def symexec(handler):
inst_bytes = handler.bytes_without_jmp
machine = Machine("x86_32")
cont = Container.from_string(inst_bytes)
bs = cont.bin_stream
mdis = machine.dis_engine(bs, symbol_pool=cont.symbol_pool)
end_offset = len(inst_bytes)
mdis.dont_dis = [end_offset]
asm_block = mdis.dis_block(0)
# print asm_block
ira = machine.ira(mdis.symbol_pool)
ira.add_block(asm_block)
symb = SymbolicExecutionEngine(ira, symbols_init)
cur_addr = symb.emul_ir_block(0)
count = 0
while cur_addr != ExprInt(end_offset, 32): # execute to end
cur_addr = symb.emul_ir_block(cur_addr)
count += 1
if count > 1000:
print '[!] to many loop at %s' % handler.name
break
return symb
from pdb import pm
from miasm2.arch.x86.disasm import dis_x86_32
from miasm2.analysis.binary import Container
from miasm2.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \
AsmLabel, AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \
bbl_simplifier
from miasm2.core.graph import DiGraphSimplifier, MatchGraphJoker
from miasm2.expression.expression import ExprId
# Initial data: from 'samples/simple_test.bin'
data = "5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3".decode(
"hex")
cont = Container.from_string(data)
# Test Disasm engine
mdis = dis_x86_32(cont.bin_stream)
## Disassembly of one block
first_block = mdis.dis_block(0)
assert len(first_block.lines) == 5
print first_block
## Test redisassemble blocks
first_block_bis = mdis.dis_block(0)
assert len(first_block.lines) == len(first_block_bis.lines)
print first_block_bis
## Disassembly of several block, with cache
blocks = mdis.dis_multiblock(0)
assert len(blocks) == 17
from miasm2.analysis.binary import Container
from miasm2.analysis.machine import Machine
from miasm2.ir.symbexec import SymbolicExecutionEngine
from miasm2.core.locationdb import LocationDB
START_ADDR = 0
machine = Machine("x86_32")
loc_db = LocationDB()
# Assemble and disassemble a MOV
## Ensure that attributes 'offset' and 'l' are set
line = machine.mn.fromstring("MOV EAX, EBX", loc_db, 32)
asm = machine.mn.asm(line)[0]
# Get back block
cont = Container.from_string(asm, loc_db=loc_db)
mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
mdis.lines_wd = 1
asm_block = mdis.dis_block(START_ADDR)
# Translate ASM -> IR
ira = machine.ira(mdis.loc_db)
ircfg = ira.new_ircfg()
ira.add_asmblock_to_ircfg(asm_block, ircfg)
# Instanciate a Symbolic Execution engine with default value for registers
symb = SymbolicExecutionEngine(ira)
# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.run_at(ircfg, START_ADDR)
from miasm2.analysis.binary import Container
from miasm2.analysis.machine import Machine
# The Container will provide a *bin_stream*, bytes source for the disasm engine
cont = Container.from_string(
"\x83\xf8\x10\x74\x07\x89\xc6\x0f\x47\xc3\xeb\x08\x89\xc8\xe8\x31\x33\x22\x11\x40\xc3"
)
# Instantiate a x86 32 bit architecture
machine = Machine("x86_32")
# Instantiate a disassembler engine, using the previous bin_stream and its
# associated location DB.
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)
# Run a recursive traversal disassembling from address 0
asmcfg = mdis.dis_multiblock(0)
# Display each basic blocks
for block in asmcfg.blocks:
print block
# Output control flow graph in a dot file
open('str_cfg.dot', 'w').write(asmcfg.dot())
# Update next blocks to process in the disassembly engine
cur_bloc.bto.clear()
cur_bloc.add_cst(loc_key, AsmConstraint.c_next)
# Prepare a tiny shellcode
shellcode = ''.join([
"\xe8\x00\x00\x00\x00", # CALL $
"X", # POP EAX
"\xc3", # RET
])
# Instantiate a x86 32 bit architecture
machine = Machine("x86_32")
cont = Container.from_string(shellcode)
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)
print "Without callback:\n"
asmcfg = mdis.dis_multiblock(0)
print "\n".join(str(block) for block in asmcfg.blocks)
# Enable callback
mdis.dis_block_callback = cb_x86_callpop
print "=" * 40
print "With callback:\n"
asmcfg_after = mdis.dis_multiblock(0)
print "\n".join(str(block) for block in asmcfg_after.blocks)
# Ensure the callback has been called
from pdb import pm
from miasm2.arch.x86.disasm import dis_x86_32
from miasm2.analysis.binary import Container
from miasm2.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \
AsmLabel, AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \
bbl_simplifier
from miasm2.core.graph import DiGraphSimplifier, MatchGraphJoker
from miasm2.expression.expression import ExprId
# Initial data: from 'samples/simple_test.bin'
data = "5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3".decode("hex")
cont = Container.from_string(data)
# Test Disasm engine
mdis = dis_x86_32(cont.bin_stream)
## Disassembly of one block
first_block = mdis.dis_bloc(0)
assert len(first_block.lines) == 5
print first_block
## Disassembly of several block, with cache
blocks = mdis.dis_multibloc(0)
assert len(blocks) == 0
## Test cache
mdis.job_done.clear()
blocks = mdis.dis_multibloc(0)
assert len(blocks) == 17
## Equality between assembly lines is not yet implemented
assert len(blocks.heads()) == 1
def from_bytecode(self, bytecode):
container = Container.from_string(bytecode)
mdis = self.machine.dis_engine(container.bin_stream)
self.blks = mdis.dis_multibloc(0)
def from_bytecode(self, bytecode):
container = Container.from_string(bytecode)
mdis = self.machine.dis_engine(container.bin_stream)
self.blks = mdis.dis_multibloc(0)
