some question about mcsema


Qixue Xiao

Aug 3, 2015, 6:27:14 AM
to mcsem...@googlegroups.com
Hi,

I learned from a friend that mcsema is a good tool to translate
binaries to LLVM bytecode.

I tested it today, and I have some questions as follows:

1. mcsema has been tested on .obj and .dll files in the GitHub documents,
but why was it not tested on ELF and EXE? Maybe it does not work well on them?
Why?

2. I built mcsema on Ubuntu 14.04, but I cannot translate an .obj or
.so file to bytecode successfully.
A segmentation fault took place when I generated the CFG using
bin_descend; the command I used is as follows:
```
./bin_descend -p ~/mcsema/mc-sema/binary_common/CFG.proto -d -entry-symbol=start -i=/tmp/test.o
```

3. Then I used get_cfg.py to get the CFG file of kernel32.dll on
Windows, copied the CFG file to my Ubuntu machine, and used cfg_to_bc to
translate it. However, there was another error, as follows:
```
....
shouldSubtractImageBase: Not on Win32
shouldSubtractImageBase: Not on Win32
shouldSubtractImageBase: Not on Win32
shouldSubtractImageBase: Not on Win32
shouldSubtractImageBase: Not on Win32
error:
map::at
```
The command I used is:
```
./cfg_to_bc -i /tmp/a.cfg -o /tmp/a.bc
```

How could I solve them?

Last, there is an important thing I want to know: can the bytecode (LLVM IR)
translated by mcsema be analyzed using LLVM passes and KLEE (a symbolic
executor based on LLVM bytecode)?

Thanks very much.

Best Regards

xqx

Artem Dinaburg

Aug 3, 2015, 11:20:40 AM
to Qixue Xiao, mcsem...@googlegroups.com
On Aug 3, 2015, at 6:27 AM, Qixue Xiao <s2e...@gmail.com> wrote:

> Hi,
>
> I learned from a friend that mcsema is a good tool to translate
> binaries to LLVM bytecode.
>
> I tested it today, and I have some questions as follows:
>
> 1. mcsema has been tested on .obj and .dll files in the GitHub documents,
> but why was it not tested on ELF and EXE? Maybe it does not work well on them?
> Why?

The scope of the project was originally only translating .obj and .dll, so those were the main targets. We do have support for ELF (see https://github.com/trailofbits/mcsema/blob/master/mc-sema/tests/linked_elf_test.sh). Currently .exe support may "just work", but I have not tried it.


> 2. I built mcsema on Ubuntu 14.04, but I cannot translate an .obj or
> .so file to bytecode successfully.
> A segmentation fault took place when I generated the CFG using
> bin_descend; the command I used is as follows:
> ```
> ./bin_descend -p ~/mcsema/mc-sema/binary_common/CFG.proto -d -entry-symbol=start -i=/tmp/test.o
> ```

Can you share what was in your sample file? Also, if possible, see if you can use IDA to recover the CFG; it's considerably better than bin_descend, but I understand that it may be hard to get an IDA license.


> 3. Then I used get_cfg.py to get the CFG file of kernel32.dll on
> Windows, copied the CFG file to my Ubuntu machine, and used cfg_to_bc to
> translate it. However, there was another error, as follows:
> ```
> ....
> shouldSubtractImageBase: Not on Win32
> shouldSubtractImageBase: Not on Win32
> shouldSubtractImageBase: Not on Win32
> shouldSubtractImageBase: Not on Win32
> shouldSubtractImageBase: Not on Win32
> error:
> map::at
> ```
> The command I used is:
> ```
> ./cfg_to_bc -i /tmp/a.cfg -o /tmp/a.bc
> ```
>
> How could I solve them?

I haven't run the kernel32 demo in a while, and have yet to try recovering on Windows and translating on Linux. Does specifying `-mtriple=i686-pc-win32` on the command line help at all? By default the tools assume that you are translating code for the same OS as you are running the tool on, but this can be overridden via `-mtriple`.


> Last, there is an important thing I want to know: can the bytecode (LLVM IR)
> translated by mcsema be analyzed using LLVM passes and KLEE (a symbolic
> executor based on LLVM bytecode)?
>
> Thanks very much.
>
> Best Regards
>
> xqx

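The reply above suggests the OS assumption matters: if the translator keys recovered functions by address and rebases them only for some targets, a wrong `-mtriple` makes the lookup miss, and the bare `error: map::at` is what libstdc++ reports when `std::map::at` is called with a key that is not present. The C++ below is an added illustration, not mcsema's code: a simplified model in which rebasing PE virtual addresses to RVAs depends on the target triple, next to a checked lookup that names the missing key. The image base, addresses and triple rule are constructed for the example.

```cpp
// Added example, not mcsema's code: a simplified model of how an address-keyed
// function table can fail with the bare "error: map::at" seen in the thread.
// libstdc++'s std::map::at throws std::out_of_range with what() == "map::at".
// The image base, RVAs and triple rule below are constructed for illustration.
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>
// Constructed sample: a PE image based at 0x400000 with two recovered functions.
static const uint64_t kImageBase = 0x400000;
static const std::map<uint64_t, std::string> kFunctionsByRva = {
    {0x1000, "main"}, {0x1250, "helper"}};
// Models the decision logged as "shouldSubtractImageBase: Not on Win32":
// only a Win32 target triple makes the tool rebase PE virtual addresses to RVAs.
static bool shouldSubtractImageBase(const std::string &triple) {
    return triple.find("win32") != std::string::npos;
}
// Naive lookup: map::at turns a miss into an opaque out_of_range.
std::string lookupNaive(uint64_t va, const std::string &triple) {
    uint64_t key = shouldSubtractImageBase(triple) ? va - kImageBase : va;
    return kFunctionsByRva.at(key);  // throws std::out_of_range("map::at") on a miss
}
// Checked lookup: names the missing key and the rebasing decision, so a wrong
// -mtriple is diagnosable instead of surfacing as the library's generic message.
std::string lookupChecked(uint64_t va, const std::string &triple) {
    bool rebase = shouldSubtractImageBase(triple);
    uint64_t key = rebase ? va - kImageBase : va;
    auto it = kFunctionsByRva.find(key);
    if (it == kFunctionsByRva.end()) {
        char msg[128];
        std::snprintf(msg, sizeof msg, "no function at 0x%llx (rebase=%d, triple=%s)",
                      (unsigned long long)key, rebase ? 1 : 0, triple.c_str());
        throw std::runtime_error(msg);
    }
    return it->second;
}
// True when the naive lookup fails for this triple (what a user sees as "map::at").
bool naiveLookupFails(uint64_t va, const std::string &triple) {
    try { lookupNaive(va, triple); return false; }
    catch (const std::out_of_range &) { return true; }
}
// The checked lookup's error text, or "" when the lookup succeeds.
std::string checkedLookupError(uint64_t va, const std::string &triple) {
    try { lookupChecked(va, triple); return ""; }
    catch (const std::runtime_error &e) { return e.what(); }
}
```

With the Win32 triple the virtual address 0x401000 is rebased to RVA 0x1000 and resolves to `main`; with a Linux triple the same address is looked up unrebased and the naive path fails exactly as the thread's output does.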

Qixue Xiao

Aug 4, 2015, 11:20:17 PM
to Artem Dinaburg, mcsem...@googlegroups.com
Thanks for your reply.

I have translated an ELF file to LLVM IR successfully by referring to the
"linked_elf_test.sh" script.

#####
However, it could not translate a DLL or PE file to LLVM IR on a Linux
system, even if I specified "-mtriple=i686-pc-win32".
I did it as follows:
1. I got the CFG file with IDA on Windows using get_cfg.py, so I
could get kernel32.cfg and test_exe.cfg.
2. I copied kernel32.cfg and test_exe.cfg to the Ubuntu machine with
mcsema. The command I used is as follows:
```
cfg_to_bc -mtriple=i686-pc-win32 -i test.cfg -driver=mcsema_main,main,2,return,C -o test.bc
```
The errors are as follows:
```
....
shouldSubtractImageBase: Not on amd64
shouldSubtractImageBase: Not on amd64
error:
map::at
```

the cfg files are attached.

What is wrong in my work?

#####
Another question:
When analyzing the translated bytecode, could mcsema give the
virtual address in the original ELF file of a specified LLVM IR
instruction?
How can I do it?
Thanks.

Best Regards!

xqx
kernel32.cfg
test.cfg

Artem Dinaburg

Aug 5, 2015, 11:40:16 AM
to Qixue Xiao, mcsem...@googlegroups.com
Hi,

I will have to try this out later. I am busy for the next few days, but I will look into it when I'm free. It should work. Do you have a Windows VM you can test in to see if that works?

Artem
> <kernel32.cfg><test.cfg>

Qixue Xiao

Aug 5, 2015, 9:31:12 PM
to Artem Dinaburg, mcsem...@googlegroups.com
Thanks very much!
I am not practiced in using Windows, so I think it will take much time
to compile mcsema on it.
Would you share a Windows VM image for your users?


Best Regards!

xqx