def test_complex1(self):
patches = []
added_code = '''
mov eax, 4
mov ebx, 1
mov ecx, 0x080484f3
mov edx, 2
int 0x80
call {added_function}
'''
patches.append(AddEntryPointPatch(added_code))
added_code = '''
mov eax, 1
mov ebx, 0x34
int 0x80
'''
patches.append(AddEntryPointPatch(added_code))
test_str = b"testtesttest\n\x00"
added_code = '''
mov eax, 4
mov ebx, 1
mov ecx, {added_data}
mov edx, %d
int 0x80
ret
''' % (len(test_str))
patches.append(AddCodePatch(added_code, "added_function"))
patches.append(AddRODataPatch(test_str, "added_data"))
self.run_test("printf_nopie",
patches,
expected_output=b'%s' + test_str,
expected_returnCode=0x34)
def test_complex1(self):
patches = []
added_code = '''
dli $v0, 5001
dli $a0, 1
dla $a1, 0x120000cf8
dli $a2, 2
syscall
jal {added_function}
dli $v0, 5058
dli $a0, 0x34
syscall
'''
patches.append(AddEntryPointPatch(added_code))
test_str = b"testtesttest\n\x00"
added_code = '''
dli $v0, 5001
dli $a0, 1
dla $a1, {added_data}
dli $a2, %d
syscall
jr $ra
''' % (len(test_str))
patches.append(AddCodePatch(added_code, "added_function"))
patches.append(AddRODataPatch(test_str, "added_data"))
self.run_test("printf_nopie",
patches,
expected_output=b'%s' + test_str,
expected_returnCode=0x34)
def test_complex1(self):
patches = []
added_code = '''
mov x8, 0x40
mov x0, 0x1
ldr x1, =0x400648
mov x2, 2
svc 0
bl {added_function}
mov x8, 0x5d
mov x0, 0x34
svc 0
'''
patches.append(AddEntryPointPatch(added_code))
test_str = b"testtesttest\n\x00"
added_code = '''
mov x8, 0x40
mov x0, 0x1
ldr x1, ={added_data}
mov x2, %d
svc 0
ret
''' % (len(test_str))
patches.append(AddCodePatch(added_code, "added_function"))
patches.append(AddRODataPatch(test_str, "added_data"))
self.run_test("printf_nopie", patches, expected_output=b'%s' + test_str, expected_returnCode=0x34)
def test_complex1(self):
patches = []
added_code = '''
li r0, 4
li r3, 1
lis r4, 0x10000758@h
ori r4, r4, 0x10000758@l
li r5, 2
sc
bl {added_function}
li r0, 1
li r3, 0x34
sc
'''
patches.append(AddEntryPointPatch(added_code))
test_str = b"testtesttest\n\x00"
added_code = '''
li r0, 4
li r3, 1
lis r4, {added_data}@h
ori r4, r4, {added_data}@l
li r5, %d
sc
blr
''' % (len(test_str))
patches.append(AddCodePatch(added_code, "added_function"))
patches.append(AddRODataPatch(test_str, "added_data"))
self.run_test("printf_nopie",
patches,
expected_output=b'%s' + test_str,
expected_returnCode=0x34)
def test_complex1(self):
patches = []
added_code = '''
mov r7, 0x4
mov r0, 0x1
ldr r1, =0x10450
mov r2, 2
svc 0
bl {added_function}
mov r7, 0x1
mov r0, 0x34
svc 0
'''
patches.append(AddEntryPointPatch(added_code))
test_str = b"testtesttest\n\x00"
added_code = '''
mov r7, 0x4
mov r0, 0x1
ldr r1, ={added_data}
mov r2, %d
svc 0
bx lr
''' % (len(test_str))
patches.append(
AddCodePatch(added_code, "added_function", is_thumb=True))
patches.append(AddRODataPatch(test_str, "added_data"))
self.run_test("printf_nopie",
patches,
expected_output=b'%s' + test_str,
expected_returnCode=0x34)
def test_add_entry_point_patch(self):
added_code = '''
li $v0, 4004
li $a0, 1
la $a1, 0x400934
li $a2, 2
syscall
'''
self.run_test("printf_nopie", [AddEntryPointPatch(added_code)], expected_output=b'%sHi', expected_returnCode=0)
def test_add_entry_point_patch(self):
added_code = '''
mov x8, 0x40
mov x0, 0x1
ldr x1, =0x400648
mov x2, 2
svc 0
'''
self.run_test("printf_nopie", [AddEntryPointPatch(added_code)], expected_output=b'%sHi', expected_returnCode=0)
def test_add_entry_point_patch(self):
added_code = '''
mov r7, 0x4
mov r0, 0x1
ldr r1, =0x10450
mov r2, 2
svc 0
'''
self.run_test("printf_nopie", [AddEntryPointPatch(added_code)],
expected_output=b'%sHi',
expected_returnCode=0)
def test_add_entry_point_patch(self):
added_code = '''
li r0, 4
li r3, 1
lis r4, 0x10000758@h
ori r4, r4, 0x10000758@l
li r5, 2
sc
'''
self.run_test("printf_nopie", [AddEntryPointPatch(added_code)],
expected_output=b'%sHi',
expected_returnCode=0)
def test_add_entry_point_patch(self):
added_code = '''
mov eax, 4
mov ebx, 1
mov ecx, 0x080484f3
mov edx, 2
int 0x80
mov eax, 1 ;sys_exit
mov ebx, 0x1 ;return code
int 0x80
'''
self.run_test("printf_nopie", [AddEntryPointPatch(added_code)],
expected_output=b'%s',
expected_returnCode=0x1)
def get_patches(self):
matches = self.ident.matches
malloc_addr = None
for f, (name, _) in matches.items():
if name == "malloc":
malloc_addr = f.addr
break
if malloc_addr is None:
l.warning("malloc not found")
return []
cfg = self.patcher.cfg
# we need a data patch
self.patches = []
self.patches.append(AddRWDataPatch(4, "malloc_pseudorand"))
added_code = '''
xor eax, eax
add al, 7
mov ebx, {malloc_pseudorand}
xor ecx, ecx
add cl, 4
xor edx, edx
int 0x80
'''
self.patches.append(AddEntryPointPatch(added_code))
ff = cfg.functions[malloc_addr]
# get free regs
free_regs = set()
for r in self.relevant_registers:
if self.is_reg_free(ff.addr, r, False):
free_regs.add(r)
free_regs = list(free_regs)
# the malloc patch itself
prefix = ""
suffix = ""
sp_off = 4
if len(free_regs) == 0:
use_reg = "eax"
prefix += "push eax; \n"
suffix += "pop eax; \n"
sp_off += 4
else:
use_reg = free_regs[0]
added_code = """
mov %s, DWORD [{malloc_pseudorand}];
add %s, 13;
mov DWORD [{malloc_pseudorand}], %s;
and %s, 0x8;
add %s, 0x8;
add DWORD [esp+%d], %s;
""" % (use_reg, use_reg, use_reg, use_reg, use_reg, sp_off, use_reg)
code = prefix + added_code + suffix
l.debug("adding:\n%s", code)
self.patches.append(InsertCodePatch(malloc_addr, code))
return list(self.patches)
