JonathanSalwan / Triton

Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.
https://triton-library.github.io
Apache License 2.0

Support for ARM32 ldm<amode> #1278

Open pdamian opened 10 months ago

pdamian commented 10 months ago

Would it be possible to add support for the different <amode> variants (DA: Decrement After, DB: Decrement Before, IA: Increment After and IB: Increment Before) in instructions such as ldm (or stm)? These currently seem not to be supported (see the example below). Example:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from triton import ARCH, EXCEPTION, Instruction, MemoryAccess, MODE, TritonContext

function = {
    0x8000: b"\x06\x00\x90\xe8", # ldm r0, {r1, r2}
    0x8004: b"\x06\x00\x10\xe9", # ldmdb r0, {r1, r2}
}

ctx = TritonContext(ARCH.ARM32)
ctx.setMode(MODE.ALIGNED_MEMORY, True)
ctx.setThumb(False)

ctx.setConcreteRegisterValue(ctx.registers.r0, 0x1000)
ctx.setConcreteMemoryValue(MemoryAccess(0x0ff8, 4), 0x0ff8)
ctx.setConcreteMemoryValue(MemoryAccess(0x0ffc, 4), 0x0ffc)
ctx.setConcreteMemoryValue(MemoryAccess(0x1000, 4), 0x1000)
ctx.setConcreteMemoryValue(MemoryAccess(0x1004, 4), 0x1004)

pc = 0x8000
while pc in function:
    inst = Instruction(pc, function[pc])
    e = ctx.processing(inst)
    print(inst)
    if e != EXCEPTION.NO_FAULT:
        print(f"\tException = {e:d}")
        break
    r0 = ctx.getConcreteRegisterValue(ctx.registers.r0)
    r1 = ctx.getConcreteRegisterValue(ctx.registers.r1)
    r2 = ctx.getConcreteRegisterValue(ctx.registers.r2)
    print(f"\tr0 = 0x{r0:x}")
    print(f"\tr1 = 0x{r1:x}")
    print(f"\tr2 = 0x{r2:x}")
    pc = ctx.getConcreteRegisterValue(ctx.registers.pc)

Output:

0x8000: ldm r0, {r1, r2}
        r0 = 0x1000
        r1 = 0x1000
        r2 = 0x1004
0x8004: ldmdb r0, {r1, r2}
        Exception = 3
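As an added example (not part of the original issue, and not Triton's code), the four addressing modes can be pinned down by decoding the P and U bits of the A32 LDM/STM encoding and computing the accessed addresses the way the ARM Architecture Reference Manual defines them. Run against a constructed register/memory state that mirrors the script above, it shows what `ldmdb r0, {r1, r2}` should have produced (r1 = 0x0ff8, r2 = 0x0ffc), plus the DA case and a writeback `stmdb sp!` (the `push` idiom). All function names and the `regs`/`mem` dictionaries are the example's own; the model deliberately ignores the condition field and the UNPREDICTABLE cases (Rn in the list with writeback, PC in the list).

```python
import struct

# Constructed reference model for the A32 LDM/STM family (example code, not Triton's
# implementation). Encoding, bits 31..0:
#   cond[31:28] 100[27:25] P[24] U[23] S[22] W[21] L[20] Rn[19:16] register_list[15:0]
# P (pre/post-index) and U (up/down) select the addressing-mode suffix:
AMODES = {
    (0, 1): "ia",  # increment after  (the plain "ldm"/"stm" spelling)
    (1, 1): "ib",  # increment before
    (0, 0): "da",  # decrement after
    (1, 0): "db",  # decrement before ("push" is stmdb sp!)
}


def decode_ldm_stm(code: bytes) -> dict:
    """Decode one little-endian A32 LDM/STM word; raise ValueError for other encodings."""
    (insn,) = struct.unpack("<I", code)
    if (insn >> 25) & 0b111 != 0b100:
        raise ValueError(f"not a block data transfer: {insn:#010x}")
    p, u, w, l = ((insn >> b) & 1 for b in (24, 23, 21, 20))
    rn = (insn >> 16) & 0xF
    regs = [r for r in range(16) if (insn >> r) & 1]  # lowest register <-> lowest address
    return {
        "mnemonic": ("ldm" if l else "stm") + AMODES[(p, u)],
        "amode": AMODES[(p, u)],
        "load": bool(l),
        "writeback": bool(w),
        "rn": rn,
        "regs": regs,
    }


def block_addresses(base: int, amode: str, nregs: int):
    """Word addresses touched (in register-list order) and the written-back base, per the ARM ARM."""
    size = 4 * nregs
    if amode == "ia":
        start, new_base = base, base + size
    elif amode == "ib":
        start, new_base = base + 4, base + size
    elif amode == "da":
        start, new_base = base - size + 4, base - size
    else:  # "db"
        start, new_base = base - size, base - size
    return [(start + 4 * i) & 0xFFFFFFFF for i in range(nregs)], new_base & 0xFFFFFFFF


def execute(code: bytes, regs: dict, mem: dict) -> str:
    """Apply one LDM/STM to a register dict and a word-addressed memory dict; return the mnemonic.

    The condition field and the UNPREDICTABLE cases (Rn in the list with writeback,
    PC in the list) are not modelled; an unmapped word address raises KeyError.
    """
    d = decode_ldm_stm(code)
    addrs, new_base = block_addresses(regs[d["rn"]], d["amode"], len(d["regs"]))
    for r, a in zip(d["regs"], addrs):
        if d["load"]:
            regs[r] = mem[a]
        else:
            mem[a] = regs[r]
    if d["writeback"]:
        regs[d["rn"]] = new_base
    return d["mnemonic"]


def run_example() -> list:
    """Constructed state mirroring the issue's script: r0 = 0x1000 and four words equal to their address."""
    regs = {0: 0x1000, 1: 0, 2: 0, 4: 0xAAAA, 13: 0x1000, 14: 0xBBBB}
    mem = {a: a for a in (0x0FF8, 0x0FFC, 0x1000, 0x1004)}
    program = (
        b"\x06\x00\x90\xe8",  # ldm   r0, {r1, r2}   (IA: reads 0x1000, 0x1004)
        b"\x06\x00\x10\xe9",  # ldmdb r0, {r1, r2}   (DB: reads 0x0ff8, 0x0ffc)
        b"\x06\x00\x10\xe8",  # ldmda r0, {r1, r2}   (DA: reads 0x0ffc, 0x1000)
        b"\x10\x40\x2d\xe9",  # stmdb sp!, {r4, lr}  (push: writes 0x0ff8, 0x0ffc; sp -= 8)
    )
    trace = []
    for code in program:
        mnemonic = execute(code, regs, mem)
        trace.append((mnemonic, dict(regs), dict(mem)))  # snapshot after each step
    return trace


if __name__ == "__main__":
    for mnemonic, r, _ in run_example():
        print(f"{mnemonic:<6} r0={r[0]:#06x} r1={r[1]:#06x} r2={r[2]:#06x} sp={r[13]:#06x}")
```

The first step reproduces Triton's output for `ldm r0, {r1, r2}`; the second gives the values the `ldmdb` step should load instead of faulting. Note that without the `!` (W bit) none of the three loads changes r0, whereas `stmdb sp!` leaves sp pointing at the lowest word written.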
cnheitman commented 10 months ago

Hi @pdamian ! I can take a look at this and try to implement the missing modes in the upcoming weeks.

m4drat commented 6 months ago

Hi! While playing with https://github.com/quarkslab/tritondse/ and an ARM32 target I also encountered this problem. Are there any updates on the implementation of these instructions?

cnheitman commented 6 months ago

Hi @m4drat ! Unfortunately I did not have much time to spend on this. It is still on my todo list but I cannot give an estimate on when I'll be able to do it.

m4drat commented 6 months ago

Thanks for the answer. Got it! I've come across a couple of other instructions that seem to need to be implemented as well, so I might work on this and related issues in the future. Of course, only if it makes sense for the project I'm working on right now.

cnheitman commented 6 months ago

Great! Any PR will be very much appreciated :D