
some SSE issues

Open expend20 opened this issue 6 years ago • 4 comments

Hey! I'm trying to run jitter through this code:

loc_400a31
MOVSD      XMM1, QWORD PTR [RIP + 0x1B7]
MULSD      XMM1, XMM3
MULSD      XMM1, XMM3
MULSD      XMM1, XMM4
MULSD      XMM1, XMM4
MOVAPD     XMM0, XMM3
MULSD      XMM0, XMM0
MOVAPD     XMM2, XMM4
MULSD      XMM2, XMM2
ADDSD      XMM2, XMM0
MOVAPD     XMM0, XMM5
MULSD      XMM0, XMM0
SUBSD      XMM2, XMM0
MULSD      XMM2, XMM2
SUBSD      XMM1, XMM2
XORPS      XMM0, XMM0
SQRTSD     XMM0, XMM1
UCOMISD    XMM0, XMM0
JNP        loc_400ab5
->	c_next:loc_400a7e 	c_to:loc_400ab5

If I use --jitter=python it gets stuck at the second instruction with:

00400A31 MOVSD      XMM1, QWORD PTR [RIP + 0x1B7]
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000 RSI 0000000000000000 RDI 0000000000000000 RSP 000000000013FFF8 RBP 0000000000000000 RIP 0000000000400A39
R8  0000000000000000 R9  0000000000000000 R10 0000000000000000 R11 0000000000000000 R12 0000000000000000 R13 0000000000000000 R14 0000000000000000 R15 0000000000000000 zf 0 nf 0 of 0 cf 0
00400A39 MULSD      XMM1, XMM3
Traceback (most recent call last):
  File "sandbox_elf.py", line 52, in <module>
    sb.run()
  File "/mnt/hgfs/tmp/miasm2/analysis/sandbox.py", line 643, in run
    super(Sandbox_Linux_x86_64, self).run(addr)
  File "/mnt/hgfs/tmp/miasm2/analysis/sandbox.py", line 126, in run
    self.jitter.continue_run()
  File "/mnt/hgfs/tmp/miasm2/jitter/jitload.py", line 387, in continue_run
    return self.run_iterator.next()
  File "/mnt/hgfs/tmp/miasm2/jitter/jitload.py", line 358, in runiter_once
    self.pc = self.run_at(self.pc)
  File "/mnt/hgfs/tmp/miasm2/jitter/jitload.py", line 315, in run_at
    set(self.breakpoints_handler.callbacks.keys())
  File "/mnt/hgfs/tmp/miasm2/jitter/jitcore.py", line 190, in run_at
    self.options["max_exec_per_call"])
  File "/mnt/hgfs/tmp/miasm2/jitter/jitcore_python.py", line 217, in exec_wrapper
    return fc_ptr(cpu)
  File "/mnt/hgfs/tmp/miasm2/jitter/jitcore_python.py", line 139, in myfunc
    exec_engine.update_cpu_from_engine()
  File "/mnt/hgfs/tmp/miasm2/jitter/emulatedsymbexec.py", line 92, in update_cpu_from_engine
    raise ValueError("A simplification is missing: %s" % value)
ValueError: A simplification is missing: {fmul(0x4010000000000000, 0x0) 0 64, 0x0 64 128}

If I use --jitter=llvm it gets stuck at the first instruction with:

Traceback (most recent call last):
  File "sandbox_elf.py", line 52, in <module>
    sb.run()
  File "/mnt/hgfs/tmp/miasm2/analysis/sandbox.py", line 643, in run
    super(Sandbox_Linux_x86_64, self).run(addr)
  File "/mnt/hgfs/tmp/miasm2/analysis/sandbox.py", line 126, in run
    self.jitter.continue_run()
  File "/mnt/hgfs/tmp/miasm2/jitter/jitload.py", line 387, in continue_run
    return self.run_iterator.next()
  File "/mnt/hgfs/tmp/miasm2/jitter/jitload.py", line 358, in runiter_once
    self.pc = self.run_at(self.pc)
  File "/mnt/hgfs/tmp/miasm2/jitter/jitload.py", line 315, in run_at
    set(self.breakpoints_handler.callbacks.keys())
  File "/mnt/hgfs/tmp/miasm2/jitter/jitcore.py", line 176, in run_at
    cur_block = self.disasm_and_jit_block(offset, cpu.vmmngr)
  File "/mnt/hgfs/tmp/miasm2/jitter/jitcore.py", line 153, in disasm_and_jit_block
    self.add_block(cur_block)
  File "/mnt/hgfs/tmp/miasm2/jitter/jitcore_llvm.py", line 94, in add_block
    func.from_asmblock(block)
  File "/mnt/hgfs/tmp/miasm2/jitter/llvmconvert.py", line 1626, in from_asmblock
    self.gen_irblock(instr_attrib, irblocks_attributes[index], instr_offsets, new_irblock)
  File "/mnt/hgfs/tmp/miasm2/jitter/llvmconvert.py", line 1436, in gen_irblock
    values[dst] = self.add_ir(src)
  File "/mnt/hgfs/tmp/miasm2/jitter/llvmconvert.py", line 1094, in add_ir
    raise NotImplementedError('Unknown op: %s' % op)
NotImplementedError: Unknown op: ucomisd_pf

Any ideas?

expend20, Mar 25 '19 09:03
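As an added reference model (not miasm's code and not from the original post) of the two pieces the jitters reported missing: folding fmul on raw 64-bit IEEE-754 patterns, which is what the python jitter's `fmul(0x4010000000000000, 0x0)` is (4.0 * 0.0), and the ZF/PF/CF semantics behind `ucomisd_pf`, which the LLVM jitter does not know. The block from the report is then re-run on top of these helpers; the QWORD at RIP+0x1B7 is not on the page, so `run_block` takes it as a parameter (`c_bits`), and the 3-4-5 input values are constructed.

```python
import math
import operator
import struct

def f64_to_bits(x: float) -> int:
    return struct.unpack("<Q", struct.pack("<d", x))[0]

def bits_to_f64(b: int) -> float:
    return struct.unpack("<d", struct.pack("<Q", b & 0xFFFFFFFFFFFFFFFF))[0]

def _fbinop(op, a: int, b: int) -> int:
    # Apply a double-precision operation to two raw 64-bit patterns, e.g. the
    # fmul(0x4010000000000000, 0x0) the python jitter could not fold (4.0 * 0.0).
    return f64_to_bits(op(bits_to_f64(a), bits_to_f64(b)))

def fmul(a: int, b: int) -> int: return _fbinop(operator.mul, a, b)
def fadd(a: int, b: int) -> int: return _fbinop(operator.add, a, b)
def fsub(a: int, b: int) -> int: return _fbinop(operator.sub, a, b)

def fsqrt(a: int) -> int:
    # SQRTSD of a negative operand yields NaN; math.sqrt would raise instead.
    x = bits_to_f64(a)
    return f64_to_bits(float("nan") if x < 0 else math.sqrt(x))

def ucomisd(a: int, b: int) -> dict:
    # Intel SDM: unordered (either NaN) -> ZF=PF=CF=1; otherwise ZF = equal, CF = less, PF = 0.
    x, y = bits_to_f64(a), bits_to_f64(b)
    if math.isnan(x) or math.isnan(y):
        return {"zf": 1, "pf": 1, "cf": 1}
    return {"zf": int(x == y), "pf": 0, "cf": int(x < y)}

def ucomisd_pf(a: int, b: int) -> int:
    # The operator the LLVM jitter reported as unknown: PF alone.
    return ucomisd(a, b)["pf"]

def run_block(c_bits: int, xmm3: int, xmm4: int, xmm5: int) -> tuple:
    # loc_400a31 from the issue, on raw bit patterns. c_bits stands for the
    # QWORD at RIP+0x1B7, which the report does not show (assumed by the caller).
    xmm1 = fmul(fmul(fmul(fmul(c_bits, xmm3), xmm3), xmm4), xmm4)
    xmm0 = fmul(xmm3, xmm3)
    xmm2 = fadd(fmul(xmm4, xmm4), xmm0)
    xmm0 = fmul(xmm5, xmm5)
    xmm2 = fsub(xmm2, xmm0)
    xmm2 = fmul(xmm2, xmm2)
    xmm1 = fsub(xmm1, xmm2)
    xmm0 = fsqrt(xmm1)              # XORPS zeroes XMM0, SQRTSD then fills its low lane
    flags = ucomisd(xmm0, xmm0)     # self-compare: only a NaN is unordered
    return xmm1, xmm0, flags, flags["pf"] == 0   # JNP loc_400ab5 taken when PF is clear
```

With all XMM registers zero, as in the register dump above, the block folds to 0.0 throughout and JNP is taken; a negative XMM1 (sqrt of a negative value) is the only way PF gets set here.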

Yep: the ucomisd_pf operator is not currently implemented in Miasm :cry:

serpilliere, Mar 26 '19 08:03

If it's possible to add vectorized opcodes, it would be super cool:

.text:00000001400017FA vmovdqu ymm0, cs:ymmword_140015960
.text:0000000140001802 vmovdqu [rbp+40h+var_20], ymm0
.text:0000000140001807 imul    rax, [rbp+40h+var_40], 20h
.text:000000014000180C mov     rcx, [rsp+60h+arg_0]
.text:0000000140001811 vmovdqu ymm0, [rbp+40h+var_20]
.text:0000000140001816 vmovdqu ymmword ptr [rcx+rax+800h], ymm0

expend20, Aug 22 '19 18:08

Hi @expend20 !

We will try to look at this (and the flags :smile: ) quickly. By the way, you can try to add some semantics yourself if you wish: in this case I will help you make it work!

serpilliere, Aug 27 '19 04:08

Hi @serpilliere!

and the flags

You got it, all those examples are from ctfs :D

By the way, you can try to add some semantics yourself if you wish: in this case I will help you make it work!

I can try. Are there any introduction tips/tricks/howtos/starting points? I'm a bit overwhelmed by the code base and the components of the project for now.

expend20, Aug 27 '19 09:08