bool X86RTLGenerator::generateRTL(const LoaderBase::tCollData &collData, tCollRTLOps &collRTLOps)
{
unsigned uIdx = 0;
while(uIdx < 52)
//while(uIdx < collData.size())
{
x86_insn_t aInsn;
uIdx += x86_disasm((unsigned char *)&collData[0], collData.size(), 0, uIdx, &aInsn);
RTLOp aRTLOp;
if(!parseInsn(aInsn, aRTLOp))
{
return false;
}
collRTLOps.push_back(aRTLOp);
char buf[1024];
x86_format_insn(&aInsn, buf, sizeof(buf), intel_syntax);
printf("0x%08X: %s\n", uIdx, buf);
}
return true;
}
char *ropit_x86_list_disasm (uint8_t *bytes, int len) {
int pos = 0; // current position in buffer
int size; // size of instruction
x86_insn_t insn; // instruction
char line[4096] = {0};
int linelen = 4096;
char *listing = NULL;
listing = calloc(2048, sizeof(*listing));
x86_init(opt_none, NULL, NULL);
while ( pos < len ) {
// disassemble address
size = x86_disasm(bytes, len, 0, pos, &insn);
if ( size ) {
// print instruction
x86_format_insn(&insn, line, linelen, intel_syntax);
// printf("%s\n", line);
strcat(listing, line);
strcat(listing, "\n");
pos += size;
}
else {
pos++;
}
x86_oplist_free(&insn);
}
x86_cleanup();
return listing;
}
void debug_print_instruction(disassembly_t *da)
{
struct xref *xr;
BOOL previous_xrefs = FALSE;
char *line[512];
assert(da != NULL);
x86_format_insn(&da->Instruction, line, sizeof line, intel_syntax);
printf("%08X: %s", da->MemoryAddress, line);
for (xr = da->xrefs_from; xr != NULL; xr = xr->next) {
if (previous_xrefs) {
printf(", ");
} else {
printf("\t\t");
previous_xrefs = TRUE;
}
printf("xref_from:%08X", xr->insn->MemoryAddress);
}
for (xr = da->xrefs_to; xr != NULL; xr = xr->next) {
if (previous_xrefs) {
printf(", ");
} else {
printf("\t\t");
previous_xrefs = TRUE;
}
printf("xref_to:%08X", xr->insn->MemoryAddress);
}
printf("\n");
}
void gadget_print(gadget_t *gadgets)
{
/* If we're at a leaf node in the tree... */
if (gadgets->previous.head == NULL) {
/* Print instructions from the leaf up to the root as a gadget. */
x86_insn_t instr;
char line[1000];
gadget_t *cursor = gadgets;
while (cursor != NULL) {
x86_disasm(cursor->instr, cursor->instr_len, 0, 0, &instr);
x86_format_insn(&instr, line, sizeof(line), intel_syntax);
rstrip(line);
tab_to_space(line);
printf("0x%08x: %-50s\n", cursor->virtual_address, line);
/* Set cursor to its parent in the tree (closer to the RET). */
cursor = cursor->next;
}
printf("-----------------------\n");
} else {
/* We're not at a leaf, so recursively print all of the children. */
gadget_list_item_t *cursor = gadgets->previous.head;
while (cursor != NULL) {
gadget_print(cursor->gadget);
cursor = cursor->next;
}
}
}
void perplex_section(pefile_t *pefile, int section_number)
{
char *data;
size_t size;
x86_insn_t insn;
int pos = 0;
int section_start;
assert(pefile != NULL);
section_start = pefile->pimage_section_headers[section_number].VirtualAddress + pefile->image_nt_headers.OptionalHeader.ImageBase;
data = get_section_data(pefile, section_number, &size);
if (data == NULL)
return;
x86_init(opt_none, 0);
while (pos < size) {
char line[512];
int insn_size = x86_disasm(data, size, 0, pos, &insn);
if (insn_size > 0) {
x86_format_insn(&insn, line, sizeof line, intel_syntax);
//printf("%08X: %s\n", pos + section_start, line);
pos += insn_size;
} else {
//printf("%08X: Invalid Instruction\n", pos + section_start);
pos++;
}
}
x86_cleanup();
}
void func_display_blocks(FuncState *fs, const char *symname)
{
printf("\n*** Disassembly of %s(...)\n", symname);
int block_num = 0;
int insn_idx;
for (insn_idx=0; insn_idx<fs->insn_count; insn_idx++)
{
InstructionState *is = &fs->instructions[insn_idx];
char blockinfo[200];
blockinfo[0] = '\0';
BlockState *bs = &fs->blocks[block_num];
while (true)
{
if (block_num >= fs->block_count)
{
// no more blockinfo
break;
}
if (insn_idx >= bs->insn_idx+bs->insn_count)
{
// ooooh, ran off end of block. Fetch
// next one before we decide if we're in it or not yet.
block_num += 1;
bs = &fs->blocks[block_num];
// go back to top, because we may have just finished
// the last block
continue;
}
// okay, now we should either be before block_num
// or in it.
assert(insn_idx < bs->insn_idx+bs->insn_count);
if (insn_idx >= bs->insn_idx)
{
sprintf(blockinfo, "b#%3d (%c %3dins %3d bytes)",
block_num,
bs->wants_rewrite ? 'R' : '_',
bs->insn_count,
bs->byte_count);
}
break;
}
char buf[500];
x86_format_insn(&is->insn, buf, sizeof(buf), att_syntax);
printf("%08x #%03d %27s %s\n",
fs->virt_addr + is->pos, insn_idx, blockinfo, buf);
if (is->short_loop_candidate_target!=0)
{
printf(" jumps to %08x\n", is->short_loop_candidate_target);
}
}
}
void _disasm_dbg_display_func(Disassembler *disasm, unsigned char *start, unsigned int len, uint32_t virt_addr, const char *prefix)
{
int pos = 0;
while (pos < len)
{
x86_insn_t insn;
int insn_size = x86_disasm(start, len, 0, pos, &insn);
assert(insn_size>0);
char buf[500];
x86_format_insn(&insn, buf, sizeof(buf), att_syntax);
fprintf(stderr, "%s0x%08x %s\n", prefix, virt_addr+pos, buf);
pos += insn_size;
}
}
// disasm 1 instruction
char *ropit_x86_disasm (uint8_t *bytes, int len, int *sz_dis)
{
int sz_inst, len_disasm; /* sz_inst of instruction */
x86_insn_t insn; /* instruction */
char line[1024];
int sz_line = 1024;
char *disasm;
if (!bytes || len <= 0 || !sz_dis) {
debug_printf (MESSAGE_ERROR, stderr, "error: ropit_x86_disasm(): Bad parameter(s)\n");
return NULL;
}
len_disasm = 0;
x86_init(opt_none, NULL, NULL);
sz_inst = x86_disasm (bytes, len, 0, 0, &insn);
if (sz_inst > 0) {
len_disasm = x86_format_insn (&insn, line, sz_line, intel_syntax);
*sz_dis = sz_inst;
}
x86_oplist_free (&insn);
x86_cleanup();
if (len_disasm == 0)
return NULL;
disasm = calloc (len_disasm, sizeof(*disasm));
if (!disasm) {
debug_printf (MESSAGE_ERROR, stderr, "error: ropit_x86_disasm(): Failed disasm alloc\n");
return NULL;
}
memcpy (disasm, line, len_disasm);
return disasm;
}
void hack_patch_init_tls(ElfObj *eo, FuncEntry *fe, Disassembler *disasm)
{
Elf32_Sym *sym = &fe->sym;
const char *symname = elfobj_get_string(eo, eo->strtable, sym->st_name);
if (strcmp(symname, "init_tls")!=0)
{
return;
}
uint32_t vaddr = sym->st_value;
Elf32_Off offset = elfobj_map_virtual_to_offset(eo, vaddr);
uint32_t len = sym->st_size;
uint8_t *mapped = (uint8_t*)
(eo->eri->elf_read_alloc)(eo->eri, offset, len);
int pos = 0;
while (pos < len)
{
x86_insn_t insn;
int size = x86_disasm(mapped, len, vaddr, pos, &insn);
// change 'mov -1,blahblah' to -2, to signal to xax_posix_emulation
// that we expect a gs descriptor, not an entry number, back in
// the user_desc entry_number field.
if (
insn.type==insn_mov
&& insn.operand_count==2
&& insn.operands->next[0].op.type==op_immediate
&& insn.operands->next[0].op.datatype==op_dword
&& insn.operands->next[0].op.data.sdword==-1
&& insn.size == 7)
{
((int32_t *)(mapped+pos+3))[0] = -2;
}
// change from eax=(eax*8)|3 to nops.
if (
insn.type==insn_mov
&& insn.operand_count==2
&& insn.operands[0].op.type==op_register
&& strcmp(insn.operands[0].op.data.reg.name, "eax")==0
&& insn.operands->next[0].op.type==op_expression
&& insn.operands->next[0].op.data.expression.scale == 8
&& insn.operands->next[0].op.data.expression.disp == 3
&& strcmp(insn.operands->next[0].op.data.expression.index.name, "eax")==0)
{
memset(mapped+pos, x86_nop, size);
}
#if 0
// redo the disassembly so the format&print is correct
size = x86_disasm(mapped, len, vaddr, pos, &insn);
char buf[800];
x86_format_insn(&insn, buf, sizeof(buf), att_syntax);
fprintf(stdout, "@+%3d %s\n", pos, buf);
#endif
assert(size!=0);
pos += size;
}
}
int main(int argc, char *argv[])
{
char line[128];
struct stat sbuf;
char *input = NULL;
char *buf = NULL;
FILE *fd = NULL;
int ret = 0;
int offset = 0;
int size = 0;
x86_insn_t x86dis;
printf("\n[*] simple x86 shellcode disassembler\n");
printf("[*] trivially implemented thanks 2 libdisasm!\n");
printf("[*] written by [email protected]\n");
input = argv[1];
if (!argv[1])
{
printf("[*] usage: %s <shellcode as binary.file>\n", argv[0]);
ret = 1;
goto die;
}
memset((char *)&sbuf, 0, sizeof(sbuf));
if (stat(input, &sbuf) == -1)
{
printf("[!] unable to stat %s!\n", input);
ret = 1;
goto die;
}
buf = malloc(sbuf.st_size);
if (!buf)
{
printf("[!] failed to allocate %u bytes!\n", sbuf.st_size);
ret = 1;
goto die;
}
fd = fopen(input, "r");
if (!fd)
{
printf("[!] unable to open %s\n", input);
ret = 1;
goto die;
}
if (fread(buf, 1, sbuf.st_size, fd) != sbuf.st_size)
{
printf("[!] failed to read in %u bytes!\n", sbuf.st_size);
ret = 1;
goto die;
}
fclose(fd);
fd = NULL;
printf("\n");
x86_init(opt_none, NULL, NULL);
while (offset < sbuf.st_size)
{
size = x86_disasm(buf, sbuf.st_size, 0, offset, &x86dis);
if (!size)
{
printf("[!] invalid op at %i!\n", offset);
break;
}
memset(line, 0, sizeof(line));
x86_format_insn(&x86dis, line, sizeof(line), intel_syntax);
printf("%08X: %s\n", offset, line);
offset += size;
}
x86_cleanup();
die:
printf("\n");
if (buf)
{
free(buf);
}
if (fd)
{
fclose(fd);
}
return ret;
}
void ApiHook_asmToString(x86_insn_t* insn, char* line, size_t lineLength)
{
x86_format_insn(insn, line, lineLength, intel_syntax);
}