def test_ParseTxt(self):
from miasm.arch.x86.arch import mn_x86
from miasm.core.parse_asm import parse_txt
loc_db = LocationDB()
ASM0 = '''
;
.LFB0:
.LA:
.text
.data
.bss
.string
.ustring
.byte 0 0x0
.byte a
.comm
.split
.dontsplit
.file
.cfi_0
label:
JMP EAX ;comment
'''
ASM1 = '''
.XXX
'''
self.assertTrue(parse_txt(mn_x86, 32, ASM0, loc_db))
self.assertRaises(ValueError, parse_txt, mn_x86, 32, ASM1, loc_db)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db)
ir_arch = ir(loc_db)
lbl = loc_db.get_name_location("main")
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False):
asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db)
ir_arch = ir(loc_db)
lbl = loc_db.get_name_location("main")
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(Lifter, mode, txt, inputstate={}, debug=False):
loc_db = LocationDB()
asmcfg = parse_asm.parse_txt(mn, mode, txt, loc_db)
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
patches = asmblock.asm_resolve_final(mn, asmcfg)
lifter = Lifter(loc_db)
lbl = loc_db.get_name_location("main")
ircfg = lifter.new_ircfg_from_asmcfg(asmcfg)
return symb_exec(lbl, lifter, ircfg, inputstate, debug)
def asm(self):
asmcfg = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, self.loc_db)
# fix shellcode addr
self.loc_db.set_location_offset(self.loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_aarch64, asmcfg)
for offset, raw in viewitems(patches):
s[offset] = raw
self.assembly = bytes(s)
def asm(self):
blocks, loc_db = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT,
loc_db = self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_x86, blocks, loc_db)
for offset, raw in viewitems(patches):
s[offset] = raw
s = bytes(s)
self.assembly = s
def asm(self):
blocks, loc_db = parse_asm.parse_txt(mn_mips32, 'l', self.TXT,
loc_db=self.myjit.ir_arch.loc_db)
# fix shellcode addr
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
s = StrPatchwork()
patches = asmblock.asm_resolve_final(mn_mips32, blocks, loc_db)
for offset, raw in viewitems(patches):
s[offset] = raw
s = bytes(s)
self.assembly = s
def asm(self):
mn_x86 = self.machine.mn
asmcfg = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT,
self.loc_db)
# fix shellcode addr
self.loc_db.set_location_offset(self.loc_db.get_name_location("main"),
0x0)
output = StrPatchwork()
patches = asm_resolve_final(mn_x86, asmcfg)
for offset, raw in viewitems(patches):
output[offset] = raw
self.assembly = bytes(output)
def test_DirectiveDontSplit(self):
from miasm.arch.x86.arch import mn_x86
from miasm.core.parse_asm import parse_txt
from miasm.core.asmblock import asm_resolve_final
loc_db = LocationDB()
ASM0 = '''
lbl0:
INC EAX
JNZ lbl0
INC EAX
JZ lbl2
lbl1:
NOP
JMP lbl0
.dontsplit
lbl2:
MOV EAX, ECX
RET
.dontsplit
lbl3:
ADD EAX, EBX
.dontsplit
lbl4:
.align 0x10
.string "test"
lbl5:
.string "toto"
'''
asmcfg = parse_txt(mn_x86, 32, ASM0, loc_db)
patches = asm_resolve_final(mn_x86, asmcfg)
lbls = []
for i in range(6):
lbls.append(loc_db.get_name_location('lbl%d' % i))
# align test
offset = loc_db.get_location_offset(lbls[5])
assert (offset % 0x10 == 0)
lbl2block = {}
for block in asmcfg.blocks:
lbl2block[block.loc_key] = block
# dontsplit test
assert (lbls[2] == lbl2block[lbls[1]].get_next())
assert (lbls[3] == lbl2block[lbls[2]].get_next())
assert (lbls[4] == lbl2block[lbls[3]].get_next())
assert (lbls[5] == lbl2block[lbls[4]].get_next())
def test_DirectiveSplit(self):
from miasm.arch.x86.arch import mn_x86
from miasm.core.parse_asm import parse_txt
ASM0 = '''
lbl0:
JNZ lbl0
.split
lbl1:
RET
'''
asmcfg, loc_db = parse_txt(mn_x86, 32, ASM0)
lbls = []
for i in range(2):
lbls.append(loc_db.get_name_location('lbl%d' % i))
lbl2block = {}
for block in asmcfg.blocks:
lbl2block[block.loc_key] = block
# split test
assert (lbl2block[lbls[1]].get_next() is None)
from miasm.arch.x86.arch import mn_x86
from miasm.core import parse_asm
from miasm.expression.expression import *
from miasm.core import asmblock
from miasm.arch.x86.ira import ir_a_x86_32
from miasm.analysis.data_flow import DeadRemoval
# First, asm code
asmcfg, loc_db = parse_asm.parse_txt(mn_x86, 32, '''
main:
MOV EAX, 1
MOV EBX, 2
MOV ECX, 2
MOV DX, 2
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
for block in asmcfg.blocks:
print(block)
print("symbols:")
print(loc_db)
loc_db = LocationDB()
translator_smt2 = Translator.to_language("smt2")
addr = int(options.address, 16)
cont = Container.from_stream(open(args[0], 'rb'), loc_db)
mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
lifter = machine.lifter(mdis.loc_db)
ircfg = lifter.new_ircfg()
symbexec = SymbolicExecutionEngine(lifter)
asmcfg = parse_asm.parse_txt(
machine.mn, 32, '''
init:
PUSH argv
PUSH argc
PUSH ret_addr
''',
loc_db
)
argc_lbl = loc_db.get_name_location('argc')
argv_lbl = loc_db.get_name_location('argv')
ret_addr_lbl = loc_db.get_name_location('ret_addr')
init_lbl = loc_db.get_name_location('init')
argc_loc = ExprLoc(argc_lbl, 32)
argv_loc = ExprLoc(argv_lbl, 32)
ret_addr_loc = ExprLoc(ret_addr_lbl, 32)
from miasm.expression.expression import *
from miasm.core import asmblock
from miasm.arch.x86.ira import ir_a_x86_32
from miasm.analysis.data_flow import dead_simp
from miasm.analysis.cst_propag import add_state, propagate_cst_expr
from miasm.expression.simplifications import expr_simp
# First, asm code
asmcfg, loc_db = parse_asm.parse_txt(
mn_x86, 32, '''
main:
PUSH EBP
MOV EBP, ESP
SUB ESP, 0x40
MOV ECX, 0x51CEB16D
MOV DWORD PTR [EBP+0xf8], ECX
MOV ECX, DWORD PTR [EBP+0xf8]
MOV EDX, 0x51CEB454
XOR ECX, EDX
MOV EAX, ECX
RET
''')
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
for block in asmcfg.blocks:
print(block)
print("symbols:")
print(loc_db)
patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db)
if __name__ == '__main__':
translator_smt2 = Translator.to_language("smt2")
addr = int(options.address, 16)
cont = Container.from_stream(open(args[0], 'rb'))
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)
ir_arch = machine.ir(mdis.loc_db)
ircfg = ir_arch.new_ircfg()
symbexec = SymbolicExecutionEngine(ir_arch)
asmcfg, loc_db = parse_asm.parse_txt(machine.mn, 32, '''
init:
PUSH argv
PUSH argc
PUSH ret_addr
''',
loc_db=mdis.loc_db)
argc_lbl = loc_db.get_name_location('argc')
argv_lbl = loc_db.get_name_location('argv')
ret_addr_lbl = loc_db.get_name_location('ret_addr')
init_lbl = loc_db.get_name_location('init')
argc_loc = ExprLoc(argc_lbl, 32)
argv_loc = ExprLoc(argv_lbl, 32)
ret_addr_loc = ExprLoc(ret_addr_lbl, 32)
from miasm.core import asmblock
from miasm.arch.x86 import arch
from miasm.core import parse_asm
from miasm.core.interval import interval
my_mn = arch.mn_x86
asmcfg, loc_db = parse_asm.parse_txt(
my_mn, 64, r'''
main:
PUSH RBP
MOV RBP, RSP
loop_dec:
CMP RCX, RDX
JB loop_dec
end:
MOV RSP, RBP
POP RBP
RET
''')
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000)
dst_interval = interval([(0x100001000, 0x100002000)])
patches = asmblock.asm_resolve_final(my_mn, asmcfg, loc_db, dst_interval)
from __future__ import print_function
from pdb import pm
from pprint import pprint
from miasm.arch.x86.arch import mn_x86
from miasm.core import parse_asm, asmblock
# Assemble code
asmcfg, loc_db = parse_asm.parse_txt(mn_x86, 32, '''
main:
MOV EAX, 1
MOV EBX, 2
MOV ECX, 2
MOV DX, 2
loop:
INC EBX
CMOVZ EAX, EBX
ADD EAX, ECX
JZ loop
RET
''')
# Set 'main' loc_key's offset
loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0)
# Spread information and resolve instructions offset
patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db)
# Show resolved asmcfg
for block in asmcfg.blocks:
dst_interval = interval([(pe.rva2virt(s_text.addr),
pe.rva2virt(s_text.addr + s_text.size))])
else:
st = StrPatchwork()
addr_main = 0
virt = st
output = st
# Get and parse the source code
with open(args.source) as fstream:
source = fstream.read()
loc_db = LocationDB()
asmcfg = parse_asm.parse_txt(machine.mn, attrib, source, loc_db)
# Fix shellcode addrs
loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main)
if args.PE:
loc_db.set_location_offset(
loc_db.get_or_create_name_location("MessageBoxA"),
pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA'))
# Print and graph firsts blocks before patching it
for block in asmcfg.blocks:
print(block)
open("graph.dot", "w").write(asmcfg.dot())
# Apply patches
else:
st = StrPatchwork()
addr_main = 0
virt = st
output = st
# Get and parse the source code
with open(args.source) as fstream:
source = fstream.read()
loc_db = LocationDB()
asmcfg, loc_db = parse_asm.parse_txt(machine.mn, attrib, source, loc_db)
# Fix shellcode addrs
loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main)
if args.PE:
loc_db.set_location_offset(
loc_db.get_or_create_name_location("MessageBoxA"),
pe.DirImport.get_funcvirt(
'USER32.dll',
'MessageBoxA'
)
)
# Print and graph firsts blocks before patching it
for block in asmcfg.blocks:
