def _remove_to_son(ircfg, loc_key, son_loc_key):
"""
Merge irblocks; The final block has the @son_loc_key loc_key
Update references
Condition:
- irblock at @loc_key is a pure jump block
- @loc_key is not an entry point (can be removed)
@irblock: IRCFG instance
@loc_key: LocKey instance of the parent irblock
@son_loc_key: LocKey instance of the son irblock
"""
# Ircfg loop => don't mess
if loc_key == son_loc_key:
return False
# Unlink block destinations
ircfg.del_edge(loc_key, son_loc_key)
del ircfg.blocks[loc_key]
replace_dct = {
ExprLoc(loc_key, ircfg.IRDst.size):ExprLoc(son_loc_key, ircfg.IRDst.size)
}
_relink_block_node(ircfg, loc_key, son_loc_key, replace_dct)
return True
def dstflow2label(self, symbol_pool):
if self.name in ["J", 'JAL']:
expr = self.args[0].arg
addr = (self.offset & (0xFFFFFFFF ^ ((1 << 28) - 1))) + expr
label = symbol_pool.getby_offset_create(addr)
self.args[0] = ExprLoc(label.loc_key, expr.size)
return
ndx = self.get_dst_num()
expr = self.args[ndx]
if not isinstance(expr, ExprInt):
return
addr = expr.arg + self.offset
loc_key = symbol_pool.getby_offset_create(addr)
self.args[ndx] = ExprLoc(loc_key, expr.size)
def dstflow2label(self, loc_db):
if self.name in ["J", 'JAL']:
expr = self.args[0].arg
addr = (self.offset & (0xFFFFFFFF ^ ((1 << 28) - 1))) + expr
loc_key = loc_db.get_or_create_offset_location(addr)
self.args[0] = ExprLoc(loc_key, expr.size)
return
ndx = self.get_dst_num()
expr = self.args[ndx]
if not isinstance(expr, ExprInt):
return
addr = expr.arg + self.offset
loc_key = loc_db.get_or_create_offset_location(addr)
self.args[ndx] = ExprLoc(loc_key, expr.size)
def emul(self, ir_arch, ctx=None, step=False):
# Init
ctx_init = {}
if ctx is not None:
ctx_init.update(ctx)
solver = z3.Solver()
symb_exec = SymbolicExecutionEngine(ir_arch, ctx_init)
history = self.history[::-1]
history_size = len(history)
translator = Translator.to_language("z3")
size = self._ircfg.IRDst.size
for hist_nb, loc_key in enumerate(history, 1):
if hist_nb == history_size and loc_key == self.initial_state.loc_key:
line_nb = self.initial_state.line_nb
else:
line_nb = None
irb = self.irblock_slice(self._ircfg.blocks[loc_key], line_nb)
# Emul the block and get back destination
dst = symb_exec.eval_updt_irblock(irb, step=step)
# Add constraint
if hist_nb < history_size:
next_loc_key = history[hist_nb]
expected = symb_exec.eval_expr(ExprLoc(next_loc_key, size))
solver.add(self._gen_path_constraints(translator, dst, expected))
# Save the solver
self._solver = solver
# Return only inputs values (others could be wrongs)
return {element: symb_exec.eval_expr(element)
for element in self.inputs}
def eval_updt_irblock(self, irb, step=False):
"""
Symbolic execution of the @irb on the current state
@irb: irbloc instance
@step: display intermediate steps
"""
for assignblk in irb:
if step:
print 'Instr', assignblk.instr
print 'Assignblk:'
print assignblk
print '_' * 80
self.eval_updt_assignblk(assignblk)
if step:
self.dump(mems=False)
self.dump(ids=False)
print '_' * 80
dst = self.eval_expr(self.ir_arch.IRDst)
# Best effort to resolve destination as ExprLoc
if dst.is_loc():
ret = dst
elif dst.is_int():
label = self.ir_arch.symbol_pool.getby_offset_create(int(dst))
ret = ExprLoc(label, dst.size)
else:
ret = dst
return ret
def call_effects(self, ad, instr):
call_assignblk = AssignBlock(
[
ExprAff(
self.ret_reg,
ExprOp(
'call_func_ret',
ad,
self.arch.regs.R0,
self.arch.regs.R1,
self.arch.regs.R2,
self.arch.regs.R3,
)
),
ExprAff(
self.sp,
ExprOp('call_func_stack', ad, self.sp)
),
],
instr
)
cond = instr.additional_info.cond
if cond == 14: # COND_ALWAYS:
return [call_assignblk], []
# Call is a conditional instruction
cond = tab_cond[cond]
loc_next = self.get_next_loc_key(instr)
loc_next_expr = ExprLoc(loc_next, 32)
loc_do = self.loc_db.add_location()
loc_do_expr = ExprLoc(loc_do, 32)
dst_cond = ExprCond(cond, loc_do_expr, loc_next_expr)
call_assignblks = [
call_assignblk,
AssignBlock([ExprAff(self.IRDst, loc_next_expr)], instr),
]
e_do = IRBlock(loc_do, call_assignblks)
assignblks_out = [
AssignBlock([ExprAff(self.IRDst, dst_cond)], instr)
]
return assignblks_out, [e_do]
def replace_expr_labels(expr, symbol_pool, replace_id):
"""Create LocKey of the expression @expr in the @symbol_pool
Update @replace_id"""
if not expr.is_loc():
return expr
old_name = symbol_pool.loc_key_to_name(expr.loc_key)
new_lbl = symbol_pool.getby_name_create(old_name)
replace_id[expr] = ExprLoc(new_lbl, expr.size)
return replace_id[expr]
def canonize_to_exprloc(self, expr):
"""
If expr is ExprInt, return ExprLoc with corresponding loc_key
Else, return expr
@expr: Expr instance
"""
if expr.is_int():
loc_key = self.get_or_create_offset_location(int(expr))
ret = ExprLoc(loc_key, expr.size)
return ret
return expr
def casp(ir, instr, arg1, arg2, arg3):
# XXX TODO: memory barrier
e = []
if arg1.size == 32:
regs = gpregs32_expr
else:
regs = gpregs64_expr
index1 = regs.index(arg1)
index2 = regs.index(arg2)
# TODO endianness
comp_value = ExprCompose(regs[index1], regs[index1 + 1])
new_value = ExprCompose(regs[index2], regs[index2 + 1])
assert arg3.is_op('preinc')
ptr = arg3.args[0]
data = ExprMem(ptr, comp_value.size)
loc_store = ExprLoc(ir.loc_db.add_location(), ir.IRDst.size)
loc_do = ExprLoc(ir.loc_db.add_location(), ir.IRDst.size)
loc_next = ExprLoc(ir.get_next_loc_key(instr), ir.IRDst.size)
e.append(
ExprAssign(
ir.IRDst,
ExprCond(ExprOp("FLAG_EQ_CMP", data, comp_value), loc_do,
loc_store)))
e_store = []
e_store.append(ExprAssign(data, new_value))
e_store.append(ExprAssign(ir.IRDst, loc_do))
blk_store = IRBlock(loc_store.loc_key, [AssignBlock(e_store, instr)])
e_do = []
e_do.append(ExprAssign(regs[index1], data[:data.size / 2]))
e_do.append(ExprAssign(regs[index1 + 1], data[data.size / 2:]))
e_do.append(ExprAssign(ir.IRDst, loc_next))
blk_do = IRBlock(loc_do.loc_key, [AssignBlock(e_do, instr)])
return e, [blk_store, blk_do]
def assignblk_to_irbloc(self, instr, assignblk):
"""
Ensure IRDst is always set in the head @assignblk of the @instr
@instr: an instruction instance
@assignblk: Assignblk instance
"""
new_assignblk = dict(assignblk)
if self.ir_arch.IRDst not in assignblk:
offset = instr.offset + instr.l
loc_key = self.ir_arch.loc_db.get_or_create_offset_location(offset)
dst = ExprLoc(loc_key, self.ir_arch.IRDst.size)
new_assignblk[self.ir_arch.IRDst] = dst
irs = [AssignBlock(new_assignblk, instr)]
return IRBlock(self.ir_arch.get_loc_key_for_instr(instr), irs)
def asm_ast_to_expr(self, arg, loc_db):
if isinstance(arg, AstId):
if isinstance(arg.name, ExprId):
return arg.name
if arg.name in gpregs.str:
return None
loc_key = loc_db.get_or_create_name_location(arg.name)
return ExprLoc(loc_key, 32)
if isinstance(arg, AstOp):
args = [self.asm_ast_to_expr(tmp, loc_db) for tmp in arg.args]
if None in args:
return None
return ExprOp(arg.op, *args)
if isinstance(arg, AstInt):
return ExprInt(arg.value, 32)
if isinstance(arg, AstMem):
ptr = self.asm_ast_to_expr(arg.ptr, loc_db)
if ptr is None:
return None
return ExprMem(ptr, arg.size)
return None
def asm_ast_to_expr(self, arg, symbol_pool):
if isinstance(arg, AstId):
if isinstance(arg.name, ExprId):
return arg.name
if arg.name in gpregs.str:
return None
loc_key = symbol_pool.getby_name_create(arg.name)
return ExprLoc(loc_key, 32)
if isinstance(arg, AstOp):
args = [self.asm_ast_to_expr(tmp, symbol_pool) for tmp in arg.args]
if None in args:
return None
return ExprOp(arg.op, *args)
if isinstance(arg, AstInt):
return ExprInt(arg.value, 32)
if isinstance(arg, AstMem):
ptr = self.asm_ast_to_expr(arg.ptr, symbol_pool)
if ptr is None:
return None
return ExprMem(ptr, arg.size)
return None
def tbnz(arg1, arg2, arg3):
bitmask = ExprInt(1, arg1.size) << arg2
dst = arg3 if arg1 & bitmask else ExprLoc(ir.get_next_loc_key(instr), 64)
PC = dst
ir.IRDst = dst
def cbnz(arg1, arg2):
dst = arg2 if arg1 else ExprLoc(ir.get_next_loc_key(instr), 64)
PC = dst
ir.IRDst = dst
def cbz(arg1, arg2):
dst = ExprLoc(ir.get_next_loc_key(instr), 64) if arg1 else arg2
PC = dst
ir.IRDst = dst
from miasm2.expression.parser import str_to_expr
from miasm2.expression.expression import ExprInt, ExprId, ExprSlice, ExprMem, \
ExprCond, ExprCompose, ExprOp, ExprAff, ExprLoc, LocKey
for expr_test in [
ExprInt(0x12, 32),
ExprId('test', 32),
ExprLoc(LocKey(12), 32),
ExprSlice(ExprInt(0x10, 32), 0, 8),
ExprMem(ExprInt(0x10, 32), 32),
ExprCond(ExprInt(0x10, 32), ExprInt(0x11, 32), ExprInt(0x12, 32)),
ExprCompose(ExprInt(0x10, 16), ExprInt(0x11, 8), ExprInt(0x12, 8)),
ExprInt(0x11, 8) + ExprInt(0x12, 8),
ExprAff(ExprId('EAX', 32), ExprInt(0x12, 32)),
]:
print 'Test: %s' % expr_test
assert str_to_expr(repr(expr_test)) == expr_test
def myfunc(cpu):
"""Execute the function according to cpu and vmmngr states
@cpu: JitCpu instance
"""
# Get virtual memory handler
vmmngr = cpu.vmmngr
# Get execution engine (EmulatedSymbExec instance)
exec_engine = self.symbexec
# Refresh CPU values according to @cpu instance
exec_engine.update_engine_from_cpu()
# Get initial loc_key
cur_loc_key = asmblock.loc_key
# Update PC helper
update_pc = lambda value: setattr(cpu, self.ir_arch.pc.name, value)
while True:
# Retrieve the expected irblock
for instr, irblocks in zip(asmblock.lines, irblocks_list):
for index, irblock in enumerate(irblocks):
if irblock.loc_key == cur_loc_key:
break
else:
continue
break
else:
raise RuntimeError("Unable to find the block for %r" % cur_loc_key)
instr_attrib, irblocks_attributes = codegen.get_attributes(
instr, irblocks, self.log_mn, self.log_regs
)
irblock_attributes = irblocks_attributes[index]
# Do IRBlock
new_irblock = self.ir_arch.irbloc_fix_regs_for_mode(
irblock, self.ir_arch.attrib
)
if index == 0:
# Pre code
if instr_attrib.log_mn:
print "%.8X %s" % (
instr_attrib.instr.offset,
instr_attrib.instr.to_string(loc_db)
)
# Exec IRBlock
instr = instr_attrib.instr
for index, assignblk in enumerate(irblock):
attributes = irblock_attributes[index]
# Eval current instruction (in IR)
exec_engine.eval_updt_assignblk(assignblk)
# Check memory access / write exception
# TODO: insert a check between memory reads and writes
if attributes.mem_read or attributes.mem_write:
# Restricted exception
flag = ~csts.EXCEPT_CODE_AUTOMOD & csts.EXCEPT_DO_NOT_UPDATE_PC
if (vmmngr.get_exception() & flag != 0):
# Do not update registers
update_pc(instr.offset)
return instr.offset
# Update registers values
exec_engine.update_cpu_from_engine()
# Check post assignblk exception flags
if attributes.set_exception:
# Restricted exception
if cpu.get_exception() > csts.EXCEPT_NUM_UPDT_EIP:
# Update PC
update_pc(instr.offset)
return instr.offset
dst = exec_engine.eval_expr(self.ir_arch.IRDst)
if dst.is_int():
loc_key = loc_db.get_or_create_offset_location(int(dst))
dst = ExprLoc(loc_key, dst.size)
assert dst.is_loc()
loc_key = dst.loc_key
offset = loc_db.get_location_offset(loc_key)
if offset is None:
# Avoid checks on generated label
cur_loc_key = loc_key
continue
if instr_attrib.log_regs:
update_pc(offset)
cpu.dump_gpregs_with_attrib(self.ir_arch.attrib)
# Post-instr checks
if instr_attrib.mem_read | instr_attrib.mem_write:
vmmngr.check_memory_breakpoint()
vmmngr.check_invalid_code_blocs()
if vmmngr.get_exception():
update_pc(offset)
return offset
if instr_attrib.set_exception:
if cpu.get_exception():
update_pc(offset)
return offset
if instr_attrib.mem_read | instr_attrib.mem_write:
vmmngr.reset_memory_access()
# Manage resulting address
if (loc_key in local_loc_keys and
offset > instr.offset):
# Forward local jump
# Note: a backward local jump has to be promoted to extern,
# for max_exec_per_call support
cur_loc_key = loc_key
continue
# Delay slot
if has_delayslot:
delay_slot_set = exec_engine.eval_expr(codegen.delay_slot_set)
if delay_slot_set.is_int() and int(delay_slot_set) != 0:
return int(exec_engine.eval_expr(codegen.delay_slot_dst))
# Extern of asmblock, must have an offset
assert offset is not None
return offset
for assignblk in xx:
for dst in assignblk:
if str(dst).startswith("r"):
out.add(dst)
"""
out.add(r)
return out
IRA = IRATest(loc_db)
END = ExprId("END", IRDst.size)
G0_IRA = IRA.new_ircfg()
G0_IRB0 = gen_irblock(LBL0, [
[ExprAssign(a, CST1)],
[ExprAssign(IRDst, ExprLoc(LBL1, 32))]
])
G0_IRB1 = gen_irblock(LBL1, [
[ExprAssign(a, a+CST1)],
[ExprAssign(IRDst, ExprCond(x,
ExprLoc(LBL1, 32),
ExprLoc(LBL2, 32)
)
)]
])
G0_IRB2 = gen_irblock(LBL2, [
[ExprAssign(r, a)],
[ExprAssign(IRDst, END)]
])
for irb in [G0_IRB0, G0_IRB1, G0_IRB2]:
def analyse_function():
# Get settings
settings = TypePropagationForm()
ret = settings.Execute()
if not ret:
return
end = None
if settings.cScope.value == 0:
addr = settings.functionAddr.value
else:
addr = settings.startAddr.value
if settings.cScope.value == 2:
end = settings.endAddr
# Init
machine = guess_machine(addr=addr)
mn, dis_engine, ira = machine.mn, machine.dis_engine, machine.ira
bs = bin_stream_ida()
mdis = dis_engine(bs, dont_dis_nulstart_bloc=True)
if end is not None:
mdis.dont_dis = [end]
iraCallStackFixer = get_ira_call_fixer(ira)
ir_arch = iraCallStackFixer(mdis.loc_db)
asmcfg = mdis.dis_multiblock(addr)
# Generate IR
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
cst_propag_link = {}
if settings.cUnalias.value:
init_infos = {ir_arch.sp: ir_arch.arch.regs.regs_init[ir_arch.sp]}
cst_propag_link = propagate_cst_expr(ir_arch, ircfg, addr, init_infos)
types_mngr = get_types_mngr(settings.headerFile.value, settings.arch.value)
mychandler = MyCHandler(types_mngr, {})
infos_types = {}
infos_types_raw = []
if settings.cTypeFile.value:
infos_types_raw = open(settings.typeFile.value).read().split('\n')
else:
infos_types_raw = settings.strTypesInfo.value.split('\n')
for line in infos_types_raw:
if not line:
continue
expr_str, ctype_str = line.split(':')
expr_str, ctype_str = expr_str.strip(), ctype_str.strip()
expr = str_to_expr(expr_str)
ast = mychandler.types_mngr.types_ast.parse_c_type(ctype_str)
ctype = mychandler.types_mngr.types_ast.ast_parse_declaration(
ast.ext[0])
objc = types_mngr.get_objc(ctype)
print '=' * 20
print expr, objc
infos_types[expr] = set([objc])
# Add fake head
lbl_real_start = ir_arch.loc_db.get_offset_location(addr)
lbl_head = ir_arch.loc_db.get_or_create_name_location("start")
first_block = asmcfg.label2block(lbl_real_start)
assignblk_head = AssignBlock([
ExprAff(ir_arch.IRDst, ExprLoc(lbl_real_start, ir_arch.IRDst.size)),
ExprAff(ir_arch.sp, ir_arch.arch.regs.regs_init[ir_arch.sp])
], first_block.lines[0])
irb_head = IRBlock(lbl_head, [assignblk_head])
ircfg.blocks[lbl_head] = irb_head
ircfg.add_uniq_edge(lbl_head, lbl_real_start)
state = TypePropagationEngine.StateEngine(infos_types)
states = {lbl_head: state}
todo = set([lbl_head])
done = set()
while todo:
lbl = todo.pop()
state = states[lbl]
if (lbl, state) in done:
continue
done.add((lbl, state))
if lbl not in ircfg.blocks:
continue
symbexec_engine = TypePropagationEngine(ir_arch, types_mngr, state)
addr = symbexec_engine.run_block_at(ircfg, lbl)
symbexec_engine.del_mem_above_stack(ir_arch.sp)
sons = ircfg.successors(lbl)
for son in sons:
add_state(ircfg, todo, states, son, symbexec_engine.get_state())
for lbl, state in states.iteritems():
if lbl not in ircfg.blocks:
continue
symbexec_engine = CTypeEngineFixer(ir_arch, types_mngr, state,
cst_propag_link)
addr = symbexec_engine.run_block_at(ircfg, lbl)
symbexec_engine.del_mem_above_stack(ir_arch.sp)
def parse_loc_key(t):
assert len(t) == 2
loc_key, size = LocKey(t[0]), t[1]
return ExprLoc(loc_key, size)
irs.append(AssignBlock(exprs))
irbl = IRBlock(label, irs)
return irbl
############# Tests #############
IRA = IRATest(loc_db)
########## G1 ##########
# Input
G1 = IRA.new_ircfg()
G1_IRB0 = gen_irblock(LBL0, [[
ExprAff(B, C),
ExprAff(IRDst, ExprLoc(LBL1, 32)),
]])
G1_IRB1 = gen_irblock(LBL1, [[
ExprAff(IRDst, ExprLoc(LBL2, 32)),
]])
G1_IRB2 = gen_irblock(LBL2, [[
ExprAff(A, B),
ExprAff(IRDst, C),
]])
for irb in [G1_IRB0, G1_IRB1, G1_IRB2]:
G1.add_irblock(irb)
# Result
def b_lt(arg1):
cond = cond2expr['LT']
dst = arg1 if cond else ExprLoc(ir.get_next_loc_key(instr), 64)
PC = dst
ir.IRDst = dst
def blr(arg1):
PC = arg1
ir.IRDst = arg1
LR = ExprLoc(ir.get_next_loc_key(instr), 64)
G3_IRA.graph.add_uniq_edge(G3_IRB0.loc_key, G3_IRB1.loc_key)
G3_IRA.graph.add_uniq_edge(G3_IRB0.loc_key, G3_IRB2.loc_key)
G3_IRA.graph.add_uniq_edge(G3_IRB1.loc_key, G3_IRB3.loc_key)
G3_IRA.graph.add_uniq_edge(G3_IRB2.loc_key, G3_IRB3.loc_key)
G3_IRA.blocks = dict([(irb.loc_key, irb) for irb in [G3_IRB0, G3_IRB1,
G3_IRB2, G3_IRB3]])
# graph 4
G4_IRA = IRATest(symbol_pool)
G4_IRB0 = gen_irblock(LBL0, [[ExprAff(C, CST1)]])
G4_IRB1 = gen_irblock(LBL1, [[ExprAff(C, C + CST2)],
[ExprAff(G4_IRA.IRDst,
ExprCond(C, ExprLoc(LBL2, 32),
ExprLoc(LBL1, 32)))]])
G4_IRB2 = gen_irblock(LBL2, [[ExprAff(A, B)]])
G4_IRA.graph.add_uniq_edge(G4_IRB0.loc_key, G4_IRB1.loc_key)
G4_IRA.graph.add_uniq_edge(G4_IRB1.loc_key, G4_IRB2.loc_key)
G4_IRA.graph.add_uniq_edge(G4_IRB1.loc_key, G4_IRB1.loc_key)
G4_IRA.blocks = dict([(irb.loc_key, irb) for irb in [G4_IRB0, G4_IRB1, G4_IRB2]])
# graph 5
G5_IRA = IRATest(symbol_pool)
asmcfg, loc_db = parse_asm.parse_txt(machine.mn,
32,
'''
init:
PUSH argv
PUSH argc
PUSH ret_addr
''',
loc_db=mdis.loc_db)
argc_lbl = loc_db.get_name_location('argc')
argv_lbl = loc_db.get_name_location('argv')
ret_addr_lbl = loc_db.get_name_location('ret_addr')
init_lbl = loc_db.get_name_location('init')
argc_loc = ExprLoc(argc_lbl, 32)
argv_loc = ExprLoc(argv_lbl, 32)
ret_addr_loc = ExprLoc(ret_addr_lbl, 32)
ret_addr = ExprId("ret_addr", ret_addr_loc.size)
fix_args = {
argc_loc: ExprId("argc", argc_loc.size),
argv_loc: ExprId("argv", argv_loc.size),
ret_addr_loc: ret_addr,
}
block = asmcfg.loc_key_to_block(init_lbl)
for instr in block.lines:
for i, arg in enumerate(instr.args):
instr.args[i] = arg.replace_expr(fix_args)
DNA = DependencyNode(LBL2, A, 0)
DNB = DependencyNode(LBL1, B, 1)
DNC = DependencyNode(LBL1, C, 0)
DNB2 = DependencyNode(LBL1, B, 1)
DNC2 = DependencyNode(LBL1, C, 0)
DNB3 = DependencyNode(LBL1, B, 1)
DNC3 = DependencyNode(LBL1, C, 0)
IRA = IRATest(loc_db)
IRDst = IRA.IRDst
END = ExprId("END", IRDst.size)
# graph 1
G1_IRA = IRA.new_ircfg()
G1_IRB0 = gen_irblock(LBL0, [[ExprAssign(C, CST1), ExprAssign(IRDst, ExprLoc(LBL1, 32))]])
G1_IRB1 = gen_irblock(LBL1, [[ExprAssign(B, C), ExprAssign(IRDst, ExprLoc(LBL2, 32))]])
G1_IRB2 = gen_irblock(LBL2, [[ExprAssign(A, B), ExprAssign(IRDst, END)]])
for irb in [G1_IRB0, G1_IRB1, G1_IRB2]:
G1_IRA.add_irblock(irb)
# graph 2
G2_IRA = IRA.new_ircfg()
G2_IRB0 = gen_irblock(LBL0, [[ExprAssign(C, CST1), ExprAssign(IRDst, ExprLoc(LBL1, 32))]])
G2_IRB1 = gen_irblock(LBL1, [[ExprAssign(B, CST2), ExprAssign(IRDst, ExprLoc(LBL2, 32))]])
G2_IRB2 = gen_irblock(LBL2, [[ExprAssign(A, B + C), ExprAssign(IRDst, END)]])
for irb in [G2_IRB0, G2_IRB1, G2_IRB2]: