def post_add_bloc(self, block, ir_blocks): IntermediateRepresentation.post_add_bloc(self, block, ir_blocks) for irb in ir_blocks: pc_val = None lr_val = None for assignblk in irb.irs: pc_val = assignblk.get(self.arch.regs.PC, pc_val) lr_val = assignblk.get(self.arch.regs.RA, lr_val) if pc_val is None or lr_val is None: continue if not expr_is_int_or_label(lr_val): continue if expr_is_label(lr_val): lr_val = ExprInt32(lr_val.name.offset) line = block.lines[-2] if lr_val.arg != line.offset + 8: raise ValueError("Wrong arg") # CALL lbl = block.get_next() new_lbl = self.gen_label() irs = self.call_effects(pc_val, line) irs.append(AssignBlock([ExprAff(self.IRDst, ExprId(lbl, size=self.pc.size))])) nblock = IRBlock(new_lbl, irs) nblock.lines = [line] * len(irs) self.blocks[new_lbl] = nblock irb.dst = ExprId(new_lbl, size=self.pc.size)
def decode(self, v): v = v & self.lmask v <<= 2 v = cpu.sign_ext(v, 16 + 2, 32) # Add pipeline offset self.expr = ExprInt32(v + 4) return True
def test_ExprSlice_strcst(self): from miasm2.expression.expression import ExprInt32, ExprSlice import miasm2.expression.stp # /!\ REALLY DIRTY HACK args = [ExprInt32(i) for i in xrange(9)] self.assertEqual(args[0][1:2].strcst(), r'(0bin00000000000000000000000000000000)[1:1]') self.assertRaises(ValueError, args[0].__getitem__, slice(1, 7, 2))
def fixDstOffset(self): ndx = self.get_dst_num() e = self.args[ndx] if self.offset is None: raise ValueError('symbol not resolved %s' % self.l) if not isinstance(e, ExprInt): return off = e.arg - self.offset if int(off % 4): raise ValueError('strange offset! %r' % off) self.args[ndx] = ExprInt32(off)
def test_ExprOp_toC(self): from miasm2.expression.expression import ExprInt32, ExprOp from miasm2.ir.translators.C import Translator args = [ExprInt32(i) for i in xrange(9)] translator = Translator.to_language("C") # Unary operators self.translationTest( ExprOp('parity', *args[:1]), r'parity(0x0&0xffffffff)') self.translationTest( ExprOp('!', *args[:1]), r'(~ 0x0)&0xffffffff') self.translationTest( ExprOp('hex2bcd', *args[:1]), r'hex2bcd_32(0x0)') self.translationTest(ExprOp('fabs', *args[:1]), r'fabs(0x0)') self.assertRaises(NotImplementedError, translator.from_expr, ExprOp('X', *args[:1])) # Binary operators self.translationTest( ExprOp('==', *args[:2]), r'(((0x0&0xffffffff) == (0x1&0xffffffff))?1:0)') self.translationTest( ExprOp('%', *args[:2]), r'(((0x0&0xffffffff)%(0x1&0xffffffff))&0xffffffff)') self.translationTest( ExprOp('-', *args[:2]), r'(((0x0&0xffffffff) - (0x1&0xffffffff))&0xffffffff)') self.translationTest( ExprOp('bsr', *args[:1]), r'x86_bsr(0x0, 0x20)') self.translationTest( ExprOp('cpuid0', *args[:2]), r'cpuid0(0x0, 0x1)') self.translationTest( ExprOp('fcom0', *args[:2]), r'fcom0(0x0, 0x1)') self.translationTest( ExprOp('fadd', *args[:2]), r'fadd(0x0, 0x1)') self.translationTest( ExprOp('segm', *args[:2]), r'segm2addr(jitcpu, 0x0, 0x1)') self.translationTest( ExprOp('imod', *args[:2]), r'imod32(jitcpu, 0x0, 0x1)') self.translationTest( ExprOp('bcdadd', *args[:2]), r'bcdadd_32(0x0, 0x1)') self.assertRaises(NotImplementedError, translator.from_expr, ExprOp('X', *args[:2])) # Ternary operators self.translationTest( ExprOp('div8', *args[:3]), r'(div_op(32, 0x0, 0x1, 0x2) &0xffffffff)') # Other cases self.translationTest( ExprOp('+', *args[:3]), r'(((0x0&0xffffffff)+(0x1&0xffffffff)+(0x2&0xffffffff))&0xffffffff)') self.assertRaises(NotImplementedError, translator.from_expr, ExprOp('X', *args[:3]))
def encode(self): e = self.expr if not isinstance(e, ExprMem): return False arg = e.arg if isinstance(arg, ExprId): self.parent.imm.expr = ExprInt32(0) r = arg elif len(arg.args) == 2 and arg.op == "+": self.parent.imm.expr = arg.args[1] r = arg.args[0] else: return False self.value = gpregs.expr.index(r) return True
def fixDstOffset(self): ndx = self.get_dst_num() e = self.args[ndx] print 'FIX', ndx, e, self.offset, self.l if self.offset is None: raise ValueError('symbol not resolved %s' % self.l) if not isinstance(e, ExprInt): return off = e.arg - self.offset print "diff", e, hex(self.offset) print hex(off) if int(off % 4): raise ValueError('strange offset! %r' % off) self.args[ndx] = ExprInt32(off) print 'final', self
def test_ExprOp_toC(self): from miasm2.expression.expression import ExprInt32, ExprOp import miasm2.ir.ir2C # /!\ REALLY DIRTY HACK args = [ExprInt32(i) for i in xrange(9)] # Unary operators self.assertEqual( ExprOp('parity', *args[:1]).toC(), r'parity(0x0&0xffffffff)') self.assertEqual( ExprOp('!', *args[:1]).toC(), r'(~ 0x0)&0xffffffff') self.assertEqual( ExprOp('hex2bcd', *args[:1]).toC(), r'hex2bcd_32(0x0)') self.assertEqual(ExprOp('fabs', *args[:1]).toC(), r'fabs(0x0)') self.assertRaises(ValueError, ExprOp('X', *args[:1]).toC) # Binary operators self.assertEqual( ExprOp('==', *args[:2]).toC(), r'(((0x0&0xffffffff) == (0x1&0xffffffff))?1:0)') self.assertEqual( ExprOp('%', *args[:2]).toC(), r'(((0x0&0xffffffff)%(0x1&0xffffffff))&0xffffffff)') self.assertEqual( ExprOp('-', *args[:2]).toC(), r'(((0x0&0xffffffff) - (0x1&0xffffffff))&0xffffffff)') self.assertEqual( ExprOp('bsr', *args[:2]).toC(), r'my_bsr(0x0, 0x1)') self.assertEqual( ExprOp('cpuid0', *args[:2]).toC(), r'cpuid0(0x0, 0x1)') self.assertEqual( ExprOp('fcom0', *args[:2]).toC(), r'fcom0(0x0, 0x1)') self.assertEqual( ExprOp('fadd', *args[:2]).toC(), r'fadd(0x0, 0x1)') self.assertEqual( ExprOp('segm', *args[:2]).toC(), r'segm2addr(vmcpu, 0x0, 0x1)') self.assertEqual( ExprOp('imod', *args[:2]).toC(), r'imod32(vmcpu, 0x0, 0x1)') self.assertEqual( ExprOp('bcdadd', *args[:2]).toC(), r'bcdadd_32(0x0, 0x1)') self.assertRaises(ValueError, ExprOp('X', *args[:2]).toC) # Ternary operators self.assertEqual( ExprOp('div8', *args[:3]).toC(), r'(div_op(32, 0x0, 0x1, 0x2) &0xffffffff)') # Other cases self.assertEqual( ExprOp('+', *args[:3]).toC(), r'(((0x0&0xffffffff)+(0x1&0xffffffff)+(0x2&0xffffffff))&0xffffffff)') self.assertRaises(NotImplementedError, ExprOp('X', *args[:3]).toC)
def test_ExprOp_strcst(self): from miasm2.expression.expression import ExprInt32, ExprOp import miasm2.expression.stp # /!\ REALLY DIRTY HACK args = [ExprInt32(i) for i in xrange(9)] self.assertEqual( ExprOp('|', *args[:2]).strcst(), r'(0bin00000000000000000000000000000000 | 0bin00000000000000000000000000000001)' ) self.assertEqual( ExprOp('-', *args[:2]).strcst(), r'BVUMINUS(0bin00000000000000000000000000000000)') self.assertEqual( ExprOp('+', *args[:3]).strcst(), r'BVPLUS(32,BVPLUS(32,0bin00000000000000000000000000000000, 0bin00000000000000000000000000000001), 0bin00000000000000000000000000000010)' ) self.assertRaises(ValueError, ExprOp('X', *args[:1]).strcst)
def decode(self, v): v = v & self.lmask self.expr = ExprInt32(v + 1) return True
from pdb import pm a = ExprId("a") b = ExprId("b") c = ExprId("c") d = ExprId("d") a_init = ExprId("a_init") b_init = ExprId("b_init") c_init = ExprId("c_init") d_init = ExprId("d_init") pc = ExprId("pc") sp = ExprId("sp") cst1 = ExprInt32(0x11) cst2 = ExprInt32(0x12) cst3 = ExprInt32(0x13) lbl0 = asm_label("lbl0") lbl1 = asm_label("lbl1") lbl2 = asm_label("lbl2") lbl3 = asm_label("lbl3") lbl4 = asm_label("lbl4") lbl5 = asm_label("lbl5") lbl6 = asm_label("lbl6") def gen_irbloc(lbl, exprs): lines = [None for i in xrange(len(exprs))] irb = irbloc(lbl, exprs, lines)
def test_ClassDef(self): from miasm2.expression.expression import ExprInt32, ExprId, ExprMem, \ ExprCompose, ExprAff from miasm2.arch.x86.sem import ir_x86_32 from miasm2.ir.symbexec import symbexec addrX = ExprInt32(-1) addr0 = ExprInt32(0) addr1 = ExprInt32(1) addr8 = ExprInt32(8) addr9 = ExprInt32(9) addr20 = ExprInt32(20) addr40 = ExprInt32(40) addr50 = ExprInt32(50) mem0 = ExprMem(addr0) mem1 = ExprMem(addr1) mem8 = ExprMem(addr8) mem9 = ExprMem(addr9) mem20 = ExprMem(addr20) mem40v = ExprMem(addr40, 8) mem40w = ExprMem(addr40, 16) mem50v = ExprMem(addr50, 8) mem50w = ExprMem(addr50, 16) id_x = ExprId('x') id_y = ExprId('y', 8) id_a = ExprId('a') id_eax = ExprId('eax_init') e = symbexec( ir_x86_32(), { mem0: id_x, mem1: id_y, mem9: id_x, mem40w: id_x, mem50v: id_y, id_a: addr0, id_eax: addr0 }) self.assertEqual(e.find_mem_by_addr(addr0), mem0) self.assertEqual(e.find_mem_by_addr(addrX), None) self.assertEqual(e.eval_ExprMem(ExprMem(addr1 - addr1)), id_x) self.assertEqual(e.eval_ExprMem(ExprMem(addr1, 8)), id_y) self.assertEqual( e.eval_ExprMem(ExprMem(addr1 + addr1)), ExprCompose([(id_x[16:32], 0, 16), (ExprMem(ExprInt32(4), 16), 16, 32)])) self.assertEqual( e.eval_ExprMem(mem8), ExprCompose([(id_x[0:24], 0, 24), (ExprMem(ExprInt32(11), 8), 24, 32)])) self.assertEqual(e.eval_ExprMem(mem40v), id_x[:8]) self.assertEqual( e.eval_ExprMem(mem50w), ExprCompose([(id_y, 0, 8), (ExprMem(ExprInt32(51), 8), 8, 16)])) self.assertEqual(e.eval_ExprMem(mem20), mem20) e.func_read = lambda x: x self.assertEqual(e.eval_ExprMem(mem20), mem20) self.assertEqual(set(e.modified()), set(e.symbols)) self.assertRaises(KeyError, e.symbols.__getitem__, ExprMem(ExprInt32(100))) self.assertEqual(e.apply_expr(id_eax), addr0) self.assertEqual(e.apply_expr(ExprAff(id_eax, addr9)), addr9) self.assertEqual(e.apply_expr(id_eax), addr9)
STEP_COUNTER = count() A = ExprId("a") B = ExprId("b") C = ExprId("c") D = ExprId("d") R = ExprId("r") A_INIT = ExprId("a_init") B_INIT = ExprId("b_init") C_INIT = ExprId("c_init") D_INIT = ExprId("d_init") PC = ExprId("pc") SP = ExprId("sp") CST0 = ExprInt32(0x0) CST1 = ExprInt32(0x1) CST2 = ExprInt32(0x2) CST3 = ExprInt32(0x3) CST22 = ExprInt32(0x22) CST23 = ExprInt32(0x23) CST24 = ExprInt32(0x24) CST33 = ExprInt32(0x33) CST35 = ExprInt32(0x35) CST37 = ExprInt32(0x37) LBL0 = asm_label("lbl0") LBL1 = asm_label("lbl1") LBL2 = asm_label("lbl2") LBL3 = asm_label("lbl3") LBL4 = asm_label("lbl4")
from pdb import pm a = ExprId("a") b = ExprId("b") c = ExprId("c") d = ExprId("d") a_init = ExprId("a_init") b_init = ExprId("b_init") c_init = ExprId("c_init") d_init = ExprId("d_init") pc = ExprId("pc") sp = ExprId("sp") cst1 = ExprInt32(0x11) cst2 = ExprInt32(0x12) cst3 = ExprInt32(0x13) lbl0 = asm_label("lbl0") lbl1 = asm_label("lbl1") lbl2 = asm_label("lbl2") lbl3 = asm_label("lbl3") lbl4 = asm_label("lbl4") lbl5 = asm_label("lbl5") lbl6 = asm_label("lbl6") def gen_irbloc(lbl, exprs): lines = [None for i in xrange(len(exprs))]
jitter.pc = 0 return True myjit.push_uint32_t(0x1337beef) myjit.add_breakpoint(0x1337beef, code_sentinelle) # Run myjit.init_run(run_addr) myjit.continue_run() # Check end assert myjit.run is False # Check resulting state / accessors assert myjit.cpu.EAX == 0 assert myjit.cpu.ECX == 4 # Check eval_expr eax = ExprId("RAX", 64)[:32] imm0, imm4, imm4_64 = ExprInt32(0), ExprInt32(4), ExprInt64(4) memdata = ExprMem(ExprInt32(run_addr), len(data) * 8) assert myjit.eval_expr(eax) == imm0 ## Due to ExprAff construction, imm4 is "promoted" to imm4_64 assert myjit.eval_expr(ExprAff(eax, imm4)) == imm4_64 assert myjit.eval_expr(eax) == imm4 ## Changes must be passed on myjit.cpu instance assert myjit.cpu.EAX == 4 ## Memory assert myjit.eval_expr(memdata).arg.arg == int(data[::-1].encode("hex"), 16)
def ast_int2expr(a): return ExprInt32(a)
STEP_COUNTER = count() A = ExprId("a") B = ExprId("b") C = ExprId("c") D = ExprId("d") R = ExprId("r") A_INIT = ExprId("a_init") B_INIT = ExprId("b_init") C_INIT = ExprId("c_init") D_INIT = ExprId("d_init") PC = ExprId("pc") SP = ExprId("sp") CST0 = ExprInt32(0x0) CST1 = ExprInt32(0x11) CST2 = ExprInt32(0x12) CST3 = ExprInt32(0x13) CST22 = ExprInt32(0x22) CST23 = ExprInt32(0x23) CST24 = ExprInt32(0x24) CST33 = ExprInt32(0x33) CST35 = ExprInt32(0x35) CST37 = ExprInt32(0x37) LBL0 = asm_label("lbl0") LBL1 = asm_label("lbl1") LBL2 = asm_label("lbl2") LBL3 = asm_label("lbl3") LBL4 = asm_label("lbl4")
def test_ClassDef(self): from miasm2.expression.expression import ExprInt32, ExprId, ExprMem, \ ExprCompose, ExprAff from miasm2.arch.x86.sem import ir_x86_32 from miasm2.ir.symbexec import symbexec from miasm2.ir.ir import AssignBlock addrX = ExprInt32(-1) addr0 = ExprInt32(0) addr1 = ExprInt32(1) addr8 = ExprInt32(8) addr9 = ExprInt32(9) addr20 = ExprInt32(20) addr40 = ExprInt32(40) addr50 = ExprInt32(50) mem0 = ExprMem(addr0) mem1 = ExprMem(addr1, 8) mem8 = ExprMem(addr8) mem9 = ExprMem(addr9) mem20 = ExprMem(addr20) mem40v = ExprMem(addr40, 8) mem40w = ExprMem(addr40, 16) mem50v = ExprMem(addr50, 8) mem50w = ExprMem(addr50, 16) id_x = ExprId('x') id_y = ExprId('y', 8) id_a = ExprId('a') id_eax = ExprId('eax_init') e = symbexec( ir_x86_32(), { mem0: id_x, mem1: id_y, mem9: id_x, mem40w: id_x[:16], mem50v: id_y, id_a: addr0, id_eax: addr0 }) self.assertEqual(e.find_mem_by_addr(addr0), mem0) self.assertEqual(e.find_mem_by_addr(addrX), None) self.assertEqual(e.eval_expr(ExprMem(addr1 - addr1)), id_x) self.assertEqual(e.eval_expr(ExprMem(addr1, 8)), id_y) self.assertEqual(e.eval_expr(ExprMem(addr1 + addr1)), ExprCompose(id_x[16:32], ExprMem(ExprInt32(4), 16))) self.assertEqual(e.eval_expr(mem8), ExprCompose(id_x[0:24], ExprMem(ExprInt32(11), 8))) self.assertEqual(e.eval_expr(mem40v), id_x[:8]) self.assertEqual(e.eval_expr(mem50w), ExprCompose(id_y, ExprMem(ExprInt32(51), 8))) self.assertEqual(e.eval_expr(mem20), mem20) e.func_read = lambda x: x self.assertEqual(e.eval_expr(mem20), mem20) self.assertEqual(set(e.modified()), set(e.symbols)) self.assertRaises(KeyError, e.symbols.__getitem__, ExprMem(ExprInt32(100))) self.assertEqual(e.apply_expr(id_eax), addr0) self.assertEqual(e.apply_expr(ExprAff(id_eax, addr9)), addr9) self.assertEqual(e.apply_expr(id_eax), addr9) # apply_change / eval_ir / apply_expr ## x = a (with a = 0x0) assignblk = AssignBlock() assignblk[id_x] = id_a e.eval_ir(assignblk) self.assertEqual(e.apply_expr(id_x), addr0) ## x = a (without replacing 'a' with 0x0) e.apply_change(id_x, id_a) self.assertEqual(e.apply_expr(id_x), id_a) ## x = a (with a = 0x0) self.assertEqual(e.apply_expr(assignblk.dst2ExprAff(id_x)), addr0) self.assertEqual(e.apply_expr(id_x), addr0)
a = ExprId("a") b = ExprId("b") c = ExprId("c") d = ExprId("d") r = ExprId("r") a_init = ExprId("a_init") b_init = ExprId("b_init") c_init = ExprId("c_init") d_init = ExprId("d_init") r_init = ExprId("r_init") # Return register pc = ExprId("pc") sp = ExprId("sp") CST1 = ExprInt32(0x11) CST2 = ExprInt32(0x12) CST3 = ExprInt32(0x13) LBL0 = asm_label("lbl0") LBL1 = asm_label("lbl1") LBL2 = asm_label("lbl2") LBL3 = asm_label("lbl3") LBL4 = asm_label("lbl4") LBL5 = asm_label("lbl5") LBL6 = asm_label("lbl6") def gen_irbloc(label, exprs_list): lines = [None for _ in xrange(len(exprs_list))] irs = []
def decode(self, v): v = v & self.lmask v = cpu.sign_ext(v, 16, 32) self.expr = ExprInt32(v) return True
for element in args.element: try: elements.add(regs[element.upper()]) except KeyError: raise ValueError("Unknown element '%s'" % element) mdis = machine.dis_engine(cont.bin_stream, dont_dis_nulstart_bloc=True) ir_arch = machine.ira(mdis.symbol_pool) # Common argument forms init_ctx = {} if args.rename_args: if arch == "x86_32": # StdCall example for i in xrange(4): e_mem = ExprMem(ExprId("ESP_init") + ExprInt32(4 * (i + 1)), 32) init_ctx[e_mem] = ExprId("arg%d" % i) # Disassemble the targeted function blocks = mdis.dis_multibloc(int(args.func_addr, 0)) # Generate IR for block in blocks: ir_arch.add_bloc(block) # Get the instance dg = DependencyGraph(ir_arch, implicit=args.implicit, apply_simp=not (args.do_not_simplify), follow_mem=not (args.unfollow_mem), follow_call=not (args.unfollow_call))
def decode(self, v): self.expr = ExprInt32(v - int(self.parent.epos.expr.arg) + 1) return True