1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
## yaxpeax-eval
[![crate](https://img.shields.io/crates/v/yaxpeax-eval.svg?logo=rust)](https://crates.io/crates/yaxpeax-eval)
`yaxpeax-eval` is the repo providing `yaxeval`, a tool to execute machine code with preconditions and report state at exit.
currently, `yaxeval` works by spawning a thread and executing the provided machine code on the local physical processor. there is some boring glue for architecture-dependent state setting and reporting. this means that `yaxeval` supports, or is close to supporting, whatever physical processor you would run it on.
i am interested in using qemu-user as an alternate execution backend for cross-platform emulation. `yaxeval` should be able to use qemu-user just the same for setup and reporting by using qemu's gdbserver.
## usage
if you just want to build and use it, `cargo install yaxpeax-eval` should get you started. otherwise, clone this repo and a `cargo build` will work as well. `yaxeval <x86 machine code>` is a good starting point:
```
yaxpeax-eval> ./target/release/yaxeval b878563412
loaded code...
00007f774b497000: mov eax, 0x12345678
00007f774b497005: 🏁 (int 0x3)
running...
rax: 0000000000000000
to -> 0000000012345678
rip: 00007f774b497000
to -> 00007f774b497006
```
initial register state is generally zeroes, with exception of `rip`, which by default points to whatever address an unrestricted `mmap` could find.
inital register values, including `rip`, can be specified explicitly:
```
yaxpeax-eval> ./target/release/yaxeval --regs rax=4,rcx=5,rip=0x123456789a,eflags=0x246 03c133c9
loaded code...
000000123456789a: add eax, ecx
000000123456789c: xor ecx, ecx
000000123456789e: 🏁 (int 0x3)
running...
rax: 0000000000000004
to -> 0000000000000009
rcx: 0000000000000005
to -> 0000000000000000
rip: 000000123456789a
to -> 000000123456789f
```
and if the provided code disastrously crashes, `yaxeval` will try to say a bit about what occurred:
```
yaxpeax-eval> ./target/release/yaxeval --regs rax=4,rcx=5,rip=0x123456789a,eflags=0x246 0000
loaded code...
000000123456789a: add byte [rax], al
000000123456789c: 🏁 (int 0x3)
running...
eflags: 00000246
to -> 00010246
sigsegv at unexpected address: 000000123456789a
```
## aspirations
* accept some config to map memory regions other than the implicitly-initialized code region
* machine-friendly input/output formats
* mode to single-step through provided code?
|