def compute_txt(ir, mode, txt, inputstate={}, debug=False):
blocs, symbol_pool = parse_asm.parse_txt(mn, mode, txt)
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
patches = asmbloc.asm_resolve_final(mn, blocs[0], symbol_pool)
interm = ir(symbol_pool)
for bbl in blocs[0]:
interm.add_bloc(bbl)
return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
blocs, symbol_pool = parse_asm.parse_txt(mn, mode, txt)
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
resolved_b, patches = asmbloc.asm_resolve_final(mn, blocs[0], symbol_pool)
interm = ir(symbol_pool)
for bbl in resolved_b:
interm.add_bloc(bbl)
return symb_exec(interm, inputstate, debug)
def asm(self):
blocs, symbol_pool = parse_asm.parse_txt(mn_aarch64, "l", self.TXT, symbol_pool=self.myjit.ir_arch.symbol_pool)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
s = StrPatchwork()
patches = asmbloc.asm_resolve_final(mn_aarch64, blocs, symbol_pool)
for offset, raw in patches.items():
s[offset] = raw
self.assembly = str(s)
def asm(self):
blocs, symbol_pool = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT,
symbol_pool = self.myjit.ir_arch.symbol_pool)
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
s = StrPatchwork()
patches = asmbloc.asm_resolve_final(mn_aarch64, blocs, symbol_pool)
for offset, raw in patches.items():
s[offset] = raw
self.assembly = str(s)
def assemble_text(src_text, symbols=[], mach_name="x86_64", mach_attr=64):
# 指定アーキテクチャのニーモニックを取得
mnemo = Machine(mach_name).mn
# セクションとシンボルの取得
sections, symbol_pool = parse_asm.parse_txt(mnemo, mach_attr, src_text)
# シンボル毎のアドレスを設定
for name, addr in symbols:
symbol_pool.set_offset(symbol_pool.getby_name(name), addr)
# アセンブル
patches = asmbloc.asm_resolve_final(mnemo, sections[0], symbol_pool)
# アセンブル結果の構築
patch_worker = StrPatchwork()
for offset, raw in patches.items():
patch_worker[offset] = raw
return str(patch_worker)
def assemble_text(src_text, symbols=[], mach_name="x86_64", mach_attr=64):
# 指定アーキテクチャのニーモニックを取得
mnemo = Machine(mach_name).mn
# セクションとシンボルの取得
sections, symbol_pool = parse_asm.parse_txt(mnemo, mach_attr, src_text)
# シンボル毎のアドレスを設定
for name, addr in symbols:
symbol_pool.set_offset(symbol_pool.getby_name(name), addr)
# アセンブル
patches = asmbloc.asm_resolve_final(mnemo, sections[0], symbol_pool)
# アセンブル結果の構築
patch_worker = StrPatchwork()
for offset, raw in patches.items():
patch_worker[offset] = raw
return str(patch_worker)
def test_DirectiveDontSplit(self):
from miasm2.arch.x86.arch import mn_x86
from miasm2.core.parse_asm import parse_txt
from miasm2.core.asmbloc import asm_resolve_final
ASM0 = '''
lbl0:
INC EAX
JNZ lbl0
INC EAX
JZ lbl2
lbl1:
NOP
JMP lbl0
.dontsplit
lbl2:
MOV EAX, ECX
RET
.dontsplit
lbl3:
ADD EAX, EBX
.dontsplit
lbl4:
.align 0x10
.string "test"
lbl5:
.string "toto"
'''
blocks, symbol_pool = parse_txt(mn_x86, 32, ASM0)
patches = asm_resolve_final(mn_x86,
blocks,
symbol_pool)
lbls = []
for i in xrange(6):
lbls.append(symbol_pool.getby_name('lbl%d' % i))
# align test
assert(lbls[5].offset % 0x10 == 0)
lbl2block = {}
for block in blocks:
lbl2block[block.label] = block
# dontsplit test
assert(lbls[2] == lbl2block[lbls[1]].get_next())
assert(lbls[3] == lbl2block[lbls[2]].get_next())
assert(lbls[4] == lbl2block[lbls[3]].get_next())
assert(lbls[5] == lbl2block[lbls[4]].get_next())
def test_DirectiveDontSplit(self):
from miasm2.arch.x86.arch import mn_x86
from miasm2.core.parse_asm import parse_txt
from miasm2.core.asmbloc import asm_resolve_final
ASM0 = '''
lbl0:
INC EAX
JNZ lbl0
INC EAX
JZ lbl2
lbl1:
NOP
JMP lbl0
.dontsplit
lbl2:
MOV EAX, ECX
RET
.dontsplit
lbl3:
ADD EAX, EBX
.dontsplit
lbl4:
.align 0x10
.string "test"
lbl5:
.string "toto"
'''
blocks, symbol_pool = parse_txt(mn_x86, 32, ASM0)
patches = asm_resolve_final(mn_x86, blocks, symbol_pool)
lbls = []
for i in xrange(6):
lbls.append(symbol_pool.getby_name('lbl%d' % i))
# align test
assert (lbls[5].offset % 0x10 == 0)
lbl2block = {}
for block in blocks:
lbl2block[block.label] = block
# dontsplit test
assert (lbls[2] == lbl2block[lbls[1]].get_next())
assert (lbls[3] == lbl2block[lbls[2]].get_next())
assert (lbls[4] == lbl2block[lbls[3]].get_next())
assert (lbls[5] == lbl2block[lbls[4]].get_next())
# Fix shellcode addrs
symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main)
if args.PE:
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
pe.DirImport.get_funcvirt('MessageBoxA'))
# Print and graph firsts blocs before patching it
for bloc in blocs[0]:
print bloc
graph = asmbloc.bloc2graph(blocs[0])
open("graph.txt", "w").write(graph)
# Apply patches
resolved_b, patches = asmbloc.asm_resolve_final(machine.mn,
blocs[0],
symbol_pool)
if args.encrypt:
# Encrypt code
ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset
ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset
new_patches = dict(patches)
for ad, val in patches.items():
if ad_start <= ad < ad_stop:
new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val])
patches = new_patches
print patches
for offset, raw in patches.items():
virt[offset] = raw
# Fix shellcode addrs
symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main)
if args.PE:
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
pe.DirImport.get_funcvirt('MessageBoxA'))
# Print and graph firsts blocs before patching it
for bloc in blocs[0]:
print bloc
graph = asmbloc.bloc2graph(blocs[0])
open("graph.txt", "w").write(graph)
# Apply patches
patches = asmbloc.asm_resolve_final(machine.mn, blocs[0], symbol_pool,
dst_interval)
if args.encrypt:
# Encrypt code
ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset
ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset
new_patches = dict(patches)
for ad, val in patches.items():
if ad_start <= ad < ad_stop:
new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val])
patches = new_patches
print patches
for offset, raw in patches.items():
virt[offset] = raw
LDR R3, [PC, mykey1-$]
loop:
ADD R2, R1, R2
ADD R1, R1, 1
LDR R3, [PC, mykey2-$]
CMP R1, R3
BEQ loop
ADD R0, R1, R2
BX LR
mykey1:
.long 0x1
mykey2:
.long 0x2
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0)
for b in blocs[0]:
print b
resolved_b, patches = asmbloc.asm_resolve_final(
mn_arm, blocs[0], symbol_pool)
print patches
for offset, raw in patches.items():
st[offset] = raw
open('arm_sc.bin', 'wb').write(str(st))
# Fix shellcode addrs
symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main)
if args.PE:
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA'))
# Print and graph firsts blocs before patching it
for bloc in blocs:
print bloc
open("graph.dot", "w").write(blocs.dot())
# Apply patches
patches = asmbloc.asm_resolve_final(machine.mn,
blocs,
symbol_pool,
dst_interval)
if args.encrypt:
# Encrypt code
ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset
ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset
new_patches = dict(patches)
for ad, val in patches.items():
if ad_start <= ad < ad_stop:
new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val])
patches = new_patches
print patches
if isinstance(virt, StrPatchwork):
for offset, raw in patches.items():
MOV RDX, msg
MOV RCX, 0x0
MOV RAX, QWORD PTR [ MessageBoxA ]
CALL RAX
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr))
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
e.DirImport.get_funcvirt('MessageBoxA'))
e.Opthdr.AddressOfEntryPoint = s_text.addr
for b in blocs[0]:
print b
resolved_b, patches = asmbloc.asm_resolve_final(
mn_x86, blocs[0], symbol_pool,
max_offset=0xFFFFFFFFFFFFFFFF)
print patches
for offset, raw in patches.items():
e.virt[offset] = raw
open('box_x86_64.bin', 'wb').write(str(e))
ADDIU A2, A2, 0x1
MOVN A1, ZERO, ZERO
JR RA
ADDIU A2, A2, 0x1
'''
blocs_b, symbol_pool_b = parse_asm.parse_txt(mn_mips32, "b", txt)
blocs_l, symbol_pool_l = parse_asm.parse_txt(mn_mips32, "l", txt)
# fix shellcode addr
symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0)
symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0)
for b in blocs_b[0]:
print b
resolved_b, patches_b = asmbloc.asm_resolve_final(
mn_mips32, blocs_b[0], symbol_pool_b)
resolved_l, patches_l = asmbloc.asm_resolve_final(
mn_mips32, blocs_l[0], symbol_pool_l)
print patches_b
print patches_l
for offset, raw in patches_b.items():
st_b[offset] = raw
for offset, raw in patches_l.items():
st_l[offset] = raw
open('mips32_sc_b.bin', 'wb').write(str(st_l))
open('mips32_sc_l.bin', 'wb').write(str(st_l))
# fix shellcode addr
symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0)
symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0)
# graph sc####
g = asmbloc.bloc2graph(blocs_b[0])
open("graph.txt", "w").write(g)
s_b = StrPatchwork()
s_l = StrPatchwork()
print "symbols"
print symbol_pool_b
# dont erase from start to shell code padading
resolved_b, patches_b = asmbloc.asm_resolve_final(
my_mn, blocs_b[0], symbol_pool_b)
resolved__l, patches_l = asmbloc.asm_resolve_final(
my_mn, blocs_l[0], symbol_pool_l)
print patches_b
print patches_l
for offset, raw in patches_b.items():
s_b[offset] = raw
for offset, raw in patches_l.items():
s_l[offset] = raw
open('demo_armt_b.bin', 'wb').write(str(s_b))
open('demo_armt_l.bin', 'wb').write(str(s_l))
blocs_b, symbol_pool_b = parse_asm.parse_txt(my_mn, "b", txt)
blocs_l, symbol_pool_l = parse_asm.parse_txt(my_mn, "l", txt)
# fix shellcode addr
symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0x0)
symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0x0)
# graph sc####
g = asmbloc.bloc2graph(blocs_l[0])
open("graph.txt", "w").write(g)
s_b = StrPatchwork()
s_l = StrPatchwork()
print "symbols"
print symbol_pool_l
# dont erase from start to shell code padading
resolved_b, patches_b = asmbloc.asm_resolve_final(my_mn, blocs_b[0],
symbol_pool_b)
resolved_l, patches_l = asmbloc.asm_resolve_final(my_mn, blocs_l[0],
symbol_pool_l)
print patches_b
for offset, raw in patches_b.items():
s_b[offset] = raw
for offset, raw in patches_l.items():
s_l[offset] = raw
open('demo_arm_b.bin', 'w').write(str(s_b))
open('demo_arm_l.bin', 'w').write(str(s_l))
# Assemble code
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, '''
main:
MOV EAX, 1
MOV EBX, 2
MOV ECX, 2
MOV DX, 2
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
# Set 'main' label's offset
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
# Spread information and resolve instructions offset
resolved_b, patches = asmbloc.asm_resolve_final(mn_x86, blocs[0], symbol_pool)
# Show resolved blocs
for bloc in resolved_b:
print bloc
# Print offset -> bytes
pprint(patches)
MOV RCX, 0x0
MOV RAX, QWORD PTR [ MessageBoxA ]
CALL RAX
RET
title:
.string "Hello!"
msg:
.string "World!"
''')
# fix shellcode addr
symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr))
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
e.DirImport.get_funcvirt('MessageBoxA'))
e.Opthdr.AddressOfEntryPoint = s_text.addr
for b in blocs[0]:
print b
resolved_b, patches = asmbloc.asm_resolve_final(mn_x86,
blocs[0],
symbol_pool,
max_offset=0xFFFFFFFFFFFFFFFF)
print patches
for offset, raw in patches.items():
e.virt[offset] = raw
open('box_x86_64.bin', 'wb').write(str(e))
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0)
for b in blocs:
print b
print "symbols:"
print symbol_pool
patches = asmbloc.asm_resolve_final(mn_x86, blocs, symbol_pool)
# Translate to IR
ir_arch = ir_a_x86_32(symbol_pool)
for b in blocs:
print 'add bloc'
print b
ir_arch.add_bloc(b)
# Display IR
for lbl, b in ir_arch.blocs.items():
print b
# Dead propagation
open('graph.dot', 'w').write(ir_arch.graph.dot())
print '*' * 80
# Fix shellcode addrs
symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main)
if args.PE:
symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
pe.DirImport.get_funcvirt('MessageBoxA'))
# Print and graph firsts blocs before patching it
for bloc in blocs[0]:
print bloc
graph = asmbloc.bloc2graph(blocs[0])
open("graph.txt", "w").write(graph)
# Apply patches
resolved_b, patches = asmbloc.asm_resolve_final(machine.mn, blocs[0],
symbol_pool)
if args.encrypt:
# Encrypt code
ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset
ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset
new_patches = dict(patches)
for ad, val in patches.items():
if ad_start <= ad < ad_stop:
new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val])
patches = new_patches
print patches
for offset, raw in patches.items():
virt[offset] = raw
