Ejemplo n.º 1
0
    def test_ei(self):
        """Test EI execution"""

        # EI
        exec_instruction("EI",
                         [(ExprId("PSW", 32), ExprInt(0, 32))],
                         [(ExprId("PSW", 32), ExprInt(1, 32))])
Ejemplo n.º 2
0
    def test_di(self):
        """Test DI execution"""

        # DI
        exec_instruction("DI",
                         [(ExprId("PSW", 32), ExprInt(1, 32))],
                         [(ExprId("PSW", 32), ExprInt(0, 32))])
Ejemplo n.º 3
0
def arm_guess_jump_table(mnemo, attrib, pool_bin, cur_bloc, offsets_to_dis,
                         symbol_pool):
    ira = get_ira(mnemo, attrib)

    jra = ExprId('jra')
    jrb = ExprId('jrb')

    sp = asm_symbol_pool()
    ir_arch = ira(sp)
    ir_arch.add_bloc(cur_bloc)

    ir_blocs = ir_arch.blocs.values()
    for irb in ir_blocs:
        # print 'X'*40
        # print irb
        pc_val = None
        # lr_val = None
        for exprs in irb.irs:
            for e in exprs:
                if e.dst == ir_arch.pc:
                    pc_val = e.src
                # if e.dst == mnemo.regs.LR:
                #    lr_val = e.src
        if pc_val is None:
            continue
        if not isinstance(pc_val, ExprMem):
            continue
        assert (pc_val.size == 32)
        print pc_val
        ad = pc_val.arg
        ad = expr_simp(ad)
        print ad
        res = MatchExpr(ad, jra + jrb, set([jra, jrb]))
        if res is False:
            raise NotImplementedError('not fully functional')
        print res
        if not isinstance(res[jrb], ExprInt):
            raise NotImplementedError('not fully functional')
        base_ad = int(res[jrb])
        print base_ad
        addrs = set()
        i = -1
        max_table_entry = 10000
        max_diff_addr = 0x100000  # heuristic
        while i < max_table_entry:
            i += 1
            try:
                ad = upck32(pool_bin.getbytes(base_ad + 4 * i, 4))
            except:
                break
            if abs(ad - base_ad) > max_diff_addr:
                break
            addrs.add(ad)
        print[hex(x) for x in addrs]

        for ad in addrs:
            offsets_to_dis.add(ad)
            l = symbol_pool.getby_offset_create(ad)
            c = asm_constraint_to(l)
            cur_bloc.addto(c)
Ejemplo n.º 4
0
    def test_and3(self):
        """Test AND3 execution"""

        # AND3 Rn,Rm,imm16
        exec_instruction("AND3 R1, R2, 0",
                         [(ExprId("R2", 32), ExprInt(1, 32))],
                         [(ExprId("R1", 32), ExprInt(0, 32))])
Ejemplo n.º 5
0
    def post_add_bloc(self, block, ir_blocks):
        IntermediateRepresentation.post_add_bloc(self, block, ir_blocks)
        for irb in ir_blocks:
            pc_val = None
            lr_val = None
            for assignblk in irb.irs:
                pc_val = assignblk.get(self.arch.regs.PC, pc_val)
                lr_val = assignblk.get(self.arch.regs.RA, lr_val)

            if pc_val is None or lr_val is None:
                continue
            if not expr_is_int_or_label(lr_val):
                continue
            if expr_is_label(lr_val):
                lr_val = ExprInt32(lr_val.name.offset)

            line = block.lines[-2]
            if lr_val.arg != line.offset + 8:
                raise ValueError("Wrong arg")

            # CALL
            lbl = block.get_next()
            new_lbl = self.gen_label()
            irs = self.call_effects(pc_val, line)
            irs.append(AssignBlock([ExprAff(self.IRDst,
                                            ExprId(lbl, size=self.pc.size))]))
            nblock = IRBlock(new_lbl, irs)
            nblock.lines = [line] * len(irs)
            self.blocks[new_lbl] = nblock
            irb.dst = ExprId(new_lbl, size=self.pc.size)
Ejemplo n.º 6
0
    def test_xor3(self):
        """Test XOR3 execution"""

        # XOR3 Rn,Rm,imm16
        exec_instruction("XOR3 R1, R2, 1",
                         [(ExprId("R2", 32), ExprInt(0, 32))],
                         [(ExprId("R1", 32), ExprInt(1, 32))])
Ejemplo n.º 7
0
    def test_ldc(self):
        """Test LDC execution"""

        # LDC Rn,imm5
        exec_instruction("LDC R1, SAR",
                         [(ExprId("SAR", 32), ExprInt(0x28, 32))],
                         [(ExprId("R1", 32), ExprInt(0x28, 32))])
Ejemplo n.º 8
0
    def test_xor(self):
        """Test XOR execution"""

        # XOR Rn, Rm
        exec_instruction("XOR R1, R2",
                         [(ExprId("R1", 32), ExprInt(1, 32)), (ExprId("R2", 32), ExprInt(0, 32))],
                         [(ExprId("R1", 32), ExprInt(1, 32))])
Ejemplo n.º 9
0
    def test_sub(self):
        """Test SUB execution"""

        # SUB Rn,Rm
        exec_instruction("SUB R1, R2", [(ExprId("R1", 32), ExprInt(0x28, 32)),
                                        (ExprId("R2", 32), ExprInt(0x7, 32))],
                         [(ExprId("R1", 32), ExprInt(0x21, 32))])
Ejemplo n.º 10
0
    def test_and(self):
        """Test AND  execution"""

        # AND Rn, Rm
        exec_instruction("AND R1, R2",
                         [(ExprId("R1", 32), ExprInt(1, 32)), (ExprId("R2", 32), ExprInt(0, 32))],
                         [(ExprId("R1", 32), ExprInt(0, 32))])
Ejemplo n.º 11
0
    def post_add_asmblock_to_ircfg(self, block, ircfg, ir_blocks):
        IntermediateRepresentation.post_add_asmblock_to_ircfg(self, block, ircfg, ir_blocks)
        new_irblocks = []
        for irb in ir_blocks:
            pc_val = None
            lr_val = None
            for assignblk in irb:
                pc_val = assignblk.get(self.arch.regs.PC, pc_val)
                lr_val = assignblk.get(self.arch.regs.RA, lr_val)

            if pc_val is None or lr_val is None:
                new_irblocks.append(irb)
                continue
            if lr_val.is_loc():
                offset = self.loc_db.get_location_offset(lr_val.loc_key)
                if offset is not None:
                    lr_val = ExprInt(offset, 32)
            if not lr_val.is_int():
                continue

            instr = block.lines[-2]
            if int(lr_val) != instr.offset + 8:
                raise ValueError("Wrong arg")

            # CALL
            lbl = block.get_next()
            new_lbl = self.gen_label()
            call_assignblks, extra_irblocks = self.call_effects(pc_val, instr)
            ir_blocks += extra_irblocks
            irs.append(AssignBlock([ExprAff(self.IRDst,
                                            ExprId(lbl, size=self.pc.size))],
                                   instr))
            new_irblocks.append(IRBlock(new_lbl, call_assignblks))
            new_irblocks.append(irb.set_dst(ExprId(new_lbl, size=self.pc.size)))
        return new_irblocks
Ejemplo n.º 12
0
    def post_add_block(self, block, ir_blocks):
        IntermediateRepresentation.post_add_block(self, block, ir_blocks)
        new_irblocks = []
        for irb in ir_blocks:
            pc_val = None
            lr_val = None
            for assignblk in irb.irs:
                pc_val = assignblk.get(self.arch.regs.PC, pc_val)
                lr_val = assignblk.get(self.arch.regs.RA, lr_val)

            if pc_val is None or lr_val is None:
                new_irblocks.append(irb)
                continue
            if not expr_is_int_or_label(lr_val):
                new_irblocks.append(irb)
                continue
            if expr_is_label(lr_val):
                lr_val = ExprInt(lr_val.name.offset, 32)

            instr = block.lines[-2]
            if lr_val.arg != instr.offset + 8:
                raise ValueError("Wrong arg")

            # CALL
            lbl = block.get_next()
            new_lbl = self.gen_label()
            irs = self.call_effects(pc_val, instr)
            irs.append(
                AssignBlock(
                    [ExprAff(self.IRDst, ExprId(lbl, size=self.pc.size))],
                    instr))
            new_irblocks.append(IRBlock(new_lbl, irs))
            new_irblocks.append(irb.set_dst(ExprId(new_lbl,
                                                   size=self.pc.size)))
        return new_irblocks
Ejemplo n.º 13
0
    def test_erepeat(self):
        """Test EREPEAT execution"""

        # EREPEAT disp17.align2
        exec_instruction("EREPEAT 0x42", [(ExprId("PC", 32), ExprInt(0, 32))],
                         [(ExprId("RPB", 32), ExprInt(4, 32)),
                          (ExprId("RPE", 32), ExprInt(0x43, 32))])
Ejemplo n.º 14
0
    def post_add_bloc(self, bloc, ir_blocs):
        ir.post_add_bloc(self, bloc, ir_blocs)
        if not bloc.lines:
            return
        l = bloc.lines[-1]
        sub_call_dst = None
        if not l.is_subcall():
            return
        sub_call_dst = l.args[0]
        if expr_is_label(sub_call_dst):
            sub_call_dst = sub_call_dst.name
        for irb in ir_blocs:
            l = irb.lines[-1]
            sub_call_dst = None
            if not l.is_subcall():
                continue
            sub_call_dst = l.args[0]
            if expr_is_label(sub_call_dst):
                sub_call_dst = sub_call_dst.name
            lbl = bloc.get_next()
            new_lbl = self.gen_label()
            irs = self.call_effects(l.args[0])
            irs.append(
                AssignBlock(
                    [ExprAff(self.IRDst, ExprId(lbl, size=self.pc.size))]))

            nbloc = irbloc(new_lbl, irs)
            nbloc.lines = [l] * len(irs)
            self.blocs[new_lbl] = nbloc
            irb.dst = ExprId(new_lbl, size=self.pc.size)
        return
Ejemplo n.º 15
0
    def test_jsr(self):
        """Test JSR execution"""

        # JSR Rm
        exec_instruction("JSR R1", [(ExprId("R1", 32), ExprInt(0x2807, 32))],
                         [(ExprId("PC", 32), ExprInt(0x2807, 32)),
                          (ExprId("LP", 32), ExprInt(0x2, 32))])
Ejemplo n.º 16
0
    def test_nor(self):
        """Test NOR execution"""

        # NOR Rn, Rm
        exec_instruction("NOR R1, R2",
                         [(ExprId("R1", 32), ExprInt(1, 32)), (ExprId("R2", 32), ExprInt(0, 32))],
                         [(ExprId("R1", 32), ExprInt(0xFFFFFFFE, 32))])
Ejemplo n.º 17
0
    def test_stc(self):
        """Test STC execution"""

        # STC Rn,imm5
        exec_instruction("STC R1, SAR",
                         [(ExprId("R1", 32), ExprInt(0x28, 32))],
                         [(ExprId("SAR", 32), ExprInt(0x28, 32))])
Ejemplo n.º 18
0
    def test_ClassDef(self):
        from miasm2.expression.expression import ExprInt32, ExprId, ExprMem, ExprCompose
        from miasm2.arch.x86.sem import ir_x86_32
        from miasm2.ir.symbexec import symbexec

        addrX = ExprInt32(-1)
        addr0 = ExprInt32(0)
        addr1 = ExprInt32(1)
        addr8 = ExprInt32(8)
        addr9 = ExprInt32(9)
        addr20 = ExprInt32(20)
        addr40 = ExprInt32(40)
        addr50 = ExprInt32(50)
        mem0 = ExprMem(addr0)
        mem1 = ExprMem(addr1)
        mem8 = ExprMem(addr8)
        mem9 = ExprMem(addr9)
        mem20 = ExprMem(addr20)
        mem40v = ExprMem(addr40, 8)
        mem40w = ExprMem(addr40, 16)
        mem50v = ExprMem(addr50, 8)
        mem50w = ExprMem(addr50, 16)
        id_x = ExprId('x')
        id_y = ExprId('y', 8)
        id_a = ExprId('a')
        id_eax = ExprId('eax_init')

        e = symbexec(
            ir_x86_32(), {
                mem0: id_x,
                mem1: id_y,
                mem9: id_x,
                mem40w: id_x,
                mem50v: id_y,
                id_a: addr0,
                id_eax: addr0
            })
        self.assertEqual(e.find_mem_by_addr(addr0), mem0)
        self.assertEqual(e.find_mem_by_addr(addrX), None)
        self.assertEqual(e.eval_ExprMem(ExprMem(addr1 - addr1)), id_x)
        self.assertEqual(e.eval_ExprMem(ExprMem(addr1, 8)), id_y)
        self.assertEqual(
            e.eval_ExprMem(ExprMem(addr1 + addr1)),
            ExprCompose([(id_x[16:32], 0, 16),
                         (ExprMem(ExprInt32(4), 16), 16, 32)]))
        self.assertEqual(
            e.eval_ExprMem(mem8),
            ExprCompose([(id_x[0:24], 0, 24),
                         (ExprMem(ExprInt32(11), 8), 24, 32)]))
        self.assertEqual(e.eval_ExprMem(mem40v), id_x[:8])
        self.assertEqual(
            e.eval_ExprMem(mem50w),
            ExprCompose([(id_y, 0, 8), (ExprMem(ExprInt32(51), 8), 8, 16)]))
        self.assertEqual(e.eval_ExprMem(mem20), mem20)
        e.func_read = lambda x: x
        self.assertEqual(e.eval_ExprMem(mem20), mem20)
        self.assertEqual(set(e.modified()), set(e.symbols))
        self.assertRaises(KeyError, e.symbols.__getitem__,
                          ExprMem(ExprInt32(100)))
Ejemplo n.º 19
0
    def test_sl2ad3(self):
        """Test SL2AD3 execution"""

        # SL2AD3 R0,Rn,Rm
        exec_instruction("SL2AD3 R0, R1, R2",
                         [(ExprId("R1", 32), ExprInt(0x2, 32)),
                          (ExprId("R2", 32), ExprInt(0x20, 32))],
                         [(ExprId("R0", 32), ExprInt(0x28, 32))])
Ejemplo n.º 20
0
    def test_btstm(self):
        """Test BTSTM execution"""

        # BTSTM R0,(Rm),imm3
        exec_instruction("BTSTM R0, (R1), 1",
                         [(ExprId("R1", 32), ExprInt(0x28, 32)),
                          (ExprMem(ExprInt(0x28, 32), 8), ExprInt(0x2, 8))],
                         [(ExprId("R0", 32), ExprInt(0x2, 32))])
Ejemplo n.º 21
0
    def test_tas(self):
        """Test TAS execution"""

        # TAS Rn,(Rm)
        exec_instruction("TAS R0, (R1)",
                         [(ExprId("R1", 32), ExprInt(0x28, 32)),
                          (ExprMem(ExprInt(0x28, 32), 8), ExprInt(0x2, 8))],
                         [(ExprId("R0", 32), ExprInt(0x2, 32)),
                          (ExprMem(ExprInt(0x28, 32), 8), ExprInt(0x1, 8))])
Ejemplo n.º 22
0
    def test_smcpi(self):
        """Test SMCPI execution"""

        # SMCPI CRn[0-15],(Rm+)
        exec_instruction(
            "SMCPI C1, (R2+)", [(ExprId("C1", 32), ExprInt(0x28071010, 32)),
                                (ExprId("R2", 32), ExprInt(0x17, 32))],
            [(ExprMem(ExprInt(0x10, 32), 32), ExprInt(0x28071010, 32)),
             (ExprId("R2", 32), ExprInt(0x1F, 32))])
Ejemplo n.º 23
0
    def test_neg(self):
        """Test NEG execution"""

        # NEG Rn,Rm
        exec_instruction("NEG R1, R2", [(ExprId("R2", 32), ExprInt(1, 32))],
                         [(ExprId("R1", 32), ExprInt(0xFFFFFFFF, 32))])

        exec_instruction("NEG R1, R2", [(ExprId("R2", 32), ExprInt(0x42, 32))],
                         [(ExprId("R1", 32), ExprInt(0xFFFFFFBE, 32))])
Ejemplo n.º 24
0
    def test_movh(self):
        """Test MOVH execution"""

        # MOVH Rn,imm16
        exec_instruction("MOVH R1, 1", [],
                         [(ExprId("R1", 32), ExprInt(0x10000, 32))])

        exec_instruction("MOVH R1, 0xFFFF", [],
                         [(ExprId("R1", 32), ExprInt(0xFFFF0000, 32))])
Ejemplo n.º 25
0
def arm_guess_jump_table(mnemo, attrib, pool_bin, cur_bloc, offsets_to_dis,
                         loc_db):
    ira = get_ira(mnemo, attrib)

    jra = ExprId('jra')
    jrb = ExprId('jrb')

    sp = LocationDB()
    ir_arch = ira(sp)
    ircfg = ira.new_ircfg()
    ir_arch.add_asmblock_to_ircfg(cur_bloc, ircfg)

    ir_blocks = ircfg.blocks.values()
    for irblock in ir_blocks:
        pc_val = None
        for exprs in irblock:
            for e in exprs:
                if e.dst == ir_arch.pc:
                    pc_val = e.src
        if pc_val is None:
            continue
        if not isinstance(pc_val, ExprMem):
            continue
        assert (pc_val.size == 32)
        print pc_val
        ad = pc_val.arg
        ad = expr_simp(ad)
        print ad
        res = match_expr(ad, jra + jrb, set([jra, jrb]))
        if res is False:
            raise NotImplementedError('not fully functional')
        print res
        if not isinstance(res[jrb], ExprInt):
            raise NotImplementedError('not fully functional')
        base_ad = int(res[jrb])
        print base_ad
        addrs = set()
        i = -1
        max_table_entry = 10000
        max_diff_addr = 0x100000  # heuristic
        while i < max_table_entry:
            i += 1
            try:
                ad = upck32(pool_bin.getbytes(base_ad + 4 * i, 4))
            except:
                break
            if abs(ad - base_ad) > max_diff_addr:
                break
            addrs.add(ad)
        print[hex(x) for x in addrs]

        for ad in addrs:
            offsets_to_dis.add(ad)
            l = loc_db.get_or_create_offset_location(ad)
            c = AsmConstraintTo(l)
            cur_bloc.addto(c)
Ejemplo n.º 26
0
    def test_bgei(self):
        """Test BGEI execution"""

        # BGEI Rn,imm4,disp17.align2
        exec_instruction(
            "BGEI R1, 0x5, 0x10000", [(ExprId("R1", 32), ExprInt(0x10, 32))],
            [(ExprId("PC", 32),
              ExprCond(ExprOp(">=", ExprInt(0x10, 32), ExprInt(0x5, 32)),
                       ExprInt(0xFFFF0010, 32), ExprInt(0x14, 32)))],
            offset=0x10)
Ejemplo n.º 27
0
    def test_lwcpi(self):
        """Test LWCPI execution"""

        # LWCPI CRn[0-15],(Rm+)
        exec_instruction(
            "LWCPI C1, (R2+)",
            [(ExprId("R2", 32), ExprInt(0x11, 32)),
             (ExprMem(ExprInt(0x10, 32), 32), ExprInt(0xABCD, 32))],
            [(ExprId("C1", 32), ExprInt(0xABCD, 32)),
             (ExprId("R2", 32), ExprInt(0x15, 32))])
Ejemplo n.º 28
0
    def test_repeat(self):
        """Test REPEAT execution"""

        # REPEAT Rn, disp17.align2
        exec_instruction("REPEAT R0, 0x42",
                         [(ExprId("PC", 32), ExprInt(2, 32)),
                          (ExprId("R0", 32), ExprInt(0x28, 32))],
                         [(ExprId("RPB", 32), ExprInt(6, 32)),
                          (ExprId("RPE", 32), ExprInt(0x44, 32)),
                          (ExprId("RPC", 32), ExprInt(0x28, 32))])
Ejemplo n.º 29
0
    def test_mulr(self):
        """Test MULR execution"""

        # MULR Rn,Rm
        exec_instruction("MULR R0, R1",
                         [(ExprId("R0", 32), ExprInt(0x80, 32)),
                          (ExprId("R1", 32), ExprInt(0xFFFFFFFF, 32))],
                         [(ExprId("HI", 32), ExprInt(0xFFFFFFFF, 32)),
                          (ExprId("LO", 32), ExprInt(0xFFFFFF80, 32)),
                          (ExprId("R0", 32), ExprInt(0xFFFFFF80, 32))])
Ejemplo n.º 30
0
    def test_mulru(self):
        """Test MULRU execution"""

        # MULRU Rn,Rm
        exec_instruction("MULRU R0, R1",
                         [(ExprId("R0", 32), ExprInt(0x2, 32)),
                          (ExprId("R1", 32), ExprInt(0xFFFFFFFF, 32))],
                         [(ExprId("HI", 32), ExprInt(0x1, 32)),
                          (ExprId("LO", 32), ExprInt(0xFFFFFFFE, 32)),
                          (ExprId("R0", 32), ExprInt(0xFFFFFFFE, 32))])
Ejemplo n.º 31
0
def intra_bloc_flow_symbexec(ir_arch, flow_graph, irb):
    """
    Create data flow for an irbloc using symbolic execution
    """
    in_nodes = {}
    out_nodes = {}
    current_nodes = {}

    symbols_init = {}
    for r in ir_arch.arch.regs.all_regs_ids:
        # symbols_init[r] = ir_arch.arch.regs.all_regs_ids_init[i]
        x = ExprId(r.name, r.size)
        x.is_term = True
        symbols_init[r] = x

    sb = symbexec(ir_arch, dict(symbols_init))
    sb.emulbloc(irb)
    # print "*"*40
    # print irb
    # print sb.dump_id()
    # print sb.dump_mem()

    for n_w in sb.symbols:
        # print n_w
        v = sb.symbols[n_w]
        if n_w in symbols_init and symbols_init[n_w] == v:
            continue
        read_values = v.get_r(cst_read=True)
        # print n_w, v, [str(x) for x in read_values]
        node_n_w = get_node_name(irb.label, len(irb.lines), n_w)

        for n_r in read_values:
            if n_r in current_nodes:
                node_n_r = current_nodes[n_r]
            else:
                node_n_r = get_node_name(irb.label, 0, n_r)
                current_nodes[n_r] = node_n_r
                in_nodes[n_r] = node_n_r

            out_nodes[n_w] = node_n_w
            flow_graph.add_uniq_edge(node_n_r, node_n_w)

    irb.in_nodes = in_nodes
    irb.out_nodes = out_nodes
Ejemplo n.º 32
0
 def gen_equations(self):
     for irb in self.blocs.values():
         symbols_init = {}
         for r in self.arch.regs.all_regs_ids:
             x = ExprId(r.name, r.size)
             x.is_term = True
             symbols_init[r] = x
         sb = symbexec(self, dict(symbols_init))
         sb.emulbloc(irb)
         eqs = []
         for n_w in sb.symbols:
             v = sb.symbols[n_w]
             if n_w in symbols_init and symbols_init[n_w] == v:
                 continue
             eqs.append(ExprAff(n_w, v))
         print '*' * 40
         print irb
         irb.irs = [eqs]
         irb.lines = [None]