本文讲的是
Manticore:次世代二进制分析工具,
enter code: ==== The meds helped sum is 12
def get_main(bv):
    """Return the Binary Ninja function object for ``main``.

    Looks at the entry function's first low-level IL basic block and expects
    the instruction at index 11 to be the ``rdi = <const>`` assignment that
    loads the address of ``main`` (presumably the start stub handing ``main``
    to ``__libc_start_main`` -- the fixed index is specific to the sample's
    layout and will need adjusting for other binaries).

    Args:
        bv: a Binary Ninja ``BinaryView`` for the loaded binary.

    Returns:
        The function defined at the constant operand's address.

    Raises:
        Exception: when instruction 11 is not a constant assignment to ``rdi``.
    """
    first_block = bv.entry_function.low_level_il.basic_blocks[0]
    dest_reg, src_expr = first_block[11].operands
    # The register name is checked first so the IL-constant comparison is
    # only reached for an actual ``rdi`` assignment.
    looks_like_rdi_load = dest_reg == 'rdi' and src_expr.operation == LLIL_CONST
    if not looks_like_rdi_load:
        raise Exception('Instruction `rdi = main` not found.')
    main_address = src_expr.operands[0]
    return bv.get_function_at(main_address)
def symbolic(m, end_pc):
    """Discover the per-character checks at run time and hook them as found.

    A hook on every instruction (address ``None``) reads the word at PC and
    looks for the byte pattern ``48 83 ff ?? 74 0e`` -- ``cmp rdi, imm8``
    followed by ``je +0xe`` -- in little-endian order, i.e. the first three
    bytes in the low 24 bits and the ``je`` pair in bits 32..47.  Each match
    whose branch target is not yet in ``m.context['values']`` gets the
    solver hooks from ``set_hooks``; ``end_hook`` stops the run at ``end_pc``.

    The match needs six bytes, so this relies on ``read_int``'s default width
    being at least 64 bits -- confirm against the Manticore version in use.

    Args:
        m: Manticore instance.
        end_pc: address at which ``end_hook`` prints the key and terminates.
    """
    cmp_rdi_imm8 = 0xff8348   # bytes 48 83 ff
    je_plus_0e = 0x0e74       # bytes 74 0e

    @m.hook(None)
    def on_every_instruction(state):
        where = state.cpu.PC
        word = state.cpu.read_int(where)
        prefix_bytes = word & 0xFFFFFF
        branch_bytes = (word >> 32) & 0xFFFF
        if prefix_bytes != cmp_rdi_imm8 or branch_bytes != je_plus_0e:
            return
        # The match path lands 0x14 bytes past the compare (same layout
        # set_hooks assumes).
        match_addr = where + 0x14
        # NOTE(review): set_hooks is re-run for every state that reaches this
        # compare before the solver records the value -- the membership test
        # is the only guard; confirm Manticore tolerates repeated hooks at
        # one address.
        if match_addr not in m.context['values']:
            set_hooks(m, where)

    end_hook(m, end_pc)
def set_hooks(m, pc):
    """Install the three hooks that drive one ``cmp rdi, imm8 ; je`` check.

    ``pc`` is the address of the compare.  The offsets used here match the
    byte pattern searched for in ``symbolic``:

    * ``pc``        -- the compare itself.  If this check's answer is already
      in ``m.context['values']`` it is written into RDI so the state does
      not need another solver round-trip.
    * ``pc + 0x6``  -- the fall-through (mismatch) path; the state is abandoned.
    * ``pc + 0x14`` -- the branch target (match) path; a concrete RDI is
      obtained from the solver, stored under the target address, and the
      address is appended to ``m.context['target_order']``.

    Context entries are copied out, updated and assigned back rather than
    mutated in place; the other hooks in this script persist state the same
    way.  ``debug`` is a module-level flag defined outside this block.

    Args:
        m: Manticore instance providing ``hook`` and ``context``.
        pc: address of the compare instruction.
    """
    fall_through = pc + 0x6
    branch_target = pc + 0x14

    @m.hook(pc)
    def feed_known_value(state):
        here = state.cpu.PC
        known = m.context['values']
        key = here + 0x14
        if key not in known:
            return
        if debug:
            print('Writing %s at %s...' % (chr(known[key]), hex(here)))
        state.cpu.write_register('RDI', known[key])

    @m.hook(fall_through)
    def drop_state(state):
        if debug:
            print('Abandoning state at %s...' % hex(fall_through))
        state.abandon()

    @m.hook(branch_target)
    def record_solution(state):
        reached = state.cpu.PC
        # Another path already solved this check: nothing to record.
        if reached in m.context['values']:
            return
        concrete = state.solve_one(state.cpu.read_register('RDI'))
        known = m.context['values']
        known[reached] = concrete
        m.context['values'] = known
        order = m.context['target_order']
        order.append(reached)
        m.context['target_order'] = order
        if debug:
            print('Reached target %s. Current key: ' % (hex(reached)))
            key_so_far = ''.join([chr(m.context['values'][ea]) for ea in m.context['target_order']])
            print("'%s'" % key_so_far)
def end_hook(m, end_pc):
    """Hook ``end_pc`` to print the recovered key and stop exploration.

    The key is rebuilt from ``m.context``: ``target_order`` lists the branch
    targets in the order they were reached and ``values`` maps each target to
    the byte that satisfied its compare.

    Args:
        m: Manticore instance.
        end_pc: address whose first hit ends the run.
    """
    @m.hook(end_pc)
    def report_and_stop(state):
        print('GOAL:')
        order = m.context['target_order']
        values = m.context['values']
        recovered = ''.join([chr(values[ea]) for ea in order])
        print("'%s'" % recovered)
        m.terminate()
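# Static counterpart of concrete_pcs: for every binary in the distribution,
# pull the imm8 operand out of each "cmp rdi, imm8 ; je +0xe"
# (bytes 48 83 ff ?? 74 0e) and print the bytes as one quoted key per file.
# LC_ALL=C makes grep's "." match any single byte rather than a UTF-8 character;
# read -r and the quoted variables keep backslashes and spaces in the match intact.
ls -d -1 /path/to/magic_dist/* | while read -r file; do
    echo -n "'"
    LC_ALL=C grep -ao $'\x48\x83\xff.\x74\x0e' "$file" | while read -r line; do
        # the 4th byte of the 6-byte match is the immediate
        echo "$line" | head -c 4 | tail -c 1
    done
    echo "'"
done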
def concrete_pcs(m, pcs, end_pc):
    """Recover the key without the solver by reading each compare's immediate.

    For every compare address in ``pcs`` a hook decodes the ``imm8`` operand
    of ``cmp rdi, imm8`` directly from the instruction bytes (the fourth byte
    of the little-endian word read at PC, i.e. bits 24..31), writes it into
    RDI so the check passes, and records it in ``m.context`` under the branch
    target ``pc + 0x14`` so ``end_hook`` can print the assembled key.

    Args:
        m: Manticore instance.
        pcs: iterable of compare-instruction addresses.
        end_pc: address at which ``end_hook`` prints the key and stops.
    """
    def remember(target, byte_value):
        # Copy, update, assign back -- the same persistence pattern the
        # solver hooks use.
        known = m.context['values']
        known[target] = byte_value
        m.context['values'] = known
        order = m.context['target_order']
        order.append(target)
        m.context['target_order'] = order

    for compare_addr in pcs:
        @m.hook(compare_addr)
        def force_match(state):
            here = state.cpu.PC
            word = state.cpu.read_int(here)
            imm8 = (word >> 24) & 0xFF
            state.cpu.write_register('RDI', imm8)
            remember(here + 0x14, imm8)
            if debug:
                print('Reached target %s. Current key: ' % (hex(here)))
                key_so_far = ''.join([chr(m.context['values'][ea]) for ea in m.context['target_order']])
                print("'%s'" % key_so_far)

    end_hook(m, end_pc)
def symbolic_pcs(m, pcs, end_pc):
    """Solver-driven variant over known compare addresses.

    Each address in ``pcs`` gets the three hooks from ``set_hooks``; the run
    is finished by ``end_hook`` at ``end_pc``.

    Args:
        m: Manticore instance.
        pcs: iterable of compare-instruction addresses (as returned by ``get_pcs``).
        end_pc: address at which ``end_hook`` prints the key and terminates.
    """
    for compare_addr in pcs:
        set_hooks(m, compare_addr)
    end_hook(m, end_pc)
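def main():
    """Entry point: explore the binary given on the command line and print its key.

    Usage: ``script.py <binary>``.  Exits with status 2 and a usage line when
    the path argument is missing instead of failing with an IndexError.

    ``m.context['values']`` (branch target -> byte) and
    ``m.context['target_order']`` (targets in the order reached) are the
    shared state the hooks update and ``end_hook`` reads.
    """
    if len(sys.argv) < 2:
        sys.stderr.write('usage: %s <binary>\n' % sys.argv[0])
        sys.exit(2)
    path = sys.argv[1]
    m = Manticore(path)
    m.context['values'] = {}
    m.context['target_order'] = []
    pcs, end_pc = get_pcs(path)
    # Alternative strategies from the article: symbolic(m, end_pc) finds the
    # compares by hooking every instruction; concrete_pcs(m, pcs, end_pc)
    # reads the immediates instead of asking the solver.
    symbolic_pcs(m, pcs, end_pc)
    m.run()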
原文发布时间为:2017年5月18日
本文作者:xiaohui
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。