def __call__(self, raw_bytes, avoid, pcreg=''): while len(raw_bytes) % context.bytes: raw_bytes += '\x00' a, b = xor_pair(raw_bytes, avoid) mov_ecx = shellcraft.i386.mov('ecx', len(raw_bytes) / context.bytes) decoder = self.decoder % mov_ecx decoder = asm(decoder) for left, right in zip(group(context.bytes, a), group(context.bytes, b)): decoder += left decoder += right return decoder
def __call__(self, raw_bytes, avoid, pcreg=''): while len(raw_bytes) % context.bytes: raw_bytes += b'\x00' a, b = xor_pair(raw_bytes, avoid) mov_ecx = shellcraft.i386.mov('ecx', len(raw_bytes) // context.bytes) decoder = self.decoder % mov_ecx decoder = asm(decoder) for left, right in zip(group(context.bytes, a), group(context.bytes, b)): decoder += left decoder += right return decoder
def render_body(context, string, append_null=True, **pageargs): __M_caller = context.caller_stack._push_frame() try: __M_locals = __M_dict_builtin(pageargs=pageargs, string=string, append_null=append_null) ord = context.get('ord', UNDEFINED) isinstance = context.get('isinstance', UNDEFINED) str = context.get('str', UNDEFINED) __M_writer = context.writer() from pwnlib.util import lists, packing, fiddling from pwnlib.shellcraft import pretty, okay __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['packing', 'fiddling', 'okay', 'pretty', 'lists'] if __M_key in __M_locals_builtin_stored ])) __M_writer(u'\n') __M_writer(u'\n') __M_writer(u'\n') original = string string = packing.flat(string) if append_null: string += '\x00' if isinstance(original, str): original += '\x00' if not string: return if ord(string[-1]) >= 128: extend = '\xff' else: extend = '\x00' __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['original', 'extend', 'string'] if __M_key in __M_locals_builtin_stored])) __M_writer(u' /* push ') __M_writer(unicode(pretty(original, False))) __M_writer(u' */\n') for word in lists.group(4, string, 'fill', extend)[::-1]: sign = packing.u32(word, endian='little', sign='signed') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['sign'] if __M_key in __M_locals_builtin_stored])) if sign in [0, 0xa]: __M_writer(u' push ') __M_writer(unicode(pretty(sign + 1))) __M_writer(u'\n dec byte ptr [esp]\n') elif -0x80 <= sign <= 0x7f and okay(word[0]): __M_writer(u' push ') __M_writer(unicode(pretty(sign))) __M_writer(u'\n') elif okay(word): __M_writer(u' push ') __M_writer(unicode(pretty(sign))) __M_writer(u'\n') else: a, b = fiddling.xor_pair(word, avoid='\x00\n') a = packing.u32(a, endian='little', sign='unsigned') b = packing.u32(b, endian='little', sign='unsigned') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['a', 'b'] if __M_key in __M_locals_builtin_stored ])) __M_writer(u' push ') __M_writer(unicode(pretty(a))) __M_writer(u'\n xor dword ptr [esp], ') __M_writer(unicode(pretty(b))) __M_writer(u'\n') return '' finally: context.caller_stack._pop_frame()
def render_body(context, dest, src, stack_allowed=True, **pageargs): __M_caller = context.caller_stack._push_frame() try: __M_locals = __M_dict_builtin(dest=dest, src=src, pageargs=pageargs, stack_allowed=stack_allowed) int = context.get('int', UNDEFINED) isinstance = context.get('isinstance', UNDEFINED) hex = context.get('hex', UNDEFINED) long = context.get('long', UNDEFINED) str = context.get('str', UNDEFINED) __M_writer = context.writer() from pwnlib.util import lists, packing, fiddling, misc __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['packing', 'fiddling', 'misc', 'lists'] if __M_key in __M_locals_builtin_stored ])) import logging log = logging.getLogger('pwnlib.shellcraft') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['logging', 'log'] if __M_key in __M_locals_builtin_stored])) __M_writer(u'\n') __M_writer(u'\n') regs = [['rax', 'eax', 'ax', 'al'], ['rbx', 'ebx', 'bx', 'bl'], ['rcx', 'ecx', 'cx', 'cl'], ['rdx', 'edx', 'dx', 'dl'], ['rdi', 'edi', 'di', 'dil'], ['rsi', 'esi', 'si', 'sil'], ['rbp', 'ebp', 'bp', 'bpl'], ['rsp', 'esp', 'sp', 'spl'], ['r8', 'r8d', 'r8w', 'r8b'], ['r9', 'r9d', 'r9w', 'r9b'], ['r10', 'r10d', 'r10w', 'r10b'], ['r11', 'r11d', 'r11w', 'r11b'], ['r12', 'r12d', 'r12w', 'r12b'], ['r13', 'r13d', 'r13w', 'r13b'], ['r14', 'r14d', 'r14w', 'r14b'], ['r15', 'r15d', 'r15w', 'r15b']] def okay(s): return '\0' not in s and '\n' not in s def pretty(n): if n < 0: return str(n) else: return hex(n) all_regs, sizes, bigger, smaller = misc.register_sizes( regs, [64, 32, 16, 8]) dest_orig = dest __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [ 'smaller', 'okay', 'sizes', 'regs', 'dest_orig', 'pretty', 'all_regs', 'bigger' ] if __M_key in __M_locals_builtin_stored])) if dest not in all_regs: __M_writer(u' ') log.error('%s is not a register' % str(dest_orig)) __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [] if __M_key in __M_locals_builtin_stored])) elif isinstance(src, (int, long)): __M_writer(u' ') if not (-2**(sizes[dest] - 1) <= src < 2**sizes[dest]): log.error('Number %s does not fit into %s' % (pretty(src), dest_orig)) # Calculate the unsigned and signed versions srcu = src & (2**sizes[dest] - 1) srcs = srcu - 2 * (srcu & (2**(sizes[dest] - 1))) # micro-optimization: if you ever touch e.g. eax, then all the upper bits # of rax will be set to 0. We exploit this fact here if 0 <= src < 2**32 and sizes[dest] == 64: dest = smaller[dest][0] # Calculate the packed version srcp = packing.pack(srcu, sizes[dest], 'little', False) __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['dest', 'srcs', 'srcp', 'srcu'] if __M_key in __M_locals_builtin_stored ])) if src == 0: __M_writer(u' xor ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(dest)) __M_writer(u'\n') elif src == 10 and stack_allowed and sizes[ dest] == 32: # sizes[dest] == 64 not possible here __M_writer(u' push 9\n pop ') __M_writer(unicode(bigger[dest][0])) __M_writer(u'\n inc ') __M_writer(unicode(dest)) __M_writer(u'\n') elif stack_allowed and sizes[dest] in [ 32, 64 ] and -2**7 <= srcs < 2**7 and okay(srcp[0]): __M_writer(u' push ') __M_writer(unicode(pretty(srcs))) __M_writer(u'\n pop ') __M_writer( unicode(dest if sizes[dest] == 64 else bigger[dest][0])) __M_writer(u'\n') elif okay(srcp): __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(pretty(src))) __M_writer(u'\n') elif stack_allowed and sizes[dest] in [ 32, 64 ] and -2**31 <= srcs < 2**31 and okay(srcp[:4]): __M_writer(u' push ') __M_writer(unicode(pretty(srcs))) __M_writer(u'\n pop ') __M_writer( unicode(dest if sizes[dest] == 64 else bigger[dest][0])) __M_writer(u'\n') else: __M_writer(u' ') a, b = fiddling.xor_pair(srcp, avoid='\x00\n') a = pretty(packing.unpack(a, sizes[dest], 'little', False)) b = pretty(packing.unpack(b, sizes[dest], 'little', False)) __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['a', 'b'] if __M_key in __M_locals_builtin_stored ])) if sizes[dest] != 64: __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(a)) __M_writer(u'\n xor ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(b)) __M_writer(u'\n') elif stack_allowed: __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(a)) __M_writer(u'\n push ') __M_writer(unicode(dest)) __M_writer(u'\n mov ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(b)) __M_writer(u'\n xor [rsp], ') __M_writer(unicode(dest)) __M_writer(u'\n pop ') __M_writer(unicode(dest)) __M_writer(u'\n') else: __M_writer(u' ') log.error("Cannot put %s into '%s' without using stack." % (pretty(src), dest_orig)) __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [] if __M_key in __M_locals_builtin_stored ])) elif src in all_regs: __M_writer(u' ') # micro-optimization: if you ever touch e.g. eax, then all the upper bits # of rax will be set to 0. We exploit this fact here if sizes[dest] == 64 and sizes[src] != 64: dest = smaller[dest][0] __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['dest'] if __M_key in __M_locals_builtin_stored])) if src == dest or src in bigger[dest] or src in smaller[dest]: __M_writer(u' /* moving ') __M_writer(unicode(src)) __M_writer(u' into ') __M_writer(unicode(dest_orig)) __M_writer(u', but this is a no-op */\n') elif sizes[dest] == sizes[src]: __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(src)) __M_writer(u'\n') elif sizes[dest] > sizes[src]: __M_writer(u' movzx ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(src)) __M_writer(u'\n') else: for r in smaller[src]: if sizes[r] == sizes[dest]: __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(r)) __M_writer(u'\n ') break __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [] if __M_key in __M_locals_builtin_stored ])) else: __M_writer(u' ') log.error('%s is neither a register nor an immediate' % src) __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [] if __M_key in __M_locals_builtin_stored])) return '' finally: context.caller_stack._pop_frame()
def render_body(context, dest, src, stack_allowed=True, **pageargs): __M_caller = context.caller_stack._push_frame() try: __M_locals = __M_dict_builtin(dest=dest, src=src, pageargs=pageargs, stack_allowed=stack_allowed) tuple = context.get('tuple', UNDEFINED) int = context.get('int', UNDEFINED) hex = context.get('hex', UNDEFINED) long = context.get('long', UNDEFINED) str = context.get('str', UNDEFINED) isinstance = context.get('isinstance', UNDEFINED) __M_writer = context.writer() from pwnlib.shellcraft import eval, pretty, okay from pwnlib.util import lists, packing, fiddling, misc from pwnlib.log import getLogger from pwnlib.shellcraft.registers import get_register, is_register, bits_required log = getLogger('pwnlib.shellcraft.i386.mov') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [ 'okay', 'eval', 'misc', 'bits_required', 'lists', 'get_register', 'getLogger', 'packing', 'fiddling', 'pretty', 'is_register', 'log' ] if __M_key in __M_locals_builtin_stored ])) __M_writer(u'\n') __M_writer(u'\n') __M_writer(u'\n') src_name = src if not isinstance(src, (str, tuple)): src_name = pretty(src) if not get_register(dest): log.error('%r is not a register' % dest) dest = get_register(dest) if dest.size > 32 or dest.is64bit: log.error("cannot use %s on i386" % dest) if get_register(src): src = get_register(src) if src.is64bit: log.error("cannot use %s on i386" % src) if dest.size < src.size and src.name not in dest.bigger: log.error("cannot mov %s, %s: dddest is smaller than src" % (dest, src)) else: src = eval(src) if not dest.fits(src): log.error("cannot mov %s, %r: dest is smaller than src" % (dest, src)) src_size = bits_required(src) # Calculate the packed version mask = ((1 << 32) - 1) masked = src & mask srcp = packing.pack(masked, dest.size) # Calculate the unsigned and signed versions srcu = packing.unpack(srcp, dest.size, sign=False) srcs = packing.unpack(srcp, dest.size, sign=True) srcp_not = packing.pack(fiddling.bnot(masked)) srcp_neg = packing.pack(fiddling.negate(masked)) srcu_not = packing.unpack(srcp_not) srcu_neg = packing.unpack(srcp_neg) __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in [ 'src', 'srcp_neg', 'src_size', 'dest', 'mask', 'srcu_not', 'srcp_not', 'srcs', 'srcp', 'masked', 'srcu', 'src_name', 'srcu_neg' ] if __M_key in __M_locals_builtin_stored ])) if is_register(src): if src == dest: __M_writer(u' /* moving ') __M_writer(unicode(src)) __M_writer(u' into ') __M_writer(unicode(dest)) __M_writer(u', but this is a no-op */\n') elif src.name in dest.bigger: __M_writer(u' /* moving ') __M_writer(unicode(src)) __M_writer(u' into ') __M_writer(unicode(dest)) __M_writer(u', but this is a no-op */\n') elif dest.size > src.size: __M_writer(u' movzx ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(src)) __M_writer(u'\n') else: __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(src)) __M_writer(u'\n') elif isinstance(src, (int, long)): if src == 0: __M_writer(u' xor ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(dest)) __M_writer(u'\n') elif stack_allowed and dest.size == 32 and src == 10: __M_writer(u' push 9 /* mov ') __M_writer(unicode(dest)) __M_writer(u", '\\n' */\n pop ") __M_writer(unicode(dest)) __M_writer(u'\n inc ') __M_writer(unicode(dest)) __M_writer(u'\n') elif stack_allowed and dest.size == 32 and okay(srcp): __M_writer(u' push ') __M_writer(unicode(pretty(src))) __M_writer(u'\n pop ') __M_writer(unicode(dest)) __M_writer(u'\n') elif stack_allowed and dest.size == 32 and -127 <= srcs < 128 and okay( srcp[0]): __M_writer(u' push ') __M_writer(unicode(pretty(src))) __M_writer(u'\n pop ') __M_writer(unicode(dest)) __M_writer(u'\n') elif okay(srcp): __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(pretty(src))) __M_writer(u'\n') elif 0 <= srcu < 2**8 and okay(srcp[0]) and dest.sizes.get(8, 0): __M_writer(u' xor ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(dest)) __M_writer(u'\n mov ') __M_writer(unicode(dest.sizes[8])) __M_writer(u', ') __M_writer(unicode(pretty(srcu))) __M_writer(u'\n') elif srcu == (srcu & 0xff00) and okay(srcp[1]) and dest.ff00: __M_writer(u' xor ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(dest)) __M_writer(u'\n mov ') __M_writer(unicode(dest.ff00)) __M_writer(u', ') __M_writer(unicode(pretty(src))) __M_writer(u' >> 8\n') elif 0 <= srcu < 2**16 and okay(srcp[:2]) and dest.sizes[16]: __M_writer(u' xor ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(dest)) __M_writer(u'\n mov ') __M_writer(unicode(dest.sizes[16])) __M_writer(u', ') __M_writer(unicode(pretty(src))) __M_writer(u'\n') elif okay(srcp_neg): __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', -') __M_writer(unicode(pretty(src))) __M_writer(u'\n neg ') __M_writer(unicode(dest)) __M_writer(u'\n') elif okay(srcp_not): __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', (-1) ^ ') __M_writer(unicode(pretty(src))) __M_writer(u'\n not ') __M_writer(unicode(dest)) __M_writer(u'\n') else: __M_writer(u' ') a, b = fiddling.xor_pair(srcp, avoid='\x00\n') a = hex(packing.unpack(a, dest.size)) b = hex(packing.unpack(b, dest.size)) __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update( __M_dict_builtin([ (__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['a', 'b'] if __M_key in __M_locals_builtin_stored ])) __M_writer(u' mov ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(a)) __M_writer(u'\n xor ') __M_writer(unicode(dest)) __M_writer(u', ') __M_writer(unicode(a)) __M_writer(u' ^ ') __M_writer(unicode(pretty(src))) __M_writer(u'\n') return '' finally: context.caller_stack._pop_frame()
def render_body(context,string,append_null=True,**pageargs): __M_caller = context.caller_stack._push_frame() try: __M_locals = __M_dict_builtin(pageargs=pageargs,string=string,append_null=append_null) ord = context.get('ord', UNDEFINED) hex = context.get('hex', UNDEFINED) repr = context.get('repr', UNDEFINED) __M_writer = context.writer() from pwnlib.util import lists, packing, fiddling __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['packing','fiddling','lists'] if __M_key in __M_locals_builtin_stored])) __M_writer(u'\n') __M_writer(u'\n') if append_null: string += '\x00' if not string: return def okay(s): return '\n' not in s and '\0' not in s if ord(string[-1]) >= 128: extend = '\xff' else: extend = '\x00' def pretty(n): return hex(n & (2 ** 64 - 1)) __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['pretty','okay','string','extend'] if __M_key in __M_locals_builtin_stored])) __M_writer(u' /* push ') __M_writer(unicode(repr(string))) __M_writer(u' */\n') for word in lists.group(8, string, 'fill', extend)[::-1]: sign = packing.u64(word, 'little', 'signed') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['sign'] if __M_key in __M_locals_builtin_stored])) if sign in [0, 0xa]: __M_writer(u' push ') __M_writer(unicode(sign + 1)) __M_writer(u'\n dec byte ptr [rsp]\n') elif -0x80 <= sign <= 0x7f and okay(word[0]): __M_writer(u' push ') __M_writer(unicode(pretty(sign))) __M_writer(u'\n') elif -0x80000000 <= sign <= 0x7fffffff and okay(word[:4]): __M_writer(u' push ') __M_writer(unicode(pretty(sign))) __M_writer(u'\n') elif okay(word): __M_writer(u' mov rax, ') __M_writer(unicode(hex(sign))) __M_writer(u'\n push rax\n') elif word[4:] == '\x00\x00\x00\x00': a,b = fiddling.xor_pair(word[:4], avoid = '\x00\n') a = packing.u32(a, 'little', 'unsigned') b = packing.u32(b, 'little', 'unsigned') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['a','b'] if __M_key in __M_locals_builtin_stored])) __M_writer(u' push ') __M_writer(unicode(pretty(a))) __M_writer(u'\n xor dword ptr [rsp], ') __M_writer(unicode(pretty(b))) __M_writer(u'\n') else: a,b = fiddling.xor_pair(word, avoid = '\x00\n') a = packing.u64(a, 'little', 'unsigned') b = packing.u64(b, 'little', 'unsigned') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['a','b'] if __M_key in __M_locals_builtin_stored])) __M_writer(u' mov rax, ') __M_writer(unicode(pretty(a))) __M_writer(u'\n push rax\n mov rax, ') __M_writer(unicode(pretty(b))) __M_writer(u'\n xor [rsp], rax\n') return '' finally: context.caller_stack._pop_frame()