author | bloodstalker <thabogre@gmail.com> | 2018-01-20 00:11:24 +0000 |
---|---|---|
committer | bloodstalker <thabogre@gmail.com> | 2018-01-20 00:11:24 +0000 |
commit | 6fb05b832ff4937572e75ca2ecd9efc84de910ea (patch) | |
tree | 12141a2f09de22448e742009325fe039419ac602 | |
parent | update (diff) | |
download | mutator-6fb05b832ff4937572e75ca2ecd9efc84de910ea.tar.gz mutator-6fb05b832ff4937572e75ca2ecd9efc84de910ea.zip |
update
-rwxr-xr-x | bfd/codegen.py | 81 | ||||
-rwxr-xr-x | bfd/load.py | 35 | ||||
-rw-r--r-- | bfd/makefile | 2 | ||||
-rw-r--r-- | bfd/test/makefile | 6 | ||||
-rw-r--r-- | bruiser/bruiser-extra.h | 4 | ||||
-rw-r--r-- | bruiser/bruiser.cpp | 52 | ||||
-rw-r--r-- | bruiser/bruiser.h | 6 | ||||
-rw-r--r-- | bruiser/executioner.h | 50 | ||||
-rw-r--r-- | bruiser/lua-scripts/demo1.lua | 30 | ||||
-rw-r--r-- | bruiser/makefile | 2 | ||||
-rw-r--r-- | makefile | 2 | ||||
-rw-r--r-- | obfuscator/makefile | 2 | ||||
-rw-r--r-- | safercpp/makefile | 2 |
13 files changed, 251 insertions, 23 deletions
diff --git a/bfd/codegen.py b/bfd/codegen.py
new file mode 100755
index 0000000..fbac4a8
--- /dev/null
+++ b/bfd/codegen.py
@@ -0,0 +1,81 @@ +#!/bin/python3 + +import argparse +import code +import readline + +default_header="#include <stdint.h>\n" +main_sig="int main(int argc, char** argv)>" +def_kw="#define " +def_name = [] +separator="fff" +def_value = [] + +class Argparser(object): + def __init__(self): + parser = argparse.ArgumentParser() + parser.add_argument("--arglist", nargs="+", type=str, help="list of args") + parser.add_argument("--hex", action="store_true", help="generate hex(string) code, otherwise generate int", default=False) + self.args = parser.parse_args() + self.code = {} + +class CodeGen_Arg(object): + def __init__(self, arglist): + self.arglist = arglist + self.def_name = [] + self.def_value = [] + + def get_ret_type(self, type): + pass + + def gen_cast(self): + for argtype in self.arglist: + if argtype == "int8": self.def_name.append("i8") + elif argtype == "uint8":self.def_name.append("u8") + elif argtype == "uchar":self.def_name.append("c") + elif argtype == "char":self.def_name.append("c") + elif argtype == "lightuserdata":self.def_name.append("p") + elif argtype == "bool":self.def_name.append("b") + elif argtype == "int16":self.def_name.append("i16") + elif argtype == "uint16":self.def_name.append("u16") + elif argtype == "int32":self.def_name.append("i32") + elif argtype == "uint32":self.def_name.append("u32") + elif argtype == "int64":self.def_name.append("i64") + elif argtype == "uint64":self.def_name.append("u64") + elif argtype == "int128":self.def_name.append("i128") + elif argtype == "uint128":self.def_name.append("u128") + elif argtype == "float":self.def_name.append("f") + elif argtype == "double":self.def_name.append("d") + elif argtype == "long double":self.def_name.append("ld") + elif argtype == "string":self.def_name.append("s") + elif argtype == "custom":self.def_name.append("x") + else: + raise Exception("codegen : unknown type") + + def debugdump(self): + for argtype in self.arglist: + print(argtype) + + def genhex(): + pass + + def genint(): + 
pass + +# write code here +def premain(): + argparser = Argparser() + codegen = CodeGen_Arg(argparser.args.arglist) + codegen.debugdump() + +def main(): + try: + premain() + except: + variables = globals().copy() + variables.update(locals()) + shell = code.InteractiveConsole(variables) + shell.interact(banner="DEBUG REPL") + +if __name__ == "__main__": + main() diff --git a/bfd/load.py b/bfd/load.py index 08adfc5..ae984c8 100755 --- a/bfd/load.py +++ b/bfd/load.py @@ -24,6 +24,8 @@ class CLIArgParser(object): parser.add_argument("--objcode", action='store_true', help="dump objects", default=False) parser.add_argument("--test", action='store_true', help="test switch", default=False) parser.add_argument("--dynsym", action='store_true', help="dump dynamic symbol table", default=False) + parser.add_argument("--dlpath", action='store_true', help="dump dynamic linker path", default=False) + parser.add_argument("--section", type=str, help="dump a section") self.args = parser.parse_args() if self.args.obj is None: raise Exception("no object file provided. please specify an object with --obj.") @@ -296,6 +298,7 @@ class ELF(object): self.symbol_table_e = [] self.data_section = [] self.text_section = [] + self.dlpath = str() def init(self, size): self.size = size 
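Review bot: `main()` catches everything with a bare `except:` and drops into `code.InteractiveConsole`, so the `SystemExit` that argparse raises for `--help` or a malformed `--arglist` never terminates the script, and the `Exception("codegen : unknown type")` raised by `gen_cast` is swallowed into a REPL instead of failing the run; narrow it to `except Exception:` so interpreter exits still propagate. `genhex` and `genint` are declared without `self`, so calling either through a `CodeGen_Arg` instance raises `TypeError`. `main_sig` ends in a stray `>` (`"int main(int argc, char** argv)>"`), which yields an uncompilable signature once it is emitted.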
@@ -449,6 +452,36 @@ class ELF(object): print(name) return ret_list + def dump_section(self, section_name): + for section in self.shhdr: + name = self.read_section_name(byte2int(section.sh_name)) + if name == section_name: + self.so.seek(byte2int(section.sh_offset)) + obj = self.so.read(byte2int(section.sh_size)) + if section_name == ".interp": self.dlpath = repr(obj) + count = int() + strrep = [] + for byte in obj: + if count%16 == 0: + for ch in strrep: + if ord(ch) > 16: print(ch, end = '') + else: pass + print() + strrep = [] + print(format(count, "06x"), ': ', end='') + strrep.append(str(chr(byte))) + print(format(byte, '02x') + ' ', end='') + else: + strrep += str(chr(byte)) + print(format(byte, '02x') + ' ', end='') + count += 1 + for i in range(0, 16-count%16): print(" ", end="") + for ch in strrep: + if ord(ch) > 16: print(ch, end = '') + else: pass + print() + return self.dlpath + def dump_obj_size(self, stt_type, dump_b): ret_list = [] for entry in self.string_tb_e: @@ -706,6 +739,8 @@ def main(): elif argparser.args.test: elf.dump_symbol_string(ELF_ST_TYPE.STT_FUNC, True) elif argparser.args.test: elf.dump_symbol_string(ELF_ST_TYPE.STT_OBJECT, True) elif argparser.args.dynsym: elf.dump_st_entries_dyn() + elif argparser.args.dlpath: elf.dump_section(".interp") + elif argparser.args.section: elf.dump_section(argparser.args.section) except: variables = globals().copy() variables.update(locals()) diff --git a/bfd/makefile b/bfd/makefile index 2720678..0788260 100644 --- a/bfd/makefile +++ b/bfd/makefile @@ -7,7 +7,7 @@ TARGET=main ##################################RULES################################ .DEFAULT:all -.PHONY:all clean help $(TARGET) $(TARGET).so test +.PHONY:all clean help test all:$(TARGET) $(TARGET).so test diff --git a/bfd/test/makefile b/bfd/test/makefile index 8282536..7115100 100644 --- a/bfd/test/makefile +++ b/bfd/test/makefile 
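Review bot: In `dump_section` the printable test `if ord(ch) > 16` lets 0x11–0x1f (including ESC), 0x7f and 0x80–0xff through to `print`, so dumping a section of an untrusted ELF writes raw control bytes to the terminal; hexdump convention is `if 0x20 <= ord(ch) <= 0x7e: print(ch, end='')` with `else: print('.', end='')`, at both places the check appears. `self.so.read(byte2int(section.sh_size))` trusts the header's size field without comparing it to the file size, so a corrupt or crafted header can request an arbitrarily large read; clamp it to the remaining file length before reading. When no section name matches, the method silently returns the previous `self.dlpath` rather than reporting the miss, and for `.interp` the stored value is the `repr` of the raw bytes including the trailing NUL, which is not a usable path string. The enclosing class `ELF` starts and ends outside the hunk.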
@@ -7,9 +7,9 @@ TARGET=test ##################################RULES################################ .DEFAULT:all -.PHONY:all clean help $(TARGET) ASM +.PHONY:all clean help -all:$(TARGET) $(TARGET).so ASM +all:$(TARGET) $(TARGET).so $(TARGET).asm .c.o: $(CC) $(CC_FLAGS) -c $< -o $@ @@ -17,7 +17,7 @@ all:$(TARGET) $(TARGET).so ASM $(TARGET): $(TARGET).o $(CC) $^ $(LD_FLAGS) -o $@ -ASM: $(TARGET).o +$(TARGET).asm: $(TARGET).o objdump -d -M intel -S $(TARGET).o > $(TARGET).asm $(TARGET).so: $(TARGET).o diff --git a/bruiser/bruiser-extra.h b/bruiser/bruiser-extra.h index d6232a9..ac02451 100644 --- a/bruiser/bruiser-extra.h +++ b/bruiser/bruiser-extra.h @@ -125,6 +125,10 @@ std::vector<std::string> LUA_FUNCS = "listObjects", "xobjregister", "xobjwrapper", + "xcall(", + "xobjlist()", + "xallocglobal(", + "xallocallglobals()", "_G", "_VERSION", "assert", diff --git a/bruiser/bruiser.cpp b/bruiser/bruiser.cpp index 114b0ec..17e2a51 100644 --- a/bruiser/bruiser.cpp +++ b/bruiser/bruiser.cpp @@ -1250,6 +1250,7 @@ class LuaWrapper std::cout << "xobj will be registered as " << YELLOW << xobj_name << NORMAL << ". " << "it is recommended to use a post- or pre-fix for the xobj names to avoid namespace pollution." "\n"; std::cout << GREEN << "pointer: " << BLUE << xobj.first << " " << GREEN << "size: " << BLUE << xobj.second << NORMAL << "\n"; XObject ptr = (XObject)xobj.first; + executioner.pushvptr(xobj.first, xobj_name); ptr(); xobj_2int ptr2; ptr2 = (xobj_2int)ptr; 
@@ -1258,6 +1259,49 @@ class LuaWrapper return 0; } + int BruiserLuaCallX(lua_State* __ls) { + int numargs = lua_gettop(__ls); + if (numargs != 2) {PRINT_WITH_COLOR_LB(RED, "bad number of args. expected exactly two.");} + int x_index = lua_tointeger(__ls, 1); + int x_arg_num = lua_tointeger(__ls, 2); + xobj_2int ptr; + auto dummy = executioner.getvptrbyindex(x_index).first; + if (dummy != nullptr) { + ptr = (xobj_2int)dummy; + int result = ptr(30, 20); + std::cout << "call made to xobj named " << GREEN << executioner.getvptrbyindex(x_index).second << NORMAL << "\n"; + lua_pushnumber(__ls, result); + return 1; + } else { + PRINT_WITH_COLOR_LB(RED, "the index is too high into the xobj vector."); + return 0; + } + } + + int BruiserLuaXObjGetList(lua_State* __ls) { + auto xlist = executioner.getvptrs(); + lua_newtable(__ls); + if (!lua_checkstack(__ls, xlist.size() * 2)) { + PRINT_WITH_COLOR_LB(RED, "cant grow lua stack. current size is too small."); + } + for (auto& iter : xlist) { + std::cout << CYAN << iter.second << NORMAL <<"\n"; + lua_pushstring(__ls, iter.second.c_str()); + std::cout << MAGENTA << (long int)iter.first << NORMAL <<"\n"; + lua_pushinteger(__ls, (long int)iter.first); + lua_settable(__ls, -3); + } + return 1; + } + + int BruiserLuaXObjAllocGlobal(lua_State* __ls) { + int nuamrgs = lua_gettop(__ls); + std::string glob_name = lua_tostring(__ls , 1); + size_t size = lua_tointeger(__ls, 2); + return 0; + } + int BruiserLuaXObjAllocAllGlobals(lua_State* __ls) {return 0;} + /*read the m0 report*/ int BruiserLuaM0(lua_State* __ls) { @@ -1785,8 +1829,10 @@ int main(int argc, const char **argv) { /*initializing the log*/ bruiser::BruiserReport BruiserLog; - /*initing executioner*/ + /*initing xobj stuff*/ Executioner executioner; + Arguary arguary; + XGlobals xglobals; /*gets the compilation database and options for the clang instances that we would later run*/ CommonOptionsParser op(argc, argv, BruiserCategory); 
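Review bot: `BruiserLuaCallX` reports `numargs != 2` but does not return, so it goes on to read arguments 1 and 2 and call through the looked-up pointer anyway; make the check `if (numargs != 2) {PRINT_WITH_COLOR_LB(RED, "bad number of args. expected exactly two."); return 0;}`. `x_arg_num` is read and never used while the call is hard-coded as `ptr(30, 20)`, so the `num_args` parameter advertised in the help table has no effect, and a negative `x_index` from `lua_tointeger` converts to a large `unsigned int` when passed to `getvptrbyindex`. In `BruiserLuaXObjAllocGlobal`, `std::string glob_name = lua_tostring(__ls , 1);` constructs a `std::string` from `NULL` whenever argument 1 is neither a string nor a number, which is undefined behavior; `luaL_checkstring(__ls, 1)` raises a Lua error instead. In `BruiserLuaXObjGetList` a failed `lua_checkstack` is only printed and the pushes proceed regardless.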
@@ -1857,6 +1903,10 @@ int main(int argc, const char **argv) { lua_register(LE.GetLuaState(), "objload", &LuaDispatch<&LuaWrapper::BruiserPyLoader>); lua_register(LE.GetLuaState(), "listObjects", &LuaDispatch<&LuaWrapper::BruiserLuaListObjects>); lua_register(LE.GetLuaState(), "xobjregister", &LuaDispatch<&LuaWrapper::BruiserLuaxobjRegister>); + lua_register(LE.GetLuaState(), "xcall", &LuaDispatch<&LuaWrapper::BruiserLuaCallX>); + lua_register(LE.GetLuaState(), "xobjlist", &LuaDispatch<&LuaWrapper::BruiserLuaXObjGetList>); + lua_register(LE.GetLuaState(), "xallocglobal", &LuaDispatch<&LuaWrapper::BruiserLuaXObjAllocGlobal>); + lua_register(LE.GetLuaState(), "xallocallglobals", &LuaDispatch<&LuaWrapper::BruiserLuaXObjAllocAllGlobals>); /*its just regisering the List function from LuaWrapper with X-macros.*/ #define X(__x1, __x2) lua_register(LE.GetLuaState(), #__x1, &LuaDispatch<&LuaWrapper::List##__x1>); diff --git a/bruiser/bruiser.h b/bruiser/bruiser.h index 0dce545..ed7fe85 100644 --- a/bruiser/bruiser.h +++ b/bruiser/bruiser.h 
@@ -153,7 +153,11 @@ help CMDHelp[] = {
 {"objload()", "objload(\"main\", \"../bfd/test/test.so\")", "load the compiled functions into bruiser", "string", "success or failure"},
 {"listObjects()", "listObjects(\"function\")", "lists the loaded objects of the given type", "string", "success or failure"},
 {"xobjwrapper()", "xobjwrapper(\"function\")", "call an xobject", "", "success or failure"},
- {"xobjregister", "xobjregister(code_table, registration_name)", "registers an xobject as a callable function from lua", "", "pointer to the function"}
+ {"xobjregister", "xobjregister(code_table, registration_name)", "registers an xobject as a callable function from lua", "", "pointer to the function"},
+ {"xcall", "xcall(index, num_args)", "call xobj with the given index in to the xobj vector with the given number of args", "", "returns the xobj call result"},
+ {"xobjlist", "xobjlist()", "return a table containing xobj pointers and names. names are keys, values are the pointers.", "", "table of pairs"},
+ {"xallocglobal", "xallocglobal(index)", "allocate a global value with index index", "", ""},
+ {"xallocallglobals", "xallocallglobals()", "allocate all globals", "", ""}
 };
 /**********************************************************************************************************************/
 /**
diff --git a/bruiser/executioner.h b/bruiser/executioner.h
index 98bd08b..5c04be1 100644
--- a/bruiser/executioner.h
+++ b/bruiser/executioner.h
@@ -227,6 +227,14 @@ class Executioner {
 }
 void pusheph(std::function<int(lua_State*)> __eph) {ephs.push_back(__eph);}
+ void pushvptr(void* _vptr, std::string _name) {vptrs.push_back(std::make_pair(_vptr, _name));}
+ std::vector<std::pair<void*, std::string>> getvptrs(void) {return vptrs;}
+ std::pair<void*, std::string> getvptrbyindex(unsigned int _index) {
+ if (vptrs.size() - 1 >= _index) {
+ return vptrs[_index];
+ }
+ return std::make_pair(nullptr, "");
+ }
 private:
 std::vector<std::pair<void*, size_t>> obj_mem_ptrs;
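Review bot: The help entry `xallocglobal(index)` / "allocate a global value with index index" does not match `BruiserLuaXObjAllocGlobal` in bruiser.cpp, which reads a string name as argument 1 and an integer size as argument 2; change it to `{"xallocglobal", "xallocglobal(name, size)", "allocate a global value with the given name and size", "", ""},`. The `xcall` entry presents `num_args` as meaningful, but the implementation calls the xobj with two fixed integers, so the text should say the argument is currently ignored until variable arguments are wired up.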
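Review bot: `getvptrbyindex` guards with `vptrs.size() - 1 >= _index`, and `size()` is unsigned, so on an empty vector the subtraction wraps to `SIZE_MAX`, every index passes and `vptrs[_index]` reads out of bounds; write the guard as `if (_index < vptrs.size()) {`. `getvptrs` returns the vector by value, copying every entry on each `xobjlist` call; returning `const std::vector<std::pair<void*, std::string>>&` avoids that. The enclosing class `Executioner` starts and ends outside the hunk.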
@@ -235,6 +243,7 @@ class Executioner {
 std::vector<XObject> xobjs;
 std::vector<void*> xvoidptrs;
 std::vector<std::function<int(lua_State*)>> ephs;
+ std::vector<std::pair<void*, std::string>> vptrs;
 };
 /**********************************************************************************************************************/
 /**********************************************************************************************************************/
@@ -281,6 +290,47 @@ int devi_luareg(lua_State* __ls, xobj_2int __xobj, std::string __name, Execution
 #endif
 /**********************************************************************************************************************/
 /**********************************************************************************************************************/
+class Arguary {
+ public:
+ Arguary() = default;
+ ~Arguary() {}
+
+ void pass_ptr(void* _arg) {ptr_stack.push_back(_arg);}
+ void pass_int(int _arg) {int_stack.push_back(_arg);}
+ void pass_uint64(uint64_t _arg) {uint64_stack.push_back(_arg);}
+ void pass_string(char* _arg) {string_stack.push_back(_arg);}
+ void pass_float(float _arg) {float_stack.push_back(_arg);}
+ void pass_double(double _arg) {double_stack.push_back(_arg);}
+ void pass_llint(long long int _arg) {llint_stack.push_back(_arg);}
+ void clear_arg_stacks(void) {
+ ptr_stack.clear();
+ int_stack.clear();
+ uint64_stack.clear();
+ string_stack.clear();
+ float_stack.clear();
+ double_stack.clear();
+ llint_stack.clear();
+ }
+
+ private:
+ std::vector<void*> ptr_stack;
+ std::vector<int> int_stack;
+ std::vector<uint64_t> uint64_stack;
+ std::vector<char*> string_stack;
+ std::vector<float> float_stack;
+ std::vector<double> double_stack;
+ std::vector<long long int> llint_stack;
+};
+/**********************************************************************************************************************/
+/**********************************************************************************************************************/
+class XGlobals {
+ public:
+ XGlobals() {}
+ ~XGlobals() {}
+ private:
+};
+/**********************************************************************************************************************/
+/**********************************************************************************************************************/
 #endif
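Review bot: `pass_string(char* _arg)` stores a raw `char*` in `string_stack` that `Arguary` neither copies nor owns, so whatever buffer the caller passes must outlive the stack; if these are meant to come from `lua_tostring`, which this hunk does not show, the pointer is only valid while the Lua value stays on the stack, and storing `std::string` would make the class self-contained. The user-provided `~Arguary() {}` suppresses the implicit move constructor and move assignment, so the seven vectors are copied where a move would do; `~Arguary() = default;` or omitting the destructor keeps them. `XGlobals` is an empty shell whose no-op constructor and destructor add nothing over the implicit ones.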
/**********************************************************************************************************************/ /*last line intentionally left blank.*/ diff --git a/bruiser/lua-scripts/demo1.lua b/bruiser/lua-scripts/demo1.lua index eb55acb..0bf26f6 100644 --- a/bruiser/lua-scripts/demo1.lua +++ b/bruiser/lua-scripts/demo1.lua @@ -12,29 +12,32 @@ -- objload("elf_get_func_code", "../bfd/test/test.so", "code_list") -- -------------------------------------------------------------------------------------------------------------- +elf_file = "../bfd/test/test.so" +--elf_file = "../bfd/test/test" + function printObjNames() - local c = objload("elf_get_obj_names", "../bfd/test/test.so", "symbol_list") + local c = objload("elf_get_obj_names", elf_file, "symbol_list") for k,v in ipairs(c) do print(k,v) end end function printObjSizes() - local c = objload("elf_get_obj_sizes", "../bfd/test/test.so", "symbol_list") + local c = objload("elf_get_obj_sizes", elf_file, "symbol_list") for k,v in ipairs(c) do print(k,v) end end function printFuncNames() - local c = objload("elf_get_func_names", "../bfd/test/test.so", "symbol_list") + local c = objload("elf_get_func_names", elf_file, "symbol_list") for k,v in ipairs(c) do print(k,v) end end function printFuncCode() - local c = objload("elf_get_func_code", "../bfd/test/test.so", "code_list") + local c = objload("elf_get_func_code", elf_file, "code_list") for k,v in ipairs(c) do print(k,v) if #v ~= 0 then @@ -47,7 +50,7 @@ function printFuncCode() end function findMain() - local c = objload("elf_get_func_names", "../bfd/test/test.so", "symbol_list") + local c = objload("elf_get_func_names", elf_file, "symbol_list") for k,v in ipairs(c) do if v == "'main'" then io.write("main index is".." "..k.."\n") 
@@ -58,8 +61,8 @@ end function codeTables() local return_table = {} - local func_name_table = objload("elf_get_func_names", "../bfd/test/test.so", "symbol_list") - local code_table = objload("elf_get_func_code", "../bfd/test/test.so", "code_list") + local func_name_table = objload("elf_get_func_names", elf_file, "symbol_list") + local code_table = objload("elf_get_func_code", elf_file, "code_list") for i=1,#func_name_table,1 do return_table[func_name_table[i]] = code_table[i] end @@ -68,8 +71,8 @@ end function codeTableByName(name) local return_table = {} - local func_name_table = objload("elf_get_func_names", "../bfd/test/test.so", "symbol_list") - local code_table = objload("elf_get_func_code", "../bfd/test/test.so", "code_list") + local func_name_table = objload("elf_get_func_names", elf_file, "symbol_list") + local code_table = objload("elf_get_func_code", elf_file, "code_list") for k,v in ipairs(func_name_table) do if v == name then for k1, v1 in ipairs(code_table[k]) do @@ -83,8 +86,8 @@ end function codeTableByName_number(name) local return_table = {} - local func_name_table = objload("elf_get_func_names", "../bfd/test/test.so", "symbol_list") - local code_table = objload("elf_get_func_code", "../bfd/test/test.so", "code_list") + local func_name_table = objload("elf_get_func_names", elf_file, "symbol_list") + local code_table = objload("elf_get_func_code", elf_file, "code_list") for k,v in ipairs(func_name_table) do if v == name then for k1, v1 in ipairs(code_table[k]) do 
@@ -97,8 +100,8 @@ function codeTableByName_number(name) end function printFuncSizes() - local func_name_table = objload("elf_get_func_names", "../bfd/test/test.so", "symbol_list") - local code_table = objload("elf_get_func_code", "../bfd/test/test.so", "code_list") + local func_name_table = objload("elf_get_func_names", elf_file, "symbol_list") + local code_table = objload("elf_get_func_code", elf_file, "code_list") local counter = 1 print("function sizes:") for k, v in ipairs(code_table) do @@ -142,6 +145,7 @@ function main() printFuncSizes() + pwd() xobjregister(add2_code, "add2") xobjregister(sub2_code, "sub2") end diff --git a/bruiser/makefile b/bruiser/makefile index 680d314..9bc142f 100644 --- a/bruiser/makefile +++ b/bruiser/makefile @@ -17,7 +17,7 @@ EXTRA_LD_FLAGS+=$(shell $(PY_CONF) --ldflags) ######################################RULES#################################### .DEFAULT: all -.PHONY: all clean help $(BRUISER) +.PHONY: all clean help all: $(BRUISER) @@ -19,7 +19,7 @@ OBSC=obfuscator ######################################RULES#################################### .DEFAULT: all -.PHONY:all clean install help $(TARGET0) $(TARGET1) $(TARGET2) TAGS $(SFCPP01) $(BRUISER) $(OBSC) +.PHONY:all clean install help TAGS $(BRUISER) $(OBSC) $(TARGETC) $(TARGETD) $(TARGETS) $(SFCPP01) all: $(TARGET0) $(TARGET1) $(TARGET2) $(TARGETC) $(TARGETD) $(TARGETS) $(SFCPP01) $(BRUISER) $(OBSC) diff --git a/obfuscator/makefile b/obfuscator/makefile index dee61e2..ccfc405 100644 --- a/obfuscator/makefile +++ b/obfuscator/makefile @@ -7,7 +7,7 @@ OBSC=obfuscator ######################################RULES#################################### .DEFAULT: all -.PHONY: all clean help $(OBSC) +.PHONY: all clean help all: $(OBSC) diff --git a/safercpp/makefile b/safercpp/makefile index cd5a0b8..5c5791f 100644 --- a/safercpp/makefile +++ b/safercpp/makefile 
@@ -12,7 +12,7 @@ endif ######################################RULES#################################### .DEFAULT: all -.PHONY: all clean help $(SFCPP01) +.PHONY: all clean help all: $(SFCPP01) |