[![Build Status](https://travis-ci.org/cea-sec/miasm.svg)](https://travis-ci.org/cea-sec/miasm)
[![Build status](https://ci.appveyor.com/api/projects/status/g845jr23nt18uf29/branch/master?svg=true)](https://ci.appveyor.com/project/cea-sec/miasm)
[![Miasm tests](https://github.com/cea-sec/miasm/actions/workflows/tests.yml/badge.svg?branch=master)](https://github.com/cea-sec/miasm/actions/workflows/tests.yml?branch=master)
[![Code Climate](https://codeclimate.com/github/cea-sec/miasm/badges/gpa.svg)](https://codeclimate.com/github/cea-sec/miasm)
[![Join the chat at https://gitter.im/cea-sec/miasm](https://badges.gitter.im/cea-sec/miasm.svg)](https://gitter.im/cea-sec/miasm?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
<p align="center">
<img src="https://raw.githubusercontent.com/cea-sec/miasm/master/doc/logo_miasm.png">
</p>
What is Miasm?
==============
Miasm is a free and open source (GPLv2) reverse engineering framework.
Miasm aims to analyze / modify / generate binary programs. Here is
a non-exhaustive list of features:
* Opening / modifying / generating PE / ELF 32 / 64 LE / BE
* Assembling / Disassembling X86 / ARM / MIPS / SH4 / MSP430
* Representing assembly semantics using an intermediate language
* Emulating using JIT (dynamic code analysis, unpacking, ...)
* Expression simplification for automatic de-obfuscation
* ...
See the official [blog](http://miasm.re) for more examples and demos.
Table of Contents
=================
- [What is Miasm?](#user-content-what-is-miasm)
- [Basic examples](#user-content-basic-examples)
    - [Assembling / Disassembling](#user-content-assembling--disassembling)
    - [Intermediate representation](#user-content-intermediate-representation)
    - [Emulation](#user-content-emulation)
    - [Symbolic execution](#user-content-symbolic-execution)
- [How does it work?](#user-content-how-does-it-work)
- [Documentation](#user-content-documentation)
- [Obtaining Miasm](#user-content-obtaining-miasm)
    - [Software requirements](#user-content-software-requirements)
    - [Configuration](#user-content-configuration)
    - [Windows & IDA](#user-content-windows--ida)
- [Testing](#user-content-testing)
- [They already use Miasm](#user-content-they-already-use-miasm)
- [Misc](#user-content-misc)
Basic examples
==============
Assembling / Disassembling
--------------------------
Import the Miasm x86 architecture and the location database:
```pycon
>>> from miasm.arch.x86.arch import mn_x86
>>> from miasm.core.locationdb import LocationDB
```
Create a location database:
```pycon
>>> loc_db = LocationDB()
```
Assemble a line:
```pycon
>>> l = mn_x86.fromstring('XOR ECX, ECX', loc_db, 32)
>>> print(l)
XOR ECX, ECX
>>> mn_x86.asm(l)
['1\xc9', '3\xc9', 'g1\xc9', 'g3\xc9']
```
Modify an operand:
```pycon
>>> l.args[0] = mn_x86.regs.EAX
>>> print(l)
XOR EAX, ECX
>>> a = mn_x86.asm(l)
>>> print(a)
['1\xc8', '3\xc1', 'g1\xc8', 'g3\xc1']
```
Disassemble the result:
```pycon
>>> print(mn_x86.dis(a[0], 32))
XOR EAX, ECX
```
Using the `Machine` abstraction (the disassembler takes `bytes`):
```pycon
>>> from miasm.analysis.machine import Machine
>>> mn = Machine('x86_32').mn
>>> print(mn.dis(b'\x33\x30', 32))
XOR ESI, DWORD PTR [EAX]
```
For MIPS:
```pycon
>>> mn = Machine('mips32b').mn
>>> print(mn.dis(b'\x97\xa3\x00 ', "b"))
LHU V1, 0x20(SP)
```
Intermediate representation
---------------------------
Create an instruction:
```pycon
>>> machine = Machine('arml')
>>> instr = machine.mn.dis(b'\x00 \x88\xe0', 'l')
>>> print(instr)
ADD R2, R8, R0
```
Create an intermediate representation object:
```pycon
>>> lifter = machine.lifter_model_call(loc_db)
```
Create an empty ircfg:
```pycon
>>> ircfg = lifter.new_ircfg()
```
Add the instruction to the pool:
```pycon
>>> lifter.add_instr_to_ircfg(instr, ircfg)
```
Print current pool:
```pycon
>>> for lbl, irblock in ircfg.blocks.items():
...     print(irblock)
...
loc_0:
R2 = R8 + R0

IRDst = loc_4
```
Working with IR, for instance by getting side effects:
```pycon
>>> for lbl, irblock in ircfg.blocks.items():
...     for assignblk in irblock:
...         rw = assignblk.get_rw()
...         for dst, reads in rw.items():
...             print('read: ', [str(x) for x in reads])
...             print('written:', dst)
...         print()
...
read: ['R8', 'R0']
written: R2

read: []
written: IRDst
```
More information on Miasm IR is in the [corresponding Jupyter Notebook](https://github.com/cea-sec/miasm/blob/master/doc/expression/expression.ipynb).
Emulation
---------
Given the following shellcode:
```
00000000 8d4904 lea ecx, [ecx+0x4]
00000003 8d5b01 lea ebx, [ebx+0x1]
00000006 80f901 cmp cl, 0x1
00000009 7405 jz 0x10
0000000b 8d5bff lea ebx, [ebx-1]
0000000e eb03 jmp 0x13
00000010 8d5b01 lea ebx, [ebx+0x1]
00000013 89d8 mov eax, ebx
00000015 c3 ret
```
```pycon
>>> s = b'\x8dI\x04\x8d[\x01\x80\xf9\x01t\x05\x8d[\xff\xeb\x03\x8d[\x01\x89\xd8\xc3'
```
Load the shellcode through the `Container` abstraction:
```pycon
>>> from miasm.analysis.binary import Container
>>> c = Container.from_string(s, loc_db)
>>> c
<miasm.analysis.binary.ContainerUnknown object at 0x7f34cefe6090>
```
Disassembling the shellcode at address `0`:
```pycon
>>> from miasm.analysis.machine import Machine
>>> machine = Machine('x86_32')
>>> mdis = machine.dis_engine(c.bin_stream, loc_db=loc_db)
>>> asmcfg = mdis.dis_multiblock(0)
>>> for block in asmcfg.blocks:
... print(block)
...
loc_0
LEA ECX, DWORD PTR [ECX + 0x4]
LEA EBX, DWORD PTR [EBX + 0x1]
CMP CL, 0x1
JZ loc_10
-> c_next:loc_b c_to:loc_10
loc_10
LEA EBX, DWORD PTR [EBX + 0x1]
-> c_next:loc_13
loc_b
LEA EBX, DWORD PTR [EBX + 0xFFFFFFFF]
JMP loc_13
-> c_to:loc_13
loc_13
MOV EAX, EBX
RET
```
Initializing the JIT engine with a stack:
```pycon
>>> jitter = machine.jitter(loc_db, jit_type='python')
>>> jitter.init_stack()
```
Map the shellcode at an arbitrary memory address:
```pycon
>>> run_addr = 0x40000000
>>> from miasm.jitter.csts import PAGE_READ, PAGE_WRITE
>>> jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, s)
```
Create a sentinel breakpoint to catch the return of the shellcode. The callback stops the jitter when the fake return address pushed on the stack is reached:
```pycon
>>> def code_sentinelle(jitter):
...     jitter.running = False
...     jitter.pc = 0
...     return True
...
>>> jitter.add_breakpoint(0x1337beef, code_sentinelle)
>>> jitter.push_uint32_t(0x1337beef)
```
Activate trace logs:
```pycon
>>> jitter.set_trace_log()
```
Run from the chosen address:
```pycon
>>> jitter.init_run(run_addr)
>>> jitter.continue_run()
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 LEA ECX, DWORD PTR [ECX+0x4]
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
....
4000000e JMP loc_0000000040000013:0x40000013
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000013
40000013 MOV EAX, EBX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000013
40000015 RET
>>>
```
Interacting with the jitter:
```pycon
>>> jitter.vm
ad 1230000 size 10000 RW_ hpad 0x2854b40
ad 40000000 size 16 RW_ hpad 0x25e0ed0
>>> hex(jitter.cpu.EAX)
'0x0L'
>>> jitter.cpu.ESI = 12
```
Symbolic execution
------------------
Initializing the IR pool:
```pycon
>>> lifter = machine.lifter_model_call(loc_db)
>>> ircfg = lifter.new_ircfg_from_asmcfg(asmcfg)
```
Initializing the engine with default symbolic values:
```pycon
>>> from miasm.ir.symbexec import SymbolicExecutionEngine
>>> sb = SymbolicExecutionEngine(lifter)
```
Launching the execution:
```pycon
>>> symbolic_pc = sb.run_at(ircfg, 0)
>>> print(symbolic_pc)
((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
```
Same, with step logs (only changes are displayed):
```pycon
>>> sb = SymbolicExecutionEngine(lifter, machine.mn.regs.regs_init)
>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)
Instr LEA ECX, DWORD PTR [ECX + 0x4]
Assignblk:
ECX = ECX + 0x4
________________________________________________________________________________
ECX = ECX + 0x4
________________________________________________________________________________
Instr LEA EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
EBX = EBX + 0x1
ECX = ECX + 0x4
________________________________________________________________________________
Instr CMP CL, 0x1
Assignblk:
zf = (ECX[0:8] + -0x1)?(0x0,0x1)
nf = (ECX[0:8] + -0x1)[7:8]
pf = parity((ECX[0:8] + -0x1) & 0xFF)
of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]
cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]
af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
pf = parity((ECX + 0x4)[0:8] + 0xFF)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = ECX + 0x4
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x1
________________________________________________________________________________
Instr JZ loc_key_1
Assignblk:
IRDst = zf?(loc_key_1,loc_key_2)
EIP = zf?(loc_key_1,loc_key_2)
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = ECX + 0x4
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x1
________________________________________________________________________________
>>>
```
Retry the execution with a concrete ECX. This time the symbolic / concolic execution reaches the shellcode's end:
```pycon
>>> from miasm.expression.expression import ExprInt
>>> sb.symbols[machine.mn.regs.ECX] = ExprInt(-3, 32)
>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)
Instr LEA ECX, DWORD PTR [ECX + 0x4]
Assignblk:
ECX = ECX + 0x4
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = 0x1
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x1
________________________________________________________________________________
Instr LEA EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = 0x1
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x2
________________________________________________________________________________
Instr CMP CL, 0x1
Assignblk:
zf = (ECX[0:8] + -0x1)?(0x0,0x1)
nf = (ECX[0:8] + -0x1)[7:8]
pf = parity((ECX[0:8] + -0x1) & 0xFF)
of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]
cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]
af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]
________________________________________________________________________________
af = 0x0
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = 0x1
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x2
________________________________________________________________________________
Instr JZ loc_key_1
Assignblk:
IRDst = zf?(loc_key_1,loc_key_2)
EIP = zf?(loc_key_1,loc_key_2)
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x10
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x2
________________________________________________________________________________
Instr LEA EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x10
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
________________________________________________________________________________
Instr LEA EBX, DWORD PTR [EBX + 0x1]
Assignblk:
IRDst = loc_key_3
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x13
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
________________________________________________________________________________
Instr MOV EAX, EBX
Assignblk:
EAX = EBX
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x13
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
EAX = EBX + 0x3
________________________________________________________________________________
Instr RET
Assignblk:
IRDst = @32[ESP[0:32]]
ESP = {ESP[0:32] + 0x4 0 32}
EIP = @32[ESP[0:32]]
________________________________________________________________________________
af = 0x0
EIP = @32[ESP]
pf = 0x1
IRDst = @32[ESP]
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
ESP = ESP + 0x4
EAX = EBX + 0x3
________________________________________________________________________________
>>>
```
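As an added worked example (pure Python, not part of Miasm or of this README; function names are my own), the following re-evaluates what the traces above print with concrete register values: the `CMP CL, 0x1` flag formulas, the conditional program counter `((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)` returned by `run_at`, and the walk through the four CFG blocks. It also cross-checks the lifted flag formulas against textbook x86 CMP semantics for every CL value, which is the kind of check worth doing before trusting a lifter's semantics in an analysis.

```python
"""Concrete re-evaluation of the semantics Miasm printed for the shellcode above.

Added example, pure Python, no miasm import. Only the instructions of this
particular shellcode are modelled; the names below are not Miasm's API.
"""

MASK8, MASK32 = 0xFF, 0xFFFFFFFF


def cond(c, if_nonzero, if_zero):
    """Miasm ExprCond `c?(a,b)`: a when c != 0, else b."""
    return if_nonzero if c != 0 else if_zero


def parity(x):
    """x86 PF: 1 when the low byte has an even number of set bits."""
    return 1 if bin(x & MASK8).count("1") % 2 == 0 else 0


def cmp_cl_1_flags_as_lifted(ecx):
    """The six assignments Miasm prints for `CMP CL, 0x1`, evaluated concretely.

    `ECX[0:8]` is CL, `+ -0x1` is an 8-bit add of 0xFF, `[7:8]` selects bit 7
    and `[4:5]` selects bit 4.
    """
    cl = ecx & MASK8
    r = (cl + 0xFF) & MASK8                      # ECX[0:8] + -0x1
    return {
        "zf": cond(r, 0, 1),                     # (CL + -0x1)?(0x0,0x1)
        "nf": (r >> 7) & 1,
        "pf": parity(r),
        "of": (((cl ^ r) & (cl ^ 1)) >> 7) & 1,
        "cf": ((((cl ^ 1) ^ r) ^ ((cl ^ r) & (cl ^ 1))) >> 7) & 1,
        "af": (((cl ^ 1) ^ r) >> 4) & 1,
    }


def cmp_flags_reference(a, b):
    """Textbook x86 flags for an 8-bit `CMP a, b` (a - b), for cross-checking."""
    r = (a - b) & MASK8
    sign_a, sign_b, sign_r = a >> 7, b >> 7, r >> 7
    return {
        "zf": int(r == 0),
        "nf": sign_r,
        "pf": parity(r),
        "of": int(sign_a != sign_b and sign_a != sign_r),
        "cf": int(a < b),                        # unsigned borrow
        "af": int((a & 0xF) < (b & 0xF)),        # borrow out of the low nibble
    }


def lifted_flags_match_reference():
    """True if Miasm's CMP formulas agree with the reference for every CL value."""
    return all(cmp_cl_1_flags_as_lifted(cl) == cmp_flags_reference(cl, 1)
               for cl in range(256))


def symbolic_pc_after_jz(ecx):
    """`((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)`: fall through to loc_b or jump to loc_10."""
    c = (((ecx + 4) & MASK8) + 0xFF) & MASK8
    return cond(c, 0xB, 0x10)


def run_shellcode(ecx, ebx):
    """Walk the CFG (loc_0 -> loc_b | loc_10 -> loc_13) with concrete registers.

    Returns (eax, path). From a fresh register state the JZ path yields
    EBX + 2; the trace above reports EBX + 0x3 only because that engine still
    carried `EBX = EBX + 0x1` over from the previous run.
    """
    ecx = (ecx + 4) & MASK32                     # loc_0: LEA ECX, [ECX + 0x4]
    ebx = (ebx + 1) & MASK32                     #        LEA EBX, [EBX + 0x1]
    flags = cmp_cl_1_flags_as_lifted(ecx)        #        CMP CL, 0x1
    target = cond(flags["zf"], 0x10, 0xB)        #        JZ loc_10
    path = [0x0, target]
    if target == 0xB:
        ebx = (ebx - 1) & MASK32                 # loc_b: LEA EBX, [EBX - 1]; JMP loc_13
    else:
        ebx = (ebx + 1) & MASK32                 # loc_10: LEA EBX, [EBX + 0x1]
    path.append(0x13)
    eax = ebx                                    # loc_13: MOV EAX, EBX; RET
    return eax, path


if __name__ == "__main__":
    print("lifted CMP flags == reference:", lifted_flags_match_reference())
    for ecx in (-3 & MASK32, 0):                 # -3 is the value used in the trace above
        print(hex(ecx), "-> pc", hex(symbolic_pc_after_jz(ecx)), run_shellcode(ecx, 0))
```

With `ECX = -3` the low byte of `ECX + 4` is 1, so `zf` is set and the jump to `loc_10` is taken, exactly as the `EIP = 0x10` line in the trace shows; any other low byte falls through to `loc_b`.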
How does it work?
=================
Miasm embeds its own disassembler, intermediate language and
instruction semantics. It is written in Python.
To emulate code, it uses LLVM, GCC, Clang or Python to JIT the
intermediate representation. It can emulate shellcodes and all or parts of
binaries. Python callbacks can be executed to interact with the execution, for
instance to emulate the effects of library functions.
Documentation
=============
TODO
An auto-generated documentation is available:
* [Doxygen](http://miasm.re/miasm_doxygen)
* [pdoc](http://miasm.re/miasm_pdoc)
Obtaining Miasm
===============
* Clone the repository: [Miasm on GitHub](https://github.com/cea-sec/miasm/)
* Get one of the Docker images at [Docker Hub](https://registry.hub.docker.com/u/miasm/)
Software requirements
---------------------
Miasm uses:
* python-pyparsing
* python-dev
* optionally python-pycparser (version >= 2.17)
To enable code JIT, one of the following modules is mandatory:
* GCC
* Clang
* LLVM with Numba llvmlite, see below
Optionally, Miasm can also use:
* Z3, the [Theorem Prover](https://github.com/Z3Prover/z3)
Configuration
-------------
To use the jitter, GCC or LLVM is recommended:
* GCC (any version)
* Clang (any version)
* LLVM
    * Debian (testing/unstable): Not tested
    * Debian stable/Ubuntu/Kali/whatever: `pip install llvmlite` or install from [llvmlite](https://github.com/numba/llvmlite)
    * Windows: Not tested
* Build and install Miasm:
```sh
$ cd miasm_directory
$ python setup.py build
$ sudo python setup.py install
```
If something goes wrong during one of the jitter modules compilation, Miasm will
skip the error and disable the corresponding module (see the compilation
output).
Windows & IDA
-------------
Most of Miasm's IDA plugins use a subset of Miasm functionality.
A quick way to have them working is to add:
* `pyparsing.py` to `C:\...\IDA\python\` or `pip install pyparsing`
* `miasm/miasm` directory to `C:\...\IDA\python\`
All features except the JITter-related ones will be available. For a more complete installation, please refer to the paragraphs above.
Testing
=======
Miasm comes with a set of regression tests. To run all of them:
```sh
cd miasm_directory/test
# Run tests using our own test runner
python test_all.py
# Run tests using standard frameworks (slower, requires 'parameterized')
python -m unittest test_all.py # sequential, requires 'unittest'
python -m pytest test_all.py # sequential, requires 'pytest'
python -m pytest -n auto test_all.py # parallel, requires 'pytest' and 'pytest-xdist'
```
Some options can be specified:
* Mono threading: `-m`
* Code coverage instrumentation: `-c`
* Only fast tests: `-t long` (excludes the long tests)
They already use Miasm
======================
Tools
-----
* [Sibyl](https://github.com/cea-sec/Sibyl): A function divination tool
* [R2M2](https://github.com/guedou/r2m2): Use miasm as a radare2 plugin
* [CGrex](https://github.com/mechaphish/cgrex): Targeted patcher for CGC binaries
* [ethRE](https://github.com/jbcayrou/ethRE): Reversing tool for Ethereum EVM (with corresponding Miasm2 architecture)
Blog posts / papers / conferences
---------------------------------
* [Deobfuscation: recovering an OLLVM-protected program](http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html)
* [Taming a Wild Nanomite-protected MIPS Binary With Symbolic Execution: No Such Crackme](https://doar-e.github.io/blog/2014/10/11/taiming-a-wild-nanomite-protected-mips-binary-with-symbolic-execution-no-such-crackme/)
* [Génération rapide de DGA avec Miasm](https://www.lexsi.com/securityhub/generation-rapide-de-dga-avec-miasm/): Quick computation of DGA (French article)
* [Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding](https://www.internetsociety.org/sites/default/files/blogs-media/enabling-client-side-crash-resistance-overcome-diversification-information-hiding.pdf): Detect undirected call potential arguments
* [Miasm: Framework de reverse engineering](https://www.sstic.org/2012/presentation/miasm_framework_de_reverse_engineering/) (French)
* [Tutorial miasm](https://www.sstic.org/2014/presentation/Tutorial_miasm/) (French video)
* [Graphes de dépendances : Petit Poucet style](https://www.sstic.org/2016/presentation/graphes_de_dpendances__petit_poucet_style/): DepGraph (French)
Books
-----
* [Practical Reverse Engineering: X86, X64, Arm, Windows Kernel, Reversing Tools, and Obfuscation](http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118787315,subjectCd-CSJ0.html): Introduction to Miasm (Chapter 5 "Obfuscation")
* [BlackHat Python - Appendix](https://github.com/oreilly-japan/black-hat-python-jp-support/tree/master/appendix-A): Japan security book's samples
Raw data
{
"_id": null,
"home_page": "http://miasm.re",
"name": "miasm",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "reverse engineering,disassembler,emulator,symbolic execution,intermediate representation,assembler",
"author": "Fabrice Desclaux",
"author_email": "serpilliere@droid-corp.org",
"download_url": "https://files.pythonhosted.org/packages/9d/53/706e9d24936f53dace112f01130c6e46773551dd19cfd6118c1b35fbb836/miasm-0.1.5.tar.gz",
"platform": null,
"description": "[![Build Status](https://travis-ci.org/cea-sec/miasm.svg)](https://travis-ci.org/cea-sec/miasm)\n[![Build status](https://ci.appveyor.com/api/projects/status/g845jr23nt18uf29/branch/master?svg=true)](https://ci.appveyor.com/project/cea-sec/miasm)\n[![Miasm tests](https://github.com/cea-sec/miasm/actions/workflows/tests.yml/badge.svg?branch=master)](https://github.com/cea-sec/miasm/actions/workflows/tests.yml?branch=master)\n[![Code Climate](https://codeclimate.com/github/cea-sec/miasm/badges/gpa.svg)](https://codeclimate.com/github/cea-sec/miasm)\n[![Join the chat at https://gitter.im/cea-sec/miasm](https://badges.gitter.im/cea-sec/miasm.svg)](https://gitter.im/cea-sec/miasm?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)\n\n<p align=\"center\">\n<img src=\"https://raw.githubusercontent.com/cea-sec/miasm/master/doc/logo_miasm.png\">\n</p>\n\n\nWhat is Miasm?\n==============\n\nMiasm is a free and open source (GPLv2) reverse engineering framework.\nMiasm aims to analyze / modify / generate binary programs. 
Here is\na non exhaustive list of features:\n\n* Opening / modifying / generating PE / ELF 32 / 64 LE / BE\n* Assembling / Disassembling X86 / ARM / MIPS / SH4 / MSP430\n* Representing assembly semantic using intermediate language\n* Emulating using JIT (dynamic code analysis, unpacking, ...)\n* Expression simplification for automatic de-obfuscation\n* ...\n\nSee the official [blog](http://miasm.re) for more examples and demos.\n\nTable of Contents\n=================\n\n- [What is Miasm?](#user-content-what-is-miasm)\n- [Basic examples](#user-content-basic-examples)\n\t- [Assembling / Disassembling](#user-content-assembling--disassembling)\n\t- [Intermediate representation](#user-content-intermediate-representation)\n\t- [Emulation](#user-content-emulation)\n\t- [Symbolic execution](#user-content-symbolic-execution)\n- [How does it work?](#user-content-how-does-it-work)\n- [Documentation](#user-content-documentation)\n- [Obtaining Miasm](#user-content-obtaining-miasm)\n\t- [Software requirements](#user-content-software-requirements)\n\t- [Configuration](#user-content-configuration)\n\t- [Windows & IDA](#user-content-windows--ida)\n- [Testing](#user-content-testing)\n- [They already use Miasm](#user-content-they-already-use-miasm)\n- [Misc](#user-content-misc)\n\n\nBasic examples\n==============\n\nAssembling / Disassembling\n--------------------------\n\nImport Miasm x86 architecture:\n```pycon\n>>> from miasm.arch.x86.arch import mn_x86\n>>> from miasm.core.locationdb import LocationDB\n```\nGet a location db:\n\n```pycon\n>>> loc_db = LocationDB()\n```\nAssemble a line:\n```pycon\n>>> l = mn_x86.fromstring('XOR ECX, ECX', loc_db, 32)\n>>> print(l)\nXOR ECX, ECX\n>>> mn_x86.asm(l)\n['1\\xc9', '3\\xc9', 'g1\\xc9', 'g3\\xc9']\n```\nModify an operand:\n```pycon\n>>> l.args[0] = mn_x86.regs.EAX\n>>> print(l)\nXOR EAX, ECX\n>>> a = mn_x86.asm(l)\n>>> print(a)\n['1\\xc8', '3\\xc1', 'g1\\xc8', 'g3\\xc1']\n```\nDisassemble the result:\n```pycon\n>>> print(mn_x86.dis(a[0], 
32))\nXOR EAX, ECX\n```\nUsing `Machine` abstraction:\n\n```pycon\n>>> from miasm.analysis.machine import Machine\n>>> mn = Machine('x86_32').mn\n>>> print(mn.dis('\\x33\\x30', 32))\nXOR ESI, DWORD PTR [EAX]\n```\n\nFor MIPS:\n```pycon\n>>> mn = Machine('mips32b').mn\n>>> print(mn.dis(b'\\x97\\xa3\\x00 ', \"b\"))\nLHU V1, 0x20(SP)\n```\nIntermediate representation\n---------------------------\n\nCreate an instruction:\n\n```pycon\n>>> machine = Machine('arml')\n>>> instr = machine.mn.dis('\\x00 \\x88\\xe0', 'l')\n>>> print(instr)\nADD R2, R8, R0\n```\n\nCreate an intermediate representation object:\n```pycon\n>>> lifter = machine.lifter_model_call(loc_db)\n```\nCreate an empty ircfg:\n```pycon\n>>> ircfg = lifter.new_ircfg()\n```\nAdd instruction to the pool:\n```pycon\n>>> lifter.add_instr_to_ircfg(instr, ircfg)\n```\n\nPrint current pool:\n```pycon\n>>> for lbl, irblock in ircfg.blocks.items():\n... print(irblock)\nloc_0:\nR2 = R8 + R0\n\nIRDst = loc_4\n\n```\nWorking with IR, for instance by getting side effects:\n```pycon\n>>> for lbl, irblock in ircfg.blocks.items():\n... for assignblk in irblock:\n... rw = assignblk.get_rw()\n... for dst, reads in rw.items():\n... print('read: ', [str(x) for x in reads])\n... print('written:', dst)\n... 
print()\n...\nread: ['R8', 'R0']\nwritten: R2\n\nread: []\nwritten: IRDst\n\n```\n\nMore information on Miasm IR is in the [corresponding Jupyter Notebook](https://github.com/cea-sec/miasm/blob/master/doc/expression/expression.ipynb).\n\nEmulation\n---------\n\nGiving a shellcode:\n```pycon\n00000000 8d4904 lea ecx, [ecx+0x4]\n00000003 8d5b01 lea ebx, [ebx+0x1]\n00000006 80f901 cmp cl, 0x1\n00000009 7405 jz 0x10\n0000000b 8d5bff lea ebx, [ebx-1]\n0000000e eb03 jmp 0x13\n00000010 8d5b01 lea ebx, [ebx+0x1]\n00000013 89d8 mov eax, ebx\n00000015 c3 ret\n>>> s = b'\\x8dI\\x04\\x8d[\\x01\\x80\\xf9\\x01t\\x05\\x8d[\\xff\\xeb\\x03\\x8d[\\x01\\x89\\xd8\\xc3'\n```\nImport the shellcode thanks to the `Container` abstraction:\n\n```pycon\n>>> from miasm.analysis.binary import Container\n>>> c = Container.from_string(s, loc_db)\n>>> c\n<miasm.analysis.binary.ContainerUnknown object at 0x7f34cefe6090>\n```\n\nDisassembling the shellcode at address `0`:\n\n```pycon\n>>> from miasm.analysis.machine import Machine\n>>> machine = Machine('x86_32')\n>>> mdis = machine.dis_engine(c.bin_stream, loc_db=loc_db)\n>>> asmcfg = mdis.dis_multiblock(0)\n>>> for block in asmcfg.blocks:\n... 
print(block)\n...\nloc_0\nLEA ECX, DWORD PTR [ECX + 0x4]\nLEA EBX, DWORD PTR [EBX + 0x1]\nCMP CL, 0x1\nJZ loc_10\n-> c_next:loc_b c_to:loc_10\nloc_10\nLEA EBX, DWORD PTR [EBX + 0x1]\n-> c_next:loc_13\nloc_b\nLEA EBX, DWORD PTR [EBX + 0xFFFFFFFF]\nJMP loc_13\n-> c_to:loc_13\nloc_13\nMOV EAX, EBX\nRET\n```\n\nInitializing the JIT engine with a stack:\n\n```pycon\n>>> jitter = machine.jitter(loc_db, jit_type='python')\n>>> jitter.init_stack()\n```\n\nAdd the shellcode in an arbitrary memory location:\n```pycon\n>>> run_addr = 0x40000000\n>>> from miasm.jitter.csts import PAGE_READ, PAGE_WRITE\n>>> jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, s)\n```\n\nCreate a sentinelle to catch the return of the shellcode:\n\n```Python\ndef code_sentinelle(jitter):\n jitter.running = False\n jitter.pc = 0\n return True\n\n>>> jitter.add_breakpoint(0x1337beef, code_sentinelle)\n>>> jitter.push_uint32_t(0x1337beef)\n```\n\nActive logs:\n\n```pycon\n>>> jitter.set_trace_log()\n```\n\nRun at arbitrary address:\n\n```pycon\n>>> jitter.init_run(run_addr)\n>>> jitter.continue_run()\nRAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000\nRSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000\nzf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000\nRIP 0000000040000000\n40000000 LEA ECX, DWORD PTR [ECX+0x4]\nRAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000\nRSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000\nzf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000\n....\n4000000e JMP loc_0000000040000013:0x40000013\nRAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000\nRSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000\nzf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000\nRIP 0000000040000013\n40000013 MOV EAX, 
EBX\nRAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000\nRSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000\nzf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000\nRIP 0000000040000013\n40000015 RET\n>>>\n\n```\n\nInteracting with the jitter:\n\n```pycon\n>>> jitter.vm\nad 1230000 size 10000 RW_ hpad 0x2854b40\nad 40000000 size 16 RW_ hpad 0x25e0ed0\n\n>>> hex(jitter.cpu.EAX)\n'0x0L'\n>>> jitter.cpu.ESI = 12\n```\n\nSymbolic execution\n------------------\n\nInitializing the IR pool:\n\n```pycon\n>>> lifter = machine.lifter_model_call(loc_db)\n>>> ircfg = lifter.new_ircfg_from_asmcfg(asmcfg)\n```\n\nInitializing the engine with default symbolic values:\n\n```pycon\n>>> from miasm.ir.symbexec import SymbolicExecutionEngine\n>>> sb = SymbolicExecutionEngine(lifter)\n```\n\nLaunching the execution:\n\n```pycon\n>>> symbolic_pc = sb.run_at(ircfg, 0)\n>>> print(symbolic_pc)\n((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)\n```\n\nSame, with step logs (only changes are displayed):\n\n```pycon\n>>> sb = SymbolicExecutionEngine(lifter, machine.mn.regs.regs_init)\n>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)\nInstr LEA ECX, DWORD PTR [ECX + 0x4]\nAssignblk:\nECX = ECX + 0x4\n________________________________________________________________________________\nECX = ECX + 0x4\n________________________________________________________________________________\nInstr LEA EBX, DWORD PTR [EBX + 0x1]\nAssignblk:\nEBX = EBX + 0x1\n________________________________________________________________________________\nEBX = EBX + 0x1\nECX = ECX + 0x4\n________________________________________________________________________________\nInstr CMP CL, 0x1\nAssignblk:\nzf = (ECX[0:8] + -0x1)?(0x0,0x1)\nnf = (ECX[0:8] + -0x1)[7:8]\npf = parity((ECX[0:8] + -0x1) & 0xFF)\nof = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]\ncf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & 
(ECX[0:8] ^ 0x1)))[7:8]\naf = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]\n________________________________________________________________________________\naf = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]\npf = parity((ECX + 0x4)[0:8] + 0xFF)\nzf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)\nECX = ECX + 0x4\nof = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]\nnf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]\ncf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]\nEBX = EBX + 0x1\n________________________________________________________________________________\nInstr JZ loc_key_1\nAssignblk:\nIRDst = zf?(loc_key_1,loc_key_2)\nEIP = zf?(loc_key_1,loc_key_2)\n________________________________________________________________________________\naf = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]\nEIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)\npf = parity((ECX + 0x4)[0:8] + 0xFF)\nIRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)\nzf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)\nECX = ECX + 0x4\nof = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]\nnf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]\ncf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]\nEBX = EBX + 0x1\n________________________________________________________________________________\n>>>\n```\n\n\nRetry execution with a concrete ECX. 
Here, the symbolic / concolic execution reach the shellcode's end:\n\n```pycon\n>>> from miasm.expression.expression import ExprInt\n>>> sb.symbols[machine.mn.regs.ECX] = ExprInt(-3, 32)\n>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)\nInstr LEA ECX, DWORD PTR [ECX + 0x4]\nAssignblk:\nECX = ECX + 0x4\n________________________________________________________________________________\naf = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]\nEIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)\npf = parity((ECX + 0x4)[0:8] + 0xFF)\nIRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)\nzf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)\nECX = 0x1\nof = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]\nnf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]\ncf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]\nEBX = EBX + 0x1\n________________________________________________________________________________\nInstr LEA EBX, DWORD PTR [EBX + 0x1]\nAssignblk:\nEBX = EBX + 0x1\n________________________________________________________________________________\naf = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]\nEIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)\npf = parity((ECX + 0x4)[0:8] + 0xFF)\nIRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)\nzf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)\nECX = 0x1\nof = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]\nnf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]\ncf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]\nEBX = EBX + 0x2\n________________________________________________________________________________\nInstr CMP CL, 0x1\nAssignblk:\nzf = (ECX[0:8] + -0x1)?(0x0,0x1)\nnf = (ECX[0:8] + -0x1)[7:8]\npf = parity((ECX[0:8] + -0x1) & 0xFF)\nof = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]\ncf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ 
((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]\naf = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]\n________________________________________________________________________________\naf = 0x0\nEIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)\npf = 0x1\nIRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)\nzf = 0x1\nECX = 0x1\nof = 0x0\nnf = 0x0\ncf = 0x0\nEBX = EBX + 0x2\n________________________________________________________________________________\nInstr JZ loc_key_1\nAssignblk:\nIRDst = zf?(loc_key_1,loc_key_2)\nEIP = zf?(loc_key_1,loc_key_2)\n________________________________________________________________________________\naf = 0x0\nEIP = 0x10\npf = 0x1\nIRDst = 0x10\nzf = 0x1\nECX = 0x1\nof = 0x0\nnf = 0x0\ncf = 0x0\nEBX = EBX + 0x2\n________________________________________________________________________________\nInstr LEA EBX, DWORD PTR [EBX + 0x1]\nAssignblk:\nEBX = EBX + 0x1\n________________________________________________________________________________\naf = 0x0\nEIP = 0x10\npf = 0x1\nIRDst = 0x10\nzf = 0x1\nECX = 0x1\nof = 0x0\nnf = 0x0\ncf = 0x0\nEBX = EBX + 0x3\n________________________________________________________________________________\nInstr LEA EBX, DWORD PTR [EBX + 0x1]\nAssignblk:\nIRDst = loc_key_3\n________________________________________________________________________________\naf = 0x0\nEIP = 0x10\npf = 0x1\nIRDst = 0x13\nzf = 0x1\nECX = 0x1\nof = 0x0\nnf = 0x0\ncf = 0x0\nEBX = EBX + 0x3\n________________________________________________________________________________\nInstr MOV EAX, EBX\nAssignblk:\nEAX = EBX\n________________________________________________________________________________\naf = 0x0\nEIP = 0x10\npf = 0x1\nIRDst = 0x13\nzf = 0x1\nECX = 0x1\nof = 0x0\nnf = 0x0\ncf = 0x0\nEBX = EBX + 0x3\nEAX = EBX + 0x3\n________________________________________________________________________________\nInstr RET\nAssignblk:\nIRDst = @32[ESP[0:32]]\nESP = {ESP[0:32] + 0x4 0 32}\nEIP = 
@32[ESP[0:32]]\n________________________________________________________________________________\naf = 0x0\nEIP = @32[ESP]\npf = 0x1\nIRDst = @32[ESP]\nzf = 0x1\nECX = 0x1\nof = 0x0\nnf = 0x0\ncf = 0x0\nEBX = EBX + 0x3\nESP = ESP + 0x4\nEAX = EBX + 0x3\n________________________________________________________________________________\n>>>\n```\n\nHow does it work?\n=================\n\nMiasm embeds its own disassembler, intermediate language and\ninstruction semantics. It is written in Python.\n\nTo emulate code, it uses LLVM, GCC, Clang or Python to JIT the\nintermediate representation. It can emulate shellcodes and all or parts of\nbinaries. Python callbacks can be executed to interact with the execution, for\ninstance to emulate the effects of library functions.\n\nDocumentation\n=============\n\nTODO\n\nAuto-generated documentation is available:\n* [Doxygen](http://miasm.re/miasm_doxygen)\n* [pdoc](http://miasm.re/miasm_pdoc)\n\nObtaining Miasm\n===============\n\n* Clone the repository: [Miasm on GitHub](https://github.com/cea-sec/miasm/)\n* Get one of the Docker images at [Docker Hub](https://registry.hub.docker.com/u/miasm/)\n\nSoftware requirements\n---------------------\n\nMiasm uses:\n\n* python-pyparsing\n* python-dev\n* optionally python-pycparser (version >= 2.17)\n\nTo enable code JIT, one of the following modules is mandatory:\n* GCC\n* Clang\n* LLVM with Numba llvmlite, see below\n\nOptionally, Miasm can also use:\n* Z3, the [Theorem Prover](https://github.com/Z3Prover/z3)\n\nConfiguration\n-------------\n\nTo use the jitter, GCC or LLVM is recommended:\n* GCC (any version)\n* Clang (any version)\n* LLVM\n * Debian (testing/unstable): Not tested\n * Debian stable/Ubuntu/Kali/whatever: `pip install llvmlite` or install from [llvmlite](https://github.com/numba/llvmlite)\n * Windows: Not tested\n* Build and install Miasm:\n```console\n$ cd miasm_directory\n$ python setup.py build\n$ sudo python setup.py install\n```\n\nIf something goes wrong while compiling one of the jitter modules, Miasm will\nskip the error and disable the corresponding module (see the compilation\noutput).\n\nWindows & IDA\n-------------\n\nMost of Miasm's IDA plugins use a subset of Miasm functionality.\nA quick way to get them working is to add:\n* `pyparsing.py` to `C:\\...\\IDA\\python\\` or `pip install pyparsing`\n* the `miasm/miasm` directory to `C:\\...\\IDA\\python\\`\n\nAll features except the JITter-related ones will be available. For a more complete installation, please refer to the paragraphs above.\n\nTesting\n=======\n\nMiasm comes with a set of regression tests. To run all of them:\n\n```console\ncd miasm_directory/test\n\n# Run tests using our own test runner\npython test_all.py\n\n# Run tests using standard frameworks (slower, requires 'parameterized')\npython -m unittest test_all.py # sequential, requires 'unittest'\npython -m pytest test_all.py # sequential, requires 'pytest'\npython -m pytest -n auto test_all.py # parallel, requires 'pytest' and 'pytest-xdist'\n```\n\nSome options can be specified:\n\n* Mono threading: `-m`\n* Code coverage instrumentation: `-c`\n* Only fast tests: `-t long` (excludes the long tests)\n\nThey already use Miasm\n======================\n\nTools\n-----\n\n* [Sibyl](https://github.com/cea-sec/Sibyl): A function divination tool\n* [R2M2](https://github.com/guedou/r2m2): Use miasm as a radare2 plugin\n* [CGrex](https://github.com/mechaphish/cgrex): Targeted patcher for CGC binaries\n* [ethRE](https://github.com/jbcayrou/ethRE): Reversing tool for Ethereum EVM (with corresponding Miasm2 architecture)\n\nBlog posts / papers / conferences\n---------------------------------\n\n* [Deobfuscation: recovering an OLLVM-protected program](http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html)\n* [Taming a Wild Nanomite-protected MIPS Binary With Symbolic Execution: No Such Crackme](https://doar-e.github.io/blog/2014/10/11/taiming-a-wild-nanomite-protected-mips-binary-with-symbolic-execution-no-such-crackme/)\n* [G\u00e9n\u00e9ration rapide de DGA avec Miasm](https://www.lexsi.com/securityhub/generation-rapide-de-dga-avec-miasm/): Quick computation of DGA (French article)\n* [Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding](https://www.internetsociety.org/sites/default/files/blogs-media/enabling-client-side-crash-resistance-overcome-diversification-information-hiding.pdf): Detect undirected call potential arguments\n* [Miasm: Framework de reverse engineering](https://www.sstic.org/2012/presentation/miasm_framework_de_reverse_engineering/) (French)\n* [Tutorial miasm](https://www.sstic.org/2014/presentation/Tutorial_miasm/) (French video)\n* [Graphes de d\u00e9pendances : Petit Poucet style](https://www.sstic.org/2016/presentation/graphes_de_dpendances__petit_poucet_style/): DepGraph (French)\n\nBooks\n-----\n\n* [Practical Reverse Engineering: X86, X64, Arm, Windows Kernel, Reversing Tools, and Obfuscation](http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118787315,subjectCd-CSJ0.html): Introduction to Miasm (Chapter 5 \"Obfuscation\")\n* [BlackHat Python - Appendix](https://github.com/oreilly-japan/black-hat-python-jp-support/tree/master/appendix-A): Samples from the Japanese edition of the security book\n",
"bugtrack_url": null,
"license": "GPLv2",
"summary": "Machine code manipulation library",
"version": "0.1.5",
"split_keywords": [
"reverse engineering",
"disassembler",
"emulator",
"symbolic execution",
"intermediate representation",
"assembler"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "9d53706e9d24936f53dace112f01130c6e46773551dd19cfd6118c1b35fbb836",
"md5": "733fc92a4f027035a325f3c820f173b6",
"sha256": "e90d5886cdff7601747e8c6ae0e874356436d848e5be2a44642de9d29762dc75"
},
"downloads": -1,
"filename": "miasm-0.1.5.tar.gz",
"has_sig": false,
"md5_digest": "733fc92a4f027035a325f3c820f173b6",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 618342,
"upload_time": "2023-04-18T21:29:15",
"upload_time_iso_8601": "2023-04-18T21:29:15.470434Z",
"url": "https://files.pythonhosted.org/packages/9d/53/706e9d24936f53dace112f01130c6e46773551dd19cfd6118c1b35fbb836/miasm-0.1.5.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-04-18 21:29:15",
"github": false,
"gitlab": false,
"bitbucket": false,
"lcname": "miasm"
}