Examples with ReilOperand com.google.security.zynamics.reil.ReilOperand used on opensource projects

Example 6 with ReilOperand

use of com.google.security.zynamics.reil.ReilOperand in project binnavi by google.

the class RegisterTrackingTransformationProvider method transformNormalInstructionBackward.

private Pair<RegisterSetLatticeElement, RegisterSetLatticeElement> transformNormalInstructionBackward(final ReilInstruction ins, final RegisterSetLatticeElement state) {
    final ReilOperand in1 = ins.getFirstOperand();
    final ReilOperand in2 = ins.getSecondOperand();
    final ReilOperand out = ins.getThirdOperand();
    final Set<String> inputRegisters = new TreeSet<String>();
    if (in1.getType() == OperandType.REGISTER) {
        inputRegisters.add(in1.getValue());
    }
    if (in2.getType() == OperandType.REGISTER) {
        inputRegisters.add(in2.getValue());
    }
    final RegisterSetLatticeElement outputstate = state.copy();
    if (state.isTainted(out.getValue())) {
        if (inputRegisters.isEmpty()) {
            outputstate.untaint(out.getValue());
        } else {
            outputstate.untaint(out.getValue());
            outputstate.addReadReg(out.getValue());
            for (final String register : inputRegisters) {
                outputstate.taint(register);
            }
        }
    }
    // edge of a conditional branch.
    return new Pair<RegisterSetLatticeElement, RegisterSetLatticeElement>(outputstate, null);
}

Example 7 with ReilOperand

use of com.google.security.zynamics.reil.ReilOperand in project binnavi by google.

the class CmpxchgTranslator method translate.

/**
   * Translates a CMPXCHG instruction to REIL code.
   *
   * @param environment A valid translation environment.
   * @param instruction The CMPXCHG instruction to translate.
   * @param instructions The generated REIL code will be added to this list
   *
   * @throws InternalTranslationException if any of the arguments are null the passed instruction is
   *         not a CMPXCHG instruction
   *
   */
@Override
public void translate(final ITranslationEnvironment environment, final IInstruction instruction, final List<ReilInstruction> instructions) throws InternalTranslationException {
    TranslationHelpers.checkTranslationArguments(environment, instruction, instructions, "cmpxchg");
    Preconditions.checkArgument(instruction.getOperands().size() == 2, "Error: Argument instruction is not a cmp instruction (invalid number of operands)");
    final long baseOffset = instruction.getAddress().toLong() * 0x100;
    long offset = baseOffset;
    final List<? extends IOperandTree> operands = instruction.getOperands();
    final IOperandTree targetOperand = operands.get(0);
    final IOperandTree sourceOperand = operands.get(1);
    // Load first operand.
    final TranslationResult targetResult = Helpers.translateOperand(environment, offset, targetOperand, true);
    instructions.addAll(targetResult.getInstructions());
    // Adjust the offset of the next REIL instruction.
    offset = baseOffset + instructions.size();
    // Load second operand.
    final TranslationResult sourceResult = Helpers.translateOperand(environment, offset, sourceOperand, true);
    instructions.addAll(sourceResult.getInstructions());
    // Adjust the offset of the next REIL instruction.
    offset = baseOffset + instructions.size();
    // Compare the first operand to AL/AX/EAX
    String xaxRegister;
    switch(targetResult.getSize()) {
        case BYTE:
            xaxRegister = "al";
            break;
        case WORD:
            xaxRegister = "ax";
            break;
        case DWORD:
            xaxRegister = "eax";
            break;
        default:
            throw new InternalTranslationException("Error: The first operand has to be BYTE/WORD/DWORD !");
    }
    String comparisonResult = environment.getNextVariableString();
    OperandSize currentSize = targetResult.getSize();
    // Subtract the first operand from AL/AX/EAX
    instructions.add(ReilHelpers.createSub(baseOffset + instructions.size(), currentSize, xaxRegister, currentSize, targetResult.getRegister(), currentSize, comparisonResult));
    // Set the ZF if the two values were equal
    instructions.add(ReilHelpers.createBisz(baseOffset + instructions.size(), currentSize, comparisonResult, OperandSize.BYTE, Helpers.ZERO_FLAG));
    // The control flow is as follows:
    // Jump to secondWriteBack if not equal
    // firstWriteBack
    // Jump to terminatingNop (avoid falling through from the first case)
    // secondWriteBack
    // terminatingNop
    // firstWriteBack: if the content of AL/AX/EAX is equal to the source operand,
    // move sourceOperand to targetOperand.
    final List<ReilInstruction> firstWriteBack = new ArrayList<ReilInstruction>();
    Helpers.writeBack(environment, // reserve space for the first JCC
    baseOffset + instructions.size() + 1, targetOperand, sourceResult.getRegister(), sourceResult.getSize(), targetResult.getAddress(), targetResult.getType(), firstWriteBack);
    // Jump to secondWriteBack if not equal.
    // Reserve space for the two JCC and firstWriteBack when calculating target address.
    final long secondWriteBackOffset = instructions.size() + firstWriteBack.size() + 3;
    final String secondWriteBackGoal = String.format("%d.%d", instruction.getAddress().toLong(), secondWriteBackOffset);
    instructions.add(ReilHelpers.createJcc(baseOffset + instructions.size(), currentSize, comparisonResult, OperandSize.ADDRESS, secondWriteBackGoal));
    // Add the mov code that's executed if the condition is true.
    instructions.addAll(firstWriteBack);
    // Create an operand representing the AL/AX/EAX register so that we can write back to it.
    ReilOperandNode xAXOperandRoot = new ReilOperandNode(currentSize.toSizeString(), ExpressionType.SIZE_PREFIX);
    ReilOperandNode xAXOperandLeaf = new ReilOperandNode(xaxRegister, ExpressionType.REGISTER);
    ReilOperandNode.link(xAXOperandRoot, xAXOperandLeaf);
    ReilOperand xAXOperand = new ReilOperand(xAXOperandRoot);
    // secondWriteBack: if the content of AL/AX/EAX is not equal to the source operand,
    // move targetOperand to AL/AX/EAX.
    final List<ReilInstruction> secondWriteBack = new ArrayList<ReilInstruction>();
    Helpers.writeBack(environment, // reserve space for the second JCC
    baseOffset + instructions.size() + 1, xAXOperand, targetResult.getRegister(), currentSize, null, /* Memory address of the writeBack target. Empty since target is a register. */
    TranslationResultType.REGISTER, secondWriteBack);
    // Jump to terminatingNop (avoid falling through from firstWriteBack).
    // Reserve addresses for JCC and for secondWriteBack when calculating target address.
    final long terminatingNopOffset = instructions.size() + secondWriteBack.size() + 2;
    final String terminatingNopGoal = String.format("%d.%d", instruction.getAddress().toLong(), terminatingNopOffset);
    instructions.add(ReilHelpers.createJcc(baseOffset + instructions.size(), OperandSize.BYTE, "1", OperandSize.ADDRESS, terminatingNopGoal));
    // Add the mov code that's executed if the condition is true.
    instructions.addAll(secondWriteBack);
    // Add a terminating NOP, this makes it easier to get a target for the conditional jump.
    instructions.add(ReilHelpers.createNop(baseOffset + instructions.size()));
}

Example 8 with ReilOperand

use of com.google.security.zynamics.reil.ReilOperand in project binnavi by google.

the class TranslatorREIL method translate.

/**
   * Translates a REIL instruction to REIL code
   * 
   * @param environment A valid translation environment
   * @param instruction The REIL instruction to translate
   * 
   * @return The list of REIL instructions the REIL instruction was translated to
   * 
   * @throws InternalTranslationException An internal translation error occured
   * @throws IllegalArgumentException Any of the arguments passed to the function are invalid
   * 
   */
@Override
public List<ReilInstruction> translate(final ITranslationEnvironment environment, final InstructionType instruction, final List<ITranslationExtension<InstructionType>> extensions) throws InternalTranslationException {
    Preconditions.checkNotNull(environment, "Error: Argument environment can't be null");
    Preconditions.checkNotNull(instruction, "Error: Argument instruction can't be null");
    final IAddress offset = ReilHelpers.toReilAddress(instruction.getAddress());
    final String mnemonic = instruction.getMnemonic();
    final ReilOperand firstOperand = convert(instruction.getOperands().get(0));
    final ReilOperand secondOperand = convert(instruction.getOperands().get(1));
    final ReilOperand thirdOperand = convert(instruction.getOperands().get(2));
    return Lists.newArrayList(new ReilInstruction(offset, mnemonic, firstOperand, secondOperand, thirdOperand));
}

Example 9 with ReilOperand

use of com.google.security.zynamics.reil.ReilOperand in project binnavi by google.

the class AndSimplifier method simplifyAnd.

public static ValueTrackerElement simplifyAnd(final ReilInstruction instruction, final ReilOperand firstOperand, final ReilOperand secondOperand, final BitwiseAnd previousAnd, final ValueTrackerElement state, final IElementGenerator generator) {
    final ReilOperand thirdOperand = instruction.getThirdOperand();
    final Register targetRegister = new Register(thirdOperand.getValue());
    if (isTruncateMask(previousAnd.getLhs(), firstOperand.getSize())) {
        // (0xFFFFFFFF & X) + Y => (X + Y) & 0xFFFFFFFF
        // final Addition newAddition = new Addition(previousAnd.getRhs(), new Literal(new
        // BigInteger(secondOperand.getValue())));
        final IValueElement newAddition = generator.generate(previousAnd.getRhs(), new Literal(new BigInteger(secondOperand.getValue())));
        final BitwiseAnd newBitwiseAnd = new BitwiseAnd(new Literal(newAddition.evaluate()), previousAnd.getLhs());
        return state.update(instruction, targetRegister, newBitwiseAnd);
    } else if (isTruncateMask(previousAnd.getRhs(), firstOperand.getSize())) {
        // (X & 0xFFFFFFFF) + Y => (X + Y) & 0xFFFFFFFF
        final IValueElement previousLhs = previousAnd.getLhs();
        if (previousLhs instanceof Undefined) {
            return state.update(instruction, targetRegister, new Undefined());
        } else {
            // final Addition newAddition = new Addition(previousLhs, new Literal(new
            // BigInteger(secondOperand.getValue())));
            final IValueElement newAddition = generator.generate(previousLhs, new Literal(new BigInteger(secondOperand.getValue())));
            final BitwiseAnd newBitwiseAnd = new BitwiseAnd(newAddition.getSimplified(), previousAnd.getRhs());
            return state.update(instruction, targetRegister, newBitwiseAnd);
        }
    } else {
        final IValueElement previousState = state.getState(firstOperand.getValue());
        // final IValueElement addition = new Addition(previousState, new Literal(new
        // BigInteger(secondOperand.getValue())));
        final IValueElement addition = generator.generate(previousState, new Literal(new BigInteger(secondOperand.getValue())));
        return state.update(instruction, targetRegister, addition);
    }
}

Example 10 with ReilOperand

use of com.google.security.zynamics.reil.ReilOperand in project binnavi by google.

the class BaseTransformer method transformRegisters.

/**
   * Transforms MNEM R1, R2, R3 to (R3 => COMBINE(R1, R2))
   * 
   * @param instruction The instruction in question.
   * @param incomingState The incoming state from the parents of the instruction.
   * @param generator Combines the input operand values of the instruction.
   * 
   * @return The new state of the graph node that represents the instruction.
   */
protected static ValueTrackerElement transformRegisters(final ReilInstruction instruction, final ValueTrackerElement incomingState, final IElementGenerator generator) {
    final ReilOperand firstOperand = instruction.getFirstOperand();
    final ReilOperand secondOperand = instruction.getSecondOperand();
    final ReilOperand thirdOperand = instruction.getThirdOperand();
    final IValueElement previousState1 = incomingState.getState(firstOperand.getValue());
    final IValueElement previousState2 = incomingState.getState(secondOperand.getValue());
    final IValueElement outputValue = getOutputValue(firstOperand, previousState1, secondOperand, previousState2, generator);
    return incomingState.update(instruction, new Register(thirdOperand.getValue()), outputValue);
}