From 93ca252a09d8dc018fe8d96485a6a8883a8b2f15 Mon Sep 17 00:00:00 2001
From: Ajax
Date: Fri, 6 Nov 2015 17:19:05 +0100
Subject: Example/UnpackUPX: useless variable

---
 example/jitter/unpack_upx.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

(limited to 'example/jitter/unpack_upx.py')

diff --git a/example/jitter/unpack_upx.py b/example/jitter/unpack_upx.py
index 2d0a02ea..0a299e97 100644
--- a/example/jitter/unpack_upx.py
+++ b/example/jitter/unpack_upx.py
@@ -46,13 +46,10 @@ else:
 if options.verbose is True:
 print sb.jitter.vm
-
-ep = sb.entry_point
-
 # Ensure there is one and only one leave (for OEP discovering)
 mdis = sb.machine.dis_engine(sb.jitter.bs)
 mdis.dont_dis_nulstart_bloc = True
-ab = mdis.dis_multibloc(ep)
+ab = mdis.dis_multibloc(sb.entry_point)
 bb = asmbloc.basicblocs(ab)
 leaves = bb.get_bad_dst()
-- 
cgit 1.4.1

From c8f6c2ce5a7cdc553cc752c18aa17c009467b619 Mon Sep 17 00:00:00 2001
From: Ajax
Date: Fri, 6 Nov 2015 17:19:31 +0100
Subject: Example/UnpackUPX: entrypoint was fixed twice

---
 example/jitter/unpack_upx.py | 1 -
 1 file changed, 1 deletion(-)

(limited to 'example/jitter/unpack_upx.py')

diff --git a/example/jitter/unpack_upx.py b/example/jitter/unpack_upx.py
index 0a299e97..244be3c5 100644
--- a/example/jitter/unpack_upx.py
+++ b/example/jitter/unpack_upx.py
@@ -108,7 +108,6 @@ sb.pe.DirImport.set_rva(s_myimp.addr)
 # XXXX TODO
 sb.pe.NThdr.optentries[pe.DIRECTORY_ENTRY_DELAY_IMPORT].rva = 0
-sb.pe.Opthdr.AddressOfEntryPoint = sb.pe.virt2rva(end_label)
 bname, fname = os.path.split(options.filename)
 fname = os.path.join(bname, fname.replace('.', '_'))
 open(fname + '_unupx.bin', 'w').write(str(sb.pe))
-- 
cgit 1.4.1

From f1783d86be0593de00782b75c10c54ef3ce35a79 Mon Sep 17 00:00:00 2001
From: Ajax
Date: Fri, 6 Nov 2015 17:22:08 +0100
Subject: Example/UnpackUPX: hint on an alternative solution for PE rebuilding

---
 example/jitter/unpack_upx.py | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'example/jitter/unpack_upx.py')
diff --git a/example/jitter/unpack_upx.py b/example/jitter/unpack_upx.py
index 244be3c5..808dd134 100644
--- a/example/jitter/unpack_upx.py
+++ b/example/jitter/unpack_upx.py
@@ -89,6 +89,8 @@ sb.jitter.add_breakpoint(end_label, update_binary)
 sb.run()
 # Rebuild PE
+# Alternative solution: miasm2.jitter.loader.pe.vm2pe(sb.jitter, out_fname,
+# libs=sb.libs, e_orig=sb.pe)
 new_dll = []
 sb.pe.SHList.align_sections(0x1000, 0x1000)
-- 
cgit 1.4.1

From 20d61892896d3d2e766dc7801d9c9b6154276fd1 Mon Sep 17 00:00:00 2001
From: Ajax
Date: Fri, 6 Nov 2015 17:26:58 +0100
Subject: Example/UnpackUPX: comment GetProcAddress hook

---
 example/jitter/unpack_upx.py | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'example/jitter/unpack_upx.py')

diff --git a/example/jitter/unpack_upx.py b/example/jitter/unpack_upx.py
index 808dd134..f22dd445 100644
--- a/example/jitter/unpack_upx.py
+++ b/example/jitter/unpack_upx.py
@@ -13,15 +13,19 @@ if filename and os.path.isfile(filename):
 # User defined methods
 def kernel32_GetProcAddress(jitter):
+ """Hook on GetProcAddress to note where UPX store imports pointer"""
 ret_ad, args = jitter.func_args_stdcall(["libbase", "fname"])
+ # When the function is called, EBX is a pointer on the destination buffer
 dst_ad = jitter.cpu.EBX
 logging.info('EBX ' + hex(dst_ad))
+ # Handle ordinal imports
 fname = (args.fname if args.fname < 0x10000 else jitter.get_str_ansi(args.fname))
 logging.info(fname)
+ # Get the generated address of the library, and store it in memory to dst_ad
 ad = sb.libs.lib_get_add_func(args.libbase, fname, dst_ad)
 jitter.func_ret_stdcall(ret_ad, ad)
-- 
cgit 1.4.1

From 34948365493c9a65a0264d495d8070e45eae1a38 Mon Sep 17 00:00:00 2001
From: Ajax
Date: Fri, 6 Nov 2015 17:28:31 +0100
Subject: Example/UnpackUPX: call handle_function in GetProcAddress hook (skeleton)

---
 example/jitter/unpack_upx.py | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'example/jitter/unpack_upx.py')
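Review bot: The added hint refers to `out_fname`, which nothing visible in the script defines; the output path is built further down as `fname + '_unupx.bin'` (seen in the hunk of the earlier commit), so a reader cannot tell which path the helper call is meant to take. Naming it in the comment keeps the hint actionable, e.g. `# Alternative solution (out_fname = the '_unupx.bin' path built below): miasm2.jitter.loader.pe.vm2pe(sb.jitter, out_fname, libs=sb.libs, e_orig=sb.pe)`. A short phrase on why the manual rebuild is kept instead of the helper would round it off; the rebuild steps continue past the end of the hunk.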
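Review bot: `# Handle ordinal imports` does not say what rule the next line applies: `args.fname < 0x10000` follows the GetProcAddress convention that a name argument whose high word is zero is an ordinal, so `# GetProcAddress convention: a value < 0x10000 is an ordinal, otherwise a pointer to an ANSI name` states the actual test. The last new comment, `# Get the generated address of the library, and store it in memory to dst_ad`, reads wrong on two points: `lib_get_add_func` is passed a function name, so it resolves a function rather than a library, and no line of the hook writes to `dst_ad`. Presumably the unpacking stub stores the returned pointer at `dst_ad` itself after the hook returns, and the argument only lets the loader record that slot for import rebuilding — confirm against `lib_get_add_func` before rewording it, e.g. `# Resolve fname in libbase to its emulated address; dst_ad is passed so the loader records where the stub will store the pointer`.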
diff --git a/example/jitter/unpack_upx.py b/example/jitter/unpack_upx.py
index f22dd445..09bd801e 100644
--- a/example/jitter/unpack_upx.py
+++ b/example/jitter/unpack_upx.py
@@ -27,6 +27,10 @@ def kernel32_GetProcAddress(jitter):
 # Get the generated address of the library, and store it in memory to dst_ad
 ad = sb.libs.lib_get_add_func(args.libbase, fname, dst_ad)
+ # Add a breakpoint in case of a call on the resolved function
+ # NOTE: never append in UPX, just for skeleton
+ jitter.handle_function(ad)
+
 jitter.func_ret_stdcall(ret_ad, ad)
-- 
cgit 1.4.1

From 5c6b3d0c002cbdf5665cc90aed43e0687cfc1672 Mon Sep 17 00:00:00 2001
From: Ajax
Date: Mon, 9 Nov 2015 13:35:23 +0100
Subject: Example/UnpackUPX: PR #256 comments (creds @p-l-, @fmonjalet)

---
 example/jitter/unpack_upx.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'example/jitter/unpack_upx.py')

diff --git a/example/jitter/unpack_upx.py b/example/jitter/unpack_upx.py
index 09bd801e..eb03209b 100644
--- a/example/jitter/unpack_upx.py
+++ b/example/jitter/unpack_upx.py
@@ -13,10 +13,10 @@ if filename and os.path.isfile(filename):
 # User defined methods
 def kernel32_GetProcAddress(jitter):
- """Hook on GetProcAddress to note where UPX store imports pointer"""
+ """Hook on GetProcAddress to note where UPX stores import pointers"""
 ret_ad, args = jitter.func_args_stdcall(["libbase", "fname"])
- # When the function is called, EBX is a pointer on the destination buffer
+ # When the function is called, EBX is a pointer to the destination buffer
 dst_ad = jitter.cpu.EBX
 logging.info('EBX ' + hex(dst_ad))
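Review bot: `jitter.handle_function(ad)` now runs on every GetProcAddress call, so a function that the stub resolves more than once is registered more than once; if `handle_function` just appends a breakpoint callback for `ad`, that callback would fire several times on a single hit. A module-level `hooked_funcs = set()` plus `if ad not in hooked_funcs:` / `hooked_funcs.add(ad)` / `jitter.handle_function(ad)` keeps the registration idempotent. The new NOTE says this path never triggers for UPX, which justifies keeping the skeleton simple, but the guard is one line and keeps it correct for packers that do call the imports they resolve; the hook's signature lies outside the hunk.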
@@ -28,7 +28,7 @@ def kernel32_GetProcAddress(jitter):
 # Get the generated address of the library, and store it in memory to dst_ad
 ad = sb.libs.lib_get_add_func(args.libbase, fname, dst_ad)
 # Add a breakpoint in case of a call on the resolved function
- # NOTE: never append in UPX, just for skeleton
+ # NOTE: never happens in UPX, just for skeleton
 jitter.handle_function(ad)
 jitter.func_ret_stdcall(ret_ad, ad)
-- 
cgit 1.4.1