miasm icon indicating copy to clipboard operation
miasm copied to clipboard

Published 20 hours ago verified publisher icon cea-sec

Tell miasm not to simplify a register

Open acheron2302 opened this issue 3 years ago • 5 comments
trafficstars

In the following image, notice ECX, ESP and @32[ESP]. The ECX is suppose to be @32[ESP] and miasm recognise that ESP has an expresion so it simplify to @32[<ESP expression>], but what i want is the expression to become @32[ESP] = 0x3D716DE. How can i do that wihth miasm? image

acheron2302 avatar Mar 11 '22 09:03 acheron2302

Hi @acheron2302 I am afraid I didn't understand the full problem. Can you detail it a bit more ?

serpilliere avatar Mar 19 '22 16:03 serpilliere

@serpilliere sorry for a late respond, on the picture above is the sb.dump() after i run through a block. Here ESP register value is equal to call_func_stack(…) and the memory value that ESP point to is @[ESP] = 0x3d716de the ECX after i run the block suppose to be ECX = @32[ESP] but miasm eval the ESP register to call_func_stack so it turn the ECX into the value above. I want miasm to eval the memory value first not eval the register ESP first so that ECX can be equal to 0x3d716de

acheron2302 avatar Mar 23 '22 16:03 acheron2302

Ok @acheron2302 I think I have it but you might have misinterpreted the symbolic execution result: Imagine you have the following native equivalent code:

EAX = EBX
EBX = 0x12
ECX = [EAX]

After step 1, you have the following state result:

EAX is equal to  EBX (ebx value from the beginning of the execution)

After step 2, you have:

EAX is equal to  EBX (ebx value from the beginning of the execution)
AND:
EBX equals to 0x12

But at this step, EAX is not egual to EBX. correct? And after step 3, you have the resulting state:

EAX is equal to  EBX (ebx value from the beginning of the execution)
EBX equals to 0x12
ECX equals to @32[EBX value from the beginning]

But you cannot conclude that ecx = @32[12] so EAX = @32[12] Tell me if those explanations are clear

serpilliere avatar Mar 24 '22 07:03 serpilliere

Yeah you get the right idea @serpilliere. My following native code look like this:

@[ESP] = <some constant>
EAX, ESP = call <some function>
ECX = @[ESP]

What i want is after i use symbolic execution the value of ECX = <some constant> but the problem is after running through symbolic execution the value get turn into ECX = @[call_func_stack(<some function>)] and @[call_func_stack(<some function>)] doesn't evaluate to any value so is there any way to tell miasm not eval ESP inside @32[ESP] but eval the whole expression first

acheron2302 avatar Mar 25 '22 03:03 acheron2302

Hi @acheron2302 One solution is the following: if you know that the called function doesn't modify @[ESP], and you know if the called function modifify ESP or not, then you can model this knowledge.

To do this, you can subclass the lifter and implement your call_effects. you have an example of this in the example scripts full.py:


class LifterDelModCallStack(machine.lifter_model_call):
        def call_effects(self, addr, instr):
            assignblks, extra = super(LifterDelModCallStack, self).call_effects(addr, instr)
            if not args.calldontmodstack:
                return assignblks, extra
            out = []
            for assignblk in assignblks:
                dct = dict(assignblk)
                dct = {
                    dst:src for (dst, src) in viewitems(dct) if dst != self.sp
                }
                out.append(AssignBlock(dct, assignblk.instr))
            return out, extra

Here, the code will consider that if args.calldontmodstack is the "model" used to tranform a function call won't modifiy ESP. If you know that a a partilar function modifies ESP (for example clean arguments), you can add this to this piece of code to obtain something like:

EAX = call_func_ret(XXXX)
ESP = ESP + 8

Does it resolves your problem?

serpilliere avatar Mar 28 '22 09:03 serpilliere