[angr] Pyvex and ARM

Дмитрий Яровой yardmetr at gmail.com
Mon May 2 01:10:15 PDT 2016


Dear all,

I'm trying to convert ARM binary into VEX code using pyvex library.
Unfortunately, I got strange results that don't look like correct ones.

I'm using the following python code:

input_string = "/x01/x68"
irsb = pyvex.IRSB(input_string, 0, archinfo.ArchARM("Iend_LE"))
irsb.pp()

and substitute input_string with interesting bytes.

So for instance, "/x01/x68" are disassembled by IDA 6.8.1 into "LDR R3, [R0]".
Same result gives online disassembler. While pyvex returns me:

IRSB {
  t0:Ity_I32 t1:Ity_I32 t2:Ity_I32 t3:Ity_I32 t4:Ity_I32 t5:Ity_I32
t6:Ity_I32 t7
:Ity_I32

  00 | IR-NoOp
  01 | IR-NoOp
  02 | IR-NoOp
  03 | IR-NoOp
  04 | IR-NoOp
  05 | IR-NoOp
  06 | IR-NoOp
  07 | IR-NoOp
  08 | IR-NoOp
  09 | IR-NoOp
  10 | IR-NoOp
  11 | IR-NoOp
  12 | IR-NoOp
  13 | IR-NoOp
  14 | IR-NoOp
  15 | ------ IMark(0x0, 0, 0) ------
  16 | t2 = GET:I32(cc_op)
  17 | t1 = Or32(t2,0x00000030)
  18 | t3 = GET:I32(cc_dep1)
  19 | t4 = GET:I32(cc_dep2)
  20 | t5 = GET:I32(cc_ndep)
  21 | t6 = armg_calculate_condition(t1,t3,t4,t5):Ity_I32
  22 | t0 = t6
  23 | PUT(pc) = 0x00000000
  24 | t7 = GET:I32(pc)
  NEXT: PUT(pc) = t7; Ijk_NoDecode
}

Similar problems arise in case of other assembler operation, for instance: "
/x78/x44" are disassembled into "ADD R0, PC". Pyvex code is

 IRSB {
  t0:Ity_I32 t1:Ity_I32 t2:Ity_I32 t3:Ity_I32 t4:Ity_I32 t5:Ity_I32
t6:Ity_I32 t7
:Ity_I32 t8:Ity_I32 t9:Ity_I32 t10:Ity_I32 t11:Ity_I1 t12:Ity_I1
t13:Ity_I32 t14:I
ty_I32 t15:Ity_I32 t16:Ity_I32 t17:Ity_I32 t18:Ity_I32 t19:Ity_I32
t20:Ity_I32 t21
:Ity_I32 t22:Ity_I32 t23:Ity_I32 t24:Ity_I32 t25:Ity_I32 t26:Ity_I32
t27:Ity_I32 t
28:Ity_I32 t29:Ity_I32 t30:Ity_I32 t31:Ity_I32 t32:Ity_I32 t33:Ity_I32
t34:Ity_I32
t35:Ity_I32 t36:Ity_I32 t37:Ity_I32 t38:Ity_I32 t39:Ity_I32 t40:Ity_I1
t41:Ity_I3
2 t42:Ity_I32 t43:Ity_I32 t44:Ity_I32 t45:Ity_I1 t46:Ity_I32

  00 | IR-NoOp
  01 | IR-NoOp
  02 | IR-NoOp
  03 | IR-NoOp
  04 | IR-NoOp
  05 | IR-NoOp
  06 | IR-NoOp
  07 | IR-NoOp
  08 | IR-NoOp
  09 | IR-NoOp
  10 | IR-NoOp
  11 | IR-NoOp
  12 | IR-NoOp
  13 | IR-NoOp
  14 | IR-NoOp
  15 | ------ IMark(0x0, 4, 0) ------
  16 | t6 = GET:I32(cc_op)
  17 | t5 = Or32(t6,0x00000030)
  18 | t7 = GET:I32(cc_dep1)
  19 | t8 = GET:I32(cc_dep2)
  20 | t9 = GET:I32(cc_ndep)
  21 | t10 = armg_calculate_condition(t5,t7,t8,t9):Ity_I32
  22 | t0 = t10
  23 | t12 = 32to1(t0)
  24 | t11 = Not1(t12)
  25 | if (t11) { PUT(pc) = 0x4; Ijk_Boring }
  26 | t1 = GET:I32(r7)
  27 | t2 = t1
  28 | t13 = Sub32(t1,0x00000024)
  29 | PUT(r7) = t13
  30 | t15 = Sub32(t2,0x00000000)
  31 | t14 = LDle:I32(t15)
  32 | PUT(lr) = t14
  33 | t17 = Sub32(t2,0x00000004)
  34 | t16 = LDle:I32(t17)
  35 | PUT(sp) = t16
  36 | t19 = Sub32(t2,0x00000008)
  37 | t18 = LDle:I32(t19)
  38 | PUT(r12) = t18
  39 | t21 = Sub32(t2,0x0000000c)
  40 | t20 = LDle:I32(t21)
  41 | PUT(r11) = t20
  42 | t23 = Sub32(t2,0x00000010)
  43 | t22 = LDle:I32(t23)
  44 | PUT(r5) = t22
  45 | t25 = Sub32(t2,0x00000014)
  46 | t24 = LDle:I32(t25)
  47 | PUT(r3) = t24
  48 | t27 = Sub32(t2,0x00000018)
  49 | t26 = LDle:I32(t27)
  50 | PUT(r2) = t26
  51 | t29 = Sub32(t2,0x0000001c)
  52 | t28 = LDle:I32(t29)
  53 | PUT(r1) = t28
  54 | t31 = Sub32(t2,0x00000020)
  55 | t30 = LDle:I32(t31)
  56 | PUT(r0) = t30
  57 | PUT(pc) = 0x00000004
  58 | ------ IMark(0x4, 4, 0) ------
  59 | t33 = GET:I32(cc_op)
  60 | t32 = Or32(t33,0x00000030)
  61 | t34 = GET:I32(cc_dep1)
  62 | t35 = GET:I32(cc_dep2)
  63 | t36 = GET:I32(cc_ndep)
  64 | t37 = armg_calculate_condition(t32,t34,t35,t36):Ity_I32
  65 | t3 = t37
  66 | t38 = GET:I32(r4)
  67 | t39 = GET:I32(r7)
  68 | t40 = CmpNE32(t3,0x00000000)
  69 | t4 = if (t40) ILGop_Ident32(LDle(t38)) else t39
  70 | PUT(r7) = t4
  71 | t42 = GET:I32(r4)
  72 | t44 = GET:I32(r4)
  73 | t43 = Sub32(t44,0x0000082f)
  74 | t45 = CmpNE32(t3,0x00000000)
  75 | t41 = ITE(t45,t43,t42)
  76 | PUT(r4) = t41
  77 | PUT(pc) = 0x00000008
  78 | t46 = GET:I32(pc)
  NEXT: PUT(pc) = t46; Ijk_Boring
}

Could you clarify whether it is some kind of a bug or am I doing something
wrong?

Thanks in advance for your help.

Sincerely yours,

Iarovyi Dmytro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cs.ucsb.edu/pipermail/angr/attachments/20160502/ddd96964/attachment.html>


More information about the angr mailing list