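def analyse_function():
    """Propagate C types through the function under the IDA cursor.

    The function at the current screen address is disassembled and lifted
    to miasm IR, the TypePropagationForm is shown to collect the options
    (header file, architecture, "unalias" constant propagation) and the
    initial ``expr: ctype`` facts, then the type-propagation engine is run
    to a fixpoint over the IR graph from a synthetic "start" block, and
    CTypeEngineFixer is applied to every block reached with its state.

    Returns None. Returns early, without analysing anything, when the
    cursor is not inside a function or when the form is cancelled.
    """
    # Init
    machine = guess_machine()
    dis_engine, ira = machine.dis_engine, machine.ira
    bs = bin_stream_ida()
    mdis = dis_engine(bs, dont_dis_nulstart_bloc=True)
    iraCallStackFixer = get_ira_call_fixer(ira)
    ir_arch = iraCallStackFixer(mdis.symbol_pool)

    # Get the current function
    func = ida_funcs.get_func(idc.ScreenEA())
    if func is None:
        # get_func returns None outside of any function; bail out instead
        # of failing on func.startEA below.
        print "No function at the current address"
        return
    addr = func.startEA
    blocks = mdis.dis_multiblock(addr)

    # Generate IR
    for block in blocks:
        ir_arch.add_block(block)

    # Get settings
    settings = TypePropagationForm(ir_arch)
    ret = settings.Execute()
    if not ret:
        return

    cst_propag_link = {}
    if settings.cUnalias.value:
        # Seed constant propagation with the architecture's initial stack
        # pointer so stack slots get canonical (alias-free) expressions.
        init_infos = {ir_arch.sp: ir_arch.arch.regs.regs_init[ir_arch.sp]}
        cst_propag_link = propagate_cst_expr(ir_arch, addr, init_infos)

    types_mngr = get_types_mngr(settings.headerFile.value,
                                settings.arch.value)
    mychandler = MyCHandler(types_mngr, {})

    # Initial type facts typed into the form, one "expr: ctype" per line.
    infos_types = {}
    for line in settings.strTypesInfo.value.split('\n'):
        if not line.strip():
            # Skip empty and whitespace-only lines rather than failing on
            # the unpacking below.
            continue
        expr_str, ctype_str = line.split(':')
        expr_str, ctype_str = expr_str.strip(), ctype_str.strip()
        expr = str_to_expr(expr_str)
        ast = mychandler.types_mngr.types_ast.parse_c_type(ctype_str)
        ctype = mychandler.types_mngr.types_ast.ast_parse_declaration(
            ast.ext[0])
        objc = types_mngr.get_objc(ctype)
        print '=' * 20
        print expr, objc
        infos_types[expr] = set([objc])

    # Add fake head: a synthetic "start" block that jumps to the real entry
    # and sets sp to its initial value, so the engine starts from a known
    # stack pointer.
    lbl_real_start = ir_arch.symbol_pool.getby_offset(addr)
    lbl_head = ir_arch.symbol_pool.getby_name_create("start")
    first_block = blocks.label2block(lbl_real_start)
    assignblk_head = AssignBlock([
        ExprAff(ir_arch.IRDst, ExprId(lbl_real_start, ir_arch.IRDst.size)),
        ExprAff(ir_arch.sp, ir_arch.arch.regs.regs_init[ir_arch.sp])
    ], first_block.lines[0])
    irb_head = IRBlock(lbl_head, [assignblk_head])
    ir_arch.blocks[lbl_head] = irb_head
    ir_arch.graph.add_uniq_edge(lbl_head, lbl_real_start)

    # Worklist fixpoint: a (label, state) pair is processed at most once.
    state = TypePropagationEngine.StateEngine(infos_types)
    states = {lbl_head: state}
    todo = set([lbl_head])
    done = set()
    while todo:
        lbl = todo.pop()
        state = states[lbl]
        if (lbl, state) in done:
            continue
        done.add((lbl, state))
        if lbl not in ir_arch.blocks:
            continue
        symbexec_engine = TypePropagationEngine(ir_arch, types_mngr, state)
        symbexec_engine.emul_ir_block(lbl)
        symbexec_engine.del_mem_above_stack(ir_arch.sp)
        # Presumably invalidates the cached graph so that ir_arch.graph is
        # recomputed from the current blocks -- confirm against IR class.
        ir_arch._graph = None
        sons = ir_arch.graph.successors(lbl)
        for son in sons:
            add_state(ir_arch, todo, states, son,
                      symbexec_engine.get_state())

    # Second pass: rewrite each reached block with its final type state.
    for lbl, state in states.iteritems():
        if lbl not in ir_arch.blocks:
            continue
        symbexec_engine = CTypeEngineFixer(ir_arch, types_mngr, state,
                                           cst_propag_link)
        symbexec_engine.emul_ir_block(lbl)
        symbexec_engine.del_mem_above_stack(ir_arch.sp)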
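def analyse_function():
    """Propagate C types through a function or address range chosen in a form.

    The TypePropagationForm selects the scope (a whole function, code from a
    start address, or a start/end range), an optional header file and the
    architecture for the type manager, the "unalias" constant-propagation
    option, and the initial ``expr: ctype`` facts, either typed into the
    form or read from a file. The code at ``addr`` is disassembled, lifted
    to an IR CFG, the type-propagation engine is run to a fixpoint over that
    CFG from a synthetic "start" block, and CTypeEngineFixer is then applied
    to every block reached with its state.

    Returns None; a cancelled form returns early without analysing anything.
    """
    # Get settings
    settings = TypePropagationForm()
    ret = settings.Execute()
    if not ret:
        return

    end = None
    if settings.cScope.value == 0:
        addr = settings.functionAddr.value
    else:
        addr = settings.startAddr.value
        if settings.cScope.value == 2:
            # NOTE(review): this keeps the form control itself, not its
            # .value as the other address fields do -- confirm that
            # mdis.dont_dis really receives an address here.
            end = settings.endAddr

    # Init
    machine = guess_machine(addr=addr)
    dis_engine, ira = machine.dis_engine, machine.ira
    bs = bin_stream_ida()
    mdis = dis_engine(bs, dont_dis_nulstart_bloc=True)
    if end is not None:
        # Do not disassemble past the user-supplied end of the range.
        mdis.dont_dis = [end]
    iraCallStackFixer = get_ira_call_fixer(ira)
    ir_arch = iraCallStackFixer(mdis.loc_db)
    asmcfg = mdis.dis_multiblock(addr)

    # Generate IR
    ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)

    cst_propag_link = {}
    if settings.cUnalias.value:
        # Seed constant propagation with the architecture's initial stack
        # pointer so stack slots get canonical (alias-free) expressions.
        init_infos = {ir_arch.sp: ir_arch.arch.regs.regs_init[ir_arch.sp]}
        cst_propag_link = propagate_cst_expr(ir_arch, ircfg, addr, init_infos)

    types_mngr = get_types_mngr(settings.headerFile.value,
                                settings.arch.value)
    mychandler = MyCHandler(types_mngr, {})

    # Initial type facts, one "expr: ctype" per line, from a file or the form.
    if settings.cTypeFile.value:
        # Close the file once read instead of leaking the descriptor.
        with open(settings.typeFile.value) as type_fd:
            infos_types_raw = type_fd.read().split('\n')
    else:
        infos_types_raw = settings.strTypesInfo.value.split('\n')

    infos_types = {}
    for line in infos_types_raw:
        if not line.strip():
            # Skip empty and whitespace-only lines rather than failing on
            # the unpacking below.
            continue
        expr_str, ctype_str = line.split(':')
        expr_str, ctype_str = expr_str.strip(), ctype_str.strip()
        expr = str_to_expr(expr_str)
        ast = mychandler.types_mngr.types_ast.parse_c_type(ctype_str)
        ctype = mychandler.types_mngr.types_ast.ast_parse_declaration(
            ast.ext[0])
        objc = types_mngr.get_objc(ctype)
        print '=' * 20
        print expr, objc
        infos_types[expr] = set([objc])

    # Add fake head: a synthetic "start" block that jumps to the real entry
    # and sets sp to its initial value, so the engine starts from a known
    # stack pointer.
    lbl_real_start = ir_arch.loc_db.get_offset_location(addr)
    lbl_head = ir_arch.loc_db.get_or_create_name_location("start")
    first_block = asmcfg.label2block(lbl_real_start)
    assignblk_head = AssignBlock([
        ExprAff(ir_arch.IRDst, ExprLoc(lbl_real_start, ir_arch.IRDst.size)),
        ExprAff(ir_arch.sp, ir_arch.arch.regs.regs_init[ir_arch.sp])
    ], first_block.lines[0])
    irb_head = IRBlock(lbl_head, [assignblk_head])
    ircfg.blocks[lbl_head] = irb_head
    ircfg.add_uniq_edge(lbl_head, lbl_real_start)

    # Worklist fixpoint: a (label, state) pair is processed at most once.
    state = TypePropagationEngine.StateEngine(infos_types)
    states = {lbl_head: state}
    todo = set([lbl_head])
    done = set()
    while todo:
        lbl = todo.pop()
        state = states[lbl]
        if (lbl, state) in done:
            continue
        done.add((lbl, state))
        if lbl not in ircfg.blocks:
            continue
        symbexec_engine = TypePropagationEngine(ir_arch, types_mngr, state)
        symbexec_engine.run_block_at(ircfg, lbl)
        symbexec_engine.del_mem_above_stack(ir_arch.sp)
        sons = ircfg.successors(lbl)
        for son in sons:
            add_state(ircfg, todo, states, son,
                      symbexec_engine.get_state())

    # Second pass: rewrite each reached block with its final type state.
    for lbl, state in states.iteritems():
        if lbl not in ircfg.blocks:
            continue
        symbexec_engine = CTypeEngineFixer(ir_arch, types_mngr, state,
                                           cst_propag_link)
        symbexec_engine.run_block_at(ircfg, lbl)
        symbexec_engine.del_mem_above_stack(ir_arch.sp)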
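def analyse_function():
    """Propagate C types through a function or address range chosen in a form.

    The machine and IR lifter are created first (the form receives
    ``ir_arch``), then the TypePropagationForm selects the scope (a whole
    function, code from a start address, or a start/end range), the header
    file and architecture for the type manager, the "unalias"
    constant-propagation option, and the initial ``expr: ctype`` facts,
    either typed into the form or read from a file. The code at ``addr`` is
    disassembled and lifted, the type-propagation engine is run to a
    fixpoint over the IR graph from a synthetic "start" block, and
    CTypeEngineFixer is then applied to every block reached with its state.

    Returns None; a cancelled form returns early without analysing anything.
    """
    # Init
    machine = guess_machine()
    dis_engine, ira = machine.dis_engine, machine.ira
    bs = bin_stream_ida()
    mdis = dis_engine(bs, dont_dis_nulstart_bloc=True)
    iraCallStackFixer = get_ira_call_fixer(ira)
    ir_arch = iraCallStackFixer(mdis.symbol_pool)

    # Get settings
    settings = TypePropagationForm(ir_arch)
    ret = settings.Execute()
    if not ret:
        return

    if settings.cScope.value == 0:
        addr = settings.functionAddr.value
    else:
        addr = settings.startAddr.value
        if settings.cScope.value == 2:
            # NOTE(review): this keeps the form control itself, not its
            # .value as the other address fields do -- confirm that
            # mdis.dont_dis really receives an address here.
            end = settings.endAddr
            # Do not disassemble past the user-supplied end of the range.
            mdis.dont_dis = [end]

    blocks = mdis.dis_multiblock(addr)

    # Generate IR
    for block in blocks:
        ir_arch.add_block(block)

    cst_propag_link = {}
    if settings.cUnalias.value:
        # Seed constant propagation with the architecture's initial stack
        # pointer so stack slots get canonical (alias-free) expressions.
        init_infos = {ir_arch.sp: ir_arch.arch.regs.regs_init[ir_arch.sp]}
        cst_propag_link = propagate_cst_expr(ir_arch, addr, init_infos)

    types_mngr = get_types_mngr(settings.headerFile.value,
                                settings.arch.value)
    mychandler = MyCHandler(types_mngr, {})

    # Initial type facts, one "expr: ctype" per line, from a file or the form.
    if settings.cTypeFile.value:
        # Close the file once read instead of leaking the descriptor.
        with open(settings.typeFile.value) as type_fd:
            infos_types_raw = type_fd.read().split('\n')
    else:
        infos_types_raw = settings.strTypesInfo.value.split('\n')

    infos_types = {}
    for line in infos_types_raw:
        if not line.strip():
            # Skip empty and whitespace-only lines rather than failing on
            # the unpacking below.
            continue
        expr_str, ctype_str = line.split(':')
        expr_str, ctype_str = expr_str.strip(), ctype_str.strip()
        expr = str_to_expr(expr_str)
        ast = mychandler.types_mngr.types_ast.parse_c_type(ctype_str)
        ctype = mychandler.types_mngr.types_ast.ast_parse_declaration(
            ast.ext[0])
        objc = types_mngr.get_objc(ctype)
        print '=' * 20
        print expr, objc
        infos_types[expr] = set([objc])

    # Add fake head: a synthetic "start" block that jumps to the real entry
    # and sets sp to its initial value, so the engine starts from a known
    # stack pointer.
    lbl_real_start = ir_arch.symbol_pool.getby_offset(addr)
    lbl_head = ir_arch.symbol_pool.getby_name_create("start")
    first_block = blocks.label2block(lbl_real_start)
    assignblk_head = AssignBlock([
        ExprAff(ir_arch.IRDst, ExprId(lbl_real_start, ir_arch.IRDst.size)),
        ExprAff(ir_arch.sp, ir_arch.arch.regs.regs_init[ir_arch.sp])
    ], first_block.lines[0])
    irb_head = IRBlock(lbl_head, [assignblk_head])
    ir_arch.blocks[lbl_head] = irb_head
    ir_arch.graph.add_uniq_edge(lbl_head, lbl_real_start)

    # Worklist fixpoint: a (label, state) pair is processed at most once.
    state = TypePropagationEngine.StateEngine(infos_types)
    states = {lbl_head: state}
    todo = set([lbl_head])
    done = set()
    while todo:
        lbl = todo.pop()
        state = states[lbl]
        if (lbl, state) in done:
            continue
        done.add((lbl, state))
        if lbl not in ir_arch.blocks:
            continue
        symbexec_engine = TypePropagationEngine(ir_arch, types_mngr, state)
        symbexec_engine.run_block_at(lbl)
        symbexec_engine.del_mem_above_stack(ir_arch.sp)
        # Presumably invalidates the cached graph so that ir_arch.graph is
        # recomputed from the current blocks -- confirm against IR class.
        ir_arch._graph = None
        sons = ir_arch.graph.successors(lbl)
        for son in sons:
            add_state(ir_arch, todo, states, son,
                      symbexec_engine.get_state())

    # Second pass: rewrite each reached block with its final type state.
    for lbl, state in states.iteritems():
        if lbl not in ir_arch.blocks:
            continue
        symbexec_engine = CTypeEngineFixer(ir_arch, types_mngr, state,
                                           cst_propag_link)
        symbexec_engine.run_block_at(lbl)
        symbexec_engine.del_mem_above_stack(ir_arch.sp)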
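action="store_true", help="Apply simplifications rules (liveness, graph simplification, ...)")
# (The line above is the tail of a parser.add_argument(...) call whose
# beginning lies before this chunk; it is kept verbatim.)
args = parser.parse_args()

# Disassemble the requested function and lift it to an IR CFG.
machine = Machine("x86_32")
# The input is read inside the with-block and the file closed on exit;
# NOTE(review): this assumes Container.from_stream consumes the stream
# eagerly -- TODO confirm.
with open(args.filename) as bin_fd:
    cont = Container.from_stream(bin_fd)
ira, dis_engine = machine.ira, machine.dis_engine
mdis = dis_engine(cont.bin_stream)
ir_arch = ira(mdis.loc_db)
addr = int(args.address, 0)  # base 0: accepts "0x..." as well as decimal
asmcfg = mdis.dis_multiblock(addr)
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
entry_points = set([mdis.loc_db.get_offset_location(addr)])

# Constant propagation seeded with the architecture's initial register values.
init_infos = ir_arch.arch.regs.regs_init
cst_propag_link = propagate_cst_expr(ir_arch, ircfg, addr, init_infos)

if args.simplify:
    ircfg.simplify(expr_simp)
    # Re-run the cleanup passes until none of them changes the CFG.
    modified = True
    while modified:
        modified = False
        modified |= dead_simp(ir_arch, ircfg)
        modified |= remove_empty_assignblks(ircfg)
        modified |= merge_blocks(ircfg, entry_points)

# Write the resulting IR CFG as Graphviz next to the input file, closing
# the output file once written.
with open("%s.propag.dot" % args.filename, 'w') as dot_fd:
    dot_fd.write(ircfg.dot())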
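# Disassemble the requested function and lift each basic block to IR.
machine = Machine("x86_32")
# The input is read inside the with-block and the file closed on exit;
# NOTE(review): this assumes Container.from_stream consumes the stream
# eagerly -- TODO confirm.
with open(args.filename) as bin_fd:
    cont = Container.from_stream(bin_fd)
ira, dis_engine = machine.ira, machine.dis_engine
mdis = dis_engine(cont.bin_stream)
ir_arch = ira(mdis.symbol_pool)
addr = int(args.address, 0)  # base 0: accepts "0x..." as well as decimal
asmcfg = mdis.dis_multiblock(addr)
for block in asmcfg.blocks:
    ir_arch.add_block(block)

# Constant propagation seeded with the architecture's initial register values.
init_infos = ir_arch.arch.regs.regs_init
cst_propag_link = propagate_cst_expr(ir_arch, addr, init_infos)

if args.simplify:
    ir_arch.simplify(expr_simp)
    # Re-run the cleanup passes until none of them changes the IR.
    modified = True
    while modified:
        modified = False
        modified |= dead_simp(ir_arch)
        modified |= ir_arch.remove_empty_assignblks()
        modified |= ir_arch.remove_jmp_blocks()
        modified |= ir_arch.merge_blocks()

# Write the resulting IR graph as Graphviz next to the input file, closing
# the output file once written.
with open("%s.propag.dot" % args.filename, 'w') as dot_fd:
    dot_fd.write(ir_arch.graph.dot())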