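from miasm.analysis.machine import Machine
from miasm.jitter.llvmconvert import LLVMType, LLVMContext_IRCompilation, LLVMFunction_IRCompilation
from llvmlite import ir as llvm_ir
from miasm.expression.simplifications import expr_simp_high_to_explicit
from miasm.core.locationdb import LocationDB

# Command line: the binary to lift, the address to start disassembling at,
# and an optional architecture override.
parser = ArgumentParser("LLVM export example")
parser.add_argument("target", help="Target binary")
parser.add_argument("addr", help="Target address")
parser.add_argument("--architecture", "-a", help="Force architecture")
args = parser.parse_args()

loc_db = LocationDB()

# This part focuses on obtaining an IRCFG to transform #
# Open the target under `with` so the descriptor is released as soon as the
# container is built rather than when the garbage collector gets to it.
# NOTE(review): this assumes Container.from_stream consumes the stream up
# front; confirm against the Container implementation in use.
with open(args.target, 'rb') as target_stream:
    cont = Container.from_stream(target_stream, loc_db)
# Architecture comes from the command line when forced, else from the container.
machine = Machine(args.architecture or cont.arch)
lifter = machine.lifter(loc_db)
dis = machine.dis_engine(cont.bin_stream, loc_db=loc_db)
# Start address is parsed with base 0, so "0x..." hex, "0o..." octal and plain
# decimal are all accepted; the disassembly that follows is driven entirely
# by the bytes of the input file.
asmcfg = dis.dis_multiblock(int(args.addr, 0))
ircfg = lifter.new_ircfg_from_asmcfg(asmcfg)
# Rewrite high-level IR operations into their explicit form before export.
ircfg.simplify(expr_simp_high_to_explicit)
######################################################

# Instantiate a context and the function to fill
context = LLVMContext_IRCompilation()
context.lifter = lifter

# The exported function returns nothing; init_fc sets up its LLVM skeleton.
func = LLVMFunction_IRCompilation(context, name="test")
func.ret_type = llvm_ir.VoidType()
func.init_fc()

# Here, as an example, we arbitrarily represent registers with global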
states_todo.add((addr, symbexec.symbols.copy(), tuple(conds))) elif addr.is_loc(): states_todo.add((addr, symbexec.symbols.copy(), tuple(conds))) else: raise ValueError("Unsupported destination") if __name__ == '__main__': loc_db = LocationDB() translator_smt2 = Translator.to_language("smt2") addr = int(options.address, 16) cont = Container.from_stream(open(args[0], 'rb'), loc_db) mdis = machine.dis_engine(cont.bin_stream, loc_db=loc_db) lifter = machine.lifter(mdis.loc_db) ircfg = lifter.new_ircfg() symbexec = SymbolicExecutionEngine(lifter) asmcfg = parse_asm.parse_txt( machine.mn, 32, ''' init: PUSH argv PUSH argc PUSH ret_addr ''', loc_db ) argc_lbl = loc_db.get_name_location('argc')