set registers using python
In this section we will use a different piece of code to push values into the emulator before running it, setting the appropriate registers and stack so that we can simulate the code. In the previous writeup, we used raw byte code from the
In this segment we will just add two predefined values held in eax and ebx. The code below uses the asm function from pwntools. Using it eliminates the need for an external website and manual conversion to raw bytes, and it improves the overall experience, since we can see directly which instructions we are trying to execute.
```asm
add eax, ebx
```

After conversion we get the following bytes:

```
01D8
```

The code above will be executed after the values have been set in the eax and ebx registers.
```python
# test manually setting registers
from qiling import Qiling
from qiling.const import QL_VERBOSE
from pwn import asm


def main():
    # assemble the instruction to raw bytes (01 d8) instead of converting it by hand
    shellcode = asm('add eax, ebx')
    # emulate the bytes as bare x86 Linux shellcode, printing each instruction as it runs
    ql = Qiling(code=shellcode, archtype='x86', ostype='Linux', verbose=QL_VERBOSE.DISASM)
    # set the input registers before the emulation starts
    ql.arch.regs.eax = 0x2
    ql.arch.regs.ebx = 0x3
    ql.run()
    # read the result register back once the emulation has finished
    print("after addtion the value of eax: " + str(ql.arch.regs.eax))
    ql.stop()


main()
```
The output is as expected:

```
In [16]: main()
[+] Profile: default
[+] Mapping GDT at 0x30000 with limit 0x1000
[=] 011ff000 [[shellcode_stack] + 0x1ff000] 01 d8 add eax, ebx
[+]
[+] syscalls called
[+] ------------------------
[+]
[+] strings ocurrences
[+] ------------------------
after addtion the value of eax: 5
```
set stack
Now we will push some values onto the stack from qiling and call our code, which retrieves the data from the stack with pop and adds the two values.
```python
# test manually setting the stack
from qiling import Qiling
from qiling.const import QL_VERBOSE
from pwn import asm


def main():
    # pop eax gets the value pushed last, pop ebx the value pushed first
    code = asm('''
    pop eax
    pop ebx
    add eax,ebx
    ''')
    ql = Qiling(code=code, archtype='x86', ostype='Linux', verbose=QL_VERBOSE.DISASM)
    # push the operands onto the emulated stack before running the code
    ql.stack_push(0x3)
    ql.stack_push(0x4)
    ql.run()
    print("after addtion the value of eax: " + str(ql.arch.regs.eax))
    ql.stop()


main()
```
Output:

```
...: main()
[+] Profile: default
[+] Mapping GDT at 0x30000 with limit 0x1000
[=] 011ff000 [[shellcode_stack] + 0x1ff000] 58 pop eax
[=] 011ff001 [[shellcode_stack] + 0x1ff001] 5b pop ebx
[=] 011ff002 [[shellcode_stack] + 0x1ff002] 01 d8 add eax, ebx
[+]
[+] syscalls called
[+] ------------------------
[+]
[+] strings ocurrences
[+] ------------------------
after addtion the value of eax: 7
```
As we can see, the values 0x3 and 0x4 that were stored on the stack were successfully popped and added, and the expected result of 7 was obtained.
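To make explicit what the emulator does with our pre-set registers and pushed values in both experiments above, here is an added toy model (not Qiling or pwntools code, and not from the original post) that implements only the three encodings on this page, 01 d8, 58 and 5b, over a little-endian stack. STACK_TOP is a constructed value chosen to resemble Qiling's shellcode_stack layout; it also shows the 32-bit wraparound of eax, which the page's examples do not exercise.

```python
import struct

MASK32 = 0xFFFFFFFF
STACK_TOP = 0x011FF000  # constructed value, picked to resemble Qiling's shellcode_stack
POP = {0x58: "eax", 0x5B: "ebx"}  # one-byte pop encodings used on this page

class MiniX86:
    def __init__(self, code, regs=None):
        self.code = code
        self.regs = {"eax": 0, "ebx": 0, "esp": STACK_TOP, "eip": 0}
        self.regs.update(regs or {})  # pre-set registers, like ql.arch.regs.eax = 0x2
        self.mem = {}                 # byte-addressed stack memory

    def stack_push(self, value):
        # x86 push: esp -= 4, then store the dword little-endian at the new esp
        self.regs["esp"] = (self.regs["esp"] - 4) & MASK32
        for i, byte in enumerate(struct.pack("<I", value & MASK32)):
            self.mem[self.regs["esp"] + i] = byte

    def stack_pop(self):
        # x86 pop: load the dword at esp, then esp += 4 (last push comes out first)
        esp = self.regs["esp"]
        self.regs["esp"] = (esp + 4) & MASK32
        return struct.unpack("<I", bytes(self.mem.get(esp + i, 0) for i in range(4)))[0]

    def run(self):
        code, regs = self.code, self.regs
        while regs["eip"] < len(code):
            ip = regs["eip"]
            if code[ip] in POP:                                     # 58 pop eax / 5b pop ebx
                regs[POP[code[ip]]] = self.stack_pop()
                regs["eip"] = ip + 1
            elif code[ip:ip + 2] == b"\x01\xd8":                    # 01 d8 add eax, ebx
                regs["eax"] = (regs["eax"] + regs["ebx"]) & MASK32  # 32-bit register wraps
                regs["eip"] = ip + 2
            else:
                raise ValueError(f"unsupported opcode {code[ip]:#04x} at {ip:#x}")
        return regs

def add_with_registers(a, b):
    # First experiment on the page: pre-set eax and ebx, then run 01 d8
    return MiniX86(b"\x01\xd8", {"eax": a, "ebx": b}).run()["eax"]

def add_from_stack(a, b):
    # Second experiment: push a then b, run 58 5b 01 d8 (pop eax gets b, pop ebx gets a)
    cpu = MiniX86(b"\x58\x5b\x01\xd8")
    cpu.stack_push(a)
    cpu.stack_push(b)
    return cpu.run()
```

After add_from_stack(0x3, 0x4) the returned registers show eax = 7, ebx = 3 (the first value pushed) and esp back at STACK_TOP, matching the pop order in Qiling's trace.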