Example 1 with ReilFunction
use of com.google.security.zynamics.reil.ReilFunction in project binnavi by google.
the class CDataflowViewCreator method create.
/**
* Creates a new dataflow view.
*
* @param container The container in which the dataflow view is created.
* @param view The normal view that provides the control-flow information.
*
* @return The created dataflow view.
*
* @throws InternalTranslationException Thrown if the input view could not be translated to REIL.
*/
public static INaviView create(final IViewContainer container, final INaviView view) throws InternalTranslationException {
Preconditions.checkNotNull(container, "IE00411: Module argument can not be null");
Preconditions.checkNotNull(view, "IE00414: View argument can not be null");
final Map<IAddress, INaviInstruction> instructions = new HashMap<IAddress, INaviInstruction>();
for (final CCodeNode codeNode : view.getBasicBlocks()) {
for (final INaviInstruction instruction : codeNode.getInstructions()) {
instructions.put(instruction.getAddress(), instruction);
}
}
final ReilFunction function = view.getContent().getReilCode();
final OperandGraph operandGraph = OperandGraph.create(function.getGraph());
final INaviView dfView = container.createView(String.format("Data flow view of '%s'", view.getName()), "");
final Map<OperandGraphNode, INaviCodeNode> nodeMap = new HashMap<OperandGraphNode, INaviCodeNode>();
final Map<INaviInstruction, CCodeNode> instructionMap = new HashMap<INaviInstruction, CCodeNode>();
for (final OperandGraphNode operandGraphNode : operandGraph) {
final ReilInstruction reilInstruction = operandGraphNode.getInstruction();
final INaviInstruction instruction = instructions.get(ReilHelpers.toNativeAddress(reilInstruction.getAddress()));
if (instructionMap.containsKey(instruction)) {
nodeMap.put(operandGraphNode, instructionMap.get(instruction));
continue;
}
final CCodeNode codeNode = dfView.getContent().createCodeNode(null, Lists.newArrayList(instruction));
codeNode.setColor(ConfigManager.instance().getColorSettings().getBasicBlocksColor());
nodeMap.put(operandGraphNode, codeNode);
instructionMap.put(instruction, codeNode);
}
for (final OperandGraphEdge edge : operandGraph.getEdges()) {
final INaviCodeNode source = nodeMap.get(edge.getSource());
final INaviCodeNode target = nodeMap.get(edge.getTarget());
if (source.equals(target)) {
continue;
}
dfView.getContent().createEdge(source, target, EdgeType.JUMP_UNCONDITIONAL);
}
return dfView;
}
Also used :
ReilInstruction(com.google.security.zynamics.reil.ReilInstruction)
HashMap(java.util.HashMap)
ReilFunction(com.google.security.zynamics.reil.ReilFunction)
IAddress(com.google.security.zynamics.zylib.disassembly.IAddress)
OperandGraph(com.google.security.zynamics.reil.algorithms.mono.OperandGraph)
INaviCodeNode(com.google.security.zynamics.binnavi.disassembly.INaviCodeNode)
INaviView(com.google.security.zynamics.binnavi.disassembly.views.INaviView)
OperandGraphEdge(com.google.security.zynamics.reil.algorithms.mono.OperandGraphEdge)
CCodeNode(com.google.security.zynamics.binnavi.disassembly.CCodeNode)
OperandGraphNode(com.google.security.zynamics.reil.algorithms.mono.OperandGraphNode)
INaviInstruction(com.google.security.zynamics.binnavi.disassembly.INaviInstruction)
Example 2 with ReilFunction
use of com.google.security.zynamics.reil.ReilFunction in project binnavi by google.
the class ReilTranslator method translate.
/**
* Translates a disassembled function to REIL code.
*
* @param environment The translation environment for the translation process
* @param function The disassembled function
*
* @return The function translated to REIL code
*
* @throws InternalTranslationException Thrown if an internal error occurs
*/
public ReilFunction translate(final ITranslationEnvironment environment, final IBlockContainer<InstructionType> function, final List<ITranslationExtension<InstructionType>> extensions) throws InternalTranslationException {
final LinkedHashMap<ICodeContainer<InstructionType>, List<ReilInstruction>> instructionMap = new LinkedHashMap<ICodeContainer<InstructionType>, List<ReilInstruction>>();
final Map<IInstruction, ReilInstruction> firstMap = new HashMap<IInstruction, ReilInstruction>();
final Map<IInstruction, ReilInstruction> lastMap = new HashMap<IInstruction, ReilInstruction>();
final List<List<ReilInstruction>> delayedTrueBranches = new ArrayList<List<ReilInstruction>>();
for (final ICodeContainer<InstructionType> block : function.getBasicBlocks()) {
final Iterable<InstructionType> blockInstructions = block.getInstructions();
final IInstruction lastBlockInstruction = Iterables.getLast(blockInstructions);
final boolean endsWithInlining = isInlineSource(block);
final ArrayList<ReilInstruction> instructions = new ArrayList<ReilInstruction>();
instructionMap.put(block, instructions);
for (final InstructionType instruction : blockInstructions) {
environment.nextInstruction();
final ITranslator<InstructionType> translator = m_translators.get(instruction.getArchitecture().toUpperCase());
if (translator == null) {
throw new InternalTranslationException("Could not translate instruction from unknown architecture " + instruction.getArchitecture());
}
try {
final List<ReilInstruction> result = translator.translate(environment, instruction, extensions);
instructions.addAll(result);
if (endsWithInlining && (instruction == lastBlockInstruction)) {
// We skip the last JCC instruction of blocks that were split by inlining. In 99%
// of all cases this should be the inlined call; unless the user removed the
// call from the block.
final ReilInstruction lastInstruction = instructions.get(instructions.size() - 1);
if (lastInstruction.getMnemonic().equals(ReilHelpers.OPCODE_JCC) && lastInstruction.getMetaData().containsKey("isCall")) {
instructions.remove(instructions.size() - 1);
result.remove(result.size() - 1);
}
}
firstMap.put(instruction, getFirstInstruction(result));
lastMap.put(instruction, getLastInstruction(result));
} catch (final InternalTranslationException exception) {
exception.setInstruction(instruction);
throw exception;
}
}
// In this step we have to consider delayed branches of the form
//
// BRANCH CONDITION, SOMEWHERE
// EXECUTE ALWAYS
//
// We basically re-order the instructions to
//
// EVALUATE CONDITION -> TEMP
// EXECUTE ALWAYS
// BRANCH TEMP, SOMEWHERE
final IInstruction secondLastInstruction = Iterables.size(block.getInstructions()) > 2 ? Iterables.get(block.getInstructions(), Iterables.size(block.getInstructions()) - 2, null) : null;
if (secondLastInstruction != null) {
final List<ReilInstruction> secondLastReil = getReilInstructions(secondLastInstruction, instructions);
if (ReilHelpers.isDelayedBranch(secondLastReil.get(secondLastReil.size() - 1))) {
final IInstruction lastInstruction = getLastInstruction(block);
final List<ReilInstruction> lastReil = getReilInstructions(lastInstruction, instructions);
if (secondLastReil.get(secondLastReil.size() - 1).getMnemonic().equals(ReilHelpers.OPCODE_JCC)) {
instructions.removeAll(lastReil);
instructions.addAll(instructions.size() - 1, lastReil);
}
} else if (ReilHelpers.isDelayedTrueBranch(secondLastReil.get(secondLastReil.size() - 1))) {
final IInstruction lastInstruction = getLastInstruction(block);
final List<ReilInstruction> lastReil = getReilInstructions(lastInstruction, instructions);
delayedTrueBranches.add(lastReil);
}
}
}
// In this step we determine all jump targets of the input graph.
// We need them later because not all original jump targets can be
// found in the translated REIL graph. The reason for this is that
// source instructions of edges in the input graph do not necessarily
// have a reference to the address of the edge target. This happens
// for example when removing the first instruction from a code node.
// The edge still goes to the code node, but the jump instruction now
// refers to the removed instruction.
final Collection<IAddress> nativeJumpTargets = getBlockAddresses(function);
final Pair<List<ReilBlock>, List<ReilEdge>> pair = ReilGraphGenerator.createGraphElements(instructionMap.values(), nativeJumpTargets);
final List<ReilBlock> nodes = pair.first();
final List<ReilEdge> edges = pair.second();
// In a post-processing step all edges which could not be determined
// from the REIL instructions alone are inserted into the graph.
insertNativeEdges(function.getBasicBlockEdges(), nodes, edges, firstMap, lastMap);
handleDelayedTrueBranches(nodes, edges, delayedTrueBranches);
return new ReilFunction("REIL - " + function.getName(), new ReilGraph(nodes, edges));
}
Also used :
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
ArrayList(java.util.ArrayList)
LinkedHashMap(java.util.LinkedHashMap)
IInstruction(com.google.security.zynamics.zylib.disassembly.IInstruction)
ICodeContainer(com.google.security.zynamics.zylib.disassembly.ICodeContainer)
ArrayList(java.util.ArrayList)
List(java.util.List)
ReilGraph(com.google.security.zynamics.reil.ReilGraph)
ReilInstruction(com.google.security.zynamics.reil.ReilInstruction)
ReilEdge(com.google.security.zynamics.reil.ReilEdge)
ReilBlock(com.google.security.zynamics.reil.ReilBlock)
ReilFunction(com.google.security.zynamics.reil.ReilFunction)
IAddress(com.google.security.zynamics.zylib.disassembly.IAddress)
Example 3 with ReilFunction
use of com.google.security.zynamics.reil.ReilFunction in project binnavi by google.
the class TestFollowZFIncomingBackwards method testTransformFollowZFinStream2.
@Test
public void testTransformFollowZFinStream2() {
final MockOperandTree operandTreeFirst1 = new MockOperandTree();
operandTreeFirst1.root = new MockOperandTreeNode(ExpressionType.SIZE_PREFIX, "dword");
operandTreeFirst1.root.m_children.add(new MockOperandTreeNode(ExpressionType.IMMEDIATE_INTEGER, "16827245"));
final List<MockOperandTree> operandsFirst = Lists.newArrayList(operandTreeFirst1);
m_options = new RegisterTrackingOptions(true, new HashSet<String>(), true, AnalysisDirection.UP);
final List<String> instructionStrings0 = new ArrayList<String>();
instructionStrings0.add("000000010025C500: str [DWORD edi, EMPTY , DWORD edi]");
instructionStrings0.add("000000010025C700: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings0.add("000000010025C701: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings0.add("000000010025C702: stm [DWORD ebp, EMPTY , DWORD esp]");
instructionStrings0.add("000000010025C800: str [DWORD esp, EMPTY , DWORD ebp]");
instructionStrings0.add("000000010025CA00: add [DWORD 12, DWORD ebp, QWORD t0]");
instructionStrings0.add("000000010025CA01: and [QWORD t0, DWORD 4294967295, DWORD t1]");
instructionStrings0.add("000000010025CA02: ldm [DWORD t1, EMPTY , DWORD t2]");
instructionStrings0.add("000000010025CA03: str [DWORD t2, EMPTY , DWORD eax]");
instructionStrings0.add("000000010025CD00: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings0.add("000000010025CD01: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings0.add("000000010025CD02: stm [DWORD esi, EMPTY , DWORD esp]");
instructionStrings0.add("000000010025CE00: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings0.add("000000010025CE01: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings0.add("000000010025CE02: stm [DWORD edi, EMPTY , DWORD esp]");
instructionStrings0.add("000000010025CF00: str [DWORD ecx, EMPTY , DWORD esi]");
instructionStrings0.add("000000010025D100: and [DWORD eax, DWORD 2147483648, DWORD t0]");
instructionStrings0.add("000000010025D101: and [DWORD 4294967295, DWORD 2147483648, DWORD t1]");
instructionStrings0.add("000000010025D102: sub [DWORD eax, DWORD 4294967295, QWORD t2]");
instructionStrings0.add("000000010025D103: and [QWORD t2, QWORD 2147483648, DWORD t3]");
instructionStrings0.add("000000010025D104: bsh [DWORD t3, DWORD -31, BYTE SF]");
instructionStrings0.add("000000010025D105: xor [DWORD t0, DWORD t1, DWORD t4]");
instructionStrings0.add("000000010025D106: xor [DWORD t0, DWORD t3, DWORD t5]");
instructionStrings0.add("000000010025D107: and [DWORD t4, DWORD t5, DWORD t6]");
instructionStrings0.add("000000010025D108: bsh [DWORD t6, DWORD -31, BYTE OF]");
instructionStrings0.add("000000010025D109: and [QWORD t2, QWORD 4294967296, QWORD t7]");
instructionStrings0.add("000000010025D10A: bsh [QWORD t7, QWORD -32, BYTE CF]");
instructionStrings0.add("000000010025D10B: and [QWORD t2, QWORD 4294967295, DWORD t8]");
instructionStrings0.add("000000010025D10C: bisz [DWORD t8, EMPTY , BYTE ZF]");
instructionStrings0.add("000000010025D400: bisz [BYTE ZF, EMPTY , BYTE t0]");
instructionStrings0.add("000000010025D401: jcc [BYTE t0, EMPTY , DWORD 16945901]");
final List<String> instructionStrings1 = new ArrayList<String>();
// mov
instructionStrings1.add("000000010025DA00: add [DWORD 8, DWORD ebp, QWORD t0]");
instructionStrings1.add("000000010025DA01: and [QWORD t0, DWORD 4294967295, DWORD t1]");
instructionStrings1.add("000000010025DA02: ldm [DWORD t1, EMPTY , DWORD t2]");
instructionStrings1.add("000000010025DA03: str [DWORD t2, EMPTY , DWORD edi]");
// test
instructionStrings1.add("000000010025DD00: and [DWORD edi, DWORD edi, DWORD t0]");
instructionStrings1.add("000000010025DD01: and [DWORD t0, DWORD 2147483648, DWORD t1]");
instructionStrings1.add("000000010025DD02: bsh [DWORD t1, DWORD -31, BYTE SF]");
instructionStrings1.add("000000010025DD03: bisz [DWORD t0, EMPTY , BYTE ZF]");
instructionStrings1.add("000000010025DD04: str [BYTE 0, EMPTY , BYTE CF]");
instructionStrings1.add("000000010025DD05: str [BYTE 0, EMPTY , BYTE OF]");
// jz
instructionStrings1.add("000000010025DF00: jcc [BYTE ZF, EMPTY , DWORD 16880362]");
final List<String> instructionStrings2 = new ArrayList<String>();
instructionStrings2.add("000000010025E500: add [DWORD 8, DWORD esi, QWORD t0]");
instructionStrings2.add("000000010025E501: and [QWORD t0, DWORD 4294967295, DWORD t1]");
instructionStrings2.add("000000010025E502: ldm [DWORD t1, EMPTY , DWORD t2]");
instructionStrings2.add("000000010025E503: and [DWORD edi, DWORD 2147483648, DWORD t3]");
instructionStrings2.add("000000010025E504: and [DWORD t2, DWORD 2147483648, DWORD t4]");
instructionStrings2.add("000000010025E505: sub [DWORD edi, DWORD t2, QWORD t5]");
instructionStrings2.add("000000010025E506: and [QWORD t5, QWORD 2147483648, DWORD t6]");
instructionStrings2.add("000000010025E507: bsh [DWORD t6, DWORD -31, BYTE SF]");
instructionStrings2.add("000000010025E508: xor [DWORD t3, DWORD t4, DWORD t7]");
instructionStrings2.add("000000010025E509: xor [DWORD t3, DWORD t6, DWORD t8]");
instructionStrings2.add("000000010025E50A: and [DWORD t7, DWORD t8, DWORD t9]");
instructionStrings2.add("000000010025E50B: bsh [DWORD t9, DWORD -31, BYTE OF]");
instructionStrings2.add("000000010025E50C: and [QWORD t5, QWORD 4294967296, QWORD t10]");
instructionStrings2.add("000000010025E50D: bsh [QWORD t10, QWORD -32, BYTE CF]");
instructionStrings2.add("000000010025E50E: and [QWORD t5, QWORD 4294967295, DWORD t11]");
instructionStrings2.add("000000010025E50F: bisz [DWORD t11, EMPTY , BYTE ZF]");
instructionStrings2.add("000000010025E800: or [BYTE CF, BYTE ZF, BYTE t0]");
instructionStrings2.add("000000010025E801: jcc [BYTE t0, EMPTY , DWORD 16880391]");
final List<String> instructionStrings3 = new ArrayList<String>();
instructionStrings3.add("000000010025EE00: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings3.add("000000010025EE01: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings3.add("000000010025EE02: stm [DWORD edi, EMPTY , DWORD esp]");
instructionStrings3.add("000000010025EF00: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings3.add("000000010025EF01: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings3.add("000000010025EF02: stm [DWORD 16786932, EMPTY , DWORD esp]");
instructionStrings3.add("000000010025EF03: jcc [DWORD 1, EMPTY , DWORD 16792317]");
final List<String> instructionStrings4 = new ArrayList<String>();
instructionStrings4.add("000000010025F400: and [DWORD eax, BYTE 255, BYTE t1]");
instructionStrings4.add("000000010025F401: and [DWORD eax, BYTE 255, BYTE t3]");
instructionStrings4.add("000000010025F402: and [BYTE t1, BYTE t3, BYTE t4]");
instructionStrings4.add("000000010025F403: and [BYTE t4, BYTE 128, BYTE t5]");
instructionStrings4.add("000000010025F404: bsh [BYTE t5, BYTE -7, BYTE SF]");
instructionStrings4.add("000000010025F405: bisz [BYTE t4, EMPTY , BYTE ZF]");
instructionStrings4.add("000000010025F406: str [BYTE 0, EMPTY , BYTE CF]");
instructionStrings4.add("000000010025F407: str [BYTE 0, EMPTY , BYTE OF]");
instructionStrings4.add("000000010025F600: jcc [BYTE ZF, EMPTY , DWORD 16786960]");
final List<String> instructionStrings5 = new ArrayList<String>();
instructionStrings5.add("000000010025F800: add [DWORD 4, DWORD esi, QWORD t0]");
instructionStrings5.add("000000010025F801: and [QWORD t0, DWORD 4294967295, DWORD t1]");
instructionStrings5.add("000000010025F802: ldm [DWORD t1, EMPTY , DWORD t2]");
instructionStrings5.add("000000010025F803: str [DWORD t2, EMPTY , DWORD eax]");
final List<String> instructionStrings6 = new ArrayList<String>();
instructionStrings6.add("000000010025FB00: str [DWORD edi, EMPTY , DWORD ecx]");
instructionStrings6.add("000000010025FD00: and [DWORD ecx, DWORD 2147483648, DWORD t0]");
instructionStrings6.add("000000010025FD01: and [DWORD eax, DWORD 2147483648, DWORD t1]");
instructionStrings6.add("000000010025FD02: sub [DWORD ecx, DWORD eax, QWORD t2]");
instructionStrings6.add("000000010025FD03: and [QWORD t2, QWORD 2147483648, DWORD t3]");
instructionStrings6.add("000000010025FD04: bsh [DWORD t3, DWORD -31, BYTE SF]");
instructionStrings6.add("000000010025FD05: xor [DWORD t0, DWORD t1, DWORD t4]");
instructionStrings6.add("000000010025FD06: xor [DWORD t0, DWORD t3, DWORD t5]");
instructionStrings6.add("000000010025FD07: and [DWORD t4, DWORD t5, DWORD t6]");
instructionStrings6.add("000000010025FD08: bsh [DWORD t6, DWORD -31, BYTE OF]");
instructionStrings6.add("000000010025FD09: and [QWORD t2, QWORD 4294967296, QWORD t7]");
instructionStrings6.add("000000010025FD0A: bsh [QWORD t7, QWORD -32, BYTE CF]");
instructionStrings6.add("000000010025FD0B: and [QWORD t2, QWORD 4294967295, DWORD t8]");
instructionStrings6.add("000000010025FD0C: bisz [DWORD t8, EMPTY , BYTE ZF]");
instructionStrings6.add("000000010025FD0D: str [DWORD t8, EMPTY , DWORD ecx]");
instructionStrings6.add("000000010025FF00: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings6.add("000000010025FF01: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings6.add("000000010025FF02: stm [DWORD ecx, EMPTY , DWORD esp]");
instructionStrings6.add("0000000100260000: ldm [DWORD esi, EMPTY , DWORD t0]");
instructionStrings6.add("0000000100260001: str [DWORD t0, EMPTY , DWORD ecx]");
instructionStrings6.add("0000000100260200: mul [DWORD 4, DWORD eax, QWORD t0]");
instructionStrings6.add("0000000100260201: add [QWORD t0, DWORD ecx, QWORD t2]");
instructionStrings6.add("0000000100260202: and [QWORD t2, DWORD 4294967295, DWORD t3]");
instructionStrings6.add("0000000100260203: str [DWORD t3, EMPTY , DWORD eax]");
instructionStrings6.add("0000000100260500: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings6.add("0000000100260501: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings6.add("0000000100260502: stm [DWORD eax, EMPTY , DWORD esp]");
instructionStrings6.add("0000000100260600: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings6.add("0000000100260601: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings6.add("0000000100260602: stm [DWORD 16786955, EMPTY , DWORD esp]");
instructionStrings6.add("0000000100260603: jcc [DWORD 1, EMPTY , DWORD 16792263]");
final List<String> instructionStrings7 = new ArrayList<String>();
instructionStrings7.add("0000000100260B00: add [DWORD 4, DWORD esi, QWORD t0]");
instructionStrings7.add("0000000100260B01: and [QWORD t0, DWORD 4294967295, DWORD t1]");
instructionStrings7.add("0000000100260B02: stm [DWORD edi, EMPTY , DWORD t1]");
final List<String> instructionStrings8 = new ArrayList<String>();
instructionStrings8.add("0000000100260E00: and [DWORD eax, DWORD 4294967040, DWORD t1]");
instructionStrings8.add("0000000100260E01: or [BYTE 1, DWORD t1, DWORD eax]");
final List<String> instructionStrings9 = new ArrayList<String>();
instructionStrings9.add("0000000100261000: ldm [DWORD esp, EMPTY , DWORD t0]");
instructionStrings9.add("0000000100261001: add [DWORD esp, DWORD 4, QWORD t1]");
instructionStrings9.add("0000000100261002: and [QWORD t1, DWORD 4294967295, DWORD esp]");
instructionStrings9.add("0000000100261003: str [DWORD t0, EMPTY , DWORD edi]");
instructionStrings9.add("0000000100261100: ldm [DWORD esp, EMPTY , DWORD t0]");
instructionStrings9.add("0000000100261101: add [DWORD esp, DWORD 4, QWORD t1]");
instructionStrings9.add("0000000100261102: and [QWORD t1, DWORD 4294967295, DWORD esp]");
instructionStrings9.add("0000000100261103: str [DWORD t0, EMPTY , DWORD esi]");
instructionStrings9.add("0000000100261200: ldm [DWORD esp, EMPTY , DWORD t0]");
instructionStrings9.add("0000000100261201: add [DWORD esp, DWORD 4, QWORD t1]");
instructionStrings9.add("0000000100261202: and [QWORD t1, DWORD 4294967295, DWORD esp]");
instructionStrings9.add("0000000100261203: str [DWORD t0, EMPTY , DWORD ebp]");
instructionStrings9.add("0000000100261300: ldm [DWORD esp, EMPTY , DWORD t0]");
instructionStrings9.add("0000000100261301: add [DWORD esp, DWORD 12, QWORD t1]");
instructionStrings9.add("0000000100261302: and [QWORD t1, QWORD 4294967295, DWORD esp]");
instructionStrings9.add("0000000100261303: jcc [DWORD 1, EMPTY , DWORD t0]");
final List<String> instructionStrings10 = new ArrayList<String>();
instructionStrings10.add("000000010192EA00: ldm [DWORD esi, EMPTY , DWORD t0]");
instructionStrings10.add("000000010192EA01: str [DWORD t0, EMPTY , DWORD eax]");
instructionStrings10.add("000000010192EC00: and [DWORD eax, DWORD eax, DWORD t0]");
instructionStrings10.add("000000010192EC01: and [DWORD t0, DWORD 2147483648, DWORD t1]");
instructionStrings10.add("000000010192EC02: bsh [DWORD t1, DWORD -31, BYTE SF]");
instructionStrings10.add("000000010192EC03: bisz [DWORD t0, EMPTY , BYTE ZF]");
instructionStrings10.add("000000010192EC04: str [BYTE 0, EMPTY , BYTE CF]");
instructionStrings10.add("000000010192EC05: str [BYTE 0, EMPTY , BYTE OF]");
instructionStrings10.add("000000010192EE00: jcc [BYTE ZF, EMPTY , DWORD 16880378]");
final List<String> instructionStrings11 = new ArrayList<String>();
instructionStrings11.add("000000010192F000: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings11.add("000000010192F001: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings11.add("000000010192F002: stm [DWORD eax, EMPTY , DWORD esp]");
instructionStrings11.add("000000010192F100: sub [DWORD esp, DWORD 4, QWORD t0]");
instructionStrings11.add("000000010192F101: and [QWORD t0, DWORD 4294967295, DWORD esp]");
instructionStrings11.add("000000010192F102: stm [DWORD 16880375, EMPTY , DWORD esp]");
instructionStrings11.add("000000010192F103: ldm [DWORD 16782844, EMPTY , DWORD t1]");
instructionStrings11.add("000000010192F104: jcc [DWORD 1, EMPTY , DWORD t1]");
final List<String> instructionStrings12 = new ArrayList<String>();
instructionStrings12.add("000000010192F700: ldm [DWORD esi, EMPTY , DWORD t0]");
instructionStrings12.add("000000010192F701: and [DWORD edi, DWORD t0, DWORD t1]");
instructionStrings12.add("000000010192F702: and [DWORD t1, DWORD 2147483648, DWORD t2]");
instructionStrings12.add("000000010192F703: bsh [DWORD t2, DWORD -31, BYTE SF]");
instructionStrings12.add("000000010192F704: bisz [DWORD t1, EMPTY , BYTE ZF]");
instructionStrings12.add("000000010192F705: str [BYTE 0, EMPTY , BYTE CF]");
instructionStrings12.add("000000010192F706: str [BYTE 0, EMPTY , BYTE OF]");
instructionStrings12.add("000000010192F707: stm [DWORD t1, EMPTY , DWORD esi]");
instructionStrings12.add("000000010192F900: ldm [DWORD esp, EMPTY , DWORD t0]");
instructionStrings12.add("000000010192F901: add [DWORD esp, DWORD 4, QWORD t1]");
instructionStrings12.add("000000010192F902: and [QWORD t1, DWORD 4294967295, DWORD esp]");
instructionStrings12.add("000000010192F903: str [DWORD t0, EMPTY , DWORD ecx]");
final List<String> instructionStrings13 = new ArrayList<String>();
instructionStrings13.add("000000010192FA00: add [DWORD 4, DWORD esi, QWORD t0]");
instructionStrings13.add("000000010192FA01: and [QWORD t0, DWORD 4294967295, DWORD t1]");
instructionStrings13.add("000000010192FA02: ldm [DWORD t1, EMPTY , DWORD t2]");
instructionStrings13.add("000000010192FA03: and [DWORD 0, DWORD t2, DWORD t3]");
instructionStrings13.add("000000010192FA04: and [DWORD t3, DWORD 2147483648, DWORD t4]");
instructionStrings13.add("000000010192FA05: bsh [DWORD t4, DWORD -31, BYTE SF]");
instructionStrings13.add("000000010192FA06: bisz [DWORD t3, EMPTY , BYTE ZF]");
instructionStrings13.add("000000010192FA07: str [BYTE 0, EMPTY , BYTE CF]");
instructionStrings13.add("000000010192FA08: str [BYTE 0, EMPTY , BYTE OF]");
instructionStrings13.add("000000010192FA09: stm [DWORD t3, EMPTY , DWORD t1]");
instructionStrings13.add("000000010192FE00: add [DWORD 8, DWORD esi, QWORD t0]");
instructionStrings13.add("000000010192FE01: and [QWORD t0, DWORD 4294967295, DWORD t1]");
instructionStrings13.add("000000010192FE02: ldm [DWORD t1, EMPTY , DWORD t2]");
instructionStrings13.add("000000010192FE03: and [DWORD 0, DWORD t2, DWORD t3]");
instructionStrings13.add("000000010192FE04: and [DWORD t3, DWORD 2147483648, DWORD t4]");
instructionStrings13.add("000000010192FE05: bsh [DWORD t4, DWORD -31, BYTE SF]");
instructionStrings13.add("000000010192FE06: bisz [DWORD t3, EMPTY , BYTE ZF]");
instructionStrings13.add("000000010192FE07: str [BYTE 0, EMPTY , BYTE CF]");
instructionStrings13.add("000000010192FE08: str [BYTE 0, EMPTY , BYTE OF]");
instructionStrings13.add("000000010192FE09: stm [DWORD t3, EMPTY , DWORD t1]");
instructionStrings13.add("0000000101930200: jcc [BYTE 1, EMPTY , DWORD 16786958]");
final List<String> instructionStrings14 = new ArrayList<String>();
instructionStrings14.add("0000000101930700: add [DWORD 4, DWORD esi, QWORD t0]");
instructionStrings14.add("0000000101930701: and [QWORD t0, DWORD 4294967295, DWORD t1]");
instructionStrings14.add("0000000101930702: ldm [DWORD t1, EMPTY , DWORD t2]");
instructionStrings14.add("0000000101930703: str [DWORD t2, EMPTY , DWORD eax]");
instructionStrings14.add("0000000101930A00: and [DWORD edi, DWORD 2147483648, DWORD t0]");
instructionStrings14.add("0000000101930A01: and [DWORD eax, DWORD 2147483648, DWORD t1]");
instructionStrings14.add("0000000101930A02: sub [DWORD edi, DWORD eax, QWORD t2]");
instructionStrings14.add("0000000101930A03: and [QWORD t2, QWORD 2147483648, DWORD t3]");
instructionStrings14.add("0000000101930A04: bsh [DWORD t3, DWORD -31, BYTE SF]");
instructionStrings14.add("0000000101930A05: xor [DWORD t0, DWORD t1, DWORD t4]");
instructionStrings14.add("0000000101930A06: xor [DWORD t0, DWORD t3, DWORD t5]");
instructionStrings14.add("0000000101930A07: and [DWORD t4, DWORD t5, DWORD t6]");
instructionStrings14.add("0000000101930A08: bsh [DWORD t6, DWORD -31, BYTE OF]");
instructionStrings14.add("0000000101930A09: and [QWORD t2, QWORD 4294967296, QWORD t7]");
instructionStrings14.add("0000000101930A0A: bsh [QWORD t7, QWORD -32, BYTE CF]");
instructionStrings14.add("0000000101930A0B: and [QWORD t2, QWORD 4294967295, DWORD t8]");
instructionStrings14.add("0000000101930A0C: bisz [DWORD t8, EMPTY , BYTE ZF]");
instructionStrings14.add("0000000101930C00: bisz [BYTE ZF, EMPTY , BYTE t0]");
instructionStrings14.add("0000000101930C01: bisz [BYTE CF, EMPTY , BYTE t1]");
instructionStrings14.add("0000000101930C02: and [BYTE t0, BYTE t1, BYTE t2]");
instructionStrings14.add("0000000101930C03: jcc [BYTE t2, EMPTY , DWORD 16786939]");
final List<String> instructionStrings15 = new ArrayList<String>();
instructionStrings15.add("0000000101931200: jcc [BYTE 1, EMPTY , DWORD 16786955]");
final List<String> instructionStrings16 = new ArrayList<String>();
instructionStrings16.add("000000010292ED00: add [DWORD 12, DWORD esi, QWORD t0]");
instructionStrings16.add("000000010292ED01: and [QWORD t0, DWORD 4294967295, DWORD t1]");
instructionStrings16.add("000000010292ED02: stm [DWORD eax, EMPTY , DWORD t1]");
instructionStrings16.add("000000010292F000: jcc [BYTE 1, EMPTY , DWORD 16786906]");
final List<String> edgeStrings = new ArrayList<String>();
edgeStrings.add("000000010025C500 [JUMP_CONDITIONAL_TRUE]-> 000000010292ED00");
edgeStrings.add("000000010025C500 [JUMP_CONDITIONAL_FALSE]-> 000000010025DA00");
edgeStrings.add("000000010025DA00 [JUMP_CONDITIONAL_FALSE]-> 000000010025E500");
edgeStrings.add("000000010025DA00 [JUMP_CONDITIONAL_TRUE]-> 000000010192EA00");
edgeStrings.add("000000010025E500 [JUMP_CONDITIONAL_FALSE]-> 000000010025EE00");
edgeStrings.add("000000010025E500 [JUMP_CONDITIONAL_TRUE]-> 0000000101930700");
edgeStrings.add("000000010025EE00 [JUMP_UNCONDITIONAL]-> 000000010025F400");
edgeStrings.add("000000010025F400 [JUMP_CONDITIONAL_TRUE]-> 0000000100261000");
edgeStrings.add("000000010025F400 [JUMP_CONDITIONAL_FALSE]-> 000000010025F800");
edgeStrings.add("000000010025F800 [JUMP_UNCONDITIONAL]-> 000000010025FB00");
edgeStrings.add("000000010025FB00 [JUMP_UNCONDITIONAL]-> 0000000100260B00");
edgeStrings.add("0000000100260B00 [JUMP_UNCONDITIONAL]-> 0000000100260E00");
edgeStrings.add("0000000100260E00 [JUMP_UNCONDITIONAL]-> 0000000100261000");
edgeStrings.add("000000010192EA00 [JUMP_CONDITIONAL_TRUE]-> 000000010192FA00");
edgeStrings.add("000000010192EA00 [JUMP_CONDITIONAL_FALSE]-> 000000010192F000");
edgeStrings.add("000000010192F000 [JUMP_UNCONDITIONAL]-> 000000010192F700");
edgeStrings.add("000000010192F700 [JUMP_UNCONDITIONAL]-> 000000010192FA00");
edgeStrings.add("000000010192FA00 [JUMP_UNCONDITIONAL]-> 0000000100260E00");
edgeStrings.add("0000000101930700 [JUMP_CONDITIONAL_FALSE]-> 0000000101931200");
edgeStrings.add("0000000101930700 [JUMP_CONDITIONAL_TRUE]-> 000000010025FB00");
edgeStrings.add("0000000101931200 [JUMP_UNCONDITIONAL]-> 0000000100260B00");
edgeStrings.add("000000010292ED00 [JUMP_UNCONDITIONAL]-> 000000010025DA00");
final List<List<String>> reilBlocks = new ArrayList<List<String>>();
reilBlocks.add(instructionStrings0);
reilBlocks.add(instructionStrings1);
reilBlocks.add(instructionStrings2);
reilBlocks.add(instructionStrings3);
reilBlocks.add(instructionStrings4);
reilBlocks.add(instructionStrings5);
reilBlocks.add(instructionStrings6);
reilBlocks.add(instructionStrings7);
reilBlocks.add(instructionStrings8);
reilBlocks.add(instructionStrings9);
reilBlocks.add(instructionStrings10);
reilBlocks.add(instructionStrings11);
reilBlocks.add(instructionStrings12);
reilBlocks.add(instructionStrings13);
reilBlocks.add(instructionStrings14);
reilBlocks.add(instructionStrings15);
reilBlocks.add(instructionStrings16);
generateReilGraph(reilBlocks, edgeStrings);
m_function = new ReilFunction("FOLLOWZF", m_graph1);
final String trackedRegister = "ZF";
conditionalJumpInstruction1 = new MockInstruction(Long.parseLong("10025DF", 16), "jz", operandsFirst);
final MonoReilSolverResult<RegisterSetLatticeElement> result = RegisterTracker.track(m_function, conditionalJumpInstruction1, trackedRegister, m_options);
final Map<IAddress, RegisterSetLatticeElement> resultMap = result.generateAddressToStateMapping(conditionalJumpInstruction1, m_options.trackIncoming());
for (final Entry<IAddress, RegisterSetLatticeElement> resultEntry : resultMap.entrySet()) {
if (resultEntry.getKey().toLong() == Long.parseLong("000000010025DF00", 16)) {
final RegisterSetLatticeElement jzElement = resultEntry.getValue();
assertTrue(jzElement.getNewlyTaintedRegisters().contains("ZF"));
assertTrue(jzElement.getReadRegisters().isEmpty());
assertTrue(jzElement.getTaintedRegisters().contains("ZF"));
assertTrue(jzElement.getUntaintedRegisters().isEmpty());
assertTrue(jzElement.getUpdatedRegisters().isEmpty());
}
if (resultEntry.getKey().toLong() == Long.parseLong("000000010025DD00", 16)) {
final RegisterSetLatticeElement cmpElement = resultEntry.getValue();
assertTrue(cmpElement.getNewlyTaintedRegisters().contains("edi"));
assertTrue(cmpElement.getReadRegisters().contains("ZF"));
assertTrue(cmpElement.getTaintedRegisters().contains("edi"));
assertTrue(cmpElement.getUntaintedRegisters().contains("ZF"));
assertTrue(cmpElement.getUpdatedRegisters().isEmpty());
}
if (resultEntry.getKey().toLong() == Long.parseLong("000000010025DA00", 16)) {
final RegisterSetLatticeElement cmpElement = resultEntry.getValue();
assertTrue(cmpElement.getNewlyTaintedRegisters().isEmpty());
assertTrue(cmpElement.getReadRegisters().contains("edi"));
assertTrue(cmpElement.getTaintedRegisters().isEmpty());
assertTrue(cmpElement.getUntaintedRegisters().contains("edi"));
assertTrue(cmpElement.getUpdatedRegisters().isEmpty());
}
}
final Map<IAddress, RegisterSetLatticeElement> perInstructionElement = result.generateAddressToStateMapping(conditionalJumpInstruction1, m_options.trackIncoming());
for (final Entry<IAddress, RegisterSetLatticeElement> element : perInstructionElement.entrySet()) {
System.out.println(element.getKey() + ":::" + element.getValue());
}
}
Also used :
MockOperandTreeNode(com.google.security.zynamics.zylib.disassembly.MockOperandTreeNode)
ReilFunction(com.google.security.zynamics.reil.ReilFunction)
ArrayList(java.util.ArrayList)
IAddress(com.google.security.zynamics.zylib.disassembly.IAddress)
MockInstruction(com.google.security.zynamics.zylib.disassembly.MockInstruction)
MockOperandTree(com.google.security.zynamics.zylib.disassembly.MockOperandTree)
ArrayList(java.util.ArrayList)
List(java.util.List)
HashSet(java.util.HashSet)
Test(org.junit.Test)
Example 4 with ReilFunction
use of com.google.security.zynamics.reil.ReilFunction in project binnavi by google.
the class CombineTest method testSimple.
@Test
public void testSimple() {
final ReilInstruction instruction1 = ReilHelpers.createStr(100, OperandSize.DWORD, "0", OperandSize.DWORD, "eax");
final ReilInstruction instruction2 = ReilHelpers.createJcc(101, OperandSize.DWORD, "eax", OperandSize.DWORD, "104");
final ReilInstruction instruction3 = ReilHelpers.createAdd(102, OperandSize.DWORD, "eax", OperandSize.DWORD, "4", OperandSize.DWORD, "ebx");
final ReilInstruction instruction4 = ReilHelpers.createJcc(103, OperandSize.DWORD, "1", OperandSize.DWORD, "104");
final ReilInstruction instruction5 = ReilHelpers.createAdd(104, OperandSize.DWORD, "eax", OperandSize.DWORD, "8", OperandSize.DWORD, "ebx");
final ReilInstruction instruction6 = ReilHelpers.createStr(105, OperandSize.DWORD, "ebx", OperandSize.DWORD, "ecx");
final ReilBlock block1 = new ReilBlock(Lists.newArrayList(instruction1, instruction2));
final ReilBlock block2 = new ReilBlock(Lists.newArrayList(instruction3, instruction4));
final ReilBlock block3 = new ReilBlock(Lists.newArrayList(instruction5));
final ReilBlock block4 = new ReilBlock(Lists.newArrayList(instruction6));
final ReilEdge edge1 = new ReilEdge(block1, block2, EdgeType.JUMP_UNCONDITIONAL);
final ReilEdge edge2 = new ReilEdge(block1, block3, EdgeType.JUMP_UNCONDITIONAL);
final ReilEdge edge3 = new ReilEdge(block2, block4, EdgeType.JUMP_UNCONDITIONAL);
final ReilEdge edge4 = new ReilEdge(block3, block4, EdgeType.JUMP_UNCONDITIONAL);
ReilBlock.link(block1, block2, edge1);
ReilBlock.link(block1, block3, edge2);
ReilBlock.link(block2, block4, edge3);
ReilBlock.link(block3, block4, edge4);
final ReilFunction function = new ReilFunction("Fark", new ReilGraph(Lists.newArrayList(block1, block2, block3, block4), Lists.newArrayList(edge1, edge2, edge3, edge4)));
System.out.println(function.getGraph());
final IStateVector<InstructionGraphNode, ValueTrackerElement> result = ValueTracker.track(function);
System.out.println(result);
}
Also used :
ReilGraph(com.google.security.zynamics.reil.ReilGraph)
ReilInstruction(com.google.security.zynamics.reil.ReilInstruction)
ReilEdge(com.google.security.zynamics.reil.ReilEdge)
ReilBlock(com.google.security.zynamics.reil.ReilBlock)
ReilFunction(com.google.security.zynamics.reil.ReilFunction)
ValueTrackerElement(com.google.security.zynamics.reil.algorithms.mono.valuetracking.ValueTrackerElement)
InstructionGraphNode(com.google.security.zynamics.reil.algorithms.mono.InstructionGraphNode)
Test(org.junit.Test)
Example 5 with ReilFunction
use of com.google.security.zynamics.reil.ReilFunction in project binnavi by google.
the class SimpleTest method simpleTracking.
@Test
public void simpleTracking() throws CouldntLoadDataException, InternalTranslationException, CPartialLoadException, LoadCancelledException {
final INaviModule module = m_database.getContent().getModules().get(0);
module.load();
final INaviView view = module.getViewsWithAddresses(Lists.newArrayList(new UnrelocatedAddress(new CAddress(0x10044BB))), true).get(0);
assertEquals(0x10044BB, module.getContent().getViewContainer().getFunction(view).getAddress().toLong());
view.load();
final ReilTranslator<INaviInstruction> translator = new ReilTranslator<INaviInstruction>();
final ReilFunction reilFunction = translator.translate(new StandardEnvironment(), view);
assertEquals(0, reilFunction.getGraph().getEdges().size());
final IStateVector<InstructionGraphNode, ValueTrackerElement> result = ValueTracker.track(reilFunction);
System.out.println(result);
}
Also used :
INaviView(com.google.security.zynamics.binnavi.disassembly.views.INaviView)
ReilTranslator(com.google.security.zynamics.reil.translators.ReilTranslator)
INaviModule(com.google.security.zynamics.binnavi.disassembly.INaviModule)
UnrelocatedAddress(com.google.security.zynamics.binnavi.disassembly.UnrelocatedAddress)
ReilFunction(com.google.security.zynamics.reil.ReilFunction)
ValueTrackerElement(com.google.security.zynamics.reil.algorithms.mono.valuetracking.ValueTrackerElement)
CAddress(com.google.security.zynamics.zylib.disassembly.CAddress)
INaviInstruction(com.google.security.zynamics.binnavi.disassembly.INaviInstruction)
StandardEnvironment(com.google.security.zynamics.reil.translators.StandardEnvironment)
InstructionGraphNode(com.google.security.zynamics.reil.algorithms.mono.InstructionGraphNode)
Test(org.junit.Test)
Aggregations
ReilFunction (com.google.security.zynamics.reil.ReilFunction)12
Test (org.junit.Test)9
IAddress (com.google.security.zynamics.zylib.disassembly.IAddress)6
HashSet (java.util.HashSet)6
MockInstruction (com.google.security.zynamics.zylib.disassembly.MockInstruction)5
MockOperandTree (com.google.security.zynamics.zylib.disassembly.MockOperandTree)5
ArrayList (java.util.ArrayList)5
List (java.util.List)5
ReilInstruction (com.google.security.zynamics.reil.ReilInstruction)4
MockOperandTreeNode (com.google.security.zynamics.zylib.disassembly.MockOperandTreeNode)4
ReilBlock (com.google.security.zynamics.reil.ReilBlock)3
ReilEdge (com.google.security.zynamics.reil.ReilEdge)3
ReilGraph (com.google.security.zynamics.reil.ReilGraph)3
InstructionGraphNode (com.google.security.zynamics.reil.algorithms.mono.InstructionGraphNode)3
ValueTrackerElement (com.google.security.zynamics.reil.algorithms.mono.valuetracking.ValueTrackerElement)3
StandardEnvironment (com.google.security.zynamics.reil.translators.StandardEnvironment)3
MockCodeContainer (com.google.security.zynamics.zylib.disassembly.MockCodeContainer)3
INaviInstruction (com.google.security.zynamics.binnavi.disassembly.INaviInstruction)2
INaviView (com.google.security.zynamics.binnavi.disassembly.views.INaviView)2
RegisterSetLatticeElement (com.google.security.zynamics.reil.algorithms.mono2.registertracking.RegisterSetLatticeElement)2
