET title: .string "Hello!" msg: .string "World!" ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr)) symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), e.DirImport.get_funcvirt('MessageBoxA')) e.Opthdr.AddressOfEntryPoint = s_text.addr for b in blocs[0]: print b resolved_b, patches = asmbloc.asm_resolve_final( mn_x86, blocs[0], symbol_pool, max_offset=0xFFFFFFFFFFFFFFFF) print patches for offset, raw in patches.items(): e.virt[offset] = raw open('box_x86_64.bin', 'wb').write(str(e))
ADDIU A2, A2, 0x1 MOVN A1, ZERO, ZERO JR RA ADDIU A2, A2, 0x1 ''' blocs_b, symbol_pool_b = parse_asm.parse_txt(mn_mips32, "b", txt) blocs_l, symbol_pool_l = parse_asm.parse_txt(mn_mips32, "l", txt) # fix shellcode addr symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0) symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0) for b in blocs_b[0]: print b resolved_b, patches_b = asmbloc.asm_resolve_final( mn_mips32, blocs_b[0], symbol_pool_b) resolved_l, patches_l = asmbloc.asm_resolve_final( mn_mips32, blocs_l[0], symbol_pool_l) print patches_b print patches_l for offset, raw in patches_b.items(): st_b[offset] = raw for offset, raw in patches_l.items(): st_l[offset] = raw open('mips32_sc_b.bin', 'wb').write(str(st_l)) open('mips32_sc_l.bin', 'wb').write(str(st_l))
# fix shellcode addr symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0) symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0) # graph sc#### g = asmbloc.bloc2graph(blocs_b[0]) open("graph.txt", "w").write(g) s_b = StrPatchwork() s_l = StrPatchwork() print "symbols" print symbol_pool_b # dont erase from start to shell code padading resolved_b, patches_b = asmbloc.asm_resolve_final( my_mn, blocs_b[0], symbol_pool_b) resolved__l, patches_l = asmbloc.asm_resolve_final( my_mn, blocs_l[0], symbol_pool_l) print patches_b print patches_l for offset, raw in patches_b.items(): s_b[offset] = raw for offset, raw in patches_l.items(): s_l[offset] = raw open('demo_armt_b.bin', 'wb').write(str(s_b)) open('demo_armt_l.bin', 'wb').write(str(s_l))
blocs_b, symbol_pool_b = parse_asm.parse_txt(my_mn, "b", txt) blocs_l, symbol_pool_l = parse_asm.parse_txt(my_mn, "l", txt) # fix shellcode addr symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0x0) symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0x0) # graph sc#### g = asmbloc.bloc2graph(blocs_l[0]) open("graph.txt", "w").write(g) s_b = StrPatchwork() s_l = StrPatchwork() print "symbols" print symbol_pool_l # dont erase from start to shell code padading resolved_b, patches_b = asmbloc.asm_resolve_final(my_mn, blocs_b[0], symbol_pool_b) resolved_l, patches_l = asmbloc.asm_resolve_final(my_mn, blocs_l[0], symbol_pool_l) print patches_b for offset, raw in patches_b.items(): s_b[offset] = raw for offset, raw in patches_l.items(): s_l[offset] = raw open('demo_arm_b.bin', 'w').write(str(s_b)) open('demo_arm_l.bin', 'w').write(str(s_l))
# Assemble code blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' main: MOV EAX, 1 MOV EBX, 2 MOV ECX, 2 MOV DX, 2 loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') # Set 'main' label's offset symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) # Spread information and resolve instructions offset resolved_b, patches = asmbloc.asm_resolve_final(mn_x86, blocs[0], symbol_pool) # Show resolved blocs for bloc in resolved_b: print bloc # Print offset -> bytes pprint(patches)
MOV RCX, 0x0 MOV RAX, QWORD PTR [ MessageBoxA ] CALL RAX RET title: .string "Hello!" msg: .string "World!" ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr)) symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), e.DirImport.get_funcvirt('MessageBoxA')) e.Opthdr.AddressOfEntryPoint = s_text.addr for b in blocs[0]: print b resolved_b, patches = asmbloc.asm_resolve_final(mn_x86, blocs[0], symbol_pool, max_offset=0xFFFFFFFFFFFFFFFF) print patches for offset, raw in patches.items(): e.virt[offset] = raw open('box_x86_64.bin', 'wb').write(str(e))
loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) for b in blocs: print b print "symbols:" print symbol_pool patches = asmbloc.asm_resolve_final(mn_x86, blocs, symbol_pool) # Translate to IR ir_arch = ir_a_x86_32(symbol_pool) for b in blocs: print 'add bloc' print b ir_arch.add_bloc(b) # Display IR for lbl, b in ir_arch.blocs.items(): print b # Dead propagation open('graph.dot', 'w').write(ir_arch.graph.dot()) print '*' * 80