Can you give a sample example for extracting IR

[bsmondal]

Hi,

Which instruction I have to use to extract IR for a whole x86 binary? It will be better for me if you could give me a simple example.
Thank you.

[rhelmot]

Hello!

There's a bit of a problem here, that VEX itself doesn't really have a representation of a full-program IR. The best we have right now is using the main angr module to construct a control-flow graph via its CFG analysis.

We do keep seeing this problem where we're using an IR that was meant to be used for single blocks but trying to apply it to full-program analysis...

[bsmondal]

Hi
Thanks for your prompt reply. Before your reply I never heard about angr. It looks like the exact what I am looking for. My goal is to extract C data type from IR. Could you please tell me that, is angr a good choice for that or not ?

Thanks for your support and time.

[rhelmot]

I may be a little biased, as I work on the dev team for the project, but I think that angr is an excellent choice for that. In order to do any sort of full-program analysis with the VEX IR, you're going to need a control flow graph that's at least a little bit smart (i.e. has any hope of resolving indirect jumps), which angr provides. Even though it's not 100% accurate, it's pretty good.

Data type recovery is an open field of research at the moment, but so far the best results available have been produced with static analysis tools like angr. I'm actually working on my own datatype recovery analysis using angr, but my needs are probably sufficiently different than yours that you shouldn't wait for me :)

[bsmondal]

Wow .. that's grate. You are doing some excellent job. Here, I have designed a selective execution engine which can execute each function individually inside a binary but for that I need the exact function prototype like argument and return type of a function. That's why I am now interested on type inference in assembly. Could you tell me any tools that can execute each function individually without knowing their exact prototype? From my knowledge I know only XForce and MicroX can execute code fragment by providing random input but they are not open source.
:D

[bsmondal]

One more thing, for datatype recovery, can you help me to find out which section I have to focus in angr. Hope this will make my task faster. Thank you.

[rhelmot]

If by selective execution you mean nothing more than using the original binary as a shared library and jumping into the appropriate function with arguments set, angr can actually do that without knowing the prototype! The execution itself is a little slow (... between ten thousand and a million times slowdown depending on the content) but it also works with symbolic values. The part of angr that can do this is the callable, half-assedly documented here. You can also look at one of our testcases that uses callable here. (it provides prototypes, but they're optional.)

To get started real quick in angr, just make a python virtual environment (mkvirtualenv angr) and then install it from the python package index (pip install angr). Then, in a python interpreter, you can load your binary into a project object. For your purposes you don't want to consider shared libraries, so use import angr; p = angr.Project('path/to/binary', load_options={'auto_load_libs': False}). Then, you can construct a control-flow graph with cfg = p.analyses.CFG(). Actually using the resulting CFG object is documented here.

[bsmondal]

Thank you a lot for your valuable time and suggestion. I do appreciate your quick support . You have saved my lot of time.