
Recompile ircfg

Open nofiv opened this issue 4 years ago • 6 comments

Hello, I would like to recompile an ircfg and append the resulting bytes to an existing PE.

I think it could also be added to Miasm if it were feasible.

I want to modify the export_llvm example based on @commial's comment in this issue.

I'm wondering whether either moving the stack pointer to a global variable and temporarily setting its register to a new address (both would be at some static locations in the PE) or simply declaring the function as naked to avoid the unwanted pushes would be enough.

The rest of the registers would be represented with local variables and the flags omitted, as in the comment.

What do you think?

nofiv, Sep 04 '21 08:09

The problem is that in native x86, if you have a:

PUSH EAX

it will give IR something like:

@32[ESP-4] = EAX
ESP = ESP - 4

And from there, even if you manage to bind the variable ESP to the register ESP (which is not possible in LLVM), there are few chances (and I mean no chance at all) that those IR instructions will form a PUSH.

serpilliere, Sep 04 '21 15:09

I see, that's unfortunate. Thanks for the information. The binding would apparently be very cumbersome.

What are your thoughts on decompilation, by the way? I noticed that a bridge to Ghidra was mentioned in this issue; are there any huge issues?

nofiv, Sep 04 '21 21:09

Hi @nofiv. Maybe you wanted to say: "I noticed that the absence of a bridge to Ghidra was mentioned in this issue".

Right, it's absent. But we accept PRs :smile:

serpilliere, Sep 06 '21 06:09

Hello @serpilliere, it mentions @commial's one-way bridge from Miasm IR to Ghidra IR. I thought that it was absent only the other way round 😕

nofiv, Sep 06 '21 08:09

The other problem is that Ghidra uses Jython in order to run Python in Java, which supports only Python 2, which is deprecated. So one day we may drop Python 2 support and so break this possibility for Ghidra.

serpilliere, Sep 07 '21 07:09

If this is a possibility for you, you could generate lifted source code using Miasm. This source code can be compiled to native code but needs some special treatment when calling external or native code. I generated source code using Miasm that looks like this:

/* Minimal declarations assumed here so the generated excerpt compiles on its own;
   they are not part of the output shown in the comment. Note that the excerpt
   dereferences guest addresses directly as host pointers, which only works when
   guest memory is identity-mapped on the host (e.g. a 32-bit process with the
   original image loaded at its base address). */
#include <stdint.h>
#include <stdio.h>

#ifndef DEBUG_PRINT_CALLS
#define DEBUG_PRINT_CALLS 0
#endif

struct vm_cpu {
    uint32_t EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI;
};

/* global from the original image's data section, referenced by the lifted code */
static uint32_t dword_4D8BA4_2_158628;

void sub_411140_0_65776(struct vm_cpu* cpu) {
    uint8_t zf = 0;
    if (DEBUG_PRINT_CALLS) printf("[%s] call SP is 0x%p\n", __FUNCTION__, (void*)(uintptr_t)cpu->ESP);
    goto loc_key_5355;
loc_key_5355:
    {
    /* EAX = [ESP+8], the second dword above the return address */
    cpu->EAX = (*(uint32_t*)(uintptr_t)((cpu->ESP + 0x8)&0xffffffff));
    }
    {
    zf = (cpu->EAX?0x0:0x1);            /* ZF set when EAX == 0 */
    }
    {
    if (zf) {
        goto loc_key_14748;
    } else {
        goto loc_key_14749;
    }
    }
loc_key_14749:
    {
    cpu->EAX = (*(uint32_t*)(uintptr_t)&dword_4D8BA4_2_158628);   /* EAX = global dword */
    }
    {
    zf = (cpu->EAX?0x0:0x1);
    }
    {
    if (zf) {
        goto loc_key_14748;
    } else {
        goto loc_key_14750;
    }
    }
loc_key_14748:
    {
    cpu->EAX = 0x0;                     /* return value 0 */
    }
    {
    cpu->ESP = ((cpu->ESP + 0x4)&0xffffffff);   /* RET: pop the return address */
    if (DEBUG_PRINT_CALLS) printf("[%s] return SP is 0x%p\n", __FUNCTION__, (void*)(uintptr_t)cpu->ESP);
    return;
    }
loc_key_14750:
    {
    cpu->EAX = (*(uint32_t*)(uintptr_t)((cpu->EAX + 0x1c)&0xffffffff));   /* EAX = [EAX+0x1c] */
    }
    {
    cpu->ECX = (*(uint32_t*)(uintptr_t)((cpu->ESP + 0x4)&0xffffffff));    /* ECX = [ESP+4], first dword above the return address */
    }
    {
    zf = (((uint32_t)cpu->EAX == (uint32_t)cpu->ECX)?1:0);   /* ZF from CMP EAX, ECX */
    }
    {
    if (zf) {
        goto loc_key_14751;
    } else {
        goto loc_key_14748;
    }
    }
loc_key_14751:
    {
    cpu->EAX = 0x1;                     /* return value 1 */
    }
    {
    cpu->ESP = ((cpu->ESP + 0x4)&0xffffffff);   /* RET: pop the return address */
    if (DEBUG_PRINT_CALLS) printf("[%s] return SP is 0x%p\n", __FUNCTION__, (void*)(uintptr_t)cpu->ESP);
    return;
    }
} // sub_411140_0_65776

To call the code you need to set up a vm_cpu struct.

tly000, Sep 17 '21 15:09
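The call setup tly000 describes ("you need to set up a vm_cpu struct"), as an added example that is not code from Miasm or from the comment above: a host-side harness that builds an emulated cdecl stack frame for a lifted function of the shape shown, runs it, and checks that the callee left ESP where a `ret` would. The `struct vm_cpu` layout, `GUEST_BASE`, `mem32()`, `call_cdecl2()` and the two constructed `lifted_*` callees are assumptions made for this example; the real generated code dereferences guest addresses as host pointers directly, whereas this harness translates them through a bounds-checked guest buffer so it also runs on a 64-bit host.

```c
/* Added example, not code from Miasm or from the comment above: a host-side harness
 * for lifted code of this shape. vm_cpu, GUEST_BASE, mem32(), call_cdecl2() and the
 * two lifted_* callees are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUEST_BASE    0x00100000u   /* guest address of the emulated stack region */
#define GUEST_SIZE    0x1000u
#define RET_SENTINEL  0xDEADBEEFu   /* fake return address pushed for the callee */

struct vm_cpu {
    uint32_t EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI;
    uint8_t *mem;   /* host buffer backing guest [GUEST_BASE, GUEST_BASE + GUEST_SIZE) */
};
typedef void (*lifted_fn)(struct vm_cpu *);

/* Guest address -> host pointer. The generated code above casts the guest address
 * itself to a pointer, which only works when guest and host addresses coincide;
 * a bounds-checked translation keeps a bad guest access off host memory. */
static uint32_t *mem32(struct vm_cpu *cpu, uint32_t addr)
{
    uint32_t off = addr - GUEST_BASE;          /* wraps around for addr < GUEST_BASE */
    if (off > GUEST_SIZE - 4) {
        fprintf(stderr, "guest fault: access at 0x%08x\n", addr);
        abort();
    }
    return (uint32_t *)(cpu->mem + off);
}

/* Constructed stand-in for a lifted cdecl(uint32_t a, uint32_t b) returning a == b,
 * addressing the stack the way the generated code does: args at [ESP+4], [ESP+8];
 * `ret` modelled as ESP += 4. */
static void lifted_cmp(struct vm_cpu *cpu)
{
    cpu->EAX = *mem32(cpu, cpu->ESP + 0x4);
    cpu->ECX = *mem32(cpu, cpu->ESP + 0x8);
    cpu->EAX = (cpu->EAX == cpu->ECX) ? 0x1 : 0x0;
    cpu->ESP = (cpu->ESP + 0x4) & 0xffffffff;   /* ret */
}

/* Constructed broken callee: no `ret`, so ESP is left unbalanced. */
static void lifted_noret(struct vm_cpu *cpu) { cpu->EAX = 0x7; }

/* cdecl call with two dword args: push b, push a, push a fake return address, run
 * the body, then drop the args as the caller would. Returns 1 and sets *eax_out,
 * or 0 if the callee changed ESP by anything other than popping the return address. */
static int call_cdecl2(struct vm_cpu *cpu, lifted_fn fn, uint32_t a, uint32_t b,
                       uint32_t *eax_out)
{
    uint32_t sp_before = cpu->ESP;
    cpu->ESP -= 4; *mem32(cpu, cpu->ESP) = b;
    cpu->ESP -= 4; *mem32(cpu, cpu->ESP) = a;
    cpu->ESP -= 4; *mem32(cpu, cpu->ESP) = RET_SENTINEL;
    fn(cpu);
    if (cpu->ESP != sp_before - 8) {   /* only the return address should be gone */
        fprintf(stderr, "stack imbalance: ESP=0x%08x, expected 0x%08x\n",
                cpu->ESP, sp_before - 8);
        cpu->ESP = sp_before;
        return 0;
    }
    cpu->ESP += 8;                     /* caller removes the two arguments */
    *eax_out = cpu->EAX;
    return 1;
}

/* Fresh CPU over a zeroed guest stack, then one call. */
static int run(lifted_fn fn, uint32_t a, uint32_t b, uint32_t *eax)
{
    static uint8_t mem[GUEST_SIZE];
    struct vm_cpu cpu;
    memset(&cpu, 0, sizeof cpu);
    memset(mem, 0, sizeof mem);
    cpu.mem = mem;
    cpu.ESP = GUEST_BASE + GUEST_SIZE - 16;   /* a little headroom at the top */
    return call_cdecl2(&cpu, fn, a, b, eax);
}

/* lifted_cmp(a, b); 0xFFFFFFFF signals a failed call. */
uint32_t run_cmp(uint32_t a, uint32_t b)
{
    uint32_t eax;
    return run(lifted_cmp, a, b, &eax) ? eax : 0xFFFFFFFFu;
}

/* 1 if the harness catches lifted_noret's missing `ret`. */
int detects_imbalance(void)
{
    uint32_t eax;
    return run(lifted_noret, 1, 2, &eax) == 0;
}

int main(void)
{
    printf("cmp(5,5)=%u cmp(5,6)=%u imbalance detected=%d\n",
           run_cmp(5, 5), run_cmp(5, 6), detects_imbalance());
    return 0;
}
```

The ESP check after the call is the cheap sanity test worth keeping in such a harness: lifted code that was recovered from a wrong calling convention or an incomplete CFG tends to show up first as a stack pointer that does not come back where the caller expects it. The same `mem32()` translation is also the place where calls out to native or external code have to be bridged, since a native callee expects real host pointers rather than guest addresses.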