def __init__(self, binary):
self.__binary = binary
self.__arch_mode = self.__binary.architecture_mode
self.__arch = X86ArchitectureInformation(self.__arch_mode)
self.__disassembler = X86Disassembler(self.__arch_mode)
self.__translator = X86Translator(self.__arch_mode)
self.__bb_builder = CFGRecoverer(
RecursiveDescent(self.__disassembler, self.__binary.text_section,
self.__translator, self.__arch))
def test_emulate_x86_64(self):
binary = BinaryFile(get_full_path("./samples/bin/loop-simple.x86_64"))
arch_mode = ARCH_X86_MODE_64
arch_info = X86ArchitectureInformation(arch_mode)
ir_emulator = ReilEmulator(arch_info)
disassembler = X86Disassembler(ARCH_X86_MODE_64)
ir_translator = X86Translator(ARCH_X86_MODE_64)
emu = Emulator(arch_info, ir_emulator, ir_translator, disassembler)
emu.load_binary(binary)
emu.emulate(0x4004d6, 0x400507, {}, None, False)
def __init__(self, binary, symbols):
self.__binary = binary
self.__arch_mode = self.__binary.architecture_mode
self.__arch = X86ArchitectureInformation(self.__arch_mode)
self.__disassembler = X86Disassembler(self.__arch_mode)
self.__translator = X86Translator(self.__arch_mode)
self.__bb_builder = CFGRecoverer(
RecursiveDescent(self.__disassembler, self.__binary.text_section,
self.__translator, self.__arch))
self.__container = {}
self.__symbols = symbols
self.__symbols_by_addr = {}
for name, start, end in symbols:
self.__symbols_by_addr[start] = (name, end)
def __init__(self, arch, trace, start_address, options):
AsmTraceAnalyzer.__init__(self, arch, trace)
self._options = options
disassembler = X86Disassembler(arch.architecture_mode)
ir_translator = X86Translator(arch.architecture_mode)
self._emulator = Emulator(arch, ReilEmulator(arch), ir_translator,
disassembler)
self._undefined_flags = {
"bsf": ["cf", "of", "sf", "af", "pf"],
"bt": ["pf"], # TODO Check.
"div": ["cf", "of", "sf", "zf", "af", "pf"],
"imul": ["pf"], # TODO Check.
"shl": ["of"], # TODO Check.
"shr": ["of"], # TODO Check.
}
self._set_regs = True
self._next_addr = start_address
def raw_to_IRBlock(raw, thumb=False):
# Check for Architecture
if (curr_arch_type() == ArchType.ARCH_X86):
disassembler = X86Disassembler(architecture_mode=ARCH_X86_MODE_32)
ir_translator = X86Translator(architecture_mode=ARCH_X86_MODE_32)
alias_mapper = X86ArchitectureInformation(
ARCH_X86_MODE_32).alias_mapper
elif (curr_arch_type() == ArchType.ARCH_X64):
disassembler = X86Disassembler(architecture_mode=ARCH_X86_MODE_64)
ir_translator = X86Translator(architecture_mode=ARCH_X86_MODE_64)
alias_mapper = X86ArchitectureInformation(
ARCH_X86_MODE_64).alias_mapper
elif (curr_arch_type() == ArchType.ARCH_ARM32 and not thumb):
disassembler = ArmDisassembler(architecture_mode=ARCH_ARM_MODE_ARM)
ir_translator = ArmTranslator(architecture_mode=ARCH_ARM_MODE_ARM)
alias_mapper = ArmArchitectureInformation(
ARCH_ARM_MODE_ARM).alias_mapper
elif (curr_arch_type() == ArchType.ARCH_ARM32 and thumb):
disassembler = ArmDisassembler(architecture_mode=ARCH_ARM_MODE_THUMB)
ir_translator = ArmTranslator(architecture_mode=ARCH_ARM_MODE_THUMB)
alias_mapper = ArmArchitectureInformation(
ARCH_ARM_MODE_THUMB).alias_mapper
else:
raise Exception("ARCH TYPE NOT SUPPORTED")
(irsb, string) = raw_to_REIL(raw, disassembler, ir_translator)
if (irsb is None):
return (None, string)
asm_instr_string = '; '.join(str(i) for i in string)
# Check if branch instructions in the middle of the gadget
for ins in string[:-1]:
if (str(ins)[0:2] == "bl"):
return (None, "Branch in the middle of the gadget")
res = IRBlock()
# Translate instruction by instruction
try:
for instr in irsb:
# print(instr) # DEBUG
i = None
if (instr.mnemonic == ReilMnemonic.NOP):
pass
elif (is_calculation_instr(instr.mnemonic)):
i = IRInstruction(
barf_operation_to_IR(instr.mnemonic),
barf_operand_to_IR(instr.operands[0], alias_mapper),
barf_operand_to_IR(instr.operands[1], alias_mapper),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (is_load_instr(instr.mnemonic)):
i = IRInstruction(
IROperation.LDM,
barf_operand_to_IR(instr.operands[0], alias_mapper),
ArgEmpty(),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (is_store_instr(instr.mnemonic)):
i = IRInstruction(
IROperation.STM,
barf_operand_to_IR(instr.operands[0], alias_mapper),
ArgEmpty(),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (is_put_instr(instr.mnemonic)):
i = IRInstruction(
IROperation.STR,
barf_operand_to_IR(instr.operands[0], alias_mapper),
ArgEmpty(),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (instr.mnemonic == ReilMnemonic.BISZ):
i = IRInstruction(
IROperation.UNKNOWN, ArgEmpty(), ArgEmpty(),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (instr.mnemonic == ReilMnemonic.JCC):
if (isinstance(instr.operands[0], ReilImmediateOperand)
and instr.operands[0]._immediate != 0):
if (instr.operands[2].size > curr_arch_bits()):
i = IRInstruction(
IROperation.BSH,
barf_operand_to_IR(instr.operands[2],
alias_mapper),
ArgCst(curr_arch_bits() - instr.operands[2].size,
curr_arch_bits()),
ArgReg(curr_arch_ip(), curr_arch_bits()))
else:
i = IRInstruction(
IROperation.STR,
barf_operand_to_IR(instr.operands[2],
alias_mapper), ArgEmpty(),
ArgReg(curr_arch_ip(), curr_arch_bits()))
else:
i = IRInstruction(IROperation.UNKNOWN, ArgEmpty(),
ArgEmpty(),
ArgReg(curr_arch_ip(), curr_arch_bits()))
break
elif (instr.mnemonic == ReilMnemonic.BISZ):
raise REILOperationNotSupported(
"REIL Operation 'BISZ' not supported")
else:
return (None, string)
if (i):
res.add_instr(i)
# Possible exceptions
except RegNotSupported as e:
log("In " + asm_instr_string + " | " + str(e))
return (None, string)
except CstTooBig as e:
log("In " + asm_instr_string + " | " + str(e))
return (None, string)
except REILOperationNotSupported as e:
log("In " + asm_instr_string + " | " + str(e))
return (None, string)
# Succesful return
return (res, string)
def setUp(self):
self._arch_mode = ARCH_X86_MODE_32
self._arch_info = X86ArchitectureInformation(self._arch_mode)
self._disassembler = X86Disassembler(ARCH_X86_MODE_32)
self._translator = X86Translator(ARCH_X86_MODE_32)