| -rw-r--r-- | example/asm_msp430_sc.py | 54 | ||||
| -rw-r--r-- | example/test_jit_msp430.py | 71 | ||||
| -rw-r--r-- | example/unpack_upx.py | 10 | ||||
| -rw-r--r-- | miasm2/analysis/machine.py | 10 | ||||
| -rw-r--r-- | miasm2/arch/arm/jit.py | 71 | ||||
| -rw-r--r-- | miasm2/arch/arm/regs.py | 8 | ||||
| -rw-r--r-- | miasm2/arch/arm/sem.py | 2 | ||||
| -rw-r--r-- | miasm2/arch/msp430/arch.py | 6 | ||||
| -rw-r--r-- | miasm2/arch/msp430/jit.py | 43 | ||||
| -rw-r--r-- | miasm2/arch/x86/jit.py | 166 | ||||
| -rw-r--r-- | miasm2/core/utils.py | 4 | ||||
| -rw-r--r-- | miasm2/jitter/jitload.py | 247 | ||||
| -rw-r--r-- | test/jitter/os_dep/win_api_x86_32.py | 7 | ||||
| -rw-r--r-- | test/test_all.py | 3 |
14 files changed, 436 insertions, 266 deletions
diff --git a/example/asm_msp430_sc.py b/example/asm_msp430_sc.py
new file mode 100644
index 00000000..5dee56fb
--- /dev/null
+++ b/example/asm_msp430_sc.py
@@ -0,0 +1,54 @@
+#! /usr/bin/env python
+
+from miasm2.core.cpu import parse_ast
+from miasm2.arch.msp430.arch import mn_msp430, base_expr, variable
+from miasm2.core.bin_stream import bin_stream
+from miasm2.core import parse_asm
+from miasm2.expression.expression import *
+from elfesteem.strpatchwork import StrPatchwork
+
+from pdb import pm
+from miasm2.core import asmbloc
+import struct
+
+reg_and_id = dict(mn_msp430.regs.all_regs_ids_byname)
+
+
+def my_ast_int2expr(a):
+ return ExprInt32(a)
+
+
+def my_ast_id2expr(t):
+ return reg_and_id.get(t, ExprId(t, size=32))
+
+my_var_parser = parse_ast(my_ast_id2expr, my_ast_int2expr)
+base_expr.setParseAction(my_var_parser)
+
+
+st = StrPatchwork()
+
+blocs, symbol_pool = parse_asm.parse_txt(mn_msp430, None, '''
+main:
+ mov.w 0x10, R10
+ mov.w 0x0, R11
+loop:
+ add.w 1, R11
+ sub.w 1, R10
+ jnz loop
+ mov.w @SP+, PC
+''')
+
+# fix shellcode addr
+symbol_pool.set_offset(symbol_pool.getby_name("main"), 0)
+
+for b in blocs[0]:
+ print b
+
+resolved_b, patches = asmbloc.asm_resolve_final(
+ mn_msp430, None, blocs[0], symbol_pool)
+print patches
+
+for offset, raw in patches.items():
+ st[offset] = raw
+
+open('msp430_sc.bin', 'wb').write(str(st))
diff --git a/example/test_jit_msp430.py b/example/test_jit_msp430.py
new file mode 100644
index 00000000..d725951a
--- /dev/null
+++ b/example/test_jit_msp430.py
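Review bot: The AST callbacks build 32-bit expressions for a 16-bit target: `my_ast_int2expr` returns `ExprInt32(a)` and `my_ast_id2expr` falls back to `ExprId(t, size=32)`, while the same commit hard-codes 16 in `get_symbol_size` and `fixDstOffset` of miasm2/arch/msp430/arch.py. Unless the msp430 parser narrows them later (not visible here), immediates and unresolved symbols would reach the encoder at the wrong width; `return ExprInt_fromsize(16, a)` and `ExprId(t, size=16)` match the register width used elsewhere. The output file is written through an unclosed handle, `with open('msp430_sc.bin', 'wb') as fdesc: fdesc.write(str(st))` is the safe form, and `pm`, `bin_stream`, `variable` and `struct` are imported but never used.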
@@ -0,0 +1,71 @@
+#!/usr/bin/env python
+#-*- coding:utf-8 -*-
+from argparse import ArgumentParser
+from miasm2.analysis import debugging, gdbserver
+from miasm2.jitter.csts import *
+
+from miasm2.jitter.jitload import vm_load_elf, libimp, preload_elf
+from miasm2.analysis.machine import Machine
+
+parser = ArgumentParser(
+ description="""Sandbox raw binary with msp430 engine
+(ex: test_jit_msp430.py example/msp430_sc.bin 0)""")
+parser.add_argument("-r", "--log-regs",
+ help="Log registers value for each instruction",
+ action="store_true")
+parser.add_argument("-m", "--log-mn",
+ help="Log desassembly conversion for each instruction",
+ action="store_true")
+parser.add_argument("-n", "--log-newbloc",
+ help="Log basic blocks processed by the Jitter",
+ action="store_true")
+parser.add_argument("-j", "--jitter",
+ help="Jitter engine. Possible values are : tcc (default), llvm",
+ default="tcc")
+parser.add_argument("-d", "--debugging",
+ help="Attach a CLI debugguer to the sandboxed programm",
+ action="store_true")
+parser.add_argument("binary",
+ help="binary to run")
+parser.add_argument("addr",
+ help="start exec on addr")
+
+machine = Machine("msp430")
+
+def jit_msp430_binary(args):
+ filepath, entryp = args.binary, int(args.addr, 16)
+ myjit = machine.jitter(jit_type = args.jitter)
+ myjit.init_stack()
+
+ # Log level (if available with jitter engine)
+ myjit.jit.log_regs = args.log_regs
+ myjit.jit.log_mn = args.log_mn
+ myjit.jit.log_newbloc = args.log_newbloc
+
+ myjit.vm.vm_add_memory_page(0, PAGE_READ | PAGE_WRITE, open(filepath).read())
+ myjit.add_breakpoint(0x1337, lambda _: exit(0))
+
+
+ # for stack
+ myjit.vm.vm_add_memory_page(0xF000, PAGE_READ | PAGE_WRITE, "\x00"*0x1000)
+
+ myjit.cpu.SP = 0xF800
+
+ myjit.vm_push_uint16_t(0x1337)
+ myjit.init_run(entryp)
+
+
+
+ # Handle debugging
+ if args.debugging is True:
+ dbg = debugging.Debugguer(myjit)
+ cmd = debugging.DebugCmd(dbg)
+ cmd.cmdloop()
+
+ else:
+ print(myjit.continue_run())
+
+if 
__name__ == '__main__': + from sys import stderr + args = parser.parse_args() + jit_msp430_binary(args) diff --git a/example/unpack_upx.py b/example/unpack_upx.py index 14eac9ef..05e3f4b7 100644 --- a/example/unpack_upx.py +++ b/example/unpack_upx.py @@ -10,13 +10,12 @@ from elfesteem import * from elfesteem.strpatchwork import StrPatchwork from miasm2.core import asmbloc -from miasm2.arch.x86.arch import mn_x86 -from miasm2.arch.x86.disasm import dis_x86_32 -from miasm2.jitter.jitload import jitter_x86_32, vm_load_pe, preload_pe, libimp +from miasm2.jitter.jitload import vm_load_pe, preload_pe, libimp from miasm2.jitter.jitload import bin_stream_vm from miasm2.jitter.csts import * from miasm2.jitter.os_dep import win_api_x86_32 +from miasm2.analysis.machine import Machine # Debug settings # from pdb import pm @@ -56,7 +55,8 @@ else: logging.basicConfig(level=logging.WARNING) # Init arch -myjit = jitter_x86_32(jit_type=args.jitter) +machine = Machine("x86_32") +myjit = machine.jitter(args.jitter) myjit.init_stack() # Log level (if available with jitter engine) @@ -74,7 +74,7 @@ if args.verbose is True: ep = e.rva2virt(e.Opthdr.AddressOfEntryPoint) # Ensure there is one and only one leave (for OEP discovering) -mdis = dis_x86_32(myjit.bs) +mdis = machine.dis_engine(myjit.bs) mdis.dont_dis_nulstart_bloc = True ab = mdis.dis_multibloc(ep) diff --git a/miasm2/analysis/machine.py b/miasm2/analysis/machine.py index 2fd88fda..55d7668c 100644 --- a/miasm2/analysis/machine.py +++ b/miasm2/analysis/machine.py @@ -28,7 +28,7 @@ class Machine(object): from miasm2.arch.arm.disasm import dis_arm as dis_engine from miasm2.arch.arm.arch import mn_arm as mn from miasm2.arch.arm.ira import ir_a_arm as ira - from miasm2.jitter.jitload import jitter_arm as jitter + from miasm2.arch.arm.jit import jitter_arm as jitter elif machine_name == "armt": from miasm2.arch.arm.disasm import dis_armt as dis_engine from miasm2.arch.arm.arch import mn_armt as mn 
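Review bot: The target image is mapped with `open(filepath).read()` — text mode, handle never closed — at address 0 with no size check, directly below the stack page at 0xF000 and the end-of-run breakpoint at 0x1337, so an input that is larger than 0x1337 bytes has the sentinel breakpoint inside its own code and one larger than 0xF000 bytes collides with the stack page (whether `vm_add_memory_page` rejects overlaps is not visible here). Read it as `with open(filepath, 'rb') as fdesc: data = fdesc.read()` and refuse `len(data) > 0x1337` before mapping, or pick a sentinel address above the image. `lambda _: exit(0)` depends on the `site`-injected builtin; `sys.exit(0)` is the portable form, and `from sys import stderr` plus `vm_load_elf, libimp, preload_elf` are imported but unused. Help strings also carry the typos `desassembly`, `debugguer` and `programm`.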
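Review bot: `myjit = machine.jitter(args.jitter)` passes the engine name positionally, while the line it replaces used `jit_type=args.jitter` and the new example/test_jit_msp430.py in this same commit also passes `jit_type=`. The x86 constructor forwards `*args` to `jitter.__init__` after the IR object, so unless `jit_type` is its next positional parameter the engine name silently lands in the wrong argument; `myjit = machine.jitter(jit_type=args.jitter)` keeps the previous behaviour regardless. The rest of the script lies outside the hunk.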
@@ -41,23 +41,23 @@ class Machine(object):
 from miasm2.arch.x86.disasm import dis_x86_16 as dis_engine
 from miasm2.arch.x86.arch import mn_x86 as mn
 from miasm2.arch.x86.ira import ir_a_x86_16 as ira
- from miasm2.jitter.jitload import jitter_x86_16 as jitter
+ from miasm2.arch.x86.jit import jitter_x86_16 as jitter
 elif machine_name == "x86_32":
 from miasm2.arch.x86.disasm import dis_x86_32 as dis_engine
 from miasm2.arch.x86.arch import mn_x86 as mn
 from miasm2.arch.x86.ira import ir_a_x86_32 as ira
- from miasm2.jitter.jitload import jitter_x86_32 as jitter
+ from miasm2.arch.x86.jit import jitter_x86_32 as jitter
 from miasm2.analysis.gdbserver import GdbServer_x86_32 as gdbserver
 elif machine_name == "x86_64":
 from miasm2.arch.x86.disasm import dis_x86_64 as dis_engine
 from miasm2.arch.x86.arch import mn_x86 as mn
 from miasm2.arch.x86.ira import ir_a_x86_64 as ira
- from miasm2.jitter.jitload import jitter_x86_64 as jitter
+ from miasm2.arch.x86.jit import jitter_x86_64 as jitter
 elif machine_name == "msp430":
 from miasm2.arch.msp430.disasm import dis_msp430 as dis_engine
 from miasm2.arch.msp430.arch import mn_msp430 as mn
 from miasm2.arch.msp430.ira import ir_a_msp430 as ira
- from miasm2.jitter.jitload import jitter_msp430 as jitter
+ from miasm2.arch.msp430.jit import jitter_msp430 as jitter
 from miasm2.analysis.gdbserver import GdbServer_msp430 as gdbserver
 elif machine_name == "mips32b":
 from miasm2.arch.mips32.disasm import dis_mips32b as dis_engine
diff --git a/miasm2/arch/arm/jit.py b/miasm2/arch/arm/jit.py
new file mode 100644
index 00000000..d491671c
--- /dev/null
+++ b/miasm2/arch/arm/jit.py
@@ -0,0 +1,71 @@ +from miasm2.jitter.jitload import jitter +from miasm2.core import asmbloc +from miasm2.core.utils import * +from miasm2.arch.arm.sem import ir_arm + +import logging + +log = logging.getLogger('jit_arm') +hnd = logging.StreamHandler() +hnd.setFormatter(logging.Formatter("[%(levelname)s]: %(message)s")) +log.addHandler(hnd) +log.setLevel(logging.CRITICAL) + +class jitter_arm(jitter): + + def __init__(self, *args, **kwargs): + sp = asmbloc.asm_symbol_pool() + jitter.__init__(self, ir_arm(sp), *args, **kwargs) + self.my_ir.jit_pc = self.my_ir.arch.regs.PC + + def vm_push_uint32_t(self, v): + self.cpu.SP -= 4 + self.vm.vm_set_mem(self.cpu.SP, pck32(v)) + + def vm_pop_uint32_t(self): + x = upck32(self.vm.vm_get_mem(self.cpu.SP, 4)) + self.cpu.SP += 4 + return x + + def get_stack_arg(self, n): + x = upck32(self.vm.vm_get_mem(self.cpu.SP + 4 * n, 4)) + return x + + # calling conventions + + def func_args_stdcall(self, n_args): + args = [] + for i in xrange(min(n_args, 4)): + args.append(self.cpu.vm_get_gpreg()['R%d' % i]) + for i in xrange(max(0, n_args - 4)): + args.append(self.get_stack_arg(i)) + + ret_ad = self.cpu.LR + log.debug('%s %s %s' % (whoami(), hex(ret_ad), [hex(x) for x in args])) + return ret_ad, args + + def func_ret_stdcall(self, ret_addr, ret_value=None): + self.pc = self.cpu.PC = ret_addr + if ret_value is not None: + self.cpu.R0 = ret_value + return True + + def get_arg_n_stdcall(self, n): + if n < 4: + arg = self.cpu.vm_get_gpreg()['R%d' % n] + else: + arg = self.get_stack_arg(n-4) + return arg + + def add_lib_handler(self, libs): + from miasm2.jitter.os_dep import linux_stdlib + for offset, fname in libs.fad2cname.iteritems(): + if fname in linux_stdlib.__dict__: + self.add_breakpoint(offset, linux_stdlib.__dict__[fname]) + else: + log.warning( + 'jitter libhandler: %s function not found!' % fname) + + def init_run(self, *args, **kwargs): + jitter.init_run(self, *args, **kwargs) + self.cpu.PC = self.pc 
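Review bot: `add_lib_handler` resolves each import name of the analyzed binary with `linux_stdlib.__dict__[fname]` and registers whatever object it finds as the breakpoint callback, so any module-level attribute of linux_stdlib — imported modules, loggers, constants — becomes a "handler" as soon as a hostile binary imports a symbol of that name; in a sandbox the import table is attacker-controlled input. Restrict the lookup to real handler functions, e.g. `handler = getattr(linux_stdlib, fname, None)` followed by `if inspect.isfunction(handler) and handler.__module__ == linux_stdlib.__name__:` before `self.add_breakpoint(offset, handler)` (needs `import inspect`). `func_args_stdcall` formats `log.debug('%s %s %s' % (whoami(), ...))` eagerly, so the `inspect.stack()` walk inside `whoami()` runs on every emulated call even at the default CRITICAL level; wrap it in `if log.isEnabledFor(logging.DEBUG):`.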
diff --git a/miasm2/arch/arm/regs.py b/miasm2/arch/arm/regs.py index 2787605a..29b2c805 100644 --- a/miasm2/arch/arm/regs.py +++ b/miasm2/arch/arm/regs.py @@ -9,6 +9,8 @@ from miasm2.expression.expression import * regs32_str = ["R%d" % i for i in xrange(13)] + ["SP", "LR", "PC"] regs32_expr = [ExprId(x, 32) for x in regs32_str] +exception_flags = ExprId('exception_flags', 32) + R0 = regs32_expr[0] R1 = regs32_expr[1] @@ -63,7 +65,8 @@ cf_init = ExprId("cf_init", size=1) all_regs_ids = [ R0, R1, R2, R3, R4, R5, R6, R7, R8, R9, R10, R11, R12, SP, LR, PC, - zf, nf, of, cf + zf, nf, of, cf, + exception_flags ] all_regs_ids_no_alias = all_regs_ids @@ -74,7 +77,8 @@ all_regs_ids_init = [R0_init, R1_init, R2_init, R3_init, R4_init, R5_init, R6_init, R7_init, R8_init, R9_init, R10_init, R11_init, R12_init, SP_init, LR_init, PC_init, - zf_init, nf_init, of_init, cf_init + zf_init, nf_init, of_init, cf_init, + ExprInt32(0) ] regs_init = {} diff --git a/miasm2/arch/arm/sem.py b/miasm2/arch/arm/sem.py index 498017c9..c2ce1b55 100644 --- a/miasm2/arch/arm/sem.py +++ b/miasm2/arch/arm/sem.py @@ -701,7 +701,7 @@ def stmdb(ir, instr, a, b): def svc(ir, instr, a): # XXX TODO implement e = [ - ExprAff(ExprId('vmmngr.exception_flags'), ExprInt32(EXCEPT_PRIV_INSN))] + ExprAff(ExprId(exception_flags), ExprInt32(EXCEPT_PRIV_INSN))] return None, e diff --git a/miasm2/arch/msp430/arch.py b/miasm2/arch/msp430/arch.py index 0e3b4acd..34993ebc 100644 --- a/miasm2/arch/msp430/arch.py +++ b/miasm2/arch/msp430/arch.py @@ -179,7 +179,7 @@ class instruction_msp430(instruction): return [self.args[0]] def get_symbol_size(self, symbol, symbol_pool): - return self.mode + return 16 def fixDstOffset(self): e = self.args[0] 
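Review bot: `ExprAff(ExprId(exception_flags), ExprInt32(EXCEPT_PRIV_INSN))` in `svc` wraps the `exception_flags` ExprId that regs.py now defines inside another `ExprId`, so the destination's name is an expression object rather than the string `'exception_flags'` and is unlikely to match the register the jitter maps to the VM's exception flags; the assignment should be `ExprAff(exception_flags, ExprInt32(EXCEPT_PRIV_INSN))`. This assumes sem.py imports `exception_flags` from regs (the import is outside the hunk). The body is still marked `XXX TODO implement`, so raising the privileged-instruction exception is the only effect of `svc` for now.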
@@ -190,7 +190,7 @@ class instruction_msp430(instruction): log.warning('dynamic dst %r' % e) return # return ExprInt32(e.arg - (self.offset + self.l)) - self.args[0] = ExprInt_fromsize(self.mode, e.arg) + self.args[0] = ExprInt_fromsize(16, e.arg - (self.offset + self.l)) def get_info(self, c): pass @@ -202,7 +202,6 @@ class instruction_msp430(instruction): def get_args_expr(self): args = [] for a in self.args: - # a = a.replace_expr(replace_regs[self.mode]) args.append(a) return args @@ -584,3 +583,4 @@ offimm = bs(l=10, cls=(msp430_offs,), fname="offs") bs_f2_jcc = bs_name(l=3, name={'jnz': 0, 'jz': 1, 'jnc': 2, 'jc': 3, 'jn': 4, 'jge': 5, 'jl': 6, 'jmp': 7}) addop("f2_3", [bs('001'), bs_f2_jcc, offimm]) + diff --git a/miasm2/arch/msp430/jit.py b/miasm2/arch/msp430/jit.py new file mode 100644 index 00000000..0a39be06 --- /dev/null +++ b/miasm2/arch/msp430/jit.py 
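Review bot: `fixDstOffset` now stores the relative displacement `e.arg - (self.offset + self.l)` as a 16-bit value, but the conditional-jump encoding `offimm` is a 10-bit field (`bs(l=10, cls=(msp430_offs,), ...)` in the last hunk) and nothing here checks that the target fits before assembly; an out-of-range `jnz`/`jmp` would presumably be truncated silently rather than rejected. Add a range check, e.g. `if not -0x400 <= (e.arg - (self.offset + self.l)) // 2 < 0x400: raise ValueError('jump target out of range')`, assuming `msp430_offs` encodes signed word offsets as the ISA does — confirm against the encoder. `get_symbol_size` returning `16` instead of `self.mode` hard-codes the width; a one-line comment saying MSP430 is fixed at 16-bit would explain why `mode` is ignored. Both methods continue outside the hunks.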
@@ -0,0 +1,43 @@ +from miasm2.jitter.jitload import jitter +from miasm2.core import asmbloc +from miasm2.core.utils import * +from miasm2.arch.arm.sem import ir_arm + +import logging + +log = logging.getLogger('jit_msp430') +hnd = logging.StreamHandler() +hnd.setFormatter(logging.Formatter("[%(levelname)s]: %(message)s")) +log.addHandler(hnd) +log.setLevel(logging.CRITICAL) + +class jitter_msp430(jitter): + + def __init__(self, *args, **kwargs): + from miasm2.arch.msp430.sem import ir_msp430 + sp = asmbloc.asm_symbol_pool() + jitter.__init__(self, ir_msp430(sp), *args, **kwargs) + self.my_ir.jit_pc = self.my_ir.arch.regs.PC + + def vm_push_uint16_t(self, v): + regs = self.cpu.vm_get_gpreg() + regs['SP'] -= 2 + self.cpu.vm_set_gpreg(regs) + self.vm.vm_set_mem(regs['SP'], pck16(v)) + + def vm_pop_uint16_t(self): + regs = self.cpu.vm_get_gpreg() + x = upck16(self.vm.vm_get_mem(regs['SP'], 2)) + regs['SP'] += 2 + self.cpu.vm_set_gpreg(regs) + return x + + def get_stack_arg(self, n): + regs = self.cpu.vm_get_gpreg() + x = upck16(self.vm.vm_get_mem(regs['SP'] + 2 * n, 2)) + return x + + def init_run(self, *args, **kwargs): + jitter.init_run(self, *args, **kwargs) + self.cpu.PC = self.pc + diff --git a/miasm2/arch/x86/jit.py b/miasm2/arch/x86/jit.py new file mode 100644 index 00000000..a365502f --- /dev/null +++ b/miasm2/arch/x86/jit.py 
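Review bot: `from miasm2.arch.arm.sem import ir_arm` at the top of miasm2/arch/msp430/jit.py is a copy-paste leftover from arm/jit.py: `ir_arm` is never used (the constructor imports `ir_msp430` locally) and it makes the MSP430 jitter pull in the whole ARM semantics module. Drop it and hoist `from miasm2.arch.msp430.sem import ir_msp430` to module level as x86/jit.py does, unless a circular import forces the local one. `vm_push_uint16_t` and `vm_pop_uint16_t` round-trip the whole register file through `vm_get_gpreg()`/`vm_set_gpreg()` for a single SP update, whereas the ARM and x86 jitters assign `self.cpu.SP` directly; if the msp430 cpu object exposes SP as an attribute the same one-liners would do.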
@@ -0,0 +1,166 @@ +from miasm2.jitter.jitload import jitter +from miasm2.core import asmbloc +from miasm2.core.utils import * +from miasm2.arch.x86.sem import ir_x86_16, ir_x86_32, ir_x86_64 + + +import logging + +log = logging.getLogger('jit_x86') +hnd = logging.StreamHandler() +hnd.setFormatter(logging.Formatter("[%(levelname)s]: %(message)s")) +log.addHandler(hnd) +log.setLevel(logging.CRITICAL) + +class jitter_x86_16(jitter): + + def __init__(self, *args, **kwargs): + sp = asmbloc.asm_symbol_pool() + jitter.__init__(self, ir_x86_16(sp), *args, **kwargs) + self.my_ir.jit_pc = self.my_ir.arch.regs.RIP + self.my_ir.do_stk_segm = False + self.orig_irbloc_fix_regs_for_mode = self.my_ir.irbloc_fix_regs_for_mode + self.my_ir.irbloc_fix_regs_for_mode = self.my_irbloc_fix_regs_for_mode + + def my_irbloc_fix_regs_for_mode(self, irbloc, attrib=64): + self.orig_irbloc_fix_regs_for_mode(irbloc, 64) + + def vm_push_uint16_t(self, v): + self.cpu.SP -= self.my_ir.sp.size / 8 + self.vm.vm_set_mem(self.cpu.SP, pck16(v)) + + def vm_pop_uint16_t(self): + x = upck16(self.vm.vm_get_mem(self.cpu.SP, self.my_ir.sp.size / 8)) + self.cpu.SP += self.my_ir.sp.size / 8 + return x + + def get_stack_arg(self, n): + x = upck16(self.vm.vm_get_mem(self.cpu.SP + 4 * n, 4)) + return x + + def init_run(self, *args, **kwargs): + jitter.init_run(self, *args, **kwargs) + self.cpu.IP = self.pc + + +class jitter_x86_32(jitter): + + def __init__(self, *args, **kwargs): + sp = asmbloc.asm_symbol_pool() + jitter.__init__(self, ir_x86_32(sp), *args, **kwargs) + self.my_ir.jit_pc = self.my_ir.arch.regs.RIP + self.my_ir.do_stk_segm = False + + self.orig_irbloc_fix_regs_for_mode = self.my_ir.irbloc_fix_regs_for_mode + self.my_ir.irbloc_fix_regs_for_mode = self.my_irbloc_fix_regs_for_mode + + def my_irbloc_fix_regs_for_mode(self, irbloc, attrib=64): + self.orig_irbloc_fix_regs_for_mode(irbloc, 64) + + def vm_push_uint32_t(self, v): + self.cpu.ESP -= self.my_ir.sp.size / 8 + self.vm.vm_set_mem(self.cpu.ESP, 
pck32(v)) + + def vm_pop_uint32_t(self): + x = upck32(self.vm.vm_get_mem(self.cpu.ESP, self.my_ir.sp.size / 8)) + self.cpu.ESP += self.my_ir.sp.size / 8 + return x + + def get_stack_arg(self, n): + x = upck32(self.vm.vm_get_mem(self.cpu.ESP + 4 * n, 4)) + return x + + # calling conventions + + # stdcall + def func_args_stdcall(self, n_args): + ret_ad = self.vm_pop_uint32_t() + args = [] + for _ in xrange(n_args): + args.append(self.vm_pop_uint32_t()) + log.debug('%s %s %s' % (whoami(), hex(ret_ad), [hex(x) for x in args])) + return ret_ad, args + + def func_ret_stdcall(self, ret_addr, ret_value1=None, ret_value2=None): + self.cpu.EIP = ret_addr + if ret_value1 is not None: + self.cpu.EAX = ret_value1 + if ret_value2 is not None: + self.cpu.EDX = ret_value + + # cdecl + def func_args_cdecl(self, n_args, dolog=True): + ret_ad = self.vm_pop_uint32_t() + args = [] + for i in xrange(n_args): + args.append(self.get_stack_arg(i)) + if dolog: + log.debug('%s %s %s' % + (whoami(), hex(ret_ad), [hex(x) for x in args])) + return ret_ad, args + + def func_ret_cdecl(self, ret_addr, ret_value): + self.cpu.EIP = ret_addr + self.cpu.EAX = ret_value + + def add_lib_handler(self, libs, user_globals=None): + """Add a function to handle libs call with breakpoints + @libs: libimp instance + @user_globals: dictionnary for defined user function + """ + if user_globals is None: + user_globals = {} + + from miasm2.jitter.os_dep import win_api_x86_32 + + def handle_lib(jitter): + fname = libs.fad2cname[jitter.pc] + if fname in user_globals: + f = user_globals[fname] + elif fname in win_api_x86_32.__dict__: + f = win_api_x86_32.__dict__[fname] + else: + log.debug('%s' % repr(fname)) + raise ValueError('unknown api', hex(jitter.vm_pop_uint32_t()), repr(fname)) + f(jitter) + jitter.pc = getattr(jitter.cpu, jitter.my_ir.pc.name) + return True + + for f_addr in libs.fad2cname: + self.add_breakpoint(f_addr, handle_lib) + + def init_run(self, *args, **kwargs): + jitter.init_run(self, *args, 
**kwargs) + self.cpu.EIP = self.pc + + +class jitter_x86_64(jitter): + + def __init__(self, *args, **kwargs): + sp = asmbloc.asm_symbol_pool() + jitter.__init__(self, ir_x86_64(sp), *args, **kwargs) + self.my_ir.jit_pc = self.my_ir.arch.regs.RIP + self.my_ir.do_stk_segm = False + + self.orig_irbloc_fix_regs_for_mode = self.my_ir.irbloc_fix_regs_for_mode + self.my_ir.irbloc_fix_regs_for_mode = self.my_irbloc_fix_regs_for_mode + + def my_irbloc_fix_regs_for_mode(self, irbloc, attrib=64): + self.orig_irbloc_fix_regs_for_mode(irbloc, 64) + + def vm_push_uint64_t(self, v): + self.cpu.RSP -= self.my_ir.sp.size / 8 + self.vm.vm_set_mem(self.cpu.RSP, pck64(v)) + + def vm_pop_uint64_t(self): + x = upck64(self.vm.vm_get_mem(self.cpu.RSP, self.my_ir.sp.size / 8)) + self.cpu.RSP += self.my_ir.sp.size / 8 + return x + + def get_stack_arg(self, n): + x = upck64(self.vm.vm_get_mem(self.cpu.RSP + 8 * n, 8)) + return x + + def init_run(self, *args, **kwargs): + jitter.init_run(self, *args, **kwargs) + self.cpu.RIP = self.pc diff --git a/miasm2/core/utils.py b/miasm2/core/utils.py index ebffd786..360deb8d 100644 --- a/miasm2/core/utils.py +++ b/miasm2/core/utils.py @@ -1,4 +1,5 @@ import struct +import inspect upck8 = lambda x: struct.unpack('B', x)[0] upck16 = lambda x: struct.unpack('H', x)[0] @@ -44,3 +45,6 @@ class keydefaultdict(collections.defaultdict): raise KeyError(key) value = self[key] = self.default_factory(key) return value + +def whoami(): + return inspect.stack()[2][3] diff --git a/miasm2/jitter/jitload.py b/miasm2/jitter/jitload.py index a7249f78..959c9d4a 100644 --- a/miasm2/jitter/jitload.py +++ b/miasm2/jitter/jitload.py 
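Review bot: `func_ret_stdcall` assigns `self.cpu.EDX = ret_value`, a name that does not exist in that scope, so any caller passing `ret_value2` gets a NameError; it should read `self.cpu.EDX = ret_value2`. `jitter_x86_16.get_stack_arg` reads 4 bytes at `SP + 4 * n` and feeds them to `upck16`, which is `struct.unpack('H', x)` in miasm2/core/utils.py and requires exactly 2 bytes, so it raises on every call; `upck16(self.vm.vm_get_mem(self.cpu.SP + 2 * n, 2))` matches the push/pop helpers beside it. In `handle_lib`, `win_api_x86_32.__dict__[fname]` is indexed by an import name taken from the analyzed binary, so any module-level attribute whose name collides with an import gets called as a handler; resolve with `getattr` and require `inspect.isfunction` plus a module check before dispatching. These defects are inherited from the code moved out of jitload.py rather than introduced here.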
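Review bot: `whoami()` calls `inspect.stack()`, which builds a full frame record (including reading source lines) for every frame on the stack, and its callers in the new jit modules invoke it unconditionally inside `log.debug('%s %s %s' % (whoami(), ...))` even at the default CRITICAL level. `return inspect.currentframe().f_back.f_back.f_code.co_name` yields the same name without the walk. Add a docstring, e.g. `"""Return the name of the function that called our caller."""`, since the `[2][3]` indexing is not self-explanatory.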
@@ -785,222 +785,6 @@ class jitter: self.vm.vm_set_mem(addr, s) -class jitter_x86_16(jitter): - - def __init__(self, *args, **kwargs): - from miasm2.arch.x86.sem import ir_x86_16 - sp = asmbloc.asm_symbol_pool() - jitter.__init__(self, ir_x86_16(sp), *args, **kwargs) - self.my_ir.jit_pc = self.my_ir.arch.regs.RIP - self.my_ir.do_stk_segm = False - self.orig_irbloc_fix_regs_for_mode = self.my_ir.irbloc_fix_regs_for_mode - self.my_ir.irbloc_fix_regs_for_mode = self.my_irbloc_fix_regs_for_mode - - def my_irbloc_fix_regs_for_mode(self, irbloc, attrib=64): - self.orig_irbloc_fix_regs_for_mode(irbloc, 64) - - def vm_push_uint16_t(self, v): - self.cpu.SP -= self.my_ir.sp.size / 8 - self.vm.vm_set_mem(self.cpu.SP, pck16(v)) - - def vm_pop_uint16_t(self): - x = upck16(self.vm.vm_get_mem(self.cpu.SP, self.my_ir.sp.size / 8)) - self.cpu.SP += self.my_ir.sp.size / 8 - return x - - def get_stack_arg(self, n): - x = upck16(self.vm.vm_get_mem(self.cpu.SP + 4 * n, 4)) - return x - - def init_run(self, *args, **kwargs): - jitter.init_run(self, *args, **kwargs) - self.cpu.IP = self.pc - - -class jitter_x86_32(jitter): - - def __init__(self, *args, **kwargs): - from miasm2.arch.x86.sem import ir_x86_32 - sp = asmbloc.asm_symbol_pool() - jitter.__init__(self, ir_x86_32(sp), *args, **kwargs) - self.my_ir.jit_pc = self.my_ir.arch.regs.RIP - self.my_ir.do_stk_segm = False - - self.orig_irbloc_fix_regs_for_mode = self.my_ir.irbloc_fix_regs_for_mode - self.my_ir.irbloc_fix_regs_for_mode = self.my_irbloc_fix_regs_for_mode - - def my_irbloc_fix_regs_for_mode(self, irbloc, attrib=64): - self.orig_irbloc_fix_regs_for_mode(irbloc, 64) - - def vm_push_uint32_t(self, v): - self.cpu.ESP -= self.my_ir.sp.size / 8 - self.vm.vm_set_mem(self.cpu.ESP, pck32(v)) - - def vm_pop_uint32_t(self): - x = upck32(self.vm.vm_get_mem(self.cpu.ESP, self.my_ir.sp.size / 8)) - self.cpu.ESP += self.my_ir.sp.size / 8 - return x - - def get_stack_arg(self, n): - x = upck32(self.vm.vm_get_mem(self.cpu.ESP + 4 * n, 4)) - 
return x - - # calling conventions - - # stdcall - def func_args_stdcall(self, n_args): - ret_ad = self.vm_pop_uint32_t() - args = [] - for _ in xrange(n_args): - args.append(self.vm_pop_uint32_t()) - log.debug('%s %s %s' % (whoami(), hex(ret_ad), [hex(x) for x in args])) - return ret_ad, args - - def func_ret_stdcall(self, ret_addr, ret_value1=None, ret_value2=None): - self.cpu.EIP = ret_addr - if ret_value1 is not None: - self.cpu.EAX = ret_value1 - if ret_value2 is not None: - self.cpu.EDX = ret_value - - # cdecl - def func_args_cdecl(self, n_args, dolog=True): - ret_ad = self.vm_pop_uint32_t() - args = [] - for i in xrange(n_args): - args.append(self.get_stack_arg(i)) - if dolog: - log.debug('%s %s %s' % - (whoami(), hex(ret_ad), [hex(x) for x in args])) - return ret_ad, args - - def func_ret_cdecl(self, ret_addr, ret_value): - self.cpu.EIP = ret_addr - self.cpu.EAX = ret_value - - def add_lib_handler(self, libs, user_globals=None): - """Add a function to handle libs call with breakpoints - @libs: libimp instance - @user_globals: dictionnary for defined user function - """ - if user_globals is None: - user_globals = {} - - from miasm2.jitter.os_dep import win_api_x86_32 - - def handle_lib(jitter): - fname = libs.fad2cname[jitter.pc] - if fname in user_globals: - f = user_globals[fname] - elif fname in win_api_x86_32.__dict__: - f = win_api_x86_32.__dict__[fname] - else: - log.debug('%s' % repr(fname)) - raise ValueError('unknown api', hex(jitter.vm_pop_uint32_t()), repr(fname)) - f(jitter) - jitter.pc = getattr(jitter.cpu, jitter.my_ir.pc.name) - return True - - for f_addr in libs.fad2cname: - self.add_breakpoint(f_addr, handle_lib) - - def init_run(self, *args, **kwargs): - jitter.init_run(self, *args, **kwargs) - self.cpu.EIP = self.pc - - -class jitter_x86_64(jitter): - - def __init__(self, *args, **kwargs): - from miasm2.arch.x86.sem import ir_x86_64 - sp = asmbloc.asm_symbol_pool() - jitter.__init__(self, ir_x86_64(sp), *args, **kwargs) - self.my_ir.jit_pc 
= self.my_ir.arch.regs.RIP - self.my_ir.do_stk_segm = False - - self.orig_irbloc_fix_regs_for_mode = self.my_ir.irbloc_fix_regs_for_mode - self.my_ir.irbloc_fix_regs_for_mode = self.my_irbloc_fix_regs_for_mode - - def my_irbloc_fix_regs_for_mode(self, irbloc, attrib=64): - self.orig_irbloc_fix_regs_for_mode(irbloc, 64) - - def vm_push_uint64_t(self, v): - self.cpu.RSP -= self.my_ir.sp.size / 8 - self.vm.vm_set_mem(self.cpu.RSP, pck64(v)) - - def vm_pop_uint64_t(self): - x = upck64(self.vm.vm_get_mem(self.cpu.RSP, self.my_ir.sp.size / 8)) - self.cpu.RSP += self.my_ir.sp.size / 8 - return x - - def get_stack_arg(self, n): - x = upck64(self.vm.vm_get_mem(self.cpu.RSP + 8 * n, 8)) - return x - - def init_run(self, *args, **kwargs): - jitter.init_run(self, *args, **kwargs) - self.cpu.RIP = self.pc - - -class jitter_arm(jitter): - - def __init__(self, *args, **kwargs): - from miasm2.arch.arm.sem import ir_arm - sp = asmbloc.asm_symbol_pool() - jitter.__init__(self, ir_arm(sp), *args, **kwargs) - self.my_ir.jit_pc = self.my_ir.arch.regs.PC - - def vm_push_uint32_t(self, v): - self.cpu.SP -= 4 - self.vm.vm_set_mem(self.cpu.SP, pck32(v)) - - def vm_pop_uint32_t(self): - x = upck32(self.vm.vm_get_mem(self.cpu.SP, 4)) - self.cpu.SP += 4 - return x - - def get_stack_arg(self, n): - x = upck32(self.vm.vm_get_mem(self.cpu.SP + 4 * n, 4)) - return x - - # calling conventions - - def func_args_stdcall(self, n_args): - args = [] - for i in xrange(min(n_args, 4)): - args.append(self.cpu.vm_get_gpreg()['R%d' % i]) - for i in xrange(max(0, n_args - 4)): - args.append(self.get_stack_arg(i)) - - ret_ad = self.cpu.LR - log.debug('%s %s %s' % (whoami(), hex(ret_ad), [hex(x) for x in args])) - return ret_ad, args - - def func_ret_stdcall(self, ret_addr, ret_value=None): - self.pc = self.cpu.PC = ret_addr - if ret_value is not None: - self.cpu.R0 = ret_value - return True - - def get_arg_n_stdcall(self, n): - if n < 4: - arg = self.cpu.vm_get_gpreg()['R%d' % n] - else: - arg = 
self.get_stack_arg(n-4) - return arg - - def add_lib_handler(self, libs): - from miasm2.jitter.os_dep import linux_stdlib - for offset, fname in libs.fad2cname.iteritems(): - if fname in linux_stdlib.__dict__: - self.add_breakpoint(offset, linux_stdlib.__dict__[fname]) - else: - log.warning( - 'jitter libhandler: %s function not found!' % fname) - - def init_run(self, *args, **kwargs): - jitter.init_run(self, *args, **kwargs) - self.cpu.PC = self.pc def vm2pe(myjit, fname, libs=None, e_orig=None, @@ -1069,34 +853,3 @@ def vm2pe(myjit, fname, libs=None, e_orig=None, # generation open(fname, 'w').write(str(mye)) - -class jitter_msp430(jitter): - - def __init__(self, *args, **kwargs): - from miasm2.arch.msp430.sem import ir_msp430 - sp = asmbloc.asm_symbol_pool() - jitter.__init__(self, ir_msp430(sp), *args, **kwargs) - self.my_ir.jit_pc = self.my_ir.arch.regs.PC - - def vm_push_uint16_t(self, v): - regs = self.cpu.vm_get_gpreg() - regs['SP'] -= 2 - self.cpu.vm_set_gpreg(regs) - self.vm.vm_set_mem(regs['SP'], pck16(v)) - - def vm_pop_uint16_t(self): - regs = self.cpu.vm_get_gpreg() - x = upck16(self.vm.vm_get_mem(regs['SP'], 2)) - regs['SP'] += 2 - self.cpu.vm_set_gpreg(regs) - return x - - def get_stack_arg(self, n): - regs = self.cpu.vm_get_gpreg() - x = upck16(self.vm.vm_get_mem(regs['SP'] + 2 * n, 2)) - return x - - def init_run(self, *args, **kwargs): - jitter.init_run(self, *args, **kwargs) - self.cpu.PC = self.pc - diff --git a/test/jitter/os_dep/win_api_x86_32.py b/test/jitter/os_dep/win_api_x86_32.py index a3b89305..08611af4 100644 --- a/test/jitter/os_dep/win_api_x86_32.py +++ b/test/jitter/os_dep/win_api_x86_32.py @@ -3,11 +3,12 @@ import unittest import logging - -from miasm2.jitter.jitload import jitter_x86_32 +from miasm2.analysis.machine import Machine import miasm2.jitter.os_dep.win_api_x86_32 as winapi -jit = jitter_x86_32() +machine = Machine("x86_32") + +jit = machine.jitter() jit.init_stack() 
diff --git a/test/test_all.py b/test/test_all.py index 039234db..77bb7ada 100644 --- a/test/test_all.py +++ b/test/test_all.py @@ -65,6 +65,7 @@ all_tests = { ["asm_box_x86_32_mod.py"], ["asm_box_x86_32_mod_self.py"], ["asm_box_x86_32_repmod.py"], + ["asm_msp430_sc.py"], ["disasm_01.py"], ["disasm_02.py"], ["disasm_03.py", "box_upx.exe", "0x410f90"], @@ -82,6 +83,7 @@ all_tests = { ["test_dis.py", "-g", "-s", "-m", "arm", "demo_arm.bin", "0"], ["test_dis.py", "-g", "-s", "-m", "x86_32", "box_x86_32.bin", "0x401000"], + ["test_dis.py", "-g", "-s", "-m", "msp430", "msp430_sc.bin", "0"], ["expression/solve_condition_stp.py", "expression/simple_test.bin"], ], @@ -90,6 +92,7 @@ all_tests = { ["unpack_upx.py", "box_upx.exe"], # Take 5 mins on a Core i5 ["test_jit_x86_32.py", "x86_32_sc.bin"], ["test_jit_arm.py", "md5_arm", "A684"], + ["test_jit_msp430.py", "msp430_sc.bin", "0"], ["sandbox_pe_x86_32.py", "box_x86_32.bin"], ["sandbox_pe_x86_32.py", "box_x86_32_enc.bin"], ["sandbox_pe_x86_32.py", "box_x86_32_mod.bin"], |
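Review bot: The new `test_dis.py ... msp430_sc.bin` and `test_jit_msp430.py msp430_sc.bin 0` entries consume a file that `asm_msp430_sc.py` writes to the current directory, so they only pass if the assembler example has already run in the same working directory; presumably that mirrors how `x86_32_sc.bin` is produced, but neither entry fails with a clear message when the input is missing. Consider a short comment above the jitter entry, `# needs msp430_sc.bin produced by asm_msp430_sc.py above`. The enclosing `all_tests` dict starts and ends outside the hunks.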