1 |
2 |
alfik |
/*
|
2 |
|
|
* Copyright (c) 2014, Aleksander Osman
|
3 |
|
|
* All rights reserved.
|
4 |
|
|
*
|
5 |
|
|
* Redistribution and use in source and binary forms, with or without
|
6 |
|
|
* modification, are permitted provided that the following conditions are met:
|
7 |
|
|
*
|
8 |
|
|
* * Redistributions of source code must retain the above copyright notice, this
|
9 |
|
|
* list of conditions and the following disclaimer.
|
10 |
|
|
*
|
11 |
|
|
* * Redistributions in binary form must reproduce the above copyright notice,
|
12 |
|
|
* this list of conditions and the following disclaimer in the documentation
|
13 |
|
|
* and/or other materials provided with the distribution.
|
14 |
|
|
*
|
15 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
16 |
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
17 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
18 |
|
|
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
19 |
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
20 |
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
21 |
|
|
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
22 |
|
|
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
23 |
|
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
24 |
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
25 |
|
|
*/
|
26 |
|
|
|
27 |
|
|
package ao486.test.interrupt;
|
28 |
|
|
|
29 |
|
|
import ao486.test.TestUnit;
|
30 |
|
|
import ao486.test.layers.FlagsLayer;
|
31 |
|
|
import ao486.test.layers.GeneralRegisterLayer;
|
32 |
|
|
import ao486.test.layers.HandleModeChangeLayer;
|
33 |
|
|
import ao486.test.layers.IOLayer;
|
34 |
|
|
import ao486.test.layers.InstructionLayer;
|
35 |
|
|
import ao486.test.layers.Layer;
|
36 |
|
|
import ao486.test.layers.MemoryLayer;
|
37 |
|
|
import ao486.test.layers.MemoryPatchLayer;
|
38 |
|
|
import ao486.test.layers.OtherLayer;
|
39 |
|
|
import ao486.test.layers.Pair;
|
40 |
|
|
import ao486.test.layers.SegmentLayer;
|
41 |
|
|
import ao486.test.layers.StackLayer;
|
42 |
|
|
import java.io.*;
|
43 |
|
|
import java.util.LinkedList;
|
44 |
|
|
import java.util.Random;
|
45 |
|
|
|
46 |
|
|
|
47 |
|
|
public class TestINT_INT3_INTO_INT1_real extends TestUnit implements Serializable {
|
48 |
|
|
public static void main(String args[]) throws Exception {
|
49 |
|
|
run_test(TestINT_INT3_INTO_INT1_real.class);
|
50 |
|
|
}
|
51 |
|
|
|
52 |
|
|
//--------------------------------------------------------------------------
|
53 |
|
|
@Override
|
54 |
|
|
public int get_test_count() throws Exception {
|
55 |
|
|
return 100;
|
56 |
|
|
}
|
57 |
|
|
|
58 |
|
|
@Override
|
59 |
|
|
public void init() throws Exception {
|
60 |
|
|
|
61 |
|
|
random = new Random(14 + index);
|
62 |
|
|
|
63 |
|
|
String instruction;
|
64 |
|
|
while(true) {
|
65 |
|
|
layers.clear();
|
66 |
|
|
|
67 |
|
|
LinkedList<Pair<Long, Long>> prohibited_list = new LinkedList<>();
|
68 |
|
|
|
69 |
|
|
// if false: v8086 mode
|
70 |
|
|
boolean is_real = true;
|
71 |
|
|
|
72 |
|
|
InstructionLayer instr = new InstructionLayer(random, prohibited_list);
|
73 |
|
|
layers.add(instr);
|
74 |
|
|
StackLayer stack = new StackLayer(random, prohibited_list);
|
75 |
|
|
layers.add(stack);
|
76 |
|
|
layers.add(new OtherLayer(is_real ? OtherLayer.Type.REAL : OtherLayer.Type.PROTECTED_OR_V8086, random));
|
77 |
|
|
layers.add(new FlagsLayer(is_real ? FlagsLayer.Type.RANDOM : FlagsLayer.Type.V8086, random));
|
78 |
|
|
layers.add(new GeneralRegisterLayer(random));
|
79 |
|
|
layers.add(new SegmentLayer(random));
|
80 |
|
|
layers.add(new MemoryLayer(random));
|
81 |
|
|
layers.add(new IOLayer(random));
|
82 |
|
|
layers.addFirst(new HandleModeChangeLayer(
|
83 |
|
|
getInput("cr0_pe"),
|
84 |
|
|
getInput("vmflag"),
|
85 |
|
|
getInput("cs_rpl"),
|
86 |
|
|
getInput("cs_p"),
|
87 |
|
|
getInput("cs_s"),
|
88 |
|
|
getInput("cs_type")
|
89 |
|
|
));
|
90 |
|
|
|
91 |
|
|
// instruction size
|
92 |
|
|
boolean cs_d_b = getInput("cs_d_b") == 1;
|
93 |
|
|
|
94 |
|
|
boolean a32 = random.nextBoolean();
|
95 |
|
|
boolean o32 = random.nextBoolean();
|
96 |
|
|
|
97 |
|
|
long cs_limit = getInput("cs_limit");
|
98 |
|
|
|
99 |
|
|
// type
|
100 |
|
|
|
101 |
|
|
/* 0 - INTO overflow not set
|
102 |
|
|
* 1 - IDTR limit
|
103 |
|
|
* 2 - new_eip out of bounds
|
104 |
|
|
*
|
105 |
|
|
* 3 - all ok
|
106 |
|
|
*/
|
107 |
|
|
int type = random.nextInt(4);
|
108 |
|
|
|
109 |
|
|
|
110 |
|
|
// instruction
|
111 |
|
|
boolean is_into = (type == 0)? true : random.nextInt(3) == 0;
|
112 |
|
|
|
113 |
|
|
instruction = prepare_instr(cs_d_b, a32, o32, is_into);
|
114 |
|
|
|
115 |
|
|
|
116 |
|
|
if(type == 0) {
|
117 |
|
|
|
118 |
|
|
Layer of_layer = new Layer() {
|
119 |
|
|
long oflag() { return 0; }
|
120 |
|
|
};
|
121 |
|
|
layers.addFirst(of_layer);
|
122 |
|
|
|
123 |
|
|
instruction += "0F0F";
|
124 |
|
|
}
|
125 |
|
|
else if(type == 1) {
|
126 |
|
|
|
127 |
|
|
final int limit = random.nextInt(vector * 4 + 3);
|
128 |
|
|
Layer idtr_layer = new Layer() {
|
129 |
|
|
long idtr_limit() { return limit; }
|
130 |
|
|
};
|
131 |
|
|
layers.addFirst(idtr_layer);
|
132 |
|
|
}
|
133 |
|
|
else if(type >= 2) {
|
134 |
|
|
final int limit = vector * 4 + 4 + random.nextInt(5);
|
135 |
|
|
Layer idtr_limit_layer = new Layer() {
|
136 |
|
|
long idtr_limit() { return limit; }
|
137 |
|
|
};
|
138 |
|
|
layers.addFirst(idtr_limit_layer);
|
139 |
|
|
|
140 |
|
|
// set idtr base
|
141 |
|
|
long idtr_base;
|
142 |
|
|
while(true) {
|
143 |
|
|
idtr_base = Layer.norm(random.nextInt());
|
144 |
|
|
|
145 |
|
|
if( idtr_base + limit < 4294967296L &&
|
146 |
|
|
Layer.collides(prohibited_list, (int)idtr_base, (int)(idtr_base + limit)) == false
|
147 |
|
|
) break;
|
148 |
|
|
}
|
149 |
|
|
prohibited_list.add(new Pair<>(idtr_base, idtr_base + limit));
|
150 |
|
|
|
151 |
|
|
final long idtr_base_final = idtr_base;
|
152 |
|
|
Layer idtr_base_layer = new Layer() {
|
153 |
|
|
long idtr_base() { return idtr_base_final; }
|
154 |
|
|
};
|
155 |
|
|
layers.addFirst(idtr_base_layer);
|
156 |
|
|
|
157 |
|
|
//set cs and eip
|
158 |
|
|
long new_cs;
|
159 |
|
|
long new_eip;
|
160 |
|
|
long dest;
|
161 |
|
|
while(true) {
|
162 |
|
|
new_cs = random.nextInt(65536);
|
163 |
|
|
new_eip = random.nextInt(65536);
|
164 |
|
|
|
165 |
|
|
dest = (new_cs << 4) + new_eip;
|
166 |
|
|
|
167 |
|
|
if( dest < 4294967296L &&
|
168 |
|
|
Layer.collides(prohibited_list, (int)dest, (int)(dest + 2)) == false
|
169 |
|
|
) break;
|
170 |
|
|
}
|
171 |
|
|
prohibited_list.add(new Pair<>(dest, dest + 2));
|
172 |
|
|
|
173 |
|
|
if(type == 2 && cs_limit < 0xFFFF) {
|
174 |
|
|
new_eip = cs_limit + 1 + random.nextInt((int)(0xFFFF - cs_limit));
|
175 |
|
|
}
|
176 |
|
|
|
177 |
|
|
// set new_cs and new_eip
|
178 |
|
|
MemoryPatchLayer int_patch = new MemoryPatchLayer(random, prohibited_list, (int)(idtr_base + 4*vector),
|
179 |
|
|
(byte)(new_eip & 0xFF), (byte)((new_eip >> 8) & 0xFF),
|
180 |
|
|
(byte)(new_cs & 0xFF), (byte)((new_cs >> 8) & 0xFF));
|
181 |
|
|
layers.addFirst(int_patch);
|
182 |
|
|
|
183 |
|
|
// set destination
|
184 |
|
|
MemoryPatchLayer patch = new MemoryPatchLayer(random, prohibited_list, (int)dest, 0x0F,0x0F);
|
185 |
|
|
layers.addFirst(patch);
|
186 |
|
|
|
187 |
|
|
System.out.printf("new_cs: %04x\n", new_cs);
|
188 |
|
|
System.out.printf("new_ip: %04x\n", new_eip);
|
189 |
|
|
System.out.printf("dest: %08x\n", dest);
|
190 |
|
|
}
|
191 |
|
|
|
192 |
|
|
|
193 |
|
|
if(type >= 1 && is_into) {
|
194 |
|
|
Layer of_layer = new Layer() {
|
195 |
|
|
boolean get_of() { return true; }
|
196 |
|
|
};
|
197 |
|
|
layers.addFirst(of_layer);
|
198 |
|
|
}
|
199 |
|
|
|
200 |
|
|
|
201 |
|
|
// add instruction
|
202 |
|
|
instr.add_instruction(instruction);
|
203 |
|
|
|
204 |
|
|
// end condition
|
205 |
|
|
break;
|
206 |
|
|
}
|
207 |
|
|
|
208 |
|
|
System.out.println("Instruction: [" + instruction + "]");
|
209 |
|
|
}
|
210 |
|
|
|
211 |
|
|
String prepare_instr(boolean cs_d_b, boolean a32, boolean o32, boolean is_into) throws Exception {
|
212 |
|
|
int opcodes[] = {
|
213 |
|
|
0xCC,0xCD,0xF1,0xCE
|
214 |
|
|
};
|
215 |
|
|
|
216 |
|
|
String prefix = "";
|
217 |
|
|
if(cs_d_b != o32) { prefix = "66" + prefix; }
|
218 |
|
|
if(cs_d_b != a32) { prefix = "67" + prefix; }
|
219 |
|
|
|
220 |
|
|
int opcode = opcodes[(is_into)? 3 : random.nextInt(3)];
|
221 |
|
|
|
222 |
|
|
int len = (opcode == 0xCD)? 2 : 1;
|
223 |
|
|
|
224 |
|
|
byte instr[] = new byte[len];
|
225 |
|
|
instr[0] = (byte)opcode;
|
226 |
|
|
if(len >= 2) instr[1] = (byte)random.nextInt();
|
227 |
|
|
|
228 |
|
|
if(opcode == 0xCC) vector = 3;
|
229 |
|
|
if(opcode == 0xCD) vector = (instr[1] < 0)? instr[1] + 256 : instr[1];
|
230 |
|
|
if(opcode == 0xCE) vector = 4;
|
231 |
|
|
if(opcode == 0xF1) vector = 1;
|
232 |
|
|
|
233 |
|
|
return prefix + bytesToHex(instr);
|
234 |
|
|
}
|
235 |
|
|
int vector;
|
236 |
|
|
}
|