def test(self): # Disassemble & assemble unit tests unit_tests = [("ADD R1, 2", "6108")] unit_tests += [("JMP 0xC3FA38", "d9c8c3fa")] unit_tests += [("SLT3 R0, R8, R10", "08a2")] unit_tests += [("SB R9, (R4)", "0948")] unit_tests += [("SSARB 3(GP)", "13ec")] unit_tests += [("SWCPI C13, (R2+)", "3d20")] unit_tests += [("ADD3 R2, SP, 0x1C", "421c")] unit_tests += [("SW R7, 0x50(SP)", "4752")] for mn_str, mn_hex in unit_tests: print("-" * 49) # Tests separation # Dissassemble mn_bin = decode_hex(mn_hex) mn = mn_mep.dis(mn_bin, "b") print("dis: %s -> %s" % (mn_hex.rjust(20), str(mn).rjust(20))) assert(str(mn) == mn_str) # dissassemble assertion # Assemble and return all possible candidates instr = mn_mep.fromstring(str(mn), "b") instr.mode = "b" asm_list = [encode_hex(i).decode() for i in mn_mep.asm(instr)] # Print the results print("asm: %s -> %s" % ( mn_str.rjust(20), ", ".join(asm_list).rjust(20)) ) assert(mn_hex in asm_list) # assemble assertion
def test(self): # Disassemble & assemble unit tests unit_tests = [("ADD R1, 2", "6108")] unit_tests += [("JMP 0xC3FA38", "d9c8c3fa")] unit_tests += [("SLT3 R0, R8, R10", "08a2")] unit_tests += [("SB R9, (R4)", "0948")] unit_tests += [("SSARB 3(GP)", "13ec")] unit_tests += [("SWCPI C13, (R2+)", "3d20")] unit_tests += [("ADD3 R2, SP, 0x1C", "421c")] unit_tests += [("SW R7, 0x50(SP)", "4752")] for mn_str, mn_hex in unit_tests: print("-" * 49) # Tests separation # Disassemble mn_bin = decode_hex(mn_hex) mn = mn_mep.dis(mn_bin, "b") print("dis: %s -> %s" % (mn_hex.rjust(20), str(mn).rjust(20))) assert (str(mn) == mn_str) # disassemble assertion # Assemble and return all possible candidates instr = mn_mep.fromstring(str(mn), "b") instr.mode = "b" asm_list = [encode_hex(i).decode() for i in mn_mep.asm(instr)] # Print the results print("asm: %s -> %s" % (mn_str.rjust(20), ", ".join(asm_list).rjust(20))) assert (mn_hex in asm_list) # assemble assertion
def test(): unit_tests = [('CLS', '00')] unit_tests += [('STRD R0', '0100')] unit_tests += [('STRB R0', '0200')] unit_tests += [('STRW R0', '0300')] unit_tests += [('LDRD R0', '0400')] unit_tests += [('LDRB R0', '0500')] unit_tests += [('LDRW R0', '0600')] unit_tests += [('MOV 0x68, R0', '076800')] unit_tests += [('MOV R1, R0', '080100')] unit_tests += [('ADD R2, R3', '090203')] unit_tests += [('SUB R0, R2', '0A0002')] unit_tests += [('MUL R0, R2', '0B0002')] unit_tests += [('DIV R0, R2', '0C0002')] unit_tests += [('MOD R0, R2', '0D0002')] unit_tests += [('AND R0, R2', '0E0002')] unit_tests += [('OR R0, R2', '0F0002')] unit_tests += [('XOR R0, R2', '100002')] unit_tests += [('JMP 0x69', '1169')] unit_tests += [('JE R0, R1, 0x32', '1200000132')] unit_tests += [('JNE R0, R1, 0x32', '1201000132')] unit_tests += [('JGE R0, R1, 0x32', '1202000132')] unit_tests += [('JL R0, R1, 0x32', '1203000132')] unit_tests += [('READ_INPUT 0x20', '1320')] unit_tests += [('PRN', '14')] unit_tests += [('VMEXIT', '15')] for mn_str, mn_hex in unit_tests: # print("-" * 49) # Tests separation mn_bin = decode_hex(mn_hex) mn = mn_spacez.dis(mn_bin) print("dis: %s -> %s" % (mn_hex.ljust(10), str(mn).ljust(20))) assert (str(mn) == mn_str) # disassemble assertion
def dis(mn_hex): """Disassembly helper""" mn_bin = decode_hex(mn_hex) try: return mn_mep.dis(mn_bin, "b") except Disasm_Exception: assert(False) # miasm don't know what to do
def exec_instruction(hex_asm, init_values): """Symbolically execute an instruction""" print("Hex:", hex_asm) # Disassemble an instruction mn = mn_mep.dis(decode_hex(hex_asm), "b") print("Dis:", mn) loc_db = LocationDB() # Get the IR im = ir_mepb(loc_db) iir, eiir, = im.get_ir(mn) print("\nInternal representation:", iir) # Symbolic execution sb = SymbolicExecutionEngine(ir_a_mepb(loc_db), regs_init) # Assign register values before symbolic evaluation for reg_expr_id, reg_expr_value in init_values: sb.symbols[reg_expr_id] = reg_expr_value print("\nModified registers:", [reg for reg in sb.modified(mems=False)]) print("Modified memories:", [mem for mem in sb.modified()]) print("\nFinal registers:") sb.dump(mems=False) print("\nFinal mems:") sb.dump()
def tostring(self): if len(self.bits) % 8: raise ValueError('num bits must be 8 bit aligned: %d' % len(self.bits)) b = int("".join(str(x) for x in self.bits), 2) b = "%X" % b b = '0' * (len(self.bits) // 4 - len(b)) + b b = decode_hex(b.encode()) return b
def tostring(self): if len(self.bits) % 8: raise ValueError( 'num bits must be 8 bit aligned: %d' % len(self.bits) ) b = int("".join(str(x) for x in self.bits), 2) b = "%X" % b b = '0' * (len(self.bits) // 4 - len(b)) + b b = decode_hex(b.encode()) return b
def mem_write(self, dest, data): """Memory read wrapper for symbolic execution @dest: ExprMem instance @data: Expr instance""" # Get the content to write data = self.expr_simp(data) if not isinstance(data, m2_expr.ExprInt): raise RuntimeError("A simplification is missing: %s" % data) to_write = int(data) # Format information addr = int(dest.ptr) size = data.size // 8 content = hex(to_write).replace("0x", "").replace("L", "") content = "0" * (size * 2 - len(content)) + content content = decode_hex(content) if self.vm.is_little_endian(): content = content[::-1] # Write in VmMngr context self.vm.set_mem(addr, content)
def mem_write(self, dest, data): """Memory read wrapper for symbolic execution @dest: ExprMem instance @data: Expr instance""" # Get the content to write data = self.expr_simp(data) if not isinstance(data, m2_expr.ExprInt): raise RuntimeError("A simplification is missing: %s" % data) to_write = data.arg.arg # Format information addr = dest.ptr.arg.arg size = data.size // 8 content = hex(to_write).replace("0x", "").replace("L", "") content = "0" * (size * 2 - len(content)) + content content = decode_hex(content) if self.vm.is_little_endian(): content = content[::-1] # Write in VmMngr context self.cpu.set_mem(addr, content) self.vm.add_mem_write(addr, len(content))
def h2i(s): return decode_hex(s.replace(' ', ''))
def code_sentinelle(jitter): jitter.running = False jitter.pc = 0 return True machine = Machine("x86_32") loc_db = LocationDB() jitter = machine.jitter(loc_db, sys.argv[1]) jitter.init_stack() # nop # mov eax, 0x42 # XX data = decode_hex("90b842000000ffff90909090") # Will raise memory error at 0x40000006 error_raised = False def raise_me(jitter): global error_raised error_raised = True assert jitter.pc == 0x40000006 return False jitter.add_exception_handler(EXCEPT_UNK_MNEMO, raise_me)
FFFFFF800901EBF8 A2 63 00 91 ADD X2, X29, #0x18 FFFFFF800901EBFC 00 00 80 52 MOV W0, 1 FFFFFF800901EC00 C0 00 00 35 CBNZ W0, loc_FFFFFF800901EC18 FFFFFF800901EC04 A0 0F 40 F9 LDR X0, [X29,#0x20+var_8] FFFFFF800901EC08 1F 00 1F EB CMP X0, XZR FFFFFF800901EC0C 60 19 00 90 ADRP X0, #0xFFFFFF800934A6C4@PAGE FFFFFF800901EC10 E1 07 9F 1A CSET W1, NE FFFFFF800901EC14 01 C4 06 B9 STR W1, [X0,#0xFFFFFF800934A6C4@PAGEOFF] FFFFFF800901EC18 20 00 80 52 MOV W0, #1 FFFFFF800901EC1C FD 7B C2 A8 LDP X29, X30, [SP+0x20+var_20],#0x20 FFFFFF800901EC20 C0 03 5F D6 RET ''' jitter.vm.set_mem( 0xFFFFFF800901EBEC, decode_hex( "FD7BBEA901008052FD030091A263009100008052C0000035A00F40F91F001FEB60190090E1079F1A01C406B920008052FD7BC2A8C0035FD6" )) # print(jitter.vm) jitter.set_trace_log() jitter.exceptions_handler.callbacks[EXCEPT_BREAKPOINT_MEMORY] = [] jitter.add_exception_handler(EXCEPT_BREAKPOINT_MEMORY, mem_breakpoint_handler) jitter.vm.add_memory_breakpoint(0xFFFFFF8009080000, 0x8000000, PAGE_READ | PAGE_WRITE) jitter.init_run(0xFFFFFF800901EBEC) try: jitter.continue_run()
from miasm.core.locationdb import LocationDB from pdb import pm # Shellcode # main: # MOV EAX, 0x10 # MOV EBX, 0x1 # loop_main: # SUB EAX, 0x1 # CMOVZ ECX, EBX # JNZ loop_main # loop_end: # RET data = decode_hex("b810000000bb0100000083e8010f44cb75f8c3") run_addr = 0x40000000 loc_db = LocationDB() def code_sentinelle(jitter): jitter.running = False jitter.pc = 0 return True def init_jitter(loc_db): global data, run_addr # Create jitter myjit = Machine("x86_32").jitter(loc_db, sys.argv[1]) myjit.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, data)
import sys from pdb import pm from miasm.core.utils import decode_hex, encode_hex from miasm.jitter.csts import PAGE_READ, PAGE_WRITE from miasm.analysis.machine import Machine from miasm.expression.expression import ExprId, ExprAssign, ExprInt, ExprMem # Initial data: from 'example/samples/x86_32_sc.bin' data = decode_hex("8d49048d5b0180f90174058d5bffeb038d5b0189d8c3") # Init jitter myjit = Machine("x86_32").jitter(sys.argv[1]) myjit.init_stack() run_addr = 0x40000000 myjit.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, data) # Sentinelle called on terminate def code_sentinelle(jitter): jitter.run = False jitter.pc = 0 return True myjit.push_uint32_t(0x1337beef) myjit.add_breakpoint(0x1337beef, code_sentinelle) # Run myjit.init_run(run_addr) myjit.continue_run()
def process_messages(self): while self.recv_queue: msg = self.recv_queue.pop(0) buf = BytesIO(msg) msg_type = buf.read(1) self.send_queue.append(b"+") if msg_type == b"q": if msg.startswith(b"qSupported"): self.send_queue.append(b"PacketSize=3fff") elif msg.startswith(b"qC"): # Current thread self.send_queue.append(b"") elif msg.startswith(b"qAttached"): # Not supported self.send_queue.append(b"") elif msg.startswith(b"qTStatus"): # Not supported self.send_queue.append(b"") elif msg.startswith(b"qfThreadInfo"): # Not supported self.send_queue.append(b"") else: raise NotImplementedError() elif msg_type == b"H": # Set current thread self.send_queue.append(b"OK") elif msg_type == b"?": # Report why the target halted self.send_queue.append(self.status) # TRAP signal elif msg_type == b"g": # Report all general register values self.send_queue.append(self.report_general_register_values()) elif msg_type == b"p": # Read a specific register reg_num = int(buf.read(), 16) self.send_queue.append(self.read_register(reg_num)) elif msg_type == b"P": # Set a specific register reg_num, value = buf.read().split(b"=") reg_num = int(reg_num, 16) value = int(encode_hex(decode_hex(value)[::-1]), 16) self.set_register(reg_num, value) self.send_queue.append(b"OK") elif msg_type == b"m": # Read memory addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.send_queue.append(self.read_memory(addr, size)) elif msg_type == b"k": # Kill self.sock.close() self.send_queue = [] self.sock = None elif msg_type == b"!": # Extending debugging will be used self.send_queue.append(b"OK") elif msg_type == b"v": if msg == b"vCont?": # Is vCont supported ? self.send_queue.append(b"") elif msg_type == b"s": # Step self.dbg.step() self.send_queue.append(b"S05") # TRAP signal elif msg_type == b"Z": # Add breakpoint or watchpoint bp_type = buf.read(1) if bp_type == b"0": # Exec breakpoint assert (buf.read(1) == b",") addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) if size != 1: raise NotImplementedError("Bigger size") self.dbg.add_breakpoint(addr) self.send_queue.append(b"OK") elif bp_type == b"1": # Hardware BP assert (buf.read(1) == b",") addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.dbg.add_memory_breakpoint(addr, size, read=True, write=True) self.send_queue.append(b"OK") elif bp_type in [b"2", b"3", b"4"]: # Memory breakpoint assert (buf.read(1) == b",") read = bp_type in [b"3", b"4"] write = bp_type in [b"2", b"4"] addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.dbg.add_memory_breakpoint(addr, size, read=read, write=write) self.send_queue.append(b"OK") else: raise ValueError("Impossible value") elif msg_type == b"z": # Remove breakpoint or watchpoint bp_type = buf.read(1) if bp_type == b"0": # Exec breakpoint assert (buf.read(1) == b",") addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) if size != 1: raise NotImplementedError("Bigger size") dbgsoft = self.dbg.get_breakpoint_by_addr(addr) assert (len(dbgsoft) == 1) self.dbg.remove_breakpoint(dbgsoft[0]) self.send_queue.append(b"OK") elif bp_type == b"1": # Hardware BP assert (buf.read(1) == b",") addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.dbg.remove_memory_breakpoint_by_addr_access( addr, read=True, write=True) self.send_queue.append(b"OK") elif bp_type in [b"2", b"3", b"4"]: # Memory breakpoint assert (buf.read(1) == b",") read = bp_type in [b"3", b"4"] write = bp_type in [b"2", b"4"] addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.dbg.remove_memory_breakpoint_by_addr_access( addr, read=read, write=write) self.send_queue.append(b"OK") else: raise ValueError("Impossible value") elif msg_type == b"c": # Continue self.status = b"" self.send_messages() ret = self.dbg.run() if isinstance(ret, debugging.DebugBreakpointSoft): self.status = b"S05" self.send_queue.append(b"S05") # TRAP signal elif isinstance(ret, ExceptionHandle): if ret == ExceptionHandle.memoryBreakpoint(): self.status = b"S05" self.send_queue.append(b"S05") else: raise NotImplementedError("Unknown Except") elif isinstance(ret, debugging.DebugBreakpointTerminate): # Connection should close, but keep it running as a TRAP # The connection will be close on instance destruction print(ret) self.status = b"S05" self.send_queue.append(b"S05") else: raise NotImplementedError() else: raise NotImplementedError("Not implemented: message type %r" % msg_type)
print(jitter.vm) jitter.cpu.ESP = 0x10000 + 0x1000 jitter.push_uint32_t(0x0) jitter.push_uint32_t(0x1337beef) jitter.vm.reset_memory_access() print(hex(jitter.vm.get_exception())) # Add code, and keep memory write pending jitter.vm.add_memory_page(0x1000, PAGE_READ | PAGE_WRITE, b"\x00" * 0x1000, "code page") # MOV EAX, 0x11223344 # RET jitter.vm.set_mem(0x1000, decode_hex("B844332211C3")) jitter.set_trace_log() def do_not_raise_me(jitter): raise ValueError("Should not be here") jitter.exceptions_handler.callbacks[EXCEPT_BREAKPOINT_MEMORY] = [] jitter.add_exception_handler(EXCEPT_BREAKPOINT_MEMORY, do_not_raise_me) jitter.vm.add_memory_breakpoint(0x11000 - 4, 4, PAGE_READ | PAGE_WRITE) # The memory write pending will raise automod exception # The RET should not re evaluate PC @ [ESP+4] jitter.init_run(0x1000)
def code_sentinelle(jitter): jitter.run = False jitter.pc = 0 return True machine = Machine("x86_32") jitter = machine.jitter(sys.argv[1]) jitter.init_stack() # nop # mov eax, 0x42 # jmp 0x20 data = decode_hex("90b842000000eb20") # Will raise memory error at 0x40000028 error_raised = False def raise_me(jitter): global error_raised error_raised = True assert jitter.pc == 0x40000028 return False jitter.add_exception_handler(EXCEPT_ACCESS_VIOL, raise_me) run_addr = 0x40000000
from builtins import map from pdb import pm from future.utils import viewitems from miasm.core.utils import decode_hex from miasm.analysis.machine import Machine from miasm.analysis.binary import Container from miasm.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \ AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \ bbl_simplifier from miasm.core.graph import DiGraphSimplifier, MatchGraphJoker from miasm.expression.expression import ExprId # Initial data: from 'samples/simple_test.bin' data = decode_hex("5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3") cont = Container.from_string(data) # Test Disasm engine machine = Machine("x86_32") mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db) ## Disassembly of one block first_block = mdis.dis_block(0) assert len(first_block.lines) == 5 print(first_block) ## Test redisassemble asmcfg first_block_bis = mdis.dis_block(0) assert len(first_block.lines) == len(first_block_bis.lines) print(first_block_bis)
from miasm.analysis.machine import Machine from pdb import pm # Shellcode # main: # MOV EAX, 0x10 # MOV EBX, 0x1 # loop_main: # SUB EAX, 0x1 # CMOVZ ECX, EBX # JNZ loop_main # loop_end: # RET data = decode_hex("b810000000bb0100000083e8010f44cb75f8c3") run_addr = 0x40000000 def code_sentinelle(jitter): jitter.run = False jitter.pc = 0 return True def init_jitter(): global data, run_addr # Create jitter myjit = Machine("x86_32").jitter(sys.argv[1]) myjit.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, data) # Init jitter
def process_messages(self): while self.recv_queue: msg = self.recv_queue.pop(0) buf = BytesIO(msg) msg_type = buf.read(1) self.send_queue.append(b"+") if msg_type == b"q": if msg.startswith(b"qSupported"): self.send_queue.append(b"PacketSize=3fff") elif msg.startswith(b"qC"): # Current thread self.send_queue.append(b"") elif msg.startswith(b"qAttached"): # Not supported self.send_queue.append(b"") elif msg.startswith(b"qTStatus"): # Not supported self.send_queue.append(b"") elif msg.startswith(b"qfThreadInfo"): # Not supported self.send_queue.append(b"") else: raise NotImplementedError() elif msg_type == b"H": # Set current thread self.send_queue.append(b"OK") elif msg_type == b"?": # Report why the target halted self.send_queue.append(self.status) # TRAP signal elif msg_type == b"g": # Report all general register values self.send_queue.append(self.report_general_register_values()) elif msg_type == b"p": # Read a specific register reg_num = int(buf.read(), 16) self.send_queue.append(self.read_register(reg_num)) elif msg_type == b"P": # Set a specific register reg_num, value = buf.read().split(b"=") reg_num = int(reg_num, 16) value = int(encode_hex(decode_hex(value)[::-1]), 16) self.set_register(reg_num, value) self.send_queue.append(b"OK") elif msg_type == b"m": # Read memory addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.send_queue.append(self.read_memory(addr, size)) elif msg_type == b"k": # Kill self.sock.close() self.send_queue = [] self.sock = None elif msg_type == b"!": # Extending debugging will be used self.send_queue.append(b"OK") elif msg_type == b"v": if msg == b"vCont?": # Is vCont supported ? self.send_queue.append(b"") elif msg_type == b"s": # Step self.dbg.step() self.send_queue.append(b"S05") # TRAP signal elif msg_type == b"Z": # Add breakpoint or watchpoint bp_type = buf.read(1) if bp_type == b"0": # Exec breakpoint assert(buf.read(1) == b",") addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) if size != 1: raise NotImplementedError("Bigger size") self.dbg.add_breakpoint(addr) self.send_queue.append(b"OK") elif bp_type == b"1": # Hardware BP assert(buf.read(1) == b",") addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.dbg.add_memory_breakpoint( addr, size, read=True, write=True ) self.send_queue.append(b"OK") elif bp_type in [b"2", b"3", b"4"]: # Memory breakpoint assert(buf.read(1) == b",") read = bp_type in [b"3", b"4"] write = bp_type in [b"2", b"4"] addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.dbg.add_memory_breakpoint( addr, size, read=read, write=write ) self.send_queue.append(b"OK") else: raise ValueError("Impossible value") elif msg_type == b"z": # Remove breakpoint or watchpoint bp_type = buf.read(1) if bp_type == b"0": # Exec breakpoint assert(buf.read(1) == b",") addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) if size != 1: raise NotImplementedError("Bigger size") dbgsoft = self.dbg.get_breakpoint_by_addr(addr) assert(len(dbgsoft) == 1) self.dbg.remove_breakpoint(dbgsoft[0]) self.send_queue.append(b"OK") elif bp_type == b"1": # Hardware BP assert(buf.read(1) == b",") addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.dbg.remove_memory_breakpoint_by_addr_access( addr, read=True, write=True ) self.send_queue.append(b"OK") elif bp_type in [b"2", b"3", b"4"]: # Memory breakpoint assert(buf.read(1) == b",") read = bp_type in [b"3", b"4"] write = bp_type in [b"2", b"4"] addr, size = (int(x, 16) for x in buf.read().split(b",", 1)) self.dbg.remove_memory_breakpoint_by_addr_access( addr, read=read, write=write ) self.send_queue.append(b"OK") else: raise ValueError("Impossible value") elif msg_type == b"c": # Continue self.status = b"" self.send_messages() ret = self.dbg.run() if isinstance(ret, debugging.DebugBreakpointSoft): self.status = b"S05" self.send_queue.append(b"S05") # TRAP signal elif isinstance(ret, ExceptionHandle): if ret == ExceptionHandle.memoryBreakpoint(): self.status = b"S05" self.send_queue.append(b"S05") else: raise NotImplementedError("Unknown Except") elif isinstance(ret, debugging.DebugBreakpointTerminate): # Connexion should close, but keep it running as a TRAP # The connexion will be close on instance destruction print(ret) self.status = b"S05" self.send_queue.append(b"S05") else: raise NotImplementedError() else: raise NotImplementedError( "Not implemented: message type %r" % msg_type )
import sys from pdb import pm from miasm.core.utils import decode_hex, encode_hex from miasm.jitter.csts import PAGE_READ, PAGE_WRITE from miasm.analysis.machine import Machine from miasm.expression.expression import ExprId, ExprAssign, ExprInt, ExprMem from miasm.core.locationdb import LocationDB # Initial data: from 'example/samples/x86_32_sc.bin' data = decode_hex("8d49048d5b0180f90174058d5bffeb038d5b0189d8c3") loc_db = LocationDB() # Init jitter myjit = Machine("x86_32").jitter(loc_db, sys.argv[1]) myjit.init_stack() run_addr = 0x40000000 myjit.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, data) # Sentinelle called on terminate def code_sentinelle(jitter): jitter.running = False jitter.pc = 0 return True myjit.push_uint32_t(0x1337beef) myjit.add_breakpoint(0x1337beef, code_sentinelle)
def code_sentinelle(jitter): jitter.run = False jitter.pc = 0 return True machine = Machine("x86_32") jitter = machine.jitter(sys.argv[1]) jitter.init_stack() # nop # mov eax, 0x42 # jmp 0x20 data = decode_hex("90b842000000eb20") # Will raise memory error at 0x40000028 error_raised = False def raise_me(jitter): global error_raised error_raised = True assert jitter.pc == 0x40000028 return False jitter.add_exception_handler(EXCEPT_ACCESS_VIOL, raise_me)