public static UInt64 StrToQWord(String str) { if (str.Length > 0 && str[0] == '$') { str = "0x" + str.Substring(1); } return(UStringUtils.StringToUInt64(str)); }
public static Int32 StrToInt(String str) { if (str.Length > 0 && str[0] == '$') { str = "0x" + str.Substring(1); } return(UStringUtils.StringToInt32(str)); }
public UIntPtr GetAddressFromName(String name, Boolean waitForSymbols) { var result = GetAddressFromName(name, waitForSymbols, out var x); if (x) { throw new Exception(UStringUtils.Sprintf("Failure determining what %s means", name)); } return(result); }
public static String BinToHexStr(Byte[] bin) { var HexSymbols = "0123456789ABCDEF"; var str = UStringUtils.StrNew('\0', 2 * bin.Length); using (var p = new UCharPtr(str)) { for (var i = 0; i < bin.Length; i++) { p[2 * i + 0] = HexSymbols[1 + (bin[i] >> 4) - 1]; p[2 * i + 1] = HexSymbols[1 + (bin[i] & 0xf) - 1]; } } return(str); }
public static void a() { UTokenSp.Activate(); AAsmTools.InitTools(new ASymbolHandler()); var m = AAsmTools.SelfSymbolHandler.Process; AAsmTools.SymbolHandler.Process = m; var aa = AAsmTools.AutoAssembler; var cc = @" [ENABLE] alloc(func, $1000) registersymbol(func) func: mov eax, ecx add dword ptr[data], eax mov eax, dword ptr[data] ret data: db 00 00 00 00 [DISABLE] unregistersymbol(func) ".Trim(); var code = new ARefStringArray(); code.Assign(UStringUtils.GetLines(cc).ToArray()); aa.RemoveComments(code); var scr = new AScriptBytesArray(); var info = new ADisableInfo(); var ret = aa.AutoAssemble(m, code, false, true, false, false, info, false, scr); Console.WriteLine("Result: " + ret); var procAddress = AAsmTools.SymbolHandler.GetUserDefinedSymbolByName("func"); Console.WriteLine("Symbol: " + procAddress.ToUInt64().ToString("X")); iTest = (ITest)Marshal.GetDelegateForFunctionPointer(procAddress.ToIntPtr(), typeof(ITest)); Console.WriteLine(iTest.Invoke(1)); Console.ReadKey(); Environment.Exit(1); }
public static int RPos(String needle, String str, Boolean ignoreCase) { return(UStringUtils.LastIndexOf(str, needle, ignoreCase)); }
public static int RPos(String needle, String str) { return(UStringUtils.LastIndexOf(str, needle)); }
public static int RPos(Char needle, String str) { return(UStringUtils.LastIndexOf(str, needle.ToString())); }
public void ParseStringAndWriteToAddress(String value, UIntPtr address, AVariableType variableType, Boolean hexadecimal = false) { var v = 0UL; var s = 0.0f; var d = 0.0; var x = UIntPtr.Zero; if (hexadecimal && (variableType == AVariableType.Single || variableType == AVariableType.Double)) { if (variableType == AVariableType.Single) { variableType = AVariableType.DWord; } else { variableType = AVariableType.QWord; } } if (variableType == AVariableType.ByteArray) { var b = new ATByteArray(); AStringUtils.ConvertStringToBytes(value, hexadecimal, b); for (var i = 0; i < b.Length; i++) { Proc.Memory.Write(UIntPtr.Add(address, i).ToIntPtr(), (Byte)b[i]); } } else { if (variableType == AVariableType.Single || variableType == AVariableType.Double) { d = UStringUtils.StringToDouble(value); s = UStringUtils.StringToFloat(value); } else { if (!(variableType == AVariableType.String || variableType == AVariableType.UnicodeString)) { if (hexadecimal) { value = "0x" + value; } v = AStringUtils.StrToQWordEx(value); // todo make custom work //if ((variableType == AVariableType.Custom) && (customtype != nil) & customtype.scriptusesfloat) //s = UStringUtils.StringToFloat(value); } } switch (variableType) { case AVariableType.Byte: Proc.Memory.Write(address.ToIntPtr(), (Byte)v); break; case AVariableType.Word: Proc.Memory.Write(address.ToIntPtr(), (UInt16)v); break; case AVariableType.DWord: Proc.Memory.Write(address.ToIntPtr(), (UInt32)v); break; case AVariableType.QWord: Proc.Memory.Write(address.ToIntPtr(), v); break; case AVariableType.Single: Proc.Memory.Write(address.ToIntPtr(), s); break; case AVariableType.Double: Proc.Memory.Write(address.ToIntPtr(), d); break; case AVariableType.String: Proc.Memory.Write(address.ToIntPtr(), value, Encoding.ASCII); break; case AVariableType.UnicodeString: Proc.Memory.Write(address.ToIntPtr(), value, Encoding.UTF8); break; case AVariableType.Custom: // todo make custom work //{ // if (customtype != nil) // { // getmem(ba, customtype.bytesize); // //try // if (readprocessmemory(processhandle, (pointer)(address), ba, customtype.bytesize, x)) // { // if (customtype.scriptusesfloat) // customtype.convertfloattodata(s, ba, address); // else // customtype.convertintegertodata(v, ba, address); // // writeprocessmemory(processhandle, (pointer)(address), ba, customtype.bytesize, x); // } // //finally // freememandnil(ba); // //end; // } //} break; } } }
public void AddWideString(AByteArray bytes, String s) { var t = UStringUtils.SubStr(s, 1, -1); //not the quotes; Add(bytes, USpk.SpkEncoding.GetBytes(t)); }
public static int Pos(Char needle, String str, Boolean ignoreCase) { return(UStringUtils.IndexOf(str, needle.ToString(), ignoreCase)); }
public static String Copy(String str, int start, int length) { return(UStringUtils.SubStr(str, start, length)); }
public static String Copy(String str) { return(UStringUtils.Copy(str)); }
static void Main(string[] args) { //test.a(); //var Brackets = new ACharArray('(', ')', '[', ']', '{', '}'); //var StdWordDelims = new ACharArray(',', '.', ';', '/', '\\', ':', '\'', '"', '`', '(', ')', '[', ']', '{', '}'); //StdWordDelims.AddRange(Brackets.TakeAll()); //StdWordDelims.AddRange(ACharUtils.Range('\0', ' ').TakeAll()); // //Console.WriteLine("done"); var m = new AProcessSharp(System.Diagnostics.Process.GetProcessesByName("pacwin")[0], AMemoryType.Remote); UTokenSp.Activate(); AAsmTools.InitTools(new ASymbolHandler()); AAsmTools.SymbolHandler.Process = m; var a = AAsmTools.Assembler; var b1 = new AByteArray(); //var m2 = new AProcessSharp(System.Diagnostics.Process.GetCurrentProcess(), AMemoryType.Remote); a.SymbolHandler.Process = m; var aa = AAsmTools.AutoAssembler; //var result = a.Assemble("mov eax, [edx+esi+66]", 0x400300, b1); // E9 FB 01 00 00 //var result = a.Assemble("mov rax,[1122334455778899]", 0x400300, b1); // E9 FB 01 00 00 //Console.WriteLine("Result: " + result); //Console.WriteLine("Bytes:"); //Console.WriteLine(UBinaryUtils.Expand(b1.TakeAll())); // // var d = AAsmTools.Disassembler; //var sd = ""; //using (var pt = new UBytePtr(b1.TakeAll())) //{ // var ptt = pt.ToIntPtr().ToUIntPtr(); // d.Disassemble(ref ptt, ref sd); //} //Console.WriteLine(d.LastDisassembleData.Prefix + ' ' + d.LastDisassembleData.OpCode + ' ' + d.LastDisassembleData.Parameters); var bi = AAsmTools.ByteInterpreter; var bp = m.Memory.Read((IntPtr)0x411C88, 32); using (var bip = new UBytePtr(bp)) { Console.WriteLine("Found dataType: " + bi.FindTypeOfData((UIntPtr)0x411C88, bip, 8)); Console.WriteLine("Found dataType: " + bi.DataToString(bp, 8, AVariableType.Double)); } // aa.Assembler.SymHandler.Process = m; // var cd = @" // 400300: // mov rax, [411c88] // mov rax, dword ptr[11223344556677] // ".Trim(); // var codex = new ARefStringArray(); // codex.Assign(UStringUtils.GetLines(cd).ToArray()); // aa.RemoveComments(codex); // // var b = aa.Assemble(aa.SelfSymbolHandler.Process, codex); d.IsDataOnly = false; // d.Is64Bit = true; // d.SymbolHandler.Process = m; var s1 = ""; // var bytes = new UBytePtr(b[0].Bytes.TakeAll()); // //var ptr = bytes.ToIntPtr().ToUIntPtr(); // var ptr = (UIntPtr)0x40230F; var i = 30; while (i-- > 0) { try { var dis = d.Disassemble(ref ptr, ref s1); var cl = d.LastDisassembleData.Prefix + ' ' + d.LastDisassembleData.OpCode + ' ' + d.LastDisassembleData.Parameters; var dec = d.DecodeLastParametersToString(); //Console.WriteLine(cl + " ; " + dec); d.SplitDisassembledString(dis, false, out var address, out var bytes, out var opcode, out var special); Console.WriteLine($"0x{address.PadRight(8)} {bytes.PadRight(20)} {opcode} {special} ; {dec}"); } catch (Exception e) { Console.WriteLine("Error " + e.Message); Console.WriteLine(e.Source); Console.WriteLine(e.StackTrace); break; } } // Console.ReadKey(); // Environment.Exit(1); a.SymbolHandler.Process = m; var cc = @" [ENABLE] 400300: mov edx, dword ptr[411c88] reassemble(40230f); reassemble(pacwin.exe+2379); cat: reassemble(pacwin.exe+237C); call messageboxa jmp cat 400314: [DISABLE] ".Trim(); var code = new ARefStringArray(); code.Assign(UStringUtils.GetLines(cc).ToArray()); aa.RemoveComments(code); var scr = new AScriptBytesArray(); var info = new ADisableInfo(); var ret = aa.AutoAssemble(m, code, false, true, false, false, info, false, scr); Console.WriteLine("Loaded 2"); Console.WriteLine("Result: " + ret); aa.AutoAssemble(m, code, false, true, false, false, info, true, scr); Console.WriteLine("Loaded 3"); foreach (var o in scr) { Console.WriteLine("Line: " + o.Type + " " + o.Address.ToUInt64().ToString("X") + " " + AStringUtils.BinToHexStr(o.Bytes.TakeAll())); } // var f = new AAssemblyFactory(m, new ASharpAsm()); // f.Inject( // new[] // { // "mov, eax 7", // "push 0", // "add esp, 4", // "retn" // }, // (IntPtr) 0x400310); // // var v = f.Execute<int>((IntPtr)0x400310); // Console.WriteLine("Return: " + v); //f.InjectAndExecute( // new[] // { // "alloc(storage, 1000)", // "label(caption)", // "label(message)", // "push 0", // "push caption", // "push message", // "push 0", // "call MessageBoxA", // "push 0", // "add esp, 4", // "retn", // // storage zone // "storage:", // "caption:", // " db 'caption', 00", // "message:", // " db 'message', 00", // }, // (IntPtr)0x400300); Console.ReadKey(); //aa.AutoAssemble(m, code, false, false, false, false, info, false, scr); Environment.Exit(1); }
public void SetUserDefinedSymbolAllocSize(String name, UInt32 size, UIntPtr preferredAddress) { const String PREV_DEC = "The symbol named %s was previously declared with a size of %s instead of %s." + " all scripts that use this memory must give the same size. " + "Adjust the size, or delete the old alloc from the userdefined symbol list"; if (size == 0) { throw new Exception("Please provide a bigger size"); } UIntPtr p; int i; for (i = 0; i < UserDefinedSymbols.Length; i++) { if (!UserDefinedSymbols[i].IsMatch(name)) { continue; //it exists, check first } if (UserDefinedSymbols[i].AllocSize > 0 && UserDefinedSymbols[i].ProcessId == Process.Native.Id) { if (size != UserDefinedSymbols[i].AllocSize) { throw new Exception(UStringUtils.Sprintf(PREV_DEC, UserDefinedSymbols[i].Name, UserDefinedSymbols[i].AllocSize, size)); } } if (UserDefinedSymbols[i].ProcessId != Process.Native.Id) { if (preferredAddress != UIntPtr.Zero) { p = AMemoryHelper.Allocate(Process.Handle, preferredAddress.ToIntPtr(), (int)size).ToUIntPtr(); } else { p = AMemoryHelper.Allocate(Process.Handle, (int)size).ToUIntPtr(); } if (p == UIntPtr.Zero) { throw new Exception("Error allocating memory"); } UserDefinedSymbols[i].Address = p; UserDefinedSymbols[i].AddressString = AStringUtils.IntToHex(p, 8); UserDefinedSymbols[i].AllocSize = size; UserDefinedSymbols[i].ProcessId = Process.Native.Id; } return; // Redefined the symbol and exit; } //Still here, symbol Not exists, let's define a new one. if (preferredAddress != UIntPtr.Zero) { p = AMemoryHelper.Allocate(Process.Handle, preferredAddress.ToIntPtr(), (int)size).ToUIntPtr(); } else { p = AMemoryHelper.Allocate(Process.Handle, (int)size).ToUIntPtr(); } if (p == UIntPtr.Zero) { throw new Exception("Error allocating memory"); } AddUserDefinedSymbol(AStringUtils.IntToHex(p, 8), name); UserDefinedSymbols[i].AllocSize = size; UserDefinedSymbols[i].ProcessId = Process.Native.Id; }
public static int RPosEx(Char needle, String str, int start) { return(UStringUtils.LastIndexOf(str, needle.ToString(), start)); }
public static int RPosEx(String needle, String str, int start) { return(UStringUtils.LastIndexOf(str, needle, start)); }
public static void ConvertStringToBytes(String aobStr, Boolean hex, ATByteArray bytes) { // vars int i, j, k; String temp; // wildcard for AoBScan and AoBAssert.Bigger than $FF is ok. var wildCard = (UInt16)0xf521; var wildcardChars = new[] { 'x', 'X', '?', '*' }; // size check bytes.SetLength(0); if (aobStr.Length == 0) { return; } aobStr = aobStr.Trim(); if ((Pos("-", aobStr) != -1) || (Pos(" ", aobStr) != -1) || (Pos(",", aobStr) != -1)) { /*syntax is : (1)xx-xx-xx (2)or xx xx xx (3)or xx,xx,xx*/ j = 0; k = 0; aobStr += ' '; for (i = 0; i < aobStr.Length; i++) { if (UArrayUtils.InArray(aobStr[i], ' ', '-', ',')) { temp = Copy(aobStr, j, i - j); j = i + 1; bytes.SetLength(k + 1); if (UStringUtils.IndexOfAny(temp, wildcardChars) == -1) { switch (hex) { case true: bytes[k] = (UInt16)StrToInt("0x" + temp); break; case false: bytes[k] = (UInt16)StrToInt(temp); break; } } else { bytes[k] = wildCard; } k += 1; } } } else { /*syntax is: xxxxxx*/ k = 0; j = 1; for (i = 1; i <= aobStr.Length; i++) { if ((i % 2) != 0) { continue; } temp = Copy(aobStr, j, i - j + 1); j = i + 1; bytes.SetLength(k + 1); if (UStringUtils.IndexOfAny(temp, wildcardChars) == -1) { bytes[k] = (UInt16)StrToInt("0x" + temp); } else { bytes[k] = wildCard; } k += 1; } } }
public ATokenType GetTokenType(ref String token, String token2) { var result = ATokenType.Invalid; if (token.Length == 0) { return(result); } result = TokenToRegisterBit(token); // filter these 2 words token = UStringUtils.Replace(token, "LONG ", "", true); token = UStringUtils.Replace(token, "SHORT ", "", true); token = UStringUtils.Replace(token, "FAR ", "", true); var temp = AStringUtils.ConvertHexStrToRealStr(token); AStringUtils.Val(temp, out UInt64 _, out var err); if (err == 0) { result = ATokenType.Value; token = temp; } var brp = AStringUtils.Pos("[", token); if (brp != -1) { if (UStringUtils.IndexOf(token, "YMMWORD", 0, brp) != -1) { result = ATokenType.MemoryLocation256; } else if (UStringUtils.IndexOf(token, "XMMWORD", 0, brp) != -1) { result = ATokenType.MemoryLocation128; } else if (UStringUtils.IndexOf(token, "DQWORD", 0, brp) != -1) { result = ATokenType.MemoryLocation128; } else if (UStringUtils.IndexOf(token, "TBYTE", 0, brp) != -1) { result = ATokenType.MemoryLocation80; } else if (UStringUtils.IndexOf(token, "TWORD", 0, brp) != -1) { result = ATokenType.MemoryLocation80; } else if (UStringUtils.IndexOf(token, "QWORD", 0, brp) != -1) { result = ATokenType.MemoryLocation64; } else if (UStringUtils.IndexOf(token, "DWORD", 0, brp) != -1) { result = ATokenType.MemoryLocation32; } else if (UStringUtils.IndexOf(token, "WORD", 0, brp) != -1) { result = ATokenType.MemoryLocation16; } else if (UStringUtils.IndexOf(token, "BYTE", 0, brp) != -1) { result = ATokenType.MemoryLocation8; } else { result = ATokenType.MemoryLocation; } } if (result == ATokenType.MemoryLocation) { if (token2 == "") { result = ATokenType.MemoryLocation32; return(result); } // I need the helper param to figure it out switch (TokenToRegisterBit(token2)) { case ATokenType.Register8Bit: case ATokenType.Register8BitWithPrefix: result = ATokenType.MemoryLocation8; break; case ATokenType.RegisterSReg: case ATokenType.Register16Bit: result = ATokenType.MemoryLocation16; break; case ATokenType.Register64Bit: result = ATokenType.MemoryLocation64; break; default: result = ATokenType.MemoryLocation32; break; } } return(result); }
public String DataToString(UBytePtr buf, int size, AVariableType varType, Boolean clean = false) { String result; switch (varType) { case AVariableType.Byte: { if (clean) { result = AStringUtils.IntToHex(buf[0], 2); } else { result = "(byte)" + AStringUtils.IntToHex(buf[0], 2) + '(' + buf[0] + ')'; } break; } case AVariableType.Word: { if (clean) { result = AStringUtils.IntToHex(buf.ReadUInt16(), 4); } else { result = "(word)" + AStringUtils.IntToHex(buf.ReadUInt16(), 4) + '(' + buf.ReadUInt16() + ')'; } break; } case AVariableType.DWord: { if (clean) { result = AStringUtils.IntToHex(buf.ReadUInt32(), 8); } else { result = "(dword)" + AStringUtils.IntToHex(buf.ReadUInt32(), 8) + '(' + buf.ReadUInt32() + ')'; } break; } case AVariableType.QWord: { if (clean) { result = AStringUtils.IntToHex(buf.ReadUInt64(), 16); } else { result = "(qword)" + AStringUtils.IntToHex(buf.ReadUInt64(), 16) + '(' + buf.ReadUInt64() + ')'; } break; } case AVariableType.Single: { if (clean) { result = UStringUtils.Sprintf("%.2f", buf.ReadFloat()); } else { result = "(float)" + UStringUtils.Sprintf("%.2f", buf.ReadFloat()); } break; } case AVariableType.Double: { if (clean) { result = UStringUtils.Sprintf("%.2f", buf.ReadDouble()); } else { result = "(double)" + UStringUtils.Sprintf("%.2f", buf.ReadDouble()); } break; } case AVariableType.String: { using (var p = new UBytePtr(size + 1)) { AArrayUtils.CopyMemory(p, buf, size); p[size] = 0; result = UBitConverter.UnpackSingle("z1", 0, p.ToByteArray()); } break; } case AVariableType.UnicodeString: { using (var p = new UBytePtr(size + 2)) { AArrayUtils.CopyMemory(p, buf, size); p[size] = 0; p[size + 1] = 0; result = UBitConverter.UnpackSingle("z7", 0, p.ToByteArray()); } break; } case AVariableType.Pointer: { UIntPtr a; if (Proc.IsX64) { a = (UIntPtr)buf.ReadUInt64(); } else { a = (UIntPtr)buf.ReadUInt32(); } if (clean) { result = ""; } else { result = "(pointer)"; } result += SymbolHandler.GetNameFromAddress(a, true, true, false); break; } default: { result = "(...)"; for (var i = 0; i <= Math.Min(size, 8) - 1; i++) { result = result + AStringUtils.IntToHex(buf[i], 2) + ' '; } break; } } return(result); }