Esempio n. 1
0
 public static UInt64 StrToQWord(String str)
 {
     if (str.Length > 0 && str[0] == '$')
     {
         str = "0x" + str.Substring(1);
     }
     return(UStringUtils.StringToUInt64(str));
 }
Esempio n. 2
0
 public static Int32 StrToInt(String str)
 {
     if (str.Length > 0 && str[0] == '$')
     {
         str = "0x" + str.Substring(1);
     }
     return(UStringUtils.StringToInt32(str));
 }
Esempio n. 3
0
        public UIntPtr GetAddressFromName(String name, Boolean waitForSymbols)
        {
            var result = GetAddressFromName(name, waitForSymbols, out var x);

            if (x)
            {
                throw new Exception(UStringUtils.Sprintf("Failure determining what %s means", name));
            }
            return(result);
        }
Esempio n. 4
0
        public static String BinToHexStr(Byte[] bin)
        {
            var HexSymbols = "0123456789ABCDEF";
            var str        = UStringUtils.StrNew('\0', 2 * bin.Length);

            using (var p = new UCharPtr(str))
            {
                for (var i = 0; i < bin.Length; i++)
                {
                    p[2 * i + 0] = HexSymbols[1 + (bin[i] >> 4) - 1];
                    p[2 * i + 1] = HexSymbols[1 + (bin[i] & 0xf) - 1];
                }
            }
            return(str);
        }
Esempio n. 5
0
        public static void a()
        {
            UTokenSp.Activate();
            AAsmTools.InitTools(new ASymbolHandler());
            var m = AAsmTools.SelfSymbolHandler.Process;

            AAsmTools.SymbolHandler.Process = m;
            var aa = AAsmTools.AutoAssembler;

            var cc   = @"
[ENABLE]
alloc(func, $1000)
registersymbol(func)

func:
mov eax, ecx
add dword ptr[data], eax
mov eax, dword ptr[data]
ret

data:
    db 00 00 00 00

[DISABLE]
unregistersymbol(func)
            ".Trim();
            var code = new ARefStringArray();

            code.Assign(UStringUtils.GetLines(cc).ToArray());
            aa.RemoveComments(code);
            var scr  = new AScriptBytesArray();
            var info = new ADisableInfo();
            var ret  = aa.AutoAssemble(m, code, false, true, false, false, info, false, scr);

            Console.WriteLine("Result: " + ret);

            var procAddress = AAsmTools.SymbolHandler.GetUserDefinedSymbolByName("func");

            Console.WriteLine("Symbol: " + procAddress.ToUInt64().ToString("X"));

            iTest = (ITest)Marshal.GetDelegateForFunctionPointer(procAddress.ToIntPtr(), typeof(ITest));

            Console.WriteLine(iTest.Invoke(1));


            Console.ReadKey();
            Environment.Exit(1);
        }
Esempio n. 6
0
 public static int RPos(String needle, String str, Boolean ignoreCase)
 {
     return(UStringUtils.LastIndexOf(str, needle, ignoreCase));
 }
Esempio n. 7
0
 public static int RPos(String needle, String str)
 {
     return(UStringUtils.LastIndexOf(str, needle));
 }
Esempio n. 8
0
 public static int RPos(Char needle, String str)
 {
     return(UStringUtils.LastIndexOf(str, needle.ToString()));
 }
Esempio n. 9
0
        public void ParseStringAndWriteToAddress(String value, UIntPtr address, AVariableType variableType, Boolean hexadecimal = false)
        {
            var v = 0UL;
            var s = 0.0f;
            var d = 0.0;
            var x = UIntPtr.Zero;

            if (hexadecimal && (variableType == AVariableType.Single || variableType == AVariableType.Double))
            {
                if (variableType == AVariableType.Single)
                {
                    variableType = AVariableType.DWord;
                }
                else
                {
                    variableType = AVariableType.QWord;
                }
            }
            if (variableType == AVariableType.ByteArray)
            {
                var b = new ATByteArray();
                AStringUtils.ConvertStringToBytes(value, hexadecimal, b);
                for (var i = 0; i < b.Length; i++)
                {
                    Proc.Memory.Write(UIntPtr.Add(address, i).ToIntPtr(), (Byte)b[i]);
                }
            }
            else
            {
                if (variableType == AVariableType.Single || variableType == AVariableType.Double)
                {
                    d = UStringUtils.StringToDouble(value);
                    s = UStringUtils.StringToFloat(value);
                }
                else
                {
                    if (!(variableType == AVariableType.String || variableType == AVariableType.UnicodeString))
                    {
                        if (hexadecimal)
                        {
                            value = "0x" + value;
                        }
                        v = AStringUtils.StrToQWordEx(value);
                        // todo make custom work
                        //if ((variableType == AVariableType.Custom) && (customtype != nil) & customtype.scriptusesfloat)
                        //s = UStringUtils.StringToFloat(value);
                    }
                }
                switch (variableType)
                {
                case AVariableType.Byte:
                    Proc.Memory.Write(address.ToIntPtr(), (Byte)v);
                    break;

                case AVariableType.Word:
                    Proc.Memory.Write(address.ToIntPtr(), (UInt16)v);
                    break;

                case AVariableType.DWord:
                    Proc.Memory.Write(address.ToIntPtr(), (UInt32)v);
                    break;

                case AVariableType.QWord:
                    Proc.Memory.Write(address.ToIntPtr(), v);
                    break;

                case AVariableType.Single:
                    Proc.Memory.Write(address.ToIntPtr(), s);
                    break;

                case AVariableType.Double:
                    Proc.Memory.Write(address.ToIntPtr(), d);
                    break;

                case AVariableType.String:
                    Proc.Memory.Write(address.ToIntPtr(), value, Encoding.ASCII);
                    break;

                case AVariableType.UnicodeString:
                    Proc.Memory.Write(address.ToIntPtr(), value, Encoding.UTF8);
                    break;

                case AVariableType.Custom:     // todo make custom work
                    //{
                    //    if (customtype != nil)
                    //    {
                    //        getmem(ba, customtype.bytesize);
                    //        //try
                    //        if (readprocessmemory(processhandle, (pointer)(address), ba, customtype.bytesize, x))
                    //        {
                    //            if (customtype.scriptusesfloat)
                    //                customtype.convertfloattodata(s, ba, address);
                    //            else
                    //                customtype.convertintegertodata(v, ba, address);
                    //
                    //            writeprocessmemory(processhandle, (pointer)(address), ba, customtype.bytesize, x);
                    //        }
                    //        //finally
                    //        freememandnil(ba);
                    //        //end;
                    //    }
                    //}
                    break;
                }
            }
        }
Esempio n. 10
0
        public void AddWideString(AByteArray bytes, String s)
        {
            var t = UStringUtils.SubStr(s, 1, -1); //not the quotes;

            Add(bytes, USpk.SpkEncoding.GetBytes(t));
        }
Esempio n. 11
0
 public static int Pos(Char needle, String str, Boolean ignoreCase)
 {
     return(UStringUtils.IndexOf(str, needle.ToString(), ignoreCase));
 }
Esempio n. 12
0
 public static String Copy(String str, int start, int length)
 {
     return(UStringUtils.SubStr(str, start, length));
 }
Esempio n. 13
0
 public static String Copy(String str)
 {
     return(UStringUtils.Copy(str));
 }
Esempio n. 14
0
        static void Main(string[] args)
        {
            //test.a();
            //var Brackets = new ACharArray('(', ')', '[', ']', '{', '}');
            //var StdWordDelims = new ACharArray(',', '.', ';', '/', '\\', ':', '\'', '"', '`', '(', ')', '[', ']', '{', '}');
            //StdWordDelims.AddRange(Brackets.TakeAll());
            //StdWordDelims.AddRange(ACharUtils.Range('\0', ' ').TakeAll());
            //
            //Console.WriteLine("done");

            var m = new AProcessSharp(System.Diagnostics.Process.GetProcessesByName("pacwin")[0], AMemoryType.Remote);

            UTokenSp.Activate();
            AAsmTools.InitTools(new ASymbolHandler());
            AAsmTools.SymbolHandler.Process = m;
            var a  = AAsmTools.Assembler;
            var b1 = new AByteArray();

            //var m2 = new AProcessSharp(System.Diagnostics.Process.GetCurrentProcess(), AMemoryType.Remote);
            a.SymbolHandler.Process = m;
            var aa = AAsmTools.AutoAssembler;
            //var result = a.Assemble("mov eax, [edx+esi+66]", 0x400300, b1); // E9 FB 01 00 00
            //var result = a.Assemble("mov rax,[1122334455778899]", 0x400300, b1); // E9 FB 01 00 00
            //Console.WriteLine("Result: " + result);
            //Console.WriteLine("Bytes:");
            //Console.WriteLine(UBinaryUtils.Expand(b1.TakeAll()));
            //
            //
            var d = AAsmTools.Disassembler;
            //var sd = "";
            //using (var pt = new UBytePtr(b1.TakeAll()))
            //{
            //    var ptt = pt.ToIntPtr().ToUIntPtr();
            //    d.Disassemble(ref ptt, ref sd);
            //}
            //Console.WriteLine(d.LastDisassembleData.Prefix + ' ' + d.LastDisassembleData.OpCode + ' ' + d.LastDisassembleData.Parameters);

            var bi = AAsmTools.ByteInterpreter;
            var bp = m.Memory.Read((IntPtr)0x411C88, 32);

            using (var bip = new UBytePtr(bp))
            {
                Console.WriteLine("Found dataType: " + bi.FindTypeOfData((UIntPtr)0x411C88, bip, 8));
                Console.WriteLine("Found dataType: " + bi.DataToString(bp, 8, AVariableType.Double));
            }

            // aa.Assembler.SymHandler.Process = m;
            // var cd = @"
            // 400300:
            // mov rax, [411c88]
            // mov rax, dword ptr[11223344556677]
            // ".Trim();
            // var codex = new ARefStringArray();
            // codex.Assign(UStringUtils.GetLines(cd).ToArray());
            // aa.RemoveComments(codex);
            //
            // var b = aa.Assemble(aa.SelfSymbolHandler.Process, codex);
            d.IsDataOnly = false;
            // d.Is64Bit = true;
            // d.SymbolHandler.Process = m;
            var s1 = "";
            // var bytes = new UBytePtr(b[0].Bytes.TakeAll());
            // //var ptr = bytes.ToIntPtr().ToUIntPtr();
            //
            var ptr = (UIntPtr)0x40230F;
            var i   = 30;

            while (i-- > 0)
            {
                try
                {
                    var dis = d.Disassemble(ref ptr, ref s1);
                    var cl  = d.LastDisassembleData.Prefix + ' ' + d.LastDisassembleData.OpCode + ' ' + d.LastDisassembleData.Parameters;
                    var dec = d.DecodeLastParametersToString();
                    //Console.WriteLine(cl + " ; " + dec);
                    d.SplitDisassembledString(dis, false, out var address, out var bytes, out var opcode, out var special);
                    Console.WriteLine($"0x{address.PadRight(8)} {bytes.PadRight(20)} {opcode} {special} ; {dec}");
                }
                catch (Exception e)
                {
                    Console.WriteLine("Error " + e.Message);
                    Console.WriteLine(e.Source);
                    Console.WriteLine(e.StackTrace);
                    break;
                }
            }
            // Console.ReadKey();
            // Environment.Exit(1);



            a.SymbolHandler.Process = m;

            var cc   = @"
[ENABLE]
400300:
mov edx, dword ptr[411c88]
reassemble(40230f);
reassemble(pacwin.exe+2379);
cat:
reassemble(pacwin.exe+237C);
call messageboxa
jmp cat


400314:
[DISABLE]
            ".Trim();
            var code = new ARefStringArray();

            code.Assign(UStringUtils.GetLines(cc).ToArray());
            aa.RemoveComments(code);
            var scr  = new AScriptBytesArray();
            var info = new ADisableInfo();
            var ret  = aa.AutoAssemble(m, code, false, true, false, false, info, false, scr);

            Console.WriteLine("Loaded 2");
            Console.WriteLine("Result: " + ret);
            aa.AutoAssemble(m, code, false, true, false, false, info, true, scr);
            Console.WriteLine("Loaded 3");
            foreach (var o in scr)
            {
                Console.WriteLine("Line: " + o.Type + " " + o.Address.ToUInt64().ToString("X") + " " + AStringUtils.BinToHexStr(o.Bytes.TakeAll()));
            }

            // var f = new AAssemblyFactory(m, new ASharpAsm());
            // f.Inject(
            //     new[]
            //     {
            //         "mov, eax 7",
            //         "push 0",
            //         "add esp, 4",
            //         "retn"
            //     },
            //     (IntPtr) 0x400310);
            //
            // var v = f.Execute<int>((IntPtr)0x400310);
            // Console.WriteLine("Return: " + v);


            //f.InjectAndExecute(
            //    new[]
            //    {
            //        "alloc(storage, 1000)",
            //        "label(caption)",
            //        "label(message)",
            //        "push 0",
            //        "push caption",
            //        "push message",
            //        "push 0",
            //        "call MessageBoxA",
            //        "push 0",
            //        "add esp, 4",
            //        "retn",
            //        // storage zone
            //        "storage:",
            //        "caption:",
            //        "    db 'caption', 00",
            //        "message:",
            //        "    db 'message', 00",
            //    },
            //    (IntPtr)0x400300);

            Console.ReadKey();
            //aa.AutoAssemble(m, code, false, false, false, false, info, false, scr);
            Environment.Exit(1);
        }
Esempio n. 15
0
        public void SetUserDefinedSymbolAllocSize(String name, UInt32 size, UIntPtr preferredAddress)
        {
            const String PREV_DEC = "The symbol named %s was previously declared with a size of %s instead of %s." +
                                    " all scripts that use this memory must give the same size. " +
                                    "Adjust the size, or delete the old alloc from the userdefined symbol list";

            if (size == 0)
            {
                throw new Exception("Please provide a bigger size");
            }
            UIntPtr p;
            int     i;

            for (i = 0; i < UserDefinedSymbols.Length; i++)
            {
                if (!UserDefinedSymbols[i].IsMatch(name))
                {
                    continue; //it exists, check first
                }
                if (UserDefinedSymbols[i].AllocSize > 0 && UserDefinedSymbols[i].ProcessId == Process.Native.Id)
                {
                    if (size != UserDefinedSymbols[i].AllocSize)
                    {
                        throw new Exception(UStringUtils.Sprintf(PREV_DEC, UserDefinedSymbols[i].Name, UserDefinedSymbols[i].AllocSize, size));
                    }
                }
                if (UserDefinedSymbols[i].ProcessId != Process.Native.Id)
                {
                    if (preferredAddress != UIntPtr.Zero)
                    {
                        p = AMemoryHelper.Allocate(Process.Handle, preferredAddress.ToIntPtr(), (int)size).ToUIntPtr();
                    }
                    else
                    {
                        p = AMemoryHelper.Allocate(Process.Handle, (int)size).ToUIntPtr();
                    }
                    if (p == UIntPtr.Zero)
                    {
                        throw new Exception("Error allocating memory");
                    }
                    UserDefinedSymbols[i].Address       = p;
                    UserDefinedSymbols[i].AddressString = AStringUtils.IntToHex(p, 8);
                    UserDefinedSymbols[i].AllocSize     = size;
                    UserDefinedSymbols[i].ProcessId     = Process.Native.Id;
                }
                return; // Redefined the symbol and exit;
            }
            //Still here, symbol Not exists, let's define a new one.
            if (preferredAddress != UIntPtr.Zero)
            {
                p = AMemoryHelper.Allocate(Process.Handle, preferredAddress.ToIntPtr(), (int)size).ToUIntPtr();
            }
            else
            {
                p = AMemoryHelper.Allocate(Process.Handle, (int)size).ToUIntPtr();
            }
            if (p == UIntPtr.Zero)
            {
                throw new Exception("Error allocating memory");
            }
            AddUserDefinedSymbol(AStringUtils.IntToHex(p, 8), name);
            UserDefinedSymbols[i].AllocSize = size;
            UserDefinedSymbols[i].ProcessId = Process.Native.Id;
        }
Esempio n. 16
0
 public static int RPosEx(Char needle, String str, int start)
 {
     return(UStringUtils.LastIndexOf(str, needle.ToString(), start));
 }
Esempio n. 17
0
 public static int RPosEx(String needle, String str, int start)
 {
     return(UStringUtils.LastIndexOf(str, needle, start));
 }
Esempio n. 18
0
        public static void ConvertStringToBytes(String aobStr, Boolean hex, ATByteArray bytes)
        {
            // vars
            int    i, j, k;
            String temp;
            // wildcard for AoBScan and AoBAssert.Bigger than $FF is ok.
            var wildCard      = (UInt16)0xf521;
            var wildcardChars = new[] { 'x', 'X', '?', '*' };

            // size check
            bytes.SetLength(0);
            if (aobStr.Length == 0)
            {
                return;
            }
            aobStr = aobStr.Trim();
            if ((Pos("-", aobStr) != -1) || (Pos(" ", aobStr) != -1) || (Pos(",", aobStr) != -1))
            {
                /*syntax is : (1)xx-xx-xx (2)or xx xx xx (3)or xx,xx,xx*/
                j       = 0;
                k       = 0;
                aobStr += ' ';
                for (i = 0; i < aobStr.Length; i++)
                {
                    if (UArrayUtils.InArray(aobStr[i], ' ', '-', ','))
                    {
                        temp = Copy(aobStr, j, i - j);
                        j    = i + 1;
                        bytes.SetLength(k + 1);
                        if (UStringUtils.IndexOfAny(temp, wildcardChars) == -1)
                        {
                            switch (hex)
                            {
                            case true:
                                bytes[k] = (UInt16)StrToInt("0x" + temp);
                                break;

                            case false:
                                bytes[k] = (UInt16)StrToInt(temp);
                                break;
                            }
                        }
                        else
                        {
                            bytes[k] = wildCard;
                        }
                        k += 1;
                    }
                }
            }
            else
            {
                /*syntax is: xxxxxx*/
                k = 0;
                j = 1;
                for (i = 1; i <= aobStr.Length; i++)
                {
                    if ((i % 2) != 0)
                    {
                        continue;
                    }
                    temp = Copy(aobStr, j, i - j + 1);
                    j    = i + 1;
                    bytes.SetLength(k + 1);
                    if (UStringUtils.IndexOfAny(temp, wildcardChars) == -1)
                    {
                        bytes[k] = (UInt16)StrToInt("0x" + temp);
                    }
                    else
                    {
                        bytes[k] = wildCard;
                    }
                    k += 1;
                }
            }
        }
Esempio n. 19
0
        public ATokenType GetTokenType(ref String token, String token2)
        {
            var result = ATokenType.Invalid;

            if (token.Length == 0)
            {
                return(result);
            }
            result = TokenToRegisterBit(token);
            // filter these 2 words
            token = UStringUtils.Replace(token, "LONG ", "", true);
            token = UStringUtils.Replace(token, "SHORT ", "", true);
            token = UStringUtils.Replace(token, "FAR ", "", true);
            var temp = AStringUtils.ConvertHexStrToRealStr(token);

            AStringUtils.Val(temp, out UInt64 _, out var err);
            if (err == 0)
            {
                result = ATokenType.Value;
                token  = temp;
            }
            var brp = AStringUtils.Pos("[", token);

            if (brp != -1)
            {
                if (UStringUtils.IndexOf(token, "YMMWORD", 0, brp) != -1)
                {
                    result = ATokenType.MemoryLocation256;
                }
                else if (UStringUtils.IndexOf(token, "XMMWORD", 0, brp) != -1)
                {
                    result = ATokenType.MemoryLocation128;
                }
                else if (UStringUtils.IndexOf(token, "DQWORD", 0, brp) != -1)
                {
                    result = ATokenType.MemoryLocation128;
                }
                else if (UStringUtils.IndexOf(token, "TBYTE", 0, brp) != -1)
                {
                    result = ATokenType.MemoryLocation80;
                }
                else if (UStringUtils.IndexOf(token, "TWORD", 0, brp) != -1)
                {
                    result = ATokenType.MemoryLocation80;
                }
                else if (UStringUtils.IndexOf(token, "QWORD", 0, brp) != -1)
                {
                    result = ATokenType.MemoryLocation64;
                }
                else if (UStringUtils.IndexOf(token, "DWORD", 0, brp) != -1)
                {
                    result = ATokenType.MemoryLocation32;
                }
                else if (UStringUtils.IndexOf(token, "WORD", 0, brp) != -1)
                {
                    result = ATokenType.MemoryLocation16;
                }
                else if (UStringUtils.IndexOf(token, "BYTE", 0, brp) != -1)
                {
                    result = ATokenType.MemoryLocation8;
                }
                else
                {
                    result = ATokenType.MemoryLocation;
                }
            }
            if (result == ATokenType.MemoryLocation)
            {
                if (token2 == "")
                {
                    result = ATokenType.MemoryLocation32;
                    return(result);
                }
                // I need the helper param to figure it out
                switch (TokenToRegisterBit(token2))
                {
                case ATokenType.Register8Bit:
                case ATokenType.Register8BitWithPrefix:
                    result = ATokenType.MemoryLocation8;
                    break;

                case ATokenType.RegisterSReg:
                case ATokenType.Register16Bit:
                    result = ATokenType.MemoryLocation16;
                    break;

                case ATokenType.Register64Bit:
                    result = ATokenType.MemoryLocation64;
                    break;

                default:
                    result = ATokenType.MemoryLocation32;
                    break;
                }
            }
            return(result);
        }
Esempio n. 20
0
        public String DataToString(UBytePtr buf, int size, AVariableType varType, Boolean clean = false)
        {
            String result;

            switch (varType)
            {
            case AVariableType.Byte:
            {
                if (clean)
                {
                    result = AStringUtils.IntToHex(buf[0], 2);
                }
                else
                {
                    result = "(byte)" + AStringUtils.IntToHex(buf[0], 2) + '(' + buf[0] + ')';
                }
                break;
            }

            case AVariableType.Word:
            {
                if (clean)
                {
                    result = AStringUtils.IntToHex(buf.ReadUInt16(), 4);
                }
                else
                {
                    result = "(word)" + AStringUtils.IntToHex(buf.ReadUInt16(), 4) + '(' + buf.ReadUInt16() + ')';
                }
                break;
            }

            case AVariableType.DWord:
            {
                if (clean)
                {
                    result = AStringUtils.IntToHex(buf.ReadUInt32(), 8);
                }
                else
                {
                    result = "(dword)" + AStringUtils.IntToHex(buf.ReadUInt32(), 8) + '(' + buf.ReadUInt32() + ')';
                }
                break;
            }

            case AVariableType.QWord:
            {
                if (clean)
                {
                    result = AStringUtils.IntToHex(buf.ReadUInt64(), 16);
                }
                else
                {
                    result = "(qword)" + AStringUtils.IntToHex(buf.ReadUInt64(), 16) + '(' + buf.ReadUInt64() + ')';
                }
                break;
            }

            case AVariableType.Single:
            {
                if (clean)
                {
                    result = UStringUtils.Sprintf("%.2f", buf.ReadFloat());
                }
                else
                {
                    result = "(float)" + UStringUtils.Sprintf("%.2f", buf.ReadFloat());
                }
                break;
            }

            case AVariableType.Double:
            {
                if (clean)
                {
                    result = UStringUtils.Sprintf("%.2f", buf.ReadDouble());
                }
                else
                {
                    result = "(double)" + UStringUtils.Sprintf("%.2f", buf.ReadDouble());
                }
                break;
            }

            case AVariableType.String:
            {
                using (var p = new UBytePtr(size + 1))
                {
                    AArrayUtils.CopyMemory(p, buf, size);
                    p[size] = 0;
                    result  = UBitConverter.UnpackSingle("z1", 0, p.ToByteArray());
                }
                break;
            }

            case AVariableType.UnicodeString:
            {
                using (var p = new UBytePtr(size + 2))
                {
                    AArrayUtils.CopyMemory(p, buf, size);
                    p[size]     = 0;
                    p[size + 1] = 0;
                    result      = UBitConverter.UnpackSingle("z7", 0, p.ToByteArray());
                }
                break;
            }

            case AVariableType.Pointer:
            {
                UIntPtr a;
                if (Proc.IsX64)
                {
                    a = (UIntPtr)buf.ReadUInt64();
                }
                else
                {
                    a = (UIntPtr)buf.ReadUInt32();
                }
                if (clean)
                {
                    result = "";
                }
                else
                {
                    result = "(pointer)";
                }
                result += SymbolHandler.GetNameFromAddress(a, true, true, false);
                break;
            }

            default:
            {
                result = "(...)";
                for (var i = 0; i <= Math.Min(size, 8) - 1; i++)
                {
                    result = result + AStringUtils.IntToHex(buf[i], 2) + ' ';
                }
                break;
            }
            }
            return(result);
        }