def get_funcs_arg0(ctx, ira, lbl_head):
    """Yield the value of RSI at every location returned by find_call(@ira).

    A DependencyGraph (calls not followed) is built once over @ira; for each
    (block, line index) pair produced by find_call() every solution is
    emulated in @ctx and the resulting RSI value is yielded.

    @ctx: evaluation context handed to each solution's emul()
    @ira: IR analysis whose arch exposes regs.RSI
    @lbl_head: label of the analysed function's head (search boundary)
    """
    tracked_reg = ira.arch.regs.RSI
    dep_graph = DependencyGraph(ira, follow_call=False)
    for block, line_index in find_call(ira):
        instr = block.lines[line_index]
        print 'Analysing references from:', hex(instr.offset), instr
        solutions = dep_graph.get(block.label, set([tracked_reg]),
                                  line_index, set([lbl_head]))
        for solution in solutions:
            # NOTE(review): emul() presumably returns a mapping keyed by
            # expression; a solution without RSI would raise KeyError here.
            yield solution.emul(ctx)[tracked_reg]
def get_funcs_arg0(ctx, ira, lbl_head):
    """Compute DependencyGraph on the func @lbl_head and yield, for every
    location returned by find_call(@ira), the value RSI takes in each
    emulated solution.

    @ctx: evaluation context handed to each solution's emul()
    @ira: IR analysis whose arch exposes regs.RSI
    @lbl_head: label of the analysed function's head (search boundary)
    """
    tracked_reg = ira.arch.regs.RSI
    dep_graph = DependencyGraph(ira, follow_call=False)
    for block, assign_index in find_call(ira):
        instr = block.irs[assign_index].instr
        print 'Analysing references from:', hex(instr.offset), instr
        for solution in dep_graph.get(block.label, set([tracked_reg]),
                                      assign_index, set([lbl_head])):
            # NOTE(review): emul() presumably returns a mapping keyed by
            # expression; a solution without RSI would raise KeyError here.
            yield solution.emul(ctx)[tracked_reg]
ir_arch = machine.ira(mdis.symbol_pool) # Disassemble the targeted function blocks = mdis.dis_multibloc(int(args.func_addr, 16)) # Generate IR for block in blocks: ir_arch.add_bloc(block) # Build the IRA Graph ir_arch.gen_graph() # Get the instance dg = DependencyGraph(ir_arch, implicit=args.implicit, apply_simp=not (args.do_not_simplify), follow_mem=not (args.unfollow_mem), follow_call=not (args.unfollow_call)) # Build information target_addr = int(args.target_addr, 16) current_block = list(ir_arch.getby_offset(target_addr))[0] line_nb = 0 for line_nb, line in enumerate(current_block.lines): if line.offset == target_addr: break # Enumerate solutions for sol_nb, sol in enumerate( dg.get(current_block.label, elements, line_nb, set())): fname = "sol_%d.dot" % sol_nb
def depgraph(self):
    """Build a DependencyGraph over self.ira from the bitmask self.cMethod.value.

    Bit 0 enables follow_mem, bit 1 follow_call, bit 2 implicit. The masked
    ints themselves (0/1/2/4) are passed, not booleans; they are only used
    for their truthiness.
    """
    mode = self.cMethod.value
    follow_mem = mode & 1
    follow_call = mode & 2
    implicit = mode & 4
    return DependencyGraph(self.ira,
                           implicit=implicit,
                           follow_mem=follow_mem,
                           follow_call=follow_call)
(g2_ira, g2_input, [g2_output1]), (g3_ira, g3_input, [g3_output1, g3_output2]), (g4_ira, g4_input, [g4_output1]), (g5_ira, g5_input, [g5_output1]), (g6_ira, g6_input, [g6_output1]), (g7_ira, g7_input, [g7_output1]), (g8_ira, g8_input, [g8_output1, g8_output2]), (g8_ira, g9_input, [g9_output1, g9_output2]), (g10_ira, g10_input, [g10_output1]), ]): # Extract test elements print "[+] Test", i + 1 g_ira, (depnodes, heads), g_test_list = test open("graph_%02d.dot" % (i + 1), "w").write(g_ira.g.dot()) # Test classes for g_dep in [DependencyGraph(g_ira), DependencyGraph_NoMemory(g_ira)]: print " - Class %s" % g_dep.__class__.__name__ ## Test public APIs for api_i, g_list in enumerate([ g_dep.get_fromDepNodes(depnodes, heads), g_dep.get( list(depnodes)[0].label, [depnode.element for depnode in depnodes], list(depnodes)[0].line_nb, heads) ]): print " - - API %s" % ("get_fromDepNodes" if api_i == 0 else "get") ### Expand result iterator g_list = list(g_list) ### Dump outputs graphs for debug means
(G16_IRA, G16_INPUT), (G17_IRA, G17_INPUT), ]): # Extract test elements print "[+] Test", test_nb + 1 g_ira, (depnodes, heads) = test open("graph_%02d.dot" % (test_nb + 1), "w").write(g_ira.graph.dot()) open("graph_%02d.dot" % (test_nb + 1), "w").write(bloc2graph(g_ira)) # Different options suffix_key_list = ["", "_nosimp", "_nomem", "_nocall", "_implicit"] # Test classes for g_ind, g_dep in enumerate([DependencyGraph(g_ira), DependencyGraph(g_ira, apply_simp=False), DependencyGraph(g_ira, follow_mem=False), DependencyGraph(g_ira, follow_mem=False, follow_call=False), # DependencyGraph(g_ira, implicit=True), ]): # if g_ind == 4: # TODO: Implicit specifications # continue print " - Class %s - %s" % (g_dep.__class__.__name__, suffix_key_list[g_ind]) # Select the correct result key mode_suffix = suffix_key_list[g_ind] graph_test_key = "graph" + mode_suffix
(g3_ira, g3_input, [g3_output1, g3_output2]), (g4_ira, g4_input, [g4_output1]), (g5_ira, g5_input, [g5_output1]), (g6_ira, g6_input, [g6_output1]), (g7_ira, g7_input, [g7_output1]), (g8_ira, g8_input, [g8_output1, g8_output2]), (g8_ira, g9_input, [g9_output1, g9_output2]), (g10_ira, g10_input, [g10_output1]), (g11_ira, g11_input, [g11_output1]), ]): # Extract test elements print "[+] Test", i+1 g_ira, (depnodes, heads), g_test_list = test open("graph_%02d.dot" % (i+1), "w").write(g_ira.g.dot()) # Test classes for g_dep in [DependencyGraph(g_ira), DependencyGraph_NoMemory(g_ira)]: print " - Class %s" % g_dep.__class__.__name__ ## Test public APIs for api_i, g_list in enumerate([g_dep.get_fromDepNodes(depnodes, heads), g_dep.get(list(depnodes)[0].label, [depnode.element for depnode in depnodes], list(depnodes)[0].line_nb, heads)]): print " - - API %s" % ("get_fromDepNodes" if api_i == 0 else "get") ### Expand result iterator g_list = list(g_list) ### Dump outputs graphs for debug means
# StdCall example: name the four 32-bit stack slots above the initial ESP
# (ESP_init + 4, +8, +12, +16) arg0..arg3 in the initial context.
# init_ctx is defined earlier, outside this excerpt — presumably a dict
# mapping expressions to their initial value.
for i in xrange(4):
    e_mem = ExprMem(
        ExprId("ESP_init", 32) + ExprInt(4 * (i + 1), 32), 32)
    init_ctx[e_mem] = ExprId("arg%d" % i, 32)

# Disassemble the targeted function; base 0 lets int() honour a 0x prefix
asmcfg = mdis.dis_multiblock(int(args.func_addr, 0))

# Generate IR
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)

# Get the instance; the args.unfollow_* / args.do_not_simplify options are
# negated here so that the DependencyGraph flags mean "enabled".
dg = DependencyGraph(ircfg, implicit=args.implicit,
                     apply_simp=not args.do_not_simplify,
                     follow_mem=not args.unfollow_mem,
                     follow_call=not args.unfollow_call)

# Build information: find the IR block containing target_addr and the
# index of the AssignBlock whose instruction sits at that address.
target_addr = int(args.target_addr, 0)
# First matching block only; raises IndexError if no block covers target_addr
current_block = list(ircfg.getby_offset(target_addr))[0]
assignblk_index = 0
for assignblk_index, assignblk in enumerate(current_block):
    if assignblk.instr.offset == target_addr:
        break
# NOTE: if no AssignBlock has exactly that offset the loop runs through and
# assignblk_index is silently left at the last index (0 for an empty block).

# Enumerate solutions returned by dg.get(); `elements` is defined earlier,
# outside this excerpt, and json_solutions collects the per-solution output.
# The loop body continues beyond this excerpt.
json_solutions = []
for sol_nb, sol in enumerate(
        dg.get(current_block.loc_key, elements, assignblk_index, set())):
    # … body continues beyond this excerpt …
(g4_ira, g4_input, [g4_output1]), (g5_ira, g5_input, [g5_output1]), (g6_ira, g6_input, [g6_output1]), (g7_ira, g7_input, [g7_output1]), (g8_ira, g8_input, [g8_output1, g8_output2]), (g8_ira, g9_input, [g9_output1, g9_output2]), (g10_ira, g10_input, [g10_output1]), (g11_ira, g11_input, [g11_output1]), ]): # Extract test elements print "[+] Test", i + 1 g_ira, (depnodes, heads), g_test_list = test open("graph_%02d.dot" % (i + 1), "w").write(g_ira.g.dot()) # Test classes for g_dep in [ DependencyGraph(g_ira), DependencyGraph(g_ira, apply_simp=False), DependencyGraph(g_ira, follow_mem=False), DependencyGraph(g_ira, follow_mem=False, follow_call=False) ]: print " - Class %s" % g_dep.__class__.__name__ ## Test public APIs for api_i, g_list in enumerate([ g_dep.get_fromDepNodes(depnodes, heads), g_dep.get( list(depnodes)[0].label, [depnode.element for depnode in depnodes], list(depnodes)[0].line_nb, heads) ]): print " - - API %s" % ("get_fromDepNodes" if api_i == 0 else "get")