Diffstat (limited to 'bruiser')
-rw-r--r--bruiser/asmrewriter.c133
-rw-r--r--bruiser/asmrewriter.h30
-rw-r--r--bruiser/bruiser.cpp7
-rw-r--r--bruiser/bruisercapstone.c53
-rw-r--r--bruiser/bruisercapstone.h5
-rw-r--r--bruiser/lua-scripts/asmtest.lua6
-rw-r--r--bruiser/lua-scripts/demo2.lua42
-rw-r--r--bruiser/makefile2
8 files changed, 214 insertions, 64 deletions
diff --git a/bruiser/asmrewriter.c b/bruiser/asmrewriter.c
index 6226419..0cff6d6 100644
--- a/bruiser/asmrewriter.c
+++ b/bruiser/asmrewriter.c
@@ -28,7 +28,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.*
/**********************************************************************************************************************/
static JMP_S_T* convert_jmpt(lua_State* __ls, int index) {
JMP_S_T* dummy = (JMP_S_T*)lua_touserdata(__ls, index);
- //if (dummy == NULL) luaL_typerror(__ls, index, dummy);
+ if (dummy == NULL) printf("bad user data type.\n");
return dummy;
}
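Review bot: The replacement check in convert_jmpt prints "bad user data type." to stdout and then returns NULL anyway, so callers such as jmpt_tostring keep going with a null JMP_S_T*, and lua_touserdata never verifies the metatable, so any userdata is accepted as a jmp_s_t. luaL_typerror was dropped after Lua 5.1 (presumably why the old line was commented out); the replacement is `if (dummy == NULL) luaL_argerror(__ls, index, "jmp_s_t expected");`, which raises instead of returning. If a silent converter is really wanted, document that the return value may be NULL and make every caller check it.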
@@ -36,11 +36,11 @@ static JMP_S_T* check_jmpt(lua_State* __ls, int index) {
JMP_S_T* dummy;
luaL_checktype(__ls, index, LUA_TUSERDATA);
dummy = (JMP_S_T*)luaL_checkudata(__ls, index, "jmp_s_t");
- //if (dummy == NULL) luaL_typerror(__ls, index, dummy);
+ if (dummy == NULL) printf("bad user data type.\n");
return dummy;
}
-static JMP_S_T* push_jmpt(lua_State* __ls) {
+JMP_S_T* push_jmpt(lua_State* __ls) {
JMP_S_T* dummy = (JMP_S_T*)lua_newuserdata(__ls, sizeof(JMP_S_T));
luaL_getmetatable(__ls, "jmp_s_t");
lua_setmetatable(__ls, -2);
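Review bot: The added NULL check in check_jmpt is unreachable: luaL_checkudata raises a Lua error on a type mismatch and never returns NULL, so the printf can be dropped, and the preceding luaL_checktype is redundant for the same reason. push_jmpt continues past the end of this hunk. Since push_jmpt is now exported, its contract (returns the uninitialised userdata payload, leaves the userdata on the stack) deserves a comment in the header.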
@@ -48,12 +48,13 @@ static JMP_S_T* push_jmpt(lua_State* __ls) {
}
static int new_jmpt(lua_State* __ls) {
+ lua_checkstack(__ls, 12);
JMP_T jmp_t = luaL_optinteger(__ls, 1, 0);
uint64_t location = luaL_optinteger(__ls, 2, 0);
uint8_t size = luaL_optinteger(__ls, 3, 0);
- //
- //
- //
+ JMP_S_T* next = lua_touserdata(__ls, 4);
+ JMP_S_T* next_y = lua_touserdata(__ls, 5);
+ JMP_S_T* next_n = lua_touserdata(__ls, 6);
uint64_t address = luaL_optinteger(__ls, 7, 0);
uint64_t address_y = luaL_optinteger(__ls, 8, 0);
uint64_t address_n = luaL_optinteger(__ls, 9, 0);
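Review bot: Arguments 4–6 are read with lua_touserdata, which accepts any full or light userdata and does no metatable check, so a non-jmp_s_t value is stored as a JMP_S_T* and dereferenced later by the getters. Allow nil (the demo passes nil) but verify everything else: `JMP_S_T* next = lua_isnoneornil(__ls, 4) ? NULL : luaL_checkudata(__ls, 4, "jmp_s_t");` and likewise for 5 and 6. Note also that `uint8_t size = luaL_optinteger(...)` silently truncates values above 255, and that storing a raw pointer to another Lua-owned userdata does not keep that userdata alive. new_jmpt continues outside the hunk.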
@@ -64,9 +65,9 @@ static int new_jmpt(lua_State* __ls) {
dummy->type = jmp_t;
dummy->location = location;
dummy->size = size;
- //dummy->next =;
- //dummy->next_y =;
- //dummy->next_n =;
+ dummy->next = next;
+ dummy->next_y = next_y;
+ dummy->next_n = next_n;
dummy->address = address;
dummy->address_y = address_y;
dummy->address_n = address_n;
@@ -78,26 +79,70 @@ static int new_jmpt(lua_State* __ls) {
static int jmpt_custom(lua_State* __ls) {
JMP_S_T* dummy = check_jmpt(__ls, 1);
- printf("this is the jump table custom function.\n");
- lua_pushnumber(__ls, dummy->type);
- lua_pushnumber(__ls, dummy->location);
- lua_pushnumber(__ls, dummy->size);
+ //printf("this is the jump table custom function.\n");
+ //lua_checkstack(__ls, 12);
+ lua_pushinteger(__ls, dummy->type);
+ lua_pushinteger(__ls, dummy->location);
+ lua_pushinteger(__ls, dummy->size);
lua_pushlightuserdata(__ls, dummy->next);
lua_pushlightuserdata(__ls, dummy->next_y);
lua_pushlightuserdata(__ls, dummy->next_n);
- lua_pushnumber(__ls, dummy->address);
- lua_pushnumber(__ls, dummy->address_y);
- lua_pushnumber(__ls, dummy->address_n);
- lua_pushnumber(__ls, dummy->y);
- lua_pushnumber(__ls, dummy->n);
- lua_pushnumber(__ls, dummy->z);
+ lua_pushinteger(__ls, dummy->address);
+ lua_pushinteger(__ls, dummy->address_y);
+ lua_pushinteger(__ls, dummy->address_n);
+ lua_pushinteger(__ls, dummy->y);
+ lua_pushinteger(__ls, dummy->n);
+ lua_pushinteger(__ls, dummy->z);
return 12;
}
+#define GET_GENERATOR(X) \
+static int X(lua_State* __ls) { \
+ JMP_S_T* dummy = check_jmpt(__ls, 1);\
+ lua_pop(__ls, -1);\
+ lua_pushinteger(__ls, dummy->X);\
+ return 1;\
+}
+
+#define X_LIST_GEN \
+ X(type, "getter method for type")\
+ X(location, "getter method for location")\
+ X(size, "getter method for size")\
+ X(address, "getter method for address")\
+ X(address_y, "getter method for address_y")\
+ X(address_n, "getter method for address_n")\
+ X(y, "getter method for y")\
+ X(n, "getter method for n")\
+ X(z, "getter method for z")
+
+#define X(X1,X2) GET_GENERATOR(X1)
+X_LIST_GEN
+#undef X
+#undef X_LIST_GEN
+#undef SET_GENERATOR
+
+static int next(lua_State* __ls) {
+ JMP_S_T* dummy = check_jmpt(__ls, 1);
+ lua_pushlightuserdata(__ls, dummy->next);
+ return 1;
+}
+
+static int next_y(lua_State* __ls) {
+ JMP_S_T* dummy = check_jmpt(__ls, 1);
+ lua_pushlightuserdata(__ls, dummy->next_y);
+ return 1;
+}
+
+static int next_n(lua_State* __ls) {
+ JMP_S_T* dummy = check_jmpt(__ls, 1);
+ lua_pushlightuserdata(__ls, dummy->next_n);
+ return 1;
+}
+
#define SET_GENERATOR(X) \
static int jmpt_set_##X(lua_State* __ls) {\
JMP_S_T* dummy = check_jmpt(__ls,1);\
- dummy->type = luaL_checkinteger(__ls, 2);\
+ dummy->X = luaL_checkinteger(__ls, 2);\
lua_settop(__ls, 1);\
return 1;\
}
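Review bot: next, next_y and next_n push a light userdata even when the field is NULL, so Lua cannot detect the end of a chain with `~= nil` (a NULL light userdata is not nil), and a light userdata carries no jmp_s_t metatable, so the value returned by `t:next()` is rejected by check_jmpt when passed back to `custom` or `set_next`. At minimum push nil for NULL: `if (dummy->next == NULL) lua_pushnil(__ls); else lua_pushlightuserdata(__ls, dummy->next);` (same for next_y/next_n); returning a real jmp_s_t userdata would need a boxed-pointer design. Separately, `lua_pop(__ls, -1)` in GET_GENERATOR expands to `lua_settop(__ls, 0)` and clears the whole stack — harmless here, but write what is meant or remove it — and the `#undef SET_GENERATOR` after the getter X-list should be `#undef GET_GENERATOR`.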
@@ -119,11 +164,37 @@ X_LIST_GEN
#undef X_LIST_GEN
#undef SET_GENERATOR
-static int jmpt_set_next(lua_State* __ls) {}
-static int jmpt_set_next_y(lua_State* __ls) {}
-static int jmpt_set_next_n(lua_State* __ls) {}
+static int jmpt_set_next(lua_State* __ls) {
+ JMP_S_T* dummy = check_jmpt(__ls,1);
+ dummy->next = luaL_checkudata(__ls, 2, "jmp_s_t");
+ lua_settop(__ls, 1);
+ return 1;
+}
+
+static int jmpt_set_next_y(lua_State* __ls) {
+ JMP_S_T* dummy = check_jmpt(__ls,1);
+ dummy->next_y = luaL_checkudata(__ls, 2, "jmp_s_t");
+ lua_settop(__ls, 1);
+ return 1;
+}
+static int jmpt_set_next_n(lua_State* __ls) {
+ JMP_S_T* dummy = check_jmpt(__ls,1);
+ dummy->next_n = luaL_checkudata(__ls, 2, "jmp_s_t");
+ lua_settop(__ls, 1);
+ return 1;
+}
-static int jmpt_gc(lua_State* __ls) {}
+static int jmpt_gc(lua_State* __ls) {
+ JMP_S_T* dummy = check_jmpt(__ls,1);
+ //freejmptable(dummy);
+}
+
+static int jmpt_tostring(lua_State* __ls) {
+ char buff[32];
+ sprintf(buff, "%p", convert_jmpt(__ls , 1));
+ lua_pushfstring(__ls, "jmp_s_t (%s)", buff);
+ return 1;
+}
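Review bot: jmpt_gc falls off the end of a non-void function; Lua reads its return value as the number of results, so this is undefined behaviour and needs `return 0;` even while freejmptable stays commented out. jmpt_set_next/next_y/next_n store a raw pointer to another userdata with nothing pinning it, so once the Lua side drops its reference that node can be collected and the stored pointer dangles (the `--collectgarbage()` in demo2.lua looks like it hit exactly this); a registry reference via luaL_ref, or a uservalue table of referenced nodes, would keep it alive — TODO confirm against the GC policy intended here. jmpt_tostring can drop the sprintf buffer since lua_pushfstring supports %p: `lua_pushfstring(__ls, "jmp_s_t (%p)", (void*)convert_jmpt(__ls, 1));`.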
static const luaL_Reg jmpt_methods[] = {
{"new", new_jmpt},
@@ -139,11 +210,25 @@ static const luaL_Reg jmpt_methods[] = {
{"set_y", jmpt_set_y},
{"set_n", jmpt_set_n},
{"set_z", jmpt_set_z},
+ {"custom", jmpt_custom},
+ {"type", type},
+ {"location", location},
+ {"size", size},
+ {"next", next},
+ {"next_y", next_y},
+ {"next_n", next_n},
+ {"address", address},
+ {"address_y", address_y},
+ {"address_n", address_n},
+ {"y", y},
+ {"n", n},
+ {"z", z},
{0,0}
};
static const luaL_Reg jmpt_meta[] = {
{"__gc", jmpt_gc},
+ {"__tostring", jmpt_tostring},
{0, 0}
};
diff --git a/bruiser/asmrewriter.h b/bruiser/asmrewriter.h
index e8cd3c7..d700a8d 100644
--- a/bruiser/asmrewriter.h
+++ b/bruiser/asmrewriter.h
@@ -31,9 +31,10 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.*
#ifdef __cplusplus
extern "C" {
#endif
+
static JMP_S_T* convert_jmpt(lua_State* __ls, int index);
static JMP_S_T* check_jmpt(lua_State* __ls, int index);
-static JMP_S_T* push_jmpt(lua_State* __ls);
+JMP_S_T* push_jmpt(lua_State* __ls);
static int new_jmpt(lua_State* __ls);
static int jmpt_custom(lua_State* __ls);
@@ -57,6 +58,30 @@ X_LIST_GEN
#undef X_LIST_GEN
#undef SET_GENERATOR
+#define GET_GENERATOR(X) \
+static int X(lua_State* __ls);
+
+#define X_LIST_GEN \
+ X(type, "setter method for type")\
+ X(location, "setter method for location")\
+ X(size, "setter method for size")\
+ X(address, "setter method for address")\
+ X(address_y, "setter method for address_y")\
+ X(address_n, "setter method for address_n")\
+ X(y, "setter method for y")\
+ X(n, "setter method for n")\
+ X(z, "setter method for z")
+
+#define X(X1,X2) GET_GENERATOR(X1)
+X_LIST_GEN
+#undef X
+#undef X_LIST_GEN
+#undef SET_GENERATOR
+
+static int next(lua_State* __ls);
+static int next(lua_State* __ls);
+static int next(lua_State* __ls);
+
static int jmpt_set_next(lua_State* __ls);
static int jmpt_set_next_y(lua_State* __ls);
static int jmpt_set_next_n(lua_State* __ls);
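Review bot: Lines 252–254 declare `next` three times; next_y and next_n are never declared, so the header does not match asmrewriter.c. Replace the duplicates with `static int next_y(lua_State* __ls);` and `static int next_n(lua_State* __ls);`. The getter X-list comments say "setter method" (copy-paste from the setter list), and `#undef SET_GENERATOR` after it should be `#undef GET_GENERATOR`. Declaring file-scope static functions named `next`, `type`, `size`, `n`, `y`, `z` in a header also injects those names into every includer, including bruiser.cpp, where they are at best unused-function warnings and may collide with other identifiers — a `jmpt_get_` prefix would avoid that.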
@@ -65,10 +90,11 @@ static int jmpt_gc(lua_State* __ls);
int jmpt_register(lua_State* __ls);
-#endif
#ifdef __cplusplus
}
#endif
+
+#endif
/**********************************************************************************************************************/
/*last line intentionally left blank.*/
diff --git a/bruiser/bruiser.cpp b/bruiser/bruiser.cpp
index b7db84a..ae7359a 100644
--- a/bruiser/bruiser.cpp
+++ b/bruiser/bruiser.cpp
@@ -1602,9 +1602,10 @@ class LuaWrapper
if (numargs != 2) {PRINT_WITH_COLOR_LB(RED, "expected exactly two args. did not get that.");return 0;}
uint64_t size = lua_tointeger(__ls, 1);
std::vector<uint8_t> code_v = getLuaTableInt<uint8_t>(__ls, 2, 2);
- auto ptr = makejmptable(size, code_v.data());
- std::cout << RED << &ptr << NORMAL << "\n";
- lua_pushlightuserdata(__ls, ptr);
+ JMP_S_T* head = makejmptable(size, code_v.data(), Verbose);
+ JMP_S_T* dummy = push_jmpt(__ls);
+ dummy = head;
+ dumpjmptable(dummy);
return 1;
}
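Review bot: `dummy = head;` only rebinds the local pointer; the userdata that push_jmpt allocated and left on the Lua stack is never written, so Lua receives an indeterminate JMP_S_T while the malloc'ed head node is orphaned. If the intent is to hand the table to Lua, copy the head into the userdata and release the original: `*dummy = *head; free(head);` (the remaining nodes stay malloc-owned and reachable through dummy->next, so jmpt_gc must not free the head twice). Also `size` comes straight from Lua argument 1 and is never compared with code_v.size(), so cs_disasm can read past the vector's buffer: `if (size > code_v.size()) { PRINT_WITH_COLOR_LB(RED, "size exceeds code length."); return 0; }`. The enclosing function starts outside the hunk.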
diff --git a/bruiser/bruisercapstone.c b/bruiser/bruisercapstone.c
index 8e190c5..21b1743 100644
--- a/bruiser/bruisercapstone.c
+++ b/bruiser/bruisercapstone.c
@@ -31,8 +31,6 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.*
#include <string.h>
/**********************************************************************************************************************/
/**********************************************************************************************************************/
-JMP_S_T* head = NULL;
-JMP_S_T* tail = NULL;
extern char etext, edata, end;
// quad
#define CODE_1 "\x55\x48\x89\xe5\x48\x83\xec\x20\x89\x7d\xfc\x89\x75\xf8\x89\x55\xf4\x89\x4d\xf0\x8b\x7d\xfc\x8b\x75\xf8\xe8\xd1\xfd\xff\xff\x8b\x7d\xf4\x8b\x75\xf0\x89\x45\xec\xe8\xc3\xfd\xff\xff\x8b\x4d\xec\x1\xc1\x89\xc8\x48\x83\xc4\x20\x5d\xc3"
@@ -215,7 +213,7 @@ int call_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj) {
}
/**********************************************************************************************************************/
/**********************************************************************************************************************/
-JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
+JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose) {
csh handle;
cs_insn* insn;
size_t count;
@@ -223,8 +221,8 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
uint8_t code[16];
size_t size_counter = 0;
- head = malloc(sizeof(JMP_S_T));
- tail = malloc(sizeof(JMP_S_T));
+ JMP_S_T* head = malloc(sizeof(JMP_S_T));
+ JMP_S_T* tail = malloc(sizeof(JMP_S_T));
head->type = NONE;
head->next = NULL;
tail = head;
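Review bot: The `tail` allocation is leaked immediately, because `tail = head;` on the next line overwrites it; `JMP_S_T* tail = head;` is all that is needed. head is malloc'ed and only `type` and `next` are set, so its other fields (location, next_y, next_n, addresses) are indeterminate when the list is dumped or copied; `calloc(1, sizeof *head)` fixes that, and the allocation result should be checked before use.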
@@ -234,27 +232,27 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
#pragma GCC diagnostic ignored "-Wpointer-sign"
count = cs_disasm(handle, obj, size, 0x0, 0, &insn);
#pragma GCC diagnostic pop
- printf("number of instructions: %zu.\n\n", count);
+ if (Verbose) printf("number of instructions: %zu.\n\n", count);
cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON);
intmax_t address;
if (count > 0) {
size_t j;
for (j = 0; j < count; ++j) {
- printf(CYAN"%zu.\t"NORMAL, j);
- printf(GREEN"0x%"PRIx64":\t%s""\t\t%s\t"NORMAL, insn[j].address, insn[j].mnemonic, insn[j].op_str);
- for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(BLUE"%02x "NORMAL, code[i]);}
- printf("\n");
+ if (Verbose) printf(CYAN"%zu.\t"NORMAL, j);
+ if (Verbose) printf(GREEN"0x%"PRIx64":\t%s""\t\t%s\t"NORMAL, insn[j].address, insn[j].mnemonic, insn[j].op_str);
+ if (Verbose) for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(BLUE"%02x "NORMAL, code[i]);}
+ if (Verbose) printf("\n");
if (strcmp(insn[j].mnemonic, "jmp") == 0) {
char* endptr;
address = strtoumax(insn[j].op_str, &endptr, 0);
#if 1
- printf(RED"found a jmp\n");
- for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
- printf("\n");
- printf(RED"%jx\n", address);
- printf(RED"%d\n", insn[j].size);
+ if (Verbose) printf(RED"found a jmp\n");
+ if (Verbose) for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
+ if (Verbose) printf("\n");
+ if (Verbose) printf(RED"%jx\n", address);
+ if (Verbose) printf(RED"%d\n", insn[j].size);
#endif
JMP_S_T* dummy = malloc(sizeof(JMP_S_T));
dummy->location = insn[j].address;
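Review bot: The strtoumax result is taken on trust: for an indirect jump (`jmp rax`, `jmp qword ptr [rip + ...]`) op_str is not numeric, so address becomes 0 with endptr == op_str and a bogus entry with target 0 is recorded. Check the conversion, e.g. `if (endptr == insn[j].op_str) { /* indirect jmp: no static target */ continue; }`, or record the entry with a distinct type. Gating the `code[i] = insn[j].bytes[i]` loop on Verbose also means code[] is only filled in verbose mode; that is fine if nothing after this hunk reads it, otherwise it is a behaviour change — I cannot tell from here. makejmptable continues past the hunk.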
@@ -270,11 +268,11 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
char* endptr;
address = strtoimax(insn[j].op_str, &endptr, 0);
#if 1
- printf(RED"found a je\n");
- for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
- printf("\n");
- printf(RED"%jx\n", address);
- printf(RED"%d\n", insn[j].size);
+ if (Verbose) printf(RED"found a je\n");
+ if (Verbose) for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
+ if (Verbose) printf("\n");
+ if (Verbose) printf(RED"%jx\n", address);
+ if (Verbose) printf(RED"%d\n", insn[j].size);
#endif
JMP_S_T* dummy = malloc(sizeof(JMP_S_T));
dummy->location = insn[j].address;
@@ -290,11 +288,11 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
char* endptr;
address = strtoimax(insn[j].op_str, &endptr, 0);
#if 1
- printf(RED"found a jne\n");
- for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
- printf("\n");
- printf(RED"%lx\n", address);
- printf(RED"%d\n", insn[j].size);
+ if (Verbose) printf(RED"found a jne\n");
+ if (Verbose) for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
+ if (Verbose) printf("\n");
+ if (Verbose) printf(RED"%lx\n", address);
+ if (Verbose) printf(RED"%d\n", insn[j].size);
#endif
JMP_S_T* dummy = malloc(sizeof(JMP_S_T));
dummy->location = insn[j].address;
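Review bot: The jne branch still prints `address` (an intmax_t) with `%lx`, unlike the jmp/je branches which use `%jx`; keep them consistent and type-correct: `if (Verbose) printf(RED"%jx\n", address);`. The same unchecked-endptr caveat as the jmp branch applies here: a non-numeric op_str yields address 0.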
@@ -335,9 +333,10 @@ int freejmptable(JMP_S_T* _head) {
/**********************************************************************************************************************/
int dumpjmptable(JMP_S_T* current) {
while (current != NULL) {
- printf("jump location: %lx", current->location);
+ printf("jump location: %ld", current->location);
printf("\tjump address: %lu", current->address);
printf("\tjump type: %d", current->type);
+ printf("\tjump next: %x", &current->next);
printf("\tinstruction size: %d\n", current->size);
current = current->next;
}
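Review bot: `printf("\tjump next: %x", &current->next)` passes the address of the field to a `%x` conversion — a pointer where an unsigned int is expected, and the address of the slot rather than the pointer stored in it. Print the link itself with `%p`: `printf("\tjump next: %p", (void*)current->next);`. While here, `%ld` for a uint64_t location should use the inttypes macro the file already uses elsewhere, `printf("jump location: %" PRIx64, current->location);`, and `%lu` for address likewise `PRIu64`.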
@@ -402,7 +401,7 @@ int main(int argc, char** argv) {
tail = head;
#endif
uint8_t asm_code3[834];
- JMP_S_T* current = makejmptable(834, CODE_3);
+ JMP_S_T* current = makejmptable(834, CODE_3, true);
#if 0
while (current != NULL) {
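Review bot: `834` is duplicated as the array size and the length argument; `sizeof(CODE_3) - 1` expresses the intent and cannot drift from the literal, and `asm_code3` is unused in the visible part of main. main starts and ends outside the hunk.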
diff --git a/bruiser/bruisercapstone.h b/bruiser/bruisercapstone.h
index 6f9707e..1b4879f 100644
--- a/bruiser/bruisercapstone.h
+++ b/bruiser/bruisercapstone.h
@@ -51,8 +51,6 @@ typedef struct jmp_s_t {
JMP_S_T* iter_next(JMP_S_T* arg);
JMP_S_T* iter_next_y(JMP_S_T* arg);
JMP_S_T* iter_next_n(JMP_S_T* arg);
-extern JMP_S_T* head;
-extern JMP_S_T* tail;
uint32_t get_textsection_length(void);
uintptr_t get_symbol_rt_address(const char* symbol_name);
@@ -64,7 +62,7 @@ void leb128_decode_u(uint32_t value, uint8_t* ret_value, size_t size);
int ks_write(ks_arch arch, int mode, const char* assembly, int syntax, unsigned char* encode);
int global_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj);
int call_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj);
-JMP_S_T* makejmptable(size_t size, uint8_t* obj);
+JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose);
int freejmptable(JMP_S_T* _head);
int dumpjmptable(JMP_S_T* head);
void jmprewriter_j(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten);
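Review bot: The makejmptable prototype now uses `bool`, which in a C translation unit requires `<stdbool.h>`; if the header does not already include it (not visible in this hunk), add the include under the guard so C includers compile — C++ includers get `bool` natively.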
@@ -74,6 +72,7 @@ void jmprewriter_je(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten)
#ifdef __cplusplus
}
#endif
+
#endif
/**********************************************************************************************************************/
/*last line intentionally left blank.*/
diff --git a/bruiser/lua-scripts/asmtest.lua b/bruiser/lua-scripts/asmtest.lua
index 529b7a7..83b523a 100644
--- a/bruiser/lua-scripts/asmtest.lua
+++ b/bruiser/lua-scripts/asmtest.lua
@@ -1,6 +1,10 @@
function test()
print("running asmtest.lua")
- for k,v in pairs(jmp_s_t) do print(k,v) end
+ --for k,v in pairs(jmp_s_t) do print(k,v) end
+ local t = jmp_s_t.new()
+ print(t)
+ t:set_type(3)
+ print(t.type)
end
test()
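Review bot: `print(t.type)` prints the getter function itself (the value found through `__index`), not the value just stored by `t:set_type(3)`; presumably `print(t:type())` was intended, which would make this a real check that the setter worked.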
diff --git a/bruiser/lua-scripts/demo2.lua b/bruiser/lua-scripts/demo2.lua
index 03d6089..fc50cc1 100644
--- a/bruiser/lua-scripts/demo2.lua
+++ b/bruiser/lua-scripts/demo2.lua
@@ -55,13 +55,49 @@ function asm_rewriter()
freejmptable(haed)
end
+setmetatable(jmp_s_t, {__call = function(self, arg1,arg2,arg3,arg4,arg5,arg6,arg7,arg8,arg9,arg10,arg11,arg12)
+ local t = self.new(arg1,arg2,arg3,arg4,arg5,arg6,arg7,arg8,arg9,arg10,arg11,arg12)
+ print("created", t)
+ return t
+ end})
+
+function jmp_s_t:show(msg)
+ print(msg, self, self:custom())
+ return self
+end
+
function jmp_t_test()
- for k,v in pairs(jmp_s_t) do print(k,v) end
- local t = jmp_s_t.new()
+ local t = jmp_s_t.new(1,2,3,nil,nil,nil,7,8,9,0,0,1)
+ t:show("t is")
+ local t_next = jmp_s_t.new()
+ local t_next_y = jmp_s_t.new()
+ local t_next_n = jmp_s_t.new()
+ t:set_next(t_next)
+ t:set_next_y(t_next_y)
+ t:set_next_n(t_next_n)
+ t:show("t is")
+ tt = jmp_s_t()
+ tt:show("tt is")
+ --collectgarbage()
+ --t:show("t is")
+end
+
+function integ_test()
+ local text_section = xobj.getTextSection()
+ local head = jmp_s_t.new()
+ head = getjmptable(#text_section, text_section)
+ head:show("XXXXXhead is")
+ print(head:location())
+ --while head:next() ~= nil do
+ for i=1,11,1 do
+ head = head:next()
+ head:show("next is")
+ end
end
--main()
--pretty_dump()
--test()
--asm_rewriter()
-jmp_t_test()
+--jmp_t_test()
+integ_test()
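Review bot: integ_test walks exactly 11 links with no termination check, so it assumes the text section has at least 11 jumps and will misbehave on a shorter chain. The commented-out `while head:next() ~= nil` is the right shape but only works if the C getter returns nil at the end of the chain — as far as I can see from asmrewriter.c it currently returns a light userdata even for a NULL link, so confirm that first. `local head = jmp_s_t.new()` is dead, since head is reassigned on the next line.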
diff --git a/bruiser/makefile b/bruiser/makefile
index 62c954b..5f16931 100644
--- a/bruiser/makefile
+++ b/bruiser/makefile
@@ -52,7 +52,7 @@ $(LIB_LUA_JIT):
$(MAKE) -C LuaJIT
@echo "building with jit"
-$(BRUISER): $(BRUISER).o ../mutator_aux.o ../tinyxml2/tinyxml2.o linenoise.o CompletionHints.o mutagen.o ORCmutation.o bruiserffi.o bruisercapstone.o $(LIB_LUA) asmrewriter.o
+$(BRUISER): $(BRUISER).o ../mutator_aux.o ../tinyxml2/tinyxml2.o linenoise.o CompletionHints.o mutagen.o ORCmutation.o bruiserffi.o bruisercapstone.o asmrewriter.o $(LIB_LUA)
$(CXX) $^ $(LD_FLAGS) -o $@
clean: