def test_ei(self): """Test EI execution""" # EI exec_instruction("EI", [(ExprId("PSW", 32), ExprInt(0, 32))], [(ExprId("PSW", 32), ExprInt(1, 32))])
def test_di(self): """Test DI execution""" # DI exec_instruction("DI", [(ExprId("PSW", 32), ExprInt(1, 32))], [(ExprId("PSW", 32), ExprInt(0, 32))])
def arm_guess_jump_table(mnemo, attrib, pool_bin, cur_bloc, offsets_to_dis, symbol_pool): ira = get_ira(mnemo, attrib) jra = ExprId('jra') jrb = ExprId('jrb') sp = asm_symbol_pool() ir_arch = ira(sp) ir_arch.add_bloc(cur_bloc) ir_blocs = ir_arch.blocs.values() for irb in ir_blocs: # print 'X'*40 # print irb pc_val = None # lr_val = None for exprs in irb.irs: for e in exprs: if e.dst == ir_arch.pc: pc_val = e.src # if e.dst == mnemo.regs.LR: # lr_val = e.src if pc_val is None: continue if not isinstance(pc_val, ExprMem): continue assert (pc_val.size == 32) print pc_val ad = pc_val.arg ad = expr_simp(ad) print ad res = MatchExpr(ad, jra + jrb, set([jra, jrb])) if res is False: raise NotImplementedError('not fully functional') print res if not isinstance(res[jrb], ExprInt): raise NotImplementedError('not fully functional') base_ad = int(res[jrb]) print base_ad addrs = set() i = -1 max_table_entry = 10000 max_diff_addr = 0x100000 # heuristic while i < max_table_entry: i += 1 try: ad = upck32(pool_bin.getbytes(base_ad + 4 * i, 4)) except: break if abs(ad - base_ad) > max_diff_addr: break addrs.add(ad) print[hex(x) for x in addrs] for ad in addrs: offsets_to_dis.add(ad) l = symbol_pool.getby_offset_create(ad) c = asm_constraint_to(l) cur_bloc.addto(c)
def test_and3(self): """Test AND3 execution""" # AND3 Rn,Rm,imm16 exec_instruction("AND3 R1, R2, 0", [(ExprId("R2", 32), ExprInt(1, 32))], [(ExprId("R1", 32), ExprInt(0, 32))])
def post_add_bloc(self, block, ir_blocks): IntermediateRepresentation.post_add_bloc(self, block, ir_blocks) for irb in ir_blocks: pc_val = None lr_val = None for assignblk in irb.irs: pc_val = assignblk.get(self.arch.regs.PC, pc_val) lr_val = assignblk.get(self.arch.regs.RA, lr_val) if pc_val is None or lr_val is None: continue if not expr_is_int_or_label(lr_val): continue if expr_is_label(lr_val): lr_val = ExprInt32(lr_val.name.offset) line = block.lines[-2] if lr_val.arg != line.offset + 8: raise ValueError("Wrong arg") # CALL lbl = block.get_next() new_lbl = self.gen_label() irs = self.call_effects(pc_val, line) irs.append(AssignBlock([ExprAff(self.IRDst, ExprId(lbl, size=self.pc.size))])) nblock = IRBlock(new_lbl, irs) nblock.lines = [line] * len(irs) self.blocks[new_lbl] = nblock irb.dst = ExprId(new_lbl, size=self.pc.size)
def test_xor3(self): """Test XOR3 execution""" # XOR3 Rn,Rm,imm16 exec_instruction("XOR3 R1, R2, 1", [(ExprId("R2", 32), ExprInt(0, 32))], [(ExprId("R1", 32), ExprInt(1, 32))])
def test_ldc(self): """Test LDC execution""" # LDC Rn,imm5 exec_instruction("LDC R1, SAR", [(ExprId("SAR", 32), ExprInt(0x28, 32))], [(ExprId("R1", 32), ExprInt(0x28, 32))])
def test_xor(self): """Test XOR execution""" # XOR Rn, Rm exec_instruction("XOR R1, R2", [(ExprId("R1", 32), ExprInt(1, 32)), (ExprId("R2", 32), ExprInt(0, 32))], [(ExprId("R1", 32), ExprInt(1, 32))])
def test_sub(self): """Test SUB execution""" # SUB Rn,Rm exec_instruction("SUB R1, R2", [(ExprId("R1", 32), ExprInt(0x28, 32)), (ExprId("R2", 32), ExprInt(0x7, 32))], [(ExprId("R1", 32), ExprInt(0x21, 32))])
def test_and(self): """Test AND execution""" # AND Rn, Rm exec_instruction("AND R1, R2", [(ExprId("R1", 32), ExprInt(1, 32)), (ExprId("R2", 32), ExprInt(0, 32))], [(ExprId("R1", 32), ExprInt(0, 32))])
def post_add_asmblock_to_ircfg(self, block, ircfg, ir_blocks): IntermediateRepresentation.post_add_asmblock_to_ircfg(self, block, ircfg, ir_blocks) new_irblocks = [] for irb in ir_blocks: pc_val = None lr_val = None for assignblk in irb: pc_val = assignblk.get(self.arch.regs.PC, pc_val) lr_val = assignblk.get(self.arch.regs.RA, lr_val) if pc_val is None or lr_val is None: new_irblocks.append(irb) continue if lr_val.is_loc(): offset = self.loc_db.get_location_offset(lr_val.loc_key) if offset is not None: lr_val = ExprInt(offset, 32) if not lr_val.is_int(): continue instr = block.lines[-2] if int(lr_val) != instr.offset + 8: raise ValueError("Wrong arg") # CALL lbl = block.get_next() new_lbl = self.gen_label() call_assignblks, extra_irblocks = self.call_effects(pc_val, instr) ir_blocks += extra_irblocks irs.append(AssignBlock([ExprAff(self.IRDst, ExprId(lbl, size=self.pc.size))], instr)) new_irblocks.append(IRBlock(new_lbl, call_assignblks)) new_irblocks.append(irb.set_dst(ExprId(new_lbl, size=self.pc.size))) return new_irblocks
def post_add_block(self, block, ir_blocks): IntermediateRepresentation.post_add_block(self, block, ir_blocks) new_irblocks = [] for irb in ir_blocks: pc_val = None lr_val = None for assignblk in irb.irs: pc_val = assignblk.get(self.arch.regs.PC, pc_val) lr_val = assignblk.get(self.arch.regs.RA, lr_val) if pc_val is None or lr_val is None: new_irblocks.append(irb) continue if not expr_is_int_or_label(lr_val): new_irblocks.append(irb) continue if expr_is_label(lr_val): lr_val = ExprInt(lr_val.name.offset, 32) instr = block.lines[-2] if lr_val.arg != instr.offset + 8: raise ValueError("Wrong arg") # CALL lbl = block.get_next() new_lbl = self.gen_label() irs = self.call_effects(pc_val, instr) irs.append( AssignBlock( [ExprAff(self.IRDst, ExprId(lbl, size=self.pc.size))], instr)) new_irblocks.append(IRBlock(new_lbl, irs)) new_irblocks.append(irb.set_dst(ExprId(new_lbl, size=self.pc.size))) return new_irblocks
def test_erepeat(self): """Test EREPEAT execution""" # EREPEAT disp17.align2 exec_instruction("EREPEAT 0x42", [(ExprId("PC", 32), ExprInt(0, 32))], [(ExprId("RPB", 32), ExprInt(4, 32)), (ExprId("RPE", 32), ExprInt(0x43, 32))])
def post_add_bloc(self, bloc, ir_blocs): ir.post_add_bloc(self, bloc, ir_blocs) if not bloc.lines: return l = bloc.lines[-1] sub_call_dst = None if not l.is_subcall(): return sub_call_dst = l.args[0] if expr_is_label(sub_call_dst): sub_call_dst = sub_call_dst.name for irb in ir_blocs: l = irb.lines[-1] sub_call_dst = None if not l.is_subcall(): continue sub_call_dst = l.args[0] if expr_is_label(sub_call_dst): sub_call_dst = sub_call_dst.name lbl = bloc.get_next() new_lbl = self.gen_label() irs = self.call_effects(l.args[0]) irs.append( AssignBlock( [ExprAff(self.IRDst, ExprId(lbl, size=self.pc.size))])) nbloc = irbloc(new_lbl, irs) nbloc.lines = [l] * len(irs) self.blocs[new_lbl] = nbloc irb.dst = ExprId(new_lbl, size=self.pc.size) return
def test_jsr(self): """Test JSR execution""" # JSR Rm exec_instruction("JSR R1", [(ExprId("R1", 32), ExprInt(0x2807, 32))], [(ExprId("PC", 32), ExprInt(0x2807, 32)), (ExprId("LP", 32), ExprInt(0x2, 32))])
def test_nor(self): """Test NOR execution""" # NOR Rn, Rm exec_instruction("NOR R1, R2", [(ExprId("R1", 32), ExprInt(1, 32)), (ExprId("R2", 32), ExprInt(0, 32))], [(ExprId("R1", 32), ExprInt(0xFFFFFFFE, 32))])
def test_stc(self): """Test STC execution""" # STC Rn,imm5 exec_instruction("STC R1, SAR", [(ExprId("R1", 32), ExprInt(0x28, 32))], [(ExprId("SAR", 32), ExprInt(0x28, 32))])
def test_ClassDef(self): from miasm2.expression.expression import ExprInt32, ExprId, ExprMem, ExprCompose from miasm2.arch.x86.sem import ir_x86_32 from miasm2.ir.symbexec import symbexec addrX = ExprInt32(-1) addr0 = ExprInt32(0) addr1 = ExprInt32(1) addr8 = ExprInt32(8) addr9 = ExprInt32(9) addr20 = ExprInt32(20) addr40 = ExprInt32(40) addr50 = ExprInt32(50) mem0 = ExprMem(addr0) mem1 = ExprMem(addr1) mem8 = ExprMem(addr8) mem9 = ExprMem(addr9) mem20 = ExprMem(addr20) mem40v = ExprMem(addr40, 8) mem40w = ExprMem(addr40, 16) mem50v = ExprMem(addr50, 8) mem50w = ExprMem(addr50, 16) id_x = ExprId('x') id_y = ExprId('y', 8) id_a = ExprId('a') id_eax = ExprId('eax_init') e = symbexec( ir_x86_32(), { mem0: id_x, mem1: id_y, mem9: id_x, mem40w: id_x, mem50v: id_y, id_a: addr0, id_eax: addr0 }) self.assertEqual(e.find_mem_by_addr(addr0), mem0) self.assertEqual(e.find_mem_by_addr(addrX), None) self.assertEqual(e.eval_ExprMem(ExprMem(addr1 - addr1)), id_x) self.assertEqual(e.eval_ExprMem(ExprMem(addr1, 8)), id_y) self.assertEqual( e.eval_ExprMem(ExprMem(addr1 + addr1)), ExprCompose([(id_x[16:32], 0, 16), (ExprMem(ExprInt32(4), 16), 16, 32)])) self.assertEqual( e.eval_ExprMem(mem8), ExprCompose([(id_x[0:24], 0, 24), (ExprMem(ExprInt32(11), 8), 24, 32)])) self.assertEqual(e.eval_ExprMem(mem40v), id_x[:8]) self.assertEqual( e.eval_ExprMem(mem50w), ExprCompose([(id_y, 0, 8), (ExprMem(ExprInt32(51), 8), 8, 16)])) self.assertEqual(e.eval_ExprMem(mem20), mem20) e.func_read = lambda x: x self.assertEqual(e.eval_ExprMem(mem20), mem20) self.assertEqual(set(e.modified()), set(e.symbols)) self.assertRaises(KeyError, e.symbols.__getitem__, ExprMem(ExprInt32(100)))
def test_sl2ad3(self): """Test SL2AD3 execution""" # SL2AD3 R0,Rn,Rm exec_instruction("SL2AD3 R0, R1, R2", [(ExprId("R1", 32), ExprInt(0x2, 32)), (ExprId("R2", 32), ExprInt(0x20, 32))], [(ExprId("R0", 32), ExprInt(0x28, 32))])
def test_btstm(self): """Test BTSTM execution""" # BTSTM R0,(Rm),imm3 exec_instruction("BTSTM R0, (R1), 1", [(ExprId("R1", 32), ExprInt(0x28, 32)), (ExprMem(ExprInt(0x28, 32), 8), ExprInt(0x2, 8))], [(ExprId("R0", 32), ExprInt(0x2, 32))])
def test_tas(self): """Test TAS execution""" # TAS Rn,(Rm) exec_instruction("TAS R0, (R1)", [(ExprId("R1", 32), ExprInt(0x28, 32)), (ExprMem(ExprInt(0x28, 32), 8), ExprInt(0x2, 8))], [(ExprId("R0", 32), ExprInt(0x2, 32)), (ExprMem(ExprInt(0x28, 32), 8), ExprInt(0x1, 8))])
def test_smcpi(self): """Test SMCPI execution""" # SMCPI CRn[0-15],(Rm+) exec_instruction( "SMCPI C1, (R2+)", [(ExprId("C1", 32), ExprInt(0x28071010, 32)), (ExprId("R2", 32), ExprInt(0x17, 32))], [(ExprMem(ExprInt(0x10, 32), 32), ExprInt(0x28071010, 32)), (ExprId("R2", 32), ExprInt(0x1F, 32))])
def test_neg(self): """Test NEG execution""" # NEG Rn,Rm exec_instruction("NEG R1, R2", [(ExprId("R2", 32), ExprInt(1, 32))], [(ExprId("R1", 32), ExprInt(0xFFFFFFFF, 32))]) exec_instruction("NEG R1, R2", [(ExprId("R2", 32), ExprInt(0x42, 32))], [(ExprId("R1", 32), ExprInt(0xFFFFFFBE, 32))])
def test_movh(self): """Test MOVH execution""" # MOVH Rn,imm16 exec_instruction("MOVH R1, 1", [], [(ExprId("R1", 32), ExprInt(0x10000, 32))]) exec_instruction("MOVH R1, 0xFFFF", [], [(ExprId("R1", 32), ExprInt(0xFFFF0000, 32))])
def arm_guess_jump_table(mnemo, attrib, pool_bin, cur_bloc, offsets_to_dis, loc_db): ira = get_ira(mnemo, attrib) jra = ExprId('jra') jrb = ExprId('jrb') sp = LocationDB() ir_arch = ira(sp) ircfg = ira.new_ircfg() ir_arch.add_asmblock_to_ircfg(cur_bloc, ircfg) ir_blocks = ircfg.blocks.values() for irblock in ir_blocks: pc_val = None for exprs in irblock: for e in exprs: if e.dst == ir_arch.pc: pc_val = e.src if pc_val is None: continue if not isinstance(pc_val, ExprMem): continue assert (pc_val.size == 32) print pc_val ad = pc_val.arg ad = expr_simp(ad) print ad res = match_expr(ad, jra + jrb, set([jra, jrb])) if res is False: raise NotImplementedError('not fully functional') print res if not isinstance(res[jrb], ExprInt): raise NotImplementedError('not fully functional') base_ad = int(res[jrb]) print base_ad addrs = set() i = -1 max_table_entry = 10000 max_diff_addr = 0x100000 # heuristic while i < max_table_entry: i += 1 try: ad = upck32(pool_bin.getbytes(base_ad + 4 * i, 4)) except: break if abs(ad - base_ad) > max_diff_addr: break addrs.add(ad) print[hex(x) for x in addrs] for ad in addrs: offsets_to_dis.add(ad) l = loc_db.get_or_create_offset_location(ad) c = AsmConstraintTo(l) cur_bloc.addto(c)
def test_bgei(self): """Test BGEI execution""" # BGEI Rn,imm4,disp17.align2 exec_instruction( "BGEI R1, 0x5, 0x10000", [(ExprId("R1", 32), ExprInt(0x10, 32))], [(ExprId("PC", 32), ExprCond(ExprOp(">=", ExprInt(0x10, 32), ExprInt(0x5, 32)), ExprInt(0xFFFF0010, 32), ExprInt(0x14, 32)))], offset=0x10)
def test_lwcpi(self): """Test LWCPI execution""" # LWCPI CRn[0-15],(Rm+) exec_instruction( "LWCPI C1, (R2+)", [(ExprId("R2", 32), ExprInt(0x11, 32)), (ExprMem(ExprInt(0x10, 32), 32), ExprInt(0xABCD, 32))], [(ExprId("C1", 32), ExprInt(0xABCD, 32)), (ExprId("R2", 32), ExprInt(0x15, 32))])
def test_repeat(self): """Test REPEAT execution""" # REPEAT Rn, disp17.align2 exec_instruction("REPEAT R0, 0x42", [(ExprId("PC", 32), ExprInt(2, 32)), (ExprId("R0", 32), ExprInt(0x28, 32))], [(ExprId("RPB", 32), ExprInt(6, 32)), (ExprId("RPE", 32), ExprInt(0x44, 32)), (ExprId("RPC", 32), ExprInt(0x28, 32))])
def test_mulr(self): """Test MULR execution""" # MULR Rn,Rm exec_instruction("MULR R0, R1", [(ExprId("R0", 32), ExprInt(0x80, 32)), (ExprId("R1", 32), ExprInt(0xFFFFFFFF, 32))], [(ExprId("HI", 32), ExprInt(0xFFFFFFFF, 32)), (ExprId("LO", 32), ExprInt(0xFFFFFF80, 32)), (ExprId("R0", 32), ExprInt(0xFFFFFF80, 32))])
def test_mulru(self): """Test MULRU execution""" # MULRU Rn,Rm exec_instruction("MULRU R0, R1", [(ExprId("R0", 32), ExprInt(0x2, 32)), (ExprId("R1", 32), ExprInt(0xFFFFFFFF, 32))], [(ExprId("HI", 32), ExprInt(0x1, 32)), (ExprId("LO", 32), ExprInt(0xFFFFFFFE, 32)), (ExprId("R0", 32), ExprInt(0xFFFFFFFE, 32))])
def intra_bloc_flow_symbexec(ir_arch, flow_graph, irb): """ Create data flow for an irbloc using symbolic execution """ in_nodes = {} out_nodes = {} current_nodes = {} symbols_init = {} for r in ir_arch.arch.regs.all_regs_ids: # symbols_init[r] = ir_arch.arch.regs.all_regs_ids_init[i] x = ExprId(r.name, r.size) x.is_term = True symbols_init[r] = x sb = symbexec(ir_arch, dict(symbols_init)) sb.emulbloc(irb) # print "*"*40 # print irb # print sb.dump_id() # print sb.dump_mem() for n_w in sb.symbols: # print n_w v = sb.symbols[n_w] if n_w in symbols_init and symbols_init[n_w] == v: continue read_values = v.get_r(cst_read=True) # print n_w, v, [str(x) for x in read_values] node_n_w = get_node_name(irb.label, len(irb.lines), n_w) for n_r in read_values: if n_r in current_nodes: node_n_r = current_nodes[n_r] else: node_n_r = get_node_name(irb.label, 0, n_r) current_nodes[n_r] = node_n_r in_nodes[n_r] = node_n_r out_nodes[n_w] = node_n_w flow_graph.add_uniq_edge(node_n_r, node_n_w) irb.in_nodes = in_nodes irb.out_nodes = out_nodes
def gen_equations(self): for irb in self.blocs.values(): symbols_init = {} for r in self.arch.regs.all_regs_ids: x = ExprId(r.name, r.size) x.is_term = True symbols_init[r] = x sb = symbexec(self, dict(symbols_init)) sb.emulbloc(irb) eqs = [] for n_w in sb.symbols: v = sb.symbols[n_w] if n_w in symbols_init and symbols_init[n_w] == v: continue eqs.append(ExprAff(n_w, v)) print '*' * 40 print irb irb.irs = [eqs] irb.lines = [None]