Initiation au langage d'assemblage

 % cat main.c 
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char** argv) {
    printf("Hello, world!\n");
    return EXIT_SUCCESS;
}

% gcc -o main main.c -m32

% file main
main: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xbb18920a5be16ccd8f707db06e5abf964f9bcf7c, not stripped

 % readelf -h main
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048320
  Start of program headers:          52 (bytes into file)
  Start of section headers:          1964 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         8
  Size of section headers:           40 (bytes)
  Number of section headers:         31
  Section header string table index: 28

 % cat naive_disassembler.py 
#!/usr/bin/env python3
import sys

if len(sys.argv) < 2:
    print("Usage: %s <binary>" % (sys.argv[0]))
    sys.exit(-1)

with open(sys.argv[1], "rb") as file_handle:
    binary_content = file_handle.read()
    file_handle.close()

    with open("%s.asm" % (sys.argv[1]), "w") as output_asm_file:
        output_asm_file.write("bits 32\n\n")
        for c in binary_content:
            output_asm_file.write("db 0x%02X\n" % (c & 0xff))
        output_asm_file.close()
        print("Written %d bytes into output file!" % len(binary_content))

ge0@samaritan ~/python/retrodisass
 % ./naive_disassembler.py              
Usage: ./naive_disassembler.py <binary>
ge0@samaritan ~/python/retrodisass
 % ./naive_disassembler.py ./main
Written 4868 bytes into output file!
ge0@samaritan ~/python/retrodisass
 % head main.asm 
bits 32

db 0x7F
db 0x45
db 0x4C
db 0x46
db 0x01
db 0x01
db 0x01
db 0x00

% nasm -f bin main.asm -o main_assembled

% md5sum main_assembled             
d63e1c7dee081a3a1f5c210481ef928f  main_assembled
 % md5sum main                   
d63e1c7dee081a3a1f5c210481ef928f  main

% cat helloworld.asm 
bits 32

extern printf

section .data ; section des données (format ELF)
helloWorld db "Hello world", 10, 0 ; 10 = Line Feed, 0 = Null-Byte

section .text ; section du code (format ELF)

global main ; pour le linker

main:
    push ebp ; prologue
    mov ebp, esp
    sub esp, 4 ; on alloue de l'espace mémoire au sein de la pile
    mov dword [esp], helloWorld ; dépose l'argument sur la pile
    call printf
    xor eax, eax ; return 0
    leave
    ret ; épilogue / fin de la fonction

 % nasm -f elf32 helloworld.asm -o helloworld.o      
ge0@samaritan ~/python/retrodisass
 % gcc -o helloworld helloworld.o -m32
% ./helloworld
Hello world

Pour chaque segment:
    si le point d'entrée est supérieur ou égal à l'adresse de base du segment ET
    inférieur à l'adresse de base + la taille du segment alors :
         offset_point_d_entree = offset_base_segment + (adresse_point_d_entree - adresse_base_segment)

#!/usr/bin/env python3
import sys
import logging
from elftools.elf.elffile import ELFFile
from elftools.elf.descriptions import describe_p_type

if len(sys.argv) < 2:
    print("Usage: %s <binary>" % (sys.argv[0]))
    sys.exit(-1)

with open(sys.argv[1], "rb") as file_handle:
    binary_content = file_handle.read()
    elf_file       = ELFFile(file_handle)
    entry_point    = elf_file['e_entry']
    #print(entry_point)
    print("Entry point: %08X\n" % (entry_point))
    print("Retrieving appropriated offset...")
    start_offset = -1
    for segment in elf_file.iter_segments():

        start = segment['p_vaddr']
        size  = segment['p_filesz']

        print("Segment '%s' starting at %08X with size of %d bytes" %
            (describe_p_type(segment['p_type']), segment['p_vaddr'], segment['p_filesz']))

        if(entry_point >= start and entry_point < (start+size)):
            print("\t*** Entry point is located here! ***")
            start_offset = segment['p_offset'] + (entry_point - start)

    if start_offset >= 0:
        print("Start offset computed at %08X" % (start_offset))

    with open("%s.asm" % (sys.argv[1]), "w") as output_asm_file:
        output_asm_file.write("bits 32\n\n")
        i = 0
        for c in binary_content:
            if i == start_offset:
                output_asm_file.write("_start:\n")
            output_asm_file.write("\tdb 0x%02X\n" % (c & 0xff))
            i += 1
        output_asm_file.close()
        print("Written %d bytes into output file!" % len(binary_content))

    file_handle.close()

ge0@samaritan ~/python/retrodisass
 % ./naive_disassembler2.py 
Usage: ./naive_disassembler2.py <binary>
ge0@samaritan ~/python/retrodisass
 % ./naive_disassembler2.py ./main
Entry point: 08048320

Retrieving appropriated offset...
Segment 'PHDR' starting at 08048034 with size of 256 bytes
Segment 'INTERP' starting at 08048134 with size of 19 bytes
Segment 'LOAD' starting at 08048000 with size of 1356 bytes
        *** Entry point is located here! ***
Segment 'LOAD' starting at 0804954C with size of 288 bytes
Segment 'DYNAMIC' starting at 08049558 with size of 240 bytes
Segment 'NOTE' starting at 08048148 with size of 68 bytes
Segment 'GNU_EH_FRAME' starting at 080484D0 with size of 28 bytes
Segment 'GNU_STACK' starting at 00000000 with size of 0 bytes
Start offset computed at 00000320
Written 4868 bytes into output file!
ge0@samaritan ~/python/retrodisass
 % nasm -f bin main.asm -o main_assembled
ge0@samaritan ~/python/retrodisass
 % md5sum ./main ./main_assembled 
d63e1c7dee081a3a1f5c210481ef928f  ./main
d63e1c7dee081a3a1f5c210481ef928f  ./main_assembled

code_coverage = create_code_coverage(elf_file)

asm_file = disassemble(code_coverage, elf_file)

class CodeCoverage(object):
    def __init__(self, disassembler, regions, base_address=0x0):
        """ Init a CodeCoverage class, which aims at "covering" a whole binary by
        locating/differentiating code from (relevant) data, and so on."""
        self._base_address = base_address
        self._disassembler = disassembler
        if regions is None:
            self._regions = []
        else:
            self._regions = regions

    @property
    def base_address():
        """ Retrieve the base memory address used by the code coverage """
        return self._base_address

    @property
    def regions():
        """ Retrieve the regions handled by the code coverage """
        return self._regions

    @property
    def disassembler(self):
        """ Get the current disassembler instance """
        return self._disassembler

    def disassemble(self, data):
        self._disassembler.set_org(self._base_address)
        offset = 0
        for region in self._regions:
            region.get_disassembled(self._disassembler, data[offset:offset+region.size])
            offset += region.size

class BinaryRegion(object):
    def __init__(self, label, size, base_address):
        self._size = size
        self._label = label
        self._base_address = base_address

    @property
    def size(self):
        """ Retrieve the size of the region """
        return self._size

    @property
    def label(self):
        """ Retrieve the label of the region """
        return self._label

    @property
    def base_address(self):
        """ Retrieve the base address of the region """
        return self._base_address

    def get_disassembled(self, disassembler, data):
        pass

class UnknownRegion(BinaryRegion):
    def get_disassembled(self, disassembler, data):
        disassembler.disassemble_unknown_region(self, data)

class CodeRegion(BinaryRegion):
    def get_disassembled(self, disassembler, data):
        disassembler.disassemble_code_region(self, data)

class DataRegion(BinaryRegion):
    def get_disassembled(self, disassembler, data):
        disassembler.disassemble_data_region(self, data)

import capstone

class BinaryDisassembler(object):
    def set_org(self, org):
        pass
    def disassemble_unknown_region(self, region):
        pass
    def disassemble_code_region(self, region):
        pass
    def disassemble_data_region(self, region):
        pass

class NaiveBinaryDisassembler(BinaryDisassembler):
    def __init__(self, output_file):
        self._handle = open("%s_naive_disass.asm" % (output_file), "w")
        self._handle.write("bits 32\n") # For the beauty of the PoC

    def _output_region_comments(self, region, comment="REGION"):
        self._handle.write("; ---------------- %s ----------------\n"
        "; Name: %s\n"
        "; Base Address: %08X\n"
        "; Size: %d bytes\n" % (comment, region.label, region.base_address, region.size))

    def set_org(self, org):
        self._handle.write("ORG 0x%08X\n" % (org))

    def disassemble_unknown_region(self, region, data):
        self._output_region_comments(region, "UNKNOWN REGION")
        self._handle.write("%s:\n" % (region.label))
        self._handle.write("db 0x%02X" % (data[0]))
        i = 1
        while i < len(data):
            if(i % 16 == 0):
                self._handle.write("\ndb 0x%02X" % (data[i]))
            else:
                self._handle.write(", 0x%02X" % (data[i]))
            i += 1
        self._handle.write("\n")

        self._handle.write("; ------------------------------------------------\n\n")

    def disassemble_code_region(self, region, data):
        self._output_region_comments(region, "EXECUTABLE CODE")
        # TODO: check the target architecture.
        md  = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
        for instruction in md.disasm(data, region.base_address):
            self._handle.write("\t%s %s\n" % (instruction.mnemonic, instruction.op_str))
        #self.disassemble_unknown_region(region, data)

    def disassemble_data_region(region):
        # TODO
        self.disassemble_unknown_region(region, data)

#!/usr/bin/env python3
import sys
import logging
from elftools.elf.elffile import ELFFile
from elftools.elf.descriptions import describe_p_type
import capstone
import code_coverage
import binary_disassembler

def linear_sweep_disassemble(base_addr, code, arch, mode):
    # Dumb strategy, disass until:
    #   - end of code reached OR
    #   - ret or hlt instruction is met
    disassembler = capstone.Cs(arch, mode)
    for current_instruction in disassembler.disasm(code, base_addr):
        print("%s\t%s" % (current_instruction.mnemonic, current_instruction.op_str))

def create_start_proc_region(content, base_address):
    region = code_coverage.CodeRegion("start", 0, base_address)
    disassembler = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
    for instruction in disassembler.disasm(content, 0x00000000):
        region._size += instruction.size
        if instruction.mnemonic == "ret" or instruction.mnemonic == "hlt":
            break
    return region

if len(sys.argv) < 2:
    print("Usage: %s <binary>" % (sys.argv[0]))
    sys.exit(-1)

def get_elf_information(elf_file):
    base_address = 0
    start_offset = 0
    for segment in elf_file.iter_segments():
        if(segment['p_type'] == 'PT_LOAD' and segment['p_offset'] == 0):
            base_address = segment['p_vaddr']
        if(elf_file['e_entry'] >= segment['p_vaddr'] and elf_file['e_entry'] < (segment['p_vaddr'] + segment['p_filesz'])):
            start_offset = segment['p_offset'] + (elf_file['e_entry'] - base_address)
    return (base_address, start_offset)

def elf_gen_code_coverage(elf_file):
    elf_base_address, start_offset = get_elf_information(elf_file)

    disasm = binary_disassembler.NaiveBinaryDisassembler(sys.argv[1])
    regions = [ code_coverage.UnknownRegion("before_start", size=start_offset, base_address=elf_base_address) ]

    # start code until ret/hlt
    regions.append(create_start_proc_region(binary_content[start_offset:], elf_file['e_entry']))

    # rest of the code
    regions.append(code_coverage.UnknownRegion("after_start", len(binary_content) - (start_offset + regions[-1].size), elf_file['e_entry'] + (start_offset +regions[-1].size)))

    cover = code_coverage.CodeCoverage(disasm, regions, base_address=elf_base_address)
    return cover


with open(sys.argv[1], "rb") as file_handle:
    binary_content = file_handle.read()
    elf_file       = ELFFile(file_handle)

    print("Creating code coverage...")
    cover = elf_gen_code_coverage(elf_file)
    print("Disassembling the file...")
    cover.disassemble(binary_content)
    print("Done.")
    file_handle.close()

ge0@samaritan ~/python/retrodisass
 % ./naive_disassembler3.py
Usage: ./naive_disassembler3.py <binary>
ge0@samaritan ~/python/retrodisass
 % ./naive_disassembler3.py ./main
Creating code coverage...
Disassembling the file...
Done.

_start:
        xor ebp, ebp
        pop esi
        mov ecx, esp
        and esp, 0xfffffff0
        push eax
        push esp
        push edx
        push 0x8048430
        push 0x8048440
        push ecx
        push esi
        push 0x804840c
        call 0x8048310
        hlt

ge0@samaritan ~/python/retrodisass
 % nasm -f bin main_naive_disass.asm -o main_naive_disass
ge0@samaritan ~/python/retrodisass
 % chmod +x ./main_naive_disass
ge0@samaritan ~/python/retrodisass
 % ./main_naive_disass
Hello, world!
ge0@samaritan ~/python/retrodisass
 % md5sum ./main_naive_disass ./main
d63e1c7dee081a3a1f5c210481ef928f  ./main_naive_disass
d63e1c7dee081a3a1f5c210481ef928f  ./main

; These constants are for the segment types stored in the image headers
%define PT_NULL    0
%define PT_LOAD    1
%define PT_DYNAMIC 2
%define PT_INTERP  3
%define PT_NOTE    4
%define PT_SHLIB   5
%define PT_PHDR    6
%define PT_TLS     7        /* Thread local storage segment */
%define PT_LOOS    0x60000000   /* OS-specific */
%define PT_HIOS    0x6fffffff   /* OS-specific */
%define PT_LOPROC  0x70000000
%define PT_HIPROC  0x7fffffff
%define PT_GNU_EH_FRAME     0x6474e550

%define PT_GNU_STACK    (PT_LOOS + 0x474e551)

; These constants define the different elf file types
%define ET_NONE   0
%define ET_REL    1
%define ET_EXEC   2
%define ET_DYN    3
%define ET_CORE   4
%define ET_LOPROC 0xff00
%define ET_HIPROC 0xffff

; These constants define the various ELF target machines
%define EM_NONE         0
%define EM_M32          1
%define EM_SPARC        2
%define EM_386          3
%define EM_68K          4
%define EM_88K          5
%define EM_860          6
%define EM_MIPS         7
%define EM_PARISC       8
%define EM_SPARC32PLUS  9
%define EM_PPC          10
%define EM_PPC64        11
%define EM_S390         12
%define EM_ARM          13
%define EM_SH           14
%define EM_SPARCV9      15
%define EM_IA_64        16
%define EM_X86_64       17
%define EM_VAX          18

%define EI_NIDENT   16

struc Elf32_Ehdr
    .e_ident:        resb    16
    .e_type:         resw    1
    .e_machine:      resw    1
    .e_version:      resd    1
    .e_entry:        resd    1
    .e_phoff:        resd    1
    .e_shoff:        resd    1
    .e_flags:        resd    1
    .e_ehsize:       resw    1
    .e_phentsize:    resw    1
    .e_phnum:        resw    1
    .e_shentsize:    resw    1
    .e_shnum:        resw    1
    .e_shstrndx:     resw    1

    .size:
endstruc

; These constants define the permissions on sections in the program
; header, p_flags.
%define PF_R        0x4
%define PF_W        0x2
%define PF_X        0x1

struc Elf32_Phdr
    .p_type:         resd    1
    .p_offset:       resd    1
    .p_vaddr:        resd    1
    .p_paddr:        resd    1
    .p_filesz:       resd    1
    .p_memsz:        resd    1
    .p_flags:        resd    1
    .p_align:        resd    1

    .size:
endstruc

%define EI_MAG0     0   ; e_ident[] indexes
%define EI_MAG1     1
%define EI_MAG2     2
%define EI_MAG3     3
%define EI_CLASS    4
%define EI_DATA     5
%define EI_VERSION  6
%define EI_OSABI    7
%define EI_PAD      8

%define ELFMAG0     0x7f    ; EI_MAG
%define ELFMAG1     'E'
%define ELFMAG2     'L'
%define ELFMAG3     'F'
%define ELFMAG      `\177ELF`
%define SELFMAG     4

%define ELFCLASSNONE    0   ; EI_CLASS
%define ELFCLASS32  1
%define ELFCLASS64  2
%define ELFCLASSNUM 3

%define ELFDATANONE 0   ; e_ident[EI_DATA]
%define ELFDATA2LSB 1
%define ELFDATA2MSB 2

%define EV_NONE     0   ; e_version, EI_VERSION
%define EV_CURRENT  1
%define EV_NUM      2

%define ELFOSABI_NONE   0
%define ELFOSABI_LINUX  3

bits 32
ORG 0x08048000
header:
    istruc Elf32_Ehdr
        at Elf32_Ehdr.e_ident,      db `\x7FELF`, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, ELFOSABI_NONE, 0, 0, 0, 0
        at Elf32_Ehdr.e_type,       dw ET_EXEC
        at Elf32_Ehdr.e_machine,    dw EM_386
        at Elf32_Ehdr.e_version,    dd EV_CURRENT
        at Elf32_Ehdr.e_entry,      dd _start
        at Elf32_Ehdr.e_phoff,      dd (program_section_headers - header)
        at Elf32_Ehdr.e_shoff,      dd 0
        at Elf32_Ehdr.e_flags,      dd 0
        at Elf32_Ehdr.e_ehsize,     dw Elf32_Ehdr.size
        at Elf32_Ehdr.e_phentsize,  dw Elf32_Phdr.size
        at Elf32_Ehdr.e_phnum,      dw 1
        at Elf32_Ehdr.e_shentsize,  dw 0
        at Elf32_Ehdr.e_shnum,      dw 0
        at Elf32_Ehdr.e_shstrndx,   dw 0
    iend

program_section_headers:
    istruc Elf32_Phdr
        at Elf32_Phdr.p_type,   db PT_LOAD
        at Elf32_Phdr.p_offset, dd 0
        at Elf32_Phdr.p_vaddr,  dd header
        at Elf32_Phdr.p_paddr,  dd header
        at Elf32_Phdr.p_filesz, dd (end - header)
        at Elf32_Phdr.p_memsz,  dd (end - header)
        at Elf32_Phdr.p_flags,  dd PF_X | PF_R
        at Elf32_Phdr.p_align,  dd 0x1000
    iend


data:
    HelloWorld  db "Hello world!", 10
_start:
    mov eax, 4 ; sys_write
    mov ebx, 1 ; stdout
    mov ecx, HelloWorld
    mov edx, 13
    int 0x80

    mov eax, 1 ; sys_exit
    xor ebx, ebx
    int 0x80

end:

% nasm -f bin ./test_elf.asm -o test_elf
% chmod +x ./test_elf
% ./test_elf
Hello world
% echo $?
0