def __init__(self):
self.machine = Machine('x86_64')
self.dis_engine, self.ira = self.machine.dis_engine, self.machine.ira
self.bs = bin_stream_ida()
self.mdis = self.dis_engine(self.bs)
self.ssa_cache = {}
self.ssa_with_state_cache = {}
return
def symbolic_exec():
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.core.bin_stream_ida import bin_stream_ida
from utils import guess_machine
start, end = idc.read_selection_start(), idc.read_selection_end()
loc_db = LocationDB()
bs = bin_stream_ida()
machine = guess_machine(addr=start)
mdis = machine.dis_engine(bs, loc_db=loc_db)
if start == idc.BADADDR and end == idc.BADADDR:
start = idc.get_screen_ea()
end = idc.next_head(start) # Get next instruction address
mdis.dont_dis = [end]
asmcfg = mdis.dis_multiblock(start)
ira = machine.ira(loc_db=loc_db)
ircfg = ira.new_ircfg_from_asmcfg(asmcfg)
print("Run symbolic execution...")
sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init)
sb.run_at(ircfg, start)
modified = {}
for dst, src in sb.modified(init_state=machine.mn.regs.regs_init):
modified[dst] = src
view = symbolicexec_t()
all_views.append(view)
if not view.Create(
modified, machine, loc_db, "Symbolic Execution - 0x%x to 0x%x" %
(start, idc.prev_head(end))):
return
view.Show()
def symbolic_exec():
from miasm.ir.symbexec import SymbolicExecutionEngine
from miasm.core.bin_stream_ida import bin_stream_ida
from utils import guess_machine
start, end = idc.SelStart(), idc.SelEnd()
bs = bin_stream_ida()
machine = guess_machine(addr=start)
mdis = machine.dis_engine(bs)
if start == idc.BADADDR and end == idc.BADADDR:
start = idc.ScreenEA()
end = idc.next_head(start) # Get next instruction address
mdis.dont_dis = [end]
asmcfg = mdis.dis_multiblock(start)
ira = machine.ira(loc_db=mdis.loc_db)
ircfg = ira.new_ircfg_from_asmcfg(asmcfg)
print("Run symbolic execution...")
sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init)
sb.run_at(ircfg, start)
modified = {}
for dst, src in sb.modified(init_state=machine.mn.regs.regs_init):
modified[dst] = src
view = symbolicexec_t()
all_views.append(view)
if not view.Create(modified, machine, mdis.loc_db,
"Symbolic Execution - 0x%x to 0x%x"
% (start, idc.prev_head(end))):
return
view.Show()
def build_graph(start_addr, type_graph, simplify=False, dontmodstack=True, loadint=False, verbose=False):
machine = guess_machine(addr=start_addr)
dis_engine, ira = machine.dis_engine, machine.ira
class IRADelModCallStack(ira):
def call_effects(self, addr, instr):
assignblks, extra = super(IRADelModCallStack, self).call_effects(addr, instr)
if not dontmodstack:
return assignblks, extra
out = []
for assignblk in assignblks:
dct = dict(assignblk)
dct = {
dst:src for (dst, src) in viewitems(dct) if dst != self.sp
}
out.append(AssignBlock(dct, assignblk.instr))
return out, extra
if verbose:
print("Arch", dis_engine)
fname = idc.get_root_filename()
if verbose:
print(fname)
bs = bin_stream_ida()
mdis = dis_engine(bs)
ir_arch = IRADelModCallStack(mdis.loc_db)
# populate symbols with ida names
for addr, name in idautils.Names():
if name is None:
continue
if (mdis.loc_db.get_offset_location(addr) or
mdis.loc_db.get_name_location(name)):
# Symbol alias
continue
mdis.loc_db.add_location(name, addr)
if verbose:
print("start disasm")
if verbose:
print(hex(start_addr))
asmcfg = mdis.dis_multiblock(start_addr)
entry_points = set([mdis.loc_db.get_offset_location(start_addr)])
if verbose:
print("generating graph")
open('asm_flow.dot', 'w').write(asmcfg.dot())
print("generating IR... %x" % start_addr)
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
if verbose:
print("IR ok... %x" % start_addr)
for irb in list(viewvalues(ircfg.blocks)):
irs = []
for assignblk in irb:
new_assignblk = {
expr_simp(dst): expr_simp(src)
for dst, src in viewitems(assignblk)
}
irs.append(AssignBlock(new_assignblk, instr=assignblk.instr))
ircfg.blocks[irb.loc_key] = IRBlock(irb.loc_key, irs)
if verbose:
out = ircfg.dot()
open(os.path.join(tempfile.gettempdir(), 'graph.dot'), 'wb').write(out)
title = "Miasm IR graph"
head = list(entry_points)[0]
if simplify:
ircfg_simplifier = IRCFGSimplifierCommon(ir_arch)
ircfg_simplifier.simplify(ircfg, head)
title += " (simplified)"
if type_graph == TYPE_GRAPH_IR:
graph = GraphMiasmIR(ircfg, title, None)
graph.Show()
return
class IRAOutRegs(ira):
def get_out_regs(self, block):
regs_todo = super(IRAOutRegs, self).get_out_regs(block)
out = {}
for assignblk in block:
for dst in assignblk:
reg = self.ssa_var.get(dst, None)
if reg is None:
continue
if reg in regs_todo:
out[reg] = dst
return set(viewvalues(out))
# Add dummy dependency to uncover out regs affectation
for loc in ircfg.leaves():
irblock = ircfg.blocks.get(loc)
if irblock is None:
continue
regs = {}
for reg in ir_arch.get_out_regs(irblock):
regs[reg] = reg
assignblks = list(irblock)
new_assiblk = AssignBlock(regs, assignblks[-1].instr)
assignblks.append(new_assiblk)
new_irblock = IRBlock(irblock.loc_key, assignblks)
ircfg.blocks[loc] = new_irblock
class CustomIRCFGSimplifierSSA(IRCFGSimplifierSSA):
def do_simplify(self, ssa, head):
modified = super(CustomIRCFGSimplifierSSA, self).do_simplify(ssa, head)
if loadint:
modified |= load_from_int(ssa.graph, bs, is_addr_ro_variable)
return modified
def simplify(self, ircfg, head):
ssa = self.ircfg_to_ssa(ircfg, head)
ssa = self.do_simplify_loop(ssa, head)
if type_graph == TYPE_GRAPH_IRSSA:
ret = ssa.graph
elif type_graph == TYPE_GRAPH_IRSSAUNSSA:
ircfg = self.ssa_to_unssa(ssa, head)
ircfg_simplifier = IRCFGSimplifierCommon(self.ir_arch)
ircfg_simplifier.simplify(ircfg, head)
ret = ircfg
else:
raise ValueError("Unknown option")
return ret
head = list(entry_points)[0]
simplifier = CustomIRCFGSimplifierSSA(ir_arch)
ircfg = simplifier.simplify(ircfg, head)
open('final.dot', 'w').write(ircfg.dot())
graph = GraphMiasmIR(ircfg, title, None)
graph.Show()
def launch_depgraph():
global graphs, comments, sol_nb, settings, addr, ir_arch, ircfg
# Get the current function
addr = idc.ScreenEA()
func = ida_funcs.get_func(addr)
# Init
machine = guess_machine(addr=func.startEA)
mn, dis_engine, ira = machine.mn, machine.dis_engine, machine.ira
bs = bin_stream_ida()
mdis = dis_engine(bs, dont_dis_nulstart_bloc=True)
ir_arch = ira(mdis.loc_db)
# Populate symbols with ida names
for ad, name in idautils.Names():
if name is None:
continue
mdis.loc_db.add_location(name, ad)
asmcfg = mdis.dis_multiblock(func.startEA)
# Generate IR
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
# Get settings
settings = depGraphSettingsForm(ir_arch, ircfg)
settings.Execute()
loc_key, elements, line_nb = settings.loc_key, settings.elements, settings.line_nb
# Simplify assignments
for irb in list(viewvalues(ircfg.blocks)):
irs = []
offset = ir_arch.loc_db.get_location_offset(irb.loc_key)
fix_stack = offset is not None and settings.unalias_stack
for assignblk in irb:
if fix_stack:
stk_high = m2_expr.ExprInt(idc.GetSpd(assignblk.instr.offset), ir_arch.sp.size)
fix_dct = {ir_arch.sp: mn.regs.regs_init[ir_arch.sp] + stk_high}
new_assignblk = {}
for dst, src in viewitems(assignblk):
if fix_stack:
src = src.replace_expr(fix_dct)
if dst != ir_arch.sp:
dst = dst.replace_expr(fix_dct)
dst, src = expr_simp(dst), expr_simp(src)
new_assignblk[dst] = src
irs.append(AssignBlock(new_assignblk, instr=assignblk.instr))
ircfg.blocks[irb.loc_key] = IRBlock(irb.loc_key, irs)
# Get dependency graphs
dg = settings.depgraph
graphs = dg.get(loc_key, elements, line_nb,
set([ir_arch.loc_db.get_offset_location(func.startEA)]))
# Display the result
comments = {}
sol_nb = 0
# Register and launch
ida_kernwin.add_hotkey("Shift-N", next_element)
treat_element()
def analyse_function():
# Get settings
settings = TypePropagationForm()
ret = settings.Execute()
if not ret:
return
end = None
if settings.cScope.value == 0:
addr = settings.functionAddr.value
else:
addr = settings.startAddr.value
if settings.cScope.value == 2:
end = settings.endAddr
# Init
machine = guess_machine(addr=addr)
mn, dis_engine, lifter_model_call = machine.mn, machine.dis_engine, machine.lifter_model_call
bs = bin_stream_ida()
loc_db = LocationDB()
mdis = dis_engine(bs, loc_db=loc_db, dont_dis_nulstart_bloc=True)
if end is not None:
mdis.dont_dis = [end]
lifter_model_callCallStackFixer = get_lifter_model_call_call_fixer(
lifter_model_call)
lifter = lifter_model_callCallStackFixer(loc_db)
asmcfg = mdis.dis_multiblock(addr)
# Generate IR
ircfg = lifter.new_ircfg_from_asmcfg(asmcfg)
cst_propag_link = {}
if settings.cUnalias.value:
init_infos = {lifter.sp: lifter.arch.regs.regs_init[lifter.sp]}
cst_propag_link = propagate_cst_expr(lifter, ircfg, addr, init_infos)
types_mngr = get_types_mngr(settings.headerFile.value, settings.arch.value)
mychandler = MyCHandler(types_mngr, {})
infos_types = {}
infos_types_raw = []
if settings.cTypeFile.value:
infos_types_raw = open(settings.typeFile.value).read().split('\n')
else:
infos_types_raw = settings.strTypesInfo.value.split('\n')
for line in infos_types_raw:
if not line:
continue
expr_str, ctype_str = line.split(':')
expr_str, ctype_str = expr_str.strip(), ctype_str.strip()
expr = str_to_expr(expr_str)
ast = mychandler.types_mngr.types_ast.parse_c_type(ctype_str)
ctype = mychandler.types_mngr.types_ast.ast_parse_declaration(
ast.ext[0])
objc = types_mngr.get_objc(ctype)
print('=' * 20)
print(expr, objc)
infos_types[expr] = set([objc])
# Add fake head
lbl_real_start = loc_db.get_offset_location(addr)
lbl_head = loc_db.get_or_create_name_location("start")
first_block = asmcfg.loc_key_to_block(lbl_real_start)
assignblk_head = AssignBlock([
ExprAssign(lifter.IRDst, ExprLoc(lbl_real_start, lifter.IRDst.size)),
ExprAssign(lifter.sp, lifter.arch.regs.regs_init[lifter.sp])
], first_block.lines[0])
irb_head = IRBlock(loc_db, lbl_head, [assignblk_head])
ircfg.blocks[lbl_head] = irb_head
ircfg.add_uniq_edge(lbl_head, lbl_real_start)
state = TypePropagationEngine.StateEngine(infos_types)
states = {lbl_head: state}
todo = set([lbl_head])
done = set()
while todo:
lbl = todo.pop()
state = states[lbl]
if (lbl, state) in done:
continue
done.add((lbl, state))
if lbl not in ircfg.blocks:
continue
symbexec_engine = TypePropagationEngine(lifter, types_mngr, state)
symbexec_engine.run_block_at(ircfg, lbl)
symbexec_engine.del_mem_above_stack(lifter.sp)
sons = ircfg.successors(lbl)
for son in sons:
add_state(ircfg, todo, states, son, symbexec_engine.get_state())
for lbl, state in viewitems(states):
if lbl not in ircfg.blocks:
continue
symbexec_engine = CTypeEngineFixer(lifter, types_mngr, state,
cst_propag_link)
symbexec_engine.run_block_at(ircfg, lbl)
symbexec_engine.del_mem_above_stack(lifter.sp)
def get_stream():
return bin_stream_ida()
def build_graph(start_addr, type_graph, simplify=False, dontmodstack=True, loadint=False, verbose=False):
machine = guess_machine(addr=start_addr)
dis_engine, ira = machine.dis_engine, machine.ira
class IRADelModCallStack(ira):
def call_effects(self, addr, instr):
assignblks, extra = super(IRADelModCallStack, self).call_effects(addr, instr)
if not dontmodstack:
return assignblks, extra
out = []
for assignblk in assignblks:
dct = dict(assignblk)
dct = {
dst:src for (dst, src) in viewitems(dct) if dst != self.sp
}
out.append(AssignBlock(dct, assignblk.instr))
return out, extra
if verbose:
print("Arch", dis_engine)
fname = idc.GetInputFile()
if verbose:
print(fname)
bs = bin_stream_ida()
mdis = dis_engine(bs)
ir_arch = IRADelModCallStack(mdis.loc_db)
# populate symbols with ida names
for addr, name in idautils.Names():
if name is None:
continue
if (mdis.loc_db.get_offset_location(addr) or
mdis.loc_db.get_name_location(name)):
# Symbol alias
continue
mdis.loc_db.add_location(name, addr)
if verbose:
print("start disasm")
if verbose:
print(hex(start_addr))
asmcfg = mdis.dis_multiblock(start_addr)
entry_points = set([mdis.loc_db.get_offset_location(start_addr)])
if verbose:
print("generating graph")
open('asm_flow.dot', 'w').write(asmcfg.dot())
print("generating IR... %x" % start_addr)
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
if verbose:
print("IR ok... %x" % start_addr)
for irb in list(viewvalues(ircfg.blocks)):
irs = []
for assignblk in irb:
new_assignblk = {
expr_simp(dst): expr_simp(src)
for dst, src in viewitems(assignblk)
}
irs.append(AssignBlock(new_assignblk, instr=assignblk.instr))
ircfg.blocks[irb.loc_key] = IRBlock(irb.loc_key, irs)
if verbose:
out = ircfg.dot()
open(os.path.join(tempfile.gettempdir(), 'graph.dot'), 'wb').write(out)
title = "Miasm IR graph"
head = list(entry_points)[0]
if simplify:
ircfg_simplifier = IRCFGSimplifierCommon(ir_arch)
ircfg_simplifier.simplify(ircfg, head)
title += " (simplified)"
if type_graph == TYPE_GRAPH_IR:
graph = GraphMiasmIR(ircfg, title, None)
graph.Show()
return
class IRAOutRegs(ira):
def get_out_regs(self, block):
regs_todo = super(IRAOutRegs, self).get_out_regs(block)
out = {}
for assignblk in block:
for dst in assignblk:
reg = self.ssa_var.get(dst, None)
if reg is None:
continue
if reg in regs_todo:
out[reg] = dst
return set(viewvalues(out))
# Add dummy dependency to uncover out regs affectation
for loc in ircfg.leaves():
irblock = ircfg.blocks.get(loc)
if irblock is None:
continue
regs = {}
for reg in ir_arch.get_out_regs(irblock):
regs[reg] = reg
assignblks = list(irblock)
new_assiblk = AssignBlock(regs, assignblks[-1].instr)
assignblks.append(new_assiblk)
new_irblock = IRBlock(irblock.loc_key, assignblks)
ircfg.blocks[loc] = new_irblock
class CustomIRCFGSimplifierSSA(IRCFGSimplifierSSA):
def do_simplify(self, ssa, head):
modified = super(CustomIRCFGSimplifierSSA, self).do_simplify(ssa, head)
if loadint:
modified |= load_from_int(ssa.graph, bs, is_addr_ro_variable)
return modified
def simplify(self, ircfg, head):
ssa = self.ircfg_to_ssa(ircfg, head)
ssa = self.do_simplify_loop(ssa, head)
if type_graph == TYPE_GRAPH_IRSSA:
ret = ssa.graph
elif type_graph == TYPE_GRAPH_IRSSAUNSSA:
ircfg = self.ssa_to_unssa(ssa, head)
ircfg_simplifier = IRCFGSimplifierCommon(self.ir_arch)
ircfg_simplifier.simplify(ircfg, head)
ret = ircfg
else:
raise ValueError("Unknown option")
return ret
head = list(entry_points)[0]
simplifier = CustomIRCFGSimplifierSSA(ir_arch)
ircfg = simplifier.simplify(ircfg, head)
open('final.dot', 'w').write(ircfg.dot())
graph = GraphMiasmIR(ircfg, title, None)
graph.Show()
def launch_depgraph():
global graphs, comments, sol_nb, settings, addr, ir_arch, ircfg
# Get the current function
addr = idc.get_screen_ea()
func = ida_funcs.get_func(addr)
# Init
machine = guess_machine(addr=func.start_ea)
mn, dis_engine, ira = machine.mn, machine.dis_engine, machine.ira
bs = bin_stream_ida()
mdis = dis_engine(bs, dont_dis_nulstart_bloc=True)
ir_arch = ira(mdis.loc_db)
# Populate symbols with ida names
for ad, name in idautils.Names():
if name is None:
continue
mdis.loc_db.add_location(name, ad)
asmcfg = mdis.dis_multiblock(func.start_ea)
# Generate IR
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
# Get settings
settings = depGraphSettingsForm(ir_arch, ircfg, mn)
settings.Execute()
loc_key, elements, line_nb = settings.loc_key, settings.elements, settings.line_nb
# Simplify assignments
for irb in list(viewvalues(ircfg.blocks)):
irs = []
offset = ir_arch.loc_db.get_location_offset(irb.loc_key)
fix_stack = offset is not None and settings.unalias_stack
for assignblk in irb:
if fix_stack:
stk_high = m2_expr.ExprInt(idc.get_spd(assignblk.instr.offset), ir_arch.sp.size)
fix_dct = {ir_arch.sp: mn.regs.regs_init[ir_arch.sp] + stk_high}
new_assignblk = {}
for dst, src in viewitems(assignblk):
if fix_stack:
src = src.replace_expr(fix_dct)
if dst != ir_arch.sp:
dst = dst.replace_expr(fix_dct)
dst, src = expr_simp(dst), expr_simp(src)
new_assignblk[dst] = src
irs.append(AssignBlock(new_assignblk, instr=assignblk.instr))
ircfg.blocks[irb.loc_key] = IRBlock(irb.loc_key, irs)
# Get dependency graphs
dg = settings.depgraph
graphs = dg.get(loc_key, elements, line_nb,
set([ir_arch.loc_db.get_offset_location(func.start_ea)]))
# Display the result
comments = {}
sol_nb = 0
# Register and launch
ida_kernwin.add_hotkey("Shift-N", next_element)
treat_element()
def analyse_function():
# Get settings
settings = TypePropagationForm()
ret = settings.Execute()
if not ret:
return
end = None
if settings.cScope.value == 0:
addr = settings.functionAddr.value
else:
addr = settings.startAddr.value
if settings.cScope.value == 2:
end = settings.endAddr
# Init
machine = guess_machine(addr=addr)
mn, dis_engine, ira = machine.mn, machine.dis_engine, machine.ira
bs = bin_stream_ida()
mdis = dis_engine(bs, dont_dis_nulstart_bloc=True)
if end is not None:
mdis.dont_dis = [end]
iraCallStackFixer = get_ira_call_fixer(ira)
ir_arch = iraCallStackFixer(mdis.loc_db)
asmcfg = mdis.dis_multiblock(addr)
# Generate IR
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
cst_propag_link = {}
if settings.cUnalias.value:
init_infos = {ir_arch.sp: ir_arch.arch.regs.regs_init[ir_arch.sp] }
cst_propag_link = propagate_cst_expr(ir_arch, ircfg, addr, init_infos)
types_mngr = get_types_mngr(settings.headerFile.value, settings.arch.value)
mychandler = MyCHandler(types_mngr, {})
infos_types = {}
infos_types_raw = []
if settings.cTypeFile.value:
infos_types_raw = open(settings.typeFile.value).read().split('\n')
else:
infos_types_raw = settings.strTypesInfo.value.split('\n')
for line in infos_types_raw:
if not line:
continue
expr_str, ctype_str = line.split(':')
expr_str, ctype_str = expr_str.strip(), ctype_str.strip()
expr = str_to_expr(expr_str)
ast = mychandler.types_mngr.types_ast.parse_c_type(
ctype_str
)
ctype = mychandler.types_mngr.types_ast.ast_parse_declaration(ast.ext[0])
objc = types_mngr.get_objc(ctype)
print('=' * 20)
print(expr, objc)
infos_types[expr] = set([objc])
# Add fake head
lbl_real_start = ir_arch.loc_db.get_offset_location(addr)
lbl_head = ir_arch.loc_db.get_or_create_name_location("start")
first_block = asmcfg.label2block(lbl_real_start)
assignblk_head = AssignBlock(
[
ExprAssign(ir_arch.IRDst, ExprLoc(lbl_real_start, ir_arch.IRDst.size)),
ExprAssign(ir_arch.sp, ir_arch.arch.regs.regs_init[ir_arch.sp])
],
first_block.lines[0]
)
irb_head = IRBlock(lbl_head, [assignblk_head])
ircfg.blocks[lbl_head] = irb_head
ircfg.add_uniq_edge(lbl_head, lbl_real_start)
state = TypePropagationEngine.StateEngine(infos_types)
states = {lbl_head: state}
todo = set([lbl_head])
done = set()
while todo:
lbl = todo.pop()
state = states[lbl]
if (lbl, state) in done:
continue
done.add((lbl, state))
if lbl not in ircfg.blocks:
continue
symbexec_engine = TypePropagationEngine(ir_arch, types_mngr, state)
symbexec_engine.run_block_at(ircfg, lbl)
symbexec_engine.del_mem_above_stack(ir_arch.sp)
sons = ircfg.successors(lbl)
for son in sons:
add_state(
ircfg, todo, states, son,
symbexec_engine.get_state()
)
for lbl, state in viewitems(states):
if lbl not in ircfg.blocks:
continue
symbexec_engine = CTypeEngineFixer(ir_arch, types_mngr, state, cst_propag_link)
symbexec_engine.run_block_at(ircfg, lbl)
symbexec_engine.del_mem_above_stack(ir_arch.sp)
