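def main():
    """Assemble ``test_code``, look for the ``rax_is_one`` goal and solve
    the collected path constraints with z3.

    Relies on names defined elsewhere in this file: ``assemble_text``,
    ``test_code``, ``dis_engine``, ``ir_a_x86_64``, ``all_regs_ids``,
    ``all_regs_ids_init``, ``find_goal``, ``rax_is_one``, ``Translator``,
    ``z3`` and ``sys``.

    Prints one ``name: value`` line per variable of the z3 model when the
    constraints are satisfiable; exits with status -1 when ``find_goal``
    returns ``None`` or when the solver does not report ``sat`` (unsat and
    unknown are treated alike).
    """
    # Assemble the snippet with its entry label placed at offset 0, then
    # disassemble from 0 and lift every reached basic block to IR.
    buf = assemble_text(test_code, [("L_MAIN", 0)])
    mdis = dis_engine(buf)
    ir = ir_a_x86_64(mdis.symbol_pool)
    for bbl in mdis.dis_multibloc(0):
        ir.add_bloc(bbl)

    # Initial symbolic state: each register bound to its init symbol.
    # The two register lists are parallel, so zip replaces the index loop.
    symbols_init = dict(zip(all_regs_ids, all_regs_ids_init))

    # find_goal is defined elsewhere; it is expected to hand back a
    # sequence of (expression, constant) constraints, or None on failure.
    conds = find_goal(ir, 0, symbols_init, rax_is_one)
    if conds is None:
        print("Goal was not found")
        sys.exit(-1)

    # Translate each constraint's left side to z3 and pin it to the
    # concrete right side. `rval` is assumed to be an ExprInt whose `.arg`
    # holds the integer value — anything else raises here instead of
    # producing a bogus constraint.
    translator = Translator.to_language("z3")
    solver = z3.Solver()
    for lval, rval in conds:
        solver.add(translator.from_expr(lval) == int(rval.arg))

    if solver.check() != z3.sat:
        print("No solution")
        sys.exit(-1)

    # Dump the satisfying assignment, one variable per line.
    model = solver.model()
    for var in model:
        print("%s: %d" % (var.name(), model[var].as_long()))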
from miasm2.arch.mips32.ira import ir_a_mips32 as ira elif processor_name == "mipsb": from miasm2.arch.mips32.disasm import dis_mips32b as dis_engine from miasm2.arch.mips32.ira import ir_a_mips32 as ira else: print repr(processor_name) raise NotImplementedError('not fully functional') print "Arch", dis_engine fname = GetInputFile() print fname bs = bin_stream_ida() mdis = dis_engine(bs) ir_arch = ira(mdis.symbol_pool) # populate symbols with ida names for ad, name in Names(): # print hex(ad), repr(name) if name is None: continue mdis.symbol_pool.add_label(name, ad) print "start disasm" ad = ScreenEA() print hex(ad) ab = mdis.dis_multibloc(ad)
addr = addr.name states_todo.add((addr, symbexec.symbols.copy(), tuple(conds))) elif addr == ret_addr: print 'Return address reached' continue else: raise ValueError("Unsupported destination") if __name__ == '__main__': translator_smt2 = Translator.to_language("smt2") data = open(args[0]).read() bs = bin_stream_str(data) mdis = dis_engine(bs) addr = int(options.address, 16) symbols_init = dict(machine.mn.regs.regs_init) # config parser for 32 bit reg_and_id = dict(machine.mn.regs.all_regs_ids_byname) def my_ast_int2expr(name): return ExprInt(name, 32) # Modifify parser to avoid label creation in PUSH argc def my_ast_id2expr(string_parsed): if string_parsed in reg_and_id: return reg_and_id[string_parsed]
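# Minimalist symbolic execution example: assemble "MOV EAX, EBX", lift it
# to IR, emulate it symbolically from an all-symbolic register state and
# check that EAX now carries EBX's initial symbol.
from miasm2.core.bin_stream import bin_stream_str
from miasm2.arch.x86.arch import mn_x86
from miasm2.arch.x86.ira import ir_a_x86_32
from miasm2.arch.x86.regs import all_regs_ids, all_regs_ids_init
from miasm2.ir.symbexec import symbexec
from miasm2.arch.x86.disasm import dis_x86_32 as dis_engine
import miasm2.expression.expression as m2_expr

# Assemble one 32-bit instruction; asm() yields candidate encodings, the
# first one is used. Wrap the bytes as a bin_stream for the disassembler.
instr = mn_x86.fromstring("MOV EAX, EBX", 32)
asm = mn_x86.asm(instr)[0]
bin_stream = bin_stream_str(asm)

# Disassemble from offset 0 and lift every reached basic block to IR.
mdis = dis_engine(bin_stream)
ir = ir_a_x86_32(mdis.symbol_pool)
for bbl in mdis.dis_multibloc(0):
    ir.add_bloc(bbl)

# Initial state: each register bound to its init symbol. The two lists
# are parallel, so zip replaces the enumerate/index loop.
symbols_init = dict(zip(all_regs_ids, all_regs_ids_init))

# Emulate the block at offset 0 symbolically.
symb = symbexec(ir, symbols_init)
block = ir.get_bloc(0)
cur_addr = symb.emulbloc(block)

# After MOV EAX, EBX the symbolic EAX must equal the initial EBX symbol.
assert symb.symbols[m2_expr.ExprId("EAX")] == symbols_init[m2_expr.ExprId("EBX")]
print('modified registers:')
symb.dump_id()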
parser = ArgumentParser("Constant expression propagation") parser.add_argument('filename', help="File to analyze") parser.add_argument('address', help="Starting address for disassembly engine") parser.add_argument( '-s', "--simplify", action="store_true", help="Apply simplifications rules (liveness, graph simplification, ...)") args = parser.parse_args() machine = Machine("x86_32") cont = Container.from_stream(open(args.filename)) ira, dis_engine = machine.ira, machine.dis_engine mdis = dis_engine(cont.bin_stream) ir_arch = ira(mdis.loc_db) addr = int(args.address, 0) asmcfg = mdis.dis_multiblock(addr) ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg) entry_points = set([mdis.loc_db.get_offset_location(addr)]) init_infos = ir_arch.arch.regs.regs_init cst_propag_link = propagate_cst_expr(ir_arch, ircfg, addr, init_infos) if args.simplify: ircfg.simplify(expr_simp) modified = True while modified: modified = False
parser = ArgumentParser("Constant expression propagation") parser.add_argument('filename', help="File to analyze") parser.add_argument('address', help="Starting address for disassembly engine") parser.add_argument('-s', "--simplify", action="store_true", help="Apply simplifications rules (liveness, graph simplification, ...)") args = parser.parse_args() machine = Machine("x86_32") cont = Container.from_stream(open(args.filename)) ira, dis_engine = machine.ira, machine.dis_engine mdis = dis_engine(cont.bin_stream) ir_arch = ira(mdis.symbol_pool) addr = int(args.address, 0) asmcfg = mdis.dis_multiblock(addr) for block in asmcfg.blocks: ir_arch.add_block(block) init_infos = ir_arch.arch.regs.regs_init cst_propag_link = propagate_cst_expr(ir_arch, addr, init_infos) if args.simplify: ir_arch.simplify(expr_simp) modified = True