xorhex
/ Pin to Unpin - Code Snippet 4 - Pin Tool Replacement Function
Created
September 15, 2019 23:17
Code Snippet 4 - Pin Tool Replacement Function
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| UINT16 __stdcall SetSystemDefaultUILanguage() { | |
| return (UINT16)newLangCode; | |
| } |
xorhex
/ Pin to Unpin - Code Snippet 5 - Pin Tool KNOB
Last active
September 15, 2019 23:19
Code Snippet 5 - Pin Tool KNOB
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| KNOB<UINT32> KnobLangugeCode(KNOB_MODE_WRITEONCE, "pintool", | |
| "c", "", "value of the language code to set"); |
xorhex
/ Pin to Unpin - Code Snippet 6 - Get KNOB Value
Created
September 15, 2019 23:19
Code Snippet 6 - Get KNOB Value
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| newLangCode = KnobLangugeCode.Value(); |
xorhex
/ Pin to Unpin - Code Snippet 7 - Complete Code
Created
September 15, 2019 23:22
Code Snippet 7 - Complete Code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*! @file | |
| * This is the PIN tool example modified to replace the | |
| * GetSystemDefaultUILanguage function to return a value we | |
| * control via a command line parameter. | |
| */ | |
| #include "pin.H" | |
| #include <iostream> | |
| #include <fstream> |
xorhex
/ FlareOn 2017, 3 - Code Snippet 1: `sub_40011E6` Function Call
Created
September 15, 2019 23:36
Code Snippet 1: `sub_40011E6` Function Call
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .text:00401047 mov eax, offset loc_40107C | |
| .text:0040104C mov [ebp+var_C], eax | |
| .text:0040104F push 79h | |
| .text:00401051 push [ebp+var_C] | |
| .text:00401054 call sub_4011E6 |
xorhex
/ FlareOn 2017, 3 - Code Snippet 2: Copy Bytes Out Using IDA
Created
September 15, 2019 23:37
Code Snippet 2: Copy Bytes Out Using IDA
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| with open('greek_to_me_buffer.asm', 'wb') as f: | |
| f.write(idaapi.get_many_bytes(0x40107C, 0x79)) |
xorhex
/ FlareOn 2017, 3 - Code Snippet 3: Loop Through Possible Input Values
Created
September 15, 2019 23:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| for buf in xrange(0x100): | |
| print("Using {0}".format(buf)) |
xorhex
/ FlareOn 2017, 3 - Code Snippet 4: First De-Obfuscation Routine
Created
September 15, 2019 23:39
Code Snippet 4: First De-Obfuscation Routine
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Variable to store the bits written to disk using IDA | |
| asm = None | |
| # Store the output from the first de-obfuscation routine | |
| b2 = [] | |
| # Read in bytes written to file from IDA | |
| with open('greek_to_me_buffer.asm', 'rb') as f: | |
| asm = f.read() | |
| # Re-implement loc_401039 | |
| dl = buf |
xorhex
/ FlareOn 2017, 3 - Code Snippet 5: Angr Project
Created
September 15, 2019 23:40
Code Snippet 5: Angr Project
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| p = angr.Project('greek_to_me.exe', load_options={'auto_load_libs': False}) |
xorhex
/ FlareOn 2017, 3 - Code Snippet 6: Angr Simulating Function
Created
September 15, 2019 23:40
Code Snippet 6: Angr Simulating Function
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Set up angr to "run" sub_4011E6 | |
| s = p.factory.blank_state(addr=0x4011E6) | |
| s.mem[s.regs.esp+4:].dword = 1 # Angr memory location to hold the xor'ed and add'ed bytes | |
| s.mem[s.regs.esp+8:].dword = 0x79 # Length of ASM | |
| # Copy bytes output from loc_401039 into address 0x1 so Angr can run it | |
| asm = ''.join(map(lambda x: chr(x), b2)) | |
| s.memory.store(1, s.se.BVV(int(asm.encode('hex'), 16), 0x79 * 8 )) | |
| # Create a simulation manager... |