-
Notifications
You must be signed in to change notification settings - Fork 9
/
manual_concrete_packed_pe32.py
145 lines (117 loc) · 6.21 KB
/
manual_concrete_packed_pe32.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
import angr
import avatar2
import claripy
import os
from angr_targets import AvatarGDBConcreteTarget
binary_x86 = os.path.join(os.path.dirname(os.path.realpath(__file__)),
os.path.join('..', '..', 'binaries', 'tests', 'x86',
'windows', 'packed_pe32.exe'))
GDB_SERVER_IP = '127.0.0.1'
GDB_SERVER_PORT = 9999
UNPACKING_FINISHED = 0x41EA02
STARTING_DECISION_ADDRESS = 0x401775
DROP_V1 = 0x401807
DROP_V2 = 0x401839
MALWARE_EXECUTION_END = 0x401879
FAKE_CC = 0x401861
VENV_DETECTED = 0x401847
avatar_gdb = None
'''
def setup_x86():
print("Configure a windows machine with a static IP %s. "
"Check windows firewall configurations to be sure that the connections to %s:%s are not blocked\n"
"Install gdbserver on the machine, b"
"e careful the architecture (x86 or x64) of gdbserver should be the same as the debugged binary.\n"
"Currently using Cygwin for 32 bit gdbserver and Cygwin for 64 bit gdbserver" % (GDB_SERVER_IP,
GDB_SERVER_IP,
GDB_SERVER_PORT))
print("On windows machine execute gdbserver %s:%s path/to/simple_crackme.exe" % (GDB_SERVER_IP, GDB_SERVER_PORT))
input("Press enter when gdbserver has been executed")
'''
def teardown():
global avatar_gdb
if avatar_gdb:
avatar_gdb.exit()
def test_concrete_engine_windows_x86_no_simprocedures():
global avatar_gdb
#print("test_concrete_engine_windows_x86_no_simprocedures")
try:
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=False,
page_size=0x1000)
entry_state = p.factory.entry_state()
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
solv_concrete_engine_windows_x86(p, entry_state)
except ValueError:
#print("Failing executing test")
pass
def test_concrete_engine_windows_x86_simprocedures():
global avatar_gdb
print("test_concrete_engine_windows_x86_simprocedures")
try:
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=True,
page_size=0x1000)
entry_state = p.factory.entry_state()
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
solv_concrete_engine_windows_x86(p, entry_state)
except ValueError:
#print("Failing executing test")
pass
def test_concrete_engine_windows_x86_unicorn_no_simprocedures():
global avatar_gdb
#print("test_concrete_engine_windows_x86_unicorn_no_simprocedures")
try:
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=False,
page_size=0x1000)
entry_state = p.factory.entry_state(add_options=angr.options.unicorn)
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
solv_concrete_engine_windows_x86(p, entry_state)
except ValueError:
#print("Failing executing test")
pass
def test_concrete_engine_windows_x86_unicorn_simprocedures():
global avatar_gdb
#print("test_concrete_engine_windows_x86_unicorn_simprocedures")
try:
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=True,
page_size=0x1000)
entry_state = p.factory.entry_state(add_options=angr.options.unicorn)
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
solv_concrete_engine_windows_x86(p, entry_state)
except ValueError:
#print("Failing executing test")
pass
def execute_concretly(p, state, address, memory_concretize=[], register_concretize=[], timeout=0):
simgr = p.factory.simgr(state)
simgr.use_technique(angr.exploration_techniques.Symbion(find=[address], memory_concretize=memory_concretize,
register_concretize=register_concretize, timeout=timeout))
exploration = simgr.run()
return exploration.stashes['found'][0]
def solv_concrete_engine_windows_x86(p, entry_state):
#print("[0]Let the malware unpack itself")
new_state = execute_concretly(p, entry_state, UNPACKING_FINISHED, [])
#print("[1]Executing malware concretely until address: " + hex(STARTING_DECISION_ADDRESS))
new_concrete_state = execute_concretly(p, new_state, STARTING_DECISION_ADDRESS, [])
# declaring symbolic buffer
arg0 = claripy.BVS('arg0', 8 * 32)
symbolic_buffer_address = new_concrete_state.regs.esp + 0x18
new_concrete_state.memory.store(new_concrete_state.solver.eval(symbolic_buffer_address), arg0)
#print("[2]Symbolically executing malware to find dropping of second stage [ address: " + hex(DROP_V1) + " ]")
simgr = p.factory.simgr(new_concrete_state)
exploration = simgr.explore(find=DROP_V1, avoid=[FAKE_CC, DROP_V2, VENV_DETECTED])
new_symbolic_state = exploration.stashes['found'][0]
#print("[3]Executing malware concretely with solution found until the end " + hex(MALWARE_EXECUTION_END))
execute_concretly(p, new_symbolic_state, MALWARE_EXECUTION_END, [(symbolic_buffer_address, arg0)], [])
#print("[4]Malware execution ends, the configuration value is: " + hex(new_symbolic_state.solver.eval(arg0,
# cast_to=int)))