def test_findbytes():
    """Check procmem.findbytesv pattern searches on flat and region-mapped memory."""
    # Layout: one 0x1000-byte page of spaces, then a marker string run through
    # pad.null(..., 0x10000), loaded at base 0x400000.
    marker = pad.null(
        b"\xffoo\x00bar thisis0test\n hAAAA\xc3\xc0\xc2\xc4\n\n\x10\x2f\x1f\x1a\x1b\x1f\x1d\xbb\xcc\xdd\xff", 0x10000)
    mem = procmem(b" " * 0x1000 + marker, base=0x400000)

    # Patterns are hex byte strings in which "?" stands for any nibble; the
    # call is exercised with both str and bytes patterns. Every hit is
    # reported as a virtual address, so all matches sit above 0x401000.
    expected_hits = (
        ("c? c? c? 0A", [0x40101B]),
        (b"1f ?? ?b", [0x401022, 0x401025]),
        ("?f ?? ?? 00", [0x401000, 0x40102A]),
    )
    for pattern, addresses in expected_hits:
        assert list(mem.findbytesv(pattern)) == addresses

    # A fully specified needle must match byte-for-byte: without the "\n"
    # that the marker contains there is no hit, with it there is one.
    assert not list(mem.findbytesv(enhex(b"test hAAAA")))
    assert list(mem.findbytesv(enhex(b"test\n hAAAA")))

    # Four 0x1000-byte pages of "a".."d" mapped through explicit regions. The
    # last page is mapped at 0x410000 rather than right after the third one,
    # so a hit in the "d" page must be reported at the region's address and
    # not at base + payload offset.
    page = 0x1000
    blob = b"".join(fill * page for fill in (b"a", b"b", b"c", b"d"))
    layout = [
        # presumably the final positional argument is the offset into the
        # payload - the assertion below is consistent with that reading.
        Region(va, page, 0, 0, 0, offset)
        for va, offset in (
            (0x400000, 0),
            (0x401000, 0x1000),
            (0x402000, 0x2000),
            (0x410000, 0x3000),
        )
    ]
    mapped = procmem(blob, regions=layout)
    assert next(mapped.findbytesv(enhex(b"dddd"))) == 0x410000
def cit_aes_xor(self, p, addr):
    """Build the 'aes_xor' config value from xor operands found at *addr*.

    Disassembles the 40 bytes read from ``p`` at ``addr``, takes the second
    operand's ``value`` from each ``xor`` instruction (at most four of them),
    packs each with ``p32`` and returns the concatenation hex-encoded.

    Args:
        p: memory object providing ``readv(addr, size)``.
        addr: virtual address where the match was reported.

    Returns:
        dict with the single key ``'aes_xor'``.
    """
    log.info('[+] Found aes_xor key @ %X' % addr)

    code = p.readv(addr, 40)
    xor_values = []
    for insn in disasm(code, addr):
        # Stop as soon as four values have been collected.
        if len(xor_values) == 4:
            break
        if insn.mnem != 'xor':
            continue
        # NOTE(review): assumes op2 is an immediate so that .value is an
        # integer p32 can pack - confirm against the disassembler's operand
        # model.
        xor_values.append(insn.op2.value)

    # NOTE(review): if fewer than four xor instructions decode inside the
    # 40-byte window, the key is built from fewer values and is returned
    # without any warning; consumers of the extracted config should confirm
    # the key length before using it.
    packed = b''.join(p32(value) for value in xor_values)
    return {'aes_xor': malduck.enhex(packed)}
def test_hash():
    """Pin crc32 and the md5/sha* helpers to their known values for b"hello"."""
    message = b"hello"

    # crc32 is compared as an integer, not as a hex string.
    assert crc32(message) == 0x3610a686

    # Each digest helper is compared hex-encoded; enhex yields bytes here.
    # MD5 and SHA-1 are not collision-resistant; this test only pins their
    # output values.
    known_digests = (
        (md5, b"5d41402abc4b2a76b9719d911017c592"),
        (sha1, b"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"),
        (sha224, b"ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193"),
        (sha256,
         b"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"),
        (sha384,
         b"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f"),
        (sha512,
         b"9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72"
         b"323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043"),
    )
    for digest, hex_value in known_digests:
        assert enhex(digest(message)) == hex_value
def test_hex():
    """Check that enhex and unhex convert b"hello" to and from its hex form."""
    raw = b"hello"

    # enhex returns the hex digits as bytes, not str.
    assert enhex(raw) == b"68656c6c6f"

    # unhex is given a str here and returns the decoded bytes.
    assert unhex("68656c6c6f") == raw