Example 96 with ReilInstruction
use of com.google.security.zynamics.reil.ReilInstruction in project binnavi by google.
the class Helpers method writeDivResult.
public static ArrayList<ReilInstruction> writeDivResult(final ITranslationEnvironment environment, final long offset, final String realDivResult, final String realModResult, final OperandSize size) {
final ArrayList<ReilInstruction> instructions = new ArrayList<ReilInstruction>();
final OperandSize archSize = environment.getArchitectureSize();
if (size == OperandSize.BYTE) {
final String maskedEax = environment.getNextVariableString();
final String partEax = environment.getNextVariableString();
final String shiftedModResult = environment.getNextVariableString();
// Write the div result into AL
instructions.add(ReilHelpers.createAnd(offset, archSize, "eax", archSize, "4294901760", archSize, maskedEax));
instructions.add(ReilHelpers.createOr(offset + 1, archSize, maskedEax, size, realDivResult, archSize, partEax));
// Write the mod result into AH
instructions.add(ReilHelpers.createBsh(offset + 2, size, realModResult, size, "8", archSize, shiftedModResult));
instructions.add(ReilHelpers.createOr(offset + 3, archSize, partEax, archSize, shiftedModResult, archSize, "eax"));
return instructions;
} else if (size == OperandSize.WORD) {
final String maskedEax = environment.getNextVariableString();
final String maskedEdx = environment.getNextVariableString();
// Write the div result into AX
instructions.add(ReilHelpers.createAnd(offset, archSize, "eax", archSize, "4294901760", archSize, maskedEax));
instructions.add(ReilHelpers.createOr(offset + 1, archSize, maskedEax, size, realDivResult, archSize, "eax"));
// Write the mod result into DX
instructions.add(ReilHelpers.createAnd(offset + 2, archSize, "edx", archSize, "4294901760", archSize, maskedEdx));
instructions.add(ReilHelpers.createOr(offset + 3, archSize, maskedEdx, size, realDivResult, archSize, "edx"));
return instructions;
} else if (size == OperandSize.DWORD) {
instructions.add(ReilHelpers.createStr(offset, size, realDivResult, size, "eax"));
instructions.add(ReilHelpers.createStr(offset + 1, size, realModResult, size, "edx"));
return instructions;
} else {
assert false;
return null;
}
}
Also used :
ReilInstruction(com.google.security.zynamics.reil.ReilInstruction)
ArrayList(java.util.ArrayList)
OperandSize(com.google.security.zynamics.reil.OperandSize)
Example 97 with ReilInstruction
use of com.google.security.zynamics.reil.ReilInstruction in project binnavi by google.
the class LeaTranslator method translate.
// TODO: Check the code again
/**
* Translates a LEA instruction to REIL code.
*
* @param environment A valid translation environment.
* @param instruction The LEA instruction to translate.
* @param instructions The generated REIL code will be added to this list
*
* @throws InternalTranslationException if any of the arguments are null the passed instruction is
* not a LAHF instruction
*/
@Override
public void translate(final ITranslationEnvironment environment, final IInstruction instruction, final List<ReilInstruction> instructions) throws InternalTranslationException {
TranslationHelpers.checkTranslationArguments(environment, instruction, instructions, "lea");
if (instruction.getOperands().size() != 2) {
throw new InternalTranslationException("Error: Argument instruction is not a lea instruction (invalid number of operands)");
}
final long baseOffset = instruction.getAddress().toLong() * 0x100;
long offset = baseOffset;
final List<? extends IOperandTree> operands = instruction.getOperands();
final IOperandTree targetOperand = operands.get(0);
final IOperandTree sourceOperand = operands.get(1);
// The first operand must be a register.
final String destination = Helpers.getLeafValue(targetOperand.getRootNode());
final OperandSize size = Helpers.getOperandSize(targetOperand);
// Load the operand.
final TranslationResult sourceResult = Helpers.translateOperand(environment, offset, sourceOperand, false);
String sourceRegister = sourceResult.getRegister() != null ? sourceResult.getRegister() : sourceResult.getAddress();
sourceResult.getType();
final List<ReilInstruction> sourceInstructions = sourceResult.getInstructions();
// The source operand must always be loaded.
instructions.addAll(sourceInstructions);
// Adjust the offset of the next REIL instruction
offset = baseOffset + instructions.size();
if (size == OperandSize.WORD) {
// Destination size is a sub-register
final OperandType operandType = OperandType.getOperandType(sourceRegister);
if (operandType == OperandType.INTEGER_LITERAL) {
// Integer literals can be truncated directly.
sourceRegister = String.valueOf(Long.valueOf(sourceRegister) & 0xFFFF);
} else if (operandType == OperandType.REGISTER) {
// Registers must be truncated later
// => Add an AND instruction that truncates.
final String truncatedValue = environment.getNextVariableString();
final OperandSize registerSize = sourceInstructions.size() == 0 ? Helpers.getRegisterSize(sourceRegister) : environment.getArchitectureSize();
// Add the truncating instruction
instructions.add(ReilHelpers.createAnd(offset, registerSize, sourceRegister, OperandSize.WORD, "65535", OperandSize.WORD, truncatedValue));
offset++;
sourceRegister = truncatedValue;
} else {
// Shouldn't be possible.
assert false;
}
// Write the loaded value into the destination register.
Helpers.writeBack(environment, offset, targetOperand, sourceRegister, size, null, TranslationResultType.REGISTER, instructions);
} else if (size == OperandSize.DWORD) {
// Destination is a DWORD register
// Handling DWORD values is easier. Just add a STR
// instruction that writes the loaded source value
// into the destination register.
instructions.add(ReilHelpers.createStr(offset, size, sourceRegister, size, destination));
// instructions.addAll(Helpers.writeBack(environment, offset, targetOperand, sourceRegister,
// size, null, TranslationResultType.REGISTER));
} else {
assert false;
}
}
Also used :
ReilInstruction(com.google.security.zynamics.reil.ReilInstruction)
IOperandTree(com.google.security.zynamics.zylib.disassembly.IOperandTree)
OperandType(com.google.security.zynamics.reil.OperandType)
InternalTranslationException(com.google.security.zynamics.reil.translators.InternalTranslationException)
TranslationResult(com.google.security.zynamics.reil.translators.TranslationResult)
OperandSize(com.google.security.zynamics.reil.OperandSize)
Example 98 with ReilInstruction
use of com.google.security.zynamics.reil.ReilInstruction in project binnavi by google.
the class RepTranslator method translate.
@Override
public void translate(final ITranslationEnvironment environment, final IInstruction instruction, final List<ReilInstruction> instructions) throws InternalTranslationException {
final long baseOffset = ReilHelpers.toReilAddress(instruction.getAddress()).toLong();
final long offset = baseOffset;
final OperandSize archSize = environment.getArchitectureSize();
final String invertedEcx = environment.getNextVariableString();
final List<ReilInstruction> innerInstructions = new ArrayList<ReilInstruction>();
translator.generate(environment, ReilHelpers.toReilAddress(instruction.getAddress()).toLong() + 2, operandSize, innerInstructions);
final String firstInstruction = String.format("%d.0", instruction.getAddress().toLong());
final String jmpGoal = String.format("%d.%d", instruction.getAddress().toLong(), innerInstructions.size() + 5);
instructions.add(ReilHelpers.createBisz(offset, archSize, "ecx", OperandSize.BYTE, invertedEcx));
instructions.add(ReilHelpers.createJcc(offset + 1, OperandSize.BYTE, invertedEcx, OperandSize.ADDRESS, jmpGoal));
instructions.addAll(innerInstructions);
final String decrementedEcx = environment.getNextVariableString();
final String truncateMask = String.valueOf(TranslationHelpers.getAllBitsMask(OperandSize.DWORD));
instructions.add(ReilHelpers.createSub(baseOffset + instructions.size(), OperandSize.DWORD, "ecx", OperandSize.DWORD, "1", OperandSize.QWORD, decrementedEcx));
instructions.add(ReilHelpers.createAnd(baseOffset + instructions.size(), OperandSize.QWORD, decrementedEcx, OperandSize.DWORD, truncateMask, OperandSize.DWORD, "ecx"));
instructions.add(ReilHelpers.createJcc(baseOffset + instructions.size(), OperandSize.DWORD, "1", OperandSize.ADDRESS, firstInstruction));
instructions.add(ReilHelpers.createNop(baseOffset + instructions.size()));
}
Also used :
ReilInstruction(com.google.security.zynamics.reil.ReilInstruction)
ArrayList(java.util.ArrayList)
OperandSize(com.google.security.zynamics.reil.OperandSize)
Example 99 with ReilInstruction
use of com.google.security.zynamics.reil.ReilInstruction in project binnavi by google.
the class TestFollowZFIncomingBackwards method generateReilGraph.
private void generateReilGraph(final List<List<String>> instructions, final List<String> edges) {
final Map<Long, ReilBlock> blocks = new HashMap<Long, ReilBlock>();
for (final List<String> currentBlockInstructions : instructions) {
final List<ReilInstruction> reilInstructions = new ArrayList<ReilInstruction>();
for (final String addressAndInstruction : currentBlockInstructions) {
final StringTokenizer tokenizer = new StringTokenizer(addressAndInstruction, ": [,]", false);
final long offset = Long.parseLong(tokenizer.nextToken(), 16);
final String mnemonic = tokenizer.nextToken();
if (mnemonic.equalsIgnoreCase("bisz") || mnemonic.equalsIgnoreCase("str") || mnemonic.equalsIgnoreCase("ldm") || mnemonic.equalsIgnoreCase("stm") || mnemonic.equalsIgnoreCase("jcc")) {
final OperandSize firstSize = OperandSize.valueOf(tokenizer.nextToken());
final String firstValue = tokenizer.nextToken();
tokenizer.nextToken();
final OperandSize thirdSize = OperandSize.valueOf(tokenizer.nextToken());
final String thirdValue = tokenizer.nextToken();
if (mnemonic.equalsIgnoreCase("bisz")) {
reilInstructions.add(ReilHelpers.createBisz(offset, firstSize, firstValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("str")) {
reilInstructions.add(ReilHelpers.createStr(offset, firstSize, firstValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("jcc")) {
reilInstructions.add(ReilHelpers.createJcc(offset, firstSize, firstValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("ldm")) {
reilInstructions.add(ReilHelpers.createLdm(offset, firstSize, firstValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("stm")) {
reilInstructions.add(ReilHelpers.createStm(offset, firstSize, firstValue, thirdSize, thirdValue));
}
} else if (mnemonic.equalsIgnoreCase("nop")) {
reilInstructions.add(ReilHelpers.createNop(offset));
} else {
final OperandSize firstSize = OperandSize.valueOf(tokenizer.nextToken());
final String firstValue = tokenizer.nextToken();
final OperandSize secondSize = OperandSize.valueOf(tokenizer.nextToken());
final String secondValue = tokenizer.nextToken();
final OperandSize thirdSize = OperandSize.valueOf(tokenizer.nextToken());
final String thirdValue = tokenizer.nextToken();
if (mnemonic.equalsIgnoreCase("add")) {
reilInstructions.add(ReilHelpers.createAdd(offset, firstSize, firstValue, secondSize, secondValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("and")) {
reilInstructions.add(ReilHelpers.createAnd(offset, firstSize, firstValue, secondSize, secondValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("bsh")) {
reilInstructions.add(ReilHelpers.createBsh(offset, firstSize, firstValue, secondSize, secondValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("div")) {
reilInstructions.add(ReilHelpers.createDiv(offset, firstSize, firstValue, secondSize, secondValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("mod")) {
reilInstructions.add(ReilHelpers.createMod(offset, firstSize, firstValue, secondSize, secondValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("mul")) {
reilInstructions.add(ReilHelpers.createMul(offset, firstSize, firstValue, secondSize, secondValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("or")) {
reilInstructions.add(ReilHelpers.createOr(offset, firstSize, firstValue, secondSize, secondValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("sub")) {
reilInstructions.add(ReilHelpers.createSub(offset, firstSize, firstValue, secondSize, secondValue, thirdSize, thirdValue));
}
if (mnemonic.equalsIgnoreCase("xor")) {
reilInstructions.add(ReilHelpers.createXor(offset, firstSize, firstValue, secondSize, secondValue, thirdSize, thirdValue));
}
}
}
blocks.put(reilInstructions.get(0).getAddress().toLong(), new ReilBlock(reilInstructions));
}
final List<ReilEdge> reilEdges = new ArrayList<ReilEdge>();
for (final String edge : edges) {
final StringTokenizer edgeTokenizer = new StringTokenizer(edge, " []->");
final Long sourceAddress = Long.parseLong(edgeTokenizer.nextToken(), 16);
final EdgeType type = Enum.valueOf(EdgeType.class, edgeTokenizer.nextToken().toUpperCase());
final Long targetAddress = Long.parseLong(edgeTokenizer.nextToken(), 16);
final ReilEdge reilEdge = new ReilEdge(blocks.get(sourceAddress), blocks.get(targetAddress), type);
ReilBlock.link(blocks.get(sourceAddress), blocks.get(targetAddress), reilEdge);
}
m_graph1 = new ReilGraph(Lists.newArrayList(blocks.values()), reilEdges);
}
Also used :
ReilGraph(com.google.security.zynamics.reil.ReilGraph)
ReilInstruction(com.google.security.zynamics.reil.ReilInstruction)
HashMap(java.util.HashMap)
ReilEdge(com.google.security.zynamics.reil.ReilEdge)
ReilBlock(com.google.security.zynamics.reil.ReilBlock)
ArrayList(java.util.ArrayList)
EdgeType(com.google.security.zynamics.zylib.gui.zygraph.edges.EdgeType)
StringTokenizer(java.util.StringTokenizer)
OperandSize(com.google.security.zynamics.reil.OperandSize)
Example 100 with ReilInstruction
use of com.google.security.zynamics.reil.ReilInstruction in project binnavi by google.
the class InterpreterTest method testAdd.
@Test
public void testAdd() throws InterpreterException {
final ReilInterpreter interpreter = new ReilInterpreter(Endianness.LITTLE_ENDIAN, new CpuPolicyX86(), new EmptyInterpreterPolicy());
final HashMap<BigInteger, List<ReilInstruction>> instructions = new HashMap<BigInteger, List<ReilInstruction>>();
instructions.put(BigInteger.ZERO, Lists.newArrayList(ReilHelpers.createAdd(0, OperandSize.DWORD, "2147483647", OperandSize.DWORD, "1", OperandSize.QWORD, "t0")));
interpreter.interpret(instructions, BigInteger.ZERO);
assertEquals(BigInteger.valueOf(0x80000000L), interpreter.getVariableValue("t0"));
}
Also used :
ReilInstruction(com.google.security.zynamics.reil.ReilInstruction)
ReilInterpreter(com.google.security.zynamics.reil.interpreter.ReilInterpreter)
HashMap(java.util.HashMap)
CpuPolicyX86(com.google.security.zynamics.reil.interpreter.CpuPolicyX86)
BigInteger(java.math.BigInteger)
List(java.util.List)
EmptyInterpreterPolicy(com.google.security.zynamics.reil.interpreter.EmptyInterpreterPolicy)
Test(org.junit.Test)
Aggregations
ReilInstruction (com.google.security.zynamics.reil.ReilInstruction)144
Test (org.junit.Test)102
TreeSet (java.util.TreeSet)73
ArrayList (java.util.ArrayList)35
IInstruction (com.google.security.zynamics.zylib.disassembly.IInstruction)18
OperandSize (com.google.security.zynamics.reil.OperandSize)16
ReilBlock (com.google.security.zynamics.reil.ReilBlock)16
MockInstruction (com.google.security.zynamics.zylib.disassembly.MockInstruction)16
MockOperandTree (com.google.security.zynamics.zylib.disassembly.MockOperandTree)16
MockOperandTreeNode (com.google.security.zynamics.zylib.disassembly.MockOperandTreeNode)16
ReilEdge (com.google.security.zynamics.reil.ReilEdge)12
HashMap (java.util.HashMap)12
TranslationResult (com.google.security.zynamics.reil.translators.TranslationResult)9
IAddress (com.google.security.zynamics.zylib.disassembly.IAddress)7
List (java.util.List)7
ReilGraph (com.google.security.zynamics.reil.ReilGraph)6
InternalTranslationException (com.google.security.zynamics.reil.translators.InternalTranslationException)6
BigInteger (java.math.BigInteger)6
INaviInstruction (com.google.security.zynamics.binnavi.disassembly.INaviInstruction)5
ValueTrackerElement (com.google.security.zynamics.reil.algorithms.mono.valuetracking.ValueTrackerElement)5
