Hugging Face's logo

udiboy1209
/
REMEND

Translation
Fairseq
English
code
decompiler
symbolic-math
neural-decompiler
Model card Files
xet
 Community
REMEND / remend /disassemble.py
udiboy1209's picture
udiboy1209
Fix type in x64 disassembler
2b94efd
raw
history blame contribute delete
19.9 kB
from capstone import *
from capstone.arm import *
from capstone.arm64 import *
from capstone.x86 import *
import cle
import struct
from math import e as CONST_E, pi as CONST_PI
import sympy as sp
from .util import DecodeError
def int2fp32(v):
 if type(v) == int:
 v = struct.unpack("<f", v.to_bytes(4, "little"))
 v = v[0]
 return v
def int2fp64(v):
 if type(v) == int:
 v = struct.unpack("<d", v.to_bytes(8, "little"))
 v = v[0]
 return v
def align4(v):
 return v & (0xFFFFFFFC)
class DisassemblerBase:
 def __init__(self, expr_constants={}, match_constants=False):
 self.loader = None # Load in child class
 self.reg_values = {}
 self.constidx = 0
 self.constants = {}
 self.constaddrs = set()
 self.expr_constants = expr_constants
 self.match_constants = match_constants
def get_function_bytes(self, funcname):
 func = self.loader.find_symbol(funcname)
 if not func:
 raise DecodeError(f"Function {funcname} not found in binary")
 faddr = func.rebased_addr
 if (not isinstance(self, DisassemblerX64)) and faddr % 2 == 1:
 # Unaligned address, aligning
 faddr = faddr - 1
 fbytes = self.loader.memory.load(faddr, func.size)
 self.funcrange = faddr, faddr + func.size
 return faddr, fbytes
def find_constant(self, constants, value):
 for ec in constants:
 if abs(value - constants[ec]) < 1e-5:
 return ec, ""
 elif abs(1/value - constants[ec]) < 1e-5:
 return ec, "1/"
 elif abs(-value - constants[ec]) < 1e-5:
 return ec, "-"
 elif abs(-1/value - constants[ec]) < 1e-5:
 return ec, "-1/"
 return False
def add_constant(self, value, addr=0, size=0):
 # Don't map known constants like e, pi, 0
 if value == 0:
 cname = "CONST=0"
 elif abs(value - CONST_E) < 1e-7:
 cname = "CONST=E"
 elif abs(value - CONST_PI) < 1e-7:
 cname = "CONST=pi"
 elif self.match_constants and \
 (ecmatch := self.find_constant(self.expr_constants, value)):
 # Gives the name and expression of the matched constant
 ecname, ecxpr = ecmatch
 # print(value, ecname, ecxpr, self.expr_constants[ecname])
 cname = f"{ecxpr}CSYM{ecname[1:]}"
 self.constants[ecname] = value
 elif size > 0 and addr in self.constaddrs and \
 (smatch := self.find_constant(self.constants, value)):
 sname, sxpr = smatch
 cname = f"{sxpr}CSYM{sname}"
 else:
 rep = sp.nsimplify(value, [sp.E, sp.pi], tolerance=1e-7)
 if isinstance(rep, sp.Integer) or \
 (isinstance(rep, sp.Rational) and rep.q <= 16):
 cname = f"CONST={rep}"
 elif not self.match_constants:
 cname = f"CSYM{self.constidx}"
 self.constants[self.constidx] = value
 self.constidx += 1
 else:
 raise DecodeError(f"Cannot represent unmatched float {value}")
if size > 0:
 self.constaddrs |= {addr+i for i in range(size)}
 return cname
def disassemble(self, function):
 raise NotImplementedError("Call disassemble on child classes, not base")
class DisassemblerARM32(DisassemblerBase):
 def __init__(self, binpath, expr_constants={}, match_constants=False):
 super().__init__(expr_constants=expr_constants, match_constants=match_constants)
 self.md = Cs(CS_ARCH_ARM, CS_MODE_THUMB)
 self.md.detail = True
 self.loader = cle.Loader(binpath)
def check_mov_imm(self, insn):
 if insn.id not in {ARM_INS_MOV, ARM_INS_MOVW,
 ARM_INS_MOVT, ARM_INS_ADR}:
 return False
 ops = list(insn.operands)
 if len(ops) != 2:
 return False
 if ops[0].type != ARM_OP_REG or ops[1].type != ARM_OP_IMM:
 return False
 imm = ops[1].value.imm
 if imm < 0:
 imm = 2**32 + imm # 2's complement
 if insn.id == ARM_INS_ADR:
 # Add PC value
 imm += insn.address + 4
 return ops[0].value.reg, imm
def check_float_store(self, insn):
 if insn.id not in {ARM_INS_STR, ARM_INS_STRD}:
 return False
 ops = list(insn.operands)
 if insn.id == ARM_INS_STRD:
 dest = ops[0].value.reg
 dest2 = ops[1].value.reg
 if dest not in self.reg_values or dest2 not in self.reg_values:
 return False
 fval = int2fp64((self.reg_values[dest2]<<32) + self.reg_values[dest])
 else:
 dest = ops[0].value.reg
 if dest not in self.reg_values:
 return False
 fval = int2fp32(self.reg_values[dest])
 if abs(fval) < 1e-3 or abs(fval) > 100:
 return False
 return fval
def check_ldrd(self, insn):
 if insn.id != ARM_INS_LDRD:
 return False
 ops = list(insn.operands)
 if len(ops) != 3:
 return False
 if ops[2].type != ARM_OP_MEM:
 return False
 mem = ops[2].value.mem
 if mem.base == ARM_REG_PC:
 addr = align4(insn.address + 4) + mem.disp
 elif mem.base in self.reg_values:
 addr = align4(self.reg_values[mem.base]) + mem.disp
 else:
 return False
 if addr < self.loader.min_addr or addr + 8 > self.loader.max_addr:
 # Out of bounds
 return False
 fhex = self.loader.memory.load(addr, 8)
 fval = struct.unpack("d", fhex)[0]
 return fval, addr, 8
def check_vldr(self, insn):
 if insn.id != ARM_INS_VLDR:
 return False
 ops = list(insn.operands)
 dest = ops[0]
 if ops[1].type != ARM_OP_MEM:
 return False
 mem = ops[1].value.mem
 if mem.base == ARM_REG_PC:
 # Align4(PC) + Imm
 # For whatever reason, in Thumb PC=addr+4
 addr = align4(insn.address + 4) + mem.disp
 elif mem.base in self.reg_values:
 addr = align4(self.reg_values[mem.base]) + mem.disp
 else:
 return False
 if addr < self.loader.min_addr or addr + 8 > self.loader.max_addr:
 # Out of bounds
 return False
 if dest.value.reg >= ARM_REG_D0 and dest.value.reg <= ARM_REG_D31:
 size = 8
 fhex = self.loader.memory.load(addr, 8)
 fval = struct.unpack("d", fhex)[0]
 else:
 size = 4
 fhex = self.loader.memory.load(addr, 4)
 fval = struct.unpack("f", fhex)[0]
 return fval, addr, size
def check_vmov(self, insn):
 # fconsts/d == vmov.f32/f64 (old/new names)
 if insn.id not in {ARM_INS_FCONSTS, ARM_INS_FCONSTD}:
 return False
 ops = list(insn.operands)
 if len(ops) != 2 or ops[1].type != ARM_OP_FP:
 return False
 fval = ops[1].value.fp
 destname = insn.reg_name(ops[0].value.reg)
 asm = f"{insn.mnemonic} {destname}, {fval}"
 return asm, fval
def check_branch_symbol(self, insn):
 if insn.id not in {ARM_INS_B, ARM_INS_BL, ARM_INS_BLX}:
 return False
 ops = list(insn.operands)
 if len(ops) != 1 or ops[0].type != ARM_OP_IMM:
 return False
 addr = ops[0].value.imm
 if addr > self.funcrange[0] and addr < self.funcrange[1]:
 # Self-branch
 func = f"SELF+{hex(addr - self.funcrange[0])}"
 else:
 func = self.loader.find_plt_stub_name(addr)
 if func is None:
 # Some tail call optimized PLT stubs have extra instructions
 # that are not identified by CLE, so check with offset of 4 also.
 func = self.loader.find_plt_stub_name(addr + 4)
 if func is None:
 return False
 asm = f"{insn.mnemonic} <{func}>"
 return asm
def get_function_bytes(self, funcname):
 func = self.loader.find_symbol(funcname)
 if not func:
 raise DecodeError(f"Function {funcname} not found in binary")
 faddr = func.rebased_addr
 if faddr % 2 == 1:
 # Unaligned address, aligning
 faddr = faddr - 1
 fbytes = self.loader.memory.load(faddr, func.size)
 self.funcrange = faddr, faddr + func.size
 return faddr, fbytes
def disassemble(self, funcname):
 funcaddr, funcbytes = self.get_function_bytes(funcname)
disassm = []
for insn in self.md.disasm(funcbytes, funcaddr):
 if insn.address in self.constaddrs:
 # Skip if this is a constant value and not instruction
 continue
cname = None
 asm = None
if vldr := self.check_vldr(insn):
 fval, faddr, fsize = vldr
 cname = self.add_constant(fval, faddr, fsize)
 elif ldrd := self.check_ldrd(insn):
 fval, faddr, fsize = ldrd
 cname = self.add_constant(fval, faddr, fsize)
 elif strfloat := self.check_float_store(insn):
 fval = strfloat
 cname = self.add_constant(fval)
 elif vmovfloat := self.check_vmov(insn):
 asm, fval = vmovfloat
 cname = self.add_constant(fval)
 elif branch := self.check_branch_symbol(insn):
 asm = branch
# Maintain values of immediate moves.
 # Needs to be done after processing current instruction.
 if movimm := self.check_mov_imm(insn):
 reg, imm = movimm
 if insn.id == ARM_INS_MOVT:
 if reg not in self.reg_values:
 self.reg_values[reg] = 0
 self.reg_values[reg] += imm << 16
 else:
 self.reg_values[reg] = imm
 else:
 reads, writes = insn.regs_access()
 for r in writes:
 # Remove this reg if written to
 if r in self.reg_values:
 del self.reg_values[r]
if not asm:
 asm = f"{insn.mnemonic} {insn.op_str}"
 if cname:
 asm += f", {cname}"
 disassm.append(asm)
fulldiss = "; ".join(disassm)
 return fulldiss
class DisassemblerAArch64(DisassemblerBase):
 def __init__(self, binpath, expr_constants={}, match_constants=False):
 super().__init__(expr_constants=expr_constants, match_constants=match_constants)
 self.md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
 self.md.detail = True
 self.loader = cle.Loader(binpath)
def reg_size_type(self, reg):
 # Bit width and datatype of register
 if reg >= ARM64_REG_W0 and reg <= ARM64_REG_W30:
 return 32, int
 elif reg >= ARM64_REG_X0 and reg <= ARM64_REG_X30:
 return 64, int
 elif reg >= ARM64_REG_S0 and reg <= ARM64_REG_S31:
 return 32, float
 elif reg >= ARM64_REG_D0 and reg <= ARM64_REG_D31:
 return 64, float
 return 0, None
def check_mov_imm(self, insn):
 if insn.id not in {ARM64_INS_ADRP, ARM64_INS_ADR, ARM64_INS_MOV, ARM64_INS_MOVK}:
 return False
ops = insn.operands
 if len(ops) != 2:
 return False
 if ops[0].type != ARM64_OP_REG or ops[1].type != ARM64_OP_IMM:
 return False
imm = ops[1].value.imm
 if ops[1].shift.type == 1: # LSL
 imm <<= ops[1].shift.value
 mask = 0xFFFF << ops[1].shift.value
if insn.id == ARM64_INS_ADRP:
 # imm -= 0x400000 # Subtract global offset for some reason
 # imm = ((insn.address + 4) & (~4095)) + imm
 # Really confused about this, maybe I can use the imm directly
 pass
 elif insn.id == ARM64_INS_ADR:
 imm -= 0x400000 # Subtract global offset for some reason
 imm += insn.address + 4
 elif insn.id == ARM64_INS_MOVK:
 # load previous reg value
 if ops[0].value.reg in self.reg_values:
 curr = self.reg_values[ops[0].value.reg]
 imm = (imm & mask) | (curr & (~mask))
return ops[0].value.reg, imm
def check_fmov(self, insn):
 if insn.id != ARM64_INS_FMOV:
 return False
 ops = insn.operands
 if len(ops) != 2: # or ops[1].type != ARM64_OP_FP:
 return False
destsize, _ = self.reg_size_type(ops[0].value.reg)
 destname = insn.reg_name(ops[0].value.reg)
 if ops[1].type == ARM64_OP_FP:
 fval = ops[1].value.fp
 asm = f"{insn.mnemonic} {destname}, {fval}"
 elif ops[1].type == ARM64_OP_REG:
 reg = ops[1].value.reg
 if reg not in self.reg_values:
 return False
 # TODO datatype
 fhex = self.reg_values[reg]
 if destsize == 64:
 if fhex < 0:
 fhex += 2**64
 fval = int2fp64(fhex)
 elif destsize == 32:
 if fhex < 0:
 fhex += 2**32
 fval = int2fp32(fhex)
 else:
 return False
if abs(fval) < 1e-5 or abs(fval) > 1e5:
 return False
 asm = f"{insn.mnemonic} {insn.op_str}"
 return asm, fval
def check_ldr(self, insn):
 if insn.id != ARM64_INS_LDR:
 return False
 ops = insn.op_str[:-1].split(", ")
 destsize, desttype = self.reg_size_type(insn.operands[0].value.reg)
 if len(ops) < 2 or desttype != float:
 return False
 reg = ops[1]
 if reg[0] != "[" or "sp" in reg:
 return False
 basereg = ARM64_REG_X0 + int(reg[2:]) # Shitty hack, may malfunction
 if basereg not in self.reg_values:
 return False
 base = align4(self.reg_values[basereg])
 if len(ops) == 3:
 offset = ops[2][1:]
 if offset.startswith("0x"):
 offset = int(offset[2:], base=16)
 else:
 offset = int(offset)
 else:
 offset = 0
 addr = base + offset
 if destsize == 64:
 fhex = self.loader.memory.load(addr, 8)
 fval = struct.unpack("d", fhex)[0]
 return fval, addr, 8
 elif destsize == 32:
 fhex = self.loader.memory.load(addr, 4)
 fval = struct.unpack("f", fhex)[0]
 return fval, addr, 4
 else:
 return False
def check_branch_symbol(self, insn):
 if insn.id not in {ARM64_INS_BL, ARM64_INS_B}:
 return False
 ops = insn.operands
 if len(ops) != 1 or ops[0].type != ARM_OP_IMM:
 return False
 addr = ops[0].value.imm
 if addr > self.funcrange[0] and addr < self.funcrange[1]:
 # Self-branch
 func = f"SELF+{hex(addr - self.funcrange[0])}"
 else:
 func = self.loader.find_plt_stub_name(addr)
 if func is None:
 # Some tail call optimized PLT stubs have extra instructions
 # that are not identified by CLE, so check with offset of 4 also.
 func = self.loader.find_plt_stub_name(addr + 4)
 if func is None:
 return False
 asm = f"{insn.mnemonic} <{func}>"
 return asm
def disassemble(self, funcname):
 funcaddr, funcbytes = self.get_function_bytes(funcname)
disassm = []
for insn in self.md.disasm(funcbytes, funcaddr):
 if insn.address in self.constaddrs:
 # Skip if this is a constant value and not instruction
 continue
cname = None
 asm = None
 # Maintain values of immediate moves
 if movimm := self.check_mov_imm(insn):
 reg, imm = movimm
 self.reg_values[reg] = imm
 else:
 reads, writes = insn.regs_access()
 for r in writes:
 # Remove this reg if written to
 if r in self.reg_values:
 del self.reg_values[r]
if fmov := self.check_fmov(insn):
 asm, fval = fmov
 cname = self.add_constant(fval)
 elif ldr := self.check_ldr(insn):
 fval, faddr, fsize = ldr
 cname = self.add_constant(fval, faddr, fsize)
 elif branch := self.check_branch_symbol(insn):
 asm = branch
if not asm:
 asm = f"{insn.mnemonic} {insn.op_str}"
 if cname:
 asm += f", {cname}"
 disassm.append(asm)
fulldiss = "; ".join(disassm)
 return fulldiss
class DisassemblerX64(DisassemblerBase):
 def __init__(self, binpath, expr_constants={}, match_constants=False):
 super().__init__(expr_constants=expr_constants, match_constants=match_constants)
 self.md = Cs(CS_ARCH_X86, CS_MODE_64)
 self.md.detail = True
 self.loader = cle.Loader(binpath)
def check_call_symbol(self, insn):
 if insn.id != X86_INS_CALL:
 return False
 ops = insn.operands
 if len(ops) != 1 or ops[0].type != X86_OP_IMM:
 return False
 addr = ops[0].value.imm
 func = self.loader.find_plt_stub_name(addr)
 if func is None:
 return False
 asm = f"{insn.mnemonic} <{func}>"
 return asm
def check_fload(self, insn):
 # Cannot rely on ID because any instruction
 # can access memory.
 ops = insn.operands
 memops = [op for op in ops
if (op.type == X86_OP_MEM and
 op.value.mem.base == X86_REG_RIP)]
 if len(memops) != 1:
 return False
 mem, size = memops[0].value.mem, memops[0].size
 if size > 8:
 return False
 addr = insn.address + insn.size + mem.disp
 fhex = self.loader.memory.load(addr, size)
 fval = struct.unpack("f" if size == 4 else "d", fhex)[0]
 return fval, addr, size
def disassemble(self, funcname):
 funcaddr, funcbytes = self.get_function_bytes(funcname)
disassm = []
for insn in self.md.disasm(funcbytes, funcaddr):
 asm = None
 cname = None
 if fload := self.check_fload(insn):
 fval, faddr, fsize = fload
 cname = self.add_constant(fval, faddr, fsize)
 elif call := self.check_call_symbol(insn):
 asm = call
if not asm:
 asm = f"{insn.mnemonic} {insn.op_str}"
 if cname:
 asm += f", {cname}"
 disassm.append(asm)
fulldiss = "; ".join(disassm)
 return fulldiss
# Regular
if __name__ == "__main__":
 import argparse
 parser = argparse.ArgumentParser("Pre-process assembly to replace constants and dump")
 parser.add_argument("--bin", required=True)
 parser.add_argument("--func", required=True)
 parser.add_argument("--arch", required=True)
 args = parser.parse_args()
if args.arch == "arm32":
 D = DisassemblerARM32(args.bin)
 elif args.arch == "aarch64":
 D = DisassemblerAArch64(args.bin)
 elif args.arch == "x64":
 D = DisassemblerX64(args.bin)
 diss = D.disassemble(args.func)
 print(diss)
 print(D.constants)