ProMiNick
Joined: 24 Mar 2012
Posts: 770
Location: Russian Federation, Sochi
|
Let suppose that we have code of packer no matter in form of text or binary on architecture where unpacker(or debugger/or emulator) is unaccessible.
And we want to unpack binary code just right in fasmg.
example code: (fasmg has no macros for encoding arm, but they don`t needed - because we creating macros for emulating arm, not for encoding)
sub_19FD0 ; CODE XREF: start+14�p
; FUNCTION CHUNK AT 0001A0DC SIZE 00000008 BYTES
STMFD SP!, {LR}
BL sub_1A0E4
LDR R0, =dword_11000
MOV R2, 0
LDR R12, =dword_13E00
loc_19FE4: ; CODE XREF: sub_19FD0+48�j
CMP R0, R12
BEQ loc_1A024
LDR R3, [R0]
AND R1, R3, 0xF000000
CMP R1, 0xB000000
BNE loc_1A010
AND R1, R3, 0xFF000000
SUB R3, R3, R2
BIC R3, R3, 0xFF000000
ORR R3, R3, R1
STR R3, [R0]
loc_1A010: ; CODE XREF: sub_19FD0+28�j
ADD R0, R0, 4
ADD R2, R2, 1
B loc_19FE4
; ---------------------------------------------------------------------------
off_1A01C DCD dword_11000 ; DATA XREF: sub_19FD0+8�r
off_1A020 DCD dword_13E00 ; DATA XREF: sub_19FD0+10�r
; ---------------------------------------------------------------------------
loc_1A024: ; CODE XREF: sub_19FD0+18�j
SUB SP, SP, 0x800
LDR R4, =dword_18000
loc_1A02C: ; CODE XREF: sub_19FD0+A8�j
MOV R0, R4
BL sub_1A0B0
BEQ loc_1A0DC
LDR R1, =__IMPORT_DESCRIPTOR_COREDLL
ADD R0, R0, R1
MOV R1, SP
loc_1A044: ; CODE XREF: sub_19FD0+80�j
LDRB R2, [R0], 1
STRH R2, [R1], 2
CMP R2, 0
BNE loc_1A044
MOV R0, SP
BL sub_1A0CC
; ---------------------------------------------------------------------------
MOV R6, R0
ADD R0, R4, 4
BL sub_1A0B0
ADD R5, R9, R0
ADD R4, R4, 8
loc_1A070: ; CODE XREF: sub_19FD0+DC�j
LDRB R0, [R4], 1
CMP R0, 1
BMI loc_1A02C
BNE loc_1A094
MOV R1, R4
loc_1A084: ; CODE XREF: sub_19FD0+BC�j
LDRB R0, [R4], 1
CMP R0, 0
BNE loc_1A084
B loc_1A0A0
; ---------------------------------------------------------------------------
loc_1A094: ; CODE XREF: sub_19FD0+AC�j
LDRB R0, [R4], 1
LDRB R1, [R4], 1
ADD R1, R0, R1,LSL 8
loc_1A0A0: ; CODE XREF: sub_19FD0+C0�j
MOV R0, R6
BL sub_1A0D0
; ---------------------------------------------------------------------------
STR R0, [R5], 4
B loc_1A070
; End of function sub_19FD0
; =============== S U B R O U T I N E =======================================
sub_1A0B0: ; CODE XREF: sub_19FD0+60�p
; sub_19FD0+94�p
MOV R2, 3
loc_1A0B4: ; CODE XREF: sub_1A0B0+10�j
LDRB R3, [R0,R2]
SUBS R2, R2, 1
ADD R1, R3, R1,LSL 8
BPL loc_1A0B4
MOVS R0, R1
RET
; End of function sub_1A0B0
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_1A0CC: ; CODE XREF: sub_19FD0+88�p
MOV PC, R10
; End of function sub_1A0CC
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_1A0D0: ; CODE XREF: sub_19FD0+D4�p
MOV PC, R11
; End of function sub_1A0D0
; ---------------------------------------------------------------------------
off_1A0D4 DCD dword_18000 ; DATA XREF: sub_19FD0+58�r
off_1A0D8 DCD __IMPORT_DESCRIPTOR_COREDLL ; DATA XREF: sub_19FD0+68�r
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_19FD0
loc_1A0DC: ; CODE XREF: sub_19FD0+64�j
ADD SP, SP, 0x800
LDMFD SP!, {PC}
; END OF FUNCTION CHUNK FOR sub_19FD0
; =============== S U B R O U T I N E =======================================
sub_1A0E4: ; CODE XREF: sub_19FD0+4�p
STMFD SP!, {R2-R7,LR}
ADD R7, R1, R0
MOV R5, 0xFFFFFFFF
MOV R4, 0x80000000
B loc_1A100
; ---------------------------------------------------------------------------
loc_1A0F8: ; CODE XREF: sub_1A0E4+20�j
LDRB R3, [R0], 1
STRB R3, [R2], 1
loc_1A100: ; CODE XREF: sub_1A0E4+10�j
; sub_1A0E4+C0�j
BL sub_1A1BC
BCS loc_1A0F8
MOV R1, 1
B loc_1A11C
; ---------------------------------------------------------------------------
loc_1A110: ; CODE XREF: sub_1A0E4+44�j
SUB R1, R1, 1
BL sub_1A1BC
ADC R1, R1, R1
loc_1A11C: ; CODE XREF: sub_1A0E4+28�j
BL sub_1A1BC
ADC R1, R1, R1
BL sub_1A1BC
BCC loc_1A110
SUBS R3, R1, 3
MOV R1, 0
BCC loc_1A154
LDRB R5, [R0], 1
ORR R5, R5, R3,LSL 8
MVNS R5, R5
BEQ loc_1A1A8
MOVS R5, R5,ASR 1
BCS loc_1A180
B loc_1A15C
; ---------------------------------------------------------------------------
loc_1A154: ; CODE XREF: sub_1A0E4+50�j
BL sub_1A1BC
BCS loc_1A180
loc_1A15C: ; CODE XREF: sub_1A0E4+6C�j
MOV R1, 1
BL sub_1A1BC
BCS loc_1A180
loc_1A168: ; CODE XREF: sub_1A0E4+90�j
BL sub_1A1BC
ADC R1, R1, R1
BL sub_1A1BC
BCC loc_1A168
ADD R1, R1, 4
B loc_1A18C
; ---------------------------------------------------------------------------
loc_1A180: ; CODE XREF: sub_1A0E4+68�j
; sub_1A0E4+74�j ...
BL sub_1A1BC
ADC R1, R1, R1
ADD R1, R1, 2
loc_1A18C: ; CODE XREF: sub_1A0E4+98�j
CMN R5, 0x500
ADDCC R1, R1, 1
loc_1A194: ; CODE XREF: sub_1A0E4+BC�j
LDRB R3, [R2,R5]
STRB R3, [R2], 1
SUBS R1, R1, 1
BNE loc_1A194
B loc_1A100
; ---------------------------------------------------------------------------
loc_1A1A8: ; CODE XREF: sub_1A0E4+60�j
LDMFD SP!, {R3,R4}
SUB R0, R0, R7
SUB R2, R2, R3
STR R2, [R4]
LDMFD SP!, {R4-R7,PC}
; End of function sub_1A0E4
; =============== S U B R O U T I N E =======================================
sub_1A1BC: ; CODE XREF: sub_1A0E4:loc_1A100�p
; sub_1A0E4+30�p ...
ADDS R4, R4, R4
MOVNE PC, LR
LDRB R4, [R0], 1
ADC R4, R4, R4
MOVS R4, R4,LSL 24
RET
the very begining of implementation of emulator: ; initialization
virtual at $00018000 ;packed code
___18000::
file 'ROMExtractor3.exe':400,$1F76
end virtual
virtual at $00011000 as 'bin' ; executable code
___11000::
dd $1F76 dup 0
end virtual
R_5 = $F7FFFFFF
R_6 = $F7FFFFFF
R_0 = $18000
R_1 = $1F76
R_2 = $11000
R_3 = $19FAC
R_4 = $72A4
R_9 = $11000
R_10 = $72A4
R_11 = $72A4
SAVE_R_2 = R_2
SAVE_R_3 = R_3
SAVE_R_4 = R_4
SAVE_R_5 = R_5
SAVE_R_6 = R_6
SAVE_R_7 = R_7
R_7 = R_1+R_0
R_5 = $FFFFFFFF
R_4 = $80000000
; emulator macros
macro S statement&
calcf = 1
match I,statement
I
end match
calcf = 0
end macro
macro calcflags operation
?c = 0
?z = 0
if operation and $FFFFFFFF <> operation
?c = 1
end if
if ~(operation and $FFFFFFFF)
?z = 1
end if
end macro
macro _fini op
if calcf
calcflags op
end if
op = op and $FFFFFFFF
end macro
macro calcshifter shifter,op1,op2
match =LSL amount,op2
shifter = op1 shl amount
end match
end macro
macro m_ADD op1,op2,op3,op4:LSL 0
local shifter
calcshifter shifter,op3,op4
op1 = op2 + shifter
_fini op1
end macro
macro m_ADC op1,op2,op3,op4:LSL 0
local shifter
calcshifter shifter,op3,op4
op1 = op2 + shifter + ?c
_fini op1
end macro
macro m_SUB op1,op2,op3,op4:LSL 0
local shifter
calcshifter shifter,op3,op4
op1 = op2 - shifter
_fini op1
end macro
macro m_MOV op1,op2,op3:LSL 0
local shifter
calcshifter shifter,op2,op3
op1 = shifter
_fini op1
end macro
; for checks
macro disphex number*,digits:8
repeat digits
digit = ((number) shr ((%%-%) shl 2)) and 0Fh
if digit < 10
display '0'+digit
else
display 'A'+digit-10
end if
end repeat
end macro
; instruction flow implementation
macro sub_1A1BC
S m_ADD R_4,R_4,R_4 ;ADDS
if ?z
load R_4:byte from ___18000:R_0
R_0 = R_0+1
m_ADC R_4,R_4,R_4
S m_MOV R_4,R_4,LSL 24
end if
end macro
;disphex R_4
;display 13,10
sub_1A1BC
while ?c
load R_3:byte from ___18000:R_0
R_0 = R_0+1
store R_3:byte at ___11000:R_2
R_2 = R_2+1
sub_1A1BC
end while
m_MOV R_1,1
sub_1A1BC
m_ADC R_1,R_1,R_1
sub_1A1BC
while not ?c
m_SUB R_1,R_1,1
sub_1A1BC
m_ADC R_1,R_1,R_1
sub_1A1BC
m_ADC R_1,R_1,R_1
sub_1A1BC
end while
;disphex R_4
;display 13,10
jumps - are bit unconvinient things in realisation because in code execution can jumps to everywhere while source text operated only line by line.
May be it will be continued - with complete emulation of packing algorithm.
_________________
I don`t like to refer by "you" to one person.
My soul requires acronim "thou" instead.
|
Index
> Projects and Ideas > FASMG as emulator(debugger) of sorce text or binary
