[angr] Pyvex and ARM

Fish Wang fish at cs.ucsb.edu
Mon May 2 09:18:14 PDT 2016


Hi Iarovyi,

Just read your code snippet. There are two things that are questionable.

- I assume your input_string is a two-byte buffer, in which case you should use backslashes (\) instead of slashes, like input_string = "\x01\x68"

- Your ARM machine code is in fact in THUMB mode. If you want to pass it to PyVEX, the address (the second parameter to pyvex.IRSB()) must be an odd number. 0 won't work.

 

If you are not using PyVEX for any specific reason, I would suggest using angr.Project() to load the binary and angr.Lifter to lift the machine code and print out the disassembly.

Best,

Fish
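A worked illustration of both points above, added here as an example (it is not code from Fish, from the original poster, or from the angr project). It shows that the string "/x01/x68" is eight ASCII bytes rather than two, which is why the second listing in the quoted mail lifts "/x78/x44" as two 4-byte ARM words (IMark(0x0, 4, 0) followed by IMark(0x4, 4, 0)); it sets the low address bit that selects Thumb decoding; and it includes a small decoder for the two 16-bit Thumb encodings that appear in the thread (LDR immediate and ADD register), so the reader can see why these halfwords are Thumb code. The helper names are mine; the pyvex.IRSB(data, address, arch) call shape is the one used in the thread, and that call only runs if pyvex and archinfo are installed.

```python
"""Added example (not from the original thread): why "/x01/x68" is not two
bytes, and why the address passed to pyvex.IRSB must be odd for Thumb code."""
import struct


def as_bytes_literal_mistake(s):
    """The mistaken string from the thread: forward slashes are ordinary
    characters, so "/x01/x68" is eight ASCII bytes, not two."""
    return s.encode("ascii")


def intended_bytes(hexpairs):
    """What the author meant: hexpairs ("01", "68") -> b"\\x01\\x68"."""
    return bytes(int(h, 16) for h in hexpairs)


def arm_words_le(data):
    """Split a buffer into the 32-bit little-endian words an ARM-mode lifter
    decodes (the thread's second listing consumed "/x78/x44" as two words)."""
    return [struct.unpack_from("<I", data, off)[0]
            for off in range(0, len(data) - 3, 4)]


def thumb_address(addr):
    """VEX selects Thumb decoding from the low bit of the address: set it."""
    return addr | 1


def is_thumb16(halfword):
    """True for a 16-bit Thumb encoding; top bits 11101/11110/11111 mark the
    first halfword of a 32-bit Thumb-2 instruction instead."""
    return (halfword >> 11) not in (0b11101, 0b11110, 0b11111)


def _reg(n):
    return {13: "sp", 14: "lr", 15: "pc"}.get(n, "r%d" % n)


def decode_thumb16(halfword):
    """Decode the two Thumb-1 forms seen in the thread (assumed subset):
    LDR (immediate) T1: 01101 imm5 Rn Rt   -> word load, offset = imm5 * 4
    ADD (register)  T2: 01000100 DN Rm Rdn -> high-register add (Rm may be PC)
    Anything else is reported as 'unhandled'."""
    if (halfword >> 11) == 0b01101:
        imm5 = (halfword >> 6) & 0x1F
        rn = (halfword >> 3) & 0x7
        rt = halfword & 0x7          # destination register is bits 2:0
        return "ldr r%d, [r%d, #%d]" % (rt, rn, imm5 * 4)
    if (halfword >> 8) == 0b01000100:
        dn = (halfword >> 7) & 1
        rm = (halfword >> 3) & 0xF
        rdn = (dn << 3) | (halfword & 0x7)
        return "add %s, %s" % (_reg(rdn), _reg(rm))
    return "unhandled"


def lift_thumb(code, base=0):
    """Lift with pyvex at an odd (Thumb) address when pyvex is installed;
    returns the IRSB jumpkind, or None if pyvex/archinfo are unavailable."""
    try:
        import archinfo
        import pyvex
    except ImportError:
        return None
    irsb = pyvex.IRSB(code, thumb_address(base), archinfo.ArchARM())
    return irsb.jumpkind


if __name__ == "__main__":
    wrong = as_bytes_literal_mistake("/x78/x44")
    # eight bytes, decoded as the ARM words 0x3837782f and 0x3434782f
    print(len(wrong), [hex(w) for w in arm_words_le(wrong)])
    for pair in (("01", "68"), ("78", "44")):
        code = intended_bytes(pair)
        hw = struct.unpack("<H", code)[0]
        print(code.hex(), hex(hw), is_thumb16(hw), decode_thumb16(hw))
    print(lift_thumb(intended_bytes(("78", "44"))))
```

Run it as a script to see the eight-byte mistake next to the two-byte intent; the pyvex call at the end is skipped when the library is not present, so the rest of the script works offline.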

 

From: angr [mailto:angr-bounces at lists.cs.ucsb.edu] On Behalf Of Дмитрий Яровой
Sent: Monday, May 2, 2016 4:10 PM
To: angr at lists.cs.ucsb.edu
Subject: [angr] Pyvex and ARM

 

Dear all,

I'm trying to convert an ARM binary into VEX code using the pyvex library. Unfortunately, I got strange results that don't look correct.

I'm using the following Python code:

import pyvex
import archinfo

input_string = "/x01/x68"
irsb = pyvex.IRSB(input_string, 0, archinfo.ArchARM("Iend_LE"))
irsb.pp()

 

and substitute input_string with interesting bytes.

 

So, for instance, "/x01/x68" is disassembled by IDA 6.8.1 into "LDR R3, [R0]". An online disassembler gives the same result. Pyvex, however, returns:

IRSB {

  t0:Ity_I32 t1:Ity_I32 t2:Ity_I32 t3:Ity_I32 t4:Ity_I32 t5:Ity_I32 t6:Ity_I32 t7:Ity_I32

  00 | IR-NoOp 
  01 | IR-NoOp 
  02 | IR-NoOp 
  03 | IR-NoOp 
  04 | IR-NoOp 
  05 | IR-NoOp 
  06 | IR-NoOp 
  07 | IR-NoOp 
  08 | IR-NoOp 
  09 | IR-NoOp 
  10 | IR-NoOp 
  11 | IR-NoOp 
  12 | IR-NoOp 
  13 | IR-NoOp 
  14 | IR-NoOp 
  15 | ------ IMark(0x0, 0, 0) ------ 
  16 | t2 = GET:I32(cc_op) 
  17 | t1 = Or32(t2,0x00000030) 
  18 | t3 = GET:I32(cc_dep1) 
  19 | t4 = GET:I32(cc_dep2) 
  20 | t5 = GET:I32(cc_ndep) 
  21 | t6 = armg_calculate_condition(t1,t3,t4,t5):Ity_I32 
  22 | t0 = t6 
  23 | PUT(pc) = 0x00000000 
  24 | t7 = GET:I32(pc) 
  NEXT: PUT(pc) = t7; Ijk_NoDecode 
}

Similar problems arise with other assembler operations; for instance, "/x78/x44" is disassembled into "ADD R0, PC". The pyvex code is:

IRSB {

  t0:Ity_I32 t1:Ity_I32 t2:Ity_I32 t3:Ity_I32 t4:Ity_I32 t5:Ity_I32 t6:Ity_I32 t7:Ity_I32 t8:Ity_I32 t9:Ity_I32 t10:Ity_I32 t11:Ity_I1 t12:Ity_I1 t13:Ity_I32 t14:Ity_I32 t15:Ity_I32 t16:Ity_I32 t17:Ity_I32 t18:Ity_I32 t19:Ity_I32 t20:Ity_I32 t21:Ity_I32 t22:Ity_I32 t23:Ity_I32 t24:Ity_I32 t25:Ity_I32 t26:Ity_I32 t27:Ity_I32 t28:Ity_I32 t29:Ity_I32 t30:Ity_I32 t31:Ity_I32 t32:Ity_I32 t33:Ity_I32 t34:Ity_I32 t35:Ity_I32 t36:Ity_I32 t37:Ity_I32 t38:Ity_I32 t39:Ity_I32 t40:Ity_I1 t41:Ity_I32 t42:Ity_I32 t43:Ity_I32 t44:Ity_I32 t45:Ity_I1 t46:Ity_I32

  00 | IR-NoOp 
  01 | IR-NoOp 
  02 | IR-NoOp 
  03 | IR-NoOp 
  04 | IR-NoOp 
  05 | IR-NoOp 
  06 | IR-NoOp 
  07 | IR-NoOp 
  08 | IR-NoOp 
  09 | IR-NoOp 
  10 | IR-NoOp 
  11 | IR-NoOp 
  12 | IR-NoOp 
  13 | IR-NoOp 
  14 | IR-NoOp 
  15 | ------ IMark(0x0, 4, 0) ------ 
  16 | t6 = GET:I32(cc_op) 
  17 | t5 = Or32(t6,0x00000030) 
  18 | t7 = GET:I32(cc_dep1) 
  19 | t8 = GET:I32(cc_dep2) 
  20 | t9 = GET:I32(cc_ndep) 
  21 | t10 = armg_calculate_condition(t5,t7,t8,t9):Ity_I32 
  22 | t0 = t10 
  23 | t12 = 32to1(t0) 
  24 | t11 = Not1(t12) 
  25 | if (t11) { PUT(pc) = 0x4; Ijk_Boring } 
  26 | t1 = GET:I32(r7) 
  27 | t2 = t1 
  28 | t13 = Sub32(t1,0x00000024) 
  29 | PUT(r7) = t13 
  30 | t15 = Sub32(t2,0x00000000) 
  31 | t14 = LDle:I32(t15) 
  32 | PUT(lr) = t14 
  33 | t17 = Sub32(t2,0x00000004) 
  34 | t16 = LDle:I32(t17) 
  35 | PUT(sp) = t16 
  36 | t19 = Sub32(t2,0x00000008) 
  37 | t18 = LDle:I32(t19) 
  38 | PUT(r12) = t18 
  39 | t21 = Sub32(t2,0x0000000c) 
  40 | t20 = LDle:I32(t21) 
  41 | PUT(r11) = t20 
  42 | t23 = Sub32(t2,0x00000010) 
  43 | t22 = LDle:I32(t23) 
  44 | PUT(r5) = t22 
  45 | t25 = Sub32(t2,0x00000014) 
  46 | t24 = LDle:I32(t25) 
  47 | PUT(r3) = t24 
  48 | t27 = Sub32(t2,0x00000018) 
  49 | t26 = LDle:I32(t27) 
  50 | PUT(r2) = t26 
  51 | t29 = Sub32(t2,0x0000001c) 
  52 | t28 = LDle:I32(t29) 
  53 | PUT(r1) = t28 
  54 | t31 = Sub32(t2,0x00000020) 
  55 | t30 = LDle:I32(t31) 
  56 | PUT(r0) = t30 
  57 | PUT(pc) = 0x00000004 
  58 | ------ IMark(0x4, 4, 0) ------ 
  59 | t33 = GET:I32(cc_op) 
  60 | t32 = Or32(t33,0x00000030) 
  61 | t34 = GET:I32(cc_dep1) 
  62 | t35 = GET:I32(cc_dep2) 
  63 | t36 = GET:I32(cc_ndep) 
  64 | t37 = armg_calculate_condition(t32,t34,t35,t36):Ity_I32 
  65 | t3 = t37 
  66 | t38 = GET:I32(r4) 
  67 | t39 = GET:I32(r7) 
  68 | t40 = CmpNE32(t3,0x00000000) 
  69 | t4 = if (t40) ILGop_Ident32(LDle(t38)) else t39 
  70 | PUT(r7) = t4 
  71 | t42 = GET:I32(r4) 
  72 | t44 = GET:I32(r4) 
  73 | t43 = Sub32(t44,0x0000082f) 
  74 | t45 = CmpNE32(t3,0x00000000) 
  75 | t41 = ITE(t45,t43,t42) 
  76 | PUT(r4) = t41 
  77 | PUT(pc) = 0x00000008 
  78 | t46 = GET:I32(pc) 
  NEXT: PUT(pc) = t46; Ijk_Boring 
}

Could you clarify whether this is some kind of bug, or whether I am doing something wrong?

Thanks in advance for your help.

 

Sincerely yours,

Iarovyi Dmytro
