def compute_txt(ir, mode, txt, inputstate={}, debug=False): asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt) loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db) ir_arch = ir(loc_db) lbl = loc_db.get_name_location("main") ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg) return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): blocks, symbol_pool = parse_asm.parse_txt(mn, mode, txt) symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) patches = asmblock.asm_resolve_final(mn, blocks, symbol_pool) interm = ir(symbol_pool) for bbl in blocks: interm.add_bloc(bbl) return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): blocks, symbol_pool = parse_asm.parse_txt(mn, mode, txt) symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) patches = asmblock.asm_resolve_final(mn, blocks, symbol_pool) interm = ir(symbol_pool) for bbl in blocks: interm.add_bloc(bbl) return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt) loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db) interm = ir(loc_db) lbl = loc_db.get_name_location("main") for bbl in asmcfg.blocks: interm.add_block(bbl) return symb_exec(lbl, interm, inputstate, debug)
def asm(self): blocks, symbol_pool = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, symbol_pool = self.myjit.ir_arch.symbol_pool) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_aarch64, blocks, symbol_pool) for offset, raw in patches.items(): s[offset] = raw self.assembly = str(s)
def asm(self): blocks, loc_db = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, loc_db = self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_aarch64, blocks, loc_db) for offset, raw in patches.items(): s[offset] = raw self.assembly = str(s)
def asm(self): blocks, symbol_pool = parse_asm.parse_txt(mn_mips32, 'l', self.TXT, symbol_pool=self.myjit.ir_arch.symbol_pool) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_mips32, blocks, symbol_pool) for offset, raw in patches.items(): s[offset] = raw s = str(s) self.assembly = s
def asm(self): blocks, loc_db = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, loc_db=self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_aarch64, blocks, loc_db) for offset, raw in patches.items(): s[offset] = raw self.assembly = str(s)
def asm(self): mn_x86 = self.machine.mn blocks, loc_db = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT, loc_db=self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) output = StrPatchwork() patches = asm_resolve_final(mn_x86, blocks, loc_db) for offset, raw in patches.items(): output[offset] = raw self.assembly = str(output)
def test_DirectiveDontSplit(self): from miasm2.arch.x86.arch import mn_x86 from miasm2.core.parse_asm import parse_txt from miasm2.core.asmblock import asm_resolve_final ASM0 = ''' lbl0: INC EAX JNZ lbl0 INC EAX JZ lbl2 lbl1: NOP JMP lbl0 .dontsplit lbl2: MOV EAX, ECX RET .dontsplit lbl3: ADD EAX, EBX .dontsplit lbl4: .align 0x10 .string "test" lbl5: .string "toto" ''' asmcfg, symbol_pool = parse_txt(mn_x86, 32, ASM0) patches = asm_resolve_final(mn_x86, asmcfg, symbol_pool) lbls = [] for i in xrange(6): lbls.append(symbol_pool.getby_name('lbl%d' % i)) # align test offset = symbol_pool.loc_key_to_offset(lbls[5]) assert(offset % 0x10 == 0) lbl2block = {} for block in asmcfg.blocks: lbl2block[block.loc_key] = block # dontsplit test assert(lbls[2] == lbl2block[lbls[1]].get_next()) assert(lbls[3] == lbl2block[lbls[2]].get_next()) assert(lbls[4] == lbl2block[lbls[3]].get_next()) assert(lbls[5] == lbl2block[lbls[4]].get_next())
def asm(self): mn_x86 = self.machine.mn blocks, symbol_pool = parse_asm.parse_txt( mn_x86, self.arch_attrib, self.TXT, symbol_pool=self.myjit.ir_arch.symbol_pool ) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) output = StrPatchwork() patches = asm_resolve_final(mn_x86, blocks, symbol_pool) for offset, raw in patches.items(): output[offset] = raw self.assembly = str(output)
def asm(self): mn_x86 = self.machine.mn blocks, symbol_pool = parse_asm.parse_txt( mn_x86, self.arch_attrib, self.TXT, symbol_pool=self.myjit.ir_arch.symbol_pool ) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) output = StrPatchwork() patches = asm_resolve_final(mn_x86, blocks, symbol_pool) for offset, raw in patches.items(): output[offset] = raw self.assembly = str(output)
def asm(self): mn_x86 = self.machine.mn blocks, loc_db = parse_asm.parse_txt( mn_x86, self.arch_attrib, self.TXT, loc_db=self.myjit.ir_arch.loc_db ) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) output = StrPatchwork() patches = asm_resolve_final(mn_x86, blocks, loc_db) for offset, raw in patches.items(): output[offset] = raw self.assembly = str(output)
# Fix shellcode addrs symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main) if args.PE: symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocks before patching it for block in blocks: print block open("graph.dot", "w").write(blocks.dot()) # Apply patches patches = asmblock.asm_resolve_final(machine.mn, blocks, symbol_pool, dst_interval) if args.encrypt: # Encrypt code ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset new_patches = dict(patches) for ad, val in patches.items(): if ad_start <= ad < ad_stop: new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val]) patches = new_patches print patches if isinstance(virt, StrPatchwork): for offset, raw in patches.items():
INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) for block in asmcfg.blocks: print block print "symbols:" print symbol_pool patches = asmblock.asm_resolve_final(mn_x86, asmcfg, symbol_pool) # Translate to IR ir_arch = ir_a_x86_32(symbol_pool) for block in asmcfg.blocks: print 'add block' print block ir_arch.add_block(block) # Display IR for lbl, irblock in ir_arch.blocks.items(): print irblock # Dead propagation open('graph.dot', 'w').write(ir_arch.graph.dot()) print '*' * 80
# Assemble code asmcfg, loc_db = parse_asm.parse_txt(mn_x86, 32, ''' main: MOV EAX, 1 MOV EBX, 2 MOV ECX, 2 MOV DX, 2 loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') # Set 'main' loc_key's offset loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) # Spread information and resolve instructions offset patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db) # Show resolved asmcfg for block in asmcfg.blocks: print block # Print offset -> bytes pprint(patches)
# Fix shellcode addrs loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main) if args.PE: loc_db.set_location_offset(loc_db.get_or_create_name_location("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocks before patching it for block in asmcfg.blocks: print block open("graph.dot", "w").write(asmcfg.dot()) # Apply patches patches = asmblock.asm_resolve_final(machine.mn, asmcfg, loc_db, dst_interval) if args.encrypt: # Encrypt code loc_start = loc_db.get_or_create_name_location(args.encrypt[0]) loc_stop = loc_db.get_or_create_name_location(args.encrypt[1]) ad_start = loc_db.get_location_offset(loc_start) ad_stop = loc_db.get_location_offset(loc_stop) new_patches = dict(patches) for ad, val in patches.items(): if ad_start <= ad < ad_stop: new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val]) patches = new_patches print patches
# Fix shellcode addrs symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main) if args.PE: symbol_pool.set_offset( symbol_pool.getby_name_create("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocks before patching it for block in blocks: print block open("graph.dot", "w").write(blocks.dot()) # Apply patches patches = asmblock.asm_resolve_final(machine.mn, blocks, symbol_pool, dst_interval) if args.encrypt: # Encrypt code ad_start = symbol_pool.getby_name_create(args.encrypt[0]).offset ad_stop = symbol_pool.getby_name_create(args.encrypt[1]).offset new_patches = dict(patches) for ad, val in patches.items(): if ad_start <= ad < ad_stop: new_patches[ad] = "".join([chr(ord(x) ^ 0x42) for x in val]) patches = new_patches print patches if isinstance(virt, StrPatchwork): for offset, raw in patches.items(): virt[offset] = raw
# Assemble code asmcfg, loc_db = parse_asm.parse_txt( mn_x86, 32, ''' main: MOV EAX, 1 MOV EBX, 2 MOV ECX, 2 MOV DX, 2 loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') # Set 'main' loc_key's offset loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) # Spread information and resolve instructions offset patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db) # Show resolved asmcfg for block in asmcfg.blocks: print block # Print offset -> bytes pprint(patches)
from miasm2.core import asmblock from miasm2.arch.x86 import arch from miasm2.core import parse_asm from miasm2.core.interval import interval my_mn = arch.mn_x86 asmcfg, loc_db = parse_asm.parse_txt(my_mn, 64, r''' main: PUSH RBP MOV RBP, RSP loop_dec: CMP RCX, RDX JB loop_dec end: MOV RSP, RBP POP RBP RET ''') loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000) dst_interval = interval([(0x100001000, 0x100002000)]) patches = asmblock.asm_resolve_final( my_mn, asmcfg, loc_db, dst_interval )