文件列表:

CodeGenerator.py (4868, 2021-08-31)
Instructions.py (4191, 2021-08-31)
LICENSE (1061, 2021-08-31)
Operand.py (1551, 2021-08-31)
cisol.py (961, 2021-08-31)
environment.h (3210, 2021-08-31)

# cisol - C isolation tool --- # Introduction Mini tool to translating fragments of x86 asm to C code. When i was doing CTF task, i rewritten a large part of program because i wanted to understand how it works (and write a keygen, ofc). Rewritting code, instruction by instruction took too long time. So i thinked about this simple tool, that might be useful for CTF's. For now, is definitely not useful for anything, and supports only basic instructions. Feel free to contribute! :) --- # Simple example ``` int main() { char a[4] = {1, 2, 3, 4}; unsigned int sum = 0; for(unsigned char i=0;i<4;++i) sum += a[i]; printf("%d\n", sum); } ``` ### Dump of main. (From radare2) ``` ;-- main: 0x00000710 55 push rbp 0x00000711 4889e5 mov rbp, rsp 0x00000714 4883ec20 sub rsp, 0x20 0x00000718 ***488b042528. mov rax, qword fs:[0x28] ; [0x28:8]=0x19d8 ; '(' 0x00000721 488945f8 mov qword [rbp - 8], rax 0x00000725 31c0 xor eax, eax 0x00000727 c***5f401 mov byte [rbp - 0xc], 1 0x0000072b c***5f502 mov byte [rbp - 0xb], 2 0x0000072f c***5f603 mov byte [rbp - 0xa], 3 0x00000733 c***5f704 mov byte [rbp - 9], 4 0x00000737 c745f0000000. mov dword [rbp - 0x10], 0 0x0000073e c***5ef00 mov byte [rbp - 0x11], 0 ,=< 0x00000742 eb15 jmp 0x759 ;[1] .--> 0x00000744 0fb***5ef movzx eax, byte [rbp - 0x11] || 0x00000748 48*** cdqe || 0x0000074a 0fb***405f4 movzx eax, byte [rbp + rax - 0xc] || 0x0000074f 0fbec0 movsx eax, al || 0x00000752 0145f0 add dword [rbp - 0x10], eax || 0x00000755 8045ef01 add byte [rbp - 0x11], 1 |`-> 0x00000759 807def03 cmp byte [rbp - 0x11], 3 ; [0x3:1]=70 `==< 0x0000075d 76e5 jbe 0x744 ;[2] 0x0000075f 8b45f0 mov eax, dword [rbp - 0x10] 0x00000762 89c6 mov esi, eax 0x000007*** 488d3da90000. lea rdi, 0x00000814 ; "%d\n" 0x0000076b b800000000 mov eax, 0 0x00000770 e853feffff call sym.imp.printf ;[3] 0x00000775 b800000000 mov eax, 0 0x0000077a 488b55f8 mov rdx, qword [rbp - 8] 0x0000077e ***4833142528. xor rdx, qword fs:[0x28] ,=< 0x00000787 7405 je 0x78e ;[4] | 0x00000789 e832feffff call sym.imp.__stack_chk_fail ;[5] `-> 0x0000078e c9 leave 0x0000078f c3 ret ``` ### Finally, cisol translate this code (in range 0x727-0x760) to equivalent C code ```./cisol.py -f bin/main -o out.c -b 0x727 -e 0x760``` ``` void func() { MEMORY(uint8_t, rbp-12) = 1; // mov byte ptr [rbp - 0xc], 1 MEMORY(uint8_t, rbp-11) = 2; // mov byte ptr [rbp - 0xb], 2 MEMORY(uint8_t, rbp-10) = 3; // mov byte ptr [rbp - 0xa], 3 MEMORY(uint8_t, rbp-9) = 4; // mov byte ptr [rbp - 9], 4 MEMORY(uint32_t, rbp-16) = 0; // mov dword ptr [rbp - 0x10], 0 MEMORY(uint8_t, rbp-17) = 0; // mov byte ptr [rbp - 0x11], 0 goto _32; // jmp 0x32 _1d:; rbx = 0, eax = MEMORY(uint8_t, rbp-17); // movzx eax, byte ptr [rbp - 0x11] // cdqe not implemented yet; rbx = 0, eax = MEMORY(uint8_t, rbp+rax*1-12); // movzx eax, byte ptr [rbp + rax - 0xc] rbx = 0, eax = al; // movsx eax, al TMP32(MEMORY(uint32_t, rbp-16), +, eax); // add dword ptr [rbp - 0x10], eax SET_CF_ADD(32, MEMORY(uint32_t, rbp-16)); SET_ZF(32); SET_AF_0(MEMORY(uint8_t, rbp-16), al); SET_OF_ADD(MEMORY(uint32_t, rbp-16), eax, 32, 0x80000000); MEMORY(uint32_t, rbp-16) = tmp32; TMP8(MEMORY(uint8_t, rbp-17), +, 1); // add byte ptr [rbp - 0x11], 1 SET_CF_ADD(8, MEMORY(uint8_t, rbp-17)); SET_ZF(8); SET_AF_0(MEMORY(uint8_t, rbp-17), 1); SET_OF_ADD(MEMORY(uint8_t, rbp-17), 1, 8, 0x80); MEMORY(uint8_t, rbp-17) = tmp8; _32:; TMP8(MEMORY(uint8_t, rbp-17), -, 3); // cmp byte ptr [rbp - 0x11], 3 SET_CF_SUB(MEMORY(uint8_t, rbp-17), 3); SET_ZF(8); SET_AF_0(MEMORY(uint8_t, rbp-17), 3); SET_OF_SUB(MEMORY(uint8_t, rbp-17), 3, 8, 0x80); if(cf == 1 || zf == 1) goto _1d; // jbe 0x1d } int main() { rbp = 20; // here we set env (regs, memory) func(); // sum is 10 printf("%d\n", MEMORY(uint8_t, rbp-0x10)); } ```

近期下载者：

相关文件：

评论：[我要评论] [举报此文件]

收藏者：