search

cea-sec / miasm

Reverse engineering framework in Python
https://miasm.re/
GNU General Public License v2.0
3.49k stars 475 forks source link

Use GHIDRA Sleigh to convert asm code to IR #1366

Open IridiumXOR opened 3 years ago

IridiumXOR commented 3 years ago

Why do not use Ghidra Sleigh code to disassemble opcodes and produce IR expressions to be used in miasm? Something similar to https://github.com/angr/pypcode So miasm will support new architectures with a reduce effort (define new registers and some other minor things) and leave the complexity of the opcode to IR translation to sleigh implementions

serpilliere commented 3 years ago

Hi @IridiumXOR The question is interesting. Let me rephrase it: You currently have a Volkswagen. Imagine that now, you want the engine of Chevrolet. You buy it and (hopefully) manage to install it on your Volkswagen. That was hard, but you did it. Your car seems to run fine. And another day you want to have the body of a Chevrolet. So you buy one from a scrapyard, and manage to install it on your Volskwagen. Maybe it will run fine as well.

But now, my question is: If you want a Chevrolet, why don't you directly use a Chevrolet ?

You may answer me: "But, man, why don't you drive a Chevrolet instead of Volkswagen"? And I may answer you: "It fits my needs".

That said, I think @commial managed some times ago to do a bridge between the Miasm IR and Ghidra IR. But sadly, if I remember correctly, it's a one way bridge, and it's not in the way you want.

Another point is that in the Rust version of Miasm, we are actually using capstone to do the disassembling work. But we still have to do the IR implementation.

Taste and colours are not always the same!

:car:

commial commented 3 years ago

Hi there,

From what I remember, the Pcode was not that complete; it is enough for decompilation, but lack elements (for instance, some flags) for a correct emulation. It might have changed now.

But you're right, there is something to do here. The question is: should we bring the Miasm IR to Ghidra, to enjoy the decompilation on custom IR implemented in Miasm? Or the inverse, to enjoy maybe easier to implement architecture?

Problem is, it's not that easy to do. Last time I tried, there were some question regarding the difference between IRs.

IridiumXOR commented 3 years ago

Thanks to all for the replies :) Yes, it is not an easy work because Miasm is obviously based on MiasmIR. However, how much different are MiasmIR and GhidraIR? If they are not so different (and GhidraIR are now complete for example in flag settings) it is possible (maybe) to insert a conversion layer between the GhidraIR to the Miasm one. I think that Pcode is able also to define the CPU registers, in that case is it possible (possible, not easy :D) to define them "on the fly" and not hardcode them in Miasm code, definitely abstracting from the CPU architecture.