from miasm.analysis.binary import Container | |
from miasm.analysis.machine import Machine | |
from miasm.analysis.simplifier import IRCFGSimplifierCommon | |
from miasm.core.locationdb import LocationDB | |
from miasm.expression.expression import ExprCond, ExprLoc, LocKey, ExprMem | |
from miasm.ir.ir import IRBlock, AssignBlock | |
from miasm.ir.symbexec import SymbolicExecutionEngine | |
# Init Binary: path of the ELF sample this script analyses
# (presumably handed to the miasm Container/Machine imported above — the
# loading code is outside this excerpt).
binary = "quarkslab.elf"
# Module-level tables consumed further down the script (not shown here).
baseList = [1]
# Alternating 0/1 pattern of length six.
table1 = [0, 1] * 3
# Two of each: +1, 0, -1.
table2 = [1] * 2 + [0] * 2 + [-1] * 2
# Check that every element is nonzero
def noZero(aList):
    """Return True when no element of *aList* equals zero.

    An empty list yields True (there is no zero in it).
    """
    return not any(element == 0 for element in aList)
from z3 import * | |
# Sixteen unconstrained integer unknowns, one per input character.
char = [Int('char[' + str(i) + ']') for i in range(0, 16)]
s = Solver()
# Each check is a linear equation over the unknowns that an accepted input
# has to satisfy.  NOTE(review): no 0..255 / printable-character bounds are
# added in this excerpt; without them the solver may return values that are
# not valid characters — confirm they are constrained further down.
s.add(((char[0] * 10) + (char[1] * 12) + (char[6] * 62) + (char[3] * 15) + (char[10] * 95) + (char[9] * 2) + (char[13] * 38) + (char[12] * 17) + (char[15] * 25) + (char[14] * 67)) == 0x8120)
s.add(((char[2] * 15) + (char[0] * 8) + (char[7] * 50) + (char[5] * 25) + (char[12] * 64) + (char[8] * 13) + (char[13] * 85))== 0x6002)
s.add(((char[0] * 58) + (char[5] * 55) + (char[2] * 25) + (char[9] * 12) + (char[14] * 86) + (char[13] * 57) + (char[1] * 35) + (char[7] * 35))== 0x7C2D)
s.add(((char[0] * 67) + (char[3] * 71) + (char[7] * 97) + (char[5] * 39) + (char[11] * 10) + (char[10] * 60))== 0x6D22)
s.add(((char[0] * 85) + (char[2] * 5) + (char[4] * 25) + (char[3] * 38) + (char[11] * 16) + (char[10] * 83) + (char[13] * 53) + (char[12] * 29))== 0x7550)
s.add(((char[0] * 0x3A) + (char[1] * 28) + (char[2]) + (char[8] * 3) + (char[4] * 65) + (char[10] * 81) + (char[9] * 6) + (char[14] * 78) + (char[12] * 62)) == 0x85F9)
s.add(((cha |
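def detectR26(i, lines=None):
    """Return the immediate loaded into r26 by the nearest ``ldi r26`` before line *i*.

    Scans *lines* backwards from index ``i - 1`` down to 0 and, on the first
    line containing ``'ldi r26'``, parses its third whitespace-separated token
    as a hexadecimal literal (a ``0x`` prefix is tolerated).

    Args:
        i: index of the instruction whose preceding ``ldi r26`` is wanted.
        lines: list of stripped disassembly lines to search. Defaults to the
            module-level ``data`` so existing callers keep working.

    Returns:
        The parsed integer, or ``None`` when no ``ldi r26`` precedes line *i*
        (also when ``i`` is 0).

    Raises:
        IndexError: if the matching line has fewer than three tokens.
        ValueError: if the third token is not a hexadecimal literal.
    """
    if lines is None:
        lines = data  # module-level listing filled in by the loop below
    # Walk backwards with a separate index so the parameter is not shadowed.
    for j in range(i - 1, -1, -1):
        if 'ldi r26' in lines[j]:
            tmp = lines[j].split()
            return int(tmp[2].replace('0x', ''), 16)
    return None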
for n in range(1, 17): | |
with open("part" + str(n) + ".txt", "r") as f: | |
data = f.readlines() | |
data = [line.strip() for line in data] | |
expression = [] |
import math | |
# MD5 per-step rotation amounts: four rounds of sixteen steps, each round
# cycling through its own four shift values.
rotate_amounts = (
    [7, 12, 17, 22] * 4
    + [5, 9, 14, 20] * 4
    + [4, 11, 16, 23] * 4
    + [6, 10, 15, 21] * 4
)
# MD5 additive constants K[i] = floor(|sin(i + 1)| * 2^32), masked to 32 bits.
constants = [
    math.floor(abs(math.sin(step)) * (1 << 32)) & 0xFFFFFFFF
    for step in range(1, 65)
]
# Initial state words A, B, C, D. The first two are the standard MD5 values;
# the last two (0x0ABCDEF00, 0x12345678) are not (standard MD5 uses
# 0x98badcfe and 0x10325476), so this is a customised variant whose digests
# will not match real MD5.
init_values = [0x67452301, 0xefcdab89, 0x0ABCDEF00, 0x12345678]
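# Load the random values: one per line of 'randoms.bin', read as text.
# The with-block guarantees the handle is closed even if reading fails.
with open('randoms.bin', 'r') as randomFile:
    randoms = [x.strip() for x in randomFile.readlines()]
# Load the seed bytes from 'init.bin' as a list of ints. list(bytearray(...))
# yields ints on both Python 2 and 3, whereas ord() over the result of a
# binary read only works on Python 2 (Python 3 already iterates ints).
with open('init.bin', 'rb') as initFile:
    base = list(bytearray(initFile.read()))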
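# Read 'Protected.exe' as a list of ints. list(bytearray(...)) is the portable
# spelling of [ord(x) for x in data]: it works on Python 2 (str) and Python 3
# (bytes), whereas ord() raises TypeError on Python 3's int elements.
with open('Protected.exe', 'rb') as f:
    data = list(bytearray(f.read()))
# The bytes of interest start at file offset 0x7B8; drop everything before it.
data = data[0x7B8:]
# Operand byte -> register name (presumably used while decoding the 5-byte
# records in the loop below — confirm against that loop).
regs = {1: 'eax', 2: 'ebx', 3: 'ecx', 4: 'edx', 5: 'esi', 6: 'edi', 7: 'esp', 8: 'eip', 9: 'ebp'}
baseAddr = 0
# Output listing. Kept as a plain open() because the decoding loop that
# follows this block still uses f; NOTE(review): ensure it is closed (or
# wrap the whole loop in `with`) once that loop ends.
f = open('asm', 'w')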
while baseAddr < len(data): | |
buffer = data[baseAddr:baseAddr+5] | |
if buffer[0] == 0: |
- Dynamic library linking:
+ Ảnh hưởng tính năng emulate, symbolic execution, ... | |
+ Mô tả: các hàm liên kết động không thể emulate (chạy thử) vì nó không có nằm trong binary mà do hệ điều hành xử lý, tool chỉ làm việc trên binary | |
+ Hướng giải quyết: | |
* Cách 1: Bỏ qua các hàm này. Emulate chỉ hướng đến việc hiểu code không phải hiểu thư viện hoạt động nên bỏ qua
* Cách 2: Implement các hàm liên kết động (Miasm đã implement một số lớn rồi). Miasm cho phép implement bằng python các hàm này. Vấn đề nảy sinh là số lượng hàm liên kết động quá lớn => Chúng ta có thể limit tính năng lại, ví dụ chỉ trên linux thì cho emulate thư viện liên kết động
* Cách 3: Tìm hiểu thêm về vấn đề này. Mình đã tìm hiểu một ít về nó gần như chưa có thằng nào giải quyết hoàn hảo về nó cả | |
- Vẽ Control Flow Graph: | |
+ Vấn đề 1: Miasm nó hiểu call giống như jmp nên nó tách ra 2 block khác nhau ngăn cách bởi call trong khi đáng nhẽ 2 cái phải merge lại. Hình ảnh mô tả: https://i.imgur.com/KLseTCh.png | |
* Giải quyết: có thể chấp n |
const BigNumber = require('bignumber.js'); | |
// POW_PRECISION 0 asks bignumber.js not to truncate the result of pow().
BigNumber.config({
    POW_PRECISION: 0
});
// Per-position coefficients used by the check below (hex, as in the original).
var arr = [0x4df, 0x20c, 0x3f5, 0xe7, 0x50a, 0xc0, 0x31e, 0x44e, 0x1a0, 0x409, 0x3a0, 0x48f, 0x54, 0x114, 0x48f, 0x158, 0x4a3, 0xb7, 0x36e, 0x25, 0x26a, 0x14, 0x3d, 0xf5, 0x328, 0x3, 0x9, 0x29f, 0x223, 0x162, 0x2, 0xc3, 0x16c, 0x4b5, 0x14c, 0x26e, 0x18a, 0x1f6, 0x38e, 0x48a, 0x399, 0xd4, 0xb, 0x339, 0x439, 0x35a];
var res = ['28147733412126416143356431805908788848700221138704543049914240750210634423746310795983766007927465537337773675180806753151701119440592637649120674223666407488884928441158916203204899710775857273445369674102642893364763591400590102447525349505851152484162354348321887410090849255334994123327420802898472430345805178661836803666639323568991', '44739967243685248337863914331088443081198599520326829360275842053865868965509446402750217938832017007005145519067323650440191044221746295537611058520025099295621434699975231171245068093245660890690731285740946539394957013242861263238724032038431179977090332829 |