From b85751a9544860eb711e722ca2f07efc034369e1 Mon Sep 17 00:00:00 2001 From: bloodstalker Date: Sun, 4 Mar 2018 18:03:19 +0330 Subject: wip-the lua syntax is not what i want to be yet and im having trouble with the JMP_S_T pointers --- bruiser/asmrewriter.c | 133 ++++++++++++++++++++++++++++++++-------- bruiser/asmrewriter.h | 30 ++++++++- bruiser/bruiser.cpp | 7 ++- bruiser/bruisercapstone.c | 53 ++++++++-------- bruiser/bruisercapstone.h | 5 +- bruiser/lua-scripts/asmtest.lua | 6 +- bruiser/lua-scripts/demo2.lua | 42 ++++++++++++- bruiser/makefile | 2 +- 8 files changed, 214 insertions(+), 64 deletions(-) (limited to 'bruiser') diff --git a/bruiser/asmrewriter.c b/bruiser/asmrewriter.c index 6226419..0cff6d6 100644 --- a/bruiser/asmrewriter.c +++ b/bruiser/asmrewriter.c @@ -28,7 +28,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.* /**********************************************************************************************************************/ static JMP_S_T* convert_jmpt(lua_State* __ls, int index) { JMP_S_T* dummy = (JMP_S_T*)lua_touserdata(__ls, index); - //if (dummy == NULL) luaL_typerror(__ls, index, dummy); + if (dummy == NULL) printf("bad user data type.\n"); return dummy; } @@ -36,11 +36,11 @@ static JMP_S_T* check_jmpt(lua_State* __ls, int index) { JMP_S_T* dummy; luaL_checktype(__ls, index, LUA_TUSERDATA); dummy = (JMP_S_T*)luaL_checkudata(__ls, index, "jmp_s_t"); - //if (dummy == NULL) luaL_typerror(__ls, index, dummy); + if (dummy == NULL) printf("bad user data type.\n"); return dummy; } -static JMP_S_T* push_jmpt(lua_State* __ls) { +JMP_S_T* push_jmpt(lua_State* __ls) { JMP_S_T* dummy = (JMP_S_T*)lua_newuserdata(__ls, sizeof(JMP_S_T)); luaL_getmetatable(__ls, "jmp_s_t"); lua_setmetatable(__ls, -2); 
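Review bot: In convert_jmpt and check_jmpt the new `if (dummy == NULL) printf("bad user data type.\n");` is not an error path: it writes to stdout and then returns NULL to callers such as jmpt_tostring, which dereference or format it anyway. Lua's idiom is to raise, e.g. `if (dummy == NULL) luaL_argerror(__ls, index, "jmp_s_t expected");` (luaL_argerror never returns, so the `return dummy;` after it only runs on the good path); luaL_typerror presumably stayed commented out because it no longer exists in Lua 5.2+. In check_jmpt the check is dead code, since luaL_checkudata already raises on a type mismatch. Note that convert_jmpt still accepts any full or light userdata, not only `jmp_s_t`, so it gives no type guarantee to its callers.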
@@ -48,12 +48,13 @@ static JMP_S_T* push_jmpt(lua_State* __ls) { } static int new_jmpt(lua_State* __ls) { + lua_checkstack(__ls, 12); JMP_T jmp_t = luaL_optinteger(__ls, 1, 0); uint64_t location = luaL_optinteger(__ls, 2, 0); uint8_t size = luaL_optinteger(__ls, 3, 0); - // - // - // + JMP_S_T* next = lua_touserdata(__ls, 4); + JMP_S_T* next_y = lua_touserdata(__ls, 5); + JMP_S_T* next_n = lua_touserdata(__ls, 6); uint64_t address = luaL_optinteger(__ls, 7, 0); uint64_t address_y = luaL_optinteger(__ls, 8, 0); uint64_t address_n = luaL_optinteger(__ls, 9, 0); @@ -64,9 +65,9 @@ static int new_jmpt(lua_State* __ls) { dummy->type = jmp_t; dummy->location = location; dummy->size = size; - //dummy->next =; - //dummy->next_y =; - //dummy->next_n =; + dummy->next = next; + dummy->next_y = next_y; + dummy->next_n = next_n; dummy->address = address; dummy->address_y = address_y; dummy->address_n = address_n; 
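Review bot: new_jmpt stores the raw results of `lua_touserdata(__ls, 4)`, `5` and `6` into `dummy->next`/`next_y`/`next_n` without any type check, and lua_touserdata returns a non-NULL address for any full or light userdata, so a wrong argument becomes a bogus `JMP_S_T*` rather than an error. The bigger problem is lifetime: nothing keeps the referenced userdata alive, so once the script drops its reference the Lua GC can collect it and the pointer in the struct dangles (the `--collectgarbage()` left commented out in demo2.lua looks like this was already observed; that is an inference). Validate with `luaL_testudata(__ls, 4, "jmp_s_t")` when the argument is not nil, and anchor the referenced object with a registry reference (`luaL_ref`) or `lua_setuservalue` on the new userdata. The return value of `lua_checkstack(__ls, 12)` is also ignored; it returns 0 on failure, though with 12 arguments plus one push the default LUA_MINSTACK already covers this call.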
@@ -78,26 +79,70 @@ static int new_jmpt(lua_State* __ls) { static int jmpt_custom(lua_State* __ls) { JMP_S_T* dummy = check_jmpt(__ls, 1); - printf("this is the jump table custom function.\n"); - lua_pushnumber(__ls, dummy->type); - lua_pushnumber(__ls, dummy->location); - lua_pushnumber(__ls, dummy->size); + //printf("this is the jump table custom function.\n"); + //lua_checkstack(__ls, 12); + lua_pushinteger(__ls, dummy->type); + lua_pushinteger(__ls, dummy->location); + lua_pushinteger(__ls, dummy->size); lua_pushlightuserdata(__ls, dummy->next); lua_pushlightuserdata(__ls, dummy->next_y); lua_pushlightuserdata(__ls, dummy->next_n); - lua_pushnumber(__ls, dummy->address); - lua_pushnumber(__ls, dummy->address_y); - lua_pushnumber(__ls, dummy->address_n); - lua_pushnumber(__ls, dummy->y); - lua_pushnumber(__ls, dummy->n); - lua_pushnumber(__ls, dummy->z); + lua_pushinteger(__ls, dummy->address); + lua_pushinteger(__ls, dummy->address_y); + lua_pushinteger(__ls, dummy->address_n); + lua_pushinteger(__ls, dummy->y); + lua_pushinteger(__ls, dummy->n); + lua_pushinteger(__ls, dummy->z); return 12; } +#define GET_GENERATOR(X) \ +static int X(lua_State* __ls) { \ + JMP_S_T* dummy = check_jmpt(__ls, 1);\ + lua_pop(__ls, -1);\ + lua_pushinteger(__ls, dummy->X);\ + return 1;\ +} + +#define X_LIST_GEN \ + X(type, "getter method for type")\ + X(location, "getter method for location")\ + X(size, "getter method for size")\ + X(address, "getter method for address")\ + X(address_y, "getter method for address_y")\ + X(address_n, "getter method for address_n")\ + X(y, "getter method for y")\ + X(n, "getter method for n")\ + X(z, "getter method for z") + +#define X(X1,X2) GET_GENERATOR(X1) +X_LIST_GEN +#undef X +#undef X_LIST_GEN +#undef SET_GENERATOR + +static int next(lua_State* __ls) { + JMP_S_T* dummy = check_jmpt(__ls, 1); + lua_pushlightuserdata(__ls, dummy->next); + return 1; +} + +static int next_y(lua_State* __ls) { + JMP_S_T* dummy = check_jmpt(__ls, 1); + 
lua_pushlightuserdata(__ls, dummy->next_y); + return 1; +} + +static int next_n(lua_State* __ls) { + JMP_S_T* dummy = check_jmpt(__ls, 1); + lua_pushlightuserdata(__ls, dummy->next_n); + return 1; +} + #define SET_GENERATOR(X) \ static int jmpt_set_##X(lua_State* __ls) {\ JMP_S_T* dummy = check_jmpt(__ls,1);\ - dummy->type = luaL_checkinteger(__ls, 2);\ + dummy->X = luaL_checkinteger(__ls, 2);\ lua_settop(__ls, 1);\ return 1;\ } @@ -119,11 +164,37 @@ X_LIST_GEN #undef X_LIST_GEN #undef SET_GENERATOR -static int jmpt_set_next(lua_State* __ls) {} -static int jmpt_set_next_y(lua_State* __ls) {} -static int jmpt_set_next_n(lua_State* __ls) {} +static int jmpt_set_next(lua_State* __ls) { + JMP_S_T* dummy = check_jmpt(__ls,1); + dummy->next = luaL_checkudata(__ls, 2, "jmp_s_t"); + lua_settop(__ls, 1); + return 1; +} + +static int jmpt_set_next_y(lua_State* __ls) { + JMP_S_T* dummy = check_jmpt(__ls,1); + dummy->next_y = luaL_checkudata(__ls, 2, "jmp_s_t"); + lua_settop(__ls, 1); + return 1; +} +static int jmpt_set_next_n(lua_State* __ls) { + JMP_S_T* dummy = check_jmpt(__ls,1); + dummy->next_n = luaL_checkudata(__ls, 2, "jmp_s_t"); + lua_settop(__ls, 1); + return 1; +} -static int jmpt_gc(lua_State* __ls) {} +static int jmpt_gc(lua_State* __ls) { + JMP_S_T* dummy = check_jmpt(__ls,1); + //freejmptable(dummy); +} + +static int jmpt_tostring(lua_State* __ls) { + char buff[32]; + sprintf(buff, "%p", convert_jmpt(__ls , 1)); + lua_pushfstring(__ls, "jmp_s_t (%s)", buff); + return 1; +} static const luaL_Reg jmpt_methods[] = { {"new", new_jmpt}, 
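Review bot: `lua_pop(__ls, -1)` inside GET_GENERATOR does not pop one value: lua_pop(L, n) is lua_settop(L, -(n)-1), so n = -1 expands to `lua_settop(__ls, 0)` and empties the whole stack. The getters work only because the single return value is pushed afterwards; drop the line, or write `lua_settop(__ls, 1);` if the intent is to normalize the stack. The `#undef SET_GENERATOR` after the getter X-list should be `#undef GET_GENERATOR`, which is otherwise left defined. The `next`/`next_y`/`next_n` getters push a light userdata even when the pointer is NULL, and a NULL light userdata is not `nil` in Lua, so scripts cannot test for the end of the list; push nil in that case, e.g. `if (dummy->next == NULL) lua_pushnil(__ls); else lua_pushlightuserdata(__ls, dummy->next);`. File-scope functions named `type`, `size`, `y`, `n`, `z` are also easy to confuse with locals and fields; a `jmpt_get_` prefix matching the existing `jmpt_set_` naming would read better.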
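Review bot: jmpt_gc is declared `int` but falls off the end without a `return`, so Lua reads an indeterminate value when the finalizer runs (undefined behaviour); it needs `return 0;` at the end. jmpt_set_next/next_y/next_n store the address of another full userdata obtained from `luaL_checkudata(__ls, 2, "jmp_s_t")` without keeping that object alive, so the pointer dangles as soon as the GC collects the argument; keep a reference (registry ref or user value) alongside the raw pointer. jmpt_tostring does not need the intermediate `sprintf` into `buff`: lua_pushfstring supports `%p`, so `lua_pushfstring(__ls, "jmp_s_t (%p)", convert_jmpt(__ls, 1)); return 1;` is enough, and check_jmpt should replace convert_jmpt there so that `tostring` on a foreign userdata raises instead of printing an unrelated address.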
@@ -139,11 +210,25 @@ static const luaL_Reg jmpt_methods[] = { {"set_y", jmpt_set_y}, {"set_n", jmpt_set_n}, {"set_z", jmpt_set_z}, + {"custom", jmpt_custom}, + {"type", type}, + {"location", location}, + {"size", size}, + {"next", next}, + {"next_y", next_y}, + {"next_n", next_n}, + {"address", address}, + {"address_y", address_y}, + {"address_n", address_n}, + {"y", y}, + {"n", n}, + {"z", z}, {0,0} }; static const luaL_Reg jmpt_meta[] = { {"__gc", jmpt_gc}, + {"__tostring", jmpt_tostring}, {0, 0} }; diff --git a/bruiser/asmrewriter.h b/bruiser/asmrewriter.h index e8cd3c7..d700a8d 100644 --- a/bruiser/asmrewriter.h +++ b/bruiser/asmrewriter.h @@ -31,9 +31,10 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.* #ifdef __cplusplus extern "C" { #endif + static JMP_S_T* convert_jmpt(lua_State* __ls, int index); static JMP_S_T* check_jmpt(lua_State* __ls, int index); -static JMP_S_T* push_jmpt(lua_State* __ls); +JMP_S_T* push_jmpt(lua_State* __ls); static int new_jmpt(lua_State* __ls); static int jmpt_custom(lua_State* __ls); @@ -57,6 +58,30 @@ X_LIST_GEN #undef X_LIST_GEN #undef SET_GENERATOR +#define GET_GENERATOR(X) \ +static int X(lua_State* __ls); + +#define X_LIST_GEN \ + X(type, "setter method for type")\ + X(location, "setter method for location")\ + X(size, "setter method for size")\ + X(address, "setter method for address")\ + X(address_y, "setter method for address_y")\ + X(address_n, "setter method for address_n")\ + X(y, "setter method for y")\ + X(n, "setter method for n")\ + X(z, "setter method for z") + +#define X(X1,X2) GET_GENERATOR(X1) +X_LIST_GEN +#undef X +#undef X_LIST_GEN +#undef SET_GENERATOR + +static int next(lua_State* __ls); +static int next(lua_State* __ls); +static int next(lua_State* __ls); + static int jmpt_set_next(lua_State* __ls); static int jmpt_set_next_y(lua_State* __ls); static int jmpt_set_next_n(lua_State* __ls); 
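Review bot: The header declares `static int next(lua_State* __ls);` three times and never declares `next_y` or `next_n`; the definitions in asmrewriter.c still compile because they precede their use, but the prototypes are wrong and should be `static int next_y(lua_State* __ls);` and `static int next_n(lua_State* __ls);`. The getter X-list strings all say "setter method for ..." (copy-paste from the setter list), and the trailing `#undef SET_GENERATOR` should be `#undef GET_GENERATOR`, which currently leaks out of the header into every includer. Declaring `static` functions in a public header is itself questionable: a translation unit such as bruiser.cpp that includes it gets declarations of internal-linkage functions it never defines, which at best yields unused-function warnings; only the non-static API (`push_jmpt`, `jmpt_register`) belongs here.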
@@ -65,9 +90,10 @@ static int jmpt_gc(lua_State* __ls); int jmpt_register(lua_State* __ls); -#endif #ifdef __cplusplus } +#endif + #endif /**********************************************************************************************************************/ /*last line intentionally left blank.*/ diff --git a/bruiser/bruiser.cpp b/bruiser/bruiser.cpp index b7db84a..ae7359a 100644 --- a/bruiser/bruiser.cpp +++ b/bruiser/bruiser.cpp @@ -1602,9 +1602,10 @@ class LuaWrapper if (numargs != 2) {PRINT_WITH_COLOR_LB(RED, "expected exactly two args. did not get that.");return 0;} uint64_t size = lua_tointeger(__ls, 1); std::vector code_v = getLuaTableInt(__ls, 2, 2); - auto ptr = makejmptable(size, code_v.data()); - std::cout << RED << &ptr << NORMAL << "\n"; - lua_pushlightuserdata(__ls, ptr); + JMP_S_T* head = makejmptable(size, code_v.data(), Verbose); + JMP_S_T* dummy = push_jmpt(__ls); + dummy = head; + dumpjmptable(dummy); return 1; } diff --git a/bruiser/bruisercapstone.c b/bruiser/bruisercapstone.c index 8e190c5..21b1743 100644 --- a/bruiser/bruisercapstone.c +++ b/bruiser/bruisercapstone.c @@ -31,8 +31,6 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.* #include /**********************************************************************************************************************/ /**********************************************************************************************************************/ -JMP_S_T* head = NULL; -JMP_S_T* tail = NULL; extern char etext, edata, end; // quad #define CODE_1 "\x55\x48\x89\xe5\x48\x83\xec\x20\x89\x7d\xfc\x89\x75\xf8\x89\x55\xf4\x89\x4d\xf0\x8b\x7d\xfc\x8b\x75\xf8\xe8\xd1\xfd\xff\xff\x8b\x7d\xf4\x8b\x75\xf0\x89\x45\xec\xe8\xc3\xfd\xff\xff\x8b\x4d\xec\x1\xc1\x89\xc8\x48\x83\xc4\x20\x5d\xc3" 
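Review bot: `JMP_S_T* dummy = push_jmpt(__ls); dummy = head;` only reassigns the local pointer: the userdata pushed by push_jmpt is returned to Lua with uninitialized contents (lua_newuserdata does not zero memory), and the list built by makejmptable is never attached to it, so it leaks and every getter the script calls reads garbage. Either copy the head node into the userdata (`*dummy = *head;` and then decide who frees `head`) or make the userdata a handle holding a `JMP_S_T*` so the whole list stays owned by C; `dumpjmptable(dummy)` should then walk the real list. Separately, `size` comes from Lua argument 1 and is never compared with `code_v.size()` before being passed to makejmptable, which disassembles `size` bytes from `code_v.data()`; add `if (size > code_v.size()) {PRINT_WITH_COLOR_LB(RED, "size exceeds code table length."); return 0;}` to avoid an over-read. The enclosing lambda/function begins before this hunk.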
@@ -215,7 +213,7 @@ int call_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj) {
 }
 /**********************************************************************************************************************/
 /**********************************************************************************************************************/
-JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
+JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose) {
 csh handle;
 cs_insn* insn;
 size_t count;
@@ -223,8 +221,8 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
 uint8_t code[16];
 size_t size_counter = 0;
 
- head = malloc(sizeof(JMP_S_T));
- tail = malloc(sizeof(JMP_S_T));
+ JMP_S_T* head = malloc(sizeof(JMP_S_T));
+ JMP_S_T* tail = malloc(sizeof(JMP_S_T));
 head->type = NONE;
 head->next = NULL;
 tail = head;
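Review bot: `JMP_S_T* tail = malloc(sizeof(JMP_S_T));` is overwritten by `tail = head;` three lines later, so every call to makejmptable leaks one node; neither malloc result is checked either. Only `type` and `next` of the head node are initialized, while `next_y`, `next_n`, `location`, `address` and the rest are read later by dumpjmptable and the Lua getters. Replace the two allocations with `JMP_S_T* head = calloc(1, sizeof *head); if (head == NULL) return NULL;` followed by `head->type = NONE; JMP_S_T* tail = head;`. Moving the list head out of the globals is the right direction, but callers now own the returned list and that contract (free with freejmptable) deserves a comment on the prototype. If bruisercapstone.c does not already include `<stdbool.h>`, the new `bool Verbose` parameter needs it.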
@@ -234,27 +232,27 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj) { #pragma GCC diagnostic ignored "-Wpointer-sign" count = cs_disasm(handle, obj, size, 0x0, 0, &insn); #pragma GCC diagnostic pop - printf("number of instructions: %zu.\n\n", count); + if (Verbose) printf("number of instructions: %zu.\n\n", count); cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON); intmax_t address; if (count > 0) { size_t j; for (j = 0; j < count; ++j) { - printf(CYAN"%zu.\t"NORMAL, j); - printf(GREEN"0x%"PRIx64":\t%s""\t\t%s\t"NORMAL, insn[j].address, insn[j].mnemonic, insn[j].op_str); - for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(BLUE"%02x "NORMAL, code[i]);} - printf("\n"); + if (Verbose) printf(CYAN"%zu.\t"NORMAL, j); + if (Verbose) printf(GREEN"0x%"PRIx64":\t%s""\t\t%s\t"NORMAL, insn[j].address, insn[j].mnemonic, insn[j].op_str); + if (Verbose) for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(BLUE"%02x "NORMAL, code[i]);} + if (Verbose) printf("\n"); if (strcmp(insn[j].mnemonic, "jmp") == 0) { char* endptr; address = strtoumax(insn[j].op_str, &endptr, 0); #if 1 - printf(RED"found a jmp\n"); - for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);} - printf("\n"); - printf(RED"%jx\n", address); - printf(RED"%d\n", insn[j].size); + if (Verbose) printf(RED"found a jmp\n"); + if (Verbose) for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);} + if (Verbose) printf("\n"); + if (Verbose) printf(RED"%jx\n", address); + if (Verbose) printf(RED"%d\n", insn[j].size); #endif JMP_S_T* dummy = malloc(sizeof(JMP_S_T)); dummy->location = insn[j].address; 
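Review bot: `cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON)` is still called after `cs_disasm`, so the `insn` array produced here carries no detail information; if any later code in this function relies on `insn[j].detail` (not visible in the hunk) it must move before the disassembly call. Gating `for (...) {code[i] = insn[j].bytes[i]; printf(...);}` behind `if (Verbose)` also removes the only visible writes to `code[]`, so if `code` is consumed further down in non-verbose runs it is now uninitialized; separate the copy from the printing, e.g. `memcpy(code, insn[j].bytes, sizeof code); if (Verbose) { ... }`. The `strtoumax(insn[j].op_str, &endptr, 0)` result is never validated: for `jmp rax` or `jmp [mem]` the operand is not numeric, the call returns 0 with `endptr == insn[j].op_str`, and a node with address 0 is silently appended; check `endptr` (or the operand type from capstone detail) and skip or flag indirect jumps.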
@@ -270,11 +268,11 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
 char* endptr;
 address = strtoimax(insn[j].op_str, &endptr, 0);
 #if 1
- printf(RED"found a je\n");
- for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
- printf("\n");
- printf(RED"%jx\n", address);
- printf(RED"%d\n", insn[j].size);
+ if (Verbose) printf(RED"found a je\n");
+ if (Verbose) for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
+ if (Verbose) printf("\n");
+ if (Verbose) printf(RED"%jx\n", address);
+ if (Verbose) printf(RED"%d\n", insn[j].size);
 #endif
 JMP_S_T* dummy = malloc(sizeof(JMP_S_T));
 dummy->location = insn[j].address;
@@ -290,11 +288,11 @@ JMP_S_T* makejmptable(size_t size, uint8_t* obj) {
 char* endptr;
 address = strtoimax(insn[j].op_str, &endptr, 0);
 #if 1
- printf(RED"found a jne\n");
- for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
- printf("\n");
- printf(RED"%lx\n", address);
- printf(RED"%d\n", insn[j].size);
+ if (Verbose) printf(RED"found a jne\n");
+ if (Verbose) for (int i = 0; i < 16; ++i) {code[i] = insn[j].bytes[i]; printf(RED"%02x "NORMAL, code[i]);}
+ if (Verbose) printf("\n");
+ if (Verbose) printf(RED"%lx\n", address);
+ if (Verbose) printf(RED"%d\n", insn[j].size);
 #endif
 JMP_S_T* dummy = malloc(sizeof(JMP_S_T));
 dummy->location = insn[j].address;
@@ -335,9 +333,10 @@ int freejmptable(JMP_S_T* _head) {
 /**********************************************************************************************************************/
 int dumpjmptable(JMP_S_T* current) {
 while (current != NULL) {
- printf("jump location: %lx", current->location);
+ printf("jump location: %ld", current->location);
 printf("\tjump address: %lu", current->address);
 printf("\tjump type: %d", current->type);
+ printf("\tjump next: %x", ¤t->next);
 printf("\tinstruction size: %d\n", current->size);
 current = current->next;
 }
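Review bot: In the jne branch `if (Verbose) printf(RED"%lx\n", address);` formats an `intmax_t` with `%lx`, which is a type mismatch on platforms where long is not intmax_t; use `%jx` as the jmp and je branches already do. The three near-identical verbose blocks (jmp/je/jne) would also be easier to keep consistent as one small `static void dump_insn(const cs_insn*, intmax_t)` helper called under `if (Verbose)`.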
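Review bot: The added `printf("\tjump next: %x", ¤t->next);` in dumpjmptable passes a pointer to `%x` (undefined behaviour and truncated on 64-bit) and, assuming `¤t` is a rendering artefact of `&current`, prints the address of the `next` field rather than the next node; write `printf("\tjump next: %p", (void*)current->next);`. The changed `printf("jump location: %ld", current->location)` still mismatches: `location` and `address` are `uint64_t`, so use `PRIu64`/`PRIx64` from <inttypes.h>, which this file already uses for `insn[j].address`.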
@@ -402,7 +401,7 @@ int main(int argc, char** argv) { tail = head; #endif uint8_t asm_code3[834]; - JMP_S_T* current = makejmptable(834, CODE_3); + JMP_S_T* current = makejmptable(834, CODE_3, true); #if 0 while (current != NULL) { diff --git a/bruiser/bruisercapstone.h b/bruiser/bruisercapstone.h index 6f9707e..1b4879f 100644 --- a/bruiser/bruisercapstone.h +++ b/bruiser/bruisercapstone.h @@ -51,8 +51,6 @@ typedef struct jmp_s_t { JMP_S_T* iter_next(JMP_S_T* arg); JMP_S_T* iter_next_y(JMP_S_T* arg); JMP_S_T* iter_next_n(JMP_S_T* arg); -extern JMP_S_T* head; -extern JMP_S_T* tail; uint32_t get_textsection_length(void); uintptr_t get_symbol_rt_address(const char* symbol_name); @@ -64,7 +62,7 @@ void leb128_decode_u(uint32_t value, uint8_t* ret_value, size_t size); int ks_write(ks_arch arch, int mode, const char* assembly, int syntax, unsigned char* encode); int global_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj); int call_rewriter(int offset, size_t size, uint8_t* asm_code, const char* obj); -JMP_S_T* makejmptable(size_t size, uint8_t* obj); +JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose); int freejmptable(JMP_S_T* _head); int dumpjmptable(JMP_S_T* head); void jmprewriter_j(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten); @@ -74,6 +72,7 @@ void jmprewriter_je(JMP_S_T* jmp, uint8_t* code, JMP_T type, uint8_t* rewritten) #ifdef __cplusplus } #endif + #endif /**********************************************************************************************************************/ /*last line intentionally left blank.*/ diff --git a/bruiser/lua-scripts/asmtest.lua b/bruiser/lua-scripts/asmtest.lua index 529b7a7..83b523a 100644 --- a/bruiser/lua-scripts/asmtest.lua +++ b/bruiser/lua-scripts/asmtest.lua 
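Review bot: The prototype `JMP_S_T* makejmptable(size_t size, uint8_t* obj, bool Verbose);` introduces `bool` into bruisercapstone.h, so C includers need `<stdbool.h>` from this header (C++ includers get `bool` for free); the header's include list is outside this hunk, so confirm it is present. Since the `head`/`tail` globals are gone, the returned list is now caller-owned; a one-line comment on the prototype such as `/* caller owns the returned list; release with freejmptable() */` would document that. The declaration `int dumpjmptable(JMP_S_T* head);` also disagrees with the definition's parameter name `current`, which is harmless but worth aligning.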
@@ -1,6 +1,10 @@ function test() print("running asmtest.lua") - for k,v in pairs(jmp_s_t) do print(k,v) end + --for k,v in pairs(jmp_s_t) do print(k,v) end + local t = jmp_s_t.new() + print(t) + t:set_type(3) + print(t.type) end test() diff --git a/bruiser/lua-scripts/demo2.lua b/bruiser/lua-scripts/demo2.lua index 03d6089..fc50cc1 100644 --- a/bruiser/lua-scripts/demo2.lua +++ b/bruiser/lua-scripts/demo2.lua @@ -55,13 +55,49 @@ function asm_rewriter() freejmptable(haed) end +setmetatable(jmp_s_t, {__call = function(self, arg1,arg2,arg3,arg4,arg5,arg6,arg7,arg8,arg9,arg10,arg11,arg12) + local t = self.new(arg1,arg2,arg3,arg4,arg5,arg6,arg7,arg8,arg9,arg10,arg11,arg12) + print("created", t) + return t + end}) + +function jmp_s_t:show(msg) + print(msg, self, self:custom()) + return self +end + function jmp_t_test() - for k,v in pairs(jmp_s_t) do print(k,v) end - local t = jmp_s_t.new() + local t = jmp_s_t.new(1,2,3,nil,nil,nil,7,8,9,0,0,1) + t:show("t is") + local t_next = jmp_s_t.new() + local t_next_y = jmp_s_t.new() + local t_next_n = jmp_s_t.new() + t:set_next(t_next) + t:set_next_y(t_next_y) + t:set_next_n(t_next_n) + t:show("t is") + tt = jmp_s_t() + tt:show("tt is") + --collectgarbage() + --t:show("t is") +end + +function integ_test() + local text_section = xobj.getTextSection() + local head = jmp_s_t.new() + head = getjmptable(#text_section, text_section) + head:show("XXXXXhead is") + print(head:location()) + --while head:next() ~= nil do + for i=1,11,1 do + head = head:next() + head:show("next is") + end end --main() --pretty_dump() --test() --asm_rewriter() -jmp_t_test() +--jmp_t_test() +integ_test() diff --git a/bruiser/makefile b/bruiser/makefile index 62c954b..5f16931 100644 --- a/bruiser/makefile +++ b/bruiser/makefile 
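Review bot: `print(t.type)` in asmtest.lua will not print the value set by `t:set_type(3)` if the metatable's `__index` resolves to the jmpt_methods table (jmpt_register is not in this patch, so that is an inference): `type` is registered there as a C function, so `t.type` evaluates to that function and the getter must be called, `print(t:type())`. Having plain field names double as method names in the same table as the `set_*` functions is what makes this easy to get wrong; either consistent `get_*` names or an `__index` that dispatches field reads to the getters would remove the ambiguity.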
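Review bot: integ_test cannot walk the list as written: on the C side `next()` pushes a light userdata, and `check_jmpt` (luaL_checkudata) rejects light userdata, so after `head = head:next()` the calls `head:show("next is")` and `head:location()` raise on the first iteration. The commented-out `while head:next() ~= nil` would not terminate either, because a NULL light userdata is a non-nil value in Lua; the C getters need to push nil for NULL and return a full `jmp_s_t` userdata (or a handle) for a non-NULL node. The `local head = jmp_s_t.new()` immediately overwritten by `getjmptable(...)` is a dead allocation and can be dropped, and the hard-coded `for i=1,11,1` bound should become a nil check once the getter returns nil at the end of the list.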
@@ -52,7 +52,7 @@ $(LIB_LUA_JIT): $(MAKE) -C LuaJIT @echo "building with jit" -$(BRUISER): $(BRUISER).o ../mutator_aux.o ../tinyxml2/tinyxml2.o linenoise.o CompletionHints.o mutagen.o ORCmutation.o bruiserffi.o bruisercapstone.o $(LIB_LUA) asmrewriter.o +$(BRUISER): $(BRUISER).o ../mutator_aux.o ../tinyxml2/tinyxml2.o linenoise.o CompletionHints.o mutagen.o ORCmutation.o bruiserffi.o bruisercapstone.o asmrewriter.o $(LIB_LUA) $(CXX) $^ $(LD_FLAGS) -o $@ clean: -- cgit v1.2.3