Created
July 9, 2020 11:59
-
-
Save y0ug/a113a5a91918462cd8aeeb6ff4151b9d to your computer and use it in GitHub Desktop.
PE x64 emulation with Triton
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ## -*- coding: utf-8 -*- | |
| from __future__ import print_function | |
| from triton import TritonContext, ARCH, CPUSIZE, MemoryAccess, OPCODE, Instruction | |
| import os | |
| import sys | |
| import string | |
| Triton = TritonContext() | |
| def getMemoryString(addr): | |
| s = str() | |
| index = 0 | |
| while Triton.getConcreteMemoryValue(addr+index): | |
| c = chr(Triton.getConcreteMemoryValue(addr+index)) | |
| if c not in string.printable: c = "" | |
| s += c | |
| index += 1 | |
| return s | |
| def getFormatString(addr): | |
| return getMemoryString(addr) \ | |
| .replace("%s", "{}").replace("%d", "{:d}").replace("%#02x", "{:#02x}") \ | |
| .replace("%#x", "{:#x}").replace("%x", "{:x}").replace("%02X", "{:02x}") \ | |
| .replace("%c", "{:c}").replace("%02x", "{:02x}").replace("%ld", "{:d}") \ | |
| .replace("%*s", "").replace("%lX", "{:x}").replace("%08x", "{:08x}") \ | |
| .replace("%u", "{:d}") \ | |
| # Simulate the strlen() function | |
| def strlenHandler(): | |
| print('[+] Strlen hooked') | |
| # Get arguments | |
| arg1 = getMemoryString(Triton.getConcreteRegisterValue(Triton.registers.rdi)) | |
| # Return value | |
| return len(arg1) | |
| def putsHandler(): | |
| print('[+] puts hooked') | |
| # Get arguments | |
| arg1 = getMemoryString(Triton.getConcreteRegisterValue(Triton.registers.rcx)) | |
| print(arg1) | |
| return 1 | |
| # Simulate the printf() function | |
| def printfHandler(): | |
| print('[+] printf hooked') | |
| # Get arguments | |
| arg1 = getFormatString(Triton.getConcreteRegisterValue(Triton.registers.rdi)) | |
| arg2 = Triton.getConcreteRegisterValue(Triton.registers.rsi) | |
| arg3 = Triton.getConcreteRegisterValue(Triton.registers.rdx) | |
| arg4 = Triton.getConcreteRegisterValue(Triton.registers.rcx) | |
| arg5 = Triton.getConcreteRegisterValue(Triton.registers.r8) | |
| arg6 = Triton.getConcreteRegisterValue(Triton.registers.r9) | |
| nbArgs = arg1.count("{") | |
| args = [arg2, arg3, arg4, arg5, arg6][:nbArgs] | |
| s = arg1.format(*args) | |
| sys.stdout.write(s) | |
| # Return value | |
| return len(s) | |
| hookTable = [ | |
| ('msvcrt.dll::strlen', strlenHandler), | |
| ('msvcrt.dll::printf', printfHandler), | |
| ('msvcrt.dll::puts', putsHandler), | |
| ] | |
| importTableBaseAddr = 0x10000000 | |
| importTable = [ | |
| ] | |
| haltFct = [ | |
| 'msvcrt.dll::exit', | |
| ] | |
| def hookingHandler(): | |
| pc = Triton.getConcreteRegisterValue(Triton.registers.rip) | |
| for entry in importTable: | |
| if entry[1] == pc: | |
| print('[*] call %s' % entry[0]) | |
| if entry[0] in haltFct: | |
| print('[*] byebye!') | |
| Triton.setConcreteRegisterValue(Triton.registers.rip, 0) | |
| return | |
| # default set EAX to 0 in case no hook are process | |
| Triton.setConcreteRegisterValue(Triton.registers.rax, 0) | |
| for hk in hookTable: | |
| if hk[0] == entry[0]: | |
| # Emulate the routine and the return value | |
| ret_value = hk[1]() | |
| Triton.setConcreteRegisterValue(Triton.registers.rax, ret_value) | |
| # Get the return address | |
| ret_addr = Triton.getConcreteMemoryValue(MemoryAccess(Triton.getConcreteRegisterValue(Triton.registers.rsp), CPUSIZE.QWORD)) | |
| # Hijack RIP to skip the call | |
| Triton.setConcreteRegisterValue(Triton.registers.rip, ret_addr) | |
| # Restore RSP (simulate the ret) | |
| Triton.setConcreteRegisterValue(Triton.registers.rsp, Triton.getConcreteRegisterValue(Triton.registers.rsp)+CPUSIZE.QWORD) | |
| return | |
| return | |
| # Emulate the CheckSolution() function. | |
| def emulate(pc): | |
| print('[+] Starting emulation.') | |
| i= 0 | |
| while pc: | |
| # Fetch opcode | |
| opcode = Triton.getConcreteMemoryAreaValue(pc, 16) | |
| # Create the Triton instruction | |
| instruction = Instruction() | |
| instruction.setOpcode(opcode) | |
| instruction.setAddress(pc) | |
| # Process | |
| if not Triton.processing(instruction): | |
| print('[*] failed to process instruction, skipping it') | |
| Triton.setConcreteRegisterValue(Triton.registers.rip, instruction.getNextAddress()) | |
| print(instruction) | |
| if instruction.getType() == OPCODE.X86.HLT: | |
| break | |
| # Simulate routines | |
| hookingHandler() | |
| # Next | |
| pc = Triton.getConcreteRegisterValue(Triton.registers.rip) | |
| i += 1 | |
| if i == 1000: break | |
| print('[+] Emulation done.') | |
| return | |
| def loadBinary(path): | |
| import lief | |
| binary = lief.parse(path) | |
| baddr = binary.optional_header.imagebase | |
| for s in binary.sections: | |
| vaddr = baddr + s.virtual_address | |
| size = s.virtual_size | |
| print('[+] Loading %s 0x%06x - 0x%06x' %(s.name, vaddr, vaddr + size)) | |
| Triton.setConcreteMemoryAreaValue(vaddr, s.content) | |
| return binary | |
| def makeImport(binary): | |
| # Perform our own import resolving | |
| baddr = binary.optional_header.imagebase | |
| cur_addr = importTableBaseAddr | |
| for imp in binary.imports: | |
| for fct in imp.entries: | |
| name = '%s::%s' % (imp.name, fct.name) | |
| Triton.setConcreteMemoryValue(MemoryAccess(baddr + fct.iat_address, CPUSIZE.QWORD), cur_addr) | |
| print('[+] Import %s 0x%08x -> 0x%08x' % ( name, | |
| baddr + fct.iat_address, cur_addr)) | |
| importTable.append([name, cur_addr]) | |
| cur_addr += 1 | |
| return | |
| if __name__ == '__main__': | |
| # Set the architecture | |
| Triton.setArchitecture(ARCH.X86_64) | |
| # Load the binary | |
| binary = loadBinary(sys.argv[1]) | |
| # Perform our own relocations | |
| makeImport(binary) | |
| # Define a fake stack | |
| Triton.setConcreteRegisterValue(Triton.registers.rbp, 0x7fffffff) | |
| Triton.setConcreteRegisterValue(Triton.registers.rsp, 0x6fffffff) | |
| # Let's emulate the binary from the entry point | |
| emulate(binary.entrypoint) | |
| sys.exit(0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [+] Loading .text 0x401000 - 0x402b88 | |
| [+] Loading .data 0x403000 - 0x4030c0 | |
| [+] Loading .rdata 0x404000 - 0x404880 | |
| [+] Loading .pdata 0x405000 - 0x405270 | |
| [+] Loading .xdata 0x406000 - 0x4061f0 | |
| [+] Loading .bss 0x407000 - 0x407980 | |
| [+] Loading .idata 0x408000 - 0x40876c | |
| [+] Loading .CRT 0x409000 - 0x409068 | |
| [+] Loading .tls 0x40a000 - 0x40a010 | |
| [+] Loading /4 0x40b000 - 0x40b480 | |
| [+] Loading /19 0x40c000 - 0x44f18b | |
| [+] Loading /31 0x450000 - 0x452967 | |
| [+] Loading /45 0x453000 - 0x456476 | |
| [+] Loading /57 0x457000 - 0x457a68 | |
| [+] Loading /70 0x458000 - 0x45880e | |
| [+] Loading /81 0x459000 - 0x45bfb9 | |
| [+] Loading /92 0x45c000 - 0x45c4d0 | |
| [+] Import KERNEL32.dll::DeleteCriticalSection 0x004081d4 -> 0x10000000 | |
| [+] Import KERNEL32.dll::EnterCriticalSection 0x004081dc -> 0x10000001 | |
| [+] Import KERNEL32.dll::GetCurrentProcess 0x004081e4 -> 0x10000002 | |
| [+] Import KERNEL32.dll::GetCurrentProcessId 0x004081ec -> 0x10000003 | |
| [+] Import KERNEL32.dll::GetCurrentThreadId 0x004081f4 -> 0x10000004 | |
| [+] Import KERNEL32.dll::GetLastError 0x004081fc -> 0x10000005 | |
| [+] Import KERNEL32.dll::GetStartupInfoA 0x00408204 -> 0x10000006 | |
| [+] Import KERNEL32.dll::GetSystemTimeAsFileTime 0x0040820c -> 0x10000007 | |
| [+] Import KERNEL32.dll::GetTickCount 0x00408214 -> 0x10000008 | |
| [+] Import KERNEL32.dll::InitializeCriticalSection 0x0040821c -> 0x10000009 | |
| [+] Import KERNEL32.dll::LeaveCriticalSection 0x00408224 -> 0x1000000a | |
| [+] Import KERNEL32.dll::QueryPerformanceCounter 0x0040822c -> 0x1000000b | |
| [+] Import KERNEL32.dll::RtlAddFunctionTable 0x00408234 -> 0x1000000c | |
| [+] Import KERNEL32.dll::RtlCaptureContext 0x0040823c -> 0x1000000d | |
| [+] Import KERNEL32.dll::RtlLookupFunctionEntry 0x00408244 -> 0x1000000e | |
| [+] Import KERNEL32.dll::RtlVirtualUnwind 0x0040824c -> 0x1000000f | |
| [+] Import KERNEL32.dll::SetUnhandledExceptionFilter 0x00408254 -> 0x10000010 | |
| [+] Import KERNEL32.dll::Sleep 0x0040825c -> 0x10000011 | |
| [+] Import KERNEL32.dll::TerminateProcess 0x00408264 -> 0x10000012 | |
| [+] Import KERNEL32.dll::TlsGetValue 0x0040826c -> 0x10000013 | |
| [+] Import KERNEL32.dll::UnhandledExceptionFilter 0x00408274 -> 0x10000014 | |
| [+] Import KERNEL32.dll::VirtualProtect 0x0040827c -> 0x10000015 | |
| [+] Import KERNEL32.dll::VirtualQuery 0x00408284 -> 0x10000016 | |
| [+] Import msvcrt.dll::__C_specific_handler 0x00408294 -> 0x10000017 | |
| [+] Import msvcrt.dll::__getmainargs 0x0040829c -> 0x10000018 | |
| [+] Import msvcrt.dll::__initenv 0x004082a4 -> 0x10000019 | |
| [+] Import msvcrt.dll::__iob_func 0x004082ac -> 0x1000001a | |
| [+] Import msvcrt.dll::__lconv_init 0x004082b4 -> 0x1000001b | |
| [+] Import msvcrt.dll::__set_app_type 0x004082bc -> 0x1000001c | |
| [+] Import msvcrt.dll::__setusermatherr 0x004082c4 -> 0x1000001d | |
| [+] Import msvcrt.dll::_acmdln 0x004082cc -> 0x1000001e | |
| [+] Import msvcrt.dll::_amsg_exit 0x004082d4 -> 0x1000001f | |
| [+] Import msvcrt.dll::_cexit 0x004082dc -> 0x10000020 | |
| [+] Import msvcrt.dll::_fmode 0x004082e4 -> 0x10000021 | |
| [+] Import msvcrt.dll::_initterm 0x004082ec -> 0x10000022 | |
| [+] Import msvcrt.dll::_onexit 0x004082f4 -> 0x10000023 | |
| [+] Import msvcrt.dll::abort 0x004082fc -> 0x10000024 | |
| [+] Import msvcrt.dll::calloc 0x00408304 -> 0x10000025 | |
| [+] Import msvcrt.dll::exit 0x0040830c -> 0x10000026 | |
| [+] Import msvcrt.dll::fprintf 0x00408314 -> 0x10000027 | |
| [+] Import msvcrt.dll::free 0x0040831c -> 0x10000028 | |
| [+] Import msvcrt.dll::fwrite 0x00408324 -> 0x10000029 | |
| [+] Import msvcrt.dll::malloc 0x0040832c -> 0x1000002a | |
| [+] Import msvcrt.dll::memcpy 0x00408334 -> 0x1000002b | |
| [+] Import msvcrt.dll::puts 0x0040833c -> 0x1000002c | |
| [+] Import msvcrt.dll::signal 0x00408344 -> 0x1000002d | |
| [+] Import msvcrt.dll::strlen 0x0040834c -> 0x1000002e | |
| [+] Import msvcrt.dll::strncmp 0x00408354 -> 0x1000002f | |
| [+] Import msvcrt.dll::vfprintf 0x0040835c -> 0x10000030 | |
| [+] Starting emulation. | |
| 0x4014a0: sub rsp, 0x28 | |
| 0x4014a4: mov rax, qword ptr [rip + 0x2fe5] | |
| 0x4014ab: mov dword ptr [rax], 0 | |
| 0x4014b1: call 0x401620 | |
| 0x401620: push r12 | |
| 0x401622: push rbp | |
| 0x401623: push rdi | |
| 0x401624: push rsi | |
| 0x401625: push rbx | |
| 0x401626: sub rsp, 0x30 | |
| 0x40162a: mov rbx, qword ptr [rip + 0x1a6f] | |
| 0x401631: movabs rax, 0x2b992ddfa232 | |
| 0x40163b: mov qword ptr [rsp + 0x20], 0 | |
| 0x401644: cmp rbx, rax | |
| 0x401647: je 0x40165e | |
| 0x40165e: lea rcx, [rsp + 0x20] | |
| 0x401663: call qword ptr [rip + 0x6ba3] | |
| [*] call KERNEL32.dll::GetSystemTimeAsFileTime | |
| 0x401669: mov rsi, qword ptr [rsp + 0x20] | |
| 0x40166e: call qword ptr [rip + 0x6b78] | |
| [*] call KERNEL32.dll::GetCurrentProcessId | |
| 0x401674: mov ebp, eax | |
| 0x401676: call qword ptr [rip + 0x6b78] | |
| [*] call KERNEL32.dll::GetCurrentThreadId | |
| 0x40167c: mov edi, eax | |
| 0x40167e: call qword ptr [rip + 0x6b90] | |
| [*] call KERNEL32.dll::GetTickCount | |
| 0x401684: lea rcx, [rsp + 0x28] | |
| 0x401689: mov r12d, eax | |
| 0x40168c: call qword ptr [rip + 0x6b9a] | |
| [*] call KERNEL32.dll::QueryPerformanceCounter | |
| 0x401692: xor rsi, qword ptr [rsp + 0x28] | |
| 0x401697: mov eax, ebp | |
| 0x401699: movabs rdx, 0xffffffffffff | |
| 0x4016a3: xor rax, rsi | |
| 0x4016a6: mov esi, edi | |
| 0x4016a8: xor rsi, rax | |
| 0x4016ab: mov eax, r12d | |
| 0x4016ae: xor rax, rsi | |
| 0x4016b1: and rax, rdx | |
| 0x4016b4: cmp rax, rbx | |
| 0x4016b7: je 0x4016d8 | |
| 0x4016b9: mov rdx, rax | |
| 0x4016bc: not rdx | |
| 0x4016bf: mov qword ptr [rip + 0x19da], rax | |
| 0x4016c6: mov qword ptr [rip + 0x19e3], rdx | |
| 0x4016cd: add rsp, 0x30 | |
| 0x4016d1: pop rbx | |
| 0x4016d2: pop rsi | |
| 0x4016d3: pop rdi | |
| 0x4016d4: pop rbp | |
| 0x4016d5: pop r12 | |
| 0x4016d7: ret | |
| 0x4014b6: call 0x401170 | |
| 0x401170: push r13 | |
| 0x401172: push r12 | |
| 0x401174: push rbp | |
| 0x401175: push rdi | |
| 0x401176: push rsi | |
| 0x401177: push rbx | |
| 0x401178: sub rsp, 0x98 | |
| 0x40117f: mov ecx, 0xd | |
| 0x401184: xor eax, eax | |
| 0x401186: lea r8, [rsp + 0x20] | |
| 0x40118b: mov rdi, r8 | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x40118e: rep stosq qword ptr [rdi], rax | |
| 0x401191: mov rdi, qword ptr [rip + 0x32f8] | |
| 0x401198: mov r9d, dword ptr [rdi] | |
| 0x40119b: test r9d, r9d | |
| 0x40119e: jne 0x40141b | |
| 0x4011a4: mov rax, qword ptr gs:[0x30] | |
| 0x4011ad: mov rbx, qword ptr [rip + 0x322c] | |
| 0x4011b4: mov rsi, qword ptr [rax + 8] | |
| 0x4011b8: xor ebp, ebp | |
| 0x4011ba: mov r12, qword ptr [rip + 0x709b] | |
| 0x4011c1: jmp 0x4011d4 | |
| 0x4011d4: mov rax, rbp | |
| 0x4011d7: lock cmpxchg qword ptr [rbx], rsi | |
| 0x4011dc: test rax, rax | |
| 0x4011df: jne 0x4011c3 | |
| 0x4011e1: mov rsi, qword ptr [rip + 0x3208] | |
| 0x4011e8: xor ebp, ebp | |
| 0x4011ea: mov eax, dword ptr [rsi] | |
| 0x4011ec: cmp eax, 1 | |
| 0x4011ef: je 0x4013db | |
| 0x4011f5: mov eax, dword ptr [rsi] | |
| 0x4011f7: test eax, eax | |
| 0x4011f9: je 0x401444 | |
| 0x401444: mov rdx, qword ptr [rip + 0x2fe5] | |
| 0x40144b: mov rcx, qword ptr [rip + 0x2fce] | |
| 0x401452: mov dword ptr [rsi], 1 | |
| 0x401458: call 0x4029e0 | |
| 0x4029e0: jmp qword ptr [rip + 0x5906] | |
| [*] call msvcrt.dll::_initterm | |
| 0x40145d: jmp 0x401209 | |
| 0x401209: mov eax, dword ptr [rsi] | |
| 0x40120b: cmp eax, 1 | |
| 0x40120e: je 0x4013f0 | |
| 0x4013f0: mov rdx, qword ptr [rip + 0x3019] | |
| 0x4013f7: mov rcx, qword ptr [rip + 0x3002] | |
| 0x4013fe: call 0x4029e0 | |
| 0x4029e0: jmp qword ptr [rip + 0x5906] | |
| [*] call msvcrt.dll::_initterm | |
| 0x401403: mov dword ptr [rsi], 2 | |
| 0x401409: test ebp, ebp | |
| 0x40140b: jne 0x40121c | |
| 0x401411: xor eax, eax | |
| 0x401413: xchg qword ptr [rbx], rax | |
| 0x401416: jmp 0x40121c | |
| 0x40121c: mov rax, qword ptr [rip + 0x315d] | |
| 0x401223: mov rax, qword ptr [rax] | |
| 0x401226: test rax, rax | |
| 0x401229: je 0x401237 | |
| 0x40122b: xor r8d, r8d | |
| 0x40122e: mov edx, 2 | |
| 0x401233: xor ecx, ecx | |
| 0x401235: call rax | |
| 0x401820: push rsi | |
| 0x401821: push rbx | |
| 0x401822: sub rsp, 0x28 | |
| 0x401826: mov rax, qword ptr [rip + 0x2b03] | |
| 0x40182d: cmp dword ptr [rax], 2 | |
| 0x401830: je 0x401838 | |
| 0x401838: cmp edx, 2 | |
| 0x40183b: je 0x40184e | |
| 0x40184e: lea rbx, [rip + 0x780b] | |
| 0x401855: lea rsi, [rip + 0x7804] | |
| 0x40185c: cmp rsi, rbx | |
| 0x40185f: je 0x401842 | |
| 0x401842: mov eax, 1 | |
| 0x401847: add rsp, 0x28 | |
| 0x40184b: pop rbx | |
| 0x40184c: pop rsi | |
| 0x40184d: ret | |
| 0x401237: call 0x401c80 | |
| 0x401c80: push rbp | |
| 0x401c81: push r15 | |
| 0x401c83: push r14 | |
| 0x401c85: push r13 | |
| 0x401c87: push r12 | |
| 0x401c89: push rdi | |
| 0x401c8a: push rsi | |
| 0x401c8b: push rbx | |
| 0x401c8c: sub rsp, 0x38 | |
| 0x401c90: lea rbp, [rsp + 0x80] | |
| 0x401c98: mov esi, dword ptr [rip + 0x5982] | |
| 0x401c9e: test esi, esi | |
| 0x401ca0: je 0x401cb3 | |
| 0x401cb3: mov dword ptr [rip + 0x5963], 1 | |
| 0x401cbd: call 0x402720 | |
| 0x402720: sub rsp, 0x28 | |
| 0x402724: mov rcx, qword ptr [rip + 0x1c65] | |
| 0x40272b: xor eax, eax | |
| 0x40272d: cmp word ptr [rcx], 0x5a4d | |
| 0x402732: jne 0x402746 | |
| 0x402746: add rsp, 0x28 | |
| 0x40274a: ret | |
| 0x401cc2: cdqe | |
| 0x401cc4: lea rax, [rax + rax*4] | |
| 0x401cc8: lea rax, [rax*8 + 0xf] | |
| 0x401cd0: and rax, 0xfffffffffffffff0 | |
| 0x401cd4: call 0x402930 | |
| 0x402930: push rcx | |
| 0x402931: push rax | |
| 0x402932: cmp rax, 0x1000 | |
| 0x402938: lea rcx, [rsp + 0x18] | |
| 0x40293d: jb 0x402958 | |
| 0x402958: sub rcx, rax | |
| 0x40295b: or qword ptr [rcx], 0 | |
| 0x40295f: pop rax | |
| 0x402960: pop rcx | |
| 0x402961: ret | |
| 0x401cd9: mov r12, qword ptr [rip + 0x2680] | |
| 0x401ce0: mov rbx, qword ptr [rip + 0x2689] | |
| 0x401ce7: mov dword ptr [rip + 0x5933], 0 | |
| 0x401cf1: sub rsp, rax | |
| 0x401cf4: lea rax, [rsp + 0x20] | |
| 0x401cf9: mov qword ptr [rip + 0x5928], rax | |
| 0x401d00: mov rax, r12 | |
| 0x401d03: sub rax, rbx | |
| 0x401d06: cmp rax, 7 | |
| 0x401d0a: jle 0x401ca2 | |
| 0x401ca2: lea rsp, [rbp - 0x48] | |
| 0x401ca6: pop rbx | |
| 0x401ca7: pop rsi | |
| 0x401ca8: pop rdi | |
| 0x401ca9: pop r12 | |
| 0x401cab: pop r13 | |
| 0x401cad: pop r14 | |
| 0x401caf: pop r15 | |
| 0x401cb1: pop rbp | |
| 0x401cb2: ret | |
| 0x40123c: lea rcx, [rip + 0xf6d] | |
| 0x401243: call qword ptr [rip + 0x700b] | |
| [*] call KERNEL32.dll::SetUnhandledExceptionFilter | |
| 0x401249: mov rdx, qword ptr [rip + 0x3180] | |
| 0x401250: mov qword ptr [rdx], rax | |
| 0x401253: call 0x4020c0 | |
| 0x4020c0: push r12 | |
| 0x4020c2: push rbp | |
| 0x4020c3: push rdi | |
| 0x4020c4: push rsi | |
| 0x4020c5: push rbx | |
| 0x4020c6: sub rsp, 0x20 | |
| 0x4020ca: call 0x4027c0 | |
| 0x4027c0: sub rsp, 0x28 | |
| 0x4027c4: mov rcx, qword ptr [rip + 0x1bc5] | |
| 0x4027cb: xor r8d, r8d | |
| 0x4027ce: cmp word ptr [rcx], 0x5a4d | |
| 0x4027d3: jne 0x4027e0 | |
| 0x4027e0: mov rax, r8 | |
| 0x4027e3: add rsp, 0x28 | |
| 0x4027e7: ret | |
| 0x4020cf: mov rsi, rax | |
| 0x4020d2: mov eax, dword ptr [rip + 0x5570] | |
| 0x4020d8: test eax, eax | |
| 0x4020da: jne 0x402101 | |
| 0x4020dc: test rsi, rsi | |
| 0x4020df: je 0x402101 | |
| 0x402101: add rsp, 0x20 | |
| 0x402105: pop rbx | |
| 0x402106: pop rsi | |
| 0x402107: pop rdi | |
| 0x402108: pop rbp | |
| 0x402109: pop r12 | |
| 0x40210b: ret | |
| 0x401258: lea rcx, [rip - 0x25f] | |
| 0x40125f: call 0x402a50 | |
| 0x402a50: mov rax, rcx | |
| 0x402a53: xchg qword ptr [rip + 0x4ef6], rax | |
| 0x402a5a: ret | |
| 0x401264: call 0x4019f0 | |
| [*] failed to process instruction, skipping it | |
| 0x4019f0: fninit | |
| 0x4019f2: ret | |
| 0x401269: mov rax, qword ptr [rip + 0x3120] | |
| 0x401270: mov qword ptr [rip + 0x66f1], rax | |
| 0x401277: call 0x402a60 | |
| 0x402a60: mov rax, qword ptr [rip + 0x1949] | |
| 0x402a67: mov rax, qword ptr [rax] | |
| 0x402a6a: ret | |
| 0x40127c: xor ecx, ecx | |
| 0x40127e: mov rax, qword ptr [rax] | |
| 0x401281: test rax, rax | |
| 0x401284: jne 0x40129a | |
| 0x401286: jmp 0x4012ce | |
| 0x4012ce: mov r8d, dword ptr [rdi] | |
| 0x4012d1: test r8d, r8d | |
| 0x4012d4: je 0x4012ec | |
| 0x4012ec: mov ebx, dword ptr [rip + 0x5d36] | |
| 0x4012f2: lea r12d, [rbx + 1] | |
| 0x4012f6: movsxd r12, r12d | |
| 0x4012f9: shl r12, 3 | |
| 0x4012fd: mov rcx, r12 | |
| 0x401300: call 0x4029a0 | |
| 0x4029a0: jmp qword ptr [rip + 0x5986] | |
| [*] call msvcrt.dll::malloc | |
| 0x401305: mov r13, qword ptr [rip + 0x5d14] | |
| 0x40130c: mov rdi, rax | |
| 0x40130f: test ebx, ebx | |
| 0x401311: jle 0x401353 | |
| 0x401353: mov qword ptr [rax], 0 | |
| 0x40135a: mov qword ptr [rip + 0x5cbf], rdi | |
| 0x401361: call 0x4015e0 | |
| 0x4015e0: mov eax, dword ptr [rip + 0x5a4a] | |
| 0x4015e6: test eax, eax | |
| 0x4015e8: je 0x4015eb | |
| 0x4015eb: mov dword ptr [rip + 0x5a3b], 1 | |
| 0x4015f5: jmp 0x401580 | |
| 0x401580: push rsi | |
| 0x401581: push rbx | |
| 0x401582: sub rsp, 0x28 | |
| 0x401586: mov rdx, qword ptr [rip + 0x2dc3] | |
| 0x40158d: mov rax, qword ptr [rdx] | |
| 0x401590: mov ecx, eax | |
| 0x401592: cmp eax, -1 | |
| 0x401595: je 0x4015c9 | |
| 0x4015c9: xor eax, eax | |
| 0x4015cb: lea r8d, [rax + 1] | |
| 0x4015cf: mov ecx, eax | |
| 0x4015d1: cmp qword ptr [rdx + r8*8], 0 | |
| 0x4015d6: mov rax, r8 | |
| 0x4015d9: jne 0x4015cb | |
| 0x4015cb: lea r8d, [rax + 1] | |
| 0x4015cf: mov ecx, eax | |
| 0x4015d1: cmp qword ptr [rdx + r8*8], 0 | |
| 0x4015d6: mov rax, r8 | |
| 0x4015d9: jne 0x4015cb | |
| 0x4015db: jmp 0x401597 | |
| 0x401597: test ecx, ecx | |
| 0x401599: je 0x4015b7 | |
| 0x40159b: mov eax, ecx | |
| 0x40159d: sub ecx, 1 | |
| 0x4015a0: lea rbx, [rdx + rax*8] | |
| 0x4015a4: sub rax, rcx | |
| 0x4015a7: lea rsi, [rdx + rax*8 - 8] | |
| 0x4015ac: call qword ptr [rbx] | |
| 0x402b50: jmp 0x4014f0 | |
| 0x4014f0: lea rcx, [rip + 9] | |
| 0x4014f7: jmp 0x4014d0 | |
| 0x4014d0: sub rsp, 0x28 | |
| 0x4014d4: call 0x4029d8 | |
| 0x4029d8: jmp qword ptr [rip + 0x5916] | |
| [*] call msvcrt.dll::_onexit | |
| 0x4014d9: test rax, rax | |
| 0x4014dc: sete al | |
| 0x4014df: movzx eax, al | |
| 0x4014e2: neg eax | |
| 0x4014e4: add rsp, 0x28 | |
| 0x4014e8: ret | |
| 0x4015ae: sub rbx, 8 | |
| 0x4015b2: cmp rbx, rsi | |
| 0x4015b5: jne 0x4015ac | |
| 0x4015b7: lea rcx, [rip - 0x7e] | |
| 0x4015be: add rsp, 0x28 | |
| 0x4015c2: pop rbx | |
| 0x4015c3: pop rsi | |
| 0x4015c4: jmp 0x4014d0 | |
| 0x4014d0: sub rsp, 0x28 | |
| 0x4014d4: call 0x4029d8 | |
| 0x4029d8: jmp qword ptr [rip + 0x5916] | |
| [*] call msvcrt.dll::_onexit | |
| 0x4014d9: test rax, rax | |
| 0x4014dc: sete al | |
| 0x4014df: movzx eax, al | |
| 0x4014e2: neg eax | |
| 0x4014e4: add rsp, 0x28 | |
| 0x4014e8: ret | |
| 0x401366: mov rax, qword ptr [rip + 0x3033] | |
| 0x40136d: mov r8, qword ptr [rip + 0x5ca4] | |
| 0x401374: mov ecx, dword ptr [rip + 0x5cae] | |
| 0x40137a: mov rax, qword ptr [rax] | |
| 0x40137d: mov qword ptr [rax], r8 | |
| 0x401380: mov rdx, qword ptr [rip + 0x5c99] | |
| 0x401387: call 0x401510 | |
| 0x401510: push rbp | |
| 0x401511: mov rbp, rsp | |
| 0x401514: sub rsp, 0x20 | |
| 0x401518: mov dword ptr [rbp + 0x10], ecx | |
| 0x40151b: mov qword ptr [rbp + 0x18], rdx | |
| 0x40151f: call 0x4015e0 | |
| 0x4015e0: mov eax, dword ptr [rip + 0x5a4a] | |
| 0x4015e6: test eax, eax | |
| 0x4015e8: je 0x4015eb | |
| 0x4015ea: ret | |
| 0x401524: lea rcx, [rip + 0x2ad5] | |
| 0x40152b: call 0x402990 | |
| 0x402990: jmp qword ptr [rip + 0x59a6] | |
| [*] call msvcrt.dll::puts | |
| [+] puts hooked | |
| Hello World! | |
| 0x401530: mov eax, 0 | |
| 0x401535: add rsp, 0x20 | |
| 0x401539: pop rbp | |
| 0x40153a: ret | |
| 0x40138c: mov ecx, dword ptr [rip + 0x5c7a] | |
| 0x401392: mov dword ptr [rip + 0x5c78], eax | |
| 0x401398: test ecx, ecx | |
| 0x40139a: je 0x401462 | |
| 0x401462: mov ecx, eax | |
| 0x401464: call 0x4029c0 | |
| 0x4029c0: jmp qword ptr [rip + 0x5946] | |
| [*] call msvcrt.dll::exit | |
| [*] byebye! | |
| [+] Emulation done. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment