class UnhealthyIdeas(MemStruct): fields = [ ("pastruct", Ptr("I", Array(RawStruct("=Bf")))), ("apstr", Array(Ptr("I", Str()), 10)), ("pself", Ptr("I", Self())), ("apself", Array(Ptr("I", Self()), 2)), ("ppself", Ptr("I", Ptr("I", Self()))), ("pppself", Ptr("I", Ptr("I", Ptr("I", Self())))), ]
class MyStruct(MemStruct): fields = [ # Number field: just struct.pack fields with one value ("num", Num("I")), ("flags", Num("B")), # This field is a pointer to another struct, it has a numeric # value (mystruct.other.val) and can be dereferenced to get an # OtherStruct instance (mystruct.other.deref) ("other", Ptr("I", OtherStruct)), # Ptr to a variable length String ("s", Ptr("I", Str())), ("i", Ptr("I", Num("I"))), ]
assert other == other2 # But same value ## Same stuff for Ptr to MemField alloc_addr = my_heap.vm_alloc( jitter.vm, mstruct.get_type().get_field_type("i").dst_type.size) mstruct.i = alloc_addr mstruct.i.deref.val = 8 assert mstruct.i.deref.val == 8 assert mstruct.i.val == alloc_addr memval = struct.unpack("I", jitter.vm.get_mem(alloc_addr, 4))[0] assert memval == 8 # Str tests ## Basic tests memstr = Str().lval(jitter.vm, addr_str) memstr.val = "" assert memstr.val == "" assert jitter.vm.get_mem(memstr.get_addr(), 1) == '\x00' memstr.val = "lala" assert jitter.vm.get_mem(memstr.get_addr(), memstr.get_size()) == 'lala\x00' jitter.vm.set_mem(memstr.get_addr(), 'MIAMs\x00') assert memstr.val == 'MIAMs' ## Ptr(Str()) manipulations mstruct.s.val = memstr.get_addr() assert mstruct.s.val == addr_str assert mstruct.s.deref == memstr assert mstruct.s.deref.val == 'MIAMs' mstruct.s.deref.val = "That's all folks!" assert mstruct.s.deref.val == "That's all folks!"
class DataStr(MemStruct): fields = [ ("valshort", Num("<H")), # Pointer to an utf16 null terminated string ("data", Ptr("<I", Str("utf16"))), ]
assert data.val1 == 0x22 and data.val2 == 0x11 # Let's play with strings memstr = datastr.data.deref # Note that memstr is Str("utf16") memstr.val = 'Miams' print "Cast data.array to MemStr and set the string value:" print repr(memstr) print # If you followed, memstr and data.array point to the same object, so: raw_miams = '\x00'.join('Miams') + '\x00'*3 raw_miams_array = [ord(c) for c in raw_miams] assert list(data.array)[:len(raw_miams_array)] == raw_miams_array assert data.array.cast(Str("utf16")) == memstr # Default is "ansi" assert data.array.cast(Str()) != memstr assert data.array.cast(Str("utf16")).val == memstr.val print "See that the original array has been modified:" print repr(data) print # Some type manipulation examples, for example let's construct an argv for # a program: # Let's say that we have two arguments, +1 for the program name and +1 for the # final null ptr in argv, the array has 4 elements: argv_t = Array(Ptr("<I", Str()), 4) print "3 arguments argv type:", argv_t
class UnicodeString(MemStruct): fields = [ ("length", Num("H")), ("maxlength", Num("H")), ("data", Ptr("<I", Str("utf16"))), ]
## Same stuff for Ptr to MemField alloc_addr = my_heap.vm_alloc(jitter.vm, mstruct.get_type().get_field_type("i") .dst_type.size) mstruct.i = alloc_addr mstruct.i.deref.val = 8 assert mstruct.i.deref.val == 8 assert mstruct.i.val == alloc_addr memval = struct.unpack("I", jitter.vm.get_mem(alloc_addr, 4))[0] assert memval == 8 # Str tests ## Basic tests memstr = Str().lval(jitter.vm, addr_str) memstr.val = "" assert memstr.val == "" assert jitter.vm.get_mem(memstr.get_addr(), 1) == '\x00' memstr.val = "lala" assert jitter.vm.get_mem(memstr.get_addr(), memstr.get_size()) == 'lala\x00' jitter.vm.set_mem(memstr.get_addr(), 'MIAMs\x00') assert memstr.val == 'MIAMs' ## Ptr(Str()) manipulations mstruct.s.val = memstr.get_addr() assert mstruct.s.val == addr_str assert mstruct.s.deref == memstr assert mstruct.s.deref.val == 'MIAMs' mstruct.s.deref.val = "That's all folks!" assert mstruct.s.deref.val == "That's all folks!"
argzero_addr = 0x141166 sb.jitter.vm.add_memory_page(passwd_addr,PAGE_READ | PAGE_WRITE,ascii_letters[:30] + '\x00','required input') sb.jitter.vm.add_memory_page(argzero_addr,PAGE_READ,'reverseMe\x00','argv[0] -> program path') sb.jitter.push_uint32_t(passwd_addr) #argv[1] sb.jitter.push_uint32_t(argzero_addr) #argv[0] sb.jitter.push_uint32_t(0x2) #argc ''' #Set default allocator from class heap() set_allocator(heap().vm_alloc) #implementing argv[] array busing core types of miasm2 argv_t = Array(Ptr("<I",Str()),3) argv = argv_t.lval(sb.jitter.vm) MemStrAnsi = Str().lval argv[0].val = MemStrAnsi.from_str(sb.jitter.vm, "./reverseMe").get_addr() argv[1].val = MemStrAnsi.from_str(sb.jitter.vm, ascii_letters[:28]).get_addr() argv[2].val = 0 sb.jitter.push_uint32_t(argv[2].val) #argv[2] sb.jitter.push_uint32_t(argv[1].val) #argv[1] sb.jitter.push_uint32_t(argv[0].val) #argv[0] sb.jitter.push_uint32_t(0x2) #argc #Handle INT \x80 exception and dump memory region def dump(jitter):