def test_ParseTxt(self): from miasm2.arch.x86.arch import mn_x86 from miasm2.core.parse_asm import parse_txt ASM0 = ''' ; .LFB0: .LA: .text .data .bss .string .ustring .byte 0 0x0 .byte a .comm .split .dontsplit .file .cfi_0 label: JMP EAX ;comment ''' ASM1 = ''' .XXX ''' self.assertTrue(parse_txt(mn_x86, 32, ASM0)) self.assertRaises(ValueError, parse_txt, mn_x86, 32, ASM1)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): blocs, symbol_pool = parse_asm.parse_txt(mn, mode, txt) symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) patches = asmbloc.asm_resolve_final(mn, blocs[0], symbol_pool) interm = ir(symbol_pool) for bbl in blocs[0]: interm.add_bloc(bbl) return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): blocks, symbol_pool = parse_asm.parse_txt(mn, mode, txt) symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) patches = asmblock.asm_resolve_final(mn, blocks, symbol_pool) interm = ir(symbol_pool) for bbl in blocks: interm.add_bloc(bbl) return symb_exec(interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt) loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db) ir_arch = ir(loc_db) lbl = loc_db.get_name_location("main") ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg) return symb_exec(lbl, ir_arch, ircfg, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): asmcfg, symbol_pool = parse_asm.parse_txt(mn, mode, txt) symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg, symbol_pool) interm = ir(symbol_pool) lbl = symbol_pool.getby_name("main") for bbl in asmcfg.blocks: interm.add_block(bbl) return symb_exec(lbl, interm, inputstate, debug)
def compute_txt(ir, mode, txt, inputstate={}, debug=False): asmcfg, loc_db = parse_asm.parse_txt(mn, mode, txt) loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) patches = asmblock.asm_resolve_final(mn, asmcfg, loc_db) interm = ir(loc_db) lbl = loc_db.get_name_location("main") for bbl in asmcfg.blocks: interm.add_block(bbl) return symb_exec(lbl, interm, inputstate, debug)
def asm(self): blocs, symbol_pool = parse_asm.parse_txt(mn_aarch64, "l", self.TXT, symbol_pool=self.myjit.ir_arch.symbol_pool) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) s = StrPatchwork() patches = asmbloc.asm_resolve_final(mn_aarch64, blocs, symbol_pool) for offset, raw in patches.items(): s[offset] = raw self.assembly = str(s)
def asm(self): blocs, symbol_pool = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, symbol_pool = self.myjit.ir_arch.symbol_pool) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) s = StrPatchwork() patches = asmbloc.asm_resolve_final(mn_aarch64, blocs, symbol_pool) for offset, raw in patches.items(): s[offset] = raw self.assembly = str(s)
def asm(self): blocks, loc_db = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, loc_db = self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_aarch64, blocks, loc_db) for offset, raw in patches.items(): s[offset] = raw self.assembly = str(s)
def asm(self): blocks, loc_db = parse_asm.parse_txt(mn_aarch64, 'l', self.TXT, loc_db=self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) s = StrPatchwork() patches = asmblock.asm_resolve_final(mn_aarch64, blocks, loc_db) for offset, raw in patches.items(): s[offset] = raw self.assembly = str(s)
def asm(self): mn_x86 = self.machine.mn blocks, loc_db = parse_asm.parse_txt(mn_x86, self.arch_attrib, self.TXT, loc_db=self.myjit.ir_arch.loc_db) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) output = StrPatchwork() patches = asm_resolve_final(mn_x86, blocks, loc_db) for offset, raw in patches.items(): output[offset] = raw self.assembly = str(output)
def assemble_text(src_text, symbols=[], mach_name="x86_64", mach_attr=64): # 指定アーキテクチャのニーモニックを取得 mnemo = Machine(mach_name).mn # セクションとシンボルの取得 sections, symbol_pool = parse_asm.parse_txt(mnemo, mach_attr, src_text) # シンボル毎のアドレスを設定 for name, addr in symbols: symbol_pool.set_offset(symbol_pool.getby_name(name), addr) # アセンブル patches = asmbloc.asm_resolve_final(mnemo, sections[0], symbol_pool) # アセンブル結果の構築 patch_worker = StrPatchwork() for offset, raw in patches.items(): patch_worker[offset] = raw return str(patch_worker)
def test_DirectiveDontSplit(self): from miasm2.arch.x86.arch import mn_x86 from miasm2.core.parse_asm import parse_txt from miasm2.core.asmblock import asm_resolve_final ASM0 = ''' lbl0: INC EAX JNZ lbl0 INC EAX JZ lbl2 lbl1: NOP JMP lbl0 .dontsplit lbl2: MOV EAX, ECX RET .dontsplit lbl3: ADD EAX, EBX .dontsplit lbl4: .align 0x10 .string "test" lbl5: .string "toto" ''' asmcfg, symbol_pool = parse_txt(mn_x86, 32, ASM0) patches = asm_resolve_final(mn_x86, asmcfg, symbol_pool) lbls = [] for i in xrange(6): lbls.append(symbol_pool.getby_name('lbl%d' % i)) # align test offset = symbol_pool.loc_key_to_offset(lbls[5]) assert(offset % 0x10 == 0) lbl2block = {} for block in asmcfg.blocks: lbl2block[block.loc_key] = block # dontsplit test assert(lbls[2] == lbl2block[lbls[1]].get_next()) assert(lbls[3] == lbl2block[lbls[2]].get_next()) assert(lbls[4] == lbl2block[lbls[3]].get_next()) assert(lbls[5] == lbl2block[lbls[4]].get_next())
def asm(self): mn_x86 = self.machine.mn blocks, loc_db = parse_asm.parse_txt( mn_x86, self.arch_attrib, self.TXT, loc_db=self.myjit.ir_arch.loc_db ) # fix shellcode addr loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) output = StrPatchwork() patches = asm_resolve_final(mn_x86, blocks, loc_db) for offset, raw in patches.items(): output[offset] = raw self.assembly = str(output)
def asm(self): mn_x86 = self.machine.mn blocks, symbol_pool = parse_asm.parse_txt( mn_x86, self.arch_attrib, self.TXT, symbol_pool=self.myjit.ir_arch.symbol_pool ) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) output = StrPatchwork() patches = asm_resolve_final(mn_x86, blocks, symbol_pool) for offset, raw in patches.items(): output[offset] = raw self.assembly = str(output)
def test_DirectiveSplit(self): from miasm2.arch.x86.arch import mn_x86 from miasm2.core.parse_asm import parse_txt ASM0 = ''' lbl0: JNZ lbl0 .split lbl1: RET ''' blocks, symbol_pool = parse_txt(mn_x86, 32, ASM0) lbls = [] for i in xrange(2): lbls.append(symbol_pool.getby_name('lbl%d' % i)) lbl2block = {} for block in blocks: lbl2block[block.label] = block # split test assert(lbl2block[lbls[1]].get_next() is None)
def test_DirectiveSplit(self): from miasm2.arch.x86.arch import mn_x86 from miasm2.core.parse_asm import parse_txt ASM0 = ''' lbl0: JNZ lbl0 .split lbl1: RET ''' asmcfg, loc_db = parse_txt(mn_x86, 32, ASM0) lbls = [] for i in xrange(2): lbls.append(loc_db.get_name_location('lbl%d' % i)) lbl2block = {} for block in asmcfg.blocks: lbl2block[block.loc_key] = block # split test assert (lbl2block[lbls[1]].get_next() is None)
def test_DirectiveSplit(self): from miasm2.arch.x86.arch import mn_x86 from miasm2.core.parse_asm import parse_txt ASM0 = ''' lbl0: JNZ lbl0 .split lbl1: RET ''' blocks, symbol_pool = parse_txt(mn_x86, 32, ASM0) lbls = [] for i in xrange(2): lbls.append(symbol_pool.getby_name('lbl%d' % i)) lbl2block = {} for block in blocks: lbl2block[block.label] = block # split test assert (lbl2block[lbls[1]].get_next() is None)
from miasm2.arch.x86.arch import mn_x86 from miasm2.core import parse_asm from miasm2.expression.expression import * from miasm2.core import asmblock from miasm2.arch.x86.ira import ir_a_x86_32 from miasm2.analysis.data_flow import dead_simp # First, asm code asmcfg, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' main: MOV EAX, 1 MOV EBX, 2 MOV ECX, 2 MOV DX, 2 loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) for block in asmcfg.blocks: print block print "symbols:" print symbol_pool
ret_addr = ExprId('ret_addr', 32) reg_and_id[argc.name] = argc reg_and_id[argv.name] = argv reg_and_id[ret_addr.name] = ret_addr my_symbols = [argc, argv, ret_addr] my_symbols = dict([(x.name, x) for x in my_symbols]) my_symbols.update(machine.mn.regs.all_regs_ids_byname) ir_arch = machine.ir(mdis.symbol_pool) symbexec = SymbolicExecutionEngine(ir_arch, symbols_init) blocks, symbol_pool = parse_asm.parse_txt(machine.mn, 32, ''' PUSH argv PUSH argc PUSH ret_addr ''') b = list(blocks)[0] print b # add fake address and len to parsed instructions for i, line in enumerate(b.lines): line.offset, line.l = i, 1 ir_arch.add_block(b) irb = get_block(ir_arch, mdis, 0) symbexec.emulbloc(irb) symbexec.dump_mem() # reset ir_arch blocks
PUSH {LR} SUB SP, 0x100 MOV R0, SP ADD R1, PC, mystr-$+6 MOV R0, R0 EORS R2, R2 ADDS R2, R2, 0x4 BL memcpy ADD SP, 0x100 POP {PC} mystr: .string "toto" ''' blocs_b, symbol_pool_b = parse_asm.parse_txt(my_mn, "b", txt) blocs_l, symbol_pool_l = parse_asm.parse_txt(my_mn, "l", txt) # fix shellcode addr symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0) symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0) # graph sc#### g = asmbloc.bloc2graph(blocs_b[0]) open("graph.txt", "w").write(g) s_b = StrPatchwork() s_l = StrPatchwork() print "symbols" print symbol_pool_b
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr) base_expr.setParseAction(my_var_parser) blocs, symbol_pool = parse_asm.parse_txt( mn_x86, 32, ''' main: PUSH EBP MOV EBP, ESP MOV BYTE PTR [myint], 0x90 myint: INT 0x3 PUSH 0 PUSH title PUSH msg PUSH 0 CALL DWORD PTR [ MessageBoxA ] MOV ESP, EBP POP EBP RET title: .string "Hello!" msg: .string "World!" ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr)) symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"),
return reg_and_id.get(t, ExprId(t, size=32)) my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr) base_expr.setParseAction(my_var_parser) st = StrPatchwork() blocs, symbol_pool = parse_asm.parse_txt( mn_msp430, None, """ main: mov.w 0x10, R10 mov.w 0x0, R11 loop: add.w 1, R11 sub.w 1, R10 jnz loop mov.w @SP+, PC """, ) # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0) for b in blocs[0]: print b resolved_b, patches = asmbloc.asm_resolve_final(mn_msp430, blocs[0], symbol_pool) print patches
from miasm2.core import asmblock from miasm2.arch.x86 import arch from miasm2.core import parse_asm from miasm2.core.interval import interval my_mn = arch.mn_x86 asmcfg, loc_db = parse_asm.parse_txt( my_mn, 64, r''' main: PUSH RBP MOV RBP, RSP loop_dec: CMP RCX, RDX JB loop_dec end: MOV RSP, RBP POP RBP RET ''') loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000) dst_interval = interval([(0x100001000, 0x100002000)]) patches = asmblock.asm_resolve_final(my_mn, asmcfg, loc_db, dst_interval)
ret_addr = ExprId('ret_addr') reg_and_id[argc.name] = argc reg_and_id[argv.name] = argv reg_and_id[ret_addr.name] = ret_addr my_symbols = [argc, argv, ret_addr] my_symbols = dict([(x.name, x) for x in my_symbols]) my_symbols.update(mn_x86.regs.all_regs_ids_byname) ir_arch = ir_x86_32(mdis.symbol_pool) sb = symbexec(ir_arch, symbols_init) blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' PUSH argv PUSH argc PUSH ret_addr ''') b = list(blocs)[0] print b # add fake address and len to parsed instructions for i, l in enumerate(b.lines): l.offset, l.l = i, 1 ir_arch.add_bloc(b) irb = get_bloc(ir_arch, mdis, 0) sb.emulbloc(irb) sb.dump_mem() # reset ir_arch blocs
virt = pe.virt output = pe dst_interval = interval([(pe.rva2virt(s_text.addr), pe.rva2virt(s_text.addr + s_text.size))]) else: st = StrPatchwork() addr_main = 0 virt = st output = st # Get and parse the source code with open(args.source) as fstream: source = fstream.read() blocks, symbol_pool = parse_asm.parse_txt(machine.mn, attrib, source) # Fix shellcode addrs symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main) if args.PE: symbol_pool.set_offset( symbol_pool.getby_name_create("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocks before patching it for block in blocks: print block open("graph.dot", "w").write(blocks.dot()) # Apply patches
dst_interval = interval([(pe.rva2virt(s_text.addr), pe.rva2virt(s_text.addr + s_text.size))]) else: st = StrPatchwork() addr_main = 0 virt = st output = st # Get and parse the source code with open(args.source) as fstream: source = fstream.read() symbol_pool = asmblock.AsmSymbolPool() asmcfg, symbol_pool = parse_asm.parse_txt(machine.mn, attrib, source, symbol_pool) # Fix shellcode addrs symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main) if args.PE: symbol_pool.set_offset( symbol_pool.getby_name_create("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocks before patching it for block in asmcfg.blocks: print block open("graph.dot", "w").write(asmcfg.dot()) # Apply patches
mdis = dis_engine(bs) addr = int(options.address, 16) symbols_init = dict(machine.mn.regs.regs_init) ir_arch = machine.ir(mdis.symbol_pool) symbexec = SymbolicExecutionEngine(ir_arch, symbols_init) asmcfg, symbol_pool = parse_asm.parse_txt(machine.mn, 32, ''' init: PUSH argv PUSH argc PUSH ret_addr ''', symbol_pool=mdis.symbol_pool) argc_lbl = symbol_pool.getby_name('argc') argv_lbl = symbol_pool.getby_name('argv') ret_addr_lbl = symbol_pool.getby_name('ret_addr') init_lbl = symbol_pool.getby_name('init') argc = ExprLoc(argc_lbl, 32) argv = ExprLoc(argv_lbl, 32) ret_addr = ExprLoc(ret_addr_lbl, 32) block = asmcfg.loc_key_to_block(init_lbl)
txt = ''' main: ADDIU A0, ZERO, 0x10 ADDIU A1, ZERO, 0 loop: ADDIU A1, A1, 0x1 BNE A0, ZERO, loop ADDIU A0, A0, 0xFFFFFFFF ADDIU A2, A2, 0x1 MOVN A1, ZERO, ZERO JR RA ADDIU A2, A2, 0x1 ''' blocs_b, symbol_pool_b = parse_asm.parse_txt(mn_mips32, "b", txt) blocs_l, symbol_pool_l = parse_asm.parse_txt(mn_mips32, "l", txt) # fix shellcode addr symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0) symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0) for b in blocs_b[0]: print b resolved_b, patches_b = asmbloc.asm_resolve_final(mn_mips32, blocs_b[0], symbol_pool_b) resolved_l, patches_l = asmbloc.asm_resolve_final(mn_mips32, blocs_l[0], symbol_pool_l) print patches_b print patches_l
return reg_and_id.get(t, ExprId(t, size=32)) my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr) base_expr.setParseAction(my_var_parser) blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' main: PUSH EBP MOV EBP, ESP MOV BYTE PTR [myint], 0x90 myint: INT 0x3 PUSH 0 PUSH title PUSH msg PUSH 0 CALL DWORD PTR [ MessageBoxA ] MOV ESP, EBP POP EBP RET title: .string "Hello!" msg: .string "World!" ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr)) symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), e.DirImport.get_funcvirt('MessageBoxA'))
def my_ast_id2expr(t): return reg_and_id.get(t, ExprId(t, size=32)) my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr) base_expr.setParseAction(my_var_parser) blocs, symbol_pool = parse_asm.parse_txt( mn_x86, 32, ''' main: PUSH 0 PUSH title PUSH msg PUSH 0 CALL DWORD PTR [ MessageBoxA ] RET title: .string "Hello!" msg: .string "World!" ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr)) symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), e.DirImport.get_funcvirt('MessageBoxA')) e.Opthdr.AddressOfEntryPoint = s_text.addr for b in blocs[0]:
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' main: CALL cipher_code CALL msgbox_encrypted_start CALL cipher_code RET cipher_code: PUSH EBP MOV EBP, ESP LEA ESI, DWORD PTR [msgbox_encrypted_start] LEA EDI, DWORD PTR [msgbox_encrypted_stop] loop: XOR BYTE PTR [ESI], 0x42 INC ESI CMP ESI, EDI JBE loop MOV ESP, EBP POP EBP RET msgbox_encrypted_start: PUSH 0 PUSH title PUSH msg PUSH 0 CALL DWORD PTR [ MessageBoxA ] RET .dontsplit msgbox_encrypted_stop: .long 0 title: .string "Hello!" msg: .string "World!" ''')
from miasm2.arch.x86.arch import mn_x86 from miasm2.core import parse_asm from miasm2.expression.expression import * from miasm2.core import asmbloc from miasm2.arch.x86.ira import ir_a_x86_32 # First, asm code blocs, symbol_pool = parse_asm.parse_txt( mn_x86, 32, ''' main: MOV EAX, 1 MOV EBX, 2 MOV ECX, 2 MOV DX, 2 loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') symbol_pool.set_offset(symbol_pool.getby_name("main"), 0x0) for b in blocs: print b print "symbols:" print symbol_pool patches = asmbloc.asm_resolve_final(mn_x86, blocs, symbol_pool)
txt = ''' main: ADDIU A0, ZERO, 0x10 ADDIU A1, ZERO, 0 loop: ADDIU A1, A1, 0x1 BNE A0, ZERO, loop ADDIU A0, A0, 0xFFFFFFFF ADDIU A2, A2, 0x1 MOVN A1, ZERO, ZERO JR RA ADDIU A2, A2, 0x1 ''' blocs_b, symbol_pool_b = parse_asm.parse_txt(mn_mips32, "b", txt) blocs_l, symbol_pool_l = parse_asm.parse_txt(mn_mips32, "l", txt) # fix shellcode addr symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0) symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0) for b in blocs_b[0]: print b resolved_b, patches_b = asmbloc.asm_resolve_final( mn_mips32, blocs_b[0], symbol_pool_b) resolved_l, patches_l = asmbloc.asm_resolve_final( mn_mips32, blocs_l[0], symbol_pool_l) print patches_b print patches_l
my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr) base_expr.setParseAction(my_var_parser) st = StrPatchwork() blocs, symbol_pool = parse_asm.parse_txt(mn_arm, 'l', ''' main: MOV R1, R0 MOV R2, 0x100 LDR R3, [PC, mykey1-$] loop: ADD R2, R1, R2 ADD R1, R1, 1 LDR R3, [PC, mykey2-$] CMP R1, R3 BEQ loop ADD R0, R1, R2 BX LR mykey1: .long 0x1 mykey2: .long 0x2 ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), 0) for b in blocs[0]: print b
def my_ast_id2expr(t): return reg_and_id.get(t, ExprId(t, size=64)) my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr) base_expr.setParseAction(my_var_parser) blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 64, ''' main: MOV R9, 0x0 MOV R8, title MOV RDX, msg MOV RCX, 0x0 MOV RAX, QWORD PTR [ MessageBoxA ] CALL RAX RET title: .string "Hello!" msg: .string "World!" ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr)) symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), e.DirImport.get_funcvirt('MessageBoxA')) e.Opthdr.AddressOfEntryPoint = s_text.addr for b in blocs[0]:
blocs, symbol_pool = parse_asm.parse_txt( mn_x86, 32, ''' main: CALL cipher_code CALL msgbox_encrypted_start CALL cipher_code RET cipher_code: PUSH EBP MOV EBP, ESP LEA ESI, DWORD PTR [msgbox_encrypted_start] LEA EDI, DWORD PTR [msgbox_encrypted_stop] loop: XOR BYTE PTR [ESI], 0x42 INC ESI CMP ESI, EDI JBE loop MOV ESP, EBP POP EBP RET msgbox_encrypted_start: PUSH 0 PUSH title PUSH msg PUSH 0 CALL DWORD PTR [ MessageBoxA ] RET .dontsplit msgbox_encrypted_stop: .long 0 title: .string "Hello!" msg: .string "World!" ''')
data = open(args[0]).read() bs = bin_stream_str(data) mdis = dis_engine(bs) addr = int(options.address, 16) ir_arch = machine.ir(mdis.loc_db) ircfg = ir_arch.new_ircfg() symbexec = SymbolicExecutionEngine(ir_arch) asmcfg, loc_db = parse_asm.parse_txt(machine.mn, 32, ''' init: PUSH argv PUSH argc PUSH ret_addr ''', loc_db=mdis.loc_db) argc_lbl = loc_db.get_name_location('argc') argv_lbl = loc_db.get_name_location('argv') ret_addr_lbl = loc_db.get_name_location('ret_addr') init_lbl = loc_db.get_name_location('init') argc_loc = ExprLoc(argc_lbl, 32) argv_loc = ExprLoc(argv_lbl, 32) ret_addr_loc = ExprLoc(ret_addr_lbl, 32)
def my_ast_id2expr(t): return reg_and_id.get(t, ExprId(t, size=64)) my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr) base_expr.setParseAction(my_var_parser) blocs, symbol_pool = parse_asm.parse_txt( mn_x86, 64, ''' main: MOV R9, 0x0 MOV R8, title MOV RDX, msg MOV RCX, 0x0 MOV RAX, QWORD PTR [ MessageBoxA ] CALL RAX RET title: .string "Hello!" msg: .string "World!" ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr)) symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), e.DirImport.get_funcvirt('MessageBoxA')) e.Opthdr.AddressOfEntryPoint = s_text.addr for b in blocs[0]:
EOR R3, R3, R2 STRB R3, [R0], 1 CMP R0, R1 BNE loop end: MOV R0, R4 LDMFD SP!, {R4, R5, PC} key: .byte 0x11 mystr: .string "test string" mystrend: .long 0 ''' blocs_b, symbol_pool_b = parse_asm.parse_txt(my_mn, "b", txt) blocs_l, symbol_pool_l = parse_asm.parse_txt(my_mn, "l", txt) # fix shellcode addr symbol_pool_b.set_offset(symbol_pool_b.getby_name("main"), 0x0) symbol_pool_l.set_offset(symbol_pool_l.getby_name("main"), 0x0) # graph sc#### g = asmbloc.bloc2graph(blocs_l[0]) open("graph.txt", "w").write(g) s_b = StrPatchwork() s_l = StrPatchwork() print "symbols" print symbol_pool_l
blocs, symbol_pool = parse_asm.parse_txt( mn_x86, 32, """ main: CALL test_automod RET lbl_good: NOP NOP NOP NOP NOP NOP NOP NOP NOP test_automod: PUSH EBP MOV EBP, ESP LEA EDI, DWORD PTR [lbl_mod] LEA ESI, DWORD PTR [lbl_good] MOV ECX, 0x8 REPE MOVSB lbl_mod: XOR EAX, EAX MOV DWORD PTR [EAX], 0xDEADC0DE NOP NOP NOP PUSH 0 PUSH title PUSH msg PUSH 0 CALL DWORD PTR [ MessageBoxA ] MOV ESP, EBP POP EBP RET title: .string "Hello!" msg: .string "World!" """, )
def from_asm(self, asm_text): all_bloc, symbol_pool = parse_asm.parse_txt(self.mn,0, asm_text) self.blks = all_bloc raise Exception("Not correctly implemented")
ret_addr = ExprId('ret_addr') reg_and_id[argc.name] = argc reg_and_id[argv.name] = argv reg_and_id[ret_addr.name] = ret_addr my_symbols = [argc, argv, ret_addr] my_symbols = dict([(x.name, x) for x in my_symbols]) my_symbols.update(mn_x86.regs.all_regs_ids_byname) ir_arch = ir_x86_32(mdis.symbol_pool) sb = symbexec(ir_arch, symbols_init) blocs, symbol_pool = parse_asm.parse_txt( mn_x86, 32, ''' PUSH argv PUSH argc PUSH ret_addr ''') b = list(blocs)[0] print b # add fake address and len to parsed instructions for i, l in enumerate(b.lines): l.offset, l.l = i, 1 ir_arch.add_bloc(b) irb = get_bloc(ir_arch, mdis, 0) sb.emulbloc(irb) sb.dump_mem() # reset ir_arch blocs ir_arch.blocs = {}
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' main: CALL test_automod CALL test_automod RET test_automod: PUSH EBP MOV EBP, ESP loop: MOV EAX, 0 CMP EAX, 0 JMP mod_addr mod_addr: JNZ end PUSH 0 PUSH title PUSH msg PUSH 0 CALL DWORD PTR [ MessageBoxA ] ; automodif code MOV BYTE PTR [mod_addr], 0xEB JMP loop end: MOV BYTE PTR [mod_addr], 0x75 MOV ESP, EBP POP EBP RET title: .string "Hello!" msg: .string "World!" ''')
else: st = StrPatchwork() addr_main = 0 virt = st output = st # Get and parse the source code with open(args.source) as fstream: source = fstream.read() loc_db = LocationDB() asmcfg, loc_db = parse_asm.parse_txt(machine.mn, attrib, source, loc_db) # Fix shellcode addrs loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main) if args.PE: loc_db.set_location_offset(loc_db.get_or_create_name_location("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocks before patching it for block in asmcfg.blocks: print block open("graph.dot", "w").write(asmcfg.dot()) # Apply patches
return ExprInt32(a) def my_ast_id2expr(t): return reg_and_id.get(t, ExprId(t, size=32)) my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr) base_expr.setParseAction(my_var_parser) blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' main: PUSH 0 PUSH title PUSH msg PUSH 0 CALL DWORD PTR [ MessageBoxA ] RET title: .string "Hello!" msg: .string "World!" ''') # fix shellcode addr symbol_pool.set_offset(symbol_pool.getby_name("main"), e.rva2virt(s_text.addr)) symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), e.DirImport.get_funcvirt('MessageBoxA')) e.Opthdr.AddressOfEntryPoint = s_text.addr for b in blocs[0]: print b
bs = bin_stream_str(data) mdis = dis_engine(bs) addr = int(options.address, 16) symbols_init = dict(machine.mn.regs.regs_init) ir_arch = machine.ir(mdis.symbol_pool) symbexec = SymbolicExecutionEngine(ir_arch, symbols_init) asmcfg, symbol_pool = parse_asm.parse_txt(machine.mn, 32, ''' init: PUSH argv PUSH argc PUSH ret_addr ''', symbol_pool=mdis.symbol_pool) argc_lbl = symbol_pool.getby_name('argc') argv_lbl = symbol_pool.getby_name('argv') ret_addr_lbl = symbol_pool.getby_name('ret_addr') init_lbl = symbol_pool.getby_name('init') argc = ExprLoc(argc_lbl, 32) argv = ExprLoc(argv_lbl, 32) ret_addr = ExprLoc(ret_addr_lbl, 32)
output = pe dst_interval = interval([(pe.rva2virt(s_text.addr), pe.rva2virt(s_text.addr + s_text.size))]) else: st = StrPatchwork() addr_main = 0 virt = st output = st # Get and parse the source code with open(args.source) as fstream: source = fstream.read() blocs, symbol_pool = parse_asm.parse_txt(machine.mn, attrib, source) # Fix shellcode addrs symbol_pool.set_offset(symbol_pool.getby_name("main"), addr_main) if args.PE: symbol_pool.set_offset(symbol_pool.getby_name_create("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocs before patching it for bloc in blocs: print bloc open("graph.dot", "w").write(blocs.dot()) # Apply patches patches = asmbloc.asm_resolve_final(machine.mn,
blocs, symbol_pool = parse_asm.parse_txt( mn_x86, 32, ''' main: CALL test_automod RET lbl_good: NOP NOP NOP NOP NOP NOP NOP NOP NOP test_automod: PUSH EBP MOV EBP, ESP LEA EDI, DWORD PTR [lbl_mod] LEA ESI, DWORD PTR [lbl_good] MOV ECX, 0x8 REPE MOVSB lbl_mod: XOR EAX, EAX MOV DWORD PTR [EAX], 0xDEADC0DE NOP NOP NOP PUSH 0 PUSH title PUSH msg PUSH 0 CALL DWORD PTR [ MessageBoxA ] MOV ESP, EBP POP EBP RET title: .string "Hello!" msg: .string "World!" ''')
from pdb import pm from pprint import pprint from miasm2.arch.x86.arch import mn_x86 from miasm2.core import parse_asm, asmblock # Assemble code asmcfg, loc_db = parse_asm.parse_txt( mn_x86, 32, ''' main: MOV EAX, 1 MOV EBX, 2 MOV ECX, 2 MOV DX, 2 loop: INC EBX CMOVZ EAX, EBX ADD EAX, ECX JZ loop RET ''') # Set 'main' loc_key's offset loc_db.set_location_offset(loc_db.get_name_location("main"), 0x0) # Spread information and resolve instructions offset patches = asmblock.asm_resolve_final(mn_x86, asmcfg, loc_db) # Show resolved asmcfg for block in asmcfg.blocks:
from miasm2.core import asmblock from miasm2.arch.x86 import arch from miasm2.core import parse_asm from miasm2.core.interval import interval my_mn = arch.mn_x86 asmcfg, loc_db = parse_asm.parse_txt(my_mn, 64, r''' main: PUSH RBP MOV RBP, RSP loop_dec: CMP RCX, RDX JB loop_dec end: MOV RSP, RBP POP RBP RET ''') loc_db.set_location_offset(loc_db.get_name_location("main"), 0x100001000) dst_interval = interval([(0x100001000, 0x100002000)]) patches = asmblock.asm_resolve_final( my_mn, asmcfg, loc_db, dst_interval )
translator_smt2 = Translator.to_language("smt2") addr = int(options.address, 16) cont = Container.from_stream(open(args[0])) mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db) ir_arch = machine.ir(mdis.loc_db) ircfg = ir_arch.new_ircfg() symbexec = SymbolicExecutionEngine(ir_arch) asmcfg, loc_db = parse_asm.parse_txt(machine.mn, 32, ''' init: PUSH argv PUSH argc PUSH ret_addr ''', loc_db=mdis.loc_db) argc_lbl = loc_db.get_name_location('argc') argv_lbl = loc_db.get_name_location('argv') ret_addr_lbl = loc_db.get_name_location('ret_addr') init_lbl = loc_db.get_name_location('init') argc_loc = ExprLoc(argc_lbl, 32) argv_loc = ExprLoc(argv_lbl, 32) ret_addr_loc = ExprLoc(ret_addr_lbl, 32) ret_addr = ExprId("ret_addr", ret_addr_loc.size)
blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' main: PUSH EBP MOV EBP, ESP SUB ESP, 0x100 MOV EAX, 0x1337 ; test ptr manip LEA ESI, DWORD PTR [mystr^toto] CALL toto mystr: .string "test string" toto: POP EDI PUSH EDI ; test scasb XOR EAX, EAX XOR ECX, ECX DEC ECX REPNE SCASB NOT ECX DEC ECX ; test movsb POP ESI LEA EDI, DWORD PTR [EBP-0x100] REPE MOVSB ; test float PUSH 0 FLD1 FLD1 FADD ST, ST(1) FIST DWORD PTR [ESP] POP EAX ; test cond mnemo NOP NOP CMOVZ EAX, EBX ; test shr NOP SHR EAX, 1 NOP NOP SHR EAX, CL NOP MOV ESP, EBP POP EBP RET ''')