In this guide we will try to explore if we can check for any mnemonics which we don’t want the CPU to execute. In the below example, we will try to block some specific commands from being executed in the CPU. The challenge is to convert rawbytes to assembly language again and check for prohibited mnemonics.

code#

# prohibit command
# the objective is to block certain commands

from qiling import Qiling
from qiling.const import QL_VERBOSE
from pwn import asm, disasm
import sys

def Is_prohibited_MNEMONIC_present(code : bytes, prohibited_mnemonics: str):
    dis = disasm(code,offset=False, byte=False)
    for l in dis.splitlines():
        for ll in l.split():
            for blocked_mne in prohibited_mnemonics:
                if blocked_mne.lower() == ll:
                    print("blocked item found !!")
                    return True
            # we are only checked the first mnemonics so break
            break
        # debug purpose
        #print(l)

    return False

def main():
    code = asm('''
        pop eax
        pop ebx
        add eax, ebx
    ''')
    prohibited = ['add']
    if Is_prohibited_MNEMONIC_present(code, prohibited) == True :
        print("prohibited mnemonic present... ",flush=True)
        sys.exit()
        
    ql = Qiling(code=code, archtype='x86', ostype='Linux', verbose=QL_VERBOSE.DISASM)
    ql.stack_push(0x3)
    ql.stack_push(0x4)
    
    ql.run()
    print("after addtion the value of eax: " + str(ql.arch.regs.eax))
    ql.stop()

main()

Output:

   ...: main()
blocked item found !!
prohibited mnemonic present... 

From the code we can see that we can filter specific commands. In this case we have filtered add.