public Instructions() { instructions["ST"] = new ST(); instructions["LD"] = new LD(); instructions["ADD"] = new ADD(); instructions["SUB"] = new SUB(); instructions["JMP"] = new JMP(); instructions["JN"] = new JN(); instructions["JP"] = new JP(); instructions["JZ"] = new JZ(); instructions["JNZ"] = new JNZ(); instructions["HALT"] = new HALT(); //Second architecture functions. instructions["LD2"] = new LD2(); instructions["LD3"] = new LD3(); instructions["ST2"] = new ST2(); instructions["ST3"] = new ST3(); instructions["POS"] = new POS(); instructions["PXL"] = new PXL(); instructions["RND"] = new RND(); instructions["CLR"] = new CLR(); instructions["COS"] = new COS(); instructions["SIN"] = new SIN(); instructions["IN"] = new IN(); }
public static void AssociateOpcodes() { instructions[0] = new NOP(); instructions[1] = new PRNT(); instructions[16] = new PUSH(); instructions[17] = new POP(); instructions[18] = new SAVE(); instructions[19] = new CPY(); instructions[20] = new RNDM(); instructions[21] = new EMPTY(); instructions[128] = new ADD(); instructions[129] = new SUB(); instructions[130] = new MUL(); instructions[131] = new DIV(); instructions[132] = new SUB2(); instructions[133] = new DIV2(); instructions[134] = new NEG(); instructions[135] = new ABS(); instructions[144] = new INC(); instructions[145] = new DEC(); instructions[64] = new JMP(); instructions[65] = new JGZ(); instructions[66] = new JLZ(); instructions[67] = new JEZ(); instructions[68] = new JNZ(); instructions[69] = new CALL(); instructions[70] = new RET(); instructions[71] = new LDLOC(); instructions[72] = new STLOC(); instructions[73] = new LDARG(); instructions[74] = new STARG(); instructions[0b10100100] = new CMP();
public static Instruction[] PeToInstructions(string FilePath) { UnmanagedBuffer buffer = new UnmanagedBuffer(File.ReadAllBytes(FilePath)); List <Instruction> instructs = new List <Instruction>(); Disasm disasm = new Disasm(); disasm.EIP = new IntPtr(buffer.Ptr.ToInt64() + 0x400); List <int> Addresses = new List <int>(); while (true) { int result = Asm.Net.src.BeaEngine.BeaEngine.Disasm(disasm); Addresses.Add(disasm.EIP.ToInt32()); if (result == (int)BeaConstants.SpecialInfo.UNKNOWN_OPCODE) { break; } //Console.WriteLine("0x" + disasm.EIP.ToString("X") + " " + disasm.CompleteInstr); //convert the data to instructions so we are able to execute it in Asm.Net //We also need to change the pointers for push, call, inc, dec etc... so Asm.Net is able to understand it switch (disasm.Instruction.Opcode) { case (int)OpcodeList.CALL: { string tmp = disasm.Argument1.ArgMnemonic.Substring(0, disasm.Argument1.ArgMnemonic.Length - 1).Replace("FFFFFFFF", ""); int Jmpvalue = Convert.ToInt32(tmp, 16); CALL call = new CALL(Jmpvalue); call.NativeVirtualAddress.Address = disasm.EIP.ToInt32(); instructs.Add(call); break; } case (int)OpcodeList.INC_EAX: { INC_EAX IncEax = new INC_EAX(); IncEax.NativeVirtualAddress.Address = disasm.EIP.ToInt32(); instructs.Add(IncEax); break; } case (int)OpcodeList.INC_EDX: { break; } case (int)OpcodeList.JE: { break; } case (int)OpcodeList.JMP: { string tmp = disasm.Argument1.ArgMnemonic.Substring(0, disasm.Argument1.ArgMnemonic.Length - 1); int Jmpvalue = Convert.ToInt32(tmp.Replace("FFFFFFFF", ""), 16); JMP jmp = new JMP(Jmpvalue); jmp.NativeVirtualAddress.Address = disasm.EIP.ToInt32(); //instructs.Add(jmp); break; } case (int)OpcodeList.JNZ: { string tmp = disasm.Argument1.ArgMnemonic.Substring(0, disasm.Argument1.ArgMnemonic.Length - 1); int Jmpvalue = Convert.ToInt32(tmp.Replace("FFFFFFFF", ""), 16); JNZ jnz = new JNZ(Jmpvalue); jnz.NativeVirtualAddress.Address = disasm.EIP.ToInt32(); //instructs.Add(jnz); break; } case (int)OpcodeList.MOV_EAX: { string tmp = disasm.Argument2.ArgMnemonic.Substring(0, disasm.Argument2.ArgMnemonic.Length - 1); int MovValue = Convert.ToInt32(tmp, 16); MOV_EAX MovEAX = new MOV_EAX(new VirtualAddress(0, MovValue)); MovEAX.NativeVirtualAddress.Address = disasm.EIP.ToInt32(); instructs.Add(MovEAX); break; } case (int)OpcodeList.NOP: { NOP nop = new NOP(); nop.NativeVirtualAddress.Address = disasm.EIP.ToInt32(); instructs.Add(nop); break; } case (int)OpcodeList.PUSH_EAX: { break; } case (int)OpcodeList.RET: { RET ret = new RET(); ret.NativeVirtualAddress.Address = disasm.EIP.ToInt32(); instructs.Add(ret); break; } case (int)OpcodeList.ADD: { //need to reverse check the opcodes... Instruction ADD = null; switch (disasm.Argument1.ArgMnemonic) { case "eax": { switch (disasm.Argument2.ArgMnemonic) { case "al": { ADD = new ADD_BYTE_PTR_EAX_AL(); break; } } break; } } if (ADD != null) { ADD.NativeVirtualAddress.Address = disasm.EIP.ToInt32(); instructs.Add(ADD); } break; } case (int)OpcodeList.XOR_REGISTER: { Instruction xor = null; switch (disasm.Argument1.ArgMnemonic) { case "eax": { switch (disasm.Argument2.ArgMnemonic) { case "eax": { xor = new XOR_EAX_EAX(); break; } case "ecx": { xor = new XOR_EAX_ECX(); break; } case "edx": { xor = new XOR_EAX_EDX(); break; } case "ebx": { xor = new XOR_EAX_EBX(); break; } case "esp": { xor = new XOR_EAX_ESP(); break; } case "ebp": { xor = new XOR_EAX_EBP(); break; } case "esi": { xor = new XOR_EAX_ESI(); break; } case "edi": { xor = new XOR_EAX_EDI(); break; } } break; } case "ecx": { switch (disasm.Argument2.ArgMnemonic) { case "eax": { xor = new XOR_ECX_EAX(); break; } case "ecx": { xor = new XOR_ECX_ECX(); break; } case "edx": { xor = new XOR_ECX_EDX(); break; } case "ebx": { xor = new XOR_ECX_EBX(); break; } case "esp": { xor = new XOR_ECX_ESP(); break; } case "ebp": { xor = new XOR_ECX_EBP(); break; } case "esi": { xor = new XOR_ECX_ESI(); break; } case "edi": { xor = new XOR_ECX_EDI(); break; } } break; } case "edx": { switch (disasm.Argument2.ArgMnemonic) { case "eax": { xor = new XOR_EDX_EAX(); break; } case "ecx": { xor = new XOR_EDX_ECX(); break; } case "edx": { xor = new XOR_EDX_EDX(); break; } case "ebx": { xor = new XOR_EDX_EBX(); break; } case "esp": { xor = new XOR_EDX_ESP(); break; } case "ebp": { xor = new XOR_EDX_EBP(); break; } case "esi": { xor = new XOR_EDX_ESI(); break; } case "edi": { xor = new XOR_EDX_EDI(); break; } } break; } case "ebx": { switch (disasm.Argument2.ArgMnemonic) { case "eax": { xor = new XOR_EBX_EAX(); break; } case "ecx": { xor = new XOR_EBX_ECX(); break; } case "edx": { xor = new XOR_EBX_EDX(); break; } case "ebx": { xor = new XOR_EBX_EBX(); break; } case "esp": { xor = new XOR_EBX_ESP(); break; } case "ebp": { xor = new XOR_EBX_EBP(); break; } case "esi": { xor = new XOR_EBX_ESI(); break; } case "edi": { xor = new XOR_EBX_EDI(); break; } } break; } case "esp": { switch (disasm.Argument2.ArgMnemonic) { case "eax": { xor = new XOR_ESP_EAX(); break; } case "ecx": { xor = new XOR_ESP_ECX(); break; } case "edx": { xor = new XOR_ESP_EDX(); break; } case "ebx": { xor = new XOR_ESP_EBX(); break; } case "esp": { xor = new XOR_ESP_ESP(); break; } case "ebp": { xor = new XOR_ESP_EBP(); break; } case "esi": { xor = new XOR_ESP_ESI(); break; } case "edi": { xor = new XOR_ESP_EDI(); break; } } break; } case "ebp": { switch (disasm.Argument2.ArgMnemonic) { case "eax": { xor = new XOR_EBP_EAX(); break; } case "ecx": { xor = new XOR_EBP_ECX(); break; } case "edx": { xor = new XOR_EBP_EDX(); break; } case "ebx": { xor = new XOR_EBP_EBX(); break; } case "esp": { xor = new XOR_EBP_ESP(); break; } case "ebp": { xor = new XOR_EBP_EBP(); break; } case "esi": { xor = new XOR_EBP_ESI(); break; } case "edi": { xor = new XOR_EBP_EDI(); break; } } break; } case "esi": { switch (disasm.Argument2.ArgMnemonic) { case "eax": { xor = new XOR_ESI_EAX(); break; } case "ecx": { xor = new XOR_ESI_ECX(); break; } case "edx": { xor = new XOR_ESI_EDX(); break; } case "ebx": { xor = new XOR_ESI_EBX(); break; } case "esp": { xor = new XOR_ESI_ESP(); break; } case "ebp": { xor = new XOR_ESI_EBP(); break; } case "esi": { xor = new XOR_ESI_ESI(); break; } case "edi": { xor = new XOR_ESI_EDI(); break; } } break; } case "edi": { switch (disasm.Argument2.ArgMnemonic) { case "eax": { xor = new XOR_EDI_EAX(); break; } case "ecx": { xor = new XOR_EDI_ECX(); break; } case "edx": { xor = new XOR_EDI_EDX(); break; } case "ebx": { xor = new XOR_EDI_EBX(); break; } case "esp": { xor = new XOR_EDI_ESP(); break; } case "ebp": { xor = new XOR_EDI_EBP(); break; } case "esi": { xor = new XOR_EDI_ESI(); break; } case "edi": { xor = new XOR_EDI_EDI(); break; } } break; } } if (xor != null) //this check is just for temp, not all the XOR instructions are added { xor.NativeVirtualAddress.Address = disasm.EIP.ToInt32(); instructs.Add(xor); } break; } } disasm.EIP = new IntPtr(disasm.EIP.ToInt64() + result); } //set all the pointers correct int offset = Options.MemoryBaseAddress; foreach (Instruction instruction in instructs) { switch (instruction.ToByteArray()[0]) { case (int)OpcodeList.CALL: { break; } case (int)OpcodeList.INC_EAX: { break; } case (int)OpcodeList.INC_EDX: { break; } case (int)OpcodeList.JE: { break; } case (int)OpcodeList.JMP: { //lets set our new jmp pointer, We also should load the modules which are required to run this program //We need to load the Import Table and get all the .dll's from it and getting all the instructions from it bool NewSet = false; foreach (Instruction instruct in instructs) { if (Addresses.Contains(((IJump)instruction).JumpAddress)) { //Set the ASM.net pointer int index = Addresses.IndexOf(((IJump)instruction).JumpAddress) - 1; } //if (((IJump)instruction).JumpAddress == instruct.NativeVirtualAddress.Address) //{ //} } //if (!NewSet) // throw new Exception("Unable to find the JMP Pointer, Invalid memory address ?"); break; } case (int)OpcodeList.MOV_EAX: { break; } case (int)OpcodeList.NOP: { break; } case (int)OpcodeList.PUSH_EAX: { break; } case (int)OpcodeList.RET: { break; } } instruction.VirtualAddress.Address = offset; offset += instruction.VirtualAddress.Size; } return(instructs.ToArray()); }