Triton学习笔记(二)

对常用的功能进行研究

//test3.c
#include <stdio.h>

int main(void)
{
	int i;
	i = 1;
	if (i)
		printf("lose");
	else
		printf("win");
	return 0;
}
//gcc test3.c -o test3

# test3.py
#!/usr/bin/env python2
## -*- coding: utf-8 -*-

import pdb

from pintool import *
from triton  import *

def before(inst):
    if inst.getAddress() == 0x400535:
        pdb.set_trace()

if __name__ == '__main__':
    setArchitecture(ARCH.X86_64)
    setupImageBlacklist(["libc", "ld-linux"])
    startAnalysisFromSymbol("main")
    insertCall(before, INSERT_POINT.BEFORE)
    runProgram()

编译出来的代码:

$ objdump -d test3 -M intel
...
0000000000400526 <main>:
  400526:	55                   	push   rbp
  400527:	48 89 e5             	mov    rbp,rsp
  40052a:	48 83 ec 10          	sub    rsp,0x10
  40052e:	c7 45 fc 01 00 00 00 	mov    DWORD PTR [rbp-0x4],0x1
  400535:	83 7d fc 00          	cmp    DWORD PTR [rbp-0x4],0x0
  400539:	74 11                	je     40054c <main+0x26>
  40053b:	bf f4 05 40 00       	mov    edi,0x4005f4
  400540:	b8 00 00 00 00       	mov    eax,0x0
  400545:	e8 b6 fe ff ff       	call   400400 <printf@plt>
  40054a:	eb 0f                	jmp    40055b <main+0x35>
  40054c:	bf f9 05 40 00       	mov    edi,0x4005f9
  400551:	b8 00 00 00 00       	mov    eax,0x0
  400556:	e8 a5 fe ff ff       	call   400400 <printf@plt>
  40055b:	b8 00 00 00 00       	mov    eax,0x0
  400560:	c9                   	leave  
  400561:	c3                   	ret
...

$ build/triton /tmp/test3.py /tmp/test3 
--Return--
> /tmp/test3.py(11)before()->None
-> pdb.set_trace()
(Pdb) 

使用pdb进行测试

• 获取当前指令地址:

(Pdb) print hex(inst.getAddress())
0x400535L

• 获取当前函数名

(Pdb) inst.getAddress()
4195653L
(Pdb) getRoutineName(4195653L)
'main'

• 获取寄存器的值

(Pdb) print hex(getCurrentRegisterValue(REG.RBP))
0x7ffc3d9791c0L
(Pdb) print dir(REG)
['AF', 'AH', 'AL', 'AX', 'BH', 'BL', 'BP', 'BPL', 'BX', 'CF', 'CH', 'CL', 'CR0', 'CR1', 'CR10', 'CR11', 'CR12', 'CR13', 'CR14', 'CR15', 'CR2', 'CR3', 'CR4', 'CR5', 'CR6', 'CR7', 'CR8', 'CR9', 'CS', 'CX', 'DAZ', 'DE', 'DF', 'DH', 'DI', 'DIL', 'DL', 'DM', 'DS', 'DX', 'EAX', 'EBP', 'EBX', 'ECX', 'EDI', 'EDX', 'EFLAGS', 'EIP', 'ES', 'ESI', 'ESP', 'FS', 'FZ', 'GS', 'IE', 'IF', 'IM', 'IP', 'MM0', 'MM1', 'MM2', 'MM3', 'MM4', 'MM5', 'MM6', 'MM7', 'MXCSR', 'OE', 'OF', 'OM', 'PE', 'PF', 'PM', 'R10', 'R10B', 'R10D', 'R10W', 'R11', 'R11B', 'R11D', 'R11W', 'R12', 'R12B', 'R12D', 'R12W', 'R13', 'R13B', 'R13D', 'R13W', 'R14', 'R14B', 'R14D', 'R14W', 'R15', 'R15B', 'R15D', 'R15W', 'R8', 'R8B', 'R8D', 'R8W', 'R9', 'R9B', 'R9D', 'R9W', 'RAX', 'RBP', 'RBX', 'RCX', 'RDI', 'RDX', 'RH', 'RIP', 'RL', 'RSI', 'RSP', 'SF', 'SI', 'SIL', 'SP', 'SPL', 'SS', 'TF', 'UE', 'UM', 'XMM0', 'XMM1', 'XMM10', 'XMM11', 'XMM12', 'XMM13', 'XMM14', 'XMM15', 'XMM2', 'XMM3', 'XMM4', 'XMM5', 'XMM6', 'XMM7', 'XMM8', 'XMM9', 'YMM0', 'YMM1', 'YMM10', 'YMM11', 'YMM12', 'YMM13', 'YMM14', 'YMM15', 'YMM2', 'YMM3', 'YMM4', 'YMM5', 'YMM6', 'YMM7', 'YMM8', 'YMM9', 'ZE', 'ZF', 'ZM', 'ZMM0', 'ZMM1', 'ZMM10', 'ZMM11', 'ZMM12', 'ZMM13', 'ZMM14', 'ZMM15', 'ZMM16', 'ZMM17', 'ZMM18', 'ZMM19', 'ZMM2', 'ZMM20', 'ZMM21', 'ZMM22', 'ZMM23', 'ZMM24', 'ZMM25', 'ZMM26', 'ZMM27', 'ZMM28', 'ZMM29', 'ZMM3', 'ZMM30', 'ZMM31', 'ZMM4', 'ZMM5', 'ZMM6', 'ZMM7', 'ZMM8', 'ZMM9']

• 获取内存值

(Pdb) getCurrentMemoryValue(getCurrentRegisterValue(REG.RBP)-4)
1L

我们可以看到上一句指令是: mov DWORD PTR [rbp-0x4],0x1

• 设置内存值

(Pdb) setCurrentMemoryValue(getCurrentRegisterValue(REG.RBP)-4,0)
(Pdb) getCurrentMemoryValue(getCurrentRegisterValue(REG.RBP)-4)
0L

来继续运行程序查看结果:

(Pdb) c
win

修该下test3.py:

def before(inst):
    if inst.getAddress() == 0x400545:
        pdb.set_trace()

$ build/triton /tmp/test3.py /tmp/test3
--Return--
> /tmp/test3.py(11)before()->None
-> pdb.set_trace()
(Pdb) getCurrentMemoryValue(getCurrentRegisterValue(REG.RDI), CPUSIZE.QWORD)
7956021060312461164L
(Pdb) hex(7956021060312461164L)
'0x6e69770065736f6cL'
(Pdb) "6e69770065736f6c".decode('hex')
'niw\x00esol'

• 设置寄存器的值

$ build/triton /tmp/test3.py /tmp/test3
--Return--
> /tmp/test3.py(11)before()->None
-> pdb.set_trace()
(Pdb) setCurrentRegisterValue(REG.RSI, 0x4005f9)
(Pdb) c
lose

设置失败了, 看看文档:

void setCurrentRegisterValue(Register reg, integer value)
Sets the current register value from a Register. This method can only be called into a BEFORE_SYMPROC and AFTER callback. This method also synchronizes the Triton’s register.

只有在BEFORE_SYMPROC和AFTER回调的情况下才能设置寄存器

• 获取当前指令基本信息

(Pdb) print inst
0x400545: call 0x400400

• 获取当前指令的二进制值

(Pdb) inst.getOpcodes()
'\xe8\xb6\xfe\xff\xff'

总结

目前介绍的都是些挺容易理解的东西，下一部分开始就是我毕设的内容了, 应该是从符号表达式开始讲, 对着文档看, 也不算太难