def write_patches_to_file(asmcfg, exectbl, out_addr, out_file_name, mode, max_addr=2 ** 64 - 1, head=None): if head is None: head = asmcfg.heads()[0] asmcfg = bbl_simplifier.apply_simp(asmcfg) asmcfg.rebuild_edges() remove_redundant_and_unpin_blocks(asmcfg, head, mode) fix_multiple_next_constraints(asmcfg, mode) # careless block reordering might have damaged edges of the graph and introduced dead blocks asmcfg.rebuild_edges() asmcfg.loc_db.set_location_offset(head, out_addr) patches = asm_resolve_final(mn_x86, asmcfg, asmcfg.loc_db, dst_interval=interval([(out_addr, max_addr)])) last_empty_address = 0 for offset, raw in patches.items(): logger.debug( "patch addr rva is 0x%x; raw is 0x%x; the patch: %s" % (exectbl.virt2rva(offset), offset, raw.hex())) exectbl.img_rva[exectbl.virt2rva(offset)] = raw next_empty_address = offset + len(raw) if last_empty_address < next_empty_address: last_empty_address = next_empty_address with open(out_file_name + ".bak", 'wb') as bak: with open(out_file_name, 'rb') as fl: bak.write(fl.read()) with open(out_file_name, 'wb') as fl: fl.write(bytes(exectbl)) return last_empty_address
def compute_txt(ir, mode, txt, inputstate={}, debug=False): asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt) loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db) ir_arch = ir(loc_db) lbl = loc_db.get_name_location("main") ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg) return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt) loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db) ir_arch = ir(loc_db) lbl = loc_db.get_name_location("main") ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg) return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(Lifter, mode, txt, inputstate={}, debug=False): loc_db = LocationDB() asmcfg = parse_asm.parse_txt(mn, mode, txt, loc_db) loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg) lifter = Lifter(loc_db) lbl = loc_db.get_name_location("main") ircfg = lifter.new_ircfg_from_asmcfg(asmcfg) return symb_exec(lbl, lifter, ircfg, inputstate, debug)
def asm(self): asmcfg = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, self.loc_db) # fix shellcode addr self.loc_db.set_location_offset(self.loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_aarch64, asmcfg) for offset, raw in viewitems(patches): s[offset] = raw self.assembly = bytes(s)
def asm(self): blocks, loc_db = parse_asm.parse_txt(mn_mips32, 'l', self.TXT, loc_db=self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_mips32, blocks, loc_db) for offset, raw in viewitems(patches): s[offset] = raw s = bytes(s) self.assembly = s
def asm(self): blocks, loc_db = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT, loc_db = self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_x86, blocks, loc_db) for offset, raw in viewitems(patches): s[offset] = raw s = bytes(s) self.assembly = s
def asm(self): mn_x86 = self.machine.mn asmcfg = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT, self.loc_db) # fix shellcode addr self.loc_db.set_location_offset(self.loc_db.get_name_location("main"), 0x0) output = StrPatchwork() patches = asm_resolve_final(mn_x86, asmcfg) for offset, raw in viewitems(patches): output[offset] = raw self.assembly = bytes(output)
def test_DirectiveDontSplit(self): from miasm.arch.x86.arch import mn_x86 from miasm.core.parse_asm import parse_txt from miasm.core.asmblock import asm_resolve_final loc_db = LocationDB() ASM0 = ''' lbl0: INC EAX JNZ lbl0 INC EAX JZ lbl2 lbl1: NOP JMP lbl0 .dontsplit lbl2: MOV EAX, ECX RET .dontsplit lbl3: ADD EAX, EBX .dontsplit lbl4: .align 0x10 .string "test" lbl5: .string "toto" ''' asmcfg = parse_txt(mn_x86, 32, ASM0, loc_db) patches = asm_resolve_final(mn_x86, asmcfg) lbls = [] for i in range(6): lbls.append(loc_db.get_name_location('lbl%d' % i)) # align test offset = loc_db.get_location_offset(lbls[5]) assert (offset % 0x10 == 0) lbl2block = {} for block in asmcfg.blocks: lbl2block[block.loc_key] = block # dontsplit test assert (lbls[2] == lbl2block[lbls[1]].get_next()) assert (lbls[3] == lbl2block[lbls[2]].get_next()) assert (lbls[4] == lbl2block[lbls[3]].get_next()) assert (lbls[5] == lbl2block[lbls[4]].get_next())
INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) for block in asmcfg.blocks: print(block) print("symbols:") print(loc_db) patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db) # Translate to IR ir_arch = ir_a_x86_32(loc_db) ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg) deadrm = DeadRemoval(ir_arch) # Display IR for lbl, irblock in viewitems(ircfg.blocks): print(irblock) # Dead propagation open('graph.dot', 'w').write(ircfg.dot()) print('*' * 80) deadrm(ircfg)
from miasm.core import asmblock from miasm.arch.x86 import arch from miasm.core import parse_asm from miasm.core.interval import interval my_mn = arch.mn_x86 asmcfg, loc_db = parse_asm.parse_txt( my_mn, 64, r''' main: PUSH RBP MOV RBP, RSP loop_dec: CMP RCX, RDX JB loop_dec end: MOV RSP, RBP POP RBP RET ''') loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000) dst_interval = interval([(0x100001000, 0x100002000)]) patches = asmblock.asm_resolve_final(my_mn, asmcfg, loc_db, dst_interval)
# Assemble code asmcfg, loc_db = parse_asm.parse_txt(mn_x86, 32, ''' main: MOV EAX, 1 MOV EBX, 2 MOV ECX, 2 MOV DX, 2 loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') # Set 'main' loc_key's offset loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) # Spread information and resolve instructions offset patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db) # Show resolved asmcfg for block in asmcfg.blocks: print(block) # Print offset -> bytes pprint(patches)
# Fix shellcode addrs loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main) if args.PE: loc_db.set_location_offset( loc_db.get_or_create_name_location("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocks before patching it for block in asmcfg.blocks: print(block) open("graph.dot", "w").write(asmcfg.dot()) # Apply patches patches = asmblock.asm_resolve_final(machine.mn, asmcfg, dst_interval) if args.encrypt: # Encrypt code loc_start = loc_db.get_or_create_name_location(args.encrypt[0]) loc_stop = loc_db.get_or_create_name_location(args.encrypt[1]) ad_start = loc_db.get_location_offset(loc_start) ad_stop = loc_db.get_location_offset(loc_stop) for ad, val in list(viewitems(patches)): if ad_start <= ad < ad_stop: patches[ad] = b"".join( int_to_byte(ord(x) ^ 0x42) for x in iterbytes(val)) print(patches) if isinstance(virt, StrPatchwork): for offset, raw in viewitems(patches):
loc_db.get_or_create_name_location("MessageBoxA"), pe.DirImport.get_funcvirt( 'USER32.dll', 'MessageBoxA' ) ) # Print and graph firsts blocks before patching it for block in asmcfg.blocks: print(block) open("graph.dot", "w").write(asmcfg.dot()) # Apply patches patches = asmblock.asm_resolve_final( machine.mn, asmcfg, loc_db, dst_interval ) if args.encrypt: # Encrypt code loc_start = loc_db.get_or_create_name_location(args.encrypt[0]) loc_stop = loc_db.get_or_create_name_location(args.encrypt[1]) ad_start = loc_db.get_location_offset(loc_start) ad_stop = loc_db.get_location_offset(loc_stop) for ad, val in list(viewitems(patches)): if ad_start <= ad < ad_stop: patches[ad] = b"".join(int_to_byte(ord(x) ^ 0x42) for x in iterbytes(val)) print(patches) if isinstance(virt, StrPatchwork):