diff options
Diffstat (limited to 'example')
| -rw-r--r-- | example/asm_x86.py | 60 | ||||
| -rw-r--r-- | example/expression/manip_expression2.py | 10 | ||||
| -rw-r--r-- | example/expression/manip_expression4.py | 34 | ||||
| -rw-r--r-- | example/expression/manip_expression6.py | 16 | ||||
| -rw-r--r-- | example/expression/solve_condition_stp.py | 37 | ||||
| -rw-r--r-- | example/symbol_exec.py | 2 | ||||
| -rw-r--r-- | example/test_dis.py | 12 | ||||
| -rw-r--r-- | example/test_ida.py | 74 | ||||
| -rw-r--r-- | example/test_jit_arm.py | 2 |
9 files changed, 137 insertions, 110 deletions
diff --git a/example/asm_x86.py b/example/asm_x86.py index 3e0ab1bb..92d5029a 100644 --- a/example/asm_x86.py +++ b/example/asm_x86.py @@ -22,27 +22,49 @@ base_expr.setParseAction(my_var_parser) blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' main: - PUSH EBP - MOV EBP, ESP - SUB ESP, 0x100 - MOV EAX, 0x1337 - LEA ESI, DWORD PTR [mystr] - CALL toto -toto: - POP EDI - - PUSH 0 - FLD1 - FLD1 - FADD ST, ST(1) - FIST DWORD PTR [ESP] - POP EAX - - MOV ESP, EBP - POP EBP - RET + PUSH EBP + MOV EBP, ESP + SUB ESP, 0x100 + MOV EAX, 0x1337 + ; test ptr manip + LEA ESI, DWORD PTR [mystr^toto] + CALL toto mystr: .string "test string" + toto: + POP EDI + + PUSH EDI + ; test scasb + XOR EAX, EAX + XOR ECX, ECX + DEC ECX + REPNE SCASB + NOT ECX + DEC ECX + + ; test movsb + POP ESI + LEA EDI, DWORD PTR [EBP-0x100] + REPE MOVSB + + ; test float + PUSH 0 + FLD1 + FLD1 + FADD ST, ST(1) + FIST DWORD PTR [ESP] + POP EAX + + ; test cond mnemo + NOP + NOP + CMOVZ EAX, EBX + MOV ESP, EBP + POP EBP + RET + + ''') # fix shellcode addr diff --git a/example/expression/manip_expression2.py b/example/expression/manip_expression2.py index 4153f875..faa3f9df 100644 --- a/example/expression/manip_expression2.py +++ b/example/expression/manip_expression2.py @@ -7,20 +7,20 @@ Get read/written registers for a given instruction """ arch = mn_x86 -my_ir = ir_a_x86_32() +ir_arch = ir_a_x86_32() l = arch.fromstring('LODSB', 32) l.offset, l.l = 0, 15 -my_ir.add_instr(l) +ir_arch.add_instr(l) print '*' * 80 -for lbl, b in my_ir.blocs.items(): +for lbl, b in ir_arch.blocs.items(): print b for irs in b.irs: o_r, o_w = get_rw(irs) print 'read: ', [str(x) for x in o_r] print 'written:', [str(x) for x in o_w] print -my_ir.gen_graph() -g = my_ir.graph() +ir_arch.gen_graph() +g = ir_arch.graph() open('graph_instr.txt', 'w').write(g) diff --git a/example/expression/manip_expression4.py b/example/expression/manip_expression4.py index f4a55a3c..bbf721f7 100644 --- a/example/expression/manip_expression4.py +++ b/example/expression/manip_expression4.py @@ -71,11 +71,11 @@ def get_modified_symbols(sb): return out -def intra_bloc_flow_symb(my_ir, flow_graph, irbloc): +def intra_bloc_flow_symb(ir_arch, flow_graph, irbloc): symbols_init = {} for i, r in enumerate(all_regs_ids): symbols_init[r] = all_regs_ids_init[i] - sb = symbexec(mn_x86, symbols_init) + sb = symbexec(ir_arch, symbols_init) sb.emulbloc(irbloc) print '*' * 40 print irbloc @@ -138,19 +138,19 @@ def node2str(self, n): return out -def gen_bloc_data_flow_graph(my_ir, in_str, ad): # arch, attrib, pool_bin, bloc, symbol_pool): +def gen_bloc_data_flow_graph(ir_arch, in_str, ad): # arch, attrib, pool_bin, bloc, symbol_pool): out_str = "" - # my_ir = ir_x86_32(symbol_pool) + # ir_arch = ir_x86_32(symbol_pool) - for irbloc in my_ir.blocs.values(): + for irbloc in ir_arch.blocs.values(): print irbloc - my_ir.gen_graph() - my_ir.dead_simp() + ir_arch.gen_graph() + ir_arch.dead_simp() irbloc_0 = None - for irbloc in my_ir.blocs.values(): + for irbloc in ir_arch.blocs.values(): if irbloc.label.offset == ad: irbloc_0 = irbloc break @@ -162,17 +162,17 @@ def gen_bloc_data_flow_graph(my_ir, in_str, ad): # arch, attrib, pool_bin, bloc bloc2w = {} - for irbloc in my_ir.blocs.values(): - intra_bloc_flow_raw(my_ir, flow_graph, irbloc) - # intra_bloc_flow_symb(my_ir, flow_graph, irbloc) + for irbloc in ir_arch.blocs.values(): + intra_bloc_flow_raw(ir_arch, flow_graph, irbloc) + # intra_bloc_flow_symb(ir_arch, flow_graph, irbloc) - for irbloc in my_ir.blocs.values(): + for irbloc in ir_arch.blocs.values(): print irbloc print 'IN', [str(x) for x in irbloc.in_nodes] print 'OUT', [str(x) for x in irbloc.out_nodes] print '*' * 20, 'interbloc', '*' * 20 - inter_bloc_flow(my_ir, flow_graph, irbloc_0.label) + inter_bloc_flow(ir_arch, flow_graph, irbloc_0.label) # sys.path.append('/home/serpilliere/projet/m2_devel/miasm2/core') # from graph_qt import graph_qt @@ -191,19 +191,19 @@ print 'ok' print 'generating dataflow graph for:' -my_ir = ir_a_x86_32(mdis.symbol_pool) +ir_arch = ir_a_x86_32(mdis.symbol_pool) blocs = ab for bloc in blocs: print bloc - my_ir.add_bloc(bloc) -for irbloc in my_ir.blocs.values(): + ir_arch.add_bloc(bloc) +for irbloc in ir_arch.blocs.values(): print irbloc if irbloc.label.offset != 0: continue -out_str = gen_bloc_data_flow_graph(my_ir, mdis.bs, ad) +out_str = gen_bloc_data_flow_graph(ir_arch, mdis.bs, ad) print '*' * 40 print """ diff --git a/example/expression/manip_expression6.py b/example/expression/manip_expression6.py index 45a6c8c1..b5fe0ec5 100644 --- a/example/expression/manip_expression6.py +++ b/example/expression/manip_expression6.py @@ -42,26 +42,26 @@ print symbol_pool resolved_b, patches = asmbloc.asm_resolve_final(mn_x86, 32, blocs, symbol_pool) # Translate to IR -my_ir = ir_a_x86_32(symbol_pool) +ir_arch = ir_a_x86_32(symbol_pool) for b in blocs: print 'add bloc' print b - my_ir.add_bloc(b) + ir_arch.add_bloc(b) # Display IR -for lbl, b in my_ir.blocs.items(): +for lbl, b in ir_arch.blocs.items(): print b # Dead propagation -my_ir.gen_graph() -out = my_ir.graph() +ir_arch.gen_graph() +out = ir_arch.graph() open('graph.txt', 'w').write(out) print '*' * 80 -my_ir.dead_simp() -out2 = my_ir.graph() +ir_arch.dead_simp() +out2 = ir_arch.graph() open('graph2.txt', 'w').write(out2) # Display new IR print 'new ir blocs' -for lbl, b in my_ir.blocs.items(): +for lbl, b in ir_arch.blocs.items(): print b diff --git a/example/expression/solve_condition_stp.py b/example/expression/solve_condition_stp.py index 828629fc..659124d1 100644 --- a/example/expression/solve_condition_stp.py +++ b/example/expression/solve_condition_stp.py @@ -17,6 +17,8 @@ from elfesteem.strpatchwork import StrPatchwork from miasm2.arch.x86.disasm import dis_x86_32 as dis_engine +from pdb import pm + filename = os.environ.get('PYTHONSTARTUP') if filename and os.path.isfile(filename): @@ -35,22 +37,22 @@ if not args: sys.exit(0) -def get_bloc(my_ir, mdis, ad): +def get_bloc(ir_arch, mdis, ad): if isinstance(ad, asmbloc.asm_label): l = ad else: l = mdis.symbol_pool.getby_offset_create(ad) - if not l in my_ir.blocs: + if not l in ir_arch.blocs: ad = l.offset b = mdis.dis_bloc(ad) - my_ir.add_bloc(b) - b = my_ir.get_bloc(l) + ir_arch.add_bloc(b) + b = ir_arch.get_bloc(l) if b is None: raise LookupError('no bloc found at that address: %s' % l) return b -def emul_symb(my_ir, mdis, states_todo, states_done): +def emul_symb(ir_arch, mdis, states_todo, states_done): while states_todo: ad, symbols, conds = states_todo.pop() print '*' * 40, "addr", ad, '*' * 40 @@ -58,11 +60,11 @@ def emul_symb(my_ir, mdis, states_todo, states_done): print 'skip', ad continue states_done.add((ad, symbols, conds)) - sb = symbexec(mn, {}) + sb = symbexec(ir_arch, {}) sb.symbols = symbols.copy() - if my_ir.pc in sb.symbols: - del(sb.symbols[my_ir.pc]) - b = get_bloc(my_ir, mdis, ad) + if ir_arch.pc in sb.symbols: + del(sb.symbols[ir_arch.pc]) + b = get_bloc(ir_arch, mdis, ad) print 'run bloc' print b @@ -156,7 +158,9 @@ if __name__ == '__main__': my_symbols = dict([(x.name, x) for x in my_symbols]) my_symbols.update(mn_x86.regs.all_regs_ids_byname) - sb = symbexec(mn, symbols_init) + ir_arch = ir_x86_32(mdis.symbol_pool) + + sb = symbexec(ir_arch, symbols_init) blocs, symbol_pool = parse_asm.parse_txt(mn_x86, 32, ''' PUSH argv @@ -164,27 +168,26 @@ if __name__ == '__main__': PUSH ret_addr ''') - my_ir = ir_x86_32(mdis.symbol_pool) b = blocs[0][0] print b # add fake address and len to parsed instructions for i, l in enumerate(b.lines): l.offset, l.l = i, 1 - my_ir.add_bloc(b) - irb = get_bloc(my_ir, mdis, 0) + ir_arch.add_bloc(b) + irb = get_bloc(ir_arch, mdis, 0) sb.emulbloc(irb) sb.dump_mem() - # reset my_ir blocs - my_ir.blocs = {} + # reset ir_arch blocs + ir_arch.blocs = {} states_todo = set() states_done = set() states_todo.add((uint32(ad), sb.symbols, ())) # emul blocs, propagate states - emul_symb(my_ir, mdis, states_todo, states_done) + emul_symb(ir_arch, mdis, states_todo, states_done) all_info = [] @@ -199,7 +202,7 @@ if __name__ == '__main__': all_cases = set() - sb = symbexec(mn, symbols_init) + sb = symbexec(ir_arch, symbols_init) for ad, reqs_cond in all_info: all_ids = set() for k, v in reqs_cond: diff --git a/example/symbol_exec.py b/example/symbol_exec.py index 6d7457aa..416909f2 100644 --- a/example/symbol_exec.py +++ b/example/symbol_exec.py @@ -21,7 +21,7 @@ for bbl in disasm: ir.add_bloc(bbl) symbols_init = {} for i, r in enumerate(all_regs_ids): symbols_init[r] = all_regs_ids_init[i] -symb = symbexec(mn_x86, symbols_init) +symb = symbexec(ir, symbols_init) block = ir.get_bloc(0) diff --git a/example/test_dis.py b/example/test_dis.py index ef314893..dc3f7274 100644 --- a/example/test_dis.py +++ b/example/test_dis.py @@ -223,19 +223,19 @@ log.info('total lines %s' % total_l) if options.gen_ir: log.info("generating IR") - my_ir = ira(mdis.symbol_pool) - my_ir.blocs = {} + ir_arch = ira(mdis.symbol_pool) + ir_arch.blocs = {} for ad, all_bloc in all_funcs_blocs.items(): log.info("generating IR... %x" % ad) for b in all_bloc: - my_ir.add_bloc(b) + ir_arch.add_bloc(b) log.info("Gen Graph... %x" % ad) - my_ir.gen_graph() + ir_arch.gen_graph() if options.simplify: - my_ir.dead_simp() + ir_arch.dead_simp() - out = my_ir.graph() + out = ir_arch.graph() open('graph_irflow.txt', 'w').write(out) diff --git a/example/test_ida.py b/example/test_ida.py index 405696de..5ea32395 100644 --- a/example/test_ida.py +++ b/example/test_ida.py @@ -52,21 +52,21 @@ class bin_stream_ida(bin_stream_str): return 0x7FFFFFFF - self.offset - self.shift -def expr2colorstr(my_ir, e): +def expr2colorstr(ir_arch, e): # print "XXX", e if isinstance(e, ExprId): s = str(e) - if e in my_ir.arch.regs.all_regs_ids: + if e in ir_arch.arch.regs.all_regs_ids: s = idaapi.COLSTR(s, idaapi.SCOLOR_REG) elif isinstance(e, ExprInt): s = str(e) s = idaapi.COLSTR(s, idaapi.SCOLOR_NUMBER) elif isinstance(e, ExprMem): - s = '@%d[%s]' % (e.size, expr2colorstr(my_ir, e.arg)) + s = '@%d[%s]' % (e.size, expr2colorstr(ir_arch, e.arg)) elif isinstance(e, ExprOp): out = [] for a in e.args: - s = expr2colorstr(my_ir, a) + s = expr2colorstr(ir_arch, a) if isinstance(a, ExprOp): s = "(%s)" % s out.append(s) @@ -76,14 +76,14 @@ def expr2colorstr(my_ir, e): s = (" " + e.op + " ").join(out) elif isinstance(e, ExprAff): s = "%s = %s" % ( - expr2colorstr(my_ir, e.dst), expr2colorstr(my_ir, e.src)) + expr2colorstr(ir_arch, e.dst), expr2colorstr(ir_arch, e.src)) elif isinstance(e, ExprCond): - cond = expr2colorstr(my_ir, e.cond) - src1 = expr2colorstr(my_ir, e.src1) - src2 = expr2colorstr(my_ir, e.src2) + cond = expr2colorstr(ir_arch, e.cond) + src1 = expr2colorstr(ir_arch, e.src1) + src2 = expr2colorstr(ir_arch, e.src2) s = "(%s?%s:%s)" % (cond, src1, src2) elif isinstance(e, ExprSlice): - s = "(%s)[%d:%d]" % (expr2colorstr(my_ir, e.arg), e.start, e.stop) + s = "(%s)[%d:%d]" % (expr2colorstr(ir_arch, e.arg), e.start, e.stop) else: s = str(e) # print repr(s) @@ -97,7 +97,7 @@ def color_irbloc(irbloc): o.append(lbl) for i, expr in enumerate(irbloc.irs): for e in expr: - s = expr2colorstr(my_ir, e) + s = expr2colorstr(ir_arch, e) s = idaapi.COLSTR(s, idaapi.SCOLOR_INSN) o.append(' %s' % s) o.append("") @@ -112,10 +112,10 @@ def color_irbloc(irbloc): class GraphMiasmIR(GraphViewer): - def __init__(self, my_ir, title, result): + def __init__(self, ir_arch, title, result): GraphViewer.__init__(self, title) print 'init' - self.my_ir = my_ir + self.ir_arch = ir_arch self.result = result self.names = {} @@ -123,22 +123,22 @@ class GraphMiasmIR(GraphViewer): print 'refresh' self.Clear() addr_id = {} - for irbloc in self.my_ir.blocs.values(): + for irbloc in self.ir_arch.blocs.values(): id_irbloc = self.AddNode(color_irbloc(irbloc)) addr_id[irbloc] = id_irbloc - for irbloc in self.my_ir.blocs.values(): + for irbloc in self.ir_arch.blocs.values(): if not irbloc: continue - dst = my_ir.dst_trackback(irbloc) + dst = ir_arch.dst_trackback(irbloc) for d in dst: - if not self.my_ir.ExprIsLabel(d): + if not self.ir_arch.ExprIsLabel(d): continue d = d.name - if not d in self.my_ir.blocs: + if not d in self.ir_arch.blocs: continue - b = self.my_ir.blocs[d] + b = self.ir_arch.blocs[d] node1 = addr_id[irbloc] node2 = addr_id[b] self.AddEdge(node1, node2) @@ -228,7 +228,7 @@ print fname bs = bin_stream_ida() mdis = dis_engine(bs) -my_ir = ira(mdis.symbol_pool) +ir_arch = ira(mdis.symbol_pool) # populate symbols with ida names for ad, name in Names(): @@ -253,24 +253,24 @@ print "generating IR... %x" % ad for b in ab: print 'ADD' print b - my_ir.add_bloc(b) + ir_arch.add_bloc(b) print "IR ok... %x" % ad -for irb in my_ir.blocs.values(): +for irb in ir_arch.blocs.values(): for irs in irb.irs: for i, e in enumerate(irs): e.dst, e.src = expr_simp(e.dst), expr_simp(e.src) -my_ir.gen_graph() -out = my_ir.graph() +ir_arch.gen_graph() +out = ir_arch.graph() open('/tmp/graph.txt', 'w').write(out) -# my_ir.dead_simp() +# ir_arch.dead_simp() -g = GraphMiasmIR(my_ir, "Miasm IR graph", None) +g = GraphMiasmIR(ir_arch, "Miasm IR graph", None) def mycb(*test): @@ -319,14 +319,14 @@ def get_modified_symbols(sb): return out -def gen_bloc_data_flow_graph(my_ir, in_str, ad): # arch, attrib, pool_bin, bloc, symbol_pool): +def gen_bloc_data_flow_graph(ir_arch, in_str, ad): # arch, attrib, pool_bin, bloc, symbol_pool): out_str = "" - my_ir.gen_graph() - # my_ir.dead_simp() + ir_arch.gen_graph() + # ir_arch.dead_simp() irbloc_0 = None - for irbloc in my_ir.blocs.values(): + for irbloc in ir_arch.blocs.values(): if irbloc.label.offset == ad: irbloc_0 = irbloc break @@ -337,23 +337,23 @@ def gen_bloc_data_flow_graph(my_ir, in_str, ad): # arch, attrib, pool_bin, bloc bloc2w = {} - for irbloc in my_ir.blocs.values(): - # intra_bloc_flow_raw(my_ir, flow_graph, irbloc) - intra_bloc_flow_symbexec(my_ir, flow_graph, irbloc) - # intra_bloc_flow_symb(my_ir, flow_graph, irbloc) + for irbloc in ir_arch.blocs.values(): + # intra_bloc_flow_raw(ir_arch, flow_graph, irbloc) + intra_bloc_flow_symbexec(ir_arch, flow_graph, irbloc) + # intra_bloc_flow_symb(ir_arch, flow_graph, irbloc) - for irbloc in my_ir.blocs.values(): + for irbloc in ir_arch.blocs.values(): print irbloc print 'IN', [str(x) for x in irbloc.in_nodes] print 'OUT', [str(x) for x in irbloc.out_nodes] print '*' * 20, 'interbloc', '*' * 20 - inter_bloc_flow(my_ir, flow_graph, irbloc_0.label, False) + inter_bloc_flow(ir_arch, flow_graph, irbloc_0.label, False) print 'Dataflow roots:' for node in flow_graph.roots(): lbl, i, n = node - if n in my_ir.arch.regs.all_regs_ids: + if n in ir_arch.arch.regs.all_regs_ids: print node open('data.txt', 'w').write(flow_graph.dot()) @@ -408,7 +408,7 @@ class GraphMiasmIRFlow(GraphViewer): #print "gen bloc data flow" -#flow_graph = gen_bloc_data_flow_graph(my_ir, bs, ad) +#flow_graph = gen_bloc_data_flow_graph(ir_arch, bs, ad) #def node2str(self, n): # return "%s, %s\\l%s" % n #flow_graph.node2str = lambda n: node2str(flow_graph, n) diff --git a/example/test_jit_arm.py b/example/test_jit_arm.py index e73f22db..df36ce16 100644 --- a/example/test_jit_arm.py +++ b/example/test_jit_arm.py @@ -6,6 +6,8 @@ from miasm2.analysis import debugging, gdbserver from miasm2.jitter.jitload import vm_load_elf, libimp, preload_elf from miasm2.analysis.machine import Machine +from pdb import pm + parser = ArgumentParser( description="""Sandbox an elf binary with arm engine (ex: test_jit_arm.py example/md5_arm A684)""") |