flat assembler > Heap > FASMG as emulator (debugger) of source text or binary

Author
Thread Post new topic Reply to topic
ProMiNick



Joined: 24 Mar 2012
Posts: 315
Location: Russian Federation, Sochi
Suppose we have the code of a packer, either as source text or as a binary, for an architecture where no unpacker (or debugger, or emulator) is available to us.
We want to unpack the binary code directly inside fasmg.

Example code (fasmg has no macros for encoding ARM, but they are not needed here, because we are writing macros that emulate ARM instructions, not macros that encode them):
Code:
; ---------------------------------------------------------------------------
; sub_19FD0 - unpacker stub entry.  Three phases:
;   1. BL sub_1A0E4           decompress the packed image (see sub_1A0E4)
;   2. loc_19FE4 loop         undo the BL-target filter over dword_11000..dword_13E00
;   3. loc_1A024 loop         walk the import table and fill the address slots
;                             through the routines reached via R10 / R11
; The epilogue lives in the function chunk at loc_1A0DC.
; In:  R0-R3 as set up by the caller (handed straight to sub_1A0E4);
;      R9  = base added to the per-module slot offsets (ADD R5,R9,R0 below),
;      R10 = target of sub_1A0CC, R11 = target of sub_1A0D0 - presumably a
;      LoadLibrary/GetProcAddress-style pair; not visible here, TODO confirm.
; Clobbers: R0-R6, R12, flags.  Uses 0x800 bytes of stack scratch.
; ---------------------------------------------------------------------------
sub_19FD0                               ; CODE XREF: start+14p

; FUNCTION CHUNK AT 0001A0DC SIZE 00000008 BYTES

                STMFD           SP!, {LR}
                BL              sub_1A0E4               ; phase 1: decompress
                LDR             R0, =dword_11000        ; R0 = first word of the unpacked code
                MOV             R2,  0                  ; R2 = word index, subtracted from each BL field
                LDR             R12, =dword_13E00       ; R12 = end of the filtered range (exclusive)

loc_19FE4:                               ; CODE XREF: sub_19FD0+48j
                CMP             R0, R12
                BEQ             loc_1A024               ; range done -> import resolution
                LDR             R3, [R0]
                AND             R1, R3,  0xF000000      ; bits 27..24 of the ARM instruction word
                CMP             R1,  0xB000000          ; 0xB = BL (any condition code)
                BNE             loc_1A010               ; not a BL: leave the word untouched
                AND             R1, R3,  0xFF000000     ; keep cond + opcode byte
                SUB             R3, R3, R2              ; 24-bit field -= word index (presumably the
                                                        ; packer added it so equal targets encode alike)
                BIC             R3, R3,  0xFF000000     ; discard any borrow that reached the top byte
                ORR             R3, R3, R1              ; restore cond + opcode
                STR             R3, [R0]

loc_1A010:                               ; CODE XREF: sub_19FD0+28j
                ADD             R0, R0,  4
                ADD             R2, R2,  1
                B               loc_19FE4
; ---------------------------------------------------------------------------
; literal pool for the two LDR R0/R12, =... above
off_1A01C       DCD dword_11000         ; DATA XREF: sub_19FD0+8r
off_1A020       DCD dword_13E00         ; DATA XREF: sub_19FD0+10r
; ---------------------------------------------------------------------------

; Phase 3.  Table layout as read by this loop: per module two dwords
; (name offset, slot offset) followed by tagged symbol records until a 0 tag.
loc_1A024:                               ; CODE XREF: sub_19FD0+18j
                SUB             SP, SP,  0x800          ; 0x800-byte scratch for the wide module name
                LDR             R4, =dword_18000        ; R4 = cursor into the import table

loc_1A02C:                               ; CODE XREF: sub_19FD0+A8j
                MOV             R0, R4
                BL              sub_1A0B0               ; R0 = first dword of the entry (sets Z)
                BEQ             loc_1A0DC               ; zero dword terminates the table
                LDR             R1, =__IMPORT_DESCRIPTOR_COREDLL
                ADD             R0, R0, R1              ; R0 = dword + __IMPORT_DESCRIPTOR_COREDLL: ASCII module name
                MOV             R1, SP                  ; R1 = wide-string destination

loc_1A044:                               ; CODE XREF: sub_19FD0+80j
                LDRB            R2, [R0], 1
                STRH            R2, [R1], 2             ; widen byte -> 16-bit (zero-extended), NUL included
                CMP             R2,  0
                BNE             loc_1A044               ; NOTE: no length check - a name of 1024+ chars
                                                        ; overruns the 0x800-byte stack buffer
                MOV             R0, SP
                BL              sub_1A0CC               ; = jump through R10 with R0 = wide name;
; ---------------------------------------------------------------------------   ; its return value is kept in R6
                MOV             R6, R0                  ; R6 = result of the R10 call (first arg of the R11 call)
                ADD             R0, R4,  4
                BL              sub_1A0B0               ; R0 = second dword of the entry
                ADD             R5, R9, R0              ; R5 = R9 + dword: where resolved addresses go
                ADD             R4, R4,  8              ; skip the two dwords; symbol records follow

loc_1A070:                               ; CODE XREF: sub_19FD0+DCj
                LDRB            R0, [R4], 1             ; tag byte
                CMP             R0,  1
                BMI             loc_1A02C               ; tag 0 (only case giving N): module done
                BNE             loc_1A094               ; tag >= 2: 16-bit ordinal follows
                MOV             R1, R4                  ; tag 1: NUL-terminated name follows, R1 = its start

loc_1A084:                               ; CODE XREF: sub_19FD0+BCj
                LDRB            R0, [R4], 1
                CMP             R0,  0
                BNE             loc_1A084               ; advance R4 past the name
                B               loc_1A0A0
; ---------------------------------------------------------------------------

loc_1A094:                               ; CODE XREF: sub_19FD0+ACj
                LDRB            R0, [R4], 1
                LDRB            R1, [R4], 1
                ADD             R1, R0, R1,LSL 8        ; R1 = little-endian 16-bit ordinal

loc_1A0A0:                               ; CODE XREF: sub_19FD0+C0j
                MOV             R0, R6
                BL              sub_1A0D0               ; = jump through R11 with R0 = R6, R1 = name or ordinal
; ---------------------------------------------------------------------------
                STR             R0, [R5], 4             ; store the resolved value, next slot
                B               loc_1A070
; End of function sub_19FD0


; =============== S U B R O U T I N E =======================================


; sub_1A0B0 - read a little-endian 32-bit value from an arbitrary address.
; In:  R0 = address (byte loads, so no alignment needed)
; Out: R0 = R1 = value; N/Z set from it (callers use BEQ to detect a zero
;      dword ending the import table)
; Clobbers: R2, R3.  R1 is not initialised on entry; its old contents are
; shifted out by the four LSL 8 steps, so the result does not depend on it.
sub_1A0B0:                               ; CODE XREF: sub_19FD0+60p
                                        ; sub_19FD0+94p
                MOV             R2,  3                  ; byte index 3 down to 0, most significant first

loc_1A0B4:                               ; CODE XREF: sub_1A0B0+10j
                LDRB            R3, [R0,R2]
                SUBS            R2, R2,  1
                ADD             R1, R3, R1,LSL 8        ; R1 = (R1 << 8) | byte
                BPL             loc_1A0B4               ; until R2 went negative
                MOVS            R0, R1                  ; return value; sets N/Z for the caller
                RET
; End of function sub_1A0B0


; =============== S U B R O U T I N E =======================================

; Attributes: noreturn

; sub_1A0CC - tail-jump to the address held in R10.  Reached by BL, so LR still
; points back into sub_19FD0 and the target effectively acts as a called
; function; IDA's "noreturn" only reflects that control never returns here.
; The caller passes R0 = wide module name and keeps the result in R6.
sub_1A0CC:                               ; CODE XREF: sub_19FD0+88p
                MOV             PC, R10
; End of function sub_1A0CC


; =============== S U B R O U T I N E =======================================

; Attributes: noreturn

; sub_1A0D0 - tail-jump to the address held in R11 (same pattern as sub_1A0CC).
; The caller passes R0 = result of the R10 call, R1 = symbol name or ordinal,
; and stores the returned R0 into the current import slot.
sub_1A0D0:                               ; CODE XREF: sub_19FD0+D4p
                MOV             PC, R11
; End of function sub_1A0D0

; ---------------------------------------------------------------------------
; literal pool for LDR R4,=dword_18000 and LDR R1,=__IMPORT_DESCRIPTOR_COREDLL
off_1A0D4       DCD dword_18000         ; DATA XREF: sub_19FD0+58r
off_1A0D8       DCD __IMPORT_DESCRIPTOR_COREDLL ; DATA XREF: sub_19FD0+68r
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_19FD0
; Epilogue of sub_19FD0, reached from loc_1A02C once the import table ends.

loc_1A0DC:                               ; CODE XREF: sub_19FD0+64j
                ADD             SP, SP,  0x800          ; release the wide-name scratch buffer
                LDMFD           SP!, {PC}               ; pop the LR saved at entry straight into PC
; END OF FUNCTION CHUNK FOR sub_19FD0

; =============== S U B R O U T I N E =======================================


; ---------------------------------------------------------------------------
; sub_1A0E4 - bit-stream LZ decompressor: literal bytes and back-references
; into the output, with variable-length codes for offsets/lengths.  Bits are
; fetched one at a time by sub_1A1BC.
; In:  R0 = packed input, R1 = packed size, R2 = output buffer,
;      R3 = address that receives the output length
; Out: R0 = input pointer - end of input (0 when consumed exactly),
;      [R3] = number of bytes written.  R2-R7 are saved/restored.
; Register roles inside: R4 = bit buffer (sentinel form, see sub_1A1BC),
;      R5 = current back-reference displacement, kept negative (~offset),
;      R7 = end of packed input, R1 = code being read / copy length.
; NOTE: R7 is only used for the final R0; the loop stops on the in-stream end
;      marker (loc_1A1A8) and never checks R0 against R7, so a truncated or
;      malformed stream reads past the packed data.
; ---------------------------------------------------------------------------
sub_1A0E4:                               ; CODE XREF: sub_19FD0+4p
                STMFD           SP!, {R2-R7,LR}         ; saved R2/R3 are popped at loc_1A1A8
                ADD             R7, R1, R0              ; R7 = end of packed input
                MOV             R5,  0xFFFFFFFF         ; initial displacement: ~0
                MOV             R4,  0x80000000         ; empty bit buffer: sentinel bit only
                B               loc_1A100
; ---------------------------------------------------------------------------

loc_1A0F8:                               ; CODE XREF: sub_1A0E4+20j
                LDRB            R3, [R0], 1             ; literal: copy one input byte to the output
                STRB            R3, [R2], 1

loc_1A100:                               ; CODE XREF: sub_1A0E4+10j
                                        ; sub_1A0E4+C0j
                BL              sub_1A1BC               ; next bit -> C
                BCS             loc_1A0F8               ; 1 = literal
                MOV             R1,  1                  ; 0 = match: read a variable-length code into R1
                B               loc_1A11C

loc_1A110:                               ; CODE XREF: sub_1A0E4+44j
                SUB             R1, R1,  1
                BL              sub_1A1BC
                ADC             R1, R1, R1              ; R1 = (R1 << 1) | bit

loc_1A11C:                               ; CODE XREF: sub_1A0E4+28j
                BL              sub_1A1BC
                ADC             R1, R1, R1              ; R1 = (R1 << 1) | bit
                BL              sub_1A1BC
                BCC             loc_1A110               ; trailing bit clear: more digits follow
                SUBS            R3, R1,  3              ; R3 = code - 3 = high part of a new offset
                MOV             R1,  0                  ; (does not touch the flags from SUBS)
                BCC             loc_1A154               ; code < 3: reuse the previous displacement in R5
                LDRB            R5, [R0], 1             ; low byte of the offset from the stream
                ORR             R5, R5, R3,LSL 8        ; R5 = (R3 << 8) | byte
                MVNS            R5, R5                  ; R5 = ~offset, a negative displacement
                BEQ             loc_1A1A8               ; ~offset == 0: end-of-stream marker
                MOVS            R5, R5,ASR 1            ; C = bit 0 of R5 before the shift; it picks the length form
                BCS             loc_1A180
                B               loc_1A15C
; ---------------------------------------------------------------------------

loc_1A154:                               ; CODE XREF: sub_1A0E4+50j
                BL              sub_1A1BC               ; repeated displacement: one selector bit
                BCS             loc_1A180

loc_1A15C:                               ; CODE XREF: sub_1A0E4+6Cj
                MOV             R1,  1
                BL              sub_1A1BC
                BCS             loc_1A180

loc_1A168:                               ; CODE XREF: sub_1A0E4+90j
                BL              sub_1A1BC
                ADC             R1, R1, R1              ; long length: variable-length code ...
                BL              sub_1A1BC
                BCC             loc_1A168
                ADD             R1, R1,  4              ; ... plus 4
                B               loc_1A18C
; ---------------------------------------------------------------------------

loc_1A180:                               ; CODE XREF: sub_1A0E4+68j
                                        ; sub_1A0E4+74j ...
                BL              sub_1A1BC
                ADC             R1, R1, R1              ; short length: (R1 << 1 | bit) ...
                ADD             R1, R1,  2              ; ... plus 2

loc_1A18C:                               ; CODE XREF: sub_1A0E4+98j
                CMN             R5,  0x500              ; carry set only for displacements nearer than 0x500
                ADDCC           R1, R1,  1              ; far back-references copy one extra byte

loc_1A194:                               ; CODE XREF: sub_1A0E4+BCj
                LDRB            R3, [R2,R5]             ; byte-wise copy from output[R2 + R5]; overlap is fine
                STRB            R3, [R2], 1
                SUBS            R1, R1,  1
                BNE             loc_1A194
                B               loc_1A100
; ---------------------------------------------------------------------------

loc_1A1A8:                               ; CODE XREF: sub_1A0E4+60j
                LDMFD           SP!, {R3,R4}            ; R3 = saved R2 (output start), R4 = saved R3 (length slot)
                SUB             R0, R0, R7              ; R0 = input pointer - end of input
                SUB             R2, R2, R3              ; R2 = bytes written
                STR             R2, [R4]
                LDMFD           SP!, {R4-R7,PC}
; End of function sub_1A0E4


; =============== S U B R O U T I N E =======================================


; sub_1A1BC - fetch the next bit of the packed stream into the C flag.
; R4 is the bit buffer in "sentinel" form: the unread bits sit above a single
; 1 bit, so shifting left until the register reads zero means "empty".
; In:  R0 = input pointer, R4 = bit buffer
; Out: C = next bit; R4 updated; R0 advanced by one on a refill
; Clobbers: flags.  No end-of-input check.
sub_1A1BC:                               ; CODE XREF: sub_1A0E4:loc_1A100p
                                        ; sub_1A0E4+30p ...
                ADDS            R4, R4, R4              ; top bit -> C
                MOVNE           PC, LR                  ; buffer still holds the sentinel: done
                LDRB            R4, [R0], 1             ; refill from the stream
                ADC             R4, R4, R4              ; R4 = byte << 1 | C  (C was the sentinel, 1)
                MOVS            R4, R4,LSL 24           ; bit 7 of the byte -> C; remaining 7 bits + sentinel at the top
                RET                                     ; (IDA shorthand for the return through LR)


The very beginning of the emulator implementation:
Code:
; initialization

; Packed input: the payload mapped at its run-time address $18000 so that R_0
; can index it directly.  $1F76 bytes are taken from file offset 400 (decimal)
; of the packed executable - presumably the raw offset of the packed section;
; verify.  The ___18000:: label names the area for `load`.
virtual at $00018000 ;packed code
        ___18000::
file 'ROMExtractor3.exe':400,$1F76
end virtual
; Output: the unpacked image at $11000; `as 'bin'` makes fasmg write this
; area to a .bin file when assembly finishes.  Reserved as $1F76 dwords
; (4x the packed size); NOTE(review): the real output length is only known
; after decompression ([R3] in sub_1A0E4) - confirm this is large enough.
virtual at $00011000 as 'bin' ; executable code
        ___11000::
        dd $1F76 dup 0
end virtual

; Initial CPU state at the entry of sub_1A0E4 (the BL at sub_19FD0+4).
; Registers the emulator models are plain fasmg variables R_n.
R_5 = $F7FFFFFF                         ; caller's R5/R6: not used by sub_1A0E4 beyond
R_6 = $F7FFFFFF                         ; save/restore (R5 is overwritten right away)

R_0 = $18000                            ; packed input pointer (the ___18000 area)
R_1 = $1F76                             ; packed size in bytes (the `file` length above)
R_2 = $11000                            ; output buffer (the ___11000 area)
R_3 = $19FAC                            ; slot that receives the output length (STR R2,[R4] at loc_1A1A8)
R_4 = $72A4                             ; caller's R4; replaced by the bit buffer below
R_9 = $11000                            ; base added to the slot offsets in sub_19FD0 (ADD R5,R9,R0)
R_10 = $72A4                            ; targets of MOV PC,R10 / MOV PC,R11 in sub_1A0CC/sub_1A0D0;
R_11 = $72A4                            ; those calls are not modelled by the emulator yet

; Mirror of STMFD SP!,{R2-R7,LR}: loc_1A1A8 pops SAVE_R_2 (output start)
; and SAVE_R_3 (length slot) back from the stack.
SAVE_R_2 = R_2
SAVE_R_3 = R_3
SAVE_R_4 = R_4
SAVE_R_5 = R_5
SAVE_R_6 = R_6
SAVE_R_7 = R_7                          ; NOTE(review): R_7 is only assigned below; fasmg may resolve this
                                        ; forward reference with the previous pass's value (R_1+R_0)
                                        ; rather than the caller's R7 - confirm this is intended

R_7 = R_1+R_0                           ; ADD R7,R1,R0: end of packed input
R_5 = $FFFFFFFF                         ; MOV R5,0xFFFFFFFF: initial back-reference displacement
R_4 = $80000000                         ; MOV R4,0x80000000: empty bit buffer (sentinel only)

; emulator macros

; S statement  -  run one emulated instruction with the ARM "S" suffix, i.e.
; with condition-flag update: calcf is raised for the duration of the
; statement so that _fini (called by every m_* macro) refreshes ?c/?z.
; The `match` re-reads the captured line as a fresh statement and executes it.
; calcf is global and cleared afterwards, so instructions written without S
; never touch the flags (ARM ADD/ADC/SUB/MOV without S).
macro S statement&
        calcf = 1
        match I,statement
                I
        end match
        calcf = 0
end macro

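; calcflags operation  -  derive ARM-style condition flags from the untruncated
; (arbitrary-precision) result of an emulated operation, before it is wrapped
; to 32 bits by _fini.
;   ?c - set when the value does not fit in 32 bits (bits above 31 set, or a
;        negative value).  This is ARM's C after ADDS/ADCS.  For SUBS/CMP ARM
;        defines C = NOT borrow, so subtraction emulation must invert it.
;   ?z - set when the 32-bit result is zero.
;   ?n - set when bit 31 of the 32-bit result is set (ARM N; needed for the
;        BMI/BPL branches in the listing, e.g. the BPL loop of sub_1A0B0).
; V (overflow) is not modelled.  The bit shifted out by LSR/ASR cannot be
; recovered from the result and is therefore not reported either.
macro calcflags operation
        ?c = 0
        ?z = 0
        ?n = 0
        if (operation) and $FFFFFFFF <> (operation)
                ?c = 1
        end if
        if ~((operation) and $FFFFFFFF)
                ?z = 1
        end if
        if (operation) and $80000000
                ?n = 1
        end if
end macro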

; _fini op  -  common tail of every m_* macro.  `op` is the destination
; register symbol holding the untruncated (arbitrary-precision) result: when
; running under S (calcf = 1) the flags are derived from that value first,
; then the register is wrapped to 32 bits.  The order matters - once masked,
; the carry information is gone.
macro _fini op
        if calcf
                calcflags op
        end if
        op = op and $FFFFFFFF
end macro

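; calcshifter shifter,op1,op2  -  evaluate an ARM "Operand2" shift: op1 shifted
; by op2, where op2 is `LSL n`, `LSR n` or `ASR n` with an immediate n.
;   LSL keeps the bits shifted above bit 31 so that _fini can derive ?c;
;   LSR/ASR work on the 32-bit view of op1 and yield a 32-bit result.
; Limits: the carry-out of a shift is not reported as such.  _fini sets ?c when
;   any bit above 31 is set, which equals ARM's C after LSL only when no higher
;   bits get shifted out (true for the 9-bit bit buffer in sub_1A1BC).  For
;   LSR/ASR the bit shifted out is lost, so `S m_MOV ..., ASR 1` (the MOVS
;   R5,R5,ASR 1 in sub_1A0E4) needs ?c set by hand.
; Any other op2 stops the assembly with `err` instead of leaving `shifter`
; undefined, which would only surface as an undefined-symbol error later.
macro calcshifter shifter,op1,op2
        local known
        known = 0
        match =LSL amount,op2
                shifter = (op1) shl (amount)
                known = 1
        end match
        match =LSR amount,op2
                shifter = ((op1) and $FFFFFFFF) shr (amount)
                known = 1
        end match
        match =ASR amount,op2
                shifter = ((op1) and $FFFFFFFF) shr (amount)
                if (op1) and $80000000
                        ; replicate the sign bit into the vacated positions
                        shifter = shifter or (($FFFFFFFF shl (32-(amount))) and $FFFFFFFF)
                end if
                known = 1
        end match
        if known = 0
                err 'calcshifter: unsupported shifter operand (expected LSL/LSR/ASR n)'
        end if
end macro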

; m_ADD dst,src,operand[,shift]  -  emulates ADD / ADDS (via S) Rd, Rn, Op2:
; dst = (src + operand shifted per `shift`) wrapped to 32 bits.  The flags
; (?c/?z) are refreshed only when the instruction runs under S.
macro m_ADD dst,src,operand,shift:LSL 0
        local addend
        calcshifter addend,operand,shift
        dst = src + addend
        _fini dst
end macro

; m_ADC dst,src,operand[,shift]  -  emulates ADC / ADCS (via S) Rd, Rn, Op2:
; dst = (src + shifted operand + current ?c) wrapped to 32 bits.  It consumes
; the carry left by the previous flag-setting instruction - this is how the
; bit reader's result is shifted into a register (ADC R1,R1,R1 in the listing).
macro m_ADC dst,src,operand,shift:LSL 0
        local addend
        calcshifter addend,operand,shift
        dst = src + addend + ?c
        _fini dst
end macro

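; m_SUB dst,src,operand[,shift]  -  emulates SUB / SUBS (via S) Rd, Rn, Op2:
; dst = (src - shifted operand) wrapped to 32 bits.
; Under S the ARM SUBS/CMP convention applies: C = NOT borrow.  _fini's
; calcflags sets ?c to 1 exactly when the untruncated difference is negative
; (a borrow), so the flag is inverted here to give the ARM value; without
; the inversion a BCC/BCS after an emulated SUBS/CMP would go the wrong way.
macro m_SUB dst,src,operand,shift:LSL 0
        local subtrahend
        calcshifter subtrahend,operand,shift
        dst = src - subtrahend
        _fini dst
        if calcf
                ?c = 1 - ?c             ; ARM: C = 1 when no borrow occurred
        end if
end macro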

; m_MOV dst,operand[,shift]  -  emulates MOV / MOVS (via S) Rd, Op2:
; dst = shifted operand wrapped to 32 bits.  Under S, _fini derives ?c from
; the bits left above bit 31 by the shift (see calcshifter for the limits).
macro m_MOV dst,operand,shift:LSL 0
        local value
        calcshifter value,operand,shift
        dst = value
        _fini dst
end macro

; for checks
; disphex number[,digits]  -  display `number` as `digits` upper-case hex
; digits (default 8), most significant first, without prefix or newline.
; Debugging aid for dumping emulated registers (see the commented-out calls).
macro disphex number*,digits:8
        local nibble
        repeat digits
                ; %%-% counts down from digits-1 to 0, selecting the nibble
                nibble = ((number) shr ((%%-%) shl 2)) and 0Fh
                if nibble > 9
                        display 'A'-10+nibble
                else
                        display '0'+nibble
                end if
        end repeat
end macro



; instruction flow implementation




; Emulation of sub_1A1BC, the bit reader: fetches the next packed bit into ?c.
; R_4 is the sentinel-form bit buffer (see the listing).  When the ADDS empties
; it (?z), a byte is refilled from the packed area at R_0.  ADC does not set
; flags on ARM, so it runs without S and only consumes the ?c left by the ADDS
; (the sentinel bit, always 1 on this path); the MOVS LSL 24 then sets ?c to
; bit 7 of the new byte - for this 9-bit value _fini's "bits above 31" test
; matches ARM's carry exactly.  Like the original there is no end-of-input
; check; a refill past the end of the ___18000 area should fail the assembly
; instead - confirm.
macro sub_1A1BC
        S m_ADD         R_4,R_4,R_4 ;ADDS
        if ?z
                load R_4:byte from ___18000:R_0         ; LDRB R4,[R0],1
                R_0 = R_0+1
                m_ADC   R_4,R_4,R_4                     ; ADC R4,R4,R4 (no flag update)
                S m_MOV R_4,R_4,LSL 24                  ; MOVS R4,R4,LSL 24 -> ?c = bit 7 of the byte
        end if
end macro





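;disphex R_4
;display 13,10
; Straight-lined emulation of the start of sub_1A0E4 (its prologue is
; mirrored by the register initialisation above).  Each line is annotated
; with the listing instruction it stands for; the backward branches become
; while loops.
sub_1A1BC                               ; B loc_1A100 -> BL sub_1A1BC
while ?c                                ; BCS loc_1A0F8: literal byte while the bit is 1
        load R_3:byte from ___18000:R_0 ; LDRB R3,[R0],1
                R_0 = R_0+1
        store R_3:byte at ___11000:R_2  ; STRB R3,[R2],1
                R_2 = R_2+1
        sub_1A1BC                       ; loc_1A100: BL sub_1A1BC
end while
m_MOV           R_1,1                   ; MOV R1,1 ; B loc_1A11C
sub_1A1BC                               ; loc_1A11C: BL sub_1A1BC
m_ADC           R_1,R_1,R_1             ;            ADC R1,R1,R1
sub_1A1BC                               ;            BL sub_1A1BC
while ?c = 0                            ; BCC loc_1A110: more code digits while the carry is clear.
                                        ; (`while not ?c` never terminates: `not` is fasmg's bitwise
                                        ; NOT, giving -1 or -2, and any non-zero value counts as true.)
        m_SUB   R_1,R_1,1               ; loc_1A110: SUB R1,R1,1
        sub_1A1BC                       ;            BL sub_1A1BC
        m_ADC   R_1,R_1,R_1             ;            ADC R1,R1,R1
        sub_1A1BC                       ; loc_1A11C: BL sub_1A1BC
        m_ADC   R_1,R_1,R_1             ;            ADC R1,R1,R1
        sub_1A1BC                       ;            BL sub_1A1BC (-> BCC loc_1A110)
end while
; not yet emulated: SUBS R3,R1,3 and the offset/length decoding that follows
;disphex R_4
;display 13,10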


Jumps are a somewhat inconvenient thing to implement, because executing code can jump anywhere, while the source text is processed only line by line (structured loops map onto `while`, but arbitrary branches have to be straight-lined by hand, as above).
Maybe it will be continued, with a complete emulation of the packer's algorithm.

Post 09 Apr 2019, 11:10