1 |
2 |
alfik |
/*
|
2 |
|
|
* Copyright (c) 2014, Aleksander Osman
|
3 |
|
|
* All rights reserved.
|
4 |
|
|
*
|
5 |
|
|
* Redistribution and use in source and binary forms, with or without
|
6 |
|
|
* modification, are permitted provided that the following conditions are met:
|
7 |
|
|
*
|
8 |
|
|
* * Redistributions of source code must retain the above copyright notice, this
|
9 |
|
|
* list of conditions and the following disclaimer.
|
10 |
|
|
*
|
11 |
|
|
* * Redistributions in binary form must reproduce the above copyright notice,
|
12 |
|
|
* this list of conditions and the following disclaimer in the documentation
|
13 |
|
|
* and/or other materials provided with the distribution.
|
14 |
|
|
*
|
15 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
16 |
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
17 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
18 |
|
|
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
19 |
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
20 |
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
21 |
|
|
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
22 |
|
|
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
23 |
|
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
24 |
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
25 |
|
|
*/
|
26 |
|
|
|
27 |
|
|
package ao486.test.branch;
|
28 |
|
|
|
29 |
|
|
import ao486.test.TestUnit;
|
30 |
|
|
import static ao486.test.TestUnit.run_test;
|
31 |
|
|
import ao486.test.layers.FlagsLayer;
|
32 |
|
|
import ao486.test.layers.GeneralRegisterLayer;
|
33 |
|
|
import ao486.test.layers.HandleModeChangeLayer;
|
34 |
|
|
import ao486.test.layers.IOLayer;
|
35 |
|
|
import ao486.test.layers.InstructionLayer;
|
36 |
|
|
import ao486.test.layers.Layer;
|
37 |
|
|
import ao486.test.layers.MemoryLayer;
|
38 |
|
|
import ao486.test.layers.MemoryPatchLayer;
|
39 |
|
|
import ao486.test.layers.OtherLayer;
|
40 |
|
|
import ao486.test.layers.Pair;
|
41 |
|
|
import ao486.test.layers.SegmentLayer;
|
42 |
|
|
import ao486.test.layers.StackLayer;
|
43 |
|
|
import java.io.*;
|
44 |
|
|
import java.util.LinkedList;
|
45 |
|
|
import java.util.Random;
|
46 |
|
|
|
47 |
|
|
|
48 |
|
|
public class TestRET_near extends TestUnit implements Serializable {
|
49 |
|
|
public static void main(String args[]) throws Exception {
|
50 |
|
|
run_test(TestRET_near.class);
|
51 |
|
|
}
|
52 |
|
|
|
53 |
|
|
//--------------------------------------------------------------------------
|
54 |
|
|
@Override
|
55 |
|
|
public int get_test_count() throws Exception {
|
56 |
|
|
return 100;
|
57 |
|
|
}
|
58 |
|
|
|
59 |
|
|
@Override
|
60 |
|
|
public void init() throws Exception {
|
61 |
|
|
|
62 |
|
|
random = new Random(8+index);
|
63 |
|
|
|
64 |
|
|
String instruction;
|
65 |
|
|
while(true) {
|
66 |
|
|
layers.clear();
|
67 |
|
|
|
68 |
|
|
LinkedList<Pair<Long, Long>> prohibited_list = new LinkedList<>();
|
69 |
|
|
|
70 |
|
|
InstructionLayer instr = new InstructionLayer(random, prohibited_list);
|
71 |
|
|
layers.add(instr);
|
72 |
|
|
StackLayer stack = new StackLayer(random, prohibited_list);
|
73 |
|
|
layers.add(stack);
|
74 |
|
|
layers.add(new OtherLayer(OtherLayer.Type.RANDOM, random));
|
75 |
|
|
layers.add(new FlagsLayer(FlagsLayer.Type.RANDOM, random));
|
76 |
|
|
layers.add(new GeneralRegisterLayer(random));
|
77 |
|
|
layers.add(new SegmentLayer(random));
|
78 |
|
|
layers.add(new MemoryLayer(random));
|
79 |
|
|
layers.add(new IOLayer(random));
|
80 |
|
|
layers.addFirst(new HandleModeChangeLayer(
|
81 |
|
|
getInput("cr0_pe"),
|
82 |
|
|
getInput("vmflag"),
|
83 |
|
|
getInput("cs_rpl"),
|
84 |
|
|
getInput("cs_p"),
|
85 |
|
|
getInput("cs_s"),
|
86 |
|
|
getInput("cs_type")
|
87 |
|
|
));
|
88 |
|
|
|
89 |
|
|
// instruction size
|
90 |
|
|
boolean cs_d_b = getInput("cs_d_b") == 1;
|
91 |
|
|
|
92 |
|
|
boolean a32 = random.nextBoolean();
|
93 |
|
|
boolean o32 = random.nextBoolean();
|
94 |
|
|
|
95 |
|
|
layers.addFirst(new Layer() {
|
96 |
|
|
public long tflag() { return 0; }
|
97 |
|
|
});
|
98 |
|
|
|
99 |
|
|
|
100 |
|
|
//target memory patch
|
101 |
|
|
long cs_base = getInput("cs_base");
|
102 |
|
|
long cs_limit = getInput("cs_limit");
|
103 |
|
|
long eip = getInput("eip");
|
104 |
|
|
|
105 |
|
|
int offset = 0x20 + random.nextInt(0x0FFF);
|
106 |
|
|
|
107 |
|
|
if(o32 == false) eip &= 0xFFFF;
|
108 |
|
|
|
109 |
|
|
long sum = eip + offset;
|
110 |
|
|
if(o32 == false) sum &= 0xFFFF;
|
111 |
|
|
|
112 |
|
|
long dest = cs_base + sum;
|
113 |
|
|
|
114 |
|
|
System.out.printf("cs_base: %08x\n", cs_base);
|
115 |
|
|
System.out.printf("eip: %08x\n", eip);
|
116 |
|
|
System.out.printf("offset: %08x\n", offset);
|
117 |
|
|
System.out.printf("final: %08x\n", cs_base + sum);
|
118 |
|
|
System.out.printf("cs_d_b: %b\n", cs_d_b);
|
119 |
|
|
|
120 |
|
|
|
121 |
|
|
MemoryPatchLayer patch = new MemoryPatchLayer(random, prohibited_list, (int)dest, 0x0F,0x0F);
|
122 |
|
|
layers.addFirst(patch);
|
123 |
|
|
|
124 |
|
|
// stack
|
125 |
|
|
if(o32) {
|
126 |
|
|
stack.push_dword((int)sum); //eip
|
127 |
|
|
}
|
128 |
|
|
else {
|
129 |
|
|
stack.push_word((int)sum); //eip
|
130 |
|
|
}
|
131 |
|
|
|
132 |
|
|
// instruction
|
133 |
|
|
instruction = prepare_instr(cs_d_b, a32, o32, null);
|
134 |
|
|
|
135 |
|
|
instruction += "0F0F";
|
136 |
|
|
|
137 |
|
|
// add instruction
|
138 |
|
|
instr.add_instruction(instruction);
|
139 |
|
|
|
140 |
|
|
// end condition
|
141 |
|
|
break;
|
142 |
|
|
}
|
143 |
|
|
|
144 |
|
|
System.out.println("Instruction: [" + instruction + "]");
|
145 |
|
|
}
|
146 |
|
|
|
147 |
|
|
|
148 |
|
|
int imm_len(boolean a16, boolean o16, int opcode) {
|
149 |
|
|
return opcode == 0xC2 ? 2 : 0;
|
150 |
|
|
}
|
151 |
|
|
String prepare_instr(boolean cs_d_b, boolean a32, boolean o32, byte modregrm_bytes[]) throws Exception {
|
152 |
|
|
int opcodes[] = {
|
153 |
|
|
0xC2,0xC3
|
154 |
|
|
};
|
155 |
|
|
|
156 |
|
|
String prefix = "";
|
157 |
|
|
if(cs_d_b != o32) { prefix = "66" + prefix; }
|
158 |
|
|
if(cs_d_b != a32) { prefix = "67" + prefix; }
|
159 |
|
|
|
160 |
|
|
int opcode = opcodes[random.nextInt(opcodes.length)];
|
161 |
|
|
boolean is_modregrm = false;
|
162 |
|
|
|
163 |
|
|
byte possible_modregrm = (byte)random.nextInt();
|
164 |
|
|
byte possible_sib = (byte)random.nextInt();
|
165 |
|
|
|
166 |
|
|
int len = (is_modregrm == false)? 1 : 1 + modregrm_len(!a32, unsigned(possible_modregrm), unsigned(possible_sib));
|
167 |
|
|
len += imm_len(!a32, !o32, opcode);
|
168 |
|
|
System.out.println("[len final: " + len + "]");
|
169 |
|
|
|
170 |
|
|
byte instr[] = new byte[len];
|
171 |
|
|
instr[0] = (byte)opcode;
|
172 |
|
|
for(int i=1; i<len; i++) {
|
173 |
|
|
if(i==1) instr[1] = possible_modregrm;
|
174 |
|
|
else if(i==2) instr[2] = possible_sib;
|
175 |
|
|
else instr[i] = (byte)random.nextInt();
|
176 |
|
|
}
|
177 |
|
|
|
178 |
|
|
return prefix + bytesToHex(instr);
|
179 |
|
|
}
|
180 |
|
|
}
|
181 |
|
|
|
182 |
|
|
|
183 |
|
|
|
184 |
|
|
|
185 |
|
|
|
186 |
|
|
/*
|
187 |
|
|
public class TestRET_near {
|
188 |
|
|
public static void main(String args[]) throws Exception {
|
189 |
|
|
TestManager manager = new TestManager();
|
190 |
|
|
|
191 |
|
|
TestRET_near_Serializable test = new TestRET_near_Serializable();
|
192 |
|
|
|
193 |
|
|
if(false) {
|
194 |
|
|
ObjectInputStream ois = new ObjectInputStream(new FileInputStream("test.obj"));
|
195 |
|
|
test = (TestRET_near_Serializable)ois.readObject();
|
196 |
|
|
ois.close();
|
197 |
|
|
}
|
198 |
|
|
|
199 |
|
|
for(; test.index<test.get_test_count(); test.index++) {
|
200 |
|
|
System.out.println(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Running test " + (test.index+1) + "/" + test.get_test_count());
|
201 |
|
|
|
202 |
|
|
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("test.obj"));
|
203 |
|
|
oos.writeObject(test);
|
204 |
|
|
oos.close();
|
205 |
|
|
|
206 |
|
|
boolean passed = manager.run_test_and_print_result(test);
|
207 |
|
|
if(passed == false) break;
|
208 |
|
|
}
|
209 |
|
|
}
|
210 |
|
|
}
|
211 |
|
|
class TestRET_near_Serializable extends TestBase implements Test, Serializable {
|
212 |
|
|
TestRET_near_Serializable() {
|
213 |
|
|
random = new Random(0);
|
214 |
|
|
}
|
215 |
|
|
|
216 |
|
|
Random random;
|
217 |
|
|
int index;
|
218 |
|
|
|
219 |
|
|
boolean d_b;
|
220 |
|
|
|
221 |
|
|
//--------------------------------------------------------------------------
|
222 |
|
|
@Override
|
223 |
|
|
public int get_test_count() throws Exception {
|
224 |
|
|
return 2000;
|
225 |
|
|
}
|
226 |
|
|
|
227 |
|
|
@Override
|
228 |
|
|
public void init() throws Exception {
|
229 |
|
|
instructions = null;
|
230 |
|
|
d_b = random.nextBoolean();
|
231 |
|
|
}
|
232 |
|
|
|
233 |
|
|
@Override
|
234 |
|
|
public boolean fini() throws Exception {
|
235 |
|
|
return index < get_test_count();
|
236 |
|
|
}
|
237 |
|
|
|
238 |
|
|
int imm_len(boolean a16, boolean o16, int opcode) {
|
239 |
|
|
return opcode == 0xC2 ? 2 : 0;
|
240 |
|
|
}
|
241 |
|
|
String prepare_instr() throws Exception {
|
242 |
|
|
int opcodes[] = {
|
243 |
|
|
0xC2,0xC3
|
244 |
|
|
};
|
245 |
|
|
|
246 |
|
|
boolean a16 = !d_b;
|
247 |
|
|
boolean o16 = !d_b;
|
248 |
|
|
String prefix = "";
|
249 |
|
|
if(random.nextBoolean()) { prefix = "66" + prefix; o16 = !o16; }
|
250 |
|
|
if(random.nextBoolean()) { prefix = "67" + prefix; a16 = !a16; }
|
251 |
|
|
|
252 |
|
|
int opcode = opcodes[random.nextInt(opcodes.length)];
|
253 |
|
|
boolean is_modregrm = false;
|
254 |
|
|
|
255 |
|
|
byte possible_modregrm = (byte)random.nextInt();
|
256 |
|
|
byte possible_sib = (byte)random.nextInt();
|
257 |
|
|
|
258 |
|
|
int len = (is_modregrm == false)? 1 : 1 + modregrm_len(!d_b, unsigned(possible_modregrm), unsigned(possible_sib));
|
259 |
|
|
System.out.printf("[len: %d, d_b: %b, modregrm: %02x, sib: %02x]\n", len, d_b, unsigned(possible_modregrm), unsigned(possible_sib));
|
260 |
|
|
len += imm_len(a16, o16, opcode);
|
261 |
|
|
System.out.println("[len final: " + len + "]");
|
262 |
|
|
|
263 |
|
|
byte instr[] = new byte[len];
|
264 |
|
|
instr[0] = (byte)opcode;
|
265 |
|
|
for(int i=1; i<len; i++) {
|
266 |
|
|
if(i==1) instr[1] = possible_modregrm;
|
267 |
|
|
else if(i==2) instr[2] = possible_sib;
|
268 |
|
|
else instr[i] = (byte)random.nextInt();
|
269 |
|
|
}
|
270 |
|
|
|
271 |
|
|
return prefix + bytesToHex(instr);
|
272 |
|
|
}
|
273 |
|
|
|
274 |
|
|
public String get_instructions() throws Exception {
|
275 |
|
|
String instr = "";
|
276 |
|
|
|
277 |
|
|
while(instr.length() < 2*15) {
|
278 |
|
|
instr += prepare_instr();
|
279 |
|
|
}
|
280 |
|
|
instr = instr.substring(0, 2*15);
|
281 |
|
|
|
282 |
|
|
System.out.println("[get_instructions: " + instr + "]");
|
283 |
|
|
return instr;
|
284 |
|
|
}
|
285 |
|
|
|
286 |
|
|
byte instructions[];
|
287 |
|
|
|
288 |
|
|
@Override
|
289 |
|
|
public byte get_memory(int address) throws Exception {
|
290 |
|
|
if(instructions == null) instructions = hexToBytes(get_instructions() + "0F0F");
|
291 |
|
|
|
292 |
|
|
if(address >= 0 && address < instructions.length) return instructions[address];
|
293 |
|
|
|
294 |
|
|
return 0x0F;
|
295 |
|
|
}
|
296 |
|
|
@Override
|
297 |
|
|
public int eax() throws Exception {
|
298 |
|
|
return random.nextInt() & ((random.nextInt(3) == 0)? 0xFFFFFFFF : 0x00000FFF);
|
299 |
|
|
}
|
300 |
|
|
@Override
|
301 |
|
|
public int get_ebx() throws Exception {
|
302 |
|
|
return random.nextInt() & ((random.nextInt(3) == 0)? 0xFFFFFFFF : 0x00000FFF);
|
303 |
|
|
}
|
304 |
|
|
@Override
|
305 |
|
|
public int get_ecx() throws Exception {
|
306 |
|
|
return random.nextInt() & ((random.nextInt(3) == 0)? 0xFFFFFFFF : 0x00000FFF);
|
307 |
|
|
}
|
308 |
|
|
@Override
|
309 |
|
|
public int get_edx() throws Exception {
|
310 |
|
|
return random.nextInt() & ((random.nextInt(3) == 0)? 0xFFFFFFFF : 0x00000FFF);
|
311 |
|
|
}
|
312 |
|
|
@Override
|
313 |
|
|
public int get_esi() throws Exception {
|
314 |
|
|
return random.nextInt() & ((random.nextInt(3) == 0)? 0xFFFFFFFF : 0x00000FFF);
|
315 |
|
|
}
|
316 |
|
|
@Override
|
317 |
|
|
public int get_edi() throws Exception {
|
318 |
|
|
return random.nextInt() & ((random.nextInt(3) == 0)? 0xFFFFFFFF : 0x00000FFF);
|
319 |
|
|
}
|
320 |
|
|
@Override
|
321 |
|
|
public int get_ebp() throws Exception {
|
322 |
|
|
return random.nextInt() & ((random.nextInt(3) == 0)? 0xFFFFFFFF : 0x00000FFF);
|
323 |
|
|
}
|
324 |
|
|
@Override
|
325 |
|
|
public int get_esp() throws Exception {
|
326 |
|
|
return random.nextInt() & ((random.nextInt(3) == 0)? 0xFFFFFFFF : 0x00000FFF);
|
327 |
|
|
}
|
328 |
|
|
@Override
|
329 |
|
|
public boolean get_cf() throws Exception {
|
330 |
|
|
return random.nextBoolean();
|
331 |
|
|
}
|
332 |
|
|
@Override
|
333 |
|
|
public boolean get_pf() throws Exception {
|
334 |
|
|
return random.nextBoolean();
|
335 |
|
|
}
|
336 |
|
|
@Override
|
337 |
|
|
public boolean get_af() throws Exception {
|
338 |
|
|
return random.nextBoolean();
|
339 |
|
|
}
|
340 |
|
|
@Override
|
341 |
|
|
public boolean get_zf() throws Exception {
|
342 |
|
|
return random.nextBoolean();
|
343 |
|
|
}
|
344 |
|
|
@Override
|
345 |
|
|
public boolean get_sf() throws Exception {
|
346 |
|
|
return random.nextBoolean();
|
347 |
|
|
}
|
348 |
|
|
@Override
|
349 |
|
|
public boolean get_tf() throws Exception {
|
350 |
|
|
return random.nextBoolean();
|
351 |
|
|
}
|
352 |
|
|
@Override
|
353 |
|
|
public boolean get_if() throws Exception {
|
354 |
|
|
return random.nextBoolean();
|
355 |
|
|
}
|
356 |
|
|
@Override
|
357 |
|
|
public boolean get_df() throws Exception {
|
358 |
|
|
return random.nextBoolean();
|
359 |
|
|
}
|
360 |
|
|
@Override
|
361 |
|
|
public boolean get_of() throws Exception {
|
362 |
|
|
return random.nextBoolean();
|
363 |
|
|
}
|
364 |
|
|
@Override
|
365 |
|
|
public int get_iopl() throws Exception {
|
366 |
|
|
return random.nextInt(4);
|
367 |
|
|
}
|
368 |
|
|
@Override
|
369 |
|
|
public boolean get_nt() throws Exception {
|
370 |
|
|
return random.nextBoolean();
|
371 |
|
|
}
|
372 |
|
|
@Override
|
373 |
|
|
public boolean get_rf() throws Exception {
|
374 |
|
|
return random.nextBoolean();
|
375 |
|
|
}
|
376 |
|
|
@Override
|
377 |
|
|
public boolean get_vm() throws Exception {
|
378 |
|
|
return random.nextBoolean();
|
379 |
|
|
}
|
380 |
|
|
@Override
|
381 |
|
|
public boolean get_ac() throws Exception {
|
382 |
|
|
return random.nextBoolean();
|
383 |
|
|
}
|
384 |
|
|
@Override
|
385 |
|
|
public boolean get_id() throws Exception {
|
386 |
|
|
return random.nextBoolean();
|
387 |
|
|
}
|
388 |
|
|
@Override
|
389 |
|
|
public int get_cs_base() throws Exception {
|
390 |
|
|
return 0;
|
391 |
|
|
}
|
392 |
|
|
@Override
|
393 |
|
|
public int get_cs_limit() throws Exception {
|
394 |
|
|
return 0x000FFFFF;
|
395 |
|
|
}
|
396 |
|
|
@Override
|
397 |
|
|
public boolean get_cs_d_b() throws Exception {
|
398 |
|
|
return d_b;
|
399 |
|
|
}
|
400 |
|
|
@Override
|
401 |
|
|
public int get_ds_base() throws Exception {
|
402 |
|
|
return 0;
|
403 |
|
|
}
|
404 |
|
|
@Override
|
405 |
|
|
public int get_ds_limit() throws Exception {
|
406 |
|
|
return 0x000FFFFF;
|
407 |
|
|
}
|
408 |
|
|
@Override
|
409 |
|
|
public int get_es_base() throws Exception {
|
410 |
|
|
return 0;
|
411 |
|
|
}
|
412 |
|
|
@Override
|
413 |
|
|
public int get_es_limit() throws Exception {
|
414 |
|
|
return 0x000FFFFF;
|
415 |
|
|
}
|
416 |
|
|
@Override
|
417 |
|
|
public int get_fs_base() throws Exception {
|
418 |
|
|
return 0;
|
419 |
|
|
}
|
420 |
|
|
@Override
|
421 |
|
|
public int get_fs_limit() throws Exception {
|
422 |
|
|
return 0x000FFFFF;
|
423 |
|
|
}
|
424 |
|
|
@Override
|
425 |
|
|
public int get_gs_base() throws Exception {
|
426 |
|
|
return 0;
|
427 |
|
|
}
|
428 |
|
|
@Override
|
429 |
|
|
public int get_gs_limit() throws Exception {
|
430 |
|
|
return 0x000FFFFF;
|
431 |
|
|
}
|
432 |
|
|
@Override
|
433 |
|
|
public int get_ss_base() throws Exception {
|
434 |
|
|
return 0;
|
435 |
|
|
}
|
436 |
|
|
@Override
|
437 |
|
|
public int get_ss_limit() throws Exception {
|
438 |
|
|
return 0x000FFFFF;
|
439 |
|
|
}
|
440 |
|
|
}
|
441 |
|
|
*/
|