def emul(self, ctx=None, step=False): """Symbolic execution of relevant nodes according to the history Return the values of inputs nodes' elements @ctx: (optional) Initial context as dictionnary @step: (optional) Verbose execution Warning: The emulation is not sound if the inputs nodes depend on loop variant. """ # Init ctx_init = self._ira.arch.regs.regs_init if ctx is not None: ctx_init.update(ctx) assignblks = [] # Build a single affectation block according to history last_index = len(self.relevant_loc_keys) for index, loc_key in enumerate(reversed(self.relevant_loc_keys), 1): if index == last_index and loc_key == self.initial_state.loc_key: line_nb = self.initial_state.line_nb else: line_nb = None assignblks += self.irblock_slice(self._ira.blocks[loc_key], line_nb).assignblks # Eval the block loc_db = LocationDB() temp_loc = loc_db.get_or_create_name_location("Temp") symb_exec = SymbolicExecutionEngine(self._ira, ctx_init) symb_exec.eval_updt_irblock(IRBlock(temp_loc, assignblks), step=step) # Return only inputs values (others could be wrongs) return {element: symb_exec.symbols[element] for element in self.inputs}
def emul(self, ir_arch, ctx=None, step=False): """Symbolic execution of relevant nodes according to the history Return the values of inputs nodes' elements @ir_arch: IntermediateRepresentation instance @ctx: (optional) Initial context as dictionnary @step: (optional) Verbose execution Warning: The emulation is not sound if the inputs nodes depend on loop variant. """ # Init ctx_init = {} if ctx is not None: ctx_init.update(ctx) assignblks = [] # Build a single affectation block according to history last_index = len(self.relevant_loc_keys) for index, loc_key in enumerate(reversed(self.relevant_loc_keys), 1): if index == last_index and loc_key == self.initial_state.loc_key: line_nb = self.initial_state.line_nb else: line_nb = None assignblks += self.irblock_slice(self._ircfg.blocks[loc_key], line_nb).assignblks # Eval the block loc_db = LocationDB() temp_loc = loc_db.get_or_create_name_location("Temp") symb_exec = SymbolicExecutionEngine(ir_arch, ctx_init) symb_exec.eval_updt_irblock(IRBlock(temp_loc, assignblks), step=step) # Return only inputs values (others could be wrongs) return {element: symb_exec.symbols[element] for element in self.inputs}
loc_db.remove_location_name(loc_key5, name1) has_raised = False except KeyError: has_raised = True try: loc_db.add_location_name(loc_key1, name2) has_raised = False except KeyError: has_raised = True try: loc_db.add_location(name=name2) has_raised = False except ValueError: has_raised = True assert loc_db.add_location(name=name2, strict=False) == loc_key5 assert loc_db.get_or_create_name_location(name2) == loc_key5 loc_key5_bis = loc_db.get_or_create_name_location(name3) assert loc_db.get_name_location(name3) == loc_key5_bis loc_db.consistency_check() # Name and offset manipulation assert loc_db.get_name_offset(name2) is None assert loc_db.get_name_offset("unk_name") is None assert loc_db.get_name_offset("first_name") == 0x5678 # Merge loc_db2 = LocationDB() loc_db2.add_location(offset=0x3344) loc_db2.add_location(name=name2) loc_db.merge(loc_db2) assert 0x3344 in loc_db.offsets
loc_db.remove_location_name(loc_key5, name1) has_raised = False except KeyError: has_raised = True try: loc_db.add_location_name(loc_key1, name2) has_raised = False except KeyError: has_raised = True try: loc_db.add_location(name=name2) has_raised = False except ValueError: has_raised = True assert loc_db.add_location(name=name2, strict=False) == loc_key5 assert loc_db.get_or_create_name_location(name2) == loc_key5 loc_key5_bis = loc_db.get_or_create_name_location(name3) assert loc_db.get_name_location(name3) == loc_key5_bis loc_db.consistency_check() # Merge loc_db2 = LocationDB() loc_db2.add_location(offset=0x3344) loc_db2.add_location(name=name2) loc_db.merge(loc_db2) assert 0x3344 in loc_db.offsets assert name2 in loc_db.names loc_db.consistency_check() assert loc_db.get_name_location(name2) == loc_key5 # Delete
# Get and parse the source code with open(args.source) as fstream: source = fstream.read() loc_db = LocationDB() asmcfg, loc_db = parse_asm.parse_txt(machine.mn, attrib, source, loc_db) # Fix shellcode addrs loc_db.set_location_offset(loc_db.get_name_location("main"), addr_main) if args.PE: loc_db.set_location_offset(loc_db.get_or_create_name_location("MessageBoxA"), pe.DirImport.get_funcvirt('USER32.dll', 'MessageBoxA')) # Print and graph firsts blocks before patching it for block in asmcfg.blocks: print block open("graph.dot", "w").write(asmcfg.dot()) # Apply patches patches = asmblock.asm_resolve_final(machine.mn, asmcfg, loc_db, dst_interval) if args.encrypt: # Encrypt code