Porting ESIL analysis to RzIL

[Rot127]

Tracker

• RzIL debug "emulation" in visual mode #3676

ESIL vs. RzIL

ESIL only allowed for concrete emulation. While RzIL now allows for concrete, abstract and symbolic emulation.
This brings way more options on the table. And also makes some old commands obsolete, because the result of them can be found more elegantly with another emulation types.

Emulation mode

Each mode can solve certain analysis related problems

• Concrete execution/emulation
  • Debugging
  • Find statically resolvable xrefs
  • Fuzzing
  • Emulating functions with a given set of inputs
  • ...
• Abstract:
  • Find stack references.
  • Statically resolvable xrefs.
  • Heap references (by default not across function boundaries).
  • ...
• Symbolic:
  • Resolve operand dependencies within procedures (r15 at instruction 0x100 depends on r0 at procedure entry).
  • ...

To replace ESIL, (some) concrete analysis steps are ported first.

Commands to port

List of commands and a categorization what to port to RzIL and what not.

Worth porting to RzIL

Command	Meaning	Port
ae	evaluate ESIL expression	Yes. Basically % but allow to use reg names as operands.
aecs	continue until syscall	Yes
aecc	continue until call	Yes
aef	emulate function	Yes
aefa	emulate function to find out args in given or current offset	Yes? See notes about emualation modes.
aeim	initialize ESIL VM stack (aeim- remove)	Yes.
aets	ESIL Trace session	Yes. Though re-implement. Emulation with snapshots essentially.
aeb	Enumlate block	Yes.
aesb	Debugging, step back	Yes. Possible?
aesuo	step until given opcode type	Yes.

Implemented, but no command/API

Command	Meaning	Comment
ae	analyse esil accesses (regs, mem..)	RzIL events (next point)
aea	Show operand usage or mem rw for a given range of instructions.	RzIL events are not accessible via command.
aec	continue until ^C	Needs a hotkey and a check in the VM to cancel the emulation.
aeso	step over	Done, not accessible in visual mode.
aess	step over	Done (run until), not accessible in visual mode.

Don't port, maybe implement from scratch

Command	Meaning	Issue
aek	Emulation statistics	#4729
aecue	Continue emulation only if condition is true (conditional breakpoints).	#4731

Don't port

Command	Meaning	Port
aepc	change esil PC to this address	No. Duplicate of aeziv.
ae??	show ESIL help	No. Should be documented or docs are linked in help.
aeC	appcall in esil (sets SP to value X and "calls" address)	No -> To messy, is not general enough (e.g. ignores calling convention).
aecb	continue back until breakpoint	No -> It restores a "tracepoint" or snapshot of the VM at the previous breakpoint. This should be refactored to an emulation with snapshots. Or reversable execution.
aeip	initialize ESIL program counter to curseek	No. RzIL VM inits by default to current seek.
aeli	list loaded ESIL interrupts	No. New interrupt system with RzIL
aeli	load ESIL interrupts from shared object	No.
aelir	remove ESIL interrupt and free it if needed	No.
aesue	step until esil expression match	No. Same as constraint based emulation.
aex	evaluate opcode expression	No? Can't come up with a scenario this is useful.

Done

Command	Meaning	Port
aecu	continue until address	Done: aezsu
aei	initialize ESIL VM state (aei- to deinitialize)	Done: aezi
aesou	step over until given address	Done: aezsu
aesu	step until given address	Done: aezsu
aes	perform emulated debugger step	Done: aezs
aesp	evaluate N instr from offset X	Done: aezi + aezs