miasm
Reverse engineering framework
Classes | Functions | Variables
miasm.arch.mep.sem Namespace Reference

Classes

class  ir_mepb
 
class  ir_mepl
 

Functions

def compute_s_inf (arg1, arg2)
 
def compute_u_inf (x, y)
 
def mep_nop ()
 
def mep_nop_2_args (arg1, arg2)
 
def sb (reg_src, deref_dst)
 Load/Store instructions. More...
 
def sh (reg_src, deref_dst)
 
def sw (reg_src, deref_dst)
 
def lb (reg_dst, deref_dst)
 
def lh (reg_dst, deref_dst)
 
def lw (reg_dst, deref_dst)
 
def lbu (reg_dst, deref_dst)
 
def lhu (reg_dst, deref_dst)
 
def extb (reg)
 Byte/Halfword extension instructions. More...
 
def exth (reg)
 
def extub (reg)
 
def extuh (reg)
 
def mov (reg, value)
 Shift amount manipulation instructions. More...
 
def movu (reg, value)
 
def movh (reg, imm16)
 
def add3 (ir, instr, reg_dst, reg_src, reg_or_imm)
 Arithmetic instructions. More...
 
def add (arg1, arg2)
 
def advck3 (r0, rn, rm)
 
def sub (reg1, reg2)
 
def sbvck3 (ir, instr, r0, rn, rm)
 
def neg (reg1, reg2)
 
def slt3 (r0, rn, rm_or_imm5)
 
def sltu3 (r0, rn, rm_or_imm5)
 
def sl1ad3 (r0, rn, rm)
 
def sl2ad3 (r0, rn, rm)
 
def logical_or (rn, rm)
 Logical instructions. More...
 
def logical_and (rn, rm)
 
def xor (rn, rm)
 
def nor (rn, rm)
 
def or3 (rn, rm, imm16)
 
def and3 (rn, rm, imm16)
 
def xor3 (rn, rm, imm16)
 
def sra (rn, rm_or_imm5)
 Shift instruction. More...
 
def srl (rn, rm_or_imm5)
 
def sll (rn, rm_or_imm5)
 
def sll3 (r0, rn, imm5)
 
def fsft (rn, rm)
 
def bra (disp12)
 Branch/Jump instructions. More...
 
def beqz (reg_test, disp8)
 
def bnez (reg_test, disp8)
 
def beqi (reg_test, imm4, disp16)
 
def bnei (reg_test, imm4, disp16)
 
def blti (reg_test, imm4, disp16)
 
def bgei (reg_test, imm4, disp16)
 
def beq (rn, rm, disp16)
 
def bne (rn, rm, disp16)
 
def bsr (disp)
 
def jmp (ir, instr, reg_or_imm)
 
def jsr (reg)
 
def ret ()
 
def repeat (rn, disp17)
 
def erepeat (disp17)
 
def stc (reg, control_reg)
 Control Instructions. More...
 
def ldc (reg, control_reg)
 
def di ()
 
def ei ()
 
def reti ()
 
def swi (imm2)
 
def bsetm (rm_deref, imm3)
 Bit manipulation instruction option. More...
 
def bclrm (rm_deref, imm3)
 
def bnotm (rm_deref, imm3)
 
def btstm (r0, rm_deref, imm3)
 
def tas (rn, rm_deref)
 
def mul (rn, rm)
 Data cache option. More...
 
def mulu (rn, rm)
 
def mulr (rn, rm)
 
def mulru (rn, rm)
 
def madd (rn, rm)
 
def maddu (rn, rm)
 
def maddr (rn, rm)
 
def maddru (rn, rm)
 
def div (rn, rm)
 32-bit divide instruction option More...
 
def divu (rn, rm)
 
def dret ()
 Debug function option. More...
 
def dbreak ()
 
def ldz (rn, rm)
 Leading zero instruction option. More...
 
def smcp (reg_src, deref_dst)
 Coprocessor option. More...
 
def lmcp (reg_dst, deref_src)
 
def swcpi (reg_src, deref_dst)
 
def lwcpi (reg_dst, deref_src)
 
def smcpi (reg_src, deref_dst)
 
def lmcpi (reg_dst, deref_src)
 
def get_mnemo_expr (ir, instr, *args)
 IR MeP definitions. More...
 

Variables

dictionary ctx
 
 sbuild = SemBuilder(ctx)
 
 manual_functions = dict()
 
 rm_ext = rm_or_imm5
 
 sign_mask = i32(0x80000000)
 
 sign_rn = rn & sign_mask
 
 sign_rm = rm_ext & sign_mask
 
 are_both_neg = sign_rn & sign_rm
 
 are_both_pos = ~(sign_rn & sign_rm) >> i32(31)
 
 r0_mixed = i32(1) if sign_rn else i32(0)
 
tuple r0_pos = (i32(1) if "<"(rn, rm_ext) else i32(0)) if are_both_pos else r0_mixed
 
tuple r0 = (i32(0) if "<"(rn, rm_ext) else i32(1)) if are_both_neg else r0_pos
 

Function Documentation

◆ add()

def miasm.arch.mep.sem.add (   arg1,
  arg2 
) 
ADD - Add a register and an immediate.

◆ add3()

def miasm.arch.mep.sem.add3 (   ir,
  instr,
  reg_dst,
  reg_src,
  reg_or_imm 
)

Arithmetic instructions. 

ADD3 - Add two register and store the result to a register, or
          add a register and an immediate and store the result to a register

◆ advck3()

def miasm.arch.mep.sem.advck3 (   r0,
  rn,
  rm 
) 
ADVCK3 - Check addition overflow.
Here is the call graph for this function:

◆ and3()

def miasm.arch.mep.sem.and3 (   rn,
  rm,
  imm16 
) 
AND3 - Logical AND between a register and an immediate

◆ bclrm()

def miasm.arch.mep.sem.bclrm (   rm_deref,
  imm3 
) 
BCLRM - Bit Clear Memory

◆ beq()

def miasm.arch.mep.sem.beq (   rn,
  rm,
  disp16 
) 
BEQ - Branch if the two registers are equal.

◆ beqi()

def miasm.arch.mep.sem.beqi (   reg_test,
  imm4,
  disp16 
) 
BEQI - Branch if the register stores imm4.

◆ beqz()

def miasm.arch.mep.sem.beqz (   reg_test,
  disp8 
) 
BEQZ - Branch if the register stores zero.

◆ bgei()

def miasm.arch.mep.sem.bgei (   reg_test,
  imm4,
  disp16 
) 
BGEI - Branch if the register is greater or equal to imm4.
Here is the call graph for this function:

◆ blti()

def miasm.arch.mep.sem.blti (   reg_test,
  imm4,
  disp16 
) 
BLTI - Branch if the register is lower than imm4.
Here is the call graph for this function:

◆ bne()

def miasm.arch.mep.sem.bne (   rn,
  rm,
  disp16 
) 
BNE - Branch if the two registers are not equal.

◆ bnei()

def miasm.arch.mep.sem.bnei (   reg_test,
  imm4,
  disp16 
) 
BNEI - Branch if the register does not store imm4.

◆ bnez()

def miasm.arch.mep.sem.bnez (   reg_test,
  disp8 
) 
BNEZ - Branch if the register does not store zero.

◆ bnotm()

def miasm.arch.mep.sem.bnotm (   rm_deref,
  imm3 
) 
BNOTM - Bit Not Memory

◆ bra()

def miasm.arch.mep.sem.bra (   disp12)

Branch/Jump instructions. 

BRA - Branch to an address.

◆ bsetm()

def miasm.arch.mep.sem.bsetm (   rm_deref,
  imm3 
)

Bit manipulation instruction option. 

BSETM - Bit Set Memory

◆ bsr()

def miasm.arch.mep.sem.bsr (   disp) 
BSR - Branch to an address, and store the return address.

◆ btstm()

def miasm.arch.mep.sem.btstm (   r0,
  rm_deref,
  imm3 
) 
BTSTM - Bit Test Memory

◆ compute_s_inf()

def miasm.arch.mep.sem.compute_s_inf (   arg1,
  arg2 
) 
Signed comparison operator
Here is the caller graph for this function:

◆ compute_u_inf()

def miasm.arch.mep.sem.compute_u_inf (   x,
  y 
) 
Unsigned comparison operator
Here is the caller graph for this function:

◆ dbreak()

def miasm.arch.mep.sem.dbreak ( ) 
DBREAK - Debug break

◆ di()

def miasm.arch.mep.sem.di ( ) 
DI - Disable Interrupt

◆ div()

def miasm.arch.mep.sem.div (   rn,
  rm 
)

32-bit divide instruction option 

DIV - Signed division

◆ divu()

def miasm.arch.mep.sem.divu (   rn,
  rm 
) 
DIVU - Unsigned division

◆ dret()

def miasm.arch.mep.sem.dret ( )

Debug function option. 

DRET - Debug Exception Return

◆ ei()

def miasm.arch.mep.sem.ei ( ) 
EI - Enable Interrupt

◆ erepeat()

def miasm.arch.mep.sem.erepeat (   disp17) 
EREPEAT - This instruction repeats an instruction block. It sets the RPB
   and RPE control registers. To distinguish from the repeat instruction,
   the least significant bit in the RPE register (ELR) is set to 1.

◆ extb()

def miasm.arch.mep.sem.extb (   reg)

Byte/Halfword extension instructions. 

EXTB - Sign extend a byte

◆ exth()

def miasm.arch.mep.sem.exth (   reg) 
EXTH - Sign extend a word

◆ extub()

def miasm.arch.mep.sem.extub (   reg) 
EXUTB - Zero extend a byte

◆ extuh()

def miasm.arch.mep.sem.extuh (   reg) 
EXTUH - Zero extend a word

◆ fsft()

def miasm.arch.mep.sem.fsft (   rn,
  rm 
)

◆ get_mnemo_expr()

def miasm.arch.mep.sem.get_mnemo_expr (   ir,
  instr,
args 
)

IR MeP definitions. 

Simplify getting the IR from a miasm instruction.
Here is the caller graph for this function:

◆ jmp()

def miasm.arch.mep.sem.jmp (   ir,
  instr,
  reg_or_imm 
) 
JMP - Change PC to a register content or an immediate.
   Note: the behavior in VLIW mode is not implemented

◆ jsr()

def miasm.arch.mep.sem.jsr (   reg) 
JSR - Jump to the register, and store the return address.

◆ lb()

def miasm.arch.mep.sem.lb (   reg_dst,
  deref_dst 
) 
LB - Load Byte from memory

◆ lbu()

def miasm.arch.mep.sem.lbu (   reg_dst,
  deref_dst 
) 
LBU - Load an unsigned Byte from memory

◆ ldc()

def miasm.arch.mep.sem.ldc (   reg,
  control_reg 
) 
LDC - Copy a control register into a general-purpose register.

◆ ldz()

def miasm.arch.mep.sem.ldz (   rn,
  rm 
)

Leading zero instruction option. 

LDZ - Count Leading Zeroes

   Note: this implementation is readable, yet slow. Each bit are tested
   individually, and the results are propagated to other bits.

   Here is the commented implementation for 4-bit integers:
   rm = 0b0001

   # Invert the value
   reversed_rm = ~rm
  -> reversed_rm = 0b1110

   # Test bits individually
   b3 = (reversed_rm & i32(2**3)) >> i32(3) if reversed_rm else i32(0)
  -> b3 = (0b1110 & 0b1000 >> 3) = 1

   b2 = (reversed_rm & i32(2**2)) >> i32(2) if b3 else i32(0)
  -> b2 = (0b1110 & 0b0100 >> 2) = 1

   b1 = (reversed_rm & i32(2**1)) >> i32(1) if b2 else i32(0)
  -> b1 = (0b1110 & 0b0010 >> 1) = 1

   b0 = (reversed_rm & i32(2**0)) >> i32(0) if b1 else i32(0)
  -> b0 = (0b1110 & 0b0001 >> 0) = 0

   # Sum all partial results
   rn = b3 + b2 + b1 + b0
  -> rn = 1 + 1 + 1 + 0 = 3

◆ lh()

def miasm.arch.mep.sem.lh (   reg_dst,
  deref_dst 
) 
LH - Load Halfword from memory

◆ lhu()

def miasm.arch.mep.sem.lhu (   reg_dst,
  deref_dst 
) 
LHU - Load an unsigned Halfword from memory

◆ lmcp()

def miasm.arch.mep.sem.lmcp (   reg_dst,
  deref_src 
) 
LMCP - Load Word from memory to a coprocessor register

◆ lmcpi()

def miasm.arch.mep.sem.lmcpi (   reg_dst,
  deref_src 
) 
LMCPI - Load Word from memory, and increment the address

◆ logical_and()

def miasm.arch.mep.sem.logical_and (   rn,
  rm 
) 
AND - Logical AND between two registers.

◆ logical_or()

def miasm.arch.mep.sem.logical_or (   rn,
  rm 
)

Logical instructions. 

OR - Logical OR between two registers.

◆ lw()

def miasm.arch.mep.sem.lw (   reg_dst,
  deref_dst 
) 
LW - Load Word from memory

◆ lwcpi()

def miasm.arch.mep.sem.lwcpi (   reg_dst,
  deref_src 
) 
LWCPI - Load Word from memory, and increment the address

◆ madd()

def miasm.arch.mep.sem.madd (   rn,
  rm 
) 
MADD - Signed 32-bit multiplication, adding results to HI & LO registers

◆ maddr()

def miasm.arch.mep.sem.maddr (   rn,
  rm 
) 
MADDR - Signed 32-bit multiplication, adding results to HI & LO registers & storing LO in Rn

◆ maddru()

def miasm.arch.mep.sem.maddru (   rn,
  rm 
) 
MADDRU - Unsigned 32-bit multiplication, adding results to HI & LO registers & storing LO in Rn

◆ maddu()

def miasm.arch.mep.sem.maddu (   rn,
  rm 
) 
MADDU - Unsigned 32-bit multiplication, adding results to HI & LO registers

◆ mep_nop()

def miasm.arch.mep.sem.mep_nop ( ) 
Dummy instruction

◆ mep_nop_2_args()

def miasm.arch.mep.sem.mep_nop_2_args (   arg1,
  arg2 
) 
Dummy instruction with two arguments

◆ mov()

def miasm.arch.mep.sem.mov (   reg,
  value 
)

Shift amount manipulation instructions.

Move instructions

MOV - Copy 'value' to a register. The three alternatives are handled.

◆ movh()

def miasm.arch.mep.sem.movh (   reg,
  imm16 
) 
MOVH - Copy a shifted imm16 to a register.

◆ movu()

def miasm.arch.mep.sem.movu (   reg,
  value 
) 
MOV - Copy 'value' to a register. The two alternatives are handled.

◆ mul()

def miasm.arch.mep.sem.mul (   rn,
  rm 
)

Data cache option.

32-bit multiply instruction option

MUL - Signed 32-bit multiplication

◆ mulr()

def miasm.arch.mep.sem.mulr (   rn,
  rm 
) 
MULR - Signed 32-bit multiplication & store LO in Rn

◆ mulru()

def miasm.arch.mep.sem.mulru (   rn,
  rm 
) 
MULRU - Unsigned 32-bit multiplication & store LO in Rn

◆ mulu()

def miasm.arch.mep.sem.mulu (   rn,
  rm 
) 
MUL - Unsigned 32-bit multiplication

◆ neg()

def miasm.arch.mep.sem.neg (   reg1,
  reg2 
) 
NEG - Negate one register.

◆ nor()

def miasm.arch.mep.sem.nor (   rn,
  rm 
) 
NOR - Logical NOR between two registers.

◆ or3()

def miasm.arch.mep.sem.or3 (   rn,
  rm,
  imm16 
) 
OR3 - Logical OR between a register and an immediate

◆ repeat()

def miasm.arch.mep.sem.repeat (   rn,
  disp17 
) 
REPEAT - This instruction repeats an instruction block. It sets the RPB,
   RPE and RPC control registers.

◆ ret()

def miasm.arch.mep.sem.ret ( ) 
RET - Return from a function call.
   Note: the behavior in VLIW mode is not implemented

◆ reti()

def miasm.arch.mep.sem.reti ( ) 
RETI - Return from the exception/interrupt handler.
   Note: the behavior in VLIW mode is not implemented

◆ sb()

def miasm.arch.mep.sem.sb (   reg_src,
  deref_dst 
)

Load/Store instructions. 

SB - Store Byte into memory

◆ sbvck3()

def miasm.arch.mep.sem.sbvck3 (   ir,
  instr,
  r0,
  rn,
  rm 
) 
SBVCK3 - Check subtraction overflow

◆ sh()

def miasm.arch.mep.sem.sh (   reg_src,
  deref_dst 
) 
SH - Store Halfword into memory

◆ sl1ad3()

def miasm.arch.mep.sem.sl1ad3 (   r0,
  rn,
  rm 
) 
SL1AD3 - Shift a register one bit left, then add another one.

◆ sl2ad3()

def miasm.arch.mep.sem.sl2ad3 (   r0,
  rn,
  rm 
) 
SL2AD3 - Shift a register two bits left, then add another one.

◆ sll()

def miasm.arch.mep.sem.sll (   rn,
  rm_or_imm5 
) 
SLL - Shift Left unsigned.

◆ sll3()

def miasm.arch.mep.sem.sll3 (   r0,
  rn,
  imm5 
) 
SLL3 - Shift Left unsigned, with 3 arguments.

◆ slt3()

def miasm.arch.mep.sem.slt3 (   r0,
  rn,
  rm_or_imm5 
) 
SLT3 - Set on less than (signed).
Here is the call graph for this function:

◆ sltu3()

def miasm.arch.mep.sem.sltu3 (   r0,
  rn,
  rm_or_imm5 
) 
SLTU3 - Set on less than (unsigned).
Here is the call graph for this function:

◆ smcp()

def miasm.arch.mep.sem.smcp (   reg_src,
  deref_dst 
)

Coprocessor option. 

SMCP - Store Word to memory from a coprocessor register

◆ smcpi()

def miasm.arch.mep.sem.smcpi (   reg_src,
  deref_dst 
) 
SMCPI - Store Word to memory, and increment the address

◆ sra()

def miasm.arch.mep.sem.sra (   rn,
  rm_or_imm5 
)

Shift instruction. 

SRA - Shift Right signed

◆ srl()

def miasm.arch.mep.sem.srl (   rn,
  rm_or_imm5 
) 
SRL - Shift Right unsigned.

◆ stc()

def miasm.arch.mep.sem.stc (   reg,
  control_reg 
)

Control Instructions. 

STC - Copy a general-purpose register into a control register.

◆ sub()

def miasm.arch.mep.sem.sub (   reg1,
  reg2 
) 
SUB - Subtract one register to another.

◆ sw()

def miasm.arch.mep.sem.sw (   reg_src,
  deref_dst 
) 
SW - Store Word into memory

◆ swcpi()

def miasm.arch.mep.sem.swcpi (   reg_src,
  deref_dst 
) 
SWCPI - Store Word to memory, and increment the address

◆ swi()

def miasm.arch.mep.sem.swi (   imm2) 
SWI - Software Interrupt

◆ tas()

def miasm.arch.mep.sem.tas (   rn,
  rm_deref 
) 
TAS - Load And Set

◆ xor()

def miasm.arch.mep.sem.xor (   rn,
  rm 
) 
XOR - Logical XOR between two registers.

◆ xor3()

def miasm.arch.mep.sem.xor3 (   rn,
  rm,
  imm16 
) 
XOR3 - Logical XOR between a register and an immediate

Variable Documentation

◆ are_both_neg

miasm.arch.mep.sem.are_both_neg = sign_rn & sign_rm

◆ are_both_pos

miasm.arch.mep.sem.are_both_pos = ~(sign_rn & sign_rm) >> i32(31)

◆ ctx

dictionary miasm.arch.mep.sem.ctx
Initial value:
1 = {"PC": PC, "SP": SP, "LP": LP, "SAR": SAR, "TP": TP,
2  "RPB": RPB, "RPE": RPE, "RPC": RPC, "EPC": EPC, "NPC": NPC,
3  "EXC": EXC, "HI": HI, "LO": LO, "PSW": PSW, "DEPC": DEPC, "DBG": DBG,
4  "exception_flags": exception_flags, "compute_s_inf": compute_s_inf,
5  "compute_u_inf": compute_u_inf, "take_jmp": take_jmp,
6  "in_erepeat": in_erepeat, "EXCEPT_DIV_BY_ZERO": EXCEPT_DIV_BY_ZERO}

◆ manual_functions

miasm.arch.mep.sem.manual_functions = dict()

◆ r0

tuple miasm.arch.mep.sem.r0 = (i32(0) if "<"(rn, rm_ext) else i32(1)) if are_both_neg else r0_pos

◆ r0_mixed

miasm.arch.mep.sem.r0_mixed = i32(1) if sign_rn else i32(0)

◆ r0_pos

tuple miasm.arch.mep.sem.r0_pos = (i32(1) if "<"(rn, rm_ext) else i32(0)) if are_both_pos else r0_mixed

◆ rm_ext

miasm.arch.mep.sem.rm_ext = rm_or_imm5

◆ sbuild

miasm.arch.mep.sem.sbuild = SemBuilder(ctx)

◆ sign_mask

miasm.arch.mep.sem.sign_mask = i32(0x80000000)

◆ sign_rm

miasm.arch.mep.sem.sign_rm = rm_ext & sign_mask

◆ sign_rn

miasm.arch.mep.sem.sign_rn = rn & sign_mask