Diffstat (limited to 'example/find_rop.py')
-rw-r--r--example/find_rop.py118
1 files changed, 101 insertions, 17 deletions
diff --git a/example/find_rop.py b/example/find_rop.py
index 91806225..a071cf18 100644
--- a/example/find_rop.py
+++ b/example/find_rop.py
@@ -25,7 +25,92 @@ code_stop = e.rva2virt(s_code.addr+s_code.size)
 
 
 print "run on", hex(code_start), hex(code_stop)
-                           
+
+
+filename = os.environ.get('PYTHONSTARTUP')
+if filename and os.path.isfile(filename):
+    execfile(filename)
+
+
+def whoami():
+    return inspect.stack()[1][3]
+
+
+
+def mem_read_wrap(evaluator, e):
+    return e
+
+
+def mem_write_wrap(evaluator, dst, s, src, pool_out):
+    return ExprTop()
+
+
+
+min_addr = code_start
+max_addr = code_stop
+
+print hex(min_addr), hex(max_addr)
+arg1 = ExprId('ARG1', 32, True)
+arg2 = ExprId('ARG2', 32, True)
+ret1 = ExprId('RET1', 32, True)
+
+data1 = ExprId('DATA1', 32, True)
+data2 = ExprId('DATA2', 32, True)
+data3 = ExprId('DATA3', 32, True)
+data4 = ExprId('DATA4', 32, True)
+data5 = ExprId('DATA5', 32, True)
+data6 = ExprId('DATA6', 32, True)
+data7 = ExprId('DATA7', 32, True)
+data8 = ExprId('DATA8', 32, True)
+data9 = ExprId('DATA9', 32, True)
+data10 = ExprId('DATA10', 32, True)
+
+machine = eval_abs({esp:init_esp, ebp:init_ebp, eax:init_eax, ebx:init_ebx, ecx:init_ecx, edx:init_edx, esi:init_esi, edi:init_edi,
+                cs:ExprInt(uint32(9)),
+                zf :  ExprInt(uint32(0)), nf :  ExprInt(uint32(0)), pf : ExprInt(uint32(0)),
+                of :  ExprInt(uint32(0)), cf :  ExprInt(uint32(0)), tf : ExprInt(uint32(0)),
+                i_f:  ExprInt(uint32(1)), df :  ExprInt(uint32(0)), af : ExprInt(uint32(0)),
+                iopl: ExprInt(uint32(0)), nt :  ExprInt(uint32(0)), rf : ExprInt(uint32(0)),
+                vm :  ExprInt(uint32(0)), ac :  ExprInt(uint32(0)), vif: ExprInt(uint32(0)),
+                vip:  ExprInt(uint32(0)), i_d:  ExprInt(uint32(0)),tsc1: ExprInt(uint32(0)),
+                tsc2: ExprInt(uint32(0)),
+                dr7:ExprInt(uint32(0)),
+                cr0:init_cr0,
+
+                },
+               mem_read_wrap,
+               mem_write_wrap,
+               )
+
+
+# add some info for example
+from elfesteem import *
+from miasm.tools.pe_helper import *
+import inspect
+from miasm.core import asmbloc
+from miasm.core import parse_asm
+from elfesteem import pe
+from miasm.tools.to_c_helper import *
+
+
+if len(sys.argv) < 2:
+    print "%s dllfile"%sys.argv[0]
+    sys.exit(0)
+fname = sys.argv[1]
+e = pe_init.PE(open(fname, 'rb').read())
+in_str = bin_stream(e.virt)
+
+# find gadget only in first section
+section_code_name = e.SHList.shlist[0].name.strip("\x00")
+s_code = e.getsectionbyname(section_code_name)
+
+
+code_start = e.rva2virt(s_code.addr)
+code_stop = e.rva2virt(s_code.addr+s_code.size)
+
+
+print "run on", hex(code_start), hex(code_stop)
+
 
 filename = os.environ.get('PYTHONSTARTUP')
 if filename and os.path.isfile(filename):
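Review bot: The added block looks like a second copy of the script's head rather than new logic: the `execfile(os.environ.get('PYTHONSTARTUP'))` stanza it introduces is repeated verbatim by the surviving context right after it, `machine = eval_abs(...)` is constructed again at the original definition the next hunk's header points to (new line 161), and the star imports, `sys.argv` check and `pe_init.PE(open(fname, 'rb').read())` re-parse a binary the script has already loaded before the first `print "run on"` (the hunk header's own context shows `code_stop` being computed above this point). As committed, whatever file `$PYTHONSTARTUP` names is executed twice with the script's privileges, the PE is parsed twice and `code_start`/`code_stop` are silently rebound, so the duplicated stretch should be dropped; if `mem_read_wrap`/`mem_write_wrap` or the `DATA*` ids are genuinely new, keep only those. Separately, `open(fname, 'rb').read()` leaks the handle; `with open(fname, 'rb') as f: e = pe_init.PE(f.read())` closes it deterministically. The `for f_ad in xrange(min_addr, max_addr)` scan that consumes these values lies outside this hunk.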
@@ -76,7 +161,7 @@ machine = eval_abs({esp:init_esp, ebp:init_ebp, eax:init_eax, ebx:init_ebx, ecx:
                 tsc2: ExprInt(uint32(0)),
                 dr7:ExprInt(uint32(0)),
                 cr0:init_cr0,
-                
+
                 },
                mem_read_wrap,
                mem_write_wrap,
@@ -84,17 +169,17 @@ machine = eval_abs({esp:init_esp, ebp:init_ebp, eax:init_eax, ebx:init_ebx, ecx:
 
 
 # add some info for example
-machine.eval_instr(push(arg2))
-machine.eval_instr(push(arg1))
-machine.eval_instr(push(ret1))
-machine.eval_instr(push(ebp))
-machine.eval_instr(mov(ebp, esp))
-machine.eval_instr(sub(esp, ExprInt(uint32(0x14))))
-machine.eval_instr(mov(eax, ExprMem(ebp + ExprInt(uint32(8)))))
-machine.eval_instr(mov(edx, ExprMem(eax + ExprInt(uint32(12)))))
-machine.eval_instr(mov(eax, ExprMem(ebp + ExprInt(uint32(12)))))
-machine.eval_instr(mov(ExprMem(esp), eax))
-machine.eval_instr(push(ExprInt(uint32(0x1337beef))))
+machine.eval_instr(push(('u32', 'u32'), arg2))
+machine.eval_instr(push(('u32', 'u32'), arg1))
+machine.eval_instr(push(('u32', 'u32'), ret1))
+machine.eval_instr(push(('u32', 'u32'), ebp))
+machine.eval_instr(mov(('u32', 'u32'), ebp, esp))
+machine.eval_instr(sub(('u32', 'u32'), esp, ExprInt(uint32(0x14))))
+machine.eval_instr(mov(('u32', 'u32'), eax, ExprMem(ebp + ExprInt(uint32(8)))))
+machine.eval_instr(mov(('u32', 'u32'), edx, ExprMem(eax + ExprInt(uint32(12)))))
+machine.eval_instr(mov(('u32', 'u32'), eax, ExprMem(ebp + ExprInt(uint32(12)))))
+machine.eval_instr(mov(('u32', 'u32'), ExprMem(esp), eax))
+machine.eval_instr(push(('u32', 'u32'), ExprInt(uint32(0x1337beef))))
 
 for k in machine.pool:
     machine.pool[k] = expr_simp(machine.pool[k])
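Review bot: Style: the new `('u32', 'u32')` size tuple is repeated on all eleven `eval_instr` calls; binding it once, `U32 = ('u32', 'u32')`, and writing `machine.eval_instr(push(U32, arg2))` keeps the operand-size choice in one place and turns a later move to another width into a one-line edit. What the two entries mean is not visible from this hunk, so a one-line comment next to that binding would help the next reader, e.g. `# size tuple expected by the x86 mnemonic helpers -- presumably (dst, src) widths, confirm against miasm`. The `0x1337beef` marker pushed last is also a magic value worth naming (`STACK_MARKER = 0x1337beef`) if the scan that follows matches on it.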
@@ -110,7 +195,7 @@ for f_ad in xrange(min_addr, max_addr):
     start_ad = f_ad
     my_eip = ExprInt(uint32(f_ad))
     cycles = 0
-    
+
     while True:
         cycles += 1
         # max 5 instructions chain
@@ -127,12 +212,11 @@ for f_ad in xrange(min_addr, max_addr):
         if not (min_addr < ad< max_addr):
             break
         in_str.offset = ad
-        
         l = x86_mn.dis(in_str)
         # print hex(my_eip.arg), l
         if not l:
             break
-        
+
         args = []
         my_eip.arg+=uint32(l.l)
         try:
@@ -143,7 +227,7 @@ for f_ad in xrange(min_addr, max_addr):
             my_eip, mem_dst = emul_full_expr(ex, l, my_eip, None, machine)
         except:
             break
-        
+
     for k in machine.pool:
         machine.pool[k] = expr_simp(machine.pool[k])