def _getbytes(self, start, l=1):
out = []
for ad in range(l):
offset = ad + start + self.base_address
if not is_mapped(offset):
raise IOError("not enough bytes")
out.append(int_to_byte(get_wide_byte(offset)))
return b''.join(out)
def xxx_memset(jitter):
'''
#include <string.h>
void *memset(void *s, int c, size_t n);
fills the first n bytes of the memory area pointed to by s with the constant
byte c.'''
ret_addr, args = jitter.func_args_systemv(['dest', 'c', 'n'])
jitter.vm.set_mem(args.dest, int_to_byte(args.c & 0xFF) * args.n)
return jitter.func_ret_systemv(ret_addr, args.dest)
def xxx_memset(jitter):
'''
#include <string.h>
void *memset(void *s, int c, size_t n);
fills the first n bytes of the memory area pointed to by s with the constant
byte c.'''
ret_addr, args = jitter.func_args_systemv(['dest', 'c', 'n'])
jitter.vm.set_mem(args.dest, int_to_byte(args.c & 0xFF) * args.n)
return jitter.func_ret_systemv(ret_addr, args.dest)
"--verbose",
help="verbose mode",
action="store_true")
options = parser.parse_args()
if options.endianness == 'b':
sandbox = Sandbox_Linux_armb_str
elif options.endianness == 'l':
sandbox = Sandbox_Linux_arml_str
else:
raise ValueError("Bad endianness!")
loc_db = LocationDB()
sb = sandbox(loc_db, options.filename, options, globals())
if options.address is None:
raise ValueError('invalid address')
sb.run()
# test correct de xor
start = sb.jitter.cpu.R0
stop = sb.jitter.cpu.R1
s = sb.jitter.vm.get_mem(start, stop - start)
s = StrPatchwork(s)
for i, c in enumerate(s):
s[i] = int_to_byte(ord(c) ^ 0x11)
s = bytes(s)
assert (s == b"test string\x00")
assert jitter.vm.get_mem(cont.get_addr(), len(cont)) == b'\x01\x02\x03\x04'
# Union test
class UniStruct(MemStruct):
fields = [
("one", Num("B")),
("union", Union([
("instruct", InStruct),
("i", Num(">I")),
])),
("last", Num("B")),
]
uni = UniStruct(jitter.vm)
jitter.vm.set_mem(uni.get_addr(), b''.join(int_to_byte(x) for x in range(len(uni))))
assert len(uni) == 6 # 1 + max(InStruct.sizeof(), 4) + 1
assert uni.one == 0x00
assert uni.union.instruct.foo == 0x01
assert uni.union.instruct.bar == 0x02
assert uni.union.i == 0x01020304
assert uni.last == 0x05
uni.union.instruct.foo = 0x02
assert uni.union.i == 0x02020304
uni.union.i = 0x11223344
assert uni.union.instruct.foo == 0x11
assert uni.union.instruct.bar == 0x22
# BitField test
class BitStruct(MemUnion):
found = True
break
finfo = FILE_to_info_symb[FILE_stream]
for sol_ident, model in viewitems(dse.new_solutions):
# Build the file corresponding to solution in 'model'
out = []
fsize = max(
model.eval(dse.z3_trans.from_expr(FILE_size)).as_long(),
len(finfo.gen_bytes))
for index in range(fsize):
try:
byteid = finfo.gen_bytes[index]
out.append(
int_to_byte(
model.eval(dse.z3_trans.from_expr(byteid)).as_long()))
except (KeyError, AttributeError) as _:
# Default value if there is no constraint on current byte
out.append(b"\x00")
todo.add(b"".join(out))
# Assert that the result has been found
assert found == True
print("FOUND !")
TEMP_FILE.close()
# Replay for real
if not is_win:
print("Trying to launch the binary without Miasm")
if finish_info.string == b"OK":
# Stop if the expected result is found
found = True
break
finfo = FILE_to_info_symb[FILE_stream]
for sol_ident, model in viewitems(dse.new_solutions):
# Build the file corresponding to solution in 'model'
out = []
fsize = max(model.eval(dse.z3_trans.from_expr(FILE_size)).as_long(),
len(finfo.gen_bytes))
for index in range(fsize):
try:
byteid = finfo.gen_bytes[index]
out.append(int_to_byte(model.eval(dse.z3_trans.from_expr(byteid)).as_long()))
except (KeyError, AttributeError) as _:
# Default value if there is no constraint on current byte
out.append(b"\x00")
todo.add(b"".join(out))
# Assert that the result has been found
assert found == True
print("FOUND !")
TEMP_FILE.close()
# Replay for real
if not is_win:
print("Trying to launch the binary without Miasm")
parser.add_argument('-v', "--verbose",
help="verbose mode", action="store_true")
options = parser.parse_args()
if options.endianness == 'b':
sandbox = Sandbox_Linux_armb_str
elif options.endianness == 'l':
sandbox = Sandbox_Linux_arml_str
else:
raise ValueError("Bad endianness!")
sb = sandbox(options.filename, options, globals())
if options.address is None:
raise ValueError('invalid address')
sb.run()
# test correct de xor
start = sb.jitter.cpu.R0
stop = sb.jitter.cpu.R1
s = sb.jitter.vm.get_mem(start, stop-start)
s = StrPatchwork(s)
for i, c in enumerate(s):
s[i] = int_to_byte(ord(c)^0x11)
s = bytes(s)
assert(s == b"test string\x00")
def compute_checksum(self, data):
return encode_hex(int_to_byte(sum(map(ord, data)) % 256))
# Print and graph firsts blocks before patching it
for block in asmcfg.blocks:
print(block)
open("graph.dot", "w").write(asmcfg.dot())
# Apply patches
patches = asmblock.asm_resolve_final(machine.mn, asmcfg, dst_interval)
if args.encrypt:
# Encrypt code
loc_start = loc_db.get_or_create_name_location(args.encrypt[0])
loc_stop = loc_db.get_or_create_name_location(args.encrypt[1])
ad_start = loc_db.get_location_offset(loc_start)
ad_stop = loc_db.get_location_offset(loc_stop)
for ad, val in list(viewitems(patches)):
if ad_start <= ad < ad_stop:
patches[ad] = b"".join(
int_to_byte(ord(x) ^ 0x42) for x in iterbytes(val))
print(patches)
if isinstance(virt, StrPatchwork):
for offset, raw in viewitems(patches):
virt[offset] = raw
else:
for offset, raw in viewitems(patches):
virt.set(offset, raw)
# Produce output
open(args.output, 'wb').write(bytes(output))
# Union test
class UniStruct(MemStruct):
fields = [
("one", Num("B")),
("union", Union([
("instruct", InStruct),
("i", Num(">I")),
])),
("last", Num("B")),
]
uni = UniStruct(jitter.vm)
jitter.vm.set_mem(uni.get_addr(),
b''.join(int_to_byte(x) for x in range(len(uni))))
assert len(uni) == 6 # 1 + max(InStruct.sizeof(), 4) + 1
assert uni.one == 0x00
assert uni.union.instruct.foo == 0x01
assert uni.union.instruct.bar == 0x02
assert uni.union.i == 0x01020304
assert uni.last == 0x05
uni.union.instruct.foo = 0x02
assert uni.union.i == 0x02020304
uni.union.i = 0x11223344
assert uni.union.instruct.foo == 0x11
assert uni.union.instruct.bar == 0x22
# BitField test
class BitStruct(MemUnion):
def compute_checksum(self, data):
return encode_hex(int_to_byte(sum(map(ord, data)) % 256))
# Apply patches
patches = asmblock.asm_resolve_final(
machine.mn,
asmcfg,
loc_db,
dst_interval
)
if args.encrypt:
# Encrypt code
loc_start = loc_db.get_or_create_name_location(args.encrypt[0])
loc_stop = loc_db.get_or_create_name_location(args.encrypt[1])
ad_start = loc_db.get_location_offset(loc_start)
ad_stop = loc_db.get_location_offset(loc_stop)
for ad, val in list(viewitems(patches)):
if ad_start <= ad < ad_stop:
patches[ad] = b"".join(int_to_byte(ord(x) ^ 0x42) for x in iterbytes(val))
print(patches)
if isinstance(virt, StrPatchwork):
for offset, raw in viewitems(patches):
virt[offset] = raw
else:
for offset, raw in viewitems(patches):
virt.set(offset, raw)
# Produce output
open(args.output, 'wb').write(bytes(output))
