def symexec(handler): inst_bytes = handler.bytes_without_jmp machine = Machine("x86_32") cont = Container.from_string(inst_bytes) bs = cont.bin_stream mdis = machine.dis_engine(bs, symbol_pool=cont.symbol_pool) end_offset = len(inst_bytes) mdis.dont_dis = [end_offset] asm_block = mdis.dis_block(0) # print asm_block ira = machine.ira(mdis.symbol_pool) ira.add_block(asm_block) symb = SymbolicExecutionEngine(ira, symbols_init) cur_addr = symb.emul_ir_block(0) count = 0 while cur_addr != ExprInt(end_offset, 32): # execute to end cur_addr = symb.emul_ir_block(cur_addr) count += 1 if count > 1000: print '[!] to many loop at %s' % handler.name break return symb
from pdb import pm from miasm2.arch.x86.disasm import dis_x86_32 from miasm2.analysis.binary import Container from miasm2.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \ AsmLabel, AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \ bbl_simplifier from miasm2.core.graph import DiGraphSimplifier, MatchGraphJoker from miasm2.expression.expression import ExprId # Initial data: from 'samples/simple_test.bin' data = "5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3".decode( "hex") cont = Container.from_string(data) # Test Disasm engine mdis = dis_x86_32(cont.bin_stream) ## Disassembly of one block first_block = mdis.dis_block(0) assert len(first_block.lines) == 5 print first_block ## Test redisassemble blocks first_block_bis = mdis.dis_block(0) assert len(first_block.lines) == len(first_block_bis.lines) print first_block_bis ## Disassembly of several block, with cache blocks = mdis.dis_multiblock(0) assert len(blocks) == 17
from miasm2.analysis.binary import Container from miasm2.analysis.machine import Machine from miasm2.ir.symbexec import SymbolicExecutionEngine from miasm2.core.locationdb import LocationDB START_ADDR = 0 machine = Machine("x86_32") loc_db = LocationDB() # Assemble and disassemble a MOV ## Ensure that attributes 'offset' and 'l' are set line = machine.mn.fromstring("MOV EAX, EBX", loc_db, 32) asm = machine.mn.asm(line)[0] # Get back block cont = Container.from_string(asm, loc_db=loc_db) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) mdis.lines_wd = 1 asm_block = mdis.dis_block(START_ADDR) # Translate ASM -> IR ira = machine.ira(mdis.loc_db) ircfg = ira.new_ircfg() ira.add_asmblock_to_ircfg(asm_block, ircfg) # Instanciate a Symbolic Execution engine with default value for registers symb = SymbolicExecutionEngine(ira) # Emulate one IR basic block ## Emulation of several basic blocks can be done through .emul_ir_blocks cur_addr = symb.run_at(ircfg, START_ADDR)
from miasm2.analysis.binary import Container from miasm2.analysis.machine import Machine # The Container will provide a *bin_stream*, bytes source for the disasm engine cont = Container.from_string( "\x83\xf8\x10\x74\x07\x89\xc6\x0f\x47\xc3\xeb\x08\x89\xc8\xe8\x31\x33\x22\x11\x40\xc3" ) # Instantiate a x86 32 bit architecture machine = Machine("x86_32") # Instantiate a disassembler engine, using the previous bin_stream and its # associated location DB. mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db) # Run a recursive traversal disassembling from address 0 asmcfg = mdis.dis_multiblock(0) # Display each basic blocks for block in asmcfg.blocks: print block # Output control flow graph in a dot file open('str_cfg.dot', 'w').write(asmcfg.dot())
# Update next blocks to process in the disassembly engine cur_bloc.bto.clear() cur_bloc.add_cst(loc_key, AsmConstraint.c_next) # Prepare a tiny shellcode shellcode = ''.join([ "\xe8\x00\x00\x00\x00", # CALL $ "X", # POP EAX "\xc3", # RET ]) # Instantiate a x86 32 bit architecture machine = Machine("x86_32") cont = Container.from_string(shellcode) mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db) print "Without callback:\n" asmcfg = mdis.dis_multiblock(0) print "\n".join(str(block) for block in asmcfg.blocks) # Enable callback mdis.dis_block_callback = cb_x86_callpop print "=" * 40 print "With callback:\n" asmcfg_after = mdis.dis_multiblock(0) print "\n".join(str(block) for block in asmcfg_after.blocks) # Ensure the callback has been called
from pdb import pm from miasm2.arch.x86.disasm import dis_x86_32 from miasm2.analysis.binary import Container from miasm2.core.asmblock import AsmCFG, AsmConstraint, AsmBlock, \ AsmLabel, AsmBlockBad, AsmConstraintTo, AsmConstraintNext, \ bbl_simplifier from miasm2.core.graph import DiGraphSimplifier, MatchGraphJoker from miasm2.expression.expression import ExprId # Initial data: from 'samples/simple_test.bin' data = "5589e583ec10837d08007509c745fc01100000eb73837d08017709c745fc02100000eb64837d08057709c745fc03100000eb55837d080774138b450801c083f80e7509c745fc04100000eb3c8b450801c083f80e7509c745fc05100000eb298b450883e03085c07409c745fc06100000eb16837d08427509c745fc07100000eb07c745fc081000008b45fcc9c3".decode("hex") cont = Container.from_string(data) # Test Disasm engine mdis = dis_x86_32(cont.bin_stream) ## Disassembly of one block first_block = mdis.dis_bloc(0) assert len(first_block.lines) == 5 print first_block ## Disassembly of several block, with cache blocks = mdis.dis_multibloc(0) assert len(blocks) == 0 ## Test cache mdis.job_done.clear() blocks = mdis.dis_multibloc(0) assert len(blocks) == 17 ## Equality between assembly lines is not yet implemented assert len(blocks.heads()) == 1
def from_bytecode(self, bytecode): container = Container.from_string(bytecode) mdis = self.machine.dis_engine(container.bin_stream) self.blks = mdis.dis_multibloc(0)