Created December 28, 2020 00:48
patterns in smc LLVM IR
================================================================================
SMC Patterns in LLVM IR
================================================================================
1. Write Executable Memory
x86_smc1.out.ll
1.1. store ____, @data_memory
x86_smc3.out.ll
1.2. store ____, bitcast (@data_memory)
gcc_m64_PIE_smc21.ll
1.3. store ____, inttoptr ( constantInt )
x86_smc3.out.ll
1.4. store ____, %variable
Features!!!
When lifting with McSema, the address ends up optimized into a ConstantInt -> PIE is not reflected. The result may not run, but that is no problem for analysis: it is effectively analyzed as NO-PIE.
================================================================================
2. Call Data Address
clang_m64_smc10.ll
2.1. call void (...) %variable
clang_m64_smc12.ll
2.2. call void (...) bitcast ( @global_variable )
2.3. call remill_function_call (____, %variable, ____)
================================================================================
3. Variables
When a Variable appears in a pattern, we need to know whether that Variable is Critical or not.
3.1. The case of store ____, %variable.
3.1.1. x86_smc3
```
; store the value
store i8* @data_804813a, i8** @EDI_2296_55ccbaa41840
; load the value
%14 = load i8*, i8** @EDI_2296_55ccbaa41840
%16 = bitcast i8* %14 to i16*
; write
store i16 %13, i16* %16
```
3.1.2. clang_smc15
```
%2 = alloca i64*, align 8
; store the value
store i64* inttoptr (i64 4195623 to i64*), i64** %2, align 8
; load the value
%4 = load i64*, i64** %2, align 8
; write
store i64 -8029759185026510704, i64* %4, align 8
```
3.1.3. clang_smc16
```
%2 = alloca i64*, align 8
; store the value
store i64* bitcast (i8* getelementptr (i8, i8* bitcast (i64* @key to i8*), i64 -2099609) to i64*), i64** %2, align 8
; load the value
%4 = load i64*, i64** %2, align 8
; write
store i64 -8029759185026510704, i64* %4, align 8
```
3.1.4. clang_smc17
```
%2 = alloca i8*, align 8
; store the value
store i8* getelementptr inbounds (i8, i8* bitcast (i32 ()* @main to i8*), i64 107), i8** %2, align 8
; load the value
%3 = load i8*, i8** %2, align 8
; write
store i8 -112, i8* %3, align 1
```
3.1.5. gcc_m64_PIE_smc15
```
; store the value
%1 = load i64, i64* @RSP_2312_563f25f511d8, align 8, !tbaa !1240
%28 = add i64 %1, -16
%29 = inttoptr i64 %28 to i64*
store i64 ptrtoint (i8* @data_400527 to i64), i64* %29, align 8
; load the value
%33 = load i64, i64* @RBP_2328_563f25f511d8, align 8
%34 = add i64 %33, -8
%35 = inttoptr i64 %34 to i64**
%36 = load i64*, i64** %35, align 8
; write
store i64 -8029759185026510704, i64* %36, align 8
```
3.1.6. gcc_m64_PIE_smc16
```
; store the value
%1 = load i64, i64* @RSP_2312_564d295651c8, align 8, !tbaa !1240
%28 = add i64 %1, -16
%29 = inttoptr i64 %28 to i64*
store i64 1663, i64* %29, align 8
; load the value
%33 = load i64, i64* @RBP_2328_564d295651c8, align 8
%34 = add i64 %33, -8
%35 = inttoptr i64 %34 to i64**
%36 = load i64*, i64** %35, align 8
; write
store i64 -8029759185026510704, i64* %36, align 8
```
3.2. The case of call void (...) %variable.
3.2.1. clang_smc10
```
%6 = getelementptr inbounds [24 x i8], [24 x i8]* %2, i64 0, i64 0
%7 = bitcast i8* %6 to void (...)*
call void (...) %7()
```
3.3. The case of call remill_function_call (____, %variable, ____).
3.3.1. gcc_m64_PIE_smc10
```
; store to RBP
%1 = load i64, i64* @RSP_2312_55bbbb4f90b8, align 8, !tbaa !1240
%2 = add i64 %1, -8
%4 = sub i64 %2, 32
%5 = inttoptr i64 %4 to i64*
store i64 7075083857039864136, i64* %5
; jump to RBP
%19 = load i64, i64* @RBP_2328_55bbbb4f90b8
%20 = sub i64 %19, 32
%24 = call %struct.Memory* @__remill_function_call(%struct.State* @__mcsema_reg_state, i64 %20, %struct.Memory* %18)
```
3.3.2. gcc_m64_PIE_smc11
```
; store to RBP
%13 = load i64, i64* @RBP_2328_558a76e561c8, align 8
%14 = add i64 %13, -16
%15 = inttoptr i64 %14 to i64*
store i64 2116, i64* %15, align 8
; jump to RBP
%20 = load i64, i64* @RBP_2328_558a76e561c8, align 8
%21 = add i64 %20, -16
%22 = inttoptr i64 %21 to i64*
%23 = load i64, i64* %22, align 8
%27 = call %struct.Memory* @__remill_function_call(%struct.State* @__mcsema_reg_state, i64 %23, %struct.Memory* %19)
```
3.3.3. gcc_m64_smc13
```
; store to RBP
%12 = load i64, i64* bitcast (i8* @data_858 to i64*), align 8
store i64 %12, i64* %5, align 8
; jump to RBP
%16 = load i64, i64* @RBP_2328_56553a1b01c8, align 8
%17 = add i64 %16, -16
store i64 %17, i64* @RIP_2472_56553a1b01c8, align 8, !tbaa !1216
%21 = call %struct.Memory* @__remill_function_call(%struct.State* @__mcsema_reg_state, i64 %17, %struct.Memory* %15)
```
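The following scanner is an added example and not part of the gist. It turns sections 1 to 3 into detection logic: direct stores to data/code addresses (1.1 to 1.3), calls through a variable, a bitcast global or a `__remill_function_call` target (2.1 to 2.3), and the section 3.1 data flow where an address is first stored into a slot, loaded back (possibly bitcast) and then written through. The naming assumptions are taken from the snippets above: `@data_<addr>` globals stand for program memory, `@EDI_...`/`@RBP_...` globals are McSema's lifted register state (slots, not program memory), and `inttoptr (...)` is an address that survived lifting as a ConstantInt. The sample IR is constructed from the patterns above (`@data_600a20` and `%local` are made-up names); the stack-slot cases 3.1.5, 3.1.6 and 3.3 store and reload through different SSA values of the same computed address, which this simple tracker does not unify.

```python
"""Scan lifted LLVM IR text for the SMC patterns catalogued in the gist (added example)."""
import re

NAME = r"[%@][\w.]+"
LOAD_RE = re.compile(rf"^({NAME}) = load .+?, \S+ ({NAME})")
BITCAST_RE = re.compile(rf"^({NAME}) = bitcast \S+ ({NAME}) to ")
VARCALL_RE = re.compile(r"call void \(\.\.\.\) (%[\w.]+)\(")          # pattern 2.1
CASTCALL_RE = re.compile(r"call void \(\.\.\.\) bitcast \(")          # pattern 2.2
REMILL_RE = re.compile(rf"@__remill_function_call\([^,]*, i64 ({NAME})")  # pattern 2.3

# Constructed sample: lines modelled on the snippets in the gist (not a real lift).
SAMPLE_IR = """\
store i32 -1869574000, i32* bitcast (i8* @data_804813a to i32*)
store i8 -112, i8* inttoptr (i64 4195623 to i8*), align 1
store i8* @data_804813a, i8** @EDI_2296_55ccbaa41840
%14 = load i8*, i8** @EDI_2296_55ccbaa41840
%16 = bitcast i8* %14 to i16*
store i16 %13, i16* %16
%2 = alloca i64*, align 8
store i64* inttoptr (i64 4195623 to i64*), i64** %2, align 8
%4 = load i64*, i64** %2, align 8
store i64 -8029759185026510704, i64* %4, align 8
%7 = bitcast i8* %6 to void (...)*
call void (...) %7()
call void (...) bitcast (i8* @data_600a20 to void (...)*)()
%27 = call %struct.Memory* @__remill_function_call(%struct.State* @__mcsema_reg_state, i64 %23, %struct.Memory* %19)
store i32 1, i32* %local, align 4
"""


def split_top_level(s):
    """Split on commas at bracket depth 0, so constant expressions (getelementptr ...) stay whole."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def parse_store(line):
    """Return (value operand, pointer operand) of a store instruction, else None."""
    if not line.startswith("store "):
        return None
    ops = split_top_level(line[len("store "):])
    return (ops[0], ops[1]) if len(ops) >= 2 else None


def operand_name(op):
    """SSA/global name of a plain operand ('i64** %2' -> '%2'); None for a constant expression."""
    toks = op.split()
    if not toks or "(" in op or toks[-1][:1] not in "%@":
        return None
    return toks[-1]


def is_address_constant(op):
    """A value that is itself an address: a global symbol or an inttoptr'ed integer."""
    return "@" in op or "inttoptr (" in op


def scan(ir_text):
    """Return [(line_no, pattern, detail)] for every SMC pattern found in ir_text."""
    slots = {}    # slot (@reg global or alloca) -> address constant stored into it
    derived = {}  # SSA value -> slot it was loaded / bitcast from (section 3.1 data flow)
    findings = []
    for n, raw in enumerate(ir_text.splitlines(), 1):
        line = raw.strip()
        st = parse_store(line)
        if st:
            val, ptr = st
            pname = operand_name(ptr)
            if "@data_" in ptr or "inttoptr (" in ptr:        # patterns 1.1 - 1.3
                findings.append((n, "1.direct-store", ptr))
            elif pname in derived:                             # pattern 1.4 / 3.1
                findings.append((n, "3.1.store-via-variable", slots[derived[pname]]))
            elif pname and is_address_constant(val):           # remember what the slot holds
                slots[pname] = val
            continue
        m = LOAD_RE.match(line)
        if m and m.group(2) in slots:
            derived[m.group(1)] = m.group(2)
            continue
        m = BITCAST_RE.match(line)
        if m and m.group(2) in derived:
            derived[m.group(1)] = derived[m.group(2)]
            continue
        m = VARCALL_RE.search(line)
        if m:
            findings.append((n, "2.1.call-via-variable", m.group(1)))
        elif CASTCALL_RE.search(line):
            findings.append((n, "2.2.call-via-bitcast-global", line))
        m = REMILL_RE.search(line)
        if m and m.group(1).startswith("%"):
            findings.append((n, "2.3.remill-call-via-variable", m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, pattern, detail in scan(SAMPLE_IR):
        print(f"line {line_no}: {pattern}: {detail}")
```

Running it over a full `.ll` file (`scan(open(path).read())`) lists each suspicious store or call with the address it resolves to, which answers the section 3 question of whether a variable is critical for the simple alloca and register-slot cases. A constant-integer target such as `store i64 1663, i64* %29` is deliberately not treated as an address, matching the note in section 1 that such values are PIE offsets folded into a ConstantInt.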