def exec_instruction(hex_asm, init_values):
"""Symbolically execute an instruction"""
print "Hex:", hex_asm
# Disassemble an instruction
mn = mn_mep.dis(hex_asm.decode("hex"), "b")
print "Dis:", mn
# Get the IR
im = ir_mepb()
iir, eiir, = im.get_ir(mn)
print "\nInternal representation:", iir
# Symbolic execution
loc_db = LocationDB()
sb = SymbolicExecutionEngine(ir_a_mepb(loc_db), regs_init)
# Assign register values before symbolic evaluation
for reg_expr_id, reg_expr_value in init_values:
sb.symbols[reg_expr_id] = reg_expr_value
print "\nModified registers:", [reg for reg in sb.modified(mems=False)]
print "Modified memories:", [mem for mem in sb.modified()]
print "\nFinal registers:"
sb.dump(mems=False)
print "\nFinal mems:"
sb.dump()
def exec_instruction(hex_asm, init_values):
"""Symbolically execute an instruction"""
print "Hex:", hex_asm
# Disassemble an instruction
mn = mn_mep.dis(hex_asm.decode("hex"), "b")
print "Dis:", mn
# Get the IR
im = ir_mepb()
iir, eiir, = im.get_ir(mn)
print "\nInternal representation:", iir
# Symbolic execution
loc_db = LocationDB()
sb = SymbolicExecutionEngine(ir_a_mepb(loc_db), regs_init)
# Assign register values before symbolic evaluation
for reg_expr_id, reg_expr_value in init_values:
sb.symbols[reg_expr_id] = reg_expr_value
print "\nModified registers:", [
reg for reg in sb.modified(mems=False)
]
print "Modified memories:", [mem for mem in sb.modified()]
print "\nFinal registers:"
sb.dump(mems=False)
print "\nFinal mems:"
sb.dump()
def test(self):
# Disassemble & assemble unit tests
unit_tests = [("ADD R1, 2", "6108")]
unit_tests += [("JMP 0xC3FA38", "d9c8c3fa")]
unit_tests += [("SLT3 R0, R8, R10", "08a2")]
unit_tests += [("SB R9, (R4)", "0948")]
unit_tests += [("SSARB 3(GP)", "13ec")]
unit_tests += [("SWCPI C13, (R2+)", "3d20")]
unit_tests += [("ADD3 R2, SP, 0x1C", "421c")]
unit_tests += [("SW R7, 0x50(SP)", "4752")]
for mn_str, mn_hex in unit_tests:
print "-" * 49 # Tests separation
# Dissassemble
mn_bin = mn_hex.decode("hex")
mn = mn_mep.dis(mn_bin, "b")
print "dis: %s -> %s" % (mn_hex.rjust(20), str(mn).rjust(20))
assert (str(mn) == mn_str) # dissassemble assertion
# Assemble and return all possible candidates
instr = mn_mep.fromstring(str(mn), "b")
instr.mode = "b"
asm_list = [i.encode("hex") for i in mn_mep.asm(instr)]
# Print the results
print "asm: %s -> %s" % (mn_str.rjust(20),
", ".join(asm_list).rjust(20))
assert (mn_hex in asm_list) # assemble assertion
def dis(mn_hex):
"""Disassembly helper"""
mn_bin = mn_hex.decode("hex")
try:
return mn_mep.dis(mn_bin, "b")
except Disasm_Exception:
assert (False) # miasm don't know what to do
def test(self):
# Disassemble & assemble unit tests
unit_tests = [("ADD R1, 2", "6108")]
unit_tests += [("JMP 0xC3FA38", "d9c8c3fa")]
unit_tests += [("SLT3 R0, R8, R10", "08a2")]
unit_tests += [("SB R9, (R4)", "0948")]
unit_tests += [("SSARB 3(GP)", "13ec")]
unit_tests += [("SWCPI C13, (R2+)", "3d20")]
unit_tests += [("ADD3 R2, SP, 0x1C", "421c")]
unit_tests += [("SW R7, 0x50(SP)", "4752")]
for mn_str, mn_hex in unit_tests:
print "-" * 49 # Tests separation
# Dissassemble
mn_bin = mn_hex.decode("hex")
mn = mn_mep.dis(mn_bin, "b")
print "dis: %s -> %s" % (mn_hex.rjust(20), str(mn).rjust(20))
assert(str(mn) == mn_str) # dissassemble assertion
# Assemble and return all possible candidates
instr = mn_mep.fromstring(str(mn), "b")
instr.mode = "b"
asm_list = [i.encode("hex") for i in mn_mep.asm(instr)]
# Print the results
print "asm: %s -> %s" % (mn_str.rjust(20),
", ".join(asm_list).rjust(20))
assert(mn_hex in asm_list) # assemble assertion
def dis(mn_hex):
"""Disassembly helper"""
mn_bin = mn_hex.decode("hex")
try:
return mn_mep.dis(mn_bin, "b")
except Disasm_Exception:
assert(False) # miasm don't know what to do
def exec_instruction(mn_str, init_values, results, index=0, offset=0):
"""Symbolically execute an instruction and check the expected results."""
# Assemble and disassemble the instruction
instr = mn_mep.fromstring(mn_str, "b")
instr.mode = "b"
mn_bin = mn_mep.asm(instr)[index]
try:
instr = mn_mep.dis(mn_bin, "b")
except Disasm_Exception:
assert (False) # miasm don't know what to do
# Specify the instruction offset and compute the destination label
instr.offset = offset
loc_db = LocationDB()
if instr.dstflow():
instr.dstflow2label(loc_db)
# Get the IR
im = ir_mepb(loc_db)
iir, eiir = im.get_ir(instr)
# Filter out IRDst
iir = [
ir for ir in iir
if not (isinstance(ir, ExprAff) and isinstance(ir.dst, ExprId)
and ir.dst.name == "IRDst")
]
# Prepare symbolic execution
sb = SymbolicExecutionEngine(ir_a_mepb(loc_db), regs_init)
# Assign int values before symbolic evaluation
for expr_id, expr_value in init_values:
sb.symbols[expr_id] = expr_value
# Execute the IR
ab = AssignBlock(iir)
sb.eval_updt_assignblk(ab)
# Check if expected expr_id were modified
matched_results = 0
for expr_id, expr_value in results:
result = sb.eval_expr(expr_id)
if isinstance(result, ExprLoc):
addr = loc_db.get_location_offset(result.loc_key)
if expr_value.arg == addr:
matched_results += 1
continue
elif result == expr_value:
matched_results += 1
continue
# Ensure that all expected results were verified
if len(results) is not matched_results:
print "Expected:", results
print "Modified:", [r for r in sb.modified(mems=False)]
assert (False)
def exec_instruction(mn_str, init_values, results, index=0, offset=0):
"""Symbolically execute an instruction and check the expected results."""
# Assemble and disassemble the instruction
instr = mn_mep.fromstring(mn_str, "b")
instr.mode = "b"
mn_bin = mn_mep.asm(instr)[index]
try:
instr = mn_mep.dis(mn_bin, "b")
except Disasm_Exception:
assert(False) # miasm don't know what to do
# Specify the instruction offset and compute the destination label
instr.offset = offset
loc_db = LocationDB()
if instr.dstflow():
instr.dstflow2label(loc_db)
# Get the IR
im = ir_mepb(loc_db)
iir, eiir = im.get_ir(instr)
# Filter out IRDst
iir = [ir for ir in iir if not (isinstance(ir, ExprAssign) and
isinstance(ir.dst, ExprId) and
ir.dst.name == "IRDst")]
# Prepare symbolic execution
sb = SymbolicExecutionEngine(ir_a_mepb(loc_db), regs_init)
# Assign int values before symbolic evaluation
for expr_id, expr_value in init_values:
sb.symbols[expr_id] = expr_value
# Execute the IR
ab = AssignBlock(iir)
sb.eval_updt_assignblk(ab)
# Check if expected expr_id were modified
matched_results = 0
for expr_id, expr_value in results:
result = sb.eval_expr(expr_id)
if isinstance(result, ExprLoc):
addr = loc_db.get_location_offset(result.loc_key)
if expr_value.arg == addr:
matched_results += 1
continue
elif result == expr_value:
matched_results += 1
continue
# Ensure that all expected results were verified
if len(results) is not matched_results:
print "Expected:", results
print "Modified:", [r for r in sb.modified(mems=False)]
assert(False)