this month i:
- finally made a ci system so i can continue to avoid github (this time, actions)
- have set a bunch of the yaxpeax-related projects to use it, like so
- made a new yaxpeax-eval so i can batch execute machine code without needing to stuff it into a .so and run it under gdb to see registers
the last one is the one i really want to poast about. the repo is here, there isn't much code to it. it's published to crates.io, so cargo install yaxpeax-eval works. for x86 linux systems anyway. lookie:
yaxpeax-eval> ./target/release/yaxeval b878563412
loaded code...
00007f774b497000: mov eax, 0x12345678
00007f774b497005: π (int 0x3)
running...
rax: 0000000000000000
to -> 0000000012345678
rip: 00007f774b497000
to -> 00007f774b497006
it takes in x86 bytes, runs them, and that's that. delightful.
so if you're me, and you've forgotten once again what neg reg; sbb reg, reg does, you can just play with some values...
[15:01:57] # iximeow:~> for i in 0 1 2; do echo "when rdx is $i..."; yaxeval --regs rcx=3,rdx=$i,rip=0x10000,eflags=0x297 89d1f7d919c9; done
when rdx is 0...
loaded code...
0000000000010000: mov ecx, edx
0000000000010002: neg ecx
0000000000010004: sbb ecx, ecx
0000000000010006: π (int 0x3)
running...
rcx: 0000000000000003
to -> 0000000000000000
rip: 0000000000010000
to -> 0000000000010007
eflags: 00000297
to -> 00000246
when rdx is 1...
loaded code...
0000000000010000: mov ecx, edx
0000000000010002: neg ecx
0000000000010004: sbb ecx, ecx
0000000000010006: π (int 0x3)
running...
rcx: 0000000000000003
to -> 00000000ffffffff
rip: 0000000000010000
to -> 0000000000010007
when rdx is 2...
loaded code...
0000000000010000: mov ecx, edx
0000000000010002: neg ecx
0000000000010004: sbb ecx, ecx
0000000000010006: π (int 0x3)
running...
rcx: 0000000000000003
to -> 00000000ffffffff
rip: 0000000000010000
to -> 0000000000010007
and when rdx starts at 0, rcx ends up zeroed. when rdx starts at non-0, rcx ends up as 0xffffffff.
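here's an added example (mine, not code from yaxpeax-eval or yaxpeax-core): a small flag-accurate rust model of mov ecx, edx; neg ecx; sbb ecx, ecx, so the values yaxeval printed above can be checked against a written-down semantics the way differential fuzzing would. the flag constants and function names are my own; the expected values come from the yaxeval runs above.

```rust
// Added example, not code from yaxpeax-eval or yaxpeax-core: a small
// flag-accurate model of `mov ecx, edx; neg ecx; sbb ecx, ecx` that can
// be checked against what yaxeval printed for the same inputs.
const CF: u32 = 1 << 0;
const PF: u32 = 1 << 2;
const AF: u32 = 1 << 4;
const ZF: u32 = 1 << 6;
const SF: u32 = 1 << 7;
const OF: u32 = 1 << 11;
const ARITH: u32 = CF | PF | AF | ZF | SF | OF;

/// Status flags of the 32-bit subtraction `dst - src - borrow` with result `result`.
fn sub_flags(dst: u32, src: u32, borrow: u32, result: u32) -> u32 {
    let mut f = 0;
    // CF: borrow out of bit 31, i.e. we subtracted more than we had
    if (dst as u64) < (src as u64) + (borrow as u64) { f |= CF; }
    if result == 0 { f |= ZF; }
    if result & 0x8000_0000 != 0 { f |= SF; }
    // PF: even number of set bits in the low byte
    if (result & 0xff).count_ones() % 2 == 0 { f |= PF; }
    // AF: borrow out of bit 3
    if (dst ^ src ^ result) & 0x10 != 0 { f |= AF; }
    // OF: signed overflow (operands differ in sign, result sign differs from dst)
    if (dst ^ src) & (dst ^ result) & 0x8000_0000 != 0 { f |= OF; }
    f
}

/// Run the three instructions with rdx and eflags as given; return (rcx, eflags).
fn neg_sbb(rdx: u64, eflags: u32) -> (u64, u32) {
    // mov ecx, edx: 32-bit write, zero-extended into rcx, flags untouched
    let ecx = rdx as u32;
    // neg ecx is 0 - ecx; CF ends up set iff ecx was non-zero
    let ecx_neg = 0u32.wrapping_sub(ecx);
    let flags = (eflags & !ARITH) | sub_flags(0, ecx, 0, ecx_neg);
    // sbb ecx, ecx is ecx - ecx - CF, so the value depends on CF alone
    let borrow = flags & CF;
    let result = ecx_neg.wrapping_sub(ecx_neg).wrapping_sub(borrow);
    let flags = (flags & !ARITH) | sub_flags(ecx_neg, ecx_neg, borrow, result);
    (result as u64, flags)
}

fn main() {
    // same inputs as the yaxeval loop above; the initial rcx=3 is overwritten by the mov
    for rdx in 0..3u64 {
        let (rcx, eflags) = neg_sbb(rdx, 0x297);
        println!("rdx={rdx}: rcx -> {rcx:016x}, eflags -> {eflags:08x}");
    }
}
```

the model gives rcx 0 and eflags 0x246 for rdx=0, and rcx 0xffffffff with eflags back at 0x297 for rdx=1 and 2, which lines up with yaxeval printing an eflags change only for the rdx=0 run.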
(this has a second, and more secret, purpose: yaxpeax-core includes, or will include, semantics for the architectures it can analyze. so i'm going to use this to do differential fuzzing against the local processor to make sure the analysis has some kind of connection to the real thing)