A patched version of VEX to work with PyVEX.
License: GNU General Public License v2.0
This is a mirror of libVEX (of the Valgrind project: valgrind.org) for use with PyVEX (https://github.com/angr/pyvex).
Have you run across this one before? I got it with a CFGFast of a large binary (I'd include it if it weren't so large). The analysis appears to continue.
vex: the `impossible' happened:
segmentGuestRegOffset(x86)
Traceback:
/home/w/proj/hoff/angr-dev/pyvex/pyvex/../pyvex_c/pyvex_static.so(+0xd9040) [0x7f474540e040]
/home/w/proj/hoff/angr-dev/pyvex/pyvex/../pyvex_c/pyvex_static.so(+0xd9509) [0x7f474540e509]
/home/w/proj/hoff/angr-dev/pyvex/pyvex/../pyvex_c/pyvex_static.so(+0xefdca) [0x7f4745424dca]
/home/w/proj/hoff/angr-dev/pyvex/pyvex/../pyvex_c/pyvex_static.so(disInstr_X86+0xd9) [0x7f47454340c9]
/home/w/proj/hoff/angr-dev/pyvex/pyvex/../pyvex_c/pyvex_static.so(bb_to_IR+0x2f0) [0x7f47453fc150]
/home/w/proj/hoff/angr-dev/pyvex/pyvex/../pyvex_c/pyvex_static.so(LibVEX_Translate+0x44f) [0x7f47453a9ddf]
/home/w/proj/hoff/angr-dev/pyvex/pyvex/../pyvex_c/pyvex_static.so(+0x686f4) [0x7f474539d6f4]
/home/w/proj/hoff/angr-dev/pyvex/pyvex/../pyvex_c/pyvex_static.so(vex_count_instructions+0xe8) [0x7f474539d835]
/home/w/proj/hoff/angr-dev/pyvex/pyvex/../pyvex_c/pyvex_static.so(vex_block_bytes+0x108) [0x7f474539db1a]
There is mismatch in two different instruction description on file: vex/pub/libvex_ir.h
Line 111:
PUT(0) = t1 # put %eax
Line 155:
STle(t3) = t0
First one has incorrect assignment direction from my understanding, that should be
PUT(12) = t1
Patch for Windows build using make installed from choco. Might just be make version opinions. Feel free to close, just wanted to document for others.
1c1
< !include common.mk
---
> include common.mk
7c7
< !if "$(MULTIARCH)" == "1"
---
> ifeq "$(MULTIARCH)" "1"
9c9
< !else
---
> else
11c11
< !endif
---
> endif
34c34
< pub\libvex_guest_offsets.h: $(PUB_HEADERS) auxprogs/genoffsets.c
---
> pub/libvex_guest_offsets.h: $(PUB_HEADERS) auxprogs/genoffsets.cHi,
I need some guidance regarding VEX IR for API calls of ELF files for MIPS/ARM binaries. I have seen VEX IR for different assembly instructions however unable to understand it for functions calls in VEX representation.
In Opt: Support disabling cross-instruction optimizations, libvex_guest_offsets.h was included in ir_opt.c, but this file was not generated when make -f Makefile-gcc all or nmake /f Makefile-msvc all.
Looking at an instruction using gs a 64 bit address of some memory and then reading at an ebp offset from that:
In [40]: angr.load_shellcode(b'eg\x0f\xb6m\x00','amd64').factory.block(0).pp()
0x0: movzx ebp, byte ptr gs:[ebp]
vex decides this memory access should be truncated to 32 bits (at 04):
In [41]: angr.load_shellcode(b'eg\x0f\xb6m\x00','amd64').factory.block(0).vex.pp()
IRSB {
t0:Ity_I64 t1:Ity_I64 t2:Ity_I32 t3:Ity_I64 t4:Ity_I64 t5:Ity_I64 t6:Ity_I64 t7:Ity_I64 t8:Ity_I32 t9:Ity_I8 t10:Ity_I64
00 | ------ IMark(0x0, 6, 0) ------
01 | t4 = GET:I64(gs)
02 | t6 = GET:I64(rbp)
03 | t3 = Add64(t6,t4)
04 | t2 = 64to32(t3)
05 | t1 = 32Uto64(t2)
06 | t9 = LDle:I8(t1)
07 | t8 = 8Uto32(t9)
08 | t7 = 32Uto64(t8)
09 | PUT(rbp) = t7
NEXT: PUT(rip) = 0x0000000000000006; Ijk_Boring
}
but Pcode doesn't:
In [42]: angr.load_shellcode(b'eg\x0f\xb6m\x00','amd64',engine=angr.engines.UberEnginePcode).factory.block(0).vex.pp()
IRSB {
00 | ------ 00000000, 6 ------
+00 | unique[0x600:8] = sext(EBP)
+01 | unique[0x9c0:8] = GS_OFFSET + unique[0x600:8]
+02 | unique[0x1760:1] = *[ram]unique[0x9c0:8]
+03 | EBP = zext(unique[0x1760:1])
NEXT: 6; Ijk_Boring
}
and I believe my processor doesn't either.
the pyvex package on pypi cheats and downloads the sources from current master.
this results in
I am trying to get a symbolic expression from an ARM64 code performing floating point compares.
The function takes single float argument in reg s0 which I have initialized as FPS('x', FLOAT).
For the ARM64 insns:
00000000000000ec <f_piece0>:
ec: 08 20 20 1e fcmp s0, #0.0
f0: c5 00 00 54 b.pl 0x108 <f_piece0+0x1c>
The IRSB is:
IRSB {
t0:Ity_F32 t1:Ity_F32 t2:Ity_I32 t3:Ity_I64 t4:Ity_I64 t5:Ity_I64 t6:Ity_I64 t7:Ity_I64 t8:Ity_I64 t9:Ity_I64 t10:Ity_I64 t11:Ity_I64 t12:Ity_I64 t13:Ity_I64 t14:Ity_I64 t15:Ity_I64 t16:Ity_I64 t17:Ity_I64 t18:Ity_I64 t19:Ity_I64 t20:Ity_I64 t21:Ity_I64 t22:Ity_I64 t23:Ity_I1 t24:Ity_I64 t25:Ity_I64 t26:Ity_I64 t27:Ity_I64 t28:Ity_I64 t29:Ity_I64 t30:Ity_I64
00 | ------ IMark(0x4000ec, 4, 0) ------
01 | t0 = GET:F32(s0)
02 | t2 = CmpF32(t0,0.000000)
03 | t10 = 32Uto64(t2)
04 | t12 = And64(t10,0x0000000000000001)
05 | t14 = Shr64(t10,0x05)
06 | t13 = And64(t14,0x0000000000000003)
07 | t11 = Or64(t13,t12)
08 | t19 = Xor64(t11,0x0000000000000001)
09 | t18 = Shl64(t19,0x3e)
10 | t17 = Sub64(t18,0x0000000000000001)
11 | t16 = Shr64(t17,0x3d)
12 | t15 = Add64(t16,0x0000000000000001)
13 | t22 = Shr64(t11,0x01)
14 | t21 = And64(t11,t22)
15 | t20 = And64(t21,0x0000000000000001)
16 | t6 = Sub64(t15,t20)
17 | t8 = Shl64(t6,0x1c)
18 | PUT(cc_op) = 0x0000000000000000
19 | PUT(cc_dep1) = t8
20 | PUT(cc_dep2) = 0x0000000000000000
21 | PUT(cc_ndep) = 0x0000000000000000
22 | PUT(pc) = 0x00000000004000f0
23 | ------ IMark(0x4000f0, 4, 0) ------
24 | t29 = arm64g_calculate_condition(0x0000000000000050,t8,0x0000000000000000,0x0000000000000000):Ity_I64
25 | t23 = 64to1(t29)
26 | if (t23) { PUT(pc) = 0x400108; Ijk_Boring }
NEXT: PUT(pc) = 0x00000000004000f4; Ijk_Boring
}
This code essentially converts the value generated by CmpF32 to NZCV bits (ref mk_convert_IRCmpF64Result_to_NZCV in guest_arm64_toIR.c)
When s0 is a symbolic variable, this whole computation stays as is in the constraint added to this IRSB's state. I am looking for a way to simplify this constraint. In other cases, there is a specialization helper which converts some instances of arm64g_calculate_condition to Cmp*.
Is there a way where something similar can be done for floating-point compares too like the one above? I understand this is not just a simple replacement of the arm64g_calculate_condition function but one needs to look back to find the CmpF32.
Hello guys,
a short question for vex. We're dealing a lot with Mach-O files, so basically arm64 and we often stumble upon instructions which can not be decoded.
Is it already possible to add new instructions to libvex or are their still problems with compiling vex for pyvex? If it is, where to start digging into this - if not, where are the problems and what has to be solved?
Being able to add new instructions is going to be one of the core features needed looking into the future.
Best regards,
Andreas
for example on alpine linux.
priv/main_util.c:47:22: fatal error: execinfo.h: No such file or directory
the build error can be avoided by not defining -D LINUX_BACKTRACES in the Makefile.
so it would be nice if you can check if execinfo.h is available or not before trying to use it.
note: to test if a header exists, one does not search for the file in all kinds of directories as python packages usually do. you just try to compile a .c file that contains nothing but
#include <execinfo.h> and if it succeeds then it means it is there.
jvoisin@mim 14:52 ~/Downloads python
Python 2.7.12 (default, Jul 1 2016, 15:12:24)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import angr
>>> proj = angr.Project('carm-cke')
WARNING | 2016-11-16 14:58:38,057 | cle.relocations | Unknown reloc 160 on ARMEL
>>> cfg = proj.analyses.CFG()
WARNING | 2016-11-16 14:58:43,190 | angr.analyses.cfg_fast | "auto_load_libs" is enabled. With libraries loaded in project, CFGFast will cover libraries, which may take significantly more time than expected. You may reload the binary with "auto_load_libs" disabled, or specify "start" and "end" paramenters to limit the scope of CFG recovery.
WARNING | 2016-11-16 14:58:51,523 | simuvex.s_run | Too many possible syscalls. Concretizing to 1.
vex: priv/guest_arm_toIR.c:14656 (disInstr_ARM_WRK): Assertion `0 == (guest_R15_curr_instr_notENC & 3)' failed.
Traceback:
zsh: segmentation fault (core dumped) python
jvoisin@mim 15:00 ~/Downloads
The file being carm-cke.zip
I had compiled vex with mingw32-x64, but when complie the files in pyvex_c of pyvex.dll, there is always a error, multi define of __debugbreak(). Then i find that almost every out file in the libvex.dll has a function added by compiler,it is __debugbreak().
Before v5.6.8.22, that try to compile vex, pyvex with MSVC, with some changes of makefile and some "Assertion" in C files, i can get pyvex.dll with mingw32-x64, but now it seems a little more difficult.
So can the new version of angr works with the old version of pyvex well?
For macos mojave, compile failed for ld (x86_64) error.
Under mac os mojave (10.14+) with darwin kernel 18+.
Undefined symbols for architecture x86_64:
"_IRConst_U32", referenced from:
_zero_division_side_exits in postprocess.o
"_IRConst_U64", referenced from:
_zero_division_side_exits in postprocess.o
"_IRExpr_Binop", referenced from:
_zero_division_side_exits in postprocess.o
"_IRExpr_Const", referenced from:
_mips32_post_processor_fix_unconditional_exit in postprocess.o
_zero_division_side_exits in postprocess.o
"_IRExpr_RdTmp", referenced from:
_zero_division_side_exits in postprocess.o
"_IRStmt_Exit", referenced from:
_zero_division_side_exits in postprocess.o
"_IRStmt_WrTmp", referenced from:
_zero_division_side_exits in postprocess.o
"_LibVEX_Init", referenced from:
_vex_init in pyvex.o
"_LibVEX_Lift", referenced from:
_vex_lift in pyvex.o
"_LibVEX_Update_Control", referenced from:
_vex_lift in pyvex.o
"_LibVEX_default_VexAbiInfo", referenced from:
_vex_init in pyvex.o
"_LibVEX_default_VexArchInfo", referenced from:
_vex_init in pyvex.o
"_LibVEX_default_VexControl", referenced from:
_vex_init in pyvex.o
"_addStmtToIRSB", referenced from:
_irsb_insert in postprocess.o
_zero_division_side_exits in postprocess.o
"_newIRTemp", referenced from:
_zero_division_side_exits in postprocess.o
"_sizeofIRType", referenced from:
_collect_data_references in analysis.o
"_typeOfIRExpr", referenced from:
_get_default_exit_target in analysis.o
_collect_data_references in analysis.o
_zero_division_side_exits in postprocess.o
"_typeOfIRTemp", referenced from:
_collect_data_references in analysis.o
ld: symbol(s) not found for architecture x86_64
Hello VEX developers,
I am running into a problem when symbolic executing the _Z18linear_interpolatefffff function in this attached binary.
In short the instruction I want to execute is
vcmpe.f32 s3, s4
However, in VEX I saw that it is not getting s3 and s4 but registers 140 and d2 instead.
13 | t45 = GET:F32(140)
14 | t44 = F32toF64(t45)
15 | t47 = GET:F32(d2)
16 | t46 = F32toF64(t47)
This resulted in uninitialized registers when symbolic executing in angr, although I had assigned values in s3 and s4.
Are there any options that I should set to make VEX use the ideal registers? Or is it a bug that can be fixed?
To reproduce, I created an angr project, built an CFG, and obtained the entry function node with the following lines:
proj = angr.Project("CubeBlack_AP_Math.cpp.0.o", load_options={"auto_load_libs": False})
cfg = proj.analyses.CFGFast()
node = cfg.model.get_node(proj.loader.find_symbol("_Z18linear_interpolatefffff").rebased_addr)
Then I printed the instructions and VEX of this node with node.block.pp()and node.block.vex.pp() to get the contents.
Thank you,
Wei-Cheng
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.