Tell miasm not to simplify a register

[acheron2302]

In the following image, notice ECX, ESP and @32[ESP]. The ECX is suppose to be @32[ESP] and miasm recognise that ESP has an expresion so it simplify to @32[], but what i want is the expression to become @32[ESP] = 0x3D716DE. How can i do that wihth miasm?

[serpilliere]

Hi @acheron2302
I am afraid I didn't understand the full problem. Can you detail it a bit more ?

[acheron2302]

@serpilliere sorry for a late respond, on the picture above is the sb.dump() after i run through a block.
Here ESP register value is equal to call_func_stack(…)
and the memory value that ESP point to is @[ESP] = 0x3d716de
the ECX after i run the block suppose to be ECX = @32[ESP]
but miasm eval the ESP register to call_func_stack so it turn the ECX into the value above.
I want miasm to eval the memory value first not eval the register ESP first so that ECX can be equal to 0x3d716de

[serpilliere]

Ok @acheron2302 I think I have it but you might have misinterpreted the symbolic execution result:
Imagine you have the following native equivalent code:

EAX = EBX
EBX = 0x12
ECX = [EAX]

After step 1, you have the following state result:

EAX is equal to  EBX (ebx value from the beginning of the execution)

After step 2, you have:

EAX is equal to  EBX (ebx value from the beginning of the execution)
AND:
EBX equals to 0x12

But at this step, EAX is not egual to EBX. correct?
And after step 3, you have the resulting state:

EAX is equal to  EBX (ebx value from the beginning of the execution)
EBX equals to 0x12
ECX equals to @32[EBX value from the beginning]

But you cannot conclude that ecx = @32[12] so EAX = @32[12]
Tell me if those explanations are clear

[acheron2302]

Yeah you get the right idea @serpilliere.
My following native code look like this:

@[ESP] = <some constant>
EAX, ESP = call <some function>
ECX = @[ESP]

What i want is after i use symbolic execution the value of ECX = <some constant> but the problem is after running through symbolic execution the value get turn into ECX = @[call_func_stack(<some function>)] and @[call_func_stack(<some function>)] doesn't evaluate to any value so is there any way to tell miasm not eval ESP inside @32[ESP] but eval the whole expression first

[serpilliere]

Hi @acheron2302
One solution is the following:
if you know that the called function doesn't modify @[ESP], and you know if the called function modifify ESP or not, then you can model this knowledge.

To do this, you can subclass the lifter and implement your call_effects. you have an example of this in the example scripts full.py:

class LifterDelModCallStack(machine.lifter_model_call):
        def call_effects(self, addr, instr):
            assignblks, extra = super(LifterDelModCallStack, self).call_effects(addr, instr)
            if not args.calldontmodstack:
                return assignblks, extra
            out = []
            for assignblk in assignblks:
                dct = dict(assignblk)
                dct = {
                    dst:src for (dst, src) in viewitems(dct) if dst != self.sp
                }
                out.append(AssignBlock(dct, assignblk.instr))
            return out, extra

Here, the code will consider that if args.calldontmodstack is the "model" used to tranform a function call won't modifiy ESP.
If you know that a a partilar function modifies ESP (for example clean arguments), you can add this to this piece of code to obtain something like:

EAX = call_func_ret(XXXX)
ESP = ESP + 8

Does it resolves your problem?