serpilliere
commented
3 years ago Hi @P1224 When doing memory propagation, Miasm has some hypothesis and constraints. For example: if you have the following sequence of assignments (suppose memory accesses are 1 byte long:
[A] = 1
[A+4] = 2
B = [A]the [A] = 1 can be propagated through the [A+4] = 2, has [A] and [A+4] won't interfer here. So we will have:
[A] = 1
[A+4] = 2
B = 1The rule is: we can compare two 'symbolic' memory values based on the same symbolic pointer (Ex [A] and [A+1]. But we cannot determine if 2 symbolic memories based on different symbolic base pointer (Ex: [A] and [B+1]``) This is because we know that[A]and[A+1]won't alias (ok, there may be special cases with dual mapped memory) but[A]and[B+1]` may alias here.
But in your case, I think this should be ok. So I recoded your example. First the source::
main:
MOV EAX, EDX
AND EAX, 1
MOV DWORD PTR [ESI + 4], 0x123
MOV DWORD PTR [ESI], 0x456
MOV EDX, DWORD PTR [ESI + EAX * 4]
MOV EAX, EDX
RETThen the test code. It's a merge between miasm/example/disasm/dis_binary_lift_model_call.py and miasm/example/expression/simplification_add.py:
from __future__ import print_function
import sys
from future.utils import viewvalues
from miasm.analysis.binary import Container
from miasm.analysis.machine import Machine
from miasm.core.locationdb import LocationDB
from miasm.analysis.simplifier import IRCFGSimplifierCommon, IRCFGSimplifierSSA
from miasm.expression.simplifications import expr_simp
from miasm.expression.expression import *
#####################################
# Common section from dis_binary.py #
#####################################
fdesc = open(sys.argv[1], 'rb')
loc_db = LocationDB()
cont = Container.from_stream(fdesc, loc_db)
machine = Machine(cont.arch)
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)
addr = cont.entry_point
head = loc_db.get_or_create_offset_location(addr)
asmcfg = mdis.dis_multiblock(addr)
#####################################
# End common section #
#####################################
# Get an IRA converter
# The sub call are modelised by default operators
# call_func_ret and call_func_stack
lifter = machine.lifter_model_call(mdis.loc_db)
# Get the IR of the asmcfg
ircfg_analysis = lifter.new_ircfg_from_asmcfg(asmcfg)
# Display each IR basic blocks
for irblock in viewvalues(ircfg_analysis.blocks):
print(irblock)
# Output ir control flow graph in a dot file
open('bin_lifter_model_call_cfg.dot', 'w').write(ircfg_analysis.dot())
# Create joker for match expr
joker1 = ExprId('joker1', 32)
joker2 = ExprId('joker2', 32)
pattern = expr_simp(joker1 + (joker2 & ExprInt(1, 32)) * ExprInt(4, 32))
# Add simplification pass
def simp_lookup(expr_simp, expr):
"""
Add simplification:
@32[X + Y & 1] => ExprCond(Y & 1, @32[X+4], @32[X])
"""
if expr.size != 32:
return expr
ptr = expr.ptr
found = {}
result = match_expr(ptr, pattern, set([joker1, joker2]), found)
if not result:
return expr
base = found[joker1]
index = found[joker2]
print("found pattern in %s with %s %s" % (expr, base, index))
src1 = expr_simp(ExprMem(base + ExprInt(4, 32), 32))
src2 = expr_simp(ExprMem(base, 32))
result = ExprCond(index & ExprInt(1, 32), src1, src2)
result = expr_simp(result)
return result
# Enable pass
expr_simp.enable_passes({ExprMem: [simp_lookup]})
simplifier = IRCFGSimplifierSSA(lifter)
ircfg = simplifier.simplify(ircfg_analysis, head)
open('final.dot', 'w').write(ircfg.dot())And here is the result:
It seems that the simplification is applied. Are you ok with this? Maybe there is a bug in your implementation of the simplification ?
P1224
Hi, I'm dealing with some obfuscations with
SymbolicExecutionEngineand i'm stuck with the following sample:I want to transfrom it to
edx = (xxx & 1) ? 123 : 456, so i wrote a custom simplifier callback to transfromeax & 1to(eax & 1) ? 1 : 0and combined it with built-in simplifiersimp_cond_op_int, but only getedx = (xxx & 1) ? [esp + 4] : [esp].I looked into
SymbolicExecutionEngine.eval_expr_visitor, and it seems to work asIt is obvious that expression propagation is not applied to
[esp + 4]and[esp].How could I fix this behavior?