[分享]smc for win64
2017-11-30 13:07 3098

;\UASM64\bin\uasm64 -c -win64
;\UASM64\bin\Link /ENTRY:entry_point /SUBSYSTEM:console /MACHINE:X64 /nologo /LARGEADDRESSAWARE
; Build: assemble with UASM in Win64 mode, then link a console image whose entry
; point is entry_point (no C runtime is linked; the program ends via ExitProcess).
; Target: x86-64, Microsoft x64 calling convention (args in rcx, rdx, r8, r9;
; rsi, rdi, r12-r15 are callee-saved). Intel/MASM syntax throughout.
option casemap:none                     ; symbol names are case-sensitive (Win32 API names must match exactly)
option win64:3                          ; UASM: automatic stack frame / 16-byte alignment for invoke -- confirm exact semantics in the UASM manual

include \UASM64\include\windows.inc     ; Win32 constants and API prototypes used by invoke

includelib \UASM64\Lib\user32.lib       ; wsprintf
includelib \UASM64\Lib\kernel32.lib     ; VirtualAlloc/VirtualFree, GetStdHandle, WriteFile, RtlZeroMemory, ExitProcess
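.data
_void dq 0                              ; scratch qword: receives VirtualFree's BOOL result
txt db "12345678901234567890123456789012345678901234567890",0
ptxt dq txt                             ; pointer to txt (50 characters plus terminator)

align 16
; ----------
; algorithms
; ----------
; The two routines below are stored as raw machine-code bytes instead of being
; assembled into .code, so they live in writable data and can be copied to another
; address at run time. Both use only short relative jumps, so they run unchanged
; wherever they are copied.
;
; string_length: size_t string_length(const char *s)   rcx = s, returns rax = length
;   decodes to: mov rax,rcx / sub rax,1 /
;               8 x { add rax,1 / cmp byte ptr [rax],0 / je done } / jne back to the first add /
;               done: sub rax,rcx / ret
;   i.e. the length loop used in StdOut, unrolled eight times.
string_length \
db 72,139,193,72,131,232,1,72,131,192,1,128,56,0,116,63
db 72,131,192,1,128,56,0,116,54,72,131,192,1,128,56,0
db 116,45,72,131,192,1,128,56,0,116,36,72,131,192,1,128
db 56,0,116,27,72,131,192,1,128,56,0,116,18,72,131,192
db 1,128,56,0,116,9,72,131,192,1,128,56,0,117,184,72
db 43,193,195
string_length_size equ $ - string_length ; 83 bytes, computed so the table cannot drift from the count

; memory_copy: the same instruction sequence as mcopy in .code
;   rcx = source, rdx = destination, r8 = byte count
memory_copy \
db 76,139,222,76,139,215,252,72,139,241,72,139,250,73,139,200   ; mov r11,rsi / mov r10,rdi / cld / mov rsi,rcx / mov rdi,rdx / mov rcx,r8
db 72,193,233,3,243,72,165,73,139,200,72,131,225,7,243,164      ; shr rcx,3 / rep movsq / mov rcx,r8 / and rcx,7 / rep movsb
db 73,139,250,73,139,243,195                                    ; mov rdi,r10 / mov rsi,r11 / ret
memory_copy_size equ $ - memory_copy    ; 39 bytes

llen dq string_length_size
plen dq string_length                   ; length & pointer to str len

lcpy dq memory_copy_size
pcpy dq memory_copy                     ; length & pointer to mem copy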

.code

mcopy proc
; void mcopy(const void *src, void *dst, size_t count)
; ABI:   Microsoft x64, leaf routine, no stack frame beyond two pushes
; In:    rcx = source address, rdx = destination address, r8 = byte count
; Out:   nothing meaningful in rax; rcx is 0 on return
; Clobb: rcx, flags (DF is left clear as the ABI requires)
; rsi and rdi are callee-saved under this ABI, so they are parked on the stack
; while the string instructions use them as the copy cursors.
push rsi
push rdi

mov rsi, rcx                            ; rsi = src
mov rdi, rdx                            ; rdi = dst
cld                                     ; ascending copy

mov rcx, r8
shr rcx, 3                              ; whole qwords first
rep movsq

mov rcx, r8
and ecx, 7                              ; trailing 0..7 bytes (32-bit write zero-extends rcx)
rep movsb

pop rdi
pop rsi
ret

mcopy endp

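StdOut proc
; Writes the zero-terminated text at rcx to the process's standard output.
; In:   rcx = text address (non-null, zero-terminated)
; Out:  rax = bytes written as reported by WriteFile; 0 when no usable stdout handle
; r12/r13 are callee-saved under the Microsoft x64 ABI and are spilled to locals
; because they must survive the invokes below.
LOCAL bWritten     :DWORD               ; WriteFile's lpNumberOfBytesWritten is a DWORD, not a QWORD
LOCAL @r12         :QWORD
LOCAL @r13         :QWORD
LOCAL dwBytesWrite :DWORD

mov @r12, r12                           ; preserve non-volatile registers
mov @r13, r13
mov bWritten, 0                         ; defined result even if WriteFile never runs

mov r12, rcx                            ; r12 = text address

invoke GetStdHandle,STD_OUTPUT_HANDLE
cmp rax, -1                             ; INVALID_HANDLE_VALUE
je no_handle
test rax, rax                           ; NULL: no stdout attached to this process
jz no_handle
mov r13, rax                            ; r13 = stdout handle

; length = distance from r12 to the first zero byte
mov rax, r12
sub rax, 1
@@:
add rax, 1
cmp BYTE PTR [rax], 0
jne @B
sub rax, r12
mov dwBytesWrite,eax                    ; WriteFile takes a DWORD count (low 32 bits of the length)

invoke WriteFile,r13,r12,dwBytesWrite,ADDR bWritten,NULL
mov eax, bWritten                       ; 32-bit load: the upper half of rax is zero, not stale stack
jmp done

no_handle:
xor eax, eax                            ; nothing written

done:
mov r12, @r12                           ; restore non-volatile registers
mov r13, @r13
ret

StdOut endp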

strHex2str proc inQword:QWORD,outFmt:QWORD,outBuf:QWORD
; Formats inQword into outBuf with the wsprintf format string outFmt.
; In:   inQword = value to format (a "%u" in outFmt is a 32-bit conversion, so only the low 32 bits are printed)
;       outFmt  = zero-terminated format string
;       outBuf  = destination buffer; assumed to hold at least 128 bytes, since that much is cleared
; Out:  rax = whatever wsprintf returned (its character count) -- nothing here changes it before ret
; NOTE(review): despite the name nothing is hexadecimal; the format string decides.
; wsprintf takes no buffer length, so outFmt must not expand beyond the 128 bytes cleared below.
invoke RtlZeroMemory, outBuf, 128       ; clear the caller's buffer so the result is always terminated on a short write
invoke wsprintf,outBuf,outFmt,inQword
ret

strHex2str endp

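entry_point proc
; Demo: two routines stored as raw bytes in .data (memory_copy, string_length) are
; copied into a freshly allocated executable block and called from there.
; Step 1 uses the assembled mcopy to place memory_copy; step 2 uses the copied
; memory_copy to place string_length; step 3 runs the copied string_length on txt.
LOCAL hMem  :QWORD                      ; base of the allocation (passed back to VirtualFree)
LOCAL pMem  :QWORD                      ; cursor: next free slot inside the allocation
LOCAL cpym  :QWORD                      ; entry address of the copied memory_copy
LOCAL slen  :QWORD                      ; entry address of the copied string_length
LOCAL buffer[128]:byte                  ; formatted text handed to StdOut

; NOTE(review): one RWX block is the simplest layout for this demo, because the copied
; memory_copy must execute from the block while writing into it. Outside a demo prefer
; W^X: fill the block as PAGE_READWRITE, then switch it to PAGE_EXECUTE_READ before calling.
invoke VirtualAlloc,0,1024,MEM_COMMIT or MEM_RESERVE,PAGE_EXECUTE_READWRITE
test rax, rax
jz alloc_failed                         ; NULL: never dereference, exit with an error code
mov hMem, rax                           ; allocate executable memory
mov pMem, rax

; step 1: copy memory_copy (lcpy bytes) to pMem using the assembled mcopy
mov r8,lcpy
mov rdx,pMem
mov rcx,pcpy
call mcopy

mov rax,pMem
mov cpym,rax

add pMem, 128                           ; next 128-byte slot (lcpy = 39 and llen = 83 both fit)

; step 2: copy string_length (llen bytes) using the copy that now lives in memory
mov r8,llen
mov rdx,pMem
mov rcx,plen
call cpym

mov rax,pMem
mov slen,rax

; step 3: run the copied string_length on txt and print the result
mov rcx,ptxt
call slen                               ; rax = length of txt
invoke strHex2str,rax,CStr("%u = string length",13,10),addr buffer
lea rcx,buffer
call StdOut

invoke VirtualFree,hMem,0,MEM_RELEASE
mov _void, rax                          ; BOOL result of releasing the block, reported below
invoke strHex2str,_void,CStr("%u = free memory return value"),addr buffer
lea rcx,buffer
call StdOut

invoke ExitProcess,NULL

alloc_failed:
invoke ExitProcess,1                    ; non-zero exit code: could not get executable memory

entry_point endp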

end



kellygod 2017-12-1 19:48
没大致说一下原理，扔个汇编，新手没看懂。
sixL 2017-12-2 00:00
1、这里示例了代码（内存拷贝和串长度计算）放在数据段中如何执行；
2、引申开来：将代码压缩、加密后放在数据段中，启动后再解压、解密、执行。