| author | serpilliere <serpilliere@users.noreply.github.com> | 2018-03-05 16:38:27 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-03-05 16:38:27 +0100 |
| commit | 33b13d0b47f8304c9b45e9a1e337b360592a8a87 (patch) | |
| tree | bd3cc1a06b9962d4f19ba3770837970dad6b70e7 | |
| parent | 342614c1ec4bedd5bcc089ba01909a66b9a73aba (diff) | |
| parent | a635e3e35125c9f3dd780a37baaec3e65ec87111 (diff) | |
Merge pull request #691 from commial/fix/start-ppc
Fix/start ppc
| -rw-r--r-- | example/symbol_exec/dse_crackme.py | 2 | ||||
| -rw-r--r-- | miasm2/analysis/sandbox.py | 38 | ||||
| -rw-r--r-- | miasm2/os_dep/linux_stdlib.py | 47 | ||||
| -rwxr-xr-x | test/test_all.py | 2 |
4 files changed, 61 insertions, 28 deletions
diff --git a/example/symbol_exec/dse_crackme.py b/example/symbol_exec/dse_crackme.py
index 303447a4..f6050486 100644
--- a/example/symbol_exec/dse_crackme.py
+++ b/example/symbol_exec/dse_crackme.py
@@ -195,7 +195,7 @@ def xxx___libc_start_main_symb(dse):
 main_addr = dse.eval_expr(regs.RDI)
 argc = dse.eval_expr(regs.RSI)
 argv = dse.eval_expr(regs.RDX)
- hlt_addr = ExprInt(0x1337beef, 64)
+ hlt_addr = ExprInt(sb.CALL_FINISH_ADDR, 64)
 dse.update_state({
 ExprMem(top_stack, 64): hlt_addr,
diff --git a/miasm2/analysis/sandbox.py b/miasm2/analysis/sandbox.py
index 5bdccddd..8ffdb4ac 100644
--- a/miasm2/analysis/sandbox.py
+++ b/miasm2/analysis/sandbox.py
@@ -284,6 +284,7 @@ class OS_Linux(OS):
 # Library calls handler
 self.jitter.add_lib_handler(self.libs, methods)
+ linux_stdlib.ABORT_ADDR = self.CALL_FINISH_ADDR
 # Arguments
 self.argv = [self.PROGRAM_PATH]
@@ -329,6 +330,7 @@ class OS_Linux_str(OS):
 # Library calls handler
 self.jitter.add_lib_handler(libs, methods)
+ linux_stdlib.ABORT_ADDR = self.CALL_FINISH_ADDR
 # Arguments
 self.argv = [self.PROGRAM_PATH]
@@ -458,10 +460,10 @@ class Sandbox_Win_x86_32(Sandbox, Arch_x86_32, OS_Win):
 self.jitter.push_uint32_t(2)
 self.jitter.push_uint32_t(1)
 self.jitter.push_uint32_t(0)
- self.jitter.push_uint32_t(0x1337beef)
+ self.jitter.push_uint32_t(self.CALL_FINISH_ADDR)
 # Set the runtime guard
- self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+ self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 def run(self, addr=None):
 """
@@ -491,10 +493,10 @@ class Sandbox_Win_x86_64(Sandbox, Arch_x86_64, OS_Win):
 self.jitter.push_uint64_t(0)
 # Pre-stack return address
- self.jitter.push_uint64_t(0x1337beef)
+ self.jitter.push_uint64_t(self.CALL_FINISH_ADDR)
 # Set the runtime guard
- self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+ self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 def run(self, addr=None):
 """
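Review bot: The new `linux_stdlib.ABORT_ADDR = self.CALL_FINISH_ADDR` in OS_Linux.__init__ (and the identical line in OS_Linux_str.__init__ in the next hunk) rebinds a module-level global, so the forced return address of the __libc_start_main stub is process-wide, while the `code_sentinelle` breakpoint that catches a return to that address is registered per jitter in each Sandbox_Linux_* class. Two sandboxes built in one process with different `CALL_FINISH_ADDR` values would therefore leave the first one's emulated `main` returning to an address nothing guards; if a single value is the intended design, say so where the global is set: `# process-wide: the __libc_start_main stub returns here, and every Sandbox_Linux_* must guard this same address with code_sentinelle`. Where `CALL_FINISH_ADDR` itself is defined is not visible in this diff, so the per-class relationship is inferred, and both `__init__` bodies start outside their hunks.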
@@ -536,7 +538,7 @@ class Sandbox_Linux_x86_32(Sandbox, Arch_x86_32, OS_Linux):
 self.jitter.vm.set_mem(ptr, arg)
 argv_ptrs.append(ptr)
- self.jitter.push_uint32_t(0x1337beef)
+ self.jitter.push_uint32_t(self.CALL_FINISH_ADDR)
 self.jitter.push_uint32_t(0)
 for ptr in reversed(env_ptrs):
 self.jitter.push_uint32_t(ptr)
@@ -545,10 +547,10 @@ class Sandbox_Linux_x86_32(Sandbox, Arch_x86_32, OS_Linux):
 self.jitter.push_uint32_t(ptr)
 self.jitter.push_uint32_t(len(self.argv))
 else:
- self.jitter.push_uint32_t(0x1337beef)
+ self.jitter.push_uint32_t(self.CALL_FINISH_ADDR)
 # Set the runtime guard
- self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+ self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 def run(self, addr=None):
 """
@@ -591,7 +593,7 @@ class Sandbox_Linux_x86_64(Sandbox, Arch_x86_64, OS_Linux):
 self.jitter.vm.set_mem(ptr, arg)
 argv_ptrs.append(ptr)
- self.jitter.push_uint64_t(0x1337beef)
+ self.jitter.push_uint64_t(self.CALL_FINISH_ADDR)
 self.jitter.push_uint64_t(0)
 for ptr in reversed(env_ptrs):
 self.jitter.push_uint64_t(ptr)
@@ -600,10 +602,10 @@ class Sandbox_Linux_x86_64(Sandbox, Arch_x86_64, OS_Linux):
 self.jitter.push_uint64_t(ptr)
 self.jitter.push_uint64_t(len(self.argv))
 else:
- self.jitter.push_uint64_t(0x1337beef)
+ self.jitter.push_uint64_t(self.CALL_FINISH_ADDR)
 # Set the runtime guard
- self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+ self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 def run(self, addr=None):
 """
@@ -653,10 +655,10 @@ class Sandbox_Linux_arml(Sandbox, Arch_arml, OS_Linux):
 self.jitter.push_uint32_t(ptr)
 self.jitter.push_uint32_t(len(self.argv))
- self.jitter.cpu.LR = 0x1337beef
+ self.jitter.cpu.LR = self.CALL_FINISH_ADDR
 # Set the runtime guard
- self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+ self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 def run(self, addr=None):
 if addr is None and self.options.address is None:
@@ -678,10 +680,10 @@ class Sandbox_Linux_armb_str(Sandbox, Arch_armb, OS_Linux_str):
 def __init__(self, *args, **kwargs):
 Sandbox.__init__(self, *args, **kwargs)
- self.jitter.cpu.LR = 0x1337beef
+ self.jitter.cpu.LR = self.CALL_FINISH_ADDR
 # Set the runtime guard
- self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+ self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 def run(self, addr=None):
 if addr is None and self.options.address is not None:
@@ -694,10 +696,10 @@ class Sandbox_Linux_arml_str(Sandbox, Arch_arml, OS_Linux_str):
 def __init__(self, *args, **kwargs):
 Sandbox.__init__(self, *args, **kwargs)
- self.jitter.cpu.LR = 0x1337beef
+ self.jitter.cpu.LR = self.CALL_FINISH_ADDR
 # Set the runtime guard
- self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+ self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 def run(self, addr=None):
 if addr is None and self.options.address is not None:
@@ -735,10 +737,10 @@ class Sandbox_Linux_aarch64l(Sandbox, Arch_aarch64l, OS_Linux):
 self.jitter.push_uint64_t(ptr)
 self.jitter.push_uint64_t(len(self.argv))
- self.jitter.cpu.LR = 0x1337beef
+ self.jitter.cpu.LR = self.CALL_FINISH_ADDR
 # Set the runtime guard
- self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle)
+ self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)
 def run(self, addr=None):
 if addr is None and self.options.address is None:
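Review bot: The pair `self.jitter.cpu.LR = self.CALL_FINISH_ADDR` / `self.jitter.add_breakpoint(self.CALL_FINISH_ADDR, self.__class__.code_sentinelle)` is now written out verbatim in Sandbox_Linux_arml, Sandbox_Linux_armb_str, Sandbox_Linux_arml_str and Sandbox_Linux_aarch64l, and the x86 and Windows classes in the earlier hunks repeat the same push-then-breakpoint shape. Since every variant already reads the address from `self.CALL_FINISH_ADDR`, one helper on Sandbox that installs the guard, with a comment stating that the address must equal what linux_stdlib.ABORT_ADDR was set to, would keep the two from drifting the next time an architecture is added. This is a point of style only; each hunk's behavior is unchanged from before. Every `__init__` here begins outside its hunk.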
diff --git a/miasm2/os_dep/linux_stdlib.py b/miasm2/os_dep/linux_stdlib.py
index d0e281a1..9e1cc9db 100644
--- a/miasm2/os_dep/linux_stdlib.py
+++ b/miasm2/os_dep/linux_stdlib.py
@@ -1,5 +1,6 @@
 #-*- coding:utf-8 -*-
+import struct
 from sys import stdout
 from string import printable
@@ -31,21 +32,51 @@ def xxx___libc_start_main(jitter):
 Note:
 - init, fini, rtld_fini are ignored
 - return address is forced to ABORT_ADDR, to avoid calling abort/hlt/...
+ - in powerpc, signature is:
+
+ int __libc_start_main (int argc, char **argv, char **ev, ElfW (auxv_t) *
+ auxvec, void (*rtld_fini) (void), struct startup_info
+ *stinfo, char **stack_on_entry)
 """
 global ABORT_ADDR
- ret_ad, args = jitter.func_args_systemv(["main", "argc", "ubp_av", "init",
- "fini", "rtld_fini", "stack_end"])
+ if jitter.arch.name == "ppc32":
+ ret_ad, args = jitter.func_args_systemv(
+ ["argc", "argv", "ev", "aux_vec", "rtld_fini", "st_info",
+ "stack_on_entry"]
+ )
+
+ # Mimic glibc implementation
+ if args.stack_on_entry != 0:
+ argc = struct.unpack(">I",
+ jitter.vm.get_mem(args.stack_on_entry, 4))[0]
+ argv = args.stack_on_entry + 4
+ envp = argv + ((argc + 1) * 4)
+ else:
+ argc = args.argc
+ argv = args.argv
+ envp = args.ev
+ # sda_base, main, init, fini
+ _, main, _, _ = struct.unpack(">IIII",
+ jitter.vm.get_mem(args.st_info, 4 * 4))
+
+ else:
+ ret_ad, args = jitter.func_args_systemv(
+ ["main", "argc", "ubp_av", "init", "fini", "rtld_fini", "stack_end"]
+ )
+
+ main = args.main
+ # done by __libc_init_first
+ size = jitter.ir_arch.pc.size / 8
+ argc = args.argc
+ argv = args.ubp_av
+ envp = argv + (args.argc + 1) * size
- # done by __libc_init_first
- size = jitter.ir_arch.pc.size / 8
- argv = args.ubp_av
- envp = argv + (args.argc + 1) * size
 # Call int main(int argc, char** argv, char** envp)
- jitter.func_ret_systemv(args.main)
+ jitter.func_ret_systemv(main)
 ret_ad = ABORT_ADDR
- jitter.func_prepare_systemv(ret_ad, args.argc, argv, envp)
+ jitter.func_prepare_systemv(ret_ad, argc, argv, envp)
 return True
diff --git a/test/test_all.py b/test/test_all.py
index 259a1eaa..fa27b787 100755
--- a/test/test_all.py
+++ b/test/test_all.py
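Review bot: The ppc32 branch hard-codes the pointer width and byte order (`struct.unpack(">I", ...)`, `argv = args.stack_on_entry + 4`, `envp = argv + ((argc + 1) * 4)`, `struct.unpack(">IIII", ...)`) while the generic branch right below derives the width from `jitter.ir_arch.pc.size`; hoisting `size = jitter.ir_arch.pc.size / 8` above the `if` and using it in both arms removes the duplicated constant, and the big-endian `">"` assumption deserves a comment if the `"ppc32"` arch name can ever cover a little-endian variant (not determinable from this hunk). The values reached through `args.stack_on_entry` and `args.st_info` come straight from the emulated program's registers, so the stub dereferences whatever addresses the guest supplies; `jitter.vm.get_mem` presumably raises on unmapped memory, which is acceptable for an analysis sandbox but worth stating in the new docstring bullet, e.g. `- on ppc32, stack_on_entry and st_info are read from guest memory as provided; an unmapped pointer aborts the stub`. The `ret_ad` unpacked from both `func_args_systemv` calls is overwritten by `ret_ad = ABORT_ADDR` before use, so binding it as `_` would make that clearer. The enclosing function starts before this hunk.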
@@ -686,7 +686,7 @@ for script, dep in [(["x86_32.py", Example.get_sample("x86_32_sc.bin")], []),
 Example.get_sample("md5_aarch64l"), "--mimic-env"],
 []),
 (["sandbox_elf_ppc32.py",
- Example.get_sample("md5_ppc32b"), "-a", "0x1000087C"],
+ Example.get_sample("md5_ppc32b"), "--mimic-env"],
 []),
 (["msp430.py", Example.get_sample("msp430_sc.bin"), "0"],
 [test_msp430]),
|