github
/
widevine-l3-guesser
mirror of https://github.com/Satsuoni/widevine-l3-guesser
1
Fork 0
Code Releases Activity
widevine-l3-guesser/ghidra_scripts/Deobfuscatorr.py

1040 lines
36 KiB
Python
Raw Permalink Blame History

# Simple attempt to follow obfuscated code. Mostly copied from SwitchOverride.java. Incomplete, please only use as reference.
#@author Satsuoni
#@category Deobfuscation
#@keybinding
#@menupath
#@toolbar
from binascii import hexlify
import logging
from ghidra.app.emulator import EmulatorHelper
from ghidra.util.task import ConsoleTaskMonitor
from ghidra.program.model.pcode import PcodeOp
from ghidra.program.model.symbol import *
from ghidra.program.model.pcode import JumpTable
from java.util import LinkedList, Arrays, ArrayList
from ghidra.app.cmd.function import CreateFunctionCmd
from ghidra.app.cmd.disassemble import DisassembleCommand
from ghidra.program.model.lang import Register
from ghidra.program.model.lang import OperandType
from ghidra.program.model.lang import RegisterManager
import sys
DATA_FILE="runData.json"
logger = logging.getLogger("")
logger.setLevel(logging.DEBUG)
handler1=logging.StreamHandler(sys.stdout)
# from StackOverflow
class WarnFormatter(logging.Formatter):
err_fmt = "ERROR: %(msg)s"
warn_fmt = "Warning: %(msg)s"
dbg_fmt = "DBG: %(module)s: %(lineno)d: %(msg)s"
info_fmt = "%(msg)s"
def __init__(self, fmt="%(levelno)s: %(msg)s"):
logging.Formatter.__init__(self, fmt)
def format(self, record):
# Save the original format configured by the user
# when the logger formatter was instantiated
format_orig = self._fmt
# Replace the original format with one customized by logging level
if record.levelno == logging.DEBUG:
self._fmt = WarnFormatter.dbg_fmt
elif record.levelno == logging.INFO:
self._fmt = WarnFormatter.info_fmt
elif record.levelno == logging.ERROR:
self._fmt = WarnFormatter.err_fmt
elif record.levelno == logging.WARNING:
self._fmt = WarnFormatter.warn_fmt
# Call the original formatter class to do the grunt work
result = logging.Formatter.format(self, record)
# Restore the original format configured by the user
self._fmt = format_orig
return result
formatter = WarnFormatter('%(message)s')
handler1.setFormatter(formatter)
handler2=logging.FileHandler("testlog.log", mode='w', encoding="utf-8")
handler2.setFormatter(formatter)
logger.addHandler(handler1)
logger.addHandler(handler2)
def getAddress(offset):
return currentProgram.getAddressFactory().getDefaultAddressSpace().getAddress(offset)
def getProgramRegisterList(currentProgram):
pc = currentProgram.getProgramContext()
return pc.registers
state = getState()
currentProgram = state.getCurrentProgram()
name = currentProgram.getName()
listing = currentProgram.getListing()
logger.info("Starting working on {}".format(name))
def getPossibleConstAddressFromInstruction(instr):
raw_pcode = instr.getPcode()
for code in raw_pcode:
if code.getOpcode()==PcodeOp.COPY:
inp=code.getInputs()[0]
if inp.size==8 and inp.isConstant():
return getAddress(inp.getOffset())
return None
def isReturn(instr):
if instr is None:
return False
raw_pcode = instr.getPcode()
for code in raw_pcode:
if code.getOpcode()==PcodeOp.RETURN:
return True
return False
def isComputedBranchInstruction( instr):
if instr is None:
return False
flowType = instr.getFlowType()
if flowType == RefType.COMPUTED_JUMP:
return True
if (flowType.isCall()):
#is it a callfixup?
referencesFrom = instr.getReferencesFrom()
for reference in referencesFrom:
if reference.getReferenceType().isCall():
func = currentProgram.getFunctionManager().getFunctionAt(reference.getToAddress())
if func is not None and func.getCallFixup() is not None:
return True
return False
def isCallInstruction(instr):
if instr is None:
return False
flowType = instr.getFlowType()
if flowType.isCall():
return True
return False
def isCallOther(instr):
if instr is None:
return False
raw_pcode = instr.getPcode()
for code in raw_pcode:
if code.getOpcode()==PcodeOp.CALLOTHER:
return True
return False
def getCondmoveInstruction(instr):
if instr is None:
return None
raw_pcode = instr.getPcode()
for entry in raw_pcode:
if entry.getOpcode()==PcodeOp.CBRANCH:
addr=entry.getInput(0)
if addr is None: continue
if addr.size==8 :
maybeaddr=getAddress(addr.getOffset())
nextInstr=instr.getNext()
if nextInstr is None:
return None
if nextInstr.getAddress()==maybeaddr:
return (instr.getAddress(),instr.getDefaultOperandRepresentation(0),
instr.getDefaultOperandRepresentation(1))
return None
def getPotentialJtableAccess(instr): #use mnemonic? movsx(d), add, jmp, returns None or (jtableReg,offsetReg,jumpAddr)
if instr is None:
return False
mnem=instr.getMnemonicString().lower()
if "movsx" in mnem:
nxt=instr.getNext()
if nxt is None: return None
nx=nxt.getMnemonicString().lower()
if not "add" in nx: return None
nxt=nxt.getNext()
if nxt is None: return None
if isComputedBranchInstruction(nxt):
objects=instr.getOpObjects(1)
if len(objects)!=3 or int(str(objects[2]),0)!=4:
return None
return (objects[0],objects[1],nxt.getAddress())
return None
def skip(emu):
executionAddress = emu.getExecutionAddress()
instr=getInstructionAt(executionAddress)
nextInstr=instr.getNext()
lval = int("0x{}".format(nextInstr.getAddress()), 16)
emu.writeRegister(emu.getPCRegister(), lval)
#there can be several cmove in one code step...
class Branch(object):
def __init__(self, addr, to, frm):
self.address=addr
self.true=frm
self.false=to
self.target=to
self.isTrueTaken=False
self.isFalseTaken=False
self.trueIndex=None
self.falseIndex=None
self.lastTaken=None
def take(self,pth,emu):
if emu.getExecutionAddress() !=self.address:
logger.warning("Trying to take branch {} at address {}".format(self.address,emu.getExecutionAddress()))
return
if pth:
val=emu.readRegister(self.true)
else:
val=emu.readRegister(self.false)
emu.writeRegister(self.target,val)
self.lastTaken=pth
skip(emu)
def registerOutput(self,output): #output is a tuple (type, value)
if self.lastTaken is None:
logger.warning("Trying to write output for branch {} that was not triggered".format(self.address))
return
if self.lastTaken:
if self.isTrueTaken:
if self.trueIndex[0]!=output[0] or self.trueIndex[1]!=output[1]:
logger.warning("Trying to overwrite true output for branch {} ".format(self.address))
return
else:
self.isTrueTaken=True
self.trueIndex=output
else:
if self.isFalseTaken:
if self.falseIndex[0]!=output[0] or self.falseIndex[1]!=output[1]:
logger.warning("Trying to overwrite false output for branch {} ".format(self.address))
return
else:
self.isFalseTaken=True
self.falseIndex=output
def hasUntakenPaths(self):
return not (self.isFalseTaken and self.isTrueTaken)
def getNextUntaken(self):
if not self.isFalseTaken: return False
if not self.isTrueTaken: return True
return None
def getExpectedOutput(self):
if self.lastTaken is None:
return None
if self.lastTaken:
return self.trueIndex
else:
return self.falseIndex
class BranchBox(object):
def __init__(self,index):
self.branches=[]
self.curbranch=None
self.trace=None
self.index=index # number in obfuscated jump
self.pathTaken=[]
self.pathToBox=[] #a path to retrace if you want to get to this box, I guess
logger.info("Registering new branch box at 0x{}".format(index))
def hasUntakenPaths(self):
for br in self.branches:
if br.hasUntakenPaths():
return True
return False
def registerBranch(self,condmove): # tuple..
#logger.info("Register branch {} {}".format(condmove,self.curbranch))
if self.curbranch is None:
if len(self.branches)==0:
br=Branch(condmove[0],condmove[1],condmove[2])
self.branches.append(br)
self.curbranch=self.branches[0]
return True
else:
self.curbranch=self.branches[0]
if self.curbranch.lastTaken is None:
if self.curbranch.address==condmove[0]: #goto next branch/ wait for taking
return True
else:
logger.warning("Trying to add branch for branch {} that was not triggered".format(self.curbranch.address))
return False
eo=self.curbranch.getExpectedOutput()
if eo is not None: #already have output, got there or fail
if eo[0]=="branch" and self.branches[eo[1]].address==condmove[0]:
self.curbranch=self.branches[eo[1]]
return True
else:
logger.warning("Failed following trace")
return False
#new branch
logger.info("new branch {} {} {}".format(self.index, self.curbranch.lastTaken,condmove[0]))
br=Branch(condmove[0],condmove[1],condmove[2])
self.curbranch.registerOutput(("branch",len(self.branches)))
self.branches.append(br)
self.curbranch=br
if len(self.branches)>1024:
logger.warning("Too many branches in one box")
return False
return True
def registerIndexOutput(self,index):
if self.curbranch is None:
logger.warning("Trying to put output to empty branchbox")
return False
if self.curbranch.lastTaken is None:
logger.warning("Trying to add branch for branch {} that was not triggered".format(self.curbranch.address))
return False
self.curbranch.registerOutput(("index",index))
return True
def reset(self):
self.trace=None
self.pathTaken=[]
self.curbranch=None
for br in self.branches:
br.lastTaken=None
if len(self.branches)>0:
self.curbranch=self.branches[0]
def loadTrace(self,trace):
self.trace=trace
def isTracing(self):
return self.trace is not None
def searchUntakenInTree(self, inindex):
dbranch=self.branches[inindex]
if dbranch.hasUntakenPaths(): return True
if dbranch.trueIndex[0]=="branch":
if self.searchUntakenInTree(dbranch.trueIndex[1]): return True
if dbranch.falseIndex[0]=="branch":
if self.searchUntakenInTree(dbranch.falseIndex[1]): return True
return False
def findNextUntakenStep(self):
pth=self.curbranch.getNextUntaken()
if pth is not None: return pth
#recursive search...
if self.curbranch.trueIndex[0]=="branch":
if self.searchUntakenInTree(self.curbranch.trueIndex[1]): return True
if self.curbranch.falseIndex[0]=="branch":
if self.searchUntakenInTree(self.curbranch.falseIndex[1]): return False
return None
def takeUntakenOrTrace(self,emu):
if len(self.branches)==0:
logger.warning("Branch box not initialized")
return
if self.curbranch is None:
self.curbranch=self.branches[0]
if self.curbranch.address!=emu.getExecutionAddress():
logger.warning("Branch box broken?")
return
if self.isTracing():
if len(self.trace)>0:
logger.info("Taking trace {}".format(self.trace[0]))
self.curbranch.take(self.trace[0],emu)
self.pathTaken.append(self.trace[0])
out=self.curbranch.getExpectedOutput()
self.trace=self.trace[1:]
if out is None:
logger.waring("Trace failed...")
return
#if out[0] is not "branch":
# self.curbranch=None
# return
#self.curbranch=self.branches[out[1]]
else:
logger.warning("Trace bound violation")
return
else:
pth=self.findNextUntakenStep()
if pth is None:
logger.warning("No untaken paths left for {}".format(self.index))
return
self.pathTaken.append(pth)
logger.info("Taking {}".format(pth))
self.curbranch.take(pth,emu)
class CPath(object):
def __init__(self):
self.path=[]
self.ending=None #path can end in branch, return, baddata, basic loop or infinite loop (iloop)
self.endJump=None
self.multiend=False
def contains(self,index):
return index in self.path
def addIndex(self,index):
if not self.contains(index):
self.path.append(index)
def estimateTableLen(table_addr,first_addr): # a rough estimate to be sure... the "switch guard" thing on top is usually lower
cnt=0
table=table_addr
while getInt(table)<0:
naddr=table_addr.add(getInt(table))
if naddr<first_addr or naddr>table_addr: break
cnt+=1
table=table.add(4)
return cnt
def tryGetSwitchGuard(instr): #also mnemonic based, so fragile
prev=instr.getPrevious()
if prev is None: return -1
prev=prev.getPrevious()
nx=prev.getMnemonicString().lower()
if nx == "cmp":
objects=prev.getOpObjects(1)
if len(objects)!=1: return -1
try:
return int(str(objects[0]),0)
except:
return -1
return -1
#bVar2 = (**(code **)(*plVar5 + 0x20))(plVar5);
def hexornot(hon):
try:
return "{:X}".format(hon)
except:
return str(hon)
class Operand(object):
def getVal(self,emu):
if self.type=="const":
return self.value
elif self.type=="register":
return emu.readRegister(self.value)
elif self.type=="stackvar":
return emu.readStackValue(int(self.value,0),self.length,False)
elif self.type=="memconst":
return 0 #need implementation?
def __hash__(self):
return hash((self.type, self.value))
def __eq__(self, other):
return (self.type, self.value) == (other.type, other.value)
def __ne__(self, other):
return not(self == other)
def __init__(self,instr,num):
self.type="unknown"
if instr is None:
return
if num>=instr.getNumOperands():
return
tp=instr.getOperandType(num)
objlist=instr.getOpObjects(num)
ln=len(objlist)
if ln==0:
return
if tp&OperandType.SCALAR: #const
self.type="const"
self.value=int(str(objlist[0]),16)
return
if tp&OperandType.REGISTER and len(objlist)==1: #pure register
self.type="register"
self.value=str(objlist[0])
return
if len(objlist)==2 and str(objlist[0])=="RSP":
self.type="stackvar"
self.value="0x{:x}".format(int(str(objlist[1]),0))
self.offset=int(str(objlist[1]),0)
self.len=1
oprep=instr.getDefaultOperandRepresentation(num)
if "xword" in oprep:
self.length=16
elif "qword" in oprep:
self.length=8
elif "dword" in oprep:
self.length=4
elif "word ptr" in oprep:
self.length=2
elif "byte ptr" in oprep:
self.length=1
return
if len(objlist)==2 and tp&OperandType.DYNAMIC and tp&OperandType.ADDRESS : #dword ptr [RCX + -0x4]
self.type="memconst"
self.value=str(objlist[1])
self.olist=objlist
return
if len(objlist)==2 and str(objlist[0])=="GS":
self.type="debugho"
self.value="__0x{:x}".format(int(str(objlist[1]),0))
return
if len(objlist)==3 and isinstance(objlist[0],Register): #not quite correct, but. uff
self.type="register"
self.value=str(objlist[0])
return
logger.warning("{} {:x} {} needs operand implementation {}".format(instr,tp,num,objlist))
class BasicDataGraph(object):
def __init__(self):
self.registers={}
self.variables={}
self.inputs=set([])
#logger.info(instr.getDefaultOperandRepresentation(0))
#logger.info(instr.getDefaultOperandRepresentation(1))
def maybeInput(self,inp):
if inp.type=="register" or inp.type=="stackvar":
if not inp.value in self.registers and not inp.value in self.variables:
if not inp.value in self.inputs:
self.inputs.add(inp.value)
def getDeps(self,inp):
if inp.type=="register":
if inp.value in self.registers:
return set(self.registers[inp.value])
if inp.type=="stackvar":
if inp.value in self.variables:
return set(self.variables[inp.value])
if inp.value in self.inputs:
return set([inp.value])
return set([])
def assign(self,outp,inp):
self.maybeInput(inp)
ival=self.getDeps(inp)
if outp.type=="register":
self.registers[outp.value]=ival
elif outp.type=="stackvar":
self.variables[outp.value]=ival
else:
log.warning("Weird assign to {}".format(outp.type))
def addDependency(self,recv,incoming):
if recv.type=="register":
if not recv.value in self.registers:
self.registers[recv.value]=set()
receiver=self.registers[recv.value]
elif recv.type=="stackvar":
if not recv.value in self.variables:
self.variables[recv.value]=set()
receiver=self.variables[recv.value]
else:
return # we don't care?
for inp in incoming: #add direct ,leave propagation for later
self.maybeInput(inp)
ival=self.getDeps(inp)
if inp.type=="register":
receiver.update(ival)
elif inp.type=="stackvar":
receiver.update(ival)
else:
continue #consts, etc should not matter
def scrambleRegisters(self): #we lose depedency over call
for reg in self.registers:
self.registers[reg]=set([])
def add(self,instr):
logger.info(instr)
mn=instr.getMnemonicString().lower()
if mn== "call":
self.scrambleRegisters()
elif mn=="mov" or "movzx" in mn: #assign
output=Operand(instr,0)
input=Operand(instr,1)
self.assign(output,input)
elif mn=="imul"or mn=="sub" or mn=="add" or mn=="and" or mn=="xor":
no=c_instr.getNumOperands()
output=Operand(instr,0)
inputs=[Operand(instr,1)]
if no==3:
inputs.append(Operand(instr,2))
self.addDependency(output,inputs)
else:
pass #maybe do not matter
def getByMnem(self,mnem):
root=set([])
if mnem in self.variables:
root=set(self.variables[mnem])
rgs=currentProgram.getRegister(str(mnem))
if rgs is not None:
rgs=rgs.getBaseRegister()
if str(rgs) in self.registers:
root=self.registers[str(rgs)]
else:
root=set([])
for r in rgs.getChildRegisters():
if str(r) in self.registers:
root.update(self.registers[str(r)])
if mnem in self.registers:
return set(self.registers[mnem])
return root
def linksTo(self,mnem):
logger.info("mnem")
logger.info(mnem)
root=self.getByMnem(mnem)
logger.info("added")
logger.info(self.variables)
logger.info(self.registers)
logger.info(self.inputs)
return root
class mchain(object):
def __init__(self,primary):
self.mainRef=primary
self.secref=set([])
def addSecondary(self,mnem):
self.secref.add(mnem)
def string(self,emu):
index=emu.readRegister(self.mainRef)
ihash=0
istr=""
for scr in self.secref:
reg=currentProgram.getRegister(str(scr))
if reg is not None:
ro=0
ref=emu.readRegister(reg)
else:
ro=int(scr,0)
ref=emu.readStackValue(ro,4,False)
istr=istr+"_{:x}_{:x}|".format(ro,ref)
ihash = (ref + (ihash << 6) + (ihash << 16) - ihash*ro)&0xffffffff
return "0x{:x}_{}".format(index,istr)
#readStackValue
import os
import json
#needs checksum detection! checksum has 3 stackvars: checksum, current addr and final addr
class ObfuscatedPath(object):
def __init__(self):
self.switchAddr=None # jmp RAX instruction/ switch that controls flow. should be first cbranch, usually
self.jtableBreakpoint=None # movsxd instruction
self.jtableRef=None
self.jindexRef=None #register that contains jump index at jtableBreakpoint
self.estimatedTableLen=-1
self.paths=[]
self.cpi=-1 #current path index
self.branchboxes={}
self.lastindex=-1
self.loadedBox=None
self.trace=None
self.curFullPath=[]
self.startpoint=state.getCurrentLocation()
self.cur_fun=getFunctionContaining(self.startpoint.address)
self.emu=None
self.monitor=ConsoleTaskMonitor()
self.loopAvoider=1000
self.loopAvoid=self.loopAvoider
self.mchl=1 #ok, memory chain does not really work XD Needs to check for hidden variables/ pathbox...
self.mch=None
self.instructionBlock=[]
self.maxflushes=10
self.curflushes=0
self.flushed=False
self.saveregs= ["RIP", "RAX","RBX", "RCX", "RDX", "RSI", "RDI", "RSP", "RBP", "R15","rflags","R8","R9"]
self.stackvars=set()
self.collectedData={}
self.entry="0x{}".format(self.cur_fun.getEntryPoint())
if os.path.isfile(DATA_FILE):
with open(DATA_FILE,"rb") as fl:
dat=fl.read()
if len(dat)>0:
try:
self.collectedData=json.loads(dat)
except Exception as e:
logger.warning("Error reading data file: {}".format(e))
self.collectedData={}
if not self.entry in self.collectedData :
self.collectedData[self.entry]={"step":0}
def initEmulator(self):
if self.emu is not None:
self.emu.dispose()
self.emu=EmulatorHelper(currentProgram)
mainFunctionEntryLong = int("0x{}".format(self.cur_fun.getEntryPoint()), 16)
self.emu.writeRegister(self.emu.getPCRegister(), mainFunctionEntryLong)
self.emu.writeRegister("RSP", 0x000000002FFF0000)
self.emu.writeRegister("RBP", 0x000000002FFF0000)
def indexInPaths(self, index):
for pth in self.paths:
if pth.contains(index): return True
return False
def loadBox(self):
self.loadedBox=None
si=self.mch.string(self.emu)
if si in self.branchboxes:
logger.info("Loaded box {}".format(si))
self.loadedBox=self.branchboxes[si]
self.loadedBox.reset()
def findUntakenBranch(self):
for bb in self.branchboxes:
if self.branchboxes[bb].hasUntakenPaths():
logger.info("Branch box at {} has untaken path, restarting".format(bb))
return self.branchboxes[bb]
return None
def restart(self):
self.initEmulator()
self.loadedBox=None
self.cpi=-1
self.curFullPath=[]
self.instructionBlock=[]
self.flushed=True
def run(self):
for a in range(170000):
if not self.process():
bb=self.findUntakenBranch()
if bb is None:
logger.info("No untaken paths left, stopping")
return
self.trace=bb.pathToBox
logger.info(bb.pathToBox)
self.restart()
def initNewPath(self,index):
ind=len(self.paths)
npath=CPath()
npath.addIndex(index)
self.paths.append(npath)
self.cpi=ind
def endPath(self,cause,jmp=None): #iloop, loop, branch, ret, baddata
if self.cpi==-1:
logger.warning("Trying to end path as {} when not on path".format(cause))
return
logger.info("Ending path {} ({}) as {}".format(self.cpi,self.paths[self.cpi].path,cause))
pth=self.paths[self.cpi]
pth.ending=cause
pth.endJump=jmp
self.cpi=-1
def runStraight(self,nl):
for a in range(nl):
executionAddress = self.emu.getExecutionAddress()
logger.info("Address: 0x{} ({})".format(executionAddress, getInstructionAt(executionAddress)))
ein=getInstructionAt(executionAddress)
if "{}".format(ein)=="CMP EAX,0x347":
reg_value = self.emu.readRegister("EAX")
logger.info("EAX: 0x{:x}".format(reg_value))
if not self.step(): return
def flush(self):
if self.curflushes>=self.maxflushes: return
self.trace=None
self.branchboxes={}
self.paths=[]
self.restart()
logger.info("Flushed branches, rebuilding, current secondary: {}".format(self.mch.secref))
self.curflushes+=1
def analyzeInstrBlock(self):
if len(self.instructionBlock)<10: return False
if self.curflushes>=self.maxflushes: raise NotImplementedError
if self.flushed:
self.flushed=False
return False
bdg=BasicDataGraph()
for instr in self.instructionBlock:
bdg.add(instr)
affects=bdg.linksTo(self.jindexRef)
logger.info(affects)
prelen=len(self.mch.secref)
for a in affects:
if currentProgram.getRegister(str(a)) is not None: continue # avoid registers for now
self.mch.addSecondary(a)
if len(self.mch.secref)!=prelen:
return True
#self.curflushes+=1
return False
def save(self):
with open(DATA_FILE,"wb") as fl:
fl.write(json.dumps(self.collectedData).encode("utf-8"))
def detectLongLoops(self):
marks={}
prev=None
maxLoop=10
window=[]
cloop=None
coffs=0
clc=0
cnt=0
loopBreaks=[]
loops=[]
for ind in self.collectedData[self.entry]["basicChain"]:
if cloop is not None:
if ind != cloop[coffs]:
#loop break
logger.warning("Lbreak {} {} ".format(ind,cloop))
loopBreaks.append(cnt-1)
if clc>=5:
loops.append((clc,cloop))
cloop=None
clc=0
coffs=0
else:
coffs+=1
if coffs>=len(cloop):
clc+=1
coffs=0
else:
if ind in window:
cloop=window[window.index(ind):]
while ind in cloop[1:]:
l=cloop[1:]
cloop=l[l.index(ind):]
clc=0
coffs=1
window.append(ind)
if len(window)>maxLoop:
window=window[1:]
cnt+=1
logger.info("Detected loops: {}".format(loops))
logger.info("Detected loop breaks: {}".format(loopBreaks))
self.collectedData[self.entry]["basicLoops"]=loops
self.collectedData[self.entry]["basicLoopBreaks"]=loopBreaks
def getState(self):
state={}
for reg in self.saveregs:
val=self.emu.readRegister(reg)
state[reg]=val
for v in self.stackvars:
val=self.emu.readStackValue(int(v.value,16),v.length,False)
state["{}_{}".format(v.value,v.length)]=val
return state
def writeState(self,state):
for reg in self.saveregs:
if reg in state and reg!="RIP":
self.emu.writeRegister(reg,state[reg])
for v in self.stackvars:
ref="{}_{}".format(v.value,v.length)
if ref in state:
self.emu.writeStackValue(int(v.value,16),v.length,state[ref])
def tryRun(self,nl):
step=self.collectedData[self.entry]["step"]
if step==0:
while self.jtableBreakpoint is None:
self.process() #replace with initCollect
self.flush()
self.collectedData[self.entry]["jtableBreakpoint"]="0x{}".format(self.jtableBreakpoint)
self.collectedData[self.entry]["jindexRef"]=str(self.jindexRef)
self.collectedData[self.entry]["estimatedTableLen"]=self.estimatedTableLen
self.collectedData[self.entry]["stackvars"]=[]
self.collectedData[self.entry]["callIndices"]=[]
for sv in self.stackvars:
self.collectedData[self.entry]["stackvars"].append([sv.type,sv.value,sv.length])
self.collectedData[self.entry]["step"]=1
step=1
self.save()
else:
eaddr = self.emu.getExecutionAddress()
ein=getInstructionAt(eaddr)
if self.jtableBreakpoint is None:
self.jtableBreakpoint=getAddress(int(self.collectedData[self.entry]["jtableBreakpoint"],16))
self.jindexRef=self.collectedData[self.entry]["jindexRef"]
self.estimatedTableLen=self.collectedData[self.entry]["estimatedTableLen"]
for sv in self.collectedData[self.entry]["stackvars"]:
op=Operand(None,0)
op.type=sv[0]
op.value=sv[1]
op.length=sv[2]
self.stackvars.add(op)
if step==1: #run till the end, marking indices
self.collectedData[self.entry]["basicChain"]=[]
while(True):
executionAddress = self.emu.getExecutionAddress()
ein=getInstructionAt(executionAddress)
if executionAddress==self.jtableBreakpoint:
#index=self.mch.string(self.emu)
index=self.emu.readRegister(self.jindexRef)
self.collectedData[self.entry]["basicChain"].append(index)
logger.info("At index: {:X}".format(index))
if index>self.estimatedTableLen:
logger.info("Hit switch guard")
break
if isReturn(ein):
logger.info("Got to return scessfully")
break
branch=getCondmoveInstruction(ein)
if branch is not None:
logger.info("Address: 0x{} ({})".format(executionAddress, ein))
if isCallInstruction(ein):
logger.info("Skipping call : 0x{} ({})".format(executionAddress, ein))
self.collectedData[self.entry]["callIndices"].append(index)
skip(self.emu)
elif isCallOther(ein):
logger.info("Skipping : 0x{} ({})".format(executionAddress, ein))
skip(self.emu)
else:
#logger.info("Address: 0x{} ({})".format(executionAddress, getInstructionAt(executionAddress)))
if not self.step(): break
self.detectLongLoops()
self.collectedData[self.entry]["step"]=2
step=2
self.save()
else:
pass
self.restart()
if step==2:
self.detectLongLoops()
lbr=self.collectedData[self.entry]["basicLoopBreaks"]
if len(lbr)>0:
cnt=0
while(True):
executionAddress = self.emu.getExecutionAddress()
ein=getInstructionAt(executionAddress)
if executionAddress==self.jtableBreakpoint:
index=self.emu.readRegister(self.jindexRef)
if cnt in lbr:
logger.info("At loop break {:x}".format(index))
state=self.getState()
if not "breakStates" in self.entry:
self.collectedData[self.entry]["breakStates"]={}
self.collectedData[self.entry]["breakStates"][cnt]={}
self.collectedData[self.entry]["breakStates"][cnt][index]=state
if index>self.estimatedTableLen:
logger.info("Hit switch guard")
break
cnt+=1
if isReturn(ein):
logger.info("Got to return scessfully")
break
if isCallInstruction(ein):
logger.info("Skipping call : 0x{} ({})".format(executionAddress, ein))
self.collectedData[self.entry]["callIndices"].append(index)
skip(self.emu)
elif isCallOther(ein):
logger.info("Skipping : 0x{} ({})".format(executionAddress, ein))
skip(self.emu)
else:
if not self.step(): break
self.collectedData[self.entry]["step"]=3
step=3
self.save()
if step==3: #need to track the indices, jump the loops and jigger the non-loop conditions
self.restart()
def process(self): #todo: needs to check for intersections... memory chain, maybe? Nope XD
eaddr = self.emu.getExecutionAddress()
ein=getInstructionAt(eaddr)
if self.jtableBreakpoint is None: #initialization of jump table
jt=getPotentialJtableAccess(ein)
# try to find local variables... poorly XD
if ein is not None:
for nop in range(ein.getNumOperands()):
op=Operand(ein,nop)
if op.type=="stackvar":
self.stackvars.add(op)
if jt is not None:
logger.info("Found assumed jump at 0x{}".format(eaddr))
self.jtableBreakpoint=eaddr
self.switchAddr=jt[2]
self.jtableRef=jt[0]
jtableAddr=getAddress(self.emu.readRegister(self.jtableRef))
self.jindexRef=jt[1]
self.mch=mchain(self.jindexRef)
self.estimatedTableLen=estimateTableLen(jtableAddr,self.cur_fun.getEntryPoint())
logger.info("Jump table length estimated to be {}".format(self.estimatedTableLen))
sGuard=tryGetSwitchGuard(ein)
if sGuard>0:
logger.info("Replacing jump table length with switch guard of {}".format(sGuard))
self.estimatedTableLen=sGuard
self.jtableBreakpoint=ein.getPrevious().getAddress()
lval = int("0x{}".format(self.jtableBreakpoint), 16)
self.emu.writeRegister(self.emu.getPCRegister(), lval)
logger.info("Moving breakpoint to switch guard at 0x{}".format(self.jtableBreakpoint))
return self.process()
return self.step()
if eaddr==self.switchAddr: # at switch
self.instructionBlock=[]
else:
self.instructionBlock.append(ein)
if eaddr==self.jtableBreakpoint:
if self.analyzeInstrBlock(): # see if there are any more hidden variables...
self.flush()
return True #to avoid second restart
self.loopAvoid=self.loopAvoider #did not hit infinite loop on the way
index=self.mch.string(self.emu)#self.emu.readRegister(self.jindexRef)
activePath=None
if self.cpi!=-1:
activePath=self.paths[self.cpi]
if self.loadedBox is not None:
if self.trace is None and self.cpi>=0: #degenerate 1-step loop is possible...
self.endPath("branch",self.lastindex)
self.loadedBox.registerIndexOutput(index)
self.curFullPath[-1].append(self.loadedBox.pathTaken)
if self.trace is None and self.indexInPaths(index):
if self.lastindex==index: #degenerate
npath=CPath()
npath.ending="loop"
npath.endJump=index
self.paths.append(npath)
else:
if self.cpi!=-1:
self.endPath("loop") # most loops end in branches? though not all
else:
if activePath is not None:
activePath.multiend=True
logger.info("Found potential obfuscated loop to 0x{:x}".format(index))
return False
if self.trace is None:
if self.cpi==-1:
self.initNewPath(index) #self.mch.string()
else:
self.paths[self.cpi].addIndex(index)
self.curFullPath.append([index])
logger.info("At index {}".format(index))
self.lastindex=index
self.loadBox()
if self.trace is not None:
tpt=self.trace[0]
self.trace=self.trace[1:]
if len(self.trace)==0:
self.trace=None
if tpt[0]!=index:
logger.warning("Trace error, index mismatch!")
return False
if len(tpt)>1:
if self.loadedBox is None:
logger.warning("Trace error, should be branch box here!")
return False
self.loadedBox.loadTrace(tpt[1])
if self.emu.readRegister(self.jindexRef)>self.estimatedTableLen:
logger.info("Hit switch guard, retracing")
self.endPath("iloop")
#self.restart()
return False
branch=getCondmoveInstruction(ein)
if branch is not None:
if self.loadedBox is None:
bbox=BranchBox(self.lastindex)
bbox.pathToBox=[list(k) for k in self.curFullPath] #deep copy
self.branchboxes[self.lastindex]=bbox
self.loadedBox=bbox
self.loadedBox.registerBranch(branch)
self.loadedBox.takeUntakenOrTrace(self.emu)
return True
if isCallInstruction(ein):
logger.info("Skipping call : 0x{} ({})".format(eaddr, ein))
skip(self.emu)
return True
self.loopAvoid-=1
if self.loopAvoid<0:
self.endPath("iloop")
return False
if isReturn(ein):
if self.cpi!=-1:
self.endPath("return")
return False
return self.step()
def step(self):
success = self.emu.step(self.monitor)
if (success == False):
lastError = self.emu.getLastError()
logger.error("Emulation Error: '{}'".format(lastError))
if self.cpi!=-1:
self.endPath("baddata")
return success
location=state.getCurrentLocation()
print(location.address)
c_instr=getInstructionAt(location.address)
print(c_instr)
print(c_instr.getNumOperands())
print(type(c_instr.getOpObjects(0)[0]))
print(c_instr.getOpObjects(1))
print(listing.getInstructionBefore(c_instr.address))
print(c_instr.getOperandType(0))
print("{:x}".format(c_instr.getOperandType(1)))
print("{:x}".format(c_instr.getOperandType(2)))
cur_fun=getFunctionContaining(location.address)
print(cur_fun)
print(currentProgram.getRegister("ECX"))
print(currentProgram.getRegister("EdCX"))
print(c_instr.getDefaultOperandRepresentation(1))
#emuHelper = EmulatorHelper(currentProgram)
mainFunctionEntryLong = int("0x{}".format(cur_fun.getEntryPoint()), 16)
#emuHelper.writeRegister(emuHelper.getPCRegister(), mainFunctionEntryLong)
registers = getProgramRegisterList(currentProgram)
reg_filter = [
"RIP", "RAX"]#, "RBX", "RCX", "RDX", "RSI", "RDI",
# "RSP", "RBP", "rflags"
op=ObfuscatedPath()
op.initEmulator()
op.tryRun(50000000)
#op.restart()
#op.runStraight(5000)
op.emu.dispose()
View Git Blame Copy Permalink