def compute(asm, inputstate={}, debug=False): loc_db = LocationDB() sympool = dict(regs_init) sympool.update({k: ExprInt(v, k.size) for k, v in viewitems(inputstate)}) ir_tmp = ir_arch(loc_db) ircfg = ir_tmp.new_ircfg() symexec = SymbolicExecutionEngine(ir_tmp, sympool) instr = mn.fromstring(asm, loc_db, "b") code = mn.asm(instr)[0] instr = mn.dis(code, "b") instr.offset = inputstate.get(PC, 0) lbl = ir_tmp.add_instr_to_ircfg(instr, ircfg) symexec.run_at(ircfg, lbl) if debug: for k, v in viewitems(symexec.symbols): if regs_init.get(k, None) != v: print(k, v) out = {} for k, v in viewitems(symexec.symbols): if k in EXCLUDE_REGS: continue elif regs_init.get(k, None) == v: continue elif isinstance(v, ExprInt): out[k] = int(v) else: out[k] = v return out
def compute(asm, inputstate={}, debug=False): loc_db = LocationDB() sympool = dict(regs_init) sympool.update({k: ExprInt(v, k.size) for k, v in viewitems(inputstate)}) ir_tmp = ir_arch(loc_db) ircfg = ir_tmp.new_ircfg() symexec = SymbolicExecutionEngine(ir_tmp, sympool) instr = mn.fromstring(asm, loc_db, "l") code = mn.asm(instr)[0] instr = mn.dis(code, "l") instr.offset = inputstate.get(PC, 0) lbl = ir_tmp.add_instr_to_ircfg(instr, ircfg) symexec.run_at(ircfg, lbl) if debug: for k, v in viewitems(symexec.symbols): if regs_init.get(k, None) != v: print(k, v) out = {} for k, v in viewitems(symexec.symbols): if k in EXCLUDE_REGS: continue elif regs_init.get(k, None) == v: continue elif isinstance(v, ExprInt): out[k] = int(v) else: out[k] = v return out
def symb_exec(lbl, ir_arch, ircfg, inputstate, debug): sympool = dict(regs_init) sympool.update(inputstate) symexec = SymbolicExecutionEngine(ir_arch, sympool) symexec.run_at(ircfg, lbl) if debug: for k, v in viewitems(symexec.symbols): if regs_init.get(k, None) != v: print(k, v) return { k: v for k, v in viewitems(symexec.symbols) if k not in EXCLUDE_REGS and regs_init.get(k, None) != v }
def symb_exec(lbl, lifter, ircfg, inputstate, debug): sympool = dict(regs_init) sympool.update(inputstate) symexec = SymbolicExecutionEngine(lifter, sympool) symexec.run_at(ircfg, lbl) if debug: for k, v in viewitems(symexec.symbols): if regs_init.get(k, None) != v: print(k, v) return { k: v for k, v in viewitems(symexec.symbols) if k not in EXCLUDE_REGS and regs_init.get(k, None) != v }
def ExecuteSymbolicSingleStep(addr, state=INIT_REG): size = idc.ItemSize(addr) code = idc.GetManyBytes(addr, size) loc_db = LocationDB() base = addr try: ins = mn_x86.dis(bin_stream_str(code, base_address=base), 64, base) except: return state.copy() ira = machine.ira(loc_db) ircfg = ira.new_ircfg() try: ira.add_instr_to_ircfg(ins, ircfg) sb = SymbolicExecutionEngine(ira, state) symbolic_pc = sb.run_at(ircfg, base) except: return state.copy() ret = state.copy() for key, value in sb.modified(): if isinstance(value, ExprOp) and value.op == "call_func_ret": value = ExprInt(0, 64) ret[key] = value return ret
def sym(data, addr, status): cont = Container.from_string(data, loc_db=loc_db, addr=addr) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) asm_block = mdis.dis_block(addr) # Translate ASM -> IR ircfg = ira.new_ircfg() try: ira.add_asmblock_to_ircfg(asm_block, ircfg) except NotImplementedError: return None # Instantiate a Symbolic Execution engine with default value for registers regs_init = regs.regs_init sympool = copy.deepcopy(regs_init) sympool.update(status) symb = SymbolicExecutionEngine(ira, sympool) # Emulate one IR basic block ## Emulation of several basic blocks can be done through .emul_ir_blocks cur_addr = symb.run_at(ircfg, addr) IRDst = symb.symbols[ira.IRDst] expr = expr_simp_explicit(IRDst) #if isinstance(expr, ExprMem): # expr = expr.ptr return expr
def compute(asm, inputstate={}, debug=False): loc_db = LocationDB() sympool = dict(regs_init) sympool.update({k: ExprInt(v, k.size) for k, v in viewitems(inputstate)}) ir_tmp = ir_arch(loc_db) ircfg = ir_tmp.new_ircfg() symexec = SymbolicExecutionEngine(ir_tmp, sympool) instr = mn.fromstring(asm, mode) code = mn.asm(instr)[0] instr = mn.dis(code, mode) instr.offset = inputstate.get(PC, 0) loc_key = ir_tmp.add_instr_to_ircfg(instr, ircfg) symexec.run_at(ircfg, loc_key) if debug: for k, v in viewitems(symexec.symbols): if regs_init.get(k, None) != v: print(k, v) return { k: v.arg.arg for k, v in viewitems(symexec.symbols) if k not in EXCLUDE_REGS and regs_init.get(k, None) != v }
def compute(asm, inputstate={}, debug=False): loc_db = LocationDB() sympool = dict(regs_init) sympool.update({k: ExprInt(v, k.size) for k, v in viewitems(inputstate)}) ir_tmp = ir_arch(loc_db) ircfg = ir_tmp.new_ircfg() symexec = SymbolicExecutionEngine(ir_tmp, sympool) instr = mn.fromstring(asm, mode) code = mn.asm(instr)[0] instr = mn.dis(code, mode) instr.offset = inputstate.get(PC, 0) loc_key = ir_tmp.add_instr_to_ircfg(instr, ircfg) symexec.run_at(ircfg, loc_key) if debug: for k, v in viewitems(symexec.symbols): if regs_init.get(k, None) != v: print(k, v) return { k: v.arg.arg for k, v in viewitems(symexec.symbols) if k not in EXCLUDE_REGS and regs_init.get(k, None) != v }
def symbolic_exec(): from miasm.ir.symbexec import SymbolicExecutionEngine from miasm.core.bin_stream_ida import bin_stream_ida from utils import guess_machine start, end = idc.read_selection_start(), idc.read_selection_end() loc_db = LocationDB() bs = bin_stream_ida() machine = guess_machine(addr=start) mdis = machine.dis_engine(bs, loc_db=loc_db) if start == idc.BADADDR and end == idc.BADADDR: start = idc.get_screen_ea() end = idc.next_head(start) # Get next instruction address mdis.dont_dis = [end] asmcfg = mdis.dis_multiblock(start) ira = machine.ira(loc_db=loc_db) ircfg = ira.new_ircfg_from_asmcfg(asmcfg) print("Run symbolic execution...") sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init) sb.run_at(ircfg, start) modified = {} for dst, src in sb.modified(init_state=machine.mn.regs.regs_init): modified[dst] = src view = symbolicexec_t() all_views.append(view) if not view.Create( modified, machine, loc_db, "Symbolic Execution - 0x%x to 0x%x" % (start, idc.prev_head(end))): return view.Show()
def symbolic_exec(): from miasm.ir.symbexec import SymbolicExecutionEngine from miasm.core.bin_stream_ida import bin_stream_ida from utils import guess_machine start, end = idc.SelStart(), idc.SelEnd() bs = bin_stream_ida() machine = guess_machine(addr=start) mdis = machine.dis_engine(bs) if start == idc.BADADDR and end == idc.BADADDR: start = idc.ScreenEA() end = idc.next_head(start) # Get next instruction address mdis.dont_dis = [end] asmcfg = mdis.dis_multiblock(start) ira = machine.ira(loc_db=mdis.loc_db) ircfg = ira.new_ircfg_from_asmcfg(asmcfg) print("Run symbolic execution...") sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init) sb.run_at(ircfg, start) modified = {} for dst, src in sb.modified(init_state=machine.mn.regs.regs_init): modified[dst] = src view = symbolicexec_t() all_views.append(view) if not view.Create(modified, machine, mdis.loc_db, "Symbolic Execution - 0x%x to 0x%x" % (start, idc.prev_head(end))): return view.Show()
# ircfg = ira.new_ircfg(asmcfg) # print(loc_db._offset_to_loc_key.keys()[0]) sb = SymbolicExecutionEngine(ira) # symbolic_pc = sb.run_at(ircfg, loc_db._offset_to_loc_key.keys()[0]) # for index, info in enumerate(sb.info_ids): # print('###### step', index+1) # print('\t', info[0]) # for reg in info[1]: # print('\t\t', reg, ':', info[1][reg]) # dse = DSEEngine(machine) # sb.symbols[machine.mn.regs.ECX] = ExprInt(253, 32) # sb.symbols[machine.mn.regs.EBP] = ExprOp('+', ExprId('ESP', 32), ExprInt(0xFFFFFFFC, 32)) # memory_expr = dse.memory_to_expr(0x40000004) # sb.symbols[machine.mn.regs.EBP] = dse.eval_expr(memory_expr) symbolic_pc = sb.run_at(ircfg, loc_db._offset_to_loc_key.keys()[0]) print('###### modified state step by step') for step, info in enumerate(sb.info_ids): print('###### step', step + 1) print('\t', info[0]) print('\t### info_ids') print('\t\t', info[1]) # for reg in info[1]: # print('\t\t', reg, ':', info[1][reg]) print('\t### info_mems') print('\t\t', sb.info_mems[step][1]) print() translator = TranslatorZ3(endianness="<", loc_db=loc_db) z3_expr_dict = dict() print('###### z3_expr about variable step by step')
asm = machine.mn.asm(line)[0] # Get back block cont = Container.from_string(asm, loc_db = loc_db) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) mdis.lines_wd = 1 asm_block = mdis.dis_block(START_ADDR) # Translate ASM -> IR lifter_model_call = machine.lifter_model_call(mdis.loc_db) ircfg = lifter_model_call.new_ircfg() lifter_model_call.add_asmblock_to_ircfg(asm_block, ircfg) # Instantiate a Symbolic Execution engine with default value for registers symb = SymbolicExecutionEngine(lifter_model_call) # Emulate one IR basic block ## Emulation of several basic blocks can be done through .emul_ir_blocks cur_addr = symb.run_at(ircfg, START_ADDR) # Modified elements print('Modified registers:') symb.dump(mems=False) print('Modified memory (should be empty):') symb.dump(ids=False) # Check final status eax, ebx = lifter_model_call.arch.regs.EAX, lifter_model_call.arch.regs.EBX assert symb.symbols[eax] == ebx assert eax in symb.symbols
lifter = LifterModelCall_x86_32(loc_db) ircfg = lifter.new_ircfg() first_block = list(asmcfg.blocks)[0] lifter.add_asmblock_to_ircfg(first_block, ircfg) # --- Symbolic execution --- # from miasm.ir.symbexec import SymbolicExecutionEngine from miasm.expression.expression import * symb = SymbolicExecutionEngine(lifter, machine.mn.regs.regs_init) # irDst contains the offset of next IR basic block to execute irDst = symb.run_at(ircfg, entry_addr, step=False) print("IR Dest = ", irDst) # Provide symbolic context to irDst expr_flag = ExprId("flag", 32) result = symb.eval_expr( expr_simp( irDst.replace_expr( { expr_simp( ExprMem(machine.mn.regs.EBP_init - ExprInt(0x4, 32), 32)): expr_flag, }))) print("IR Dest Semantics = ", result) # Dump the final state of symbolic execution
asm = machine.mn.asm(line)[0] # Get back block cont = Container.from_string(asm, loc_db = loc_db) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) mdis.lines_wd = 1 asm_block = mdis.dis_block(START_ADDR) # Translate ASM -> IR ira = machine.ira(mdis.loc_db) ircfg = ira.new_ircfg() ira.add_asmblock_to_ircfg(asm_block, ircfg) # Instantiate a Symbolic Execution engine with default value for registers symb = SymbolicExecutionEngine(ira) # Emulate one IR basic block ## Emulation of several basic blocks can be done through .emul_ir_blocks cur_addr = symb.run_at(ircfg, START_ADDR) # Modified elements print('Modified registers:') symb.dump(mems=False) print('Modified memory (should be empty):') symb.dump(ids=False) # Check final status eax, ebx = ira.arch.regs.EAX, ira.arch.regs.EBX assert symb.symbols[eax] == ebx assert eax in symb.symbols