@hikalium hikalium/print.js
Created Dec 22, 2019

Parser for SECCON 2019 final q4 box4
// box4
// Trace decoder for the "box4" VM: reads a JSON execution trace named on the
// command line, rebases its addresses and prints the recognised handler stream.
const fs = require('fs');
// First positional CLI argument: path of the JSON trace file to decode.
const [, , filename] = process.argv;
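/**
 * Load a JSON execution trace and rebase every recorded address onto the
 * module's load address.
 *
 * The trace is an array whose first element carries `base_addr` (a hex
 * string); only elements that have an `inst_addr` are kept. A `call` event
 * yields `{ addr, target }`, any other event yields `{ addr, taken }` with
 * `branch_taken` passed through untouched. Addresses are returned as
 * unprefixed lowercase hex strings relative to `base_addr`.
 *
 * @param {string} fileName - path of the JSON trace file
 * @returns {Array<{addr: string, target?: string, taken?: *}>} decoded
 *   entries, `[]` when the trace holds no events
 * @throws {TypeError} when the file does not contain a JSON array
 */
const parseTrace = (fileName) => {
  const trace = JSON.parse(fs.readFileSync(fileName, 'utf-8'));
  if (!Array.isArray(trace)) {
    throw new TypeError(`${fileName}: expected a JSON array of trace events`);
  }
  // An empty trace has no base_addr record, so there is nothing to rebase
  // (indexing trace[0] would otherwise throw on undefined).
  if (trace.length === 0) return [];
  const baseAddr = Number.parseInt(trace[0].base_addr, 16);
  // Rebase one hex address string onto the module and render it as bare hex.
  const relative = (hex) => (Number.parseInt(hex, 16) - baseAddr).toString(16);
  return trace
    .filter((e) => e.inst_addr != null)
    .map((e) => (
      e.event === 'call'
        ? { addr: relative(e.inst_addr), target: relative(e.target_addr) }
        : { addr: relative(e.inst_addr), taken: e.branch_taken }
    ));
};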
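/**
 * Decode a rebased branch trace (as produced by parseTrace) into the
 * emulated instruction stream, printing one line per recognised handler.
 *
 * A handler is recognised either by the relative address it is called at
 * (`target`) or by a distinctive address inside it (`addr`); the fixed number
 * of trace entries that handler produces is then skipped. The flag-setting
 * handlers (CMP, DEC) are instead scanned up to their exit address and the
 * flag-setting paths visited on the way are reported. Entries that match no
 * rule are run-length collapsed and printed raw. The total entry count is
 * printed last.
 *
 * @param {Array<{addr: string, target?: string, taken?: *}>} branches
 */
const print = (branches) => {
  // Walk from `start` until an entry at `stopAddr`, recording which of
  // `flagAddrs` were visited. Returns the index just past the stop entry — or
  // past the end of the trace when the stop address never appears, so a
  // truncated trace ends the decode instead of throwing on an undefined entry.
  const scanUntil = (start, stopAddr, flagAddrs) => {
    const seen = new Map(flagAddrs.map((a) => [a, false]));
    let j = start;
    while (j < branches.length && branches[j].addr !== stopAddr) {
      if (seen.has(branches[j].addr)) seen.set(branches[j].addr, true);
      j += 1;
    }
    return { next: j + 1, seen };
  };

  // Handler table in priority order. A `call` entry carries both `addr` and
  // `target`, so the first matching rule wins and the order matters.
  // `skip` rules print `label` and advance by `skip` entries; `stop` rules
  // scan to `stop`, then print `label(seen)`.
  const rules = [
    { field: 'target', value: '1ead', label: 'ADD Ev,Gv', skip: 17 },
    {
      field: 'target', value: '2159', stop: '21f8', flags: ['1d06'],
      label: (seen) => `CMP Ev,Gv ZF=${seen.get('1d06')}`,
    },
    { field: 'target', value: '2389', label: 'INC r32', skip: 5 },
    { field: 'target', value: '28fd', label: 'JNLE / JG', skip: 3 },
    { field: 'addr', value: '2949', label: 'JNLE / JG taken', skip: 1 },
    { field: 'target', value: '2ebd', label: 'mov r32, imm32', skip: 8 },
    { field: 'target', value: '317d', label: 'short Jb', skip: 5 },
    { field: 'target', value: '3269', label: 'HLT->END', skip: 33 },
    { field: 'addr', value: '97e', label: 'PROLOGUE', skip: 79 },
    { field: 'target', value: '2645', label: 'JZ/JE', skip: 2 },
    { field: 'addr', value: '2672', label: 'JZ/JE taken', skip: 1 },
    { field: 'target', value: '2695', label: 'JNZ/JNE', skip: 2 },
    { field: 'addr', value: '26c2', label: 'JNZ/JNE taken?', skip: 1 },
    {
      field: 'target', value: '23e7', stop: '1d67', flags: ['1d41', '1d06'],
      label: (seen) => `DEC r32 ZF=${seen.get('1d06')} OF=${seen.get('1d41')}`,
    },
    { field: 'target', value: '251a', label: 'PUSH imm32', skip: 13 },
    { field: 'target', value: '24c3', label: 'POP r32', skip: 7 },
    { field: 'target', value: '2c33', label: 'MOV r/m32,r32', skip: 11 },
    { field: 'target', value: '3144', label: 'JMP near Jz', skip: 7 },
  ];

  // Entries whose address falls in this range are dropped without output.
  // NOTE(review): presumably a dispatcher/loop region of the VM — confirm.
  const SILENT_LO = 0x39e7;
  const SILENT_HI = 0x3b86;

  let i = 0;
  while (i < branches.length) {
    const b = branches[i];

    const rule = rules.find((r) => b[r.field] === r.value);
    if (rule !== undefined) {
      if (rule.stop !== undefined) {
        const { next, seen } = scanUntil(i, rule.stop, rule.flags);
        console.log(rule.label(seen));
        i = next;
      } else {
        console.log(rule.label);
        i += rule.skip;
      }
      continue;
    }

    const addrValue = Number.parseInt(b.addr, 16);
    if (addrValue >= SILENT_LO && addrValue < SILENT_HI) {
      i += 1;
      continue;
    }

    // Unrecognised entry: collapse the run of identical (addr, taken) pairs.
    // The run always includes `b` itself, so `i` advances by at least one.
    let count = 0;
    while (
      i < branches.length &&
      branches[i].addr === b.addr &&
      branches[i].taken === b.taken
    ) {
      count += 1;
      i += 1;
    }
    console.log(`${JSON.stringify(b)} * ${count}`);
  }
  console.log(branches.length);
};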
// Entry point: decode the trace file named on the command line and print
// the recognised handler stream.
const branches = parseTrace(filename);
print(branches);