From 2a093a3f2aed8398359c1fd7d3b45d8e8f615b4c Mon Sep 17 00:00:00 2001
From: pusscat <>
Date: Mon, 25 Aug 2008 20:51:17 +0000
Subject: [PATCH] Add searchOpcode tag for !jutsu

git-svn-id: file:///home/svn/framework3/trunk@5642 4d416f70-5f16-0410-b530-b9f4589650da
---
 external/source/byakugan/README    | 12 ++++
 external/source/byakugan/exts.cpp  |  7 +++
 external/source/byakugan/jutsu.cpp | 98 ++++++++++++++++++++++++------
 external/source/byakugan/jutsu.h   |  1 +
 4 files changed, 100 insertions(+), 18 deletions(-)

diff --git a/external/source/byakugan/README b/external/source/byakugan/README
index 38ffe76534..80f4f82757 100644
--- a/external/source/byakugan/README
+++ b/external/source/byakugan/README
@@ -78,6 +78,18 @@ D. Usage:
 		f. Use !jutsu findReturn to find valid return addresses
 			1. hunt will use all knowledge about controlled registers and buffer offsets
 			   to find all possible usable return addresses
+		g. Use !jutsu searchOpcode to fine opcodes in executable memory
+			1. delimit instructions with pipes - example:
+
+			0:000> !jutsu searchOpcode  pop ecx | pop ecx | ret
+			[J] Searching for:
+			>  pop ecx
+			>  pop ecx
+			>  ret
+			[J] Machine Code:
+			> 59 59 c3
+			[J] Opcode sequence found at: 0x004012f9
+
 	3. Mushishi (Anti-debugging detection / removal)
 		a. Not much in here now, but growing
 		b. !mushishi detect - detects several methods
diff --git a/external/source/byakugan/exts.cpp b/external/source/byakugan/exts.cpp
index cc39ae903a..f2d190e312 100755
--- a/external/source/byakugan/exts.cpp
+++ b/external/source/byakugan/exts.cpp
@@ -97,6 +97,13 @@ HRESULT CALLBACK jutsu(PDEBUG_CLIENT4 Client, PCSTR args) {
 			helpJutsu();
 			return (S_OK);
 		}
+		if (!_stricmp(command, "searchOpcode")) {
+			char	*instructions;
+			
+			instructions = (char *) args + strlen(command) + 1;
+			searchOpcodes(instructions);
+			return (S_OK);
+		}
 		if (!_stricmp(command, "listen")) {
 			bindPort = strtok(NULL, " ");
 			if (bindPort == NULL)
diff --git a/external/source/byakugan/jutsu.cpp b/external/source/byakugan/jutsu.cpp
index 670de923db..62ef2c591b 100644
--- a/external/source/byakugan/jutsu.cpp
+++ b/external/source/byakugan/jutsu.cpp
@@ -413,30 +413,39 @@ unsigned short getInstructionBytes(char * instruction, unsigned char * opcodeBuf
 	ULONG64 byteEnd = 0;
 	BYTE i = 0;
 
+    if(!disassemblyBuffer){
+        if(!(disassemblyBuffer = allocateMemoryBlock(0x1000))){
+            dprintf("[J] allocateMemoryBlock failed\n");
+            return (0);
+        }
+    }
+	
+
 	if(g_ExtControl->Assemble(disassemblyBuffer, instruction, &byteEnd) != S_OK){
 		dprintf("[J] failed to assemble instruction\n");
-		return 0;
+		return (0);
 	}
 
 	if(!ReadMemory(disassemblyBuffer, opcodeBuffer, (byteEnd-disassemblyBuffer), NULL)){
 		dprintf("[J] failed to read opcode sequence\n");
-		return 0;
+		return (0);
 	}
 
 	for(i=0; i<(byteEnd-disassemblyBuffer); i++){
 		if(!WriteMemory((disassemblyBuffer+i), &zero, 1, NULL)){ 
 			dprintf("[J] failed to zero memory\n");
-			return 0;
+			return (0);
 		}
 	}
-
-	//dprintf("[J] Opcode sequence for instruction %s:", instruction);
+#if 0
+	dprintf("[J] Opcode sequence for instruction %s:", instruction);
 
 	for(byteCounter=0; ((disassemblyBuffer+byteCounter)<byteEnd); byteCounter++){
 		dprintf("%02x ", opcodeBuffer[byteCounter]);
 	}
 
 	dprintf("\n");
+#endif
 	return (byteEnd-disassemblyBuffer);
 }
 
@@ -454,9 +463,11 @@ ULONG64 searchMemory(unsigned char * byteBuffer, unsigned long length){
 				dprintf("[J] byte search failed for another reason\n");
 			}
 #endif
-			return 0;
+			return (0);
 	}
-	return addressHit;
+	if (!(addressHit >= disassemblyBuffer && addressHit <= (disassemblyBuffer+0x1000)))
+		return (addressHit);
+	return (0);
 }
 
 BOOL checkExecutability(ULONG64 checkAddress){
@@ -467,16 +478,76 @@ BOOL checkExecutability(ULONG64 checkAddress){
 		return FALSE;
 	}
 
-	dprintf("allocation info: 0x%08x and 0x%08x\n", protectionInfo.AllocationProtect, protectionInfo.Protect);
+	//dprintf("allocation info: 0x%08x and 0x%08x\n", protectionInfo.AllocationProtect, protectionInfo.Protect);
 
 	if((protectionInfo.Protect & PAGE_EXECUTE_READ) != 0)
 		return TRUE;
 
-	dprintf("[J] 0x%08x isn't executable\n");
+	//dprintf("[J] 0x%08x isn't executable\n");
 	return FALSE;
 }
 
+void searchOpcodes(char *instructions) {
+	char			**instructionList;
+	unsigned char	*byteSequence;
+	DWORD			length, i, j, semiCount = 1, offset = 0; 
+	ULONG64			ptr;
 
+	// Split instructions into seperate strings at pipes
+	length = 0;
+	while (instructions[length] != NULL) {
+		if (instructions[length] == '|')
+			semiCount++; 
+		length++;
+	}
+
+	// Malloc space for instructionList;
+	instructionList = (char **) malloc((semiCount+1) * sizeof (char *));
+	if (instructionList == NULL) {
+		dprintf("[J] OOM!\n");
+		return;
+	}
+	instructionList[0] = instructions;
+	dprintf("[J] Searching for:\n");
+	i = 0; j = 0;
+	while (i < length) {
+		if (instructions[i] == '|') {
+			instructions[i] = '\x00';
+			dprintf("> %s\n", instructionList[j++]);
+			instructionList[j] = &(instructions[i+1]);
+		}
+		i++;
+	}
+	dprintf("> %s\n", instructionList[j]);
+
+
+	// Allocate space for byteSequence
+	byteSequence = (unsigned char *) malloc(semiCount * 6);
+	if (byteSequence == NULL) {
+		dprintf("[J] OOM!\n");
+		return;
+	}
+
+	// Generate byte sequence and display it
+	for (i = 0; i < semiCount; i++) {
+		unsigned char	tmpbuf[8];
+		offset += getInstructionBytes(instructionList[i], byteSequence+offset);
+	}
+	
+	dprintf("[J] Machine Code:\n> ");
+	for (i = 0; i < offset; i++) {
+		dprintf("%02x ", byteSequence[i]);
+		if (i != 0 && !(i % 16))
+			dprintf("\n> ");
+	}
+	dprintf("\n");
+
+	// Search for sequence in executable memory
+	ptr = searchMemory(byteSequence, offset);
+	if (ptr && checkExecutability(ptr))
+		dprintf("[J] Executable opcode sequence found at: 0x%08x\n", ptr);
+	return;
+}
 
 void returnAddressHuntJutsu(){
 	struct trackedBuf *curBuf;
@@ -492,15 +563,6 @@ void returnAddressHuntJutsu(){
 	unsigned short instructionLength = 0;
 	dprintf("[J] started return address hunt\n");
 
-	//this part might need to be changed
-	if(!disassemblyBuffer){
-		if(!(disassemblyBuffer = allocateMemoryBlock(0x1000))){
-			dprintf("[J] allocateMemoryBlock failed\n");
-			return;
-		}
-	}
-
-	dprintf("opcode test buffer starts at 0x%08x\n", disassemblyBuffer);
 
 	for(i; i<6; i++){			//6, because we don't want to waste time on the eip register
 		curBuf = trackedBufList;	
diff --git a/external/source/byakugan/jutsu.h b/external/source/byakugan/jutsu.h
index 5c2421cc55..03847472eb 100644
--- a/external/source/byakugan/jutsu.h
+++ b/external/source/byakugan/jutsu.h
@@ -59,6 +59,7 @@ struct bufInstance {
 
 void    helpJutsu(void);
 void    bindJutsu(char *);
+void	searchOpcodes(char *);
 DWORD WINAPI listenJutsu(LPVOID lpvParam);
 void	parseJutsu(char *, ULONG);
 void	identBufJutsu(char *, char *);