def _getbytes(self, start, l=1): out = [] for ad in range(l): offset = ad + start + self.base_address if not is_mapped(offset): raise IOError("not enough bytes") out.append(int_to_byte(get_wide_byte(offset))) return b''.join(out)
def xxx_memset(jitter): ''' #include <string.h> void *memset(void *s, int c, size_t n); fills the first n bytes of the memory area pointed to by s with the constant byte c.''' ret_addr, args = jitter.func_args_systemv(['dest', 'c', 'n']) jitter.vm.set_mem(args.dest, int_to_byte(args.c & 0xFF) * args.n) return jitter.func_ret_systemv(ret_addr, args.dest)
"--verbose", help="verbose mode", action="store_true") options = parser.parse_args() if options.endianness == 'b': sandbox = Sandbox_Linux_armb_str elif options.endianness == 'l': sandbox = Sandbox_Linux_arml_str else: raise ValueError("Bad endianness!") loc_db = LocationDB() sb = sandbox(loc_db, options.filename, options, globals()) if options.address is None: raise ValueError('invalid address') sb.run() # test correct de xor start = sb.jitter.cpu.R0 stop = sb.jitter.cpu.R1 s = sb.jitter.vm.get_mem(start, stop - start) s = StrPatchwork(s) for i, c in enumerate(s): s[i] = int_to_byte(ord(c) ^ 0x11) s = bytes(s) assert (s == b"test string\x00")
assert jitter.vm.get_mem(cont.get_addr(), len(cont)) == b'\x01\x02\x03\x04' # Union test class UniStruct(MemStruct): fields = [ ("one", Num("B")), ("union", Union([ ("instruct", InStruct), ("i", Num(">I")), ])), ("last", Num("B")), ] uni = UniStruct(jitter.vm) jitter.vm.set_mem(uni.get_addr(), b''.join(int_to_byte(x) for x in range(len(uni)))) assert len(uni) == 6 # 1 + max(InStruct.sizeof(), 4) + 1 assert uni.one == 0x00 assert uni.union.instruct.foo == 0x01 assert uni.union.instruct.bar == 0x02 assert uni.union.i == 0x01020304 assert uni.last == 0x05 uni.union.instruct.foo = 0x02 assert uni.union.i == 0x02020304 uni.union.i = 0x11223344 assert uni.union.instruct.foo == 0x11 assert uni.union.instruct.bar == 0x22 # BitField test class BitStruct(MemUnion):
found = True break finfo = FILE_to_info_symb[FILE_stream] for sol_ident, model in viewitems(dse.new_solutions): # Build the file corresponding to solution in 'model' out = [] fsize = max( model.eval(dse.z3_trans.from_expr(FILE_size)).as_long(), len(finfo.gen_bytes)) for index in range(fsize): try: byteid = finfo.gen_bytes[index] out.append( int_to_byte( model.eval(dse.z3_trans.from_expr(byteid)).as_long())) except (KeyError, AttributeError) as _: # Default value if there is no constraint on current byte out.append(b"\x00") todo.add(b"".join(out)) # Assert that the result has been found assert found == True print("FOUND !") TEMP_FILE.close() # Replay for real if not is_win: print("Trying to launch the binary without Miasm")
if finish_info.string == b"OK": # Stop if the expected result is found found = True break finfo = FILE_to_info_symb[FILE_stream] for sol_ident, model in viewitems(dse.new_solutions): # Build the file corresponding to solution in 'model' out = [] fsize = max(model.eval(dse.z3_trans.from_expr(FILE_size)).as_long(), len(finfo.gen_bytes)) for index in range(fsize): try: byteid = finfo.gen_bytes[index] out.append(int_to_byte(model.eval(dse.z3_trans.from_expr(byteid)).as_long())) except (KeyError, AttributeError) as _: # Default value if there is no constraint on current byte out.append(b"\x00") todo.add(b"".join(out)) # Assert that the result has been found assert found == True print("FOUND !") TEMP_FILE.close() # Replay for real if not is_win: print("Trying to launch the binary without Miasm")
parser.add_argument('-v', "--verbose", help="verbose mode", action="store_true") options = parser.parse_args() if options.endianness == 'b': sandbox = Sandbox_Linux_armb_str elif options.endianness == 'l': sandbox = Sandbox_Linux_arml_str else: raise ValueError("Bad endianness!") sb = sandbox(options.filename, options, globals()) if options.address is None: raise ValueError('invalid address') sb.run() # test correct de xor start = sb.jitter.cpu.R0 stop = sb.jitter.cpu.R1 s = sb.jitter.vm.get_mem(start, stop-start) s = StrPatchwork(s) for i, c in enumerate(s): s[i] = int_to_byte(ord(c)^0x11) s = bytes(s) assert(s == b"test string\x00")
def compute_checksum(self, data): return encode_hex(int_to_byte(sum(map(ord, data)) % 256))
# Print and graph firsts blocks before patching it for block in asmcfg.blocks: print(block) open("graph.dot", "w").write(asmcfg.dot()) # Apply patches patches = asmblock.asm_resolve_final(machine.mn, asmcfg, dst_interval) if args.encrypt: # Encrypt code loc_start = loc_db.get_or_create_name_location(args.encrypt[0]) loc_stop = loc_db.get_or_create_name_location(args.encrypt[1]) ad_start = loc_db.get_location_offset(loc_start) ad_stop = loc_db.get_location_offset(loc_stop) for ad, val in list(viewitems(patches)): if ad_start <= ad < ad_stop: patches[ad] = b"".join( int_to_byte(ord(x) ^ 0x42) for x in iterbytes(val)) print(patches) if isinstance(virt, StrPatchwork): for offset, raw in viewitems(patches): virt[offset] = raw else: for offset, raw in viewitems(patches): virt.set(offset, raw) # Produce output open(args.output, 'wb').write(bytes(output))
# Union test class UniStruct(MemStruct): fields = [ ("one", Num("B")), ("union", Union([ ("instruct", InStruct), ("i", Num(">I")), ])), ("last", Num("B")), ] uni = UniStruct(jitter.vm) jitter.vm.set_mem(uni.get_addr(), b''.join(int_to_byte(x) for x in range(len(uni)))) assert len(uni) == 6 # 1 + max(InStruct.sizeof(), 4) + 1 assert uni.one == 0x00 assert uni.union.instruct.foo == 0x01 assert uni.union.instruct.bar == 0x02 assert uni.union.i == 0x01020304 assert uni.last == 0x05 uni.union.instruct.foo = 0x02 assert uni.union.i == 0x02020304 uni.union.i = 0x11223344 assert uni.union.instruct.foo == 0x11 assert uni.union.instruct.bar == 0x22 # BitField test class BitStruct(MemUnion):
# Apply patches patches = asmblock.asm_resolve_final( machine.mn, asmcfg, loc_db, dst_interval ) if args.encrypt: # Encrypt code loc_start = loc_db.get_or_create_name_location(args.encrypt[0]) loc_stop = loc_db.get_or_create_name_location(args.encrypt[1]) ad_start = loc_db.get_location_offset(loc_start) ad_stop = loc_db.get_location_offset(loc_stop) for ad, val in list(viewitems(patches)): if ad_start <= ad < ad_stop: patches[ad] = b"".join(int_to_byte(ord(x) ^ 0x42) for x in iterbytes(val)) print(patches) if isinstance(virt, StrPatchwork): for offset, raw in viewitems(patches): virt[offset] = raw else: for offset, raw in viewitems(patches): virt.set(offset, raw) # Produce output open(args.output, 'wb').write(bytes(output))