def test_ParseTxt(self):
from miasm2.arch.x86.arch import mn_x86
from miasm2.core.parse_asm import parse_txt
ASM0 = '''
;
.LFB0:
.LA:
.text
.data
.bss
.string
.ustring
.byte 0 0x0
.byte a
.comm
.split
.dontsplit
.file
.cfi_0
label:
JMP EAX ;comment
'''
ASM1 = '''
.XXX
'''
self.assertTrue(parse_txt(mn_x86, 32, ASM0))
self.assertRaises(ValueError, parse_txt, mn_x86, 32, ASM1)
def test_ParseTxt(self):
from miasm2.arch.x86.arch import mn_x86
from miasm2.core.parse_asm import parse_txt
ASM0 = '''
;
.LFB0:
.LA:
.text
.data
.bss
.string
.ustring
.byte 0 0x0
.byte a
.comm
.split
.dontsplit
.file
.cfi_0
label:
JMP EAX ;comment
'''
ASM1 = '''
.XXX
'''
self.assertTrue(parse_txt(mn_x86, 32, ASM0))
self.assertRaises(ValueError, parse_txt, mn_x86, 32, ASM1)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
blocs, symbol_pool = parse_asm.parse_txt(mn, mode, txt)
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
patches = asmbloc.asm_resolve_final(mn, blocs[0], symbol_pool)
interm = ir(symbol_pool)
for bbl in blocs[0]:
interm.add_bloc(bbl)
return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
blocks, symbol_pool = parse_asm.parse_txt(mn, mode, txt)
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, blocks, symbol_pool)
interm = ir(symbol_pool)
for bbl in blocks:
interm.add_bloc(bbl)
return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db)
ir_arch = ir(loc_db)
lbl = loc_db.get_name_location("main")
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
asmcfg, symbol_pool = parse_asm.parse_txt(mn, mode, txt)
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg, symbol_pool)
interm = ir(symbol_pool)
lbl = symbol_pool.getby_name("main")
for bbl in asmcfg.blocks:
interm.add_block(bbl)
return symb_exec(lbl, interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db)
interm = ir(loc_db)
lbl = loc_db.get_name_location("main")
for bbl in asmcfg.blocks:
interm.add_block(bbl)
return symb_exec(lbl, interm, inputstate, debug)
def asm(self):
blocs, symbol_pool = parse_asm.parse_txt(mn_aarch64, "l", self.TXT, symbol_pool=self.myjit.ir_arch.symbol_pool)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
s = StrPatchwork()
patches = asmbloc.asm_resolve_final(mn_aarch64, blocs, symbol_pool)
for offset, raw in patches.items():
s[offset] = raw
self.assembly = str(s)
def asm(self):
blocs, symbol_pool = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT,
symbol_pool = self.myjit.ir_arch.symbol_pool)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
s = StrPatchwork()
patches = asmbloc.asm_resolve_final(mn_aarch64, blocs, symbol_pool)
for offset, raw in patches.items():
s[offset] = raw
self.assembly = str(s)
def asm(self):
blocks, loc_db = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT,
loc_db = self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_aarch64, blocks, loc_db)
for offset, raw in patches.items():
s[offset] = raw
self.assembly = str(s)
def asm(self):
blocks, loc_db = parse_asm.parse_txt(mn_aarch64,
'l',
self.TXT,
loc_db=self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_aarch64, blocks, loc_db)
for offset, raw in patches.items():
s[offset] = raw
self.assembly = str(s)
def asm(self):
mn_x86 = self.machine.mn
blocks, loc_db = parse_asm.parse_txt(mn_x86,
self.arch_attrib,
self.TXT,
loc_db=self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, blocks, loc_db)
for offset, raw in patches.items():
output[offset] = raw
self.assembly = str(output)
def assemble_text(src_text, symbols=[], mach_name="x86_64", mach_attr=64):
# 指定アーキテクチャのニーモニックを取得
mnemo = Machine(mach_name).mn
# セクションとシンボルの取得
sections, symbol_pool = parse_asm.parse_txt(mnemo, mach_attr, src_text)
# シンボル毎のアドレスを設定
for name, addr in symbols:
symbol_pool.set_offset(symbol_pool.getby_name(name), addr)
# アセンブル
patches = asmbloc.asm_resolve_final(mnemo, sections[0], symbol_pool)
# アセンブル結果の構築
patch_worker = StrPatchwork()
for offset, raw in patches.items():
patch_worker[offset] = raw
return str(patch_worker)
def assemble_text(src_text, symbols=[], mach_name="x86_64", mach_attr=64):
# 指定アーキテクチャのニーモニックを取得
mnemo = Machine(mach_name).mn
# セクションとシンボルの取得
sections, symbol_pool = parse_asm.parse_txt(mnemo, mach_attr, src_text)
# シンボル毎のアドレスを設定
for name, addr in symbols:
symbol_pool.set_offset(symbol_pool.getby_name(name), addr)
# アセンブル
patches = asmbloc.asm_resolve_final(mnemo, sections[0], symbol_pool)
# アセンブル結果の構築
patch_worker = StrPatchwork()
for offset, raw in patches.items():
patch_worker[offset] = raw
return str(patch_worker)
def test_DirectiveDontSplit(self):
from miasm2.arch.x86.arch import mn_x86
from miasm2.core.parse_asm import parse_txt
from miasm2.core.asmblock import asm_resolve_final
ASM0 = '''
lbl0:
INC EAX
JNZ lbl0
INC EAX
JZ lbl2
lbl1:
NOP
JMP lbl0
.dontsplit
lbl2:
MOV EAX, ECX
RET
.dontsplit
lbl3:
ADD EAX, EBX
.dontsplit
lbl4:
.align 0x10
.string "test"
lbl5:
.string "toto"
'''
asmcfg, symbol_pool = parse_txt(mn_x86, 32, ASM0)
patches = asm_resolve_final(mn_x86,
asmcfg,
symbol_pool)
lbls = []
for i in xrange(6):
lbls.append(symbol_pool.getby_name('lbl%d' % i))
# align test
offset = symbol_pool.loc_key_to_offset(lbls[5])
assert(offset % 0x10 == 0)
lbl2block = {}
for block in asmcfg.blocks:
lbl2block[block.loc_key] = block
# dontsplit test
assert(lbls[2] == lbl2block[lbls[1]].get_next())
assert(lbls[3] == lbl2block[lbls[2]].get_next())
assert(lbls[4] == lbl2block[lbls[3]].get_next())
assert(lbls[5] == lbl2block[lbls[4]].get_next())
def asm(self):
mn_x86 = self.machine.mn
blocks, loc_db = parse_asm.parse_txt(
mn_x86,
self.arch_attrib,
self.TXT,
loc_db=self.myjit.ir_arch.loc_db
)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, blocks, loc_db)
for offset, raw in patches.items():
output[offset] = raw
self.assembly = str(output)
def asm(self):
mn_x86 = self.machine.mn
blocks, symbol_pool = parse_asm.parse_txt(
mn_x86,
self.arch_attrib,
self.TXT,
symbol_pool=self.myjit.ir_arch.symbol_pool
)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, blocks, symbol_pool)
for offset, raw in patches.items():
output[offset] = raw
self.assembly = str(output)
def asm(self):
mn_x86 = self.machine.mn
blocks, symbol_pool = parse_asm.parse_txt(
mn_x86,
self.arch_attrib,
self.TXT,
symbol_pool=self.myjit.ir_arch.symbol_pool
)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, blocks, symbol_pool)
for offset, raw in patches.items():
output[offset] = raw
self.assembly = str(output)
def test_DirectiveSplit(self):
from miasm2.arch.x86.arch import mn_x86
from miasm2.core.parse_asm import parse_txt
ASM0 = '''
lbl0:
JNZ lbl0
.split
lbl1:
RET
'''
blocks, symbol_pool = parse_txt(mn_x86, 32, ASM0)
lbls = []
for i in xrange(2):
lbls.append(symbol_pool.getby_name('lbl%d' % i))
lbl2block = {}
for block in blocks:
lbl2block[block.label] = block
# split test
assert(lbl2block[lbls[1]].get_next() is None)
def test_DirectiveSplit(self):
from miasm2.arch.x86.arch import mn_x86
from miasm2.core.parse_asm import parse_txt
ASM0 = '''
lbl0:
JNZ lbl0
.split
lbl1:
RET
'''
asmcfg, loc_db = parse_txt(mn_x86, 32, ASM0)
lbls = []
for i in xrange(2):
lbls.append(loc_db.get_name_location('lbl%d' % i))
lbl2block = {}
for block in asmcfg.blocks:
lbl2block[block.loc_key] = block
# split test
assert (lbl2block[lbls[1]].get_next() is None)
def test_DirectiveSplit(self):
from miasm2.arch.x86.arch import mn_x86
from miasm2.core.parse_asm import parse_txt
ASM0 = '''
lbl0:
JNZ lbl0
.split
lbl1:
RET
'''
blocks, symbol_pool = parse_txt(mn_x86, 32, ASM0)
lbls = []
for i in xrange(2):
lbls.append(symbol_pool.getby_name('lbl%d' % i))
lbl2block = {}
for block in blocks:
lbl2block[block.label] = block
# split test
assert (lbl2block[lbls[1]].get_next() is None)
from miasm2.arch.x86.arch import mn_x86
from miasm2.core import parse_asm
from miasm2.expression.expression import *
from miasm2.core import asmblock
from miasm2.arch.x86.ira import ir_a_x86_32
from miasm2.analysis.data_flow import dead_simp
# First, asm code
asmcfg, symbol_pool = parse_asm.parse_txt(mn_x86, 32, '''
main:
MOV EAX, 1
MOV EBX, 2
MOV ECX, 2
MOV DX, 2
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
for block in asmcfg.blocks:
print block
print "symbols:"
print symbol_pool
ret_addr = ExprId('ret_addr', 32)
reg_and_id[argc.name] = argc
reg_and_id[argv.name] = argv
reg_and_id[ret_addr.name] = ret_addr
my_symbols = [argc, argv, ret_addr]
my_symbols = dict([(x.name, x) for x in my_symbols])
my_symbols.update(machine.mn.regs.all_regs_ids_byname)
ir_arch = machine.ir(mdis.symbol_pool)
symbexec = SymbolicExecutionEngine(ir_arch, symbols_init)
blocks, symbol_pool = parse_asm.parse_txt(machine.mn, 32, '''
PUSH argv
PUSH argc
PUSH ret_addr
''')
b = list(blocks)[0]
print b
# add fake address and len to parsed instructions
for i, line in enumerate(b.lines):
line.offset, line.l = i, 1
ir_arch.add_block(b)
irb = get_block(ir_arch, mdis, 0)
symbexec.emulbloc(irb)
symbexec.dump_mem()
# reset ir_arch blocks
PUSH {LR}
SUB SP, 0x100
MOV R0, SP
ADD R1, PC, mystr-$+6
MOV R0, R0
EORS R2, R2
ADDS R2, R2, 0x4
BL memcpy
ADD SP, 0x100
POP {PC}
mystr:
.string "toto"
'''
blocs_b, symbol_pool_b = parse_asm.parse_txt(my_mn, "b", txt)
blocs_l, symbol_pool_l = parse_asm.parse_txt(my_mn, "l", txt)
# fix shellcode addr
symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0)
symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0)
# graph sc####
g = asmbloc.bloc2graph(blocs_b[0])
open("graph.txt", "w").write(g)
s_b = StrPatchwork()
s_l = StrPatchwork()
print "symbols"
print symbol_pool_b
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr)
base_expr.setParseAction(my_var_parser)
blocs, symbol_pool = parse_asm.parse_txt(
mn_x86, 32, '''
main:
PUSH EBP
MOV EBP, ESP
MOV BYTE PTR [myint], 0x90
myint:
INT 0x3
PUSH 0
PUSH title
PUSH msg
PUSH 0
CALL DWORD PTR [ MessageBoxA ]
MOV ESP, EBP
POP EBP
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr))
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
return reg_and_id.get(t, ExprId(t, size=32))
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr)
base_expr.setParseAction(my_var_parser)
st = StrPatchwork()
blocs, symbol_pool = parse_asm.parse_txt(
mn_msp430,
None,
"""
main:
mov.w 0x10, R10
mov.w 0x0, R11
loop:
add.w 1, R11
sub.w 1, R10
jnz loop
mov.w @SP+, PC
""",
)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0)
for b in blocs[0]:
print b
resolved_b, patches = asmbloc.asm_resolve_final(mn_msp430, blocs[0], symbol_pool)
print patches
from miasm2.core import asmblock
from miasm2.arch.x86 import arch
from miasm2.core import parse_asm
from miasm2.core.interval import interval
my_mn = arch.mn_x86
asmcfg, loc_db = parse_asm.parse_txt(
my_mn, 64, r'''
main:
PUSH RBP
MOV RBP, RSP
loop_dec:
CMP RCX, RDX
JB loop_dec
end:
MOV RSP, RBP
POP RBP
RET
''')
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000)
dst_interval = interval([(0x100001000, 0x100002000)])
patches = asmblock.asm_resolve_final(my_mn, asmcfg, loc_db, dst_interval)
ret_addr = ExprId('ret_addr')
reg_and_id[argc.name] = argc
reg_and_id[argv.name] = argv
reg_and_id[ret_addr.name] = ret_addr
my_symbols = [argc, argv, ret_addr]
my_symbols = dict([(x.name, x) for x in my_symbols])
my_symbols.update(mn_x86.regs.all_regs_ids_byname)
ir_arch = ir_x86_32(mdis.symbol_pool)
sb = symbexec(ir_arch, symbols_init)
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, '''
PUSH argv
PUSH argc
PUSH ret_addr
''')
b = list(blocs)[0]
print b
# add fake address and len to parsed instructions
for i, l in enumerate(b.lines):
l.offset, l.l = i, 1
ir_arch.add_bloc(b)
irb = get_bloc(ir_arch, mdis, 0)
sb.emulbloc(irb)
sb.dump_mem()
# reset ir_arch blocs
virt = pe.virt
output = pe
dst_interval = interval([(pe.rva2virt(s_text.addr),
pe.rva2virt(s_text.addr + s_text.size))])
else:
st = StrPatchwork()
addr_main = 0
virt = st
output = st
# Get and parse the source code
with open(args.source) as fstream:
source = fstream.read()
blocks, symbol_pool = parse_asm.parse_txt(machine.mn, attrib, source)
# Fix shellcode addrs
symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main)
if args.PE:
symbol_pool.set_offset(
symbol_pool.getby_name_create("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA'))
# Print and graph firsts blocks before patching it
for block in blocks:
print block
open("graph.dot", "w").write(blocks.dot())
# Apply patches
dst_interval = interval([(pe.rva2virt(s_text.addr),
pe.rva2virt(s_text.addr + s_text.size))])
else:
st = StrPatchwork()
addr_main = 0
virt = st
output = st
# Get and parse the source code
with open(args.source) as fstream:
source = fstream.read()
symbol_pool = asmblock.AsmSymbolPool()
asmcfg, symbol_pool = parse_asm.parse_txt(machine.mn, attrib, source,
symbol_pool)
# Fix shellcode addrs
symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main)
if args.PE:
symbol_pool.set_offset(
symbol_pool.getby_name_create("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA'))
# Print and graph firsts blocks before patching it
for block in asmcfg.blocks:
print block
open("graph.dot", "w").write(asmcfg.dot())
# Apply patches
mdis = dis_engine(bs)
addr = int(options.address, 16)
symbols_init = dict(machine.mn.regs.regs_init)
ir_arch = machine.ir(mdis.symbol_pool)
symbexec = SymbolicExecutionEngine(ir_arch, symbols_init)
asmcfg, symbol_pool = parse_asm.parse_txt(machine.mn,
32,
'''
init:
PUSH argv
PUSH argc
PUSH ret_addr
''',
symbol_pool=mdis.symbol_pool)
argc_lbl = symbol_pool.getby_name('argc')
argv_lbl = symbol_pool.getby_name('argv')
ret_addr_lbl = symbol_pool.getby_name('ret_addr')
init_lbl = symbol_pool.getby_name('init')
argc = ExprLoc(argc_lbl, 32)
argv = ExprLoc(argv_lbl, 32)
ret_addr = ExprLoc(ret_addr_lbl, 32)
block = asmcfg.loc_key_to_block(init_lbl)
txt = '''
main:
ADDIU A0, ZERO, 0x10
ADDIU A1, ZERO, 0
loop:
ADDIU A1, A1, 0x1
BNE A0, ZERO, loop
ADDIU A0, A0, 0xFFFFFFFF
ADDIU A2, A2, 0x1
MOVN A1, ZERO, ZERO
JR RA
ADDIU A2, A2, 0x1
'''
blocs_b, symbol_pool_b = parse_asm.parse_txt(mn_mips32, "b", txt)
blocs_l, symbol_pool_l = parse_asm.parse_txt(mn_mips32, "l", txt)
# fix shellcode addr
symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0)
symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0)
for b in blocs_b[0]:
print b
resolved_b, patches_b = asmbloc.asm_resolve_final(mn_mips32, blocs_b[0],
symbol_pool_b)
resolved_l, patches_l = asmbloc.asm_resolve_final(mn_mips32, blocs_l[0],
symbol_pool_l)
print patches_b
print patches_l
return reg_and_id.get(t, ExprId(t, size=32))
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr)
base_expr.setParseAction(my_var_parser)
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, '''
main:
PUSH EBP
MOV EBP, ESP
MOV BYTE PTR [myint], 0x90
myint:
INT 0x3
PUSH 0
PUSH title
PUSH msg
PUSH 0
CALL DWORD PTR [ MessageBoxA ]
MOV ESP, EBP
POP EBP
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr))
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
e.DirImport.get_funcvirt('MessageBoxA'))
def my_ast_id2expr(t):
return reg_and_id.get(t, ExprId(t, size=32))
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr)
base_expr.setParseAction(my_var_parser)
blocs, symbol_pool = parse_asm.parse_txt(
mn_x86, 32, '''
main:
PUSH 0
PUSH title
PUSH msg
PUSH 0
CALL DWORD PTR [ MessageBoxA ]
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr))
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
e.DirImport.get_funcvirt('MessageBoxA'))
e.Opthdr.AddressOfEntryPoint = s_text.addr
for b in blocs[0]:
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, '''
main:
CALL cipher_code
CALL msgbox_encrypted_start
CALL cipher_code
RET
cipher_code:
PUSH EBP
MOV EBP, ESP
LEA ESI, DWORD PTR [msgbox_encrypted_start]
LEA EDI, DWORD PTR [msgbox_encrypted_stop]
loop:
XOR BYTE PTR [ESI], 0x42
INC ESI
CMP ESI, EDI
JBE loop
MOV ESP, EBP
POP EBP
RET
msgbox_encrypted_start:
PUSH 0
PUSH title
PUSH msg
PUSH 0
CALL DWORD PTR [ MessageBoxA ]
RET
.dontsplit
msgbox_encrypted_stop:
.long 0
title:
.string "Hello!"
msg:
.string "World!"
''')
from miasm2.arch.x86.arch import mn_x86
from miasm2.core import parse_asm
from miasm2.expression.expression import *
from miasm2.core import asmbloc
from miasm2.arch.x86.ira import ir_a_x86_32
# First, asm code
blocs, symbol_pool = parse_asm.parse_txt(
mn_x86, 32, '''
main:
MOV EAX, 1
MOV EBX, 2
MOV ECX, 2
MOV DX, 2
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
for b in blocs:
print b
print "symbols:"
print symbol_pool
patches = asmbloc.asm_resolve_final(mn_x86, blocs, symbol_pool)
txt = '''
main:
ADDIU A0, ZERO, 0x10
ADDIU A1, ZERO, 0
loop:
ADDIU A1, A1, 0x1
BNE A0, ZERO, loop
ADDIU A0, A0, 0xFFFFFFFF
ADDIU A2, A2, 0x1
MOVN A1, ZERO, ZERO
JR RA
ADDIU A2, A2, 0x1
'''
blocs_b, symbol_pool_b = parse_asm.parse_txt(mn_mips32, "b", txt)
blocs_l, symbol_pool_l = parse_asm.parse_txt(mn_mips32, "l", txt)
# fix shellcode addr
symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0)
symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0)
for b in blocs_b[0]:
print b
resolved_b, patches_b = asmbloc.asm_resolve_final(
mn_mips32, blocs_b[0], symbol_pool_b)
resolved_l, patches_l = asmbloc.asm_resolve_final(
mn_mips32, blocs_l[0], symbol_pool_l)
print patches_b
print patches_l
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr)
base_expr.setParseAction(my_var_parser)
st = StrPatchwork()
blocs, symbol_pool = parse_asm.parse_txt(mn_arm, 'l', '''
main:
MOV R1, R0
MOV R2, 0x100
LDR R3, [PC, mykey1-$]
loop:
ADD R2, R1, R2
ADD R1, R1, 1
LDR R3, [PC, mykey2-$]
CMP R1, R3
BEQ loop
ADD R0, R1, R2
BX LR
mykey1:
.long 0x1
mykey2:
.long 0x2
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0)
for b in blocs[0]:
print b
def my_ast_id2expr(t):
return reg_and_id.get(t, ExprId(t, size=64))
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr)
base_expr.setParseAction(my_var_parser)
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 64, '''
main:
MOV R9, 0x0
MOV R8, title
MOV RDX, msg
MOV RCX, 0x0
MOV RAX, QWORD PTR [ MessageBoxA ]
CALL RAX
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr))
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
e.DirImport.get_funcvirt('MessageBoxA'))
e.Opthdr.AddressOfEntryPoint = s_text.addr
for b in blocs[0]:
blocs, symbol_pool = parse_asm.parse_txt(
mn_x86, 32, '''
main:
CALL cipher_code
CALL msgbox_encrypted_start
CALL cipher_code
RET
cipher_code:
PUSH EBP
MOV EBP, ESP
LEA ESI, DWORD PTR [msgbox_encrypted_start]
LEA EDI, DWORD PTR [msgbox_encrypted_stop]
loop:
XOR BYTE PTR [ESI], 0x42
INC ESI
CMP ESI, EDI
JBE loop
MOV ESP, EBP
POP EBP
RET
msgbox_encrypted_start:
PUSH 0
PUSH title
PUSH msg
PUSH 0
CALL DWORD PTR [ MessageBoxA ]
RET
.dontsplit
msgbox_encrypted_stop:
.long 0
title:
.string "Hello!"
msg:
.string "World!"
''')
data = open(args[0]).read()
bs = bin_stream_str(data)
mdis = dis_engine(bs)
addr = int(options.address, 16)
ir_arch = machine.ir(mdis.loc_db)
ircfg = ir_arch.new_ircfg()
symbexec = SymbolicExecutionEngine(ir_arch)
asmcfg, loc_db = parse_asm.parse_txt(machine.mn, 32, '''
init:
PUSH argv
PUSH argc
PUSH ret_addr
''',
loc_db=mdis.loc_db)
argc_lbl = loc_db.get_name_location('argc')
argv_lbl = loc_db.get_name_location('argv')
ret_addr_lbl = loc_db.get_name_location('ret_addr')
init_lbl = loc_db.get_name_location('init')
argc_loc = ExprLoc(argc_lbl, 32)
argv_loc = ExprLoc(argv_lbl, 32)
ret_addr_loc = ExprLoc(ret_addr_lbl, 32)
def my_ast_id2expr(t):
return reg_and_id.get(t, ExprId(t, size=64))
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr)
base_expr.setParseAction(my_var_parser)
blocs, symbol_pool = parse_asm.parse_txt(
mn_x86, 64, '''
main:
MOV R9, 0x0
MOV R8, title
MOV RDX, msg
MOV RCX, 0x0
MOV RAX, QWORD PTR [ MessageBoxA ]
CALL RAX
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr))
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
e.DirImport.get_funcvirt('MessageBoxA'))
e.Opthdr.AddressOfEntryPoint = s_text.addr
for b in blocs[0]:
EOR R3, R3, R2
STRB R3, [R0], 1
CMP R0, R1
BNE loop
end:
MOV R0, R4
LDMFD SP!, {R4, R5, PC}
key:
.byte 0x11
mystr:
.string "test string"
mystrend:
.long 0
'''
blocs_b, symbol_pool_b = parse_asm.parse_txt(my_mn, "b", txt)
blocs_l, symbol_pool_l = parse_asm.parse_txt(my_mn, "l", txt)
# fix shellcode addr
symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0x0)
symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0x0)
# graph sc####
g = asmbloc.bloc2graph(blocs_l[0])
open("graph.txt", "w").write(g)
s_b = StrPatchwork()
s_l = StrPatchwork()
print "symbols"
print symbol_pool_l
blocs, symbol_pool = parse_asm.parse_txt(
mn_x86,
32,
"""
main:
CALL test_automod
RET
lbl_good:
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
test_automod:
PUSH EBP
MOV EBP, ESP
LEA EDI, DWORD PTR [lbl_mod]
LEA ESI, DWORD PTR [lbl_good]
MOV ECX, 0x8
REPE MOVSB
lbl_mod:
XOR EAX, EAX
MOV DWORD PTR [EAX], 0xDEADC0DE
NOP
NOP
NOP
PUSH 0
PUSH title
PUSH msg
PUSH 0
CALL DWORD PTR [ MessageBoxA ]
MOV ESP, EBP
POP EBP
RET
title:
.string "Hello!"
msg:
.string "World!"
""",
)
def from_asm(self, asm_text):
all_bloc, symbol_pool = parse_asm.parse_txt(self.mn,0, asm_text)
self.blks = all_bloc
raise Exception("Not correctly implemented")
ret_addr = ExprId('ret_addr')
reg_and_id[argc.name] = argc
reg_and_id[argv.name] = argv
reg_and_id[ret_addr.name] = ret_addr
my_symbols = [argc, argv, ret_addr]
my_symbols = dict([(x.name, x) for x in my_symbols])
my_symbols.update(mn_x86.regs.all_regs_ids_byname)
ir_arch = ir_x86_32(mdis.symbol_pool)
sb = symbexec(ir_arch, symbols_init)
blocs, symbol_pool = parse_asm.parse_txt(
mn_x86, 32, '''
PUSH argv
PUSH argc
PUSH ret_addr
''')
b = list(blocs)[0]
print b
# add fake address and len to parsed instructions
for i, l in enumerate(b.lines):
l.offset, l.l = i, 1
ir_arch.add_bloc(b)
irb = get_bloc(ir_arch, mdis, 0)
sb.emulbloc(irb)
sb.dump_mem()
# reset ir_arch blocs
ir_arch.blocs = {}
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, '''
main:
CALL test_automod
CALL test_automod
RET
test_automod:
PUSH EBP
MOV EBP, ESP
loop:
MOV EAX, 0
CMP EAX, 0
JMP mod_addr
mod_addr:
JNZ end
PUSH 0
PUSH title
PUSH msg
PUSH 0
CALL DWORD PTR [ MessageBoxA ]
; automodif code
MOV BYTE PTR [mod_addr], 0xEB
JMP loop
end:
MOV BYTE PTR [mod_addr], 0x75
MOV ESP, EBP
POP EBP
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
else:
st = StrPatchwork()
addr_main = 0
virt = st
output = st
# Get and parse the source code
with open(args.source) as fstream:
source = fstream.read()
loc_db = LocationDB()
asmcfg, loc_db = parse_asm.parse_txt(machine.mn, attrib, source, loc_db)
# Fix shellcode addrs
loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main)
if args.PE:
loc_db.set_location_offset(loc_db.get_or_create_name_location("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll',
'MessageBoxA'))
# Print and graph firsts blocks before patching it
for block in asmcfg.blocks:
print block
open("graph.dot", "w").write(asmcfg.dot())
# Apply patches
return ExprInt32(a)
def my_ast_id2expr(t):
return reg_and_id.get(t, ExprId(t, size=32))
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr)
base_expr.setParseAction(my_var_parser)
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, '''
main:
PUSH 0
PUSH title
PUSH msg
PUSH 0
CALL DWORD PTR [ MessageBoxA ]
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr))
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
e.DirImport.get_funcvirt('MessageBoxA'))
e.Opthdr.AddressOfEntryPoint = s_text.addr
for b in blocs[0]:
print b
bs = bin_stream_str(data)
mdis = dis_engine(bs)
addr = int(options.address, 16)
symbols_init = dict(machine.mn.regs.regs_init)
ir_arch = machine.ir(mdis.symbol_pool)
symbexec = SymbolicExecutionEngine(ir_arch, symbols_init)
asmcfg, symbol_pool = parse_asm.parse_txt(machine.mn, 32, '''
init:
PUSH argv
PUSH argc
PUSH ret_addr
''',
symbol_pool=mdis.symbol_pool)
argc_lbl = symbol_pool.getby_name('argc')
argv_lbl = symbol_pool.getby_name('argv')
ret_addr_lbl = symbol_pool.getby_name('ret_addr')
init_lbl = symbol_pool.getby_name('init')
argc = ExprLoc(argc_lbl, 32)
argv = ExprLoc(argv_lbl, 32)
ret_addr = ExprLoc(ret_addr_lbl, 32)
output = pe
dst_interval = interval([(pe.rva2virt(s_text.addr),
pe.rva2virt(s_text.addr + s_text.size))])
else:
st = StrPatchwork()
addr_main = 0
virt = st
output = st
# Get and parse the source code
with open(args.source) as fstream:
source = fstream.read()
blocs, symbol_pool = parse_asm.parse_txt(machine.mn, attrib, source)
# Fix shellcode addrs
symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main)
if args.PE:
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA'))
# Print and graph firsts blocs before patching it
for bloc in blocs:
print bloc
open("graph.dot", "w").write(blocs.dot())
# Apply patches
patches = asmbloc.asm_resolve_final(machine.mn,
blocs, symbol_pool = parse_asm.parse_txt(
mn_x86, 32, '''
main:
CALL test_automod
RET
lbl_good:
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
test_automod:
PUSH EBP
MOV EBP, ESP
LEA EDI, DWORD PTR [lbl_mod]
LEA ESI, DWORD PTR [lbl_good]
MOV ECX, 0x8
REPE MOVSB
lbl_mod:
XOR EAX, EAX
MOV DWORD PTR [EAX], 0xDEADC0DE
NOP
NOP
NOP
PUSH 0
PUSH title
PUSH msg
PUSH 0
CALL DWORD PTR [ MessageBoxA ]
MOV ESP, EBP
POP EBP
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
from pdb import pm
from pprint import pprint
from miasm2.arch.x86.arch import mn_x86
from miasm2.core import parse_asm, asmblock
# Assemble code
asmcfg, loc_db = parse_asm.parse_txt(
mn_x86, 32, '''
main:
MOV EAX, 1
MOV EBX, 2
MOV ECX, 2
MOV DX, 2
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
# Set 'main' loc_key's offset
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
# Spread information and resolve instructions offset
patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db)
# Show resolved asmcfg
for block in asmcfg.blocks:
from miasm2.core import asmblock
from miasm2.arch.x86 import arch
from miasm2.core import parse_asm
from miasm2.core.interval import interval
my_mn = arch.mn_x86
asmcfg, loc_db = parse_asm.parse_txt(my_mn, 64, r'''
main:
PUSH RBP
MOV RBP, RSP
loop_dec:
CMP RCX, RDX
JB loop_dec
end:
MOV RSP, RBP
POP RBP
RET
''')
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000)
dst_interval = interval([(0x100001000, 0x100002000)])
patches = asmblock.asm_resolve_final(
my_mn,
asmcfg,
loc_db,
dst_interval
)
translator_smt2 = Translator.to_language("smt2")
addr = int(options.address, 16)
cont = Container.from_stream(open(args[0]))
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)
ir_arch = machine.ir(mdis.loc_db)
ircfg = ir_arch.new_ircfg()
symbexec = SymbolicExecutionEngine(ir_arch)
asmcfg, loc_db = parse_asm.parse_txt(machine.mn,
32,
'''
init:
PUSH argv
PUSH argc
PUSH ret_addr
''',
loc_db=mdis.loc_db)
argc_lbl = loc_db.get_name_location('argc')
argv_lbl = loc_db.get_name_location('argv')
ret_addr_lbl = loc_db.get_name_location('ret_addr')
init_lbl = loc_db.get_name_location('init')
argc_loc = ExprLoc(argc_lbl, 32)
argv_loc = ExprLoc(argv_lbl, 32)
ret_addr_loc = ExprLoc(ret_addr_lbl, 32)
ret_addr = ExprId("ret_addr", ret_addr_loc.size)
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' main: PUSH EBP MOV EBP, ESP SUB ESP, 0x100 MOV EAX, 0x1337 ; test ptr manip LEA ESI, DWORD PTR [mystr^toto] CALL toto mystr: .string "test string" toto: POP EDI PUSH EDI ; test scasb XOR EAX, EAX XOR ECX, ECX DEC ECX REPNE SCASB NOT ECX DEC ECX ; test movsb POP ESI LEA EDI, DWORD PTR [EBP-0x100] REPE MOVSB ; test float PUSH 0 FLD1 FLD1 FADD ST, ST(1) FIST DWORD PTR [ESP] POP EAX ; test cond mnemo NOP NOP CMOVZ EAX, EBX ; test shr NOP SHR EAX, 1 NOP NOP SHR EAX, CL NOP MOV ESP, EBP POP EBP RET ''')
