| -rw-r--r-- | miasm/arch/ia32_sem.py | 114 | ||||
| -rw-r--r-- | miasm/tools/emul_lib/libcodenat.c | 18 | ||||
| -rw-r--r-- | miasm/tools/emul_lib/libcodenat.h | 19 | ||||
| -rw-r--r-- | miasm/tools/seh_helper.py | 9 | ||||
| -rw-r--r-- | miasm/tools/win_api.py | 3 |
5 files changed, 139 insertions, 24 deletions
diff --git a/miasm/arch/ia32_sem.py b/miasm/arch/ia32_sem.py index ad2d71ae..304d4701 100644 --- a/miasm/arch/ia32_sem.py +++ b/miasm/arch/ia32_sem.py @@ -93,6 +93,15 @@ reg_cr5 = 'cr5' reg_cr6 = 'cr6' reg_cr7 = 'cr7' +reg_mm0 = 'mm0' +reg_mm1 = 'mm1' +reg_mm2 = 'mm2' +reg_mm3 = 'mm3' +reg_mm4 = 'mm4' +reg_mm5 = 'mm5' +reg_mm6 = 'mm6' +reg_mm7 = 'mm7' + reg_tsc1 = "tsc1" reg_tsc2 = "tsc2" @@ -209,6 +218,15 @@ cr5 = ExprId(reg_cr5) cr6 = ExprId(reg_cr6) cr7 = ExprId(reg_cr7) +mm0 = ExprId(reg_mm0, 64) +mm1 = ExprId(reg_mm1, 64) +mm2 = ExprId(reg_mm2, 64) +mm3 = ExprId(reg_mm3, 64) +mm4 = ExprId(reg_mm4, 64) +mm5 = ExprId(reg_mm5, 64) +mm6 = ExprId(reg_mm6, 64) +mm7 = ExprId(reg_mm7, 64) + eflag= ExprId(reg_eflag) tmp1= ExprId(reg_tmp1) @@ -2108,7 +2126,7 @@ def sidt(info, a): b = a.arg print "DEFAULT SIDT ADDRESS %s!!"%str(a) e.append(ExprAff(ExprMem(b, 32), ExprInt32(0xe40007ff))) - e.append(ExprAff(ExprMem(ExprOp("+", b, ExprInt32(4)), 32), ExprInt32(0x8245))) + e.append(ExprAff(ExprMem(ExprOp("+", b, ExprInt32(4)), 16), ExprInt32(0x8245))) return e @@ -2132,6 +2150,18 @@ def cmovle(info, a, b): e= [] e.append(ExprAff(a, ExprCond( ExprOp('|', ExprOp('^', nf, of), zf) , b, a))) return e +def cmova(info, a, b): + e= [] + e.append(ExprAff(a, ExprCond( ExprOp('|', cf, zf) , a, b))) + return e +def cmovae(info, a, b): + e= [] + e.append(ExprAff(a, ExprCond( cf , a, b))) + return e +def cmovbe(info, a, b): + e= [] + e.append(ExprAff(a, ExprCond( ExprOp('|', cf, zf) , b, a))) + return e def cmovo(info, a, b): e= [] e.append(ExprAff(a, ExprCond(of , b, a))) 
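Review bot: The two stores in sidt now total six bytes, but nothing says what they encode, so the next reader has to redo the byte-order arithmetic to see why the second width became 16. Read little-endian, the 32-bit write of 0xe40007ff at `b` and the 16-bit write of 0x8245 at `b+4` form limit 0x07ff followed by base 0x8245e400, i.e. a fake IDTR image. A comment above the first append would record that: `# fake IDTR image: limit 0x07ff (bytes 0-1), base 0x8245e400 (bytes 2-5)`. The start of sidt's body lies outside the hunk.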
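Review bot: cmova and cmovae pass `a, b` to ExprCond while cmovbe passes `b, a`, and nothing records that the inverted order is deliberate, which invites a well-meaning "fix" later. Following the existing cmovle line, ExprCond yields its second argument when the condition holds: cmova moves only when CF=0 and ZF=0, so `ExprCond(cf|zf, a, b)` keeps `a` whenever either flag is set; cmovae moves only when CF=0, so `ExprCond(cf, a, b)` keeps `a` when CF is set; cmovbe moves when CF=1 or ZF=1, the direct form. Suggested one-liners above each append: `# CMOVA: move iff CF=0 and ZF=0 -> keep a when (cf|zf) is set`, `# CMOVAE: move iff CF=0 -> keep a when cf is set`, `# CMOVBE: move iff CF=1 or ZF=1`.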
@@ -2201,38 +2231,60 @@ def cpuid(info): e.append(ExprAff(edx, ExprOp('cpuid', eax, ExprInt32(3)))) return e +def bittest_get(a, b): + if isinstance(a, ExprId): + off_bit = ExprOp('&', b, ExprInt_from(a, a.get_size() - 1)) + d = a + #d = ExprOp('>>', a, off_bit) + else: + off_bit = ExprOp('&', b, ExprInt_from(a, a.get_size() - 1)) + off_byte = ExprOp("&", + ExprOp('>>', b, ExprInt_from(a, 3)), + ExprOp('!', ExprInt_from(a, a.get_size()/8 -1))) + + d = ExprMem(a.arg+off_byte, a.size) + #d = ExprOp('>>', mem, off_bit) + return d, off_bit + def bt(info, a, b): e= [] - c= ExprOp('&', b, ExprInt_from(a, b.get_size() - 1)) - d= ExprOp('>>', a, c) + d, off_bit = bittest_get(a, b) + d = ExprOp(">>", d, off_bit) e.append(ExprAff(cf, ExprOp('&', d, ExprInt_from(a, 1)))) return e def btc(info, a, b): e= [] - c= ExprOp('&', b, ExprInt_from(a, b.get_size() - 1)) - d= ExprOp('>>', a, c) - m= ExprOp('<<', ExprInt_from(a, 1), b) - e.append(ExprAff(cf, ExprOp('&', d, ExprInt_from(a, 1)))) - e.append(ExprAff(a, ExprOp('^', a, m))) + d, off_bit = bittest_get(a, b) + e.append(ExprAff(cf, ExprOp('&', + ExprOp(">>", d, off_bit), + ExprInt_from(a, 1)))) + + m = ExprOp('<<', ExprInt_from(a, 1), off_bit) + e.append(ExprAff(d, ExprOp('^', d, m))) + return e def bts(info, a, b): e= [] - c= ExprOp('&', b, ExprInt_from(a, b.get_size() - 1)) - d= ExprOp('>>', a, c) - m= ExprOp('<<', ExprInt_from(a, 1), b) - e.append(ExprAff(cf, ExprOp('&', d, ExprInt_from(a, 1)))) - e.append(ExprAff(a, ExprOp('|', a, m))) + d, off_bit = bittest_get(a, b) + e.append(ExprAff(cf, ExprOp('&', + ExprOp(">>", d, off_bit), + ExprInt_from(a, 1)))) + m = ExprOp('<<', ExprInt_from(a, 1), off_bit) + e.append(ExprAff(d, ExprOp('|', d, m))) + return e def btr(info, a, b): e= [] - c= ExprOp('&', b, ExprInt_from(a, b.get_size() - 1)) - d= ExprOp('>>', a, c) - m= ~ExprOp('<<', ExprInt_from(a, 1), b) - e.append(ExprAff(cf, ExprOp('&', d, ExprInt_from(a, 1)))) - e.append(ExprAff(a, ExprOp('&', a, m))) + d, off_bit = 
bittest_get(a, b) + e.append(ExprAff(cf, ExprOp('&', + ExprOp(">>", d, off_bit), + ExprInt_from(a, 1)))) + m = ~ExprOp('<<', ExprInt_from(a, 1), off_bit) + e.append(ExprAff(d, ExprOp('&', d, m))) + return e @@ -2325,6 +2377,14 @@ def l_str(info, a): e.append(ExprAff(a, ExprOp('load_tr_segment_selector', ExprInt32(0)))) return e +def movd(info, a, b): + e = [] + if a.get_size() == 64: + e.append(ExprAff(a, ExprCompose([(ExprInt32(0), 32, 64), (b, 0, 32)]))) + else: + e.append(ExprAff(a, b[0:32])) + return e + mnemo_func = {'mov': mov, 'xchg': xchg, 'movzx': movzx, @@ -2504,6 +2564,9 @@ mnemo_func = {'mov': mov, 'cmovge':cmovge, 'cmovnl':cmovge, 'cmovl':cmovl, + 'cmova':cmova, + 'cmovae':cmovae, + 'cmovbe':cmovbe, 'cmovnge':cmovl, 'cmovle':cmovle, 'cmovng':cmovle, @@ -2542,6 +2605,7 @@ mnemo_func = {'mov': mov, "fclex":fclex, "fnclex":fnclex, "str":l_str, + "movd":movd, } @@ -2615,6 +2679,15 @@ class ia32_rexpr: r_cr6 = cr6 r_cr7 = cr7 + r_mm0 = mm0 + r_mm1 = mm1 + r_mm2 = mm2 + r_mm3 = mm3 + r_mm4 = mm4 + r_mm5 = mm5 + r_mm6 = mm6 + r_mm7 = mm7 + r_ax = r_eax[:16] r_cx = r_ecx[:16] r_dx = r_edx[:16] @@ -2653,6 +2726,8 @@ class ia32_rexpr: reg_listdr=[r_dr0, r_dr1, r_dr2, r_dr3, r_dr4, r_dr5, r_dr6, r_dr7] reg_listcr=[r_cr0, r_cr1, r_cr2, r_cr3, r_cr4, r_cr5, r_cr6, r_cr7] + reg_mmx= [r_mm0, r_mm1, r_mm2, r_mm3, r_mm4, r_mm5, r_mm6, r_mm7] + reg_flt = [float_st0, float_st1, float_st2, float_st3, float_st4, float_st5, float_st6, float_st7] reg_dict = {} @@ -2708,6 +2783,9 @@ def dict_to_Expr(d, modifs = {}, opmode = u32, admode = u32, segm_to_do = set()) if modifs[sd] is not None: t = tab32[size] n&=7 + if modifs[mm] and n>0x7: + t = ia32_rexpr.reg_mmx + n&=7 out = t[n] elif is_imm(d): diff --git a/miasm/tools/emul_lib/libcodenat.c b/miasm/tools/emul_lib/libcodenat.c index e1cd54f5..2030c66a 100644 --- a/miasm/tools/emul_lib/libcodenat.c +++ b/miasm/tools/emul_lib/libcodenat.c 
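Review bot: The `else` branch of bittest_get dereferences `a.arg` and `a.size`, so a bit base that is neither an ExprId nor an ExprMem (an ExprSlice, for instance) fails with an AttributeError from inside the helper instead of a clear message; an explicit `if not isinstance(a, ExprMem): raise ValueError('bittest_get: unsupported bit base %r' % a)` at the top of that branch would name the problem. `off_bit` is computed identically in both branches and can be hoisted above the `if`. The memory path derives the byte offset with a logical `>>` on `b`, so a negative register offset (which the bit-test instructions accept for memory bit bases) presumably indexes far forward rather than backwards — worth confirming against the intended semantics or documenting as a limitation. bt, btc, bts and btr each repeat the same CF extraction from `d` and `off_bit`; returning it from the helper would remove the triplicated expression.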
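Review bot: The 64-bit branch of movd assumes the source `b` is exactly 32 bits wide — ExprCompose places `b` at bits 0..32 and zero-fills 32..64 — yet nothing checks or documents that, and the 32-bit branch silently truncates a wider `b` with `b[0:32]`. A docstring would make the contract explicit: `"""MOVD: 32-bit move between a GPR/memory operand and a 64-bit MMX register; the upper 32 bits of a 64-bit destination are zeroed."""`. Whether ExprCompose rejects a size mismatch itself I cannot tell from this hunk, so an explicit size check on `b` may also be warranted.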
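Review bot: The three new mnemo_func entries register only the canonical spellings, while the surrounding table also maps assembler aliases (`'cmovnl':cmovge`, `'cmovnge':cmovl`, `'cmovng':cmovle`), so `cmovnbe`, `cmovnb`/`cmovnc` and `cmovna` would still miss the table. For consistency add `'cmovnbe':cmova,`, `'cmovnb':cmovae, 'cmovnc':cmovae,` and `'cmovna':cmovbe,` next to the new lines. Whether the disassembler ever emits those spellings is not visible here, but the existing alias entries suggest it does.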
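Review bot: The new branch in dict_to_Expr indexes `modifs[mm]` directly, so a modifs dict that lacks that key raises KeyError; the preceding `modifs[sd]` lookup has the same shape, but given the `modifs = {}` default in the signature, `modifs.get(mm)` is the safer form unless every caller is known to populate the key. The branch also relies on register number `n` being above 7 to mean "MMX register", which is not obvious from the code; a comment such as `# decoder numbers mm registers 8..15; fold back to 0..7 (confirm against the decoder)` would help. dict_to_Expr continues outside the hunk.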
@@ -781,11 +781,26 @@ int rcl_rez_op(unsigned int size, unsigned int a, unsigned int b, unsigned int c { uint64_t tmp; - tmp = (cf << size) | a; size++; b %= size; + if (b == 0) { + switch(size){ + case 8+1: + return a&0xff; + case 16+1: + return a&0xffff; + case 32+1: + return a&0xffffffff; + default: + fprintf(stderr, "inv size in rclleft %d\n", size); + exit(0); + } + } + + tmp = (a<<1) | cf; + b -=1; switch(size){ case 8+1: tmp = (tmp << b) | ((tmp&0x1FF) >> (size-b)); @@ -1567,7 +1582,6 @@ void _vm_init_regs() } - unsigned int _get_memory_page_max_address_py(void) { unsigned int ret; diff --git a/miasm/tools/emul_lib/libcodenat.h b/miasm/tools/emul_lib/libcodenat.h index 5e9a3b60..b7c0360b 100644 --- a/miasm/tools/emul_lib/libcodenat.h +++ b/miasm/tools/emul_lib/libcodenat.h @@ -236,6 +236,25 @@ typedef struct { uint64_t pfmem64_6; uint64_t pfmem64_7; + + uint64_t mm0; + uint64_t mm1; + uint64_t mm2; + uint64_t mm3; + uint64_t mm4; + uint64_t mm5; + uint64_t mm6; + uint64_t mm7; + + uint64_t mm0_new; + uint64_t mm1_new; + uint64_t mm2_new; + uint64_t mm3_new; + uint64_t mm4_new; + uint64_t mm5_new; + uint64_t mm6_new; + uint64_t mm7_new; + uint32_t segm_base[0x10000]; }vm_cpu_t; diff --git a/miasm/tools/seh_helper.py b/miasm/tools/seh_helper.py index 25fb44ec..2ca499f2 100644 --- a/miasm/tools/seh_helper.py +++ b/miasm/tools/seh_helper.py @@ -297,10 +297,12 @@ def create_modules_chain(modules_name): bpath = fname.replace('/', '\\') bname = os.path.split(fname)[1].lower() bname = "\x00".join(bname)+"\x00" - print "add module", repr(bname), repr(bpath) + #print "add module", repr(bname), repr(bpath) #print hex(InInitializationOrderModuleList_address+i*0x1000) if e == None: e = pe_init.PE(open(fname, 'rb').read()) + print "add module", hex(e.NThdr.ImageBase), repr(bname) + modules_info[bname] = addr, e m_o = "" 
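Review bot: `tmp = (a<<1) | cf;` shifts `a` as a 32-bit `unsigned int` before it is widened to the 64-bit `tmp`, so for the 32-bit operand size (`case 32+1`) bit 31 of `a` is discarded before the rotate; it should read `tmp = ((uint64_t)a << 1) | cf;`. The new early-return path terminates the process with `exit(0)` on an invalid size, which reports success to the caller's shell despite the error it prints; `exit(1)` (or `abort()`) matches the message. The per-size rotate that follows lies outside the hunk.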
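Review bot: The added `modules_info[bname] = addr, e` in create_modules_chain writes to a name that is not defined in this hunk, so it is presumably a module-level dict — a side effect that callers cannot see from the function's signature; a comment where `modules_info` is defined, or returning it, would make that explicit. The key is the NUL-interleaved lowercased basename, so two modules that share a file name overwrite each other without notice. create_modules_chain starts and ends outside the hunk.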
@@ -361,7 +363,7 @@ def fix_InLoadOrderModuleList(module_info): e, bname, addr = olist[i] p_e, p_bname, p_addr = olist[(i-1)%len(olist)] n_e, n_bname, n_addr = olist[(i+1)%len(olist)] - vm_set_mem(addr+0, pdw(p_addr)+pdw(n_addr)) + vm_set_mem(addr+0, pdw(n_addr)+pdw(p_addr)) @@ -478,11 +480,12 @@ def build_fake_InLoadOrderModuleList(modules_name): fname, e = m, None bname = os.path.split(fname)[1].lower() bname = "\x00".join(bname)+"\x00" - print "add module", repr(bname) print hex(InLoadOrderModuleList_address+i*0x1000) if e == None: e = pe_init.PE(open(fname, 'rb').read()) + print "add module", hex(e.NThdr.ImageBase), repr(bname) + next_ad = InLoadOrderModuleList_address + (i+1)*0x1000 if i == len(modules_name) -1: next_ad = InLoadOrderModuleList_address diff --git a/miasm/tools/win_api.py b/miasm/tools/win_api.py index 741f1c7f..8eb62e95 100644 --- a/miasm/tools/win_api.py +++ b/miasm/tools/win_api.py @@ -1171,7 +1171,7 @@ def kernel32_GetCommandLineA(): print whoami(), hex(ret_ad) s = winobjs.module_path - + s = '"%s"'%s alloc_addr = get_next_alloc_addr(0x1000) vm_add_memory_page(alloc_addr, PAGE_READ|PAGE_WRITE, s) @@ -1963,6 +1963,7 @@ def my_GetEnvironmentVariable(funcname, get_str, set_str, mylen): s = get_str(lpname) if get_str == get_str_unic: s = s[::2] + print 'variable', repr(s) if s in winobjs.env_variables: v = set_str(winobjs.env_variables[s]) else: |
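Review bot: The corrected `vm_set_mem(addr+0, pdw(n_addr)+pdw(p_addr))` encodes a LIST_ENTRY, but the hunk leaves no trace of why next comes before previous, which is exactly how the operands got swapped in the first place. Suggested comment on the line above: `# LIST_ENTRY layout: Flink (next) at +0, Blink (prev) at +4`. fix_InLoadOrderModuleList starts outside the hunk.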
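Review bot: The new `print 'variable', repr(s)` in my_GetEnvironmentVariable is an unconditional debug print in a helper that, judging by its `get_str`/`set_str` parameters, serves both the ANSI and wide variants, so every emulated GetEnvironmentVariable call will now write to stdout. If it is meant to stay, gate it on the verbosity mechanism the module already uses or route it through the logging module; otherwise drop it before merging. The enclosing function starts outside the hunk.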