def post_add_bloc(self, block, ir_blocks):
IntermediateRepresentation.post_add_bloc(self, block, ir_blocks)
for irb in ir_blocks:
pc_val = None
lr_val = None
for assignblk in irb.irs:
pc_val = assignblk.get(self.arch.regs.PC, pc_val)
lr_val = assignblk.get(self.arch.regs.RA, lr_val)
if pc_val is None or lr_val is None:
continue
if not expr_is_int_or_label(lr_val):
continue
if expr_is_label(lr_val):
lr_val = ExprInt32(lr_val.name.offset)
line = block.lines[-2]
if lr_val.arg != line.offset + 8:
raise ValueError("Wrong arg")
# CALL
lbl = block.get_next()
new_lbl = self.gen_label()
irs = self.call_effects(pc_val, line)
irs.append(AssignBlock([ExprAff(self.IRDst,
ExprId(lbl, size=self.pc.size))]))
nblock = IRBlock(new_lbl, irs)
nblock.lines = [line] * len(irs)
self.blocks[new_lbl] = nblock
irb.dst = ExprId(new_lbl, size=self.pc.size)
def decode(self, v):
v = v & self.lmask
v <<= 2
v = cpu.sign_ext(v, 16 + 2, 32)
# Add pipeline offset
self.expr = ExprInt32(v + 4)
return True
def test_ExprSlice_strcst(self):
from miasm2.expression.expression import ExprInt32, ExprSlice
import miasm2.expression.stp # /!\ REALLY DIRTY HACK
args = [ExprInt32(i) for i in xrange(9)]
self.assertEqual(args[0][1:2].strcst(),
r'(0bin00000000000000000000000000000000)[1:1]')
self.assertRaises(ValueError, args[0].__getitem__, slice(1, 7, 2))
def fixDstOffset(self):
ndx = self.get_dst_num()
e = self.args[ndx]
if self.offset is None:
raise ValueError('symbol not resolved %s' % self.l)
if not isinstance(e, ExprInt):
return
off = e.arg - self.offset
if int(off % 4):
raise ValueError('strange offset! %r' % off)
self.args[ndx] = ExprInt32(off)
def test_ExprOp_toC(self):
from miasm2.expression.expression import ExprInt32, ExprOp
from miasm2.ir.translators.C import Translator
args = [ExprInt32(i) for i in xrange(9)]
translator = Translator.to_language("C")
# Unary operators
self.translationTest(
ExprOp('parity', *args[:1]), r'parity(0x0&0xffffffff)')
self.translationTest(
ExprOp('!', *args[:1]), r'(~ 0x0)&0xffffffff')
self.translationTest(
ExprOp('hex2bcd', *args[:1]), r'hex2bcd_32(0x0)')
self.translationTest(ExprOp('fabs', *args[:1]), r'fabs(0x0)')
self.assertRaises(NotImplementedError, translator.from_expr,
ExprOp('X', *args[:1]))
# Binary operators
self.translationTest(
ExprOp('==', *args[:2]), r'(((0x0&0xffffffff) == (0x1&0xffffffff))?1:0)')
self.translationTest(
ExprOp('%', *args[:2]), r'(((0x0&0xffffffff)%(0x1&0xffffffff))&0xffffffff)')
self.translationTest(
ExprOp('-', *args[:2]), r'(((0x0&0xffffffff) - (0x1&0xffffffff))&0xffffffff)')
self.translationTest(
ExprOp('bsr', *args[:1]), r'x86_bsr(0x0, 0x20)')
self.translationTest(
ExprOp('cpuid0', *args[:2]), r'cpuid0(0x0, 0x1)')
self.translationTest(
ExprOp('fcom0', *args[:2]), r'fcom0(0x0, 0x1)')
self.translationTest(
ExprOp('fadd', *args[:2]), r'fadd(0x0, 0x1)')
self.translationTest(
ExprOp('segm', *args[:2]), r'segm2addr(jitcpu, 0x0, 0x1)')
self.translationTest(
ExprOp('imod', *args[:2]), r'imod32(jitcpu, 0x0, 0x1)')
self.translationTest(
ExprOp('bcdadd', *args[:2]), r'bcdadd_32(0x0, 0x1)')
self.assertRaises(NotImplementedError, translator.from_expr,
ExprOp('X', *args[:2]))
# Ternary operators
self.translationTest(
ExprOp('div8', *args[:3]), r'(div_op(32, 0x0, 0x1, 0x2) &0xffffffff)')
# Other cases
self.translationTest(
ExprOp('+', *args[:3]), r'(((0x0&0xffffffff)+(0x1&0xffffffff)+(0x2&0xffffffff))&0xffffffff)')
self.assertRaises(NotImplementedError, translator.from_expr,
ExprOp('X', *args[:3]))
def encode(self):
e = self.expr
if not isinstance(e, ExprMem):
return False
arg = e.arg
if isinstance(arg, ExprId):
self.parent.imm.expr = ExprInt32(0)
r = arg
elif len(arg.args) == 2 and arg.op == "+":
self.parent.imm.expr = arg.args[1]
r = arg.args[0]
else:
return False
self.value = gpregs.expr.index(r)
return True
def fixDstOffset(self):
ndx = self.get_dst_num()
e = self.args[ndx]
print 'FIX', ndx, e, self.offset, self.l
if self.offset is None:
raise ValueError('symbol not resolved %s' % self.l)
if not isinstance(e, ExprInt):
return
off = e.arg - self.offset
print "diff", e, hex(self.offset)
print hex(off)
if int(off % 4):
raise ValueError('strange offset! %r' % off)
self.args[ndx] = ExprInt32(off)
print 'final', self
def test_ExprOp_toC(self):
from miasm2.expression.expression import ExprInt32, ExprOp
import miasm2.ir.ir2C # /!\ REALLY DIRTY HACK
args = [ExprInt32(i) for i in xrange(9)]
# Unary operators
self.assertEqual(
ExprOp('parity', *args[:1]).toC(), r'parity(0x0&0xffffffff)')
self.assertEqual(
ExprOp('!', *args[:1]).toC(), r'(~ 0x0)&0xffffffff')
self.assertEqual(
ExprOp('hex2bcd', *args[:1]).toC(), r'hex2bcd_32(0x0)')
self.assertEqual(ExprOp('fabs', *args[:1]).toC(), r'fabs(0x0)')
self.assertRaises(ValueError, ExprOp('X', *args[:1]).toC)
# Binary operators
self.assertEqual(
ExprOp('==', *args[:2]).toC(), r'(((0x0&0xffffffff) == (0x1&0xffffffff))?1:0)')
self.assertEqual(
ExprOp('%', *args[:2]).toC(), r'(((0x0&0xffffffff)%(0x1&0xffffffff))&0xffffffff)')
self.assertEqual(
ExprOp('-', *args[:2]).toC(), r'(((0x0&0xffffffff) - (0x1&0xffffffff))&0xffffffff)')
self.assertEqual(
ExprOp('bsr', *args[:2]).toC(), r'my_bsr(0x0, 0x1)')
self.assertEqual(
ExprOp('cpuid0', *args[:2]).toC(), r'cpuid0(0x0, 0x1)')
self.assertEqual(
ExprOp('fcom0', *args[:2]).toC(), r'fcom0(0x0, 0x1)')
self.assertEqual(
ExprOp('fadd', *args[:2]).toC(), r'fadd(0x0, 0x1)')
self.assertEqual(
ExprOp('segm', *args[:2]).toC(), r'segm2addr(vmcpu, 0x0, 0x1)')
self.assertEqual(
ExprOp('imod', *args[:2]).toC(), r'imod32(vmcpu, 0x0, 0x1)')
self.assertEqual(
ExprOp('bcdadd', *args[:2]).toC(), r'bcdadd_32(0x0, 0x1)')
self.assertRaises(ValueError, ExprOp('X', *args[:2]).toC)
# Ternary operators
self.assertEqual(
ExprOp('div8', *args[:3]).toC(), r'(div_op(32, 0x0, 0x1, 0x2) &0xffffffff)')
# Other cases
self.assertEqual(
ExprOp('+', *args[:3]).toC(), r'(((0x0&0xffffffff)+(0x1&0xffffffff)+(0x2&0xffffffff))&0xffffffff)')
self.assertRaises(NotImplementedError, ExprOp('X', *args[:3]).toC)
def test_ExprOp_strcst(self):
from miasm2.expression.expression import ExprInt32, ExprOp
import miasm2.expression.stp # /!\ REALLY DIRTY HACK
args = [ExprInt32(i) for i in xrange(9)]
self.assertEqual(
ExprOp('|', *args[:2]).strcst(),
r'(0bin00000000000000000000000000000000 | 0bin00000000000000000000000000000001)'
)
self.assertEqual(
ExprOp('-', *args[:2]).strcst(),
r'BVUMINUS(0bin00000000000000000000000000000000)')
self.assertEqual(
ExprOp('+', *args[:3]).strcst(),
r'BVPLUS(32,BVPLUS(32,0bin00000000000000000000000000000000, 0bin00000000000000000000000000000001), 0bin00000000000000000000000000000010)'
)
self.assertRaises(ValueError, ExprOp('X', *args[:1]).strcst)
def decode(self, v):
v = v & self.lmask
self.expr = ExprInt32(v + 1)
return True
from pdb import pm
a = ExprId("a")
b = ExprId("b")
c = ExprId("c")
d = ExprId("d")
a_init = ExprId("a_init")
b_init = ExprId("b_init")
c_init = ExprId("c_init")
d_init = ExprId("d_init")
pc = ExprId("pc")
sp = ExprId("sp")
cst1 = ExprInt32(0x11)
cst2 = ExprInt32(0x12)
cst3 = ExprInt32(0x13)
lbl0 = asm_label("lbl0")
lbl1 = asm_label("lbl1")
lbl2 = asm_label("lbl2")
lbl3 = asm_label("lbl3")
lbl4 = asm_label("lbl4")
lbl5 = asm_label("lbl5")
lbl6 = asm_label("lbl6")
def gen_irbloc(lbl, exprs):
lines = [None for i in xrange(len(exprs))]
irb = irbloc(lbl, exprs, lines)
def test_ClassDef(self):
from miasm2.expression.expression import ExprInt32, ExprId, ExprMem, \
ExprCompose, ExprAff
from miasm2.arch.x86.sem import ir_x86_32
from miasm2.ir.symbexec import symbexec
addrX = ExprInt32(-1)
addr0 = ExprInt32(0)
addr1 = ExprInt32(1)
addr8 = ExprInt32(8)
addr9 = ExprInt32(9)
addr20 = ExprInt32(20)
addr40 = ExprInt32(40)
addr50 = ExprInt32(50)
mem0 = ExprMem(addr0)
mem1 = ExprMem(addr1)
mem8 = ExprMem(addr8)
mem9 = ExprMem(addr9)
mem20 = ExprMem(addr20)
mem40v = ExprMem(addr40, 8)
mem40w = ExprMem(addr40, 16)
mem50v = ExprMem(addr50, 8)
mem50w = ExprMem(addr50, 16)
id_x = ExprId('x')
id_y = ExprId('y', 8)
id_a = ExprId('a')
id_eax = ExprId('eax_init')
e = symbexec(
ir_x86_32(), {
mem0: id_x,
mem1: id_y,
mem9: id_x,
mem40w: id_x,
mem50v: id_y,
id_a: addr0,
id_eax: addr0
})
self.assertEqual(e.find_mem_by_addr(addr0), mem0)
self.assertEqual(e.find_mem_by_addr(addrX), None)
self.assertEqual(e.eval_ExprMem(ExprMem(addr1 - addr1)), id_x)
self.assertEqual(e.eval_ExprMem(ExprMem(addr1, 8)), id_y)
self.assertEqual(
e.eval_ExprMem(ExprMem(addr1 + addr1)),
ExprCompose([(id_x[16:32], 0, 16),
(ExprMem(ExprInt32(4), 16), 16, 32)]))
self.assertEqual(
e.eval_ExprMem(mem8),
ExprCompose([(id_x[0:24], 0, 24),
(ExprMem(ExprInt32(11), 8), 24, 32)]))
self.assertEqual(e.eval_ExprMem(mem40v), id_x[:8])
self.assertEqual(
e.eval_ExprMem(mem50w),
ExprCompose([(id_y, 0, 8), (ExprMem(ExprInt32(51), 8), 8, 16)]))
self.assertEqual(e.eval_ExprMem(mem20), mem20)
e.func_read = lambda x: x
self.assertEqual(e.eval_ExprMem(mem20), mem20)
self.assertEqual(set(e.modified()), set(e.symbols))
self.assertRaises(KeyError, e.symbols.__getitem__,
ExprMem(ExprInt32(100)))
self.assertEqual(e.apply_expr(id_eax), addr0)
self.assertEqual(e.apply_expr(ExprAff(id_eax, addr9)), addr9)
self.assertEqual(e.apply_expr(id_eax), addr9)
STEP_COUNTER = count()
A = ExprId("a")
B = ExprId("b")
C = ExprId("c")
D = ExprId("d")
R = ExprId("r")
A_INIT = ExprId("a_init")
B_INIT = ExprId("b_init")
C_INIT = ExprId("c_init")
D_INIT = ExprId("d_init")
PC = ExprId("pc")
SP = ExprId("sp")
CST0 = ExprInt32(0x0)
CST1 = ExprInt32(0x1)
CST2 = ExprInt32(0x2)
CST3 = ExprInt32(0x3)
CST22 = ExprInt32(0x22)
CST23 = ExprInt32(0x23)
CST24 = ExprInt32(0x24)
CST33 = ExprInt32(0x33)
CST35 = ExprInt32(0x35)
CST37 = ExprInt32(0x37)
LBL0 = asm_label("lbl0")
LBL1 = asm_label("lbl1")
LBL2 = asm_label("lbl2")
LBL3 = asm_label("lbl3")
LBL4 = asm_label("lbl4")
from pdb import pm
a = ExprId("a")
b = ExprId("b")
c = ExprId("c")
d = ExprId("d")
a_init = ExprId("a_init")
b_init = ExprId("b_init")
c_init = ExprId("c_init")
d_init = ExprId("d_init")
pc = ExprId("pc")
sp = ExprId("sp")
cst1 = ExprInt32(0x11)
cst2 = ExprInt32(0x12)
cst3 = ExprInt32(0x13)
lbl0 = asm_label("lbl0")
lbl1 = asm_label("lbl1")
lbl2 = asm_label("lbl2")
lbl3 = asm_label("lbl3")
lbl4 = asm_label("lbl4")
lbl5 = asm_label("lbl5")
lbl6 = asm_label("lbl6")
def gen_irbloc(lbl, exprs):
lines = [None for i in xrange(len(exprs))]
jitter.pc = 0
return True
myjit.push_uint32_t(0x1337beef)
myjit.add_breakpoint(0x1337beef, code_sentinelle)
# Run
myjit.init_run(run_addr)
myjit.continue_run()
# Check end
assert myjit.run is False
# Check resulting state / accessors
assert myjit.cpu.EAX == 0
assert myjit.cpu.ECX == 4
# Check eval_expr
eax = ExprId("RAX", 64)[:32]
imm0, imm4, imm4_64 = ExprInt32(0), ExprInt32(4), ExprInt64(4)
memdata = ExprMem(ExprInt32(run_addr), len(data) * 8)
assert myjit.eval_expr(eax) == imm0
## Due to ExprAff construction, imm4 is "promoted" to imm4_64
assert myjit.eval_expr(ExprAff(eax, imm4)) == imm4_64
assert myjit.eval_expr(eax) == imm4
## Changes must be passed on myjit.cpu instance
assert myjit.cpu.EAX == 4
## Memory
assert myjit.eval_expr(memdata).arg.arg == int(data[::-1].encode("hex"), 16)
def ast_int2expr(a):
return ExprInt32(a)
STEP_COUNTER = count()
A = ExprId("a")
B = ExprId("b")
C = ExprId("c")
D = ExprId("d")
R = ExprId("r")
A_INIT = ExprId("a_init")
B_INIT = ExprId("b_init")
C_INIT = ExprId("c_init")
D_INIT = ExprId("d_init")
PC = ExprId("pc")
SP = ExprId("sp")
CST0 = ExprInt32(0x0)
CST1 = ExprInt32(0x11)
CST2 = ExprInt32(0x12)
CST3 = ExprInt32(0x13)
CST22 = ExprInt32(0x22)
CST23 = ExprInt32(0x23)
CST24 = ExprInt32(0x24)
CST33 = ExprInt32(0x33)
CST35 = ExprInt32(0x35)
CST37 = ExprInt32(0x37)
LBL0 = asm_label("lbl0")
LBL1 = asm_label("lbl1")
LBL2 = asm_label("lbl2")
LBL3 = asm_label("lbl3")
LBL4 = asm_label("lbl4")
def test_ClassDef(self):
from miasm2.expression.expression import ExprInt32, ExprId, ExprMem, \
ExprCompose, ExprAff
from miasm2.arch.x86.sem import ir_x86_32
from miasm2.ir.symbexec import symbexec
from miasm2.ir.ir import AssignBlock
addrX = ExprInt32(-1)
addr0 = ExprInt32(0)
addr1 = ExprInt32(1)
addr8 = ExprInt32(8)
addr9 = ExprInt32(9)
addr20 = ExprInt32(20)
addr40 = ExprInt32(40)
addr50 = ExprInt32(50)
mem0 = ExprMem(addr0)
mem1 = ExprMem(addr1, 8)
mem8 = ExprMem(addr8)
mem9 = ExprMem(addr9)
mem20 = ExprMem(addr20)
mem40v = ExprMem(addr40, 8)
mem40w = ExprMem(addr40, 16)
mem50v = ExprMem(addr50, 8)
mem50w = ExprMem(addr50, 16)
id_x = ExprId('x')
id_y = ExprId('y', 8)
id_a = ExprId('a')
id_eax = ExprId('eax_init')
e = symbexec(
ir_x86_32(), {
mem0: id_x,
mem1: id_y,
mem9: id_x,
mem40w: id_x[:16],
mem50v: id_y,
id_a: addr0,
id_eax: addr0
})
self.assertEqual(e.find_mem_by_addr(addr0), mem0)
self.assertEqual(e.find_mem_by_addr(addrX), None)
self.assertEqual(e.eval_expr(ExprMem(addr1 - addr1)), id_x)
self.assertEqual(e.eval_expr(ExprMem(addr1, 8)), id_y)
self.assertEqual(e.eval_expr(ExprMem(addr1 + addr1)),
ExprCompose(id_x[16:32], ExprMem(ExprInt32(4), 16)))
self.assertEqual(e.eval_expr(mem8),
ExprCompose(id_x[0:24], ExprMem(ExprInt32(11), 8)))
self.assertEqual(e.eval_expr(mem40v), id_x[:8])
self.assertEqual(e.eval_expr(mem50w),
ExprCompose(id_y, ExprMem(ExprInt32(51), 8)))
self.assertEqual(e.eval_expr(mem20), mem20)
e.func_read = lambda x: x
self.assertEqual(e.eval_expr(mem20), mem20)
self.assertEqual(set(e.modified()), set(e.symbols))
self.assertRaises(KeyError, e.symbols.__getitem__,
ExprMem(ExprInt32(100)))
self.assertEqual(e.apply_expr(id_eax), addr0)
self.assertEqual(e.apply_expr(ExprAff(id_eax, addr9)), addr9)
self.assertEqual(e.apply_expr(id_eax), addr9)
# apply_change / eval_ir / apply_expr
## x = a (with a = 0x0)
assignblk = AssignBlock()
assignblk[id_x] = id_a
e.eval_ir(assignblk)
self.assertEqual(e.apply_expr(id_x), addr0)
## x = a (without replacing 'a' with 0x0)
e.apply_change(id_x, id_a)
self.assertEqual(e.apply_expr(id_x), id_a)
## x = a (with a = 0x0)
self.assertEqual(e.apply_expr(assignblk.dst2ExprAff(id_x)), addr0)
self.assertEqual(e.apply_expr(id_x), addr0)
a = ExprId("a")
b = ExprId("b")
c = ExprId("c")
d = ExprId("d")
r = ExprId("r")
a_init = ExprId("a_init")
b_init = ExprId("b_init")
c_init = ExprId("c_init")
d_init = ExprId("d_init")
r_init = ExprId("r_init") # Return register
pc = ExprId("pc")
sp = ExprId("sp")
CST1 = ExprInt32(0x11)
CST2 = ExprInt32(0x12)
CST3 = ExprInt32(0x13)
LBL0 = asm_label("lbl0")
LBL1 = asm_label("lbl1")
LBL2 = asm_label("lbl2")
LBL3 = asm_label("lbl3")
LBL4 = asm_label("lbl4")
LBL5 = asm_label("lbl5")
LBL6 = asm_label("lbl6")
def gen_irbloc(label, exprs_list):
lines = [None for _ in xrange(len(exprs_list))]
irs = []
def decode(self, v):
v = v & self.lmask
v = cpu.sign_ext(v, 16, 32)
self.expr = ExprInt32(v)
return True
for element in args.element:
try:
elements.add(regs[element.upper()])
except KeyError:
raise ValueError("Unknown element '%s'" % element)
mdis = machine.dis_engine(cont.bin_stream, dont_dis_nulstart_bloc=True)
ir_arch = machine.ira(mdis.symbol_pool)
# Common argument forms
init_ctx = {}
if args.rename_args:
if arch == "x86_32":
# StdCall example
for i in xrange(4):
e_mem = ExprMem(ExprId("ESP_init") + ExprInt32(4 * (i + 1)), 32)
init_ctx[e_mem] = ExprId("arg%d" % i)
# Disassemble the targeted function
blocks = mdis.dis_multibloc(int(args.func_addr, 0))
# Generate IR
for block in blocks:
ir_arch.add_bloc(block)
# Get the instance
dg = DependencyGraph(ir_arch,
implicit=args.implicit,
apply_simp=not (args.do_not_simplify),
follow_mem=not (args.unfollow_mem),
follow_call=not (args.unfollow_call))
def decode(self, v):
self.expr = ExprInt32(v - int(self.parent.epos.expr.arg) + 1)
return True