def _fn(instr, dat, addr): txt, code, length = instr immdata = dat[len(code):] info = InstructionInfo() info.length = length dst, src = txt.split()[1].split(',') p_dst_w = set_op(dst, immdata, addr) p_dst_r = load_op(dst, immdata, addr) p_src_r = load_op(src, immdata, addr) fn = None if p_dst_r[1] is not None and p_src_r[1] is not None and p_dst_w[1] is not None: fn = [lambda il: il.append(p_dst_w[1](il, getattr(il, il_op)(p_dst_r[2], p_dst_r[1](il), p_src_r[1](il), flags = flags if flags else None )))] return ( [tT(op), tS(' '), *p_dst_w[0], tS(', '), *p_src_r[0]], info, fn )
def get_instruction_info(self, data, addr): (instruction_text, instruction_len) = dis.lazy_disasm(data) if instruction_len == 0: return None result = InstructionInfo() result.length = instruction_len if len(instruction_text) == 0: return result if instruction_text[0].lower() == 'b': tokens = instruction_text.split() token = tokens[1] # Unconditional Branch if all(char in string.hexdigits for char in token): # --HACK: base address offset dest = int('0x' + token, 16) - 0x400000 result.add_branch(BranchType.UnconditionalBranch, dest) return result # Conditional Branch if op.is_conditional_branch(instruction_text): tokens = instruction_text.split() for token in tokens: csv = token.split(",") check = csv[-1] if all(char in string.hexdigits for char in check): # --HACK: base address offset dest = int('0x' + check, 16) - 0x400000 result.add_branch(BranchType.TrueBranch, dest) result.add_branch(BranchType.FalseBranch, addr + instruction_len) return result return result
def get_instruction_info(self, data, addr): inst,args = self._get_asm(data, addr) if inst == "ill": return None res = InstructionInfo() res.length = self._inst_length(inst) if inst in ("jx"): if args[0] in self.regs: res.add_branch(BranchType.IndirectBranch) else: res.add_branch(BranchType.UnconditionalBranch, int(args[0], 16)) elif inst in ("callx0", "callx4", "callx8", "callx12"): res.add_branch(BranchType.CallDestination) elif inst in ("ret", "retw", "ret.n", "retw.n"): res.add_branch(BranchType.FunctionReturn) elif inst == "j": res.add_branch(BranchType.UnconditionalBranch, int(args[0], 16)) elif inst in ("call0", "call4", "call8", "call12"): res.add_branch(BranchType.CallDestination, int(args[0], 16)) elif inst in ("loopgtz", "loopnez"): res.add_branch(BranchType.FalseBranch, int(args[1], 16)) res.add_branch(BranchType.TrueBranch, addr + res.length) elif inst in self._branch_instrs or (inst.endswith(".n") and inst[:-2] in self._branch_instrs): res.add_branch(BranchType.TrueBranch, int(args[-1], 16)) res.add_branch(BranchType.FalseBranch, addr + res.length) return res
def get_instruction_info(self, data, addr): result = InstructionInfo() result.length = 1 if self.vtil == None: try: self.vtil = VTILParser.from_file(get_filename()) except Exception as ex: log_error(str(ex)) return result next_vip, _, _, _, code = find_instruction(addr, self.vtil) if code != None and code.startswith("js"): _, _, true, false = code.split(" ") true = find_block_address(int(true, 16), self.vtil) false = find_block_address(int(false, 16), self.vtil) result.add_branch(BranchType.TrueBranch, true) result.add_branch(BranchType.FalseBranch, false) elif code != None and code.startswith("vxcall"): addr = find_block_address(next_vip[0], self.vtil) result.add_branch(BranchType.UnconditionalBranch, addr) elif code != None and code.startswith("jmp"): if len(next_vip) == 1: addr = find_block_address(next_vip[0], self.vtil) result.add_branch(BranchType.UnconditionalBranch, addr) else: result.add_branch(BranchType.IndirectBranch) for vip in next_vip: result.add_branch(BranchType.UnconditionalBranch, find_block_address(vip, self.vtil)) elif code != None and code.startswith("vexit"): result.add_branch(BranchType.FunctionReturn) return result
def djr(instr, dat, addr): txt, code, length = instr immdata = dat[len(code):] rel = immdata[0] if rel & 0x80: rel -= 0x100 target = (addr + rel + length - 1) & 0xffff info = InstructionInfo() info.length = length info.add_branch(BranchType.TrueBranch, target) info.add_branch(BranchType.FalseBranch, addr + length) return ( [tT('DJR'), tS(' '), tA(hex(target), target)], info, [ lambda il: il_branch( il, il.compare_not_equal(1, il.reg(1, 'B'), il.const(1, 0)), il.const_pointer(2, target), il.const_pointer(2, addr + length)) ] )
def get_instruction_info(self, data, addr): (instrTxt, instrLen) = skwrapper.disasm(data, addr) if instrLen == 0: return None result = InstructionInfo() result.length = instrLen return result
def dec(instr, dat, addr): txt, code, length = instr immdata = dat[len(code):] info = InstructionInfo() info.length = length dst = txt.split()[1] p_dst_w = set_op(dst, immdata, addr) p_dst_r = load_op(dst, immdata, addr) fn = None if p_dst_r[1] is not None and p_dst_w[1] is not None: fn = [lambda il: il.append(p_dst_w[1](il, il.sub(p_dst_r[2], p_dst_r[1](il), il.const(p_dst_r[2], 1), flags="z", )))] return ( [tT('DEC'), tS(' '), *p_dst_w[0]], info, fn )
def ex(instr, dat, addr): txt, code, length = instr immdata = dat[len(code):] info = InstructionInfo() info.length = length dst, src = txt.split()[1].split(',') p_dst_w = set_op(dst, immdata, addr) p_dst_r = load_op(dst, immdata, addr) p_src_w = set_op(src, immdata, addr) p_src_r = load_op(src, immdata, addr) fn = None if p_dst_r[1] is not None and p_src_r[1] is not None and p_dst_w[1] is not None and p_src_w[1] is not None: fn = [ lambda il: il.append(p_dst_w[1](il, p_src_r[1](il))), lambda il: il.append(p_src_w[1](il, p_dst_r[1](il))) ] return ( [tT('EX'), tS(' '), *p_dst_w[0], tS(', '), *p_src_r[0]], info, fn )
def get_instruction_info(self, data, addr): global active_vtil_file result = InstructionInfo() result.length = 1 next_vip, _, _, _, code = find_instruction(addr, active_vtil_file) if code != None and code.startswith("js"): _, _, true, false = code.split(" ") true = find_block_address(int(true, 16), active_vtil_file) false = find_block_address(int(false, 16), active_vtil_file) result.add_branch(BranchType.TrueBranch, true) result.add_branch(BranchType.FalseBranch, false) elif code != None and code.startswith("vxcall"): addr = find_block_address(next_vip[0], active_vtil_file) result.add_branch(BranchType.UnconditionalBranch, addr) elif code != None and code.startswith("jmp"): if len(next_vip) == 1: addr = find_block_address(next_vip[0], active_vtil_file) result.add_branch(BranchType.UnconditionalBranch, addr) else: result.add_branch(BranchType.IndirectBranch) for vip in next_vip: result.add_branch(BranchType.UnconditionalBranch, find_block_address(vip, active_vtil_file)) elif code != None and code.startswith("vexit"): result.add_branch(BranchType.FunctionReturn) return result
def jrs(instr, dat, addr): txt, code, length = instr immdata = dat[len(code):] ops = txt.split()[1].split(',') if len(ops) == 1: # JRS {2} if ops[0] != '{2}': return None rel = immdata[0] if rel & 0x80: rel -= 0x100 target = (addr + rel + length - 1) & 0xffff info = InstructionInfo() info.length = length info.add_branch(BranchType.UnconditionalBranch, target) return ( [tT('JRS'), tS(' '), tA(hex(target), target)], info, [lambda il: il.append(il.jump(il.const_pointer(2, target)))] ) else: # Conditional if ops[1] != '{2}': return None rel = immdata[0] if rel & 0x80: rel -= 0x100 target = (addr + rel + length - 1) & 0xffff info = InstructionInfo() info.length = length info.add_branch(BranchType.TrueBranch, target) info.add_branch(BranchType.FalseBranch, addr + length) return ( [tT('JRS'), tS(' '), tT(ops[0]), tS(', '), tA(hex(target), target)], info, [lambda il: il_branch(il, make_condition(il, ops[0].lower()), il.const_pointer(2, target), il.const_pointer(2, addr + length))] )
def rete(instr, dat, addr): txt, code, length = instr info = InstructionInfo() info.length = length info.add_branch(BranchType.FunctionReturn) return ( [tT('RETE')], info, [lambda il: il.append(il.ret(il.pop(2)))] )
def perform_get_instruction_info(self, data, addr): if len(data) < 2: print "perform_get_instruction_info(%s, 0x%04x), not enough data!" % ( tohex(data), addr) return None if addr % 2 != 0: print "perform_get_instruction_info(%s, 0x%04x), address not aligned!" % ( tohex(data), addr) return None #print "perform_get_instruction_info(%s, 0x%04x)" % (tohex(data), addr) info = InstructionInfo() info.length = self.max_instr_length # workaround for a Binary Ninja bug, data is not guaranteed to be max_instr_length bytes data = data[:self.max_instr_length] instruction = unpack('<H', data)[0] bincode = instruction >> 8 if bincode >= 0x80: opcode_key = bincode & 0xc0 is_bit = False elif bincode >= 0x40: opcode_key = bincode & 0xf8 is_bit = True else: opcode_key = bincode is_bit = False try: mask, opspace, jump_action, opcode, caption = opcode_dict[ opcode_key] except KeyError: return None # TODO is it possible to get more information? operand = instruction & mask branches = { NONXT: lambda: [(BranchType.FunctionReturn, 0)], NEXTI: lambda: [], BRNCH: lambda: [(BranchType.TrueBranch, addr + 4), (BranchType.FalseBranch, addr + 2)], JUMPI: lambda: [(BranchType.UnconditionalBranch, operand * 2) ], # ROM addresses are 16 bits of data per address CALLI: lambda: [(BranchType.CallDestination, operand * 2) ] # ROM addresses are 16 bits of data per address }[jump_action]() for type, address in branches: info.add_branch(type, address) return info
def perform_get_instruction_info(self, data, addr): valid, instr = get_instruction(data, addr) result = InstructionInfo() if valid: result.length = 8 if instr.opcode in InstructionInfoModders: InstructionInfoModders[instr.opcode](result, instr) return result else: # This is _EXCEEDINGLY_ important to return on failure. # Things will break in creative ways if anything other than None # is returned for invalid data return None
def mlt(instr, dat, addr): txt, code, length = instr info = InstructionInfo() info.length = length return ( [tT('MLT')], info, [lambda il: il.append(il.set_reg(2, 'HL', il.mult(2, il.zero_extend(2, il.reg(1, 'A')), il.zero_extend(2, il.reg(1, 'L')), )))] )
def get_instruction_info(self, data, addr): (instrTxt, instrLen) = skwrapper.disasm(data, addr) if instrLen == 0: return None result = InstructionInfo() result.length = instrLen rccs = r'(?:C|NC|Z|NZ|M|P|PE|PO)' regexes = [ \ r'^(?:JP|JR) '+rccs+r',\$(.*)$', # 0: conditional jump eg: JP PE,#DEAD r'^(?:JP|JR) \$(.*)$', # 1: unconditional jump eg: JP #DEAD r'^(?:JP|JR) \((?:HL|IX|IY)\)$', # 2: unconditional indirect eg: JP (IX) r'^DJNZ \$(.*)$', # 3: dec, jump if not zero eg: DJNZ #DEAD r'^CALL '+rccs+r',\$(.*)$', # 4: conditional call eg: CALL PE,#DEAD r'^CALL \$(.*)$', # 5: unconditional call eg: CALL #DEAD r'^RET '+rccs+'$', # 6: conditional return r'^(?:RET|RETN|RETI)$', # 7: return, return (nmi), return (interrupt) ] m = None for (i,regex) in enumerate(regexes): m = re.match(regex, instrTxt) if not m: continue if i==0 or i==3: dest = int(m.group(1), 16) result.add_branch(BranchType.TrueBranch, dest) result.add_branch(BranchType.FalseBranch, addr + instrLen) pass elif i==1: dest = int(m.group(1), 16) result.add_branch(BranchType.UnconditionalBranch, dest) pass elif i==2: result.add_branch(BranchType.IndirectBranch) pass elif i==4 or i==5: dest = int(m.group(1), 16) result.add_branch(BranchType.CallDestination, dest) pass elif i==6: pass # conditional returns don't end block elif i==7: result.add_branch(BranchType.FunctionReturn) break return result
def get_instruction_info(self, data, addr): tmp = self.qualifies(data, addr) if not tmp: return super(X86DeobfuscateHook, self).get_instruction_info(data, addr) (push_addr, length) = tmp print( '%08X: push+ret found, informing binja of unconditional branch to 0x%X' % (addr, push_addr)) result = InstructionInfo() result.length = length result.add_branch(BranchType.UnconditionalBranch, push_addr) return result
def push(instr, dat, addr): txt, code, length = instr immdata = dat[len(code):] op = txt.split()[1] p_op = load_op(op, immdata, addr) info = InstructionInfo() info.length = length return ( [tT('PUSH'), tS(' '), *p_op[0]], info, [lambda il: il.append(il.push(p_op[2], p_op[1](il)))] )
def decode(dat, addr): if len(dat) < 1: return None b0 = dat[0] instr = instructions[b0] if instr is not None and len(instr) != 3: # multi-byte encoding if len(dat) < 2: return None b1 = dat[1] instr = instr[b1] if instr is None or len(dat) < instr[2]: return None txt, code, length = instr info = InstructionInfo() info.length = length op = txt.split()[0] if op == 'LD': return load(instr, dat, addr) elif op == 'JRL': return jrl(instr, dat, addr) elif op == 'JRS': return jrs(instr, dat, addr) elif op == 'CARL': return carl(instr, dat, addr) elif op == 'RET': return ret(instr, dat, addr) elif op == 'RETE': return rete(instr, dat, addr) elif op == 'PUSH': return push(instr, dat, addr) elif op == 'POP': return pop(instr, dat, addr) elif op == 'MLT': return mlt(instr, dat, addr) elif op == 'ADD': return add(instr, dat, addr) elif op == 'SUB': return sub(instr, dat, addr) elif op == 'AND': return f_and(instr, dat, addr) elif op == 'OR': return f_or(instr, dat, addr) elif op == 'XOR': return f_xor(instr, dat, addr) elif op == 'INC': return inc(instr, dat, addr) elif op == 'DEC': return dec(instr, dat, addr) elif op == 'CP': return cp(instr, dat, addr) elif op == 'EX': return ex(instr, dat, addr) elif op == 'INT': return f_int(instr, dat, addr) elif op == 'DJR': return djr(instr, dat, addr) return ([tT(txt)], info, None)
def carl(instr, dat, addr): txt, code, length = instr immdata = dat[len(code):] if txt.split()[1] != '{3}': return None rel = immdata[0] + (immdata[1] << 8) target = (addr + rel + length - 1) & 0xffff info = InstructionInfo() info.length = length info.add_branch(BranchType.CallDestination, target) return ( [tT('CARL'), tS(' '), tA(hex(target), target)], info, [lambda il: il_jump(il, il.const_pointer(2, target), is_call=True)] )
def get_instruction_info(self, data, addr): if len(data) < 2 or len(data) > 3: return None obj = decode(data, addr) if obj.name == "UNKNOWN": return None result = InstructionInfo() result.length = obj.len if obj.name in ["RET", "RET.N"]: # RETURN result.add_branch(BranchType.FunctionReturn) if obj.name in [ "BALL", "BNALL", "BANY", "BNONE", "BBC", "BBCI", "BBS", "BBSI", "BEQ", "BEQI", "BEQZ", "BNE", "BNEI", "BNEZ", "BGE", "BGEI", "BGEU", "BGEUI", "BGEZ", "BLT", "BLTI", "BLTU", "BLTUI", "BLTZ" ]: # CONDITIONAL BRANCH for l in obj.prop["format"]: if l[0] == "TYPE_LABEL": result.add_branch(BranchType.TrueBranch, l[1]) result.add_branch(BranchType.FalseBranch, addr + obj.len) if obj.name in ["J"]: # UNCONDITIONAL JUMP for l in obj.prop["format"]: if l[0] == "TYPE_LABEL": result.add_branch(BranchType.UnconditionalBranch, l[1]) if obj.name in ["CALL0", "CALL4", "CALL8", "CALL12"]: # DIRECT CALL for l in obj.prop["format"]: if l[0] == "TYPE_LABEL": result.add_branch(BranchType.CallDestination, l[1]) if obj.name in ["JX"]: # UNCONDITIONAL JUMP TO REGISTER result.add_branch(BranchType.IndirectBranch) #if obj.name in ["CALLX0", "CALLX4", "CALLX8", "CALLX12"]: # CALL TO REGISTER # result.add_branch(BranchType.IndirectBranch) return result
def get_instruction_info(self, data: bytes, addr: int): ins_mnem, ins_len, _, _, _ = self._decode_instruction(data, addr) if not ins_mnem: return None result = InstructionInfo() result.length = ins_len ins_end = addr + ins_len opcode = data[0] if ins_mnem == 'JR': offset = struct.unpack('<b', data[1:2])[0] if opcode == 0x28 or opcode == 0x38: result.add_branch(BranchType.TrueBranch, ins_end + offset) result.add_branch(BranchType.FalseBranch, ins_end) elif opcode == 0x20 or opcode == 0x30: result.add_branch(BranchType.TrueBranch, ins_end) result.add_branch(BranchType.FalseBranch, ins_end + offset) else: result.add_branch( BranchType.UnconditionalBranch, ins_end + offset) elif ins_mnem == 'JP': if opcode == 0xe9: result.add_branch(BranchType.IndirectBranch) else: arg = struct.unpack('<H', data[1:3])[0] if opcode == 0xca or opcode == 0xda: result.add_branch(BranchType.TrueBranch, arg) result.add_branch(BranchType.FalseBranch, ins_end) elif opcode == 0xc2 or opcode == 0xd2: result.add_branch(BranchType.TrueBranch, ins_end) result.add_branch(BranchType.FalseBranch, arg) else: result.add_branch(BranchType.UnconditionalBranch, arg) elif ins_mnem == 'RET': result.add_branch(BranchType.FunctionReturn) elif ins_mnem == 'RETI': result.add_branch(BranchType.FunctionReturn) elif ins_mnem == 'CALL': result.add_branch(BranchType.CallDestination, struct.unpack("<H", data[1:3])[0]) return result
def get_instruction_info(self, data, addr): """ Establishes instruction length and branch info """ if len(data) > 2: data = data[:2] result = InstructionInfo() result.length = 2 vars = self.dis._vars(data) baddr = vars['addr'] binfo = self.dis.get_branch_info(data) if binfo == BranchType.UnconditionalBranch or binfo == BranchType.CallDestination: result.add_branch(binfo, baddr) elif binfo == BranchType.FunctionReturn or binfo == BranchType.IndirectBranch: result.add_branch(binfo) elif binfo == BranchType.TrueBranch: result.add_branch(BranchType.TrueBranch, addr + 4) result.add_branch(BranchType.FalseBranch, addr + 2) elif binfo == BranchType.FalseBranch: result.add_branch(BranchType.TrueBranch, addr + 4) result.add_branch(BranchType.FalseBranch, addr + 2) return result
def perform_get_instruction_info(self, data, addr): if not len(data): return # edge case during linear sweep nfo = InstructionInfo() # ana size, branch = self.lut.branches[ord(data[0])] nfo.length = size # emu if branch: branch_type, target = branch if callable(target): target = target(data, addr, size) if size <= len(data) else 0 if branch_type == BranchType.CallDestination: # TODO: keep track of return-effect functions, tweak target +=dx pass # TODO: arch is probably global; need to store this in bv somehow :| nfo.add_branch(branch_type, target=target) if branch_type == BranchType.TrueBranch: nfo.add_branch(BranchType.FalseBranch, addr + size) return nfo
def perform_get_instruction_info(self, data, addr): instr, operand, length, value = self.decode_instruction(data, addr) if instr is None: return None result = InstructionInfo() result.length = length if instr == "jmp": if operand == ADDR: result.add_branch(BranchType.UnconditionalBranch, struct.unpack("<H", data[1:3])[0]) else: result.add_branch(BranchType.UnresolvedBranch) elif instr == "jsr": result.add_branch(BranchType.CallDestination, struct.unpack("<H", data[1:3])[0]) elif instr in ["rti", "rts"]: result.add_branch(BranchType.FunctionReturn) if instr in ["bcc", "bcs", "beq", "bmi", "bne", "bpl", "bvc", "bvs"]: dest = (addr + 2 + struct.unpack("b", data[1])[0]) & 0xffff result.add_branch(BranchType.TrueBranch, dest) result.add_branch(BranchType.FalseBranch, addr + 2) return result
def f_int(instr, dat, addr): txt, code, length = instr immdata = dat[len(code):] op = txt.split()[1] if op != '[{0}h]': return None rel = immdata[0] target = rel & 0xff info = InstructionInfo() info.length = length info.add_branch(BranchType.CallDestination, target) return ( [tT('INT'), tS(' '), tA(hex(target), target)], info, [lambda il: il.append(il.jump(il.const_pointer(2, target)))] )
def pop(instr, dat, addr): txt, code, length = instr immdata = dat[len(code):] op = txt.split()[1] info = InstructionInfo() info.length = length sz = 0 if op in REGS_1: sz = 1 elif op in REGS_2: sz = 2 else: return None return ( [tT('POP'), tS(' '), tR(op)], info, [lambda il: il.append(il.set_reg(sz, op, il.pop(sz)))] )
def get_instruction_info(self, data, addr): # instruction lookup instruction = self.instructions[ord(data[0])] if instruction is None: return None (opcode, length) = instruction[0] result = InstructionInfo() result.length = length # add branches if opcode in ['RET', 'RETI', 'RETR']: result.add_branch(BranchType.FunctionReturn) elif opcode in ['JMP']: # TODO: memory bank selection result.add_branch(BranchType.UnconditionalBranch, CODE_ADDR((ord(data[0]) & 0xe0) << 3, ord(data[1]))) elif opcode in ['JMPP']: result.add_branch(BranchType.UnresolvedBranch) elif opcode == 'DJNZ' or opcode[0] == 'J': # conditional branches result.add_branch(BranchType.TrueBranch, CODE_ADDR(addr, ord(data[1]))) result.add_branch(BranchType.FalseBranch, addr + length) elif opcode == 'CALL': # TODO: memory bank selection result.add_branch(BranchType.CallDestination, CODE_ADDR((ord(data[0]) & 0xe0) << 3, ord(data[1]))) elif opcode == 'SEL': # FIXME: fake branches to support bank switching if instruction[1][0] == 'RB0': result.add_branch(BranchType.UnconditionalBranch, addr + length, Architecture['{}_rb{}mb{}'.format(self.device, 0, self.mb)]) elif instruction[1][0] == 'RB1': result.add_branch(BranchType.UnconditionalBranch, addr + length, Architecture['{}_rb{}mb{}'.format(self.device, 1, self.mb)]) elif instruction[1][0] == 'MB0': result.add_branch(BranchType.UnconditionalBranch, addr + length, Architecture['{}_rb{}mb{}'.format(self.device, self.rb, 0)]) elif instruction[1][0] == 'MB1': result.add_branch(BranchType.UnconditionalBranch, addr + length, Architecture['{}_rb{}mb{}'.format(self.device, self.rb, 1)]) return result
def perform_get_instruction_info(self, data, addr): instr, length, operands, flags, value = self.decode_instruction( data, addr) if instr is None: return None result = InstructionInfo() result.length = length opcode = data[0] if instr == 'JR': arg = data[1] dest = arg if arg < 128 else (256 - arg) * (-1) if opcode == 0x28 or opcode == 0x38: result.add_branch(BranchType.TrueBranch, addr + 2 + dest) result.add_branch(BranchType.FalseBranch, addr + 2) elif opcode == 0x20 or opcode == 0x30: result.add_branch(BranchType.TrueBranch, addr + 2) result.add_branch(BranchType.FalseBranch, addr + 2 + dest) else: result.add_branch(BranchType.UnconditionalBranch, addr + 2 + dest) elif instr == 'JP': if opcode == 0xe9: result.add_branch(BranchType.UnconditionalBranch, 0xdead) else: arg = struct.unpack('<H', data[1:3])[0] if opcode == 0xca or opcode == 0xda: result.add_branch(BranchType.TrueBranch, arg) result.add_branch(BranchType.FalseBranch, addr + 3) elif opcode == 0xc2 or opcode == 0xd2: result.add_branch(BranchType.TrueBranch, addr + 3) result.add_branch(BranchType.FalseBranch, arg) else: result.add_branch(BranchType.UnconditionalBranch, arg) elif instr == 'RET': result.add_branch(BranchType.FunctionReturn) elif instr == 'CALL': result.add_branch(BranchType.CallDestination, struct.unpack("<H", data[1:3])[0]) return result
def get_instruction_info(self, data, addr): instr = self.disassembler.instrs[addr // self.address_size] if instr is None: return None result = InstructionInfo() result.length = instr.width * self.address_size next_addr = instr.get_next_addr() if isinstance(instr, Call): result.add_branch(BranchType.CallDestination, instr.c * self.address_size) elif isinstance(instr, Ret) or isinstance(instr, Exit): result.add_branch(BranchType.FunctionReturn) else: if len(next_addr) == 2: result.add_branch(BranchType.TrueBranch, next_addr[1] * self.address_size) result.add_branch(BranchType.FalseBranch, next_addr[0] * self.address_size) elif len(next_addr) == 1: result.add_branch(BranchType.UnconditionalBranch, next_addr[0] * self.address_size) return result
def get_instruction_info(self, data, addr): (instruction_text, instruction_len) = dis.lazy_disasm(addr) if instruction_len == 0: return None result = InstructionInfo() result.length = instruction_len if len(instruction_text) == 0: return result tokens = instruction_text.split() arch = tokens[0] instruction = tokens[1].lower() raw_offset = tokens[-1] if 'ret' in instruction: result.add_branch(BranchType.FunctionReturn) return result if op.instruction_is_call(instruction): call_offset = addr + int(raw_offset, 16) result.add_branch(BranchType.CallDestination, call_offset) return result if not op.instruction_is_branch(instruction): return result if arch == "MIPS": # b 0x10184 # bgtz $zero, -0x6c90 # bgez $zero, 0x14ca0 # bne $v0, $s2, 0x12508 # bnez $t8, 0x14d94 # bltzall $v0, 0x13cd8 # bltzal $t3, -0x7018 # bltz $t0, 0x1371c # bltz $zero, -0x69e0 # bltz $at, 0x1502c if op.is_conditional_branch(instruction_text): branch_offset = addr + int(raw_offset, 16) result.add_branch(BranchType.TrueBranch, branch_offset) result.add_branch(BranchType.FalseBranch, addr + instruction_len) else: # UNCONDITIONAL BRANCH branch_offset = int(raw_offset, 16) result.add_branch(BranchType.UnconditionalBranch, branch_offset) elif arch == "ARM": # bicsvs r8, sl, #0x8000000 # bicsls r2, r0, r0, lsl r0 # bicsls r2, r0, r0, lsl r0 # bicsls r2, r0, r0, lsl r0 # blgt #0x814c9c # bge #0xfffd0b78 # bhi #0x200b08 # bhi #0x419078 # bvs #0x11e10 # bvs #0x1225c is_overflow_set = 'bvs' in instruction_text if op.is_conditional_branch(instruction_text) or is_overflow_set: branch_offset = int(raw_offset.replace("#", ""), 16) - BASE_ADDR result.add_branch(BranchType.TrueBranch, branch_offset) result.add_branch(BranchType.FalseBranch, addr + instruction_len) elif arch == "RISCV": # blez s8, 0x20 # bge t0, a2, 0x24 # bge sp, t2, 0x164 # bge t2, sp, 0x15c # bge t0, sp, 0x1c # bge t2, s0, 0x34 # bge s1, t0, 0x1c # j -0x24 # j -0x130 # j -0x140 # j -0x1b4 # j -0x260 # j 0x1bc # j 0x4a8 # j 0x15c # j 0x4a8 # bne t1, t0, 0x110 # bne t1, t0, 0x100 # bne t1, t0, 0xf4 # bne t1, t0, 0x48c # bnez sp, 0x40 # beqz sp, 0x148 # beqz sp, 0x140 # beqz t0, 0x20 # beqz sp, -0xbc # beq tp, t0, 0x78 # beq tp, t0, 8 if op.is_conditional_branch(instruction_text): branch_offset = addr + int(raw_offset, 16) result.add_branch(BranchType.TrueBranch, branch_offset) result.add_branch(BranchType.FalseBranch, addr + instruction_len) else: # UNCONDITIONAL JUMP branch_offset = addr + int(raw_offset, 16) result.add_branch(BranchType.UnconditionalBranch, branch_offset) elif arch == "SPARC": # brz,pn %o3, 0x15240 # bn %icc, -0x46210 # bg,a -0x6927dc # bn,a -0x3cf180 # bn,a -0x6af488 # bn,pn %icc, 0x38e98 # bn,pn %xcc, 0x90fd0 # fbne -0x69bc14 # fbn %fcc0, -0x46b2c # fbn -0x36edec # fbn 0x3b969c # fbn 0x26d94 # fbn 0x7722f0 # fblg,pn %fcc3, 0x390f4 is_branch = 'bn' in instruction_text if is_branch: branch_offset = int(raw_offset, 16) + addr result.add_branch(BranchType.UnconditionalBranch, branch_offset) return result