xpn/alpha_mixed.py

## alpha_mixed.py
# r2pipe script using ESIL to decode the msfvenom x86/alpha_mixed encoder

import r2pipe
import sys

def dump(addr):
        pass

def startEsil():
    r.cmd('e io.cache=true')
    r.cmd('e asm.bits=32')
    r.cmd('e asm.arch=x86')
    r.cmd('aei')
    r.cmd('aeip')
    r.cmd('aeim 0xffffd000 0x2000 stack')

def emulate():
    # First we need to find our current address
    cmd = r.cmdj('pdj 1')
    base = cmd[0]['offset']
    print "Base address: %x" % (base)

    # Now we grab the size of the payload
    cmd = r.cmdj('oj')
    end = cmd[0]['size']
    print "Size of payload: %x" % (end)

    lastfpu = 0

    # We need to fudge the FPU call, as Radare doesn't support this yet
    for i in range(10000):

        # Get reg values
        regs = r.cmdj('aerj')

        # Retrieve current EIP value
        cmd = r.cmdj('pdj 1 @ ' + str(regs['eip']))[0]
        if cmd['family'] == 'fpu':
            if cmd['opcode'].startswith('fnstenv'):
                # If we have our FPU instruction, we dump the location of the last FPU instruction (mock)
                r.cmd('wv %d @ %d' % (lastfpu, regs['esp']))
            else:
                lastfpu = cmd['offset']

        # The 'jne' call is the final call before our payload
        if cmd['opcode'].startswith('jne'):
            decoded = cmd['offset'] + cmd['size']

            # We can ask the emulator to break after the jne call, which will be our decoded payload
            r.cmd('aecu ' + str(decoded))

            # Finally, we extract the original payload
            print r.cmd('pD %d @ %d' % (end - (decoded - base), base + (decoded - base)))

            raw = r.cmdj('p8j %d @ %d' % (end - (decoded - base), decoded))
            with open('out.bin', 'w') as f:
                f.write(''.join(map(chr, raw)))

            print "Raw code is now in ./out.bin"
            quit(0)


        r.cmd('aes')

r = r2pipe.open(sys.argv[1])
r.cmd('e asm.comments=false');
r.cmd('e asm.lines=false');
r.cmd('e asm.flags=false');
startEsil()
emulate()
	# r2pipe script using ESIL to decode the msfvenom x86/alpha_mixed encoder

	import r2pipe
	import sys

	def dump(addr):
	pass

	def startEsil():
	r.cmd('e io.cache=true')
	r.cmd('e asm.bits=32')
	r.cmd('e asm.arch=x86')
	r.cmd('aei')
	r.cmd('aeip')
	r.cmd('aeim 0xffffd000 0x2000 stack')

	def emulate():
	# First we need to find our current address
	cmd = r.cmdj('pdj 1')
	base = cmd[0]['offset']
	print "Base address: %x" % (base)

	# Now we grab the size of the payload
	cmd = r.cmdj('oj')
	end = cmd[0]['size']
	print "Size of payload: %x" % (end)

	lastfpu = 0

	# We need to fudge the FPU call, as Radare doesn't support this yet
	for i in range(10000):

	# Get reg values
	regs = r.cmdj('aerj')

	# Retrieve current EIP value
	cmd = r.cmdj('pdj 1 @ ' + str(regs['eip']))[0]
	if cmd['family'] == 'fpu':
	if cmd['opcode'].startswith('fnstenv'):
	# If we have our FPU instruction, we dump the location of the last FPU instruction (mock)
	r.cmd('wv %d @ %d' % (lastfpu, regs['esp']))
	else:
	lastfpu = cmd['offset']

	# The 'jne' call is the final call before our payload
	if cmd['opcode'].startswith('jne'):
	decoded = cmd['offset'] + cmd['size']

	# We can ask the emulator to break after the jne call, which will be our decoded payload
	r.cmd('aecu ' + str(decoded))

	# Finally, we extract the original payload
	print r.cmd('pD %d @ %d' % (end - (decoded - base), base + (decoded - base)))

	raw = r.cmdj('p8j %d @ %d' % (end - (decoded - base), decoded))
	with open('out.bin', 'w') as f:
	f.write(''.join(map(chr, raw)))

	print "Raw code is now in ./out.bin"
	quit(0)


	r.cmd('aes')

	r = r2pipe.open(sys.argv[1])
	r.cmd('e asm.comments=false');
	r.cmd('e asm.lines=false');
	r.cmd('e asm.flags=false');
	startEsil()
	emulate()