diff options
| -rw-r--r-- | miasm2/analysis/sandbox.py | 65 | ||||
| -rw-r--r-- | miasm2/arch/mips32/arch.py | 6 | ||||
| -rw-r--r-- | miasm2/arch/mips32/jit.py | 38 | ||||
| -rw-r--r-- | miasm2/arch/mips32/regs.py | 5 | ||||
| -rw-r--r-- | miasm2/arch/mips32/sem.py | 42 | ||||
| -rw-r--r-- | miasm2/jitter/arch/JitCore_mips32.c | 20 | ||||
| -rw-r--r-- | miasm2/jitter/arch/JitCore_mips32.h | 15 |
7 files changed, 185 insertions, 6 deletions
diff --git a/miasm2/analysis/sandbox.py b/miasm2/analysis/sandbox.py index 00865311..f29d1776 100644 --- a/miasm2/analysis/sandbox.py +++ b/miasm2/analysis/sandbox.py @@ -429,6 +429,20 @@ class Arch_armtl(Arch): self.jitter.init_stack() +class Arch_mips32b(Arch): + _ARCH_ = "mips32b" + STACK_SIZE = 0x100000 + STACK_BASE = 0x100000 + + def __init__(self, **kwargs): + super(Arch_mips32b, self).__init__(**kwargs) + + # Init stack + self.jitter.stack_size = self.STACK_SIZE + self.jitter.stack_base = self.STACK_BASE + self.jitter.init_stack() + + class Arch_aarch64l(Arch): _ARCH_ = "aarch64l" STACK_SIZE = 0x100000 @@ -745,6 +759,57 @@ class Sandbox_Linux_armtl(Sandbox, Arch_armtl, OS_Linux): super(self.__class__, self).call(prepare_cb, addr, *args) + +class Sandbox_Linux_mips32b(Sandbox, Arch_mips32b, OS_Linux): + + def __init__(self, *args, **kwargs): + Sandbox.__init__(self, *args, **kwargs) + + # Pre-stack some arguments + if self.options.mimic_env: + env_ptrs = [] + for env in self.envp: + env += "\x00" + self.jitter.cpu.SP -= len(env) + ptr = self.jitter.cpu.SP + self.jitter.vm.set_mem(ptr, env) + env_ptrs.append(ptr) + argv_ptrs = [] + for arg in self.argv: + arg += "\x00" + self.jitter.cpu.SP -= len(arg) + ptr = self.jitter.cpu.SP + self.jitter.vm.set_mem(ptr, arg) + argv_ptrs.append(ptr) + + self.jitter.push_uint32_t(0) + for ptr in reversed(env_ptrs): + self.jitter.push_uint32_t(ptr) + self.jitter.push_uint32_t(0) + for ptr in reversed(argv_ptrs): + self.jitter.push_uint32_t(ptr) + self.jitter.push_uint32_t(len(self.argv)) + + self.jitter.cpu.RA = 0x1337beef + + # Set the runtime guard + self.jitter.add_breakpoint(0x1337beef, self.__class__.code_sentinelle) + + def run(self, addr=None): + if addr is None and self.options.address is None: + addr = self.entry_point + super(Sandbox_Linux_mips32b, self).run(addr) + + def call(self, addr, *args, **kwargs): + """ + Direct call of the function at @addr, with arguments @args + @addr: address of the target function + @args: arguments + """ + prepare_cb = kwargs.pop('prepare_cb', self.jitter.func_prepare_systemv) + super(self.__class__, self).call(prepare_cb, addr, *args) + + class Sandbox_Linux_armb_str(Sandbox, Arch_armb, OS_Linux_str): def __init__(self, *args, **kwargs): diff --git a/miasm2/arch/mips32/arch.py b/miasm2/arch/mips32/arch.py index 3abdc053..86e91dee 100644 --- a/miasm2/arch/mips32/arch.py +++ b/miasm2/arch/mips32/arch.py @@ -605,6 +605,8 @@ bs_bcc = cpu.bs_name(l=5, name = {"BGEZ": 0b00001, }) +bs_code = cpu.bs(l=10) + mips32op("addi", [cpu.bs('001000'), rs, rt, s16imm], [rt, rs, s16imm]) mips32op("addiu", [cpu.bs('001001'), rs, rt, s16imm], [rt, rs, s16imm]) @@ -740,3 +742,7 @@ mips32op("tlbp", [cpu.bs('010000'), cpu.bs('1'), cpu.bs('0'*19), cpu.bs('001000')]) mips32op("tlbwi", [cpu.bs('010000'), cpu.bs('1'), cpu.bs('0'*19), cpu.bs('000010')]) + + +mips32op("teq", [cpu.bs('000000'), rs, rt, bs_code, cpu.bs('110100')], + [rs, rt]) diff --git a/miasm2/arch/mips32/jit.py b/miasm2/arch/mips32/jit.py index 1d2ec483..16d88067 100644 --- a/miasm2/arch/mips32/jit.py +++ b/miasm2/arch/mips32/jit.py @@ -1,6 +1,6 @@ import logging -from miasm2.jitter.jitload import jitter +from miasm2.jitter.jitload import jitter, named_arguments from miasm2.core import asmblock from miasm2.core.utils import pck32, upck32 from miasm2.arch.mips32.sem import ir_mips32l, ir_mips32b @@ -104,6 +104,42 @@ class jitter_mips32l(jitter): jitter.init_run(self, *args, **kwargs) self.cpu.PC = self.pc + # calling conventions + + @named_arguments + def func_args_stdcall(self, n_args): + args = [self.get_arg_n_stdcall(i) for i in xrange(n_args)] + ret_ad = self.cpu.RA + return ret_ad, args + + def func_ret_stdcall(self, ret_addr, ret_value1=None, ret_value2=None): + self.pc = self.cpu.PC = ret_addr + if ret_value1 is not None: + self.cpu.V0 = ret_value1 + if ret_value2 is not None: + self.cpu.V1 = ret_value2 + return True + + def func_prepare_stdcall(self, ret_addr, *args): + for index in xrange(min(len(args), 4)): + setattr(self.cpu, 'A%d' % index, args[index]) + for index in xrange(4, len(args)): + self.vm.set_mem(self.cpu.SP + 4 * (index - 4), pck32(args[index])) + self.cpu.RA = ret_addr + + def get_arg_n_stdcall(self, index): + if index < 4: + arg = getattr(self.cpu, 'A%d' % index) + else: + arg = self.get_stack_arg(index-4) + return arg + + + func_args_systemv = func_args_stdcall + func_ret_systemv = func_ret_stdcall + func_prepare_systemv = func_prepare_stdcall + get_arg_n_systemv = get_arg_n_stdcall + class jitter_mips32b(jitter_mips32l): diff --git a/miasm2/arch/mips32/regs.py b/miasm2/arch/mips32/regs.py index afade869..fadf7118 100644 --- a/miasm2/arch/mips32/regs.py +++ b/miasm2/arch/mips32/regs.py @@ -55,11 +55,10 @@ regs_flt_expr, regs_flt_init, fltregs = gen_regs(regs_flt_str, globals(), sz=64) regs_fcc_expr, regs_fcc_init, fccregs = gen_regs(regs_fcc_str, globals()) -all_regs_ids = [PC, PC_FETCH, R_LO, R_HI] + gpregs_expr + regs_flt_expr + \ +all_regs_ids = [PC, PC_FETCH, R_LO, R_HI, exception_flags] + gpregs_expr + regs_flt_expr + \ regs_fcc_expr + regs_cpr0_expr all_regs_ids_byname = dict([(x.name, x) for x in all_regs_ids]) -all_regs_ids_init = [PC_init, PC_FETCH_init, R_LO_init, R_HI_init] + \ - gpregs_init + regs_flt_init + regs_fcc_init + regs_cpr0_init +all_regs_ids_init = [ExprId("%s_init" % reg.name, reg.size) for reg in all_regs_ids] all_regs_ids_no_alias = all_regs_ids[:] attrib_to_regs = { diff --git a/miasm2/arch/mips32/sem.py b/miasm2/arch/mips32/sem.py index 789491f6..99c81a33 100644 --- a/miasm2/arch/mips32/sem.py +++ b/miasm2/arch/mips32/sem.py @@ -1,8 +1,9 @@ import miasm2.expression.expression as m2_expr -from miasm2.ir.ir import IntermediateRepresentation, IRBlock +from miasm2.ir.ir import IntermediateRepresentation, IRBlock, AssignBlock from miasm2.arch.mips32.arch import mn_mips32 -from miasm2.arch.mips32.regs import R_LO, R_HI, PC, RA +from miasm2.arch.mips32.regs import R_LO, R_HI, PC, RA, exception_flags from miasm2.core.sembuilder import SemBuilder +from miasm2.jitter.csts import EXCEPT_DIV_BY_ZERO # SemBuilder context @@ -377,6 +378,18 @@ def multu(arg1, arg2): R_HI = result[32:] @sbuild.parse +def div(arg1, arg2): + """Divide (signed) @arg1 by @arg2 and stores the remaining/result in $R_HI/$R_LO""" + R_LO = ExprOp('idiv' ,arg1, arg2) + R_HI = ExprOp('imod', arg1, arg2) + +@sbuild.parse +def divu(arg1, arg2): + """Divide (unsigned) @arg1 by @arg2 and stores the remaining/result in $R_HI/$R_LO""" + R_LO = ExprOp('udiv', arg1, arg2) + R_HI = ExprOp('umod', arg1, arg2) + +@sbuild.parse def mfhi(arg1): "The contents of register $R_HI are moved to the specified register @arg1." arg1 = R_HI @@ -398,6 +411,30 @@ def ei(arg1): def ehb(arg1): "NOP" + +def teq(ir, instr, arg1, arg2): + e = [] + + lbl_except, lbl_except_expr = ir.gen_label_and_expr(ir.IRDst.size) + lbl_next = ir.get_next_label(instr) + lbl_next_expr = m2_expr.ExprId(lbl_next, ir.IRDst.size) + + do_except = [] + do_except.append(m2_expr.ExprAff(exception_flags, m2_expr.ExprInt( + EXCEPT_DIV_BY_ZERO, exception_flags.size))) + do_except.append(m2_expr.ExprAff(ir.IRDst, lbl_next_expr)) + blk_except = IRBlock(lbl_except, [AssignBlock(do_except, instr)]) + + cond = arg1 - arg2 + + + e = [] + e.append(m2_expr.ExprAff(ir.IRDst, + m2_expr.ExprCond(cond, lbl_next_expr, lbl_except_expr))) + + return e, [blk_except] + + mnemo_func = sbuild.functions mnemo_func.update({ 'add.d': add_d, @@ -423,6 +460,7 @@ mnemo_func.update({ 'subu': l_sub, 'xor': l_xor, 'xori': l_xor, + 'teq': teq, }) def get_mnemo_expr(ir, instr, *args): diff --git a/miasm2/jitter/arch/JitCore_mips32.c b/miasm2/jitter/arch/JitCore_mips32.c index 19b24f1f..7722c055 100644 --- a/miasm2/jitter/arch/JitCore_mips32.c +++ b/miasm2/jitter/arch/JitCore_mips32.c @@ -220,6 +220,26 @@ void check_automod(JitCpu* jitcpu, uint64_t addr, uint64_t size) } + +UDIV(16) +UDIV(32) +UDIV(64) + +UMOD(16) +UMOD(32) +UMOD(64) + + +IDIV(16) +IDIV(32) +IDIV(64) + +IMOD(16) +IMOD(32) +IMOD(64) + + + void MEM_WRITE_08(JitCpu* jitcpu, uint64_t addr, uint8_t src) { vm_MEM_WRITE_08(&((VmMngr*)jitcpu->pyvm)->vm_mngr, addr, src); diff --git a/miasm2/jitter/arch/JitCore_mips32.h b/miasm2/jitter/arch/JitCore_mips32.h index ff2045d7..b45cac2b 100644 --- a/miasm2/jitter/arch/JitCore_mips32.h +++ b/miasm2/jitter/arch/JitCore_mips32.h @@ -335,4 +335,19 @@ typedef struct { void dump_gpregs(vm_cpu_t* vmcpu); +uint64_t udiv64(vm_cpu_t* vmcpu, uint64_t a, uint64_t b); +uint64_t umod64(vm_cpu_t* vmcpu, uint64_t a, uint64_t b); +int64_t idiv64(vm_cpu_t* vmcpu, int64_t a, int64_t b); +int64_t imod64(vm_cpu_t* vmcpu, int64_t a, int64_t b); + +uint32_t udiv32(vm_cpu_t* vmcpu, uint32_t a, uint32_t b); +uint32_t umod32(vm_cpu_t* vmcpu, uint32_t a, uint32_t b); +int32_t idiv32(vm_cpu_t* vmcpu, int32_t a, int32_t b); +int32_t imod32(vm_cpu_t* vmcpu, int32_t a, int32_t b); + +uint16_t udiv16(vm_cpu_t* vmcpu, uint16_t a, uint16_t b); +uint16_t umod16(vm_cpu_t* vmcpu, uint16_t a, uint16_t b); +int16_t idiv16(vm_cpu_t* vmcpu, int16_t a, int16_t b); +int16_t imod16(vm_cpu_t* vmcpu, int16_t a, int16_t b); + #define RETURN_PC return BlockDst; |