LyScript插件实现了针对特定汇编指令片段的批量搜索功能,用户传入一个汇编指令列表,然后循环遍历列表中的所有指令特性,如果找到则返回该指令内存地址。插件地址:https://github.com/lyshark/Ly...获取汇编指令的机器码:该功能主要实现获取用户传入的汇编指令对应的机器码。您可以通过这种方式实现此代码。fromLyScript32importMyDebugif__name__=="__main__":dbg=MyDebug()connect_flag=dbg.connect()print("连接状态:{}".format(connect_flag))addr=dbg.create_alloc(1024)print("heap空格:{}".format(hex(addr)))asm_size=dbg.assemble_code_size("moveax,1")print("汇编代码占用字节数:{}".format(asm_size))write=dbg.assemble_write_memory(addr,"moveax,1")byte_code=bytearray()forindexinrange(0,asm_size):read=dbg.read_memory_byte(addr+index)print("{:02x}".format(read),end="")dbg.delete_alloc(addr)封装了上述代码接口,实现了get_opcode_from_assemble(),用户传入一条汇编指令,获取该指令对应的机器码。fromLyScript32importMyDebug#传入汇编代码,得到对应的机器码defget_opcode_from_assemble(dbg_ptr,asm):byte_code=bytearray()addr=dbg_ptr.create_alloc(1024)ifaddr!=0:asm_size=dbg_ptr.assemble_code_size(asm)#print("汇编代码占用字节数:{}".format(asm_size))write=dbg_ptr.assemble_write_memory(addr,asm)ifwrite==True:forindexinrange(0,asm_size):read=dbg_ptr.read_memory_byte(addr+index)#print("{:02x}".format(read),end="")byte_code.append(read)dbg_ptr.delete_alloc(addr)returnbyte_codeelse:returnbytearray(0)if__name__==复制代码"__main__":dbg=MyDebug()connect_flag=dbg.connect()print("Connectionstatus:{}".format(connect_flag))#获取索引的汇编代码byte_array=get_opcode_from_assemble(dbg,"xoreax,eax")在byte_array中:print(hex(index),end="")print()#组装一个序列asm_list=["xoreax,eax","xorebx,ebx","moveax,1"]forindexinasm_list:byte_array=get_opcode_from_assemble(dbg,index)forindexinbyte_array:print(hex(index),end="")print()dbg.close()运行上面的代码找出符合条件的内存地址批量搜索反汇编代码:类似于搜索机器码,该函数实现搜索代码段中的所有指令匹配列表中的集合是否存在,存在则返回地址。fromLyScript32importMyDebugif__name__=="__main__":dbg=MyDebug()dbg.connect()local_base_start=dbg.get_local_base()local_base_end=local_base_start+dbg.get_local_size()print("起始地址:{}-->结束地址:{}".format(hex(local_base_start),hex(local_base_end)))search_asm=['testeax,eax','cmpesi,edi','popedi','cmpesi,edi','jmpesp']whilelocal_base_start<=local_base_end:disasm=dbg.get_disasm_one_code(local_base_start)print("Address:0x{:08x}-->disassembly:{}".format(local_base_start,disasm))#查找范围内索引的指令(0,len(search_asm)):ifdisasm==search_asm[index]:print("address:{}-->disassembly:{}".format(hex(local_base_start),disasm))#递增计数器local_base_start=local_base_start+dbg.get_disasm_operand_size(local_base_start)dbg.close()查找反汇编列表特点:使用python实现方法,通过特定方法扫描内存范围,如果出现我们需要的指令集序列,输出特定的指令集序列身体记忆地址fromLyScript32importMyDebug#传入汇编代码,得到对应的机器码defget_opcode_from_assemble(dbg_ptr,asm):byte_code=bytearray()addr=dbg_ptr.create_alloc(1024)ifaddr!=0:asm_size=dbg_ptr.assemble_code_size(asm)#print("汇编代码占用字节数:{}".format(asm_size))write=dbg_ptr.assemble_write_memory(addr,asm)ifwrite==True:forindexinrange(0,asm_size):read=dbg_ptr.read_memory_byte(addr+index)#print("{:02x}".format(read),end="")byte_code.append(read)dbg_ptr.delete_alloc(addr)returnbyte_codeelse:returnbytearray(0)#搜索机器码,如果存在则返回defSearchOpCode(dbg_ptr,Search):#搜索机器码并转换为列表op_code=[]forindexinSearch:byte_array=get_opcode_from_assemble(dbg,index)forindexinbyte_array:op_code.append(hex(index))#print("机器码列表:{}".format(op_code))#转换机器码将列表转为字符串#1.先转为字符串列表x=[str(i)foriinop_code]#2.将字符串列表转为字符串#search_code=''.join(x).replace("0x","")search_code=[]#在0前面加上少于3位forlinrange(0,len(x)):iflen(x[l])<=3:#如果是少于3位数字前面加0#print(''.join(x[l]).replace("0x","").zfill(2))search_code.append(''.join(x[l]).replace("0x","").zfill(2))else:search_code.append(''.join(x[l]).replace("0x",""))#3.成为字符串search_code=''.join(search_code).replace("0x","")print("Searchedstring:{}".format(search_code))#调用搜索命令ref=dbg.scan_memory_one(search_code)如果参考!=Noneorref!=0:returnrefelse:return0return0if__name__=="__main__":dbg=MyDebug()connect_flag=dbg.connect()print("连接状态:{}".format(connect_flag))#搜索指令序列以快速找到并构建利用代码SearchCode=[["popecx","popebp","ret","pushebp"],["pushebp","movebp,esp"],["movecx,dwordptrds:[eax+0x3C]","addecx,eax"]]#为iteminrange(0,len(SearchCode)):Search=SearchCode[item]搜索内存指令集ret=SearchOpCode(dbg,Search)print("搜索到的指令所在内存:{}".format(hex(ret)))dbg.close()如上代码,第一个函数get_opcode_from_assemble(dbg_ptr,asm)是利用用户传入的汇编指令获取机器码,利用函数SearchOpCode(dbg_ptr,Search)将用户传入的汇编列表转换为连续的字符串1。分片1实现转换机器代码到十六进制数组op_code=[]forindexinSearch:byte_array=get_opcode_from_assemble(dbg,index)forindexinbyte_array:op_code.append(hex(index))2.片段2从十六进制中删除0x前缀十进制机器码,判断十进制数是否小于等于3位,如果是,则在输出前缀前加0,否则直接输出到search_code变量。#将机器码列表转换为字符串#1.首先转换为字符串列表x=[str(i)foriinop_code]#2.将字符串列表转换为字符串#search_code=''.join(x).replace("0x","")search_code=[]#在range(0,len(x)):iflen(x[l])<=3:#if如果小于3位以上,前面加0#print(''.join(x[l]).replace("0x","").zfill(2))search_code.append(''.join(x[l]).replace("0x","").zfill(2))else:search_code.append(''.join(x[l]).replace("0x",""))3.Fragment3和最后调用搜索机器码命令,首先将字符串列表转换为字符串,然后调用dbg.scan_memory_one(search_code)完成整个搜索过程。search_code=''.join(search_code).replace("0x","")print("Searchedstring:{}".format(search_code))#调用搜索命令ref=dbg.scan_memory_one(search_code)ifref!=Noneorref!=0:returnrefelse:return0return0最后调用,用户传入一个二维列表,然后在列表中依次查找所有符合条件的内存地址。
