某算法的python执行汇编

weixin_470740362025-08-24 1:34
python 复制代码 
#!/usr/bin/env python3
import struct
import unicorn as uc
import unicorn.arm64_const as arm64
from capstone import CS_ARCH_ARM64, CS_MODE_ARM, Cs, CS_MODE_LITTLE_ENDIAN
from keystone import Ks, KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN
from unicorn import UcError, UC_HOOK_CODE

# ---------- 1. 汇编 ----------
ASM = """
mov x11, #0xd21
ldr x8, [x0, #0x20]
mov w9, #0x5680
movk x11, #0x20d2, lsl #16
mov w10, #0xb0df
movk w9, #0x9d2c, lsl #16
movk x11, #0xd20d, lsl #32
movk w10, #0x9908, lsl #16
movk x11, #0xd20, lsl #48
mov w8, wzr
mov x13, xzr
mov w15, #0x270
mov w16, #-0x103a0000
ldr x17, [x14, #0x1380]
mov x12, x17
add x17, x17, #1
lsr x1, x17, #4
add x2, x12, #0x18d
lsl x12, x12, #3
lsr x3, x2, #4
umulh x1, x1, x11
umulh x3, x3, x11
lsr x1, x1, #1
msub x17, x1, x15, x17
lsr x1, x3, #1
msub x1, x1, x15, x2
ldr x2, [x14, x12]
and x2, x2, #0xffffffff80000000
ldr x3, [x14, x17, lsl #3]
and x4, x3, #0x7ffffffe
ldr x1, [x14, x1, lsl #3]
sbfx x3, x3, #0, #1
orr x2, x4, x2
eor x1, x1, x2, lsr #1
and x2, x3, x10
eor x1, x1, x2
str x1, [x14, x12]
ldr x12, [x14, #0x1380]
ldr x12, [x14, x12, lsl #3]
str x17, [x14, #0x1380]
ubfx x1, x12, #0xb, #0x20
eor x12, x1, x12
lsl w1, w12, #7
and x1, x1, x9
eor x12, x1, x12
lsl w1, w12, #0xf
and x1, x1, x16
eor x12, x1, x12
eor x1, x12, x12, lsr #18
ldr x12, [x0, #0x28]
ldr x2, [x0, #0x10]
ldr w3, [x0, #0x38]
add x13, x13, #1
ldr x12, [x0, #0x20]
lsl w8, w8, w2
cmp x2, #0x20
and w1, w3, w1
"""


# ---------- 2. 编译 ----------
ks = Ks(KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN)
code = bytes(ks.asm(ASM)[0])

# ---------- 3. 内存布局(一般可以不变) ----------
BASE = 0x1000000  #代码段起始内存
BASE_SIZE = 0x4000 #代码区的大小
STACK = 0x2000000  #栈空间起始内存
STACK_SIZE = 0x20000  #栈空间的大小
DATA = 0x3000000  #数据区起始内存
DATA_SIZE = 0x5000  #数据区的大小

mu = uc.Uc(uc.UC_ARCH_ARM64, uc.UC_MODE_ARM)
mu.mem_map(BASE, BASE_SIZE, uc.UC_PROT_READ | uc.UC_PROT_EXEC)
mu.mem_map(STACK, STACK_SIZE, uc.UC_PROT_READ | uc.UC_PROT_WRITE)
mu.mem_map(DATA, DATA_SIZE, uc.UC_PROT_READ | uc.UC_PROT_WRITE)

# ---------- 4. 写入代码和数据 ----------
mu.mem_write(BASE, code)
mu.mem_write(DATA, b'\x00' * DATA_SIZE) #给数据区初始化填充0

# X0 指向 DATA
mu.reg_write(arm64.UC_ARM64_REG_X0, DATA) #根据汇编把x0和x14指向了DATA
mu.reg_write(arm64.UC_ARM64_REG_X14, DATA)

mu.mem_write(DATA + 0x1380, struct.pack('<Q', 0x9)) #根据汇编调整数据区的数据
mu.mem_write(DATA + 0x48, struct.pack('<Q', 0xbd2a6569))
mu.mem_write(DATA + (0xa<<3), struct.pack('<Q', 0x3bed4641))
mu.mem_write(DATA + (0x196<<3), struct.pack('<Q', 0x9d8e582b))
mu.mem_write(DATA + 0x38, struct.pack('<Q', 0x3ff))
# ---------- 5. 初始化寄存器 ----------
mu.reg_write(arm64.UC_ARM64_REG_SP, STACK + STACK_SIZE//2) #初始化栈内存的起始地址,设置SP在栈空间中间

# ---------- 4. Trace 回调 ----------
md = Cs(CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN) #打印每一步汇编的流程
def hook_code(uc, address, size, user_data):
    code = uc.mem_read(address, size)
    for insn in md.disasm(code, address):
        print(f"0x{insn.address:x}:\t{insn.mnemonic}\t{insn.op_str}")
        # 打印关键寄存器
        x1 = uc.reg_read(arm64.UC_ARM64_REG_X1)
        x2 = uc.reg_read(arm64.UC_ARM64_REG_X2)
        x3 = uc.reg_read(arm64.UC_ARM64_REG_X3)
        x4 = uc.reg_read(arm64.UC_ARM64_REG_X4)
        print(f"    X1=0x{x1:x}, X2=0x{x2:x},X3=0x{x3:x}, X4=0x{x4:x}")

mu.hook_add(UC_HOOK_CODE, hook_code)
try:
    #开始执行汇编
    mu.emu_start(BASE, BASE + len(code))
except UcError as e:
    #打印执行异常的汇编位置
    pc = mu.reg_read(arm64.UC_ARM64_REG_PC)
    md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
    for i in md.disasm(code, BASE):
        print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))
    print("Error at PC = 0x%x" % pc)
    raise
# ---------- 7. 读取寄存器 ----------
x1_val = mu.reg_read(arm64.UC_ARM64_REG_X1)
x2_val = mu.reg_read(arm64.UC_ARM64_REG_X2)
print("x1",hex(x1_val))
print("x2",hex(x2_val))

java运行

打印python的code值

python 复制代码 
code = bytes(ks.asm(ASM)[0])
print(", ".join(f"(byte)0x{b:02x}" for b in code))

引入依赖

xml 复制代码 
<dependency>
    <groupId>com.github.zhkl0228</groupId>
    <artifactId>unicorn</artifactId>
    <version>1.0.14</version>
</dependency>
java 复制代码 
package org.example.demo1boot.util;

import unicorn.Unicorn;
import unicorn.UnicornConst;
import unicorn.Arm64Const;

import java.nio.ByteBuffer;
import java.nio.ByteOrder;

public class UnicornDemo {

    // 内存布局
    static final long BASE       = 0x1000000L;
    static final long STACK      = 0x2000000L;
    static final int  STACK_SIZE = 0x20000;
    static final long DATA       = 0x3000000L;
    static final int  DATA_SIZE  = 0x5000;

    public static void main(String[] args) {
        // 初始化 Unicorn,ARM64 模式
        Unicorn mu = new Unicorn(UnicornConst.UC_ARCH_ARM64, UnicornConst.UC_MODE_ARM);

        // 映射内存
        mu.mem_map(BASE, 0x4000, UnicornConst.UC_PROT_ALL);
        mu.mem_map(STACK, STACK_SIZE, UnicornConst.UC_PROT_ALL);
        mu.mem_map(DATA, DATA_SIZE, UnicornConst.UC_PROT_ALL);

        // TODO: 在 Java 里没有 Keystone,所以机器码要自己准备
        // 这里先假设你用 Python 把 ASM 编译好,得到 byte[] code
        byte[] code = new byte[] {
            // TODO: 填入 keystone 编译出的 ARM64 机器码
                (byte)0x2b, (byte)0xa4, (byte)0x81, (byte)0xd2, (byte)0x4b, (byte)0x1a, (byte)0xa4, (byte)0xf2, (byte)0xab, (byte)0x41, (byte)0xda, (byte)0xf2, (byte)0x0b, (byte)0xa4, (byte)0xe1, (byte)0xf2, (byte)0x08, (byte)0x10, (byte)0x40, (byte)0xf9, (byte)0x09, (byte)0xd0, (byte)0x8a, (byte)0x52, (byte)0x89, (byte)0xa5, (byte)0xb3, (byte)0x72, (byte)0xea, (byte)0x1b, (byte)0x96, (byte)0x52, (byte)0x0a, (byte)0x21, (byte)0xb3, (byte)0x72, (byte)0xe8, (byte)0x03, (byte)0x1f, (byte)0x2a, (byte)0xed, (byte)0x03, (byte)0x1f, (byte)0xaa, (byte)0x0f, (byte)0x4e, (byte)0x80, (byte)0x52, (byte)0xd0, (byte)0xf8, (byte)0xbd, (byte)0x52, (byte)0xd1, (byte)0xc1, (byte)0x49, (byte)0xf9, (byte)0xec, (byte)0x03, (byte)0x11, (byte)0xaa, (byte)0x31, (byte)0x06, (byte)0x00, (byte)0x91, (byte)0x21, (byte)0xfe, (byte)0x44, (byte)0xd3, (byte)0x82, (byte)0x35, (byte)0x06, (byte)0x91, (byte)0x8c, (byte)0xf1, (byte)0x7d, (byte)0xd3, (byte)0x43, (byte)0xfc, (byte)0x44, (byte)0xd3, (byte)0x21, (byte)0x7c, (byte)0xcb, (byte)0x9b, (byte)0x63, (byte)0x7c, (byte)0xcb, (byte)0x9b, (byte)0x21, (byte)0xfc, (byte)0x41, (byte)0xd3, (byte)0x31, (byte)0xc4, (byte)0x0f, (byte)0x9b, (byte)0x61, (byte)0xfc, (byte)0x41, (byte)0xd3, (byte)0x21, (byte)0x88, (byte)0x0f, (byte)0x9b, (byte)0xc2, (byte)0x69, (byte)0x6c, (byte)0xf8, (byte)0x42, (byte)0x80, (byte)0x61, (byte)0x92, (byte)0xc3, (byte)0x79, (byte)0x71, (byte)0xf8, (byte)0x64, (byte)0x74, (byte)0x7f, (byte)0x92, (byte)0xc1, (byte)0x79, (byte)0x61, (byte)0xf8, (byte)0x63, (byte)0x00, (byte)0x40, (byte)0x93, (byte)0x82, (byte)0x00, (byte)0x02, (byte)0xaa, (byte)0x21, (byte)0x04, (byte)0x42, (byte)0xca, (byte)0x62, (byte)0x00, (byte)0x0a, (byte)0x8a, (byte)0x21, (byte)0x00, (byte)0x02, (byte)0xca, (byte)0xc1, (byte)0x69, (byte)0x2c, (byte)0xf8, (byte)0xcc, (byte)0xc1, (byte)0x49, (byte)0xf9, (byte)0xcc, (byte)0x79, (byte)0x6c, (byte)0xf8, (byte)0xd1, (byte)0xc1, (byte)0x09, (byte)0xf9, (byte)0x81, (byte)0xa9, (byte)0x4b, (byte)0xd3, (byte)0x2c, (byte)0x00, (byte)0x0c, (byte)0xca, (byte)0x81, (byte)0x61, (byte)0x19, (byte)0x53, (byte)0x21, (byte)0x00, (byte)0x09, (byte)0x8a, (byte)0x2c, (byte)0x00, (byte)0x0c, (byte)0xca, (byte)0x81, (byte)0x41, (byte)0x11, (byte)0x53, (byte)0x21, (byte)0x00, (byte)0x10, (byte)0x8a, (byte)0x2c, (byte)0x00, (byte)0x0c, (byte)0xca, (byte)0x81, (byte)0x49, (byte)0x4c, (byte)0xca, (byte)0x03, (byte)0x38, (byte)0x40, (byte)0xb9, (byte)0x61, (byte)0x00, (byte)0x01, (byte)0x0a

        };
        mu.mem_write(BASE, code);

        // 初始化数据区(全 0)
        mu.mem_write(DATA, new byte[DATA_SIZE]);

        // 设置寄存器
        mu.reg_write(Arm64Const.UC_ARM64_REG_X0, DATA);
        mu.reg_write(Arm64Const.UC_ARM64_REG_X14, DATA);

        // 写入测试数据
        mu.mem_write(DATA + 0x1380, pack64(0x9L));
        mu.mem_write(DATA + 0x48,   pack64(0xbd2a6569L));
        mu.mem_write(DATA + (0xa << 3), pack64(0x3bed4641L));
        mu.mem_write(DATA + (0x196 << 3), pack64(0x9d8e582bL));
        mu.mem_write(DATA + 0x38, pack64(0x3ffL));

        // 设置 SP
        mu.reg_write(Arm64Const.UC_ARM64_REG_SP, STACK + STACK_SIZE/2);
        // 启动执行
        try {
            mu.emu_start(BASE, BASE + code.length, 0, 0);
        } catch (Exception e) {
            e.printStackTrace();
        }

        // 取寄存器结果
        long x1_val = (long) mu.reg_read(Arm64Const.UC_ARM64_REG_X1);
        long x2_val = (long) mu.reg_read(Arm64Const.UC_ARM64_REG_X2);
        System.out.printf("x1=0x%x\n", x1_val);
        System.out.printf("x2=0x%x\n", x2_val);
    }

    // 工具函数:小端打包 long → byte[]
    private static byte[] pack64(long value) {
        ByteBuffer buffer = ByteBuffer.allocate(8);
        buffer.order(ByteOrder.LITTLE_ENDIAN);
        buffer.putLong(value);
        return buffer.array();
    }
}
相关推荐
踩坑记录21 小时前
leetcode hot100 easy 101. 对称二叉树 递归 层序遍历 bfs
算法·leetcode·宽度优先
2501_940315261 天前
leetcode182动态口令(将字符的前几个元素放在字符串后面)
算法
老鼠只爱大米1 天前
LeetCode经典算法面试题 #98:验证二叉搜索树(递归法、迭代法等五种实现方案详解)
算法·leetcode·二叉树·递归·二叉搜索树·迭代
共享家95271 天前
搭建 AI 聊天机器人:”我的人生我做主“
前端·javascript·css·python·pycharm·html·状态模式
疯狂的喵1 天前
C++编译期多态实现
开发语言·c++·算法
scx201310041 天前
20260129LCA总结
算法·深度优先·图论
2301_765703141 天前
C++中的协程编程
开发语言·c++·算法
m0_748708051 天前
实时数据压缩库
开发语言·c++·算法
小魏每天都学习1 天前
【算法——c/c++]
c语言·c++·算法
Hgfdsaqwr1 天前
Python在2024年的主要趋势与发展方向
jvm·数据库·python
热门推荐
01GitHub 镜像站点02Clawdbot 中文汉化版 接入微信、飞书03OpenClaw部署与配置教程:在Mac mini上接入国产大模型与飞书042026美赛A题智能手机电池续航时间预测的连续时间数学模型05OpenCode 入门教程:介绍 · 安装 · 配置第三方 API (如 Claude)06UV安装并设置国内源07Linux下V2Ray安装配置指南08Claude Code + GLM4.7 避坑指南:解决 Unable to connect to Anthropic services092025 年大语言模型发展回顾:关键突破、意外转折与 2026 年展望10Claude Code Skills 实用使用手册