def hookHandlerNative():
"""Address of the func name as returned by getMethodName is pointed by
EAX+0x08 However, unlike the published AVM source code claims, setNative
function in the NPSWF32 has an additional check before the correct function
address is assigned to the MethodInfo object. That logic is reimplemented
here."""
global GBP
address = pykd.ptrPtr(pykd.reg("eax")+0x8)
comp_byte = pykd.ptrByte(pykd.ptrPtr(pykd.reg("esp")+0x18) + 0x38)
if comp_byte > 0:
nativefunc = pykd.ptrPtr(pykd.reg("esi")+0x28)
else:
nativefunc = pykd.ptrPtr(pykd.reg("esi")+0x24)
if pykd.isValid(address):
methodName = pykd.loadCStr(address)
if pykd.isValid(nativefunc):
print "[^] NATIVE METHOD: at 0x%x \t offset: 0x%x \tName: %s" % \
(nativefunc,nativefunc-NPS['base_addr'],
methodName.decode("utf-8","replace"))
if NPS["TraceNative"] and methodName not in GBP['BP_FUNCS'] and\
methodName not in GBP['BP_RFUNCS']:
if NPS["Debug"]:
print "[Debug] Setting bp for tracing on 0x%x" % nativefunc
GBP[nativefunc] = pykd.setBp(nativefunc, lambda: functionHandler(methodName))
func_breakpoints(methodName.decode("utf-8","replace"), nativefunc)
else:
print "[!] No native function found. Something is likely wrong!!!"
return pykd.executionStatus.NoChange
def print_nline_ptrs(self, start_addr, line_num):
for i in range(line_num):
pykd.dprint("{:02d}:{:04x}| ".format(i, i * PTRSIZE))
addr = start_addr + i * PTRSIZE
if not pykd.isValid(addr):
print_err("Invalid memory address: {:#x}".format(addr))
break
else:
self.print_ptrs(addr)
def hookHandlerInterp():
"""..."""
global GBP
# address of the func name as returned by getMethodName
address = pykd.ptrPtr(pykd.reg("eax")+0x8)
if pykd.isValid(address):
methodName = pykd.loadCStr(address)
GBP['INTERP_RET'] = pykd.setBp((NPS["SetInterpRet"]-4),
lambda: hookHandlerInterpRet(methodName))
return pykd.executionStatus.NoChange
def to_addr(val):
""" Convert a value to a memory address """
try:
addr = to_int(get_expr(val))
if pykd.isValid(addr):
return addr & context.PTRMASK
except:
pass
return None
def print_general_regs(self):
for reg_name in self.context.regs_name:
reg_data = self.context.regs[reg_name]
reg_str = '{:3}: '.format(reg_name.upper())
reg_color = self.set_reg_color(reg_name,
color_changed=color.red,
color_unchanged=color.lime)
pykd.dprint(reg_color(reg_str), dml=True)
if pykd.isValid(reg_data): # reg_data is a pointer
self.print_ptrs(reg_data)
else:
pykd.dprintln("{:#x}".format(reg_data))
def hookHandlerJit():
"""Unlike setNative, setJit is a fairly simple in that the GprMethodProc
parameted contains the resolved address of the jitted function.
We simply need to read that register value."""
global GBP
# address of the func name as returned by getMethodName
address = pykd.ptrPtr(pykd.reg("eax")+0x8)
# address of the jitted function
jitfunc = pykd.ptrPtr(pykd.reg("esp")+0x28)
if pykd.isValid(address):
methodName = pykd.loadCStr(address)
if pykd.isValid(jitfunc):
print "[&] JITTED METHOD: at 0x%x \t offset: 0x%x \t\tName: %s" %\
(jitfunc,0,methodName.decode("utf-8","replace"))
if NPS["TraceJit"] and methodName not in GBP['BP_FUNCS'] and\
methodName not in GBP['BP_RFUNCS']:
if NPS["Debug"]:
print "[Debug] Setting bp for tracing on 0x%x" % jitfunc
GBP[jitfunc] = pykd.setBp(jitfunc, lambda: functionHandler(methodName))
func_breakpoints(methodName.decode("utf-8","replace"), jitfunc)
else:
print "[!] No jitted function found. Something is likely wrong!!!"
return pykd.executionStatus.NoChange
def hookHandlerInterpRet(methodName):
"""..."""
global GBP
interpfunc = pykd.reg("eax")
if pykd.isValid(interpfunc):
print "[#] INTERP STUB: at 0x%x \t offset: 0x%x \t\tName: %s" %\
(interpfunc,0,methodName.decode("utf-8","replace"))
if NPS["TraceInterp"] and methodName not in GBP['BP_FUNCS'] and\
methodName not in GBP['BP_RFUNCS']:
if NPS["Debug"]:
print "[Debug] Setting bp for tracing on 0x%x" % interpfunc
GBP[interpfunc] = pykd.setBp(interpfunc, lambda: functionHandler(methodName))
func_breakpoints(methodName.decode("utf-8","replace"), interpfunc)
else:
print "[!] No interp stub found. Something is likely wrong!!!"
try:
del GBP['INTERP_RET']
except KeyError:
pass
return pykd.executionStatus.NoChange
def is_address(self, value): if is_int(value): return pykd.isValid(value) else: return False
def testVaValid(self):
self.assertTrue(pykd.isValid(target.module.begin()))
self.assertFalse(pykd.isValid(0))
self.assertFalse(pykd.isValid(0xDEADBEAF))
def _meta_object_id_of_frame(frame):
id_addr = _meta_object_addr_of_frame(frame) + 24
if isValid(id_addr):
return ptrWord(id_addr)
else:
return 0
def _meta_object_name_of_frame(frame):
name_addr = ptrPtr(_meta_object_addr_of_frame(frame) + 16)
if isValid(name_addr):
return loadWStr(name_addr)
else:
return ''
def _meta_object_name_of_frame(frame):
name_addr = ptrPtr(_meta_object_addr_of_frame(frame) + 16)
if isValid(name_addr):
return loadWStr(name_addr)
else:
return ''
def _meta_object_id_of_frame(frame):
id_addr = _meta_object_addr_of_frame(frame) + 24
if isValid(id_addr):
return ptrWord(id_addr)
else:
return 0
def testEnd(self):
self.assertEqual(target.module.size(),
target.module.end() - target.module.begin())
self.assertTrue(pykd.isValid(target.module.end() - 1))
def testSize(self):
self.assertNotEqual(0, target.module.size())
self.assertTrue(
pykd.isValid(target.module.begin() + target.module.size() - 1))
