def compute(asm, inputstate={}, debug=False):
loc_db = LocationDB()
sympool = dict(regs_init)
sympool.update({k: ExprInt(v, k.size) for k, v in viewitems(inputstate)})
ir_tmp = ir_arch(loc_db)
ircfg = ir_tmp.new_ircfg()
symexec = SymbolicExecutionEngine(ir_tmp, sympool)
instr = mn.fromstring(asm, loc_db, "b")
code = mn.asm(instr)[0]
instr = mn.dis(code, "b")
instr.offset = inputstate.get(PC, 0)
lbl = ir_tmp.add_instr_to_ircfg(instr, ircfg)
symexec.run_at(ircfg, lbl)
if debug:
for k, v in viewitems(symexec.symbols):
if regs_init.get(k, None) != v:
print(k, v)
out = {}
for k, v in viewitems(symexec.symbols):
if k in EXCLUDE_REGS:
continue
elif regs_init.get(k, None) == v:
continue
elif isinstance(v, ExprInt):
out[k] = int(v)
else:
out[k] = v
return out
def compute(asm, inputstate={}, debug=False):
loc_db = LocationDB()
sympool = dict(regs_init)
sympool.update({k: ExprInt(v, k.size) for k, v in viewitems(inputstate)})
ir_tmp = ir_arch(loc_db)
ircfg = ir_tmp.new_ircfg()
symexec = SymbolicExecutionEngine(ir_tmp, sympool)
instr = mn.fromstring(asm, loc_db, "l")
code = mn.asm(instr)[0]
instr = mn.dis(code, "l")
instr.offset = inputstate.get(PC, 0)
lbl = ir_tmp.add_instr_to_ircfg(instr, ircfg)
symexec.run_at(ircfg, lbl)
if debug:
for k, v in viewitems(symexec.symbols):
if regs_init.get(k, None) != v:
print(k, v)
out = {}
for k, v in viewitems(symexec.symbols):
if k in EXCLUDE_REGS:
continue
elif regs_init.get(k, None) == v:
continue
elif isinstance(v, ExprInt):
out[k] = int(v)
else:
out[k] = v
return out
def symb_exec(lbl, ir_arch, ircfg, inputstate, debug):
sympool = dict(regs_init)
sympool.update(inputstate)
symexec = SymbolicExecutionEngine(ir_arch, sympool)
symexec.run_at(ircfg, lbl)
if debug:
for k, v in viewitems(symexec.symbols):
if regs_init.get(k, None) != v:
print(k, v)
return {
k: v for k, v in viewitems(symexec.symbols)
if k not in EXCLUDE_REGS and regs_init.get(k, None) != v
}
def symb_exec(lbl, lifter, ircfg, inputstate, debug):
sympool = dict(regs_init)
sympool.update(inputstate)
symexec = SymbolicExecutionEngine(lifter, sympool)
symexec.run_at(ircfg, lbl)
if debug:
for k, v in viewitems(symexec.symbols):
if regs_init.get(k, None) != v:
print(k, v)
return {
k: v
for k, v in viewitems(symexec.symbols)
if k not in EXCLUDE_REGS and regs_init.get(k, None) != v
}
def ExecuteSymbolicSingleStep(addr, state=INIT_REG):
size = idc.ItemSize(addr)
code = idc.GetManyBytes(addr, size)
loc_db = LocationDB()
base = addr
try:
ins = mn_x86.dis(bin_stream_str(code, base_address=base), 64, base)
except:
return state.copy()
ira = machine.ira(loc_db)
ircfg = ira.new_ircfg()
try:
ira.add_instr_to_ircfg(ins, ircfg)
sb = SymbolicExecutionEngine(ira, state)
symbolic_pc = sb.run_at(ircfg, base)
except:
return state.copy()
ret = state.copy()
for key, value in sb.modified():
if isinstance(value, ExprOp) and value.op == "call_func_ret":
value = ExprInt(0, 64)
ret[key] = value
return ret
def sym(data, addr, status):
cont = Container.from_string(data, loc_db=loc_db, addr=addr)
mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
asm_block = mdis.dis_block(addr)
# Translate ASM -> IR
ircfg = ira.new_ircfg()
try:
ira.add_asmblock_to_ircfg(asm_block, ircfg)
except NotImplementedError:
return None
# Instantiate a Symbolic Execution engine with default value for registers
regs_init = regs.regs_init
sympool = copy.deepcopy(regs_init)
sympool.update(status)
symb = SymbolicExecutionEngine(ira, sympool)
# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.run_at(ircfg, addr)
IRDst = symb.symbols[ira.IRDst]
expr = expr_simp_explicit(IRDst)
#if isinstance(expr, ExprMem):
# expr = expr.ptr
return expr
def compute(asm, inputstate={}, debug=False):
loc_db = LocationDB()
sympool = dict(regs_init)
sympool.update({k: ExprInt(v, k.size) for k, v in viewitems(inputstate)})
ir_tmp = ir_arch(loc_db)
ircfg = ir_tmp.new_ircfg()
symexec = SymbolicExecutionEngine(ir_tmp, sympool)
instr = mn.fromstring(asm, mode)
code = mn.asm(instr)[0]
instr = mn.dis(code, mode)
instr.offset = inputstate.get(PC, 0)
loc_key = ir_tmp.add_instr_to_ircfg(instr, ircfg)
symexec.run_at(ircfg, loc_key)
if debug:
for k, v in viewitems(symexec.symbols):
if regs_init.get(k, None) != v:
print(k, v)
return {
k: v.arg.arg for k, v in viewitems(symexec.symbols)
if k not in EXCLUDE_REGS and regs_init.get(k, None) != v
}
def compute(asm, inputstate={}, debug=False):
loc_db = LocationDB()
sympool = dict(regs_init)
sympool.update({k: ExprInt(v, k.size) for k, v in viewitems(inputstate)})
ir_tmp = ir_arch(loc_db)
ircfg = ir_tmp.new_ircfg()
symexec = SymbolicExecutionEngine(ir_tmp, sympool)
instr = mn.fromstring(asm, mode)
code = mn.asm(instr)[0]
instr = mn.dis(code, mode)
instr.offset = inputstate.get(PC, 0)
loc_key = ir_tmp.add_instr_to_ircfg(instr, ircfg)
symexec.run_at(ircfg, loc_key)
if debug:
for k, v in viewitems(symexec.symbols):
if regs_init.get(k, None) != v:
print(k, v)
return {
k: v.arg.arg
for k, v in viewitems(symexec.symbols)
if k not in EXCLUDE_REGS and regs_init.get(k, None) != v
}
def symbolic_exec():
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.core.bin_stream_ida import bin_stream_ida
from utils import guess_machine
start, end = idc.read_selection_start(), idc.read_selection_end()
loc_db = LocationDB()
bs = bin_stream_ida()
machine = guess_machine(addr=start)
mdis = machine.dis_engine(bs, loc_db=loc_db)
if start == idc.BADADDR and end == idc.BADADDR:
start = idc.get_screen_ea()
end = idc.next_head(start) # Get next instruction address
mdis.dont_dis = [end]
asmcfg = mdis.dis_multiblock(start)
ira = machine.ira(loc_db=loc_db)
ircfg = ira.new_ircfg_from_asmcfg(asmcfg)
print("Run symbolic execution...")
sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init)
sb.run_at(ircfg, start)
modified = {}
for dst, src in sb.modified(init_state=machine.mn.regs.regs_init):
modified[dst] = src
view = symbolicexec_t()
all_views.append(view)
if not view.Create(
modified, machine, loc_db, "Symbolic Execution - 0x%x to 0x%x" %
(start, idc.prev_head(end))):
return
view.Show()
def symbolic_exec():
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.core.bin_stream_ida import bin_stream_ida
from utils import guess_machine
start, end = idc.SelStart(), idc.SelEnd()
bs = bin_stream_ida()
machine = guess_machine(addr=start)
mdis = machine.dis_engine(bs)
if start == idc.BADADDR and end == idc.BADADDR:
start = idc.ScreenEA()
end = idc.next_head(start) # Get next instruction address
mdis.dont_dis = [end]
asmcfg = mdis.dis_multiblock(start)
ira = machine.ira(loc_db=mdis.loc_db)
ircfg = ira.new_ircfg_from_asmcfg(asmcfg)
print("Run symbolic execution...")
sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init)
sb.run_at(ircfg, start)
modified = {}
for dst, src in sb.modified(init_state=machine.mn.regs.regs_init):
modified[dst] = src
view = symbolicexec_t()
all_views.append(view)
if not view.Create(modified, machine, mdis.loc_db,
"Symbolic Execution - 0x%x to 0x%x"
% (start, idc.prev_head(end))):
return
view.Show()
# ircfg = ira.new_ircfg(asmcfg)
# print(loc_db._offset_to_loc_key.keys()[0])
sb = SymbolicExecutionEngine(ira)
# symbolic_pc = sb.run_at(ircfg, loc_db._offset_to_loc_key.keys()[0])
# for index, info in enumerate(sb.info_ids):
# print('###### step', index+1)
# print('\t', info[0])
# for reg in info[1]:
# print('\t\t', reg, ':', info[1][reg])
# dse = DSEEngine(machine)
# sb.symbols[machine.mn.regs.ECX] = ExprInt(253, 32)
# sb.symbols[machine.mn.regs.EBP] = ExprOp('+', ExprId('ESP', 32), ExprInt(0xFFFFFFFC, 32))
# memory_expr = dse.memory_to_expr(0x40000004)
# sb.symbols[machine.mn.regs.EBP] = dse.eval_expr(memory_expr)
symbolic_pc = sb.run_at(ircfg, loc_db._offset_to_loc_key.keys()[0])
print('###### modified state step by step')
for step, info in enumerate(sb.info_ids):
print('###### step', step + 1)
print('\t', info[0])
print('\t### info_ids')
print('\t\t', info[1])
# for reg in info[1]:
# print('\t\t', reg, ':', info[1][reg])
print('\t### info_mems')
print('\t\t', sb.info_mems[step][1])
print()
translator = TranslatorZ3(endianness="<", loc_db=loc_db)
z3_expr_dict = dict()
print('###### z3_expr about variable step by step')
asm = machine.mn.asm(line)[0]
# Get back block
cont = Container.from_string(asm, loc_db = loc_db)
mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
mdis.lines_wd = 1
asm_block = mdis.dis_block(START_ADDR)
# Translate ASM -> IR
lifter_model_call = machine.lifter_model_call(mdis.loc_db)
ircfg = lifter_model_call.new_ircfg()
lifter_model_call.add_asmblock_to_ircfg(asm_block, ircfg)
# Instantiate a Symbolic Execution engine with default value for registers
symb = SymbolicExecutionEngine(lifter_model_call)
# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.run_at(ircfg, START_ADDR)
# Modified elements
print('Modified registers:')
symb.dump(mems=False)
print('Modified memory (should be empty):')
symb.dump(ids=False)
# Check final status
eax, ebx = lifter_model_call.arch.regs.EAX, lifter_model_call.arch.regs.EBX
assert symb.symbols[eax] == ebx
assert eax in symb.symbols
lifter = LifterModelCall_x86_32(loc_db)
ircfg = lifter.new_ircfg()
first_block = list(asmcfg.blocks)[0]
lifter.add_asmblock_to_ircfg(first_block, ircfg)
# --- Symbolic execution --- #
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.expression.expression import *
symb = SymbolicExecutionEngine(lifter, machine.mn.regs.regs_init)
# irDst contains the offset of next IR basic block to execute
irDst = symb.run_at(ircfg, entry_addr, step=False)
print("IR Dest = ", irDst)
# Provide symbolic context to irDst
expr_flag = ExprId("flag", 32)
result = symb.eval_expr(
expr_simp(
irDst.replace_expr(
{
expr_simp(
ExprMem(machine.mn.regs.EBP_init - ExprInt(0x4, 32), 32)):
expr_flag,
})))
print("IR Dest Semantics = ", result)
# Dump the final state of symbolic execution
asm = machine.mn.asm(line)[0]
# Get back block
cont = Container.from_string(asm, loc_db = loc_db)
mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
mdis.lines_wd = 1
asm_block = mdis.dis_block(START_ADDR)
# Translate ASM -> IR
ira = machine.ira(mdis.loc_db)
ircfg = ira.new_ircfg()
ira.add_asmblock_to_ircfg(asm_block, ircfg)
# Instantiate a Symbolic Execution engine with default value for registers
symb = SymbolicExecutionEngine(ira)
# Emulate one IR basic block
## Emulation of several basic blocks can be done through .emul_ir_blocks
cur_addr = symb.run_at(ircfg, START_ADDR)
# Modified elements
print('Modified registers:')
symb.dump(mems=False)
print('Modified memory (should be empty):')
symb.dump(ids=False)
# Check final status
eax, ebx = ira.arch.regs.EAX, ira.arch.regs.EBX
assert symb.symbols[eax] == ebx
assert eax in symb.symbols
