bool X86RTLGenerator::generateRTL(const LoaderBase::tCollData &collData, tCollRTLOps &collRTLOps) { unsigned uIdx = 0; while(uIdx < 52) //while(uIdx < collData.size()) { x86_insn_t aInsn; uIdx += x86_disasm((unsigned char *)&collData[0], collData.size(), 0, uIdx, &aInsn); RTLOp aRTLOp; if(!parseInsn(aInsn, aRTLOp)) { return false; } collRTLOps.push_back(aRTLOp); char buf[1024]; x86_format_insn(&aInsn, buf, sizeof(buf), intel_syntax); printf("0x%08X: %s\n", uIdx, buf); } return true; }
char *ropit_x86_list_disasm (uint8_t *bytes, int len) { int pos = 0; // current position in buffer int size; // size of instruction x86_insn_t insn; // instruction char line[4096] = {0}; int linelen = 4096; char *listing = NULL; listing = calloc(2048, sizeof(*listing)); x86_init(opt_none, NULL, NULL); while ( pos < len ) { // disassemble address size = x86_disasm(bytes, len, 0, pos, &insn); if ( size ) { // print instruction x86_format_insn(&insn, line, linelen, intel_syntax); // printf("%s\n", line); strcat(listing, line); strcat(listing, "\n"); pos += size; } else { pos++; } x86_oplist_free(&insn); } x86_cleanup(); return listing; }
void debug_print_instruction(disassembly_t *da) { struct xref *xr; BOOL previous_xrefs = FALSE; char *line[512]; assert(da != NULL); x86_format_insn(&da->Instruction, line, sizeof line, intel_syntax); printf("%08X: %s", da->MemoryAddress, line); for (xr = da->xrefs_from; xr != NULL; xr = xr->next) { if (previous_xrefs) { printf(", "); } else { printf("\t\t"); previous_xrefs = TRUE; } printf("xref_from:%08X", xr->insn->MemoryAddress); } for (xr = da->xrefs_to; xr != NULL; xr = xr->next) { if (previous_xrefs) { printf(", "); } else { printf("\t\t"); previous_xrefs = TRUE; } printf("xref_to:%08X", xr->insn->MemoryAddress); } printf("\n"); }
void gadget_print(gadget_t *gadgets) { /* If we're at a leaf node in the tree... */ if (gadgets->previous.head == NULL) { /* Print instructions from the leaf up to the root as a gadget. */ x86_insn_t instr; char line[1000]; gadget_t *cursor = gadgets; while (cursor != NULL) { x86_disasm(cursor->instr, cursor->instr_len, 0, 0, &instr); x86_format_insn(&instr, line, sizeof(line), intel_syntax); rstrip(line); tab_to_space(line); printf("0x%08x: %-50s\n", cursor->virtual_address, line); /* Set cursor to its parent in the tree (closer to the RET). */ cursor = cursor->next; } printf("-----------------------\n"); } else { /* We're not at a leaf, so recursively print all of the children. */ gadget_list_item_t *cursor = gadgets->previous.head; while (cursor != NULL) { gadget_print(cursor->gadget); cursor = cursor->next; } } }
void perplex_section(pefile_t *pefile, int section_number) { char *data; size_t size; x86_insn_t insn; int pos = 0; int section_start; assert(pefile != NULL); section_start = pefile->pimage_section_headers[section_number].VirtualAddress + pefile->image_nt_headers.OptionalHeader.ImageBase; data = get_section_data(pefile, section_number, &size); if (data == NULL) return; x86_init(opt_none, 0); while (pos < size) { char line[512]; int insn_size = x86_disasm(data, size, 0, pos, &insn); if (insn_size > 0) { x86_format_insn(&insn, line, sizeof line, intel_syntax); //printf("%08X: %s\n", pos + section_start, line); pos += insn_size; } else { //printf("%08X: Invalid Instruction\n", pos + section_start); pos++; } } x86_cleanup(); }
void func_display_blocks(FuncState *fs, const char *symname) { printf("\n*** Disassembly of %s(...)\n", symname); int block_num = 0; int insn_idx; for (insn_idx=0; insn_idx<fs->insn_count; insn_idx++) { InstructionState *is = &fs->instructions[insn_idx]; char blockinfo[200]; blockinfo[0] = '\0'; BlockState *bs = &fs->blocks[block_num]; while (true) { if (block_num >= fs->block_count) { // no more blockinfo break; } if (insn_idx >= bs->insn_idx+bs->insn_count) { // ooooh, ran off end of block. Fetch // next one before we decide if we're in it or not yet. block_num += 1; bs = &fs->blocks[block_num]; // go back to top, because we may have just finished // the last block continue; } // okay, now we should either be before block_num // or in it. assert(insn_idx < bs->insn_idx+bs->insn_count); if (insn_idx >= bs->insn_idx) { sprintf(blockinfo, "b#%3d (%c %3dins %3d bytes)", block_num, bs->wants_rewrite ? 'R' : '_', bs->insn_count, bs->byte_count); } break; } char buf[500]; x86_format_insn(&is->insn, buf, sizeof(buf), att_syntax); printf("%08x #%03d %27s %s\n", fs->virt_addr + is->pos, insn_idx, blockinfo, buf); if (is->short_loop_candidate_target!=0) { printf(" jumps to %08x\n", is->short_loop_candidate_target); } } }
void _disasm_dbg_display_func(Disassembler *disasm, unsigned char *start, unsigned int len, uint32_t virt_addr, const char *prefix) { int pos = 0; while (pos < len) { x86_insn_t insn; int insn_size = x86_disasm(start, len, 0, pos, &insn); assert(insn_size>0); char buf[500]; x86_format_insn(&insn, buf, sizeof(buf), att_syntax); fprintf(stderr, "%s0x%08x %s\n", prefix, virt_addr+pos, buf); pos += insn_size; } }
// disasm 1 instruction char *ropit_x86_disasm (uint8_t *bytes, int len, int *sz_dis) { int sz_inst, len_disasm; /* sz_inst of instruction */ x86_insn_t insn; /* instruction */ char line[1024]; int sz_line = 1024; char *disasm; if (!bytes || len <= 0 || !sz_dis) { debug_printf (MESSAGE_ERROR, stderr, "error: ropit_x86_disasm(): Bad parameter(s)\n"); return NULL; } len_disasm = 0; x86_init(opt_none, NULL, NULL); sz_inst = x86_disasm (bytes, len, 0, 0, &insn); if (sz_inst > 0) { len_disasm = x86_format_insn (&insn, line, sz_line, intel_syntax); *sz_dis = sz_inst; } x86_oplist_free (&insn); x86_cleanup(); if (len_disasm == 0) return NULL; disasm = calloc (len_disasm, sizeof(*disasm)); if (!disasm) { debug_printf (MESSAGE_ERROR, stderr, "error: ropit_x86_disasm(): Failed disasm alloc\n"); return NULL; } memcpy (disasm, line, len_disasm); return disasm; }
void hack_patch_init_tls(ElfObj *eo, FuncEntry *fe, Disassembler *disasm) { Elf32_Sym *sym = &fe->sym; const char *symname = elfobj_get_string(eo, eo->strtable, sym->st_name); if (strcmp(symname, "init_tls")!=0) { return; } uint32_t vaddr = sym->st_value; Elf32_Off offset = elfobj_map_virtual_to_offset(eo, vaddr); uint32_t len = sym->st_size; uint8_t *mapped = (uint8_t*) (eo->eri->elf_read_alloc)(eo->eri, offset, len); int pos = 0; while (pos < len) { x86_insn_t insn; int size = x86_disasm(mapped, len, vaddr, pos, &insn); // change 'mov -1,blahblah' to -2, to signal to xax_posix_emulation // that we expect a gs descriptor, not an entry number, back in // the user_desc entry_number field. if ( insn.type==insn_mov && insn.operand_count==2 && insn.operands->next[0].op.type==op_immediate && insn.operands->next[0].op.datatype==op_dword && insn.operands->next[0].op.data.sdword==-1 && insn.size == 7) { ((int32_t *)(mapped+pos+3))[0] = -2; } // change from eax=(eax*8)|3 to nops. if ( insn.type==insn_mov && insn.operand_count==2 && insn.operands[0].op.type==op_register && strcmp(insn.operands[0].op.data.reg.name, "eax")==0 && insn.operands->next[0].op.type==op_expression && insn.operands->next[0].op.data.expression.scale == 8 && insn.operands->next[0].op.data.expression.disp == 3 && strcmp(insn.operands->next[0].op.data.expression.index.name, "eax")==0) { memset(mapped+pos, x86_nop, size); } #if 0 // redo the disassembly so the format&print is correct size = x86_disasm(mapped, len, vaddr, pos, &insn); char buf[800]; x86_format_insn(&insn, buf, sizeof(buf), att_syntax); fprintf(stdout, "@+%3d %s\n", pos, buf); #endif assert(size!=0); pos += size; } }
int main(int argc, char *argv[]) { char line[128]; struct stat sbuf; char *input = NULL; char *buf = NULL; FILE *fd = NULL; int ret = 0; int offset = 0; int size = 0; x86_insn_t x86dis; printf("\n[*] simple x86 shellcode disassembler\n"); printf("[*] trivially implemented thanks 2 libdisasm!\n"); printf("[*] written by [email protected]\n"); input = argv[1]; if (!argv[1]) { printf("[*] usage: %s <shellcode as binary.file>\n", argv[0]); ret = 1; goto die; } memset((char *)&sbuf, 0, sizeof(sbuf)); if (stat(input, &sbuf) == -1) { printf("[!] unable to stat %s!\n", input); ret = 1; goto die; } buf = malloc(sbuf.st_size); if (!buf) { printf("[!] failed to allocate %u bytes!\n", sbuf.st_size); ret = 1; goto die; } fd = fopen(input, "r"); if (!fd) { printf("[!] unable to open %s\n", input); ret = 1; goto die; } if (fread(buf, 1, sbuf.st_size, fd) != sbuf.st_size) { printf("[!] failed to read in %u bytes!\n", sbuf.st_size); ret = 1; goto die; } fclose(fd); fd = NULL; printf("\n"); x86_init(opt_none, NULL, NULL); while (offset < sbuf.st_size) { size = x86_disasm(buf, sbuf.st_size, 0, offset, &x86dis); if (!size) { printf("[!] invalid op at %i!\n", offset); break; } memset(line, 0, sizeof(line)); x86_format_insn(&x86dis, line, sizeof(line), intel_syntax); printf("%08X: %s\n", offset, line); offset += size; } x86_cleanup(); die: printf("\n"); if (buf) { free(buf); } if (fd) { fclose(fd); } return ret; }
void ApiHook_asmToString(x86_insn_t* insn, char* line, size_t lineLength) { x86_format_insn(insn, line, lineLength, intel_syntax); }