{
    "info": {
        "author": "",
        "author_email": "",
        "bugtrack_url": null,
        "classifiers": [],
        "description": "pytcg\n=====\n\nStatus: Very early, but working!  So far it's able to translate from 32-bit x86\nto TCG ops and print out some op info. Pythonification is next!\n\nNow it's accessible from the following:\n`pip install pytcg`\n\n## Build libtcg\n\nBefore using pytcg, you'll need to build libtcg. You can do this by:\n\n    cd libtcg\n    ./build.sh\n\nThis will clone the Qemu repository with the libtcg patches, build, and extract\nthe necessary files into this directory.\n\nSee the [libtcg](https://github.com/angr-tcg/qemu) repo for more info.\n\n## Setup Python Virtual Environment\n\nSetup your Python virtual environment with something like:\n\n    sudo apt-get install python3-venv\n    python3 -m venv env\n    source env/bin/activate\n    pip install -r requirements.txt\n\nIf you have the angr virtual environment already set up, you can use that too\n(via `workon angr`) since the pytcg requirements are a subset of angr's.\n\n## Run\n\nThere's a simple Makefile to build the FFI and run basic interface testing:\n\n    make\n\n## Overview of Qemu sources\n\nLibtcg interface is located at qemu/libtcg/libtcg.c. The frontend (which does\nguest binary to TCG translation) is located at qemu/target/i386/translate.c.\n\n## Debugging Qemu\n\nIf you want to step through the real TCG generation code, fire up ipython in\none terminal, get the process id, then in another terminal fire up gdb and\nattach to the ipython process. Then you can set breakpoints on code generation\nfunctions, etc.\n\n## Example op pretty-print\n\nInput assembly:\n```nasm\n     1                                  bits 32\n     2                                  org 0xb0000000\n     3                                  \n     4 00000000 B990320000              mov ecx, 0x3290\n     5                                  loop:\n     6 00000005 890E                    mov dword [esi], ecx\n     7 00000007 49                      dec ecx\n     8 00000008 75FB                    jnz loop\n```\n\n* `#` Prefixes a comment\n* `---` Denotes an original instruction boundary address\n\n```\n# mov ecx, 0x3290\n--- 00000000b0000000 0000000000000000\n movi_i64 tmp0,$0x3290\n ext32u_i64 rcx,tmp0\n\n# loop: mov dword [esi], ecx\n--- 00000000b0000005 0000000000000000\n add_i64 tmp2,rsi,ds_base\n ext32u_i64 tmp2,tmp2\n mov_i64 tmp0,rcx\n qemu_st_i64 tmp0,tmp2,leul,0\n\n\n# dec ecx\n--- 00000000b0000007 0000000000000000\n mov_i64 tmp0,rcx\n movi_i64 tmp11,$0xffffffffffffffff\n add_i64 tmp0,tmp0,tmp11\n ext32u_i64 rcx,tmp0\n call cc_compute_c,$0x50,$1,cc_src,cc_dst,cc_src,cc_src2,cc_op\n mov_i64 cc_dst,tmp0\n discard cc_src2\n discard cc_op\n\n\n# jnz loop\n--- 00000000b0000008 0000000000000020\n ext32u_i64 tmp0,cc_dst\n movi_i32 cc_op,$0x20\n movi_i64 tmp11,$0x0\n brcond_i64 tmp0,tmp11,ne,$L0\n \n movi_i64 tmp3,$0xb000000a   # Load address of next EIP (jump not taken)\n st_i64 tmp3,env,$0x80       # Load addr into EIP (stored in env+0x80)\n br $L1                      # Jump to end of block\n \n set_label $L0\n movi_i64 tmp3,$0xb0000005   # Load address of next EIP (jump taken)\n st_i64 tmp3,env,$0x80       # Load addr into EIP (stored in env+0x80)\n \n set_label $L1\n exit_tb $0x0\n```\n\nFor reference, PyVEX's IR of the same code (very similar of course):\n```python\nimport angr\nmain_opts = {\n    'backend': 'blob',\n    'custom_arch': 'amd64',\n    'custom_entry_point': 0xb0000000,\n    'custom_base_addr': 0xb0000000,\n}\np = angr.Project('pytcg/test/simple_loop.bin', auto_load_libs=False, main_opts=main_opts)\ns = p.factory.entry_state()\nb = s.block()\nb.vex.pp()\n```\n```\nIRSB {\n   t0:Ity_I64 t1:Ity_I64 t2:Ity_I32 t3:Ity_I64 t4:Ity_I1 t5:Ity_I64 t6:Ity_I64 t7:Ity_I64 t8:Ity_I64 t9:Ity_I64 t10:Ity_I64\n\n   00 | ------ IMark(0xb0000000, 5, 0) ------\n   01 | PUT(rcx) = 0x0000000000003290\n   02 | PUT(pc) = 0x00000000b0000005\n   03 | ------ IMark(0xb0000005, 2, 0) ------\n   04 | t0 = GET:I64(rsi)\n   05 | STle(t0) = 0x00003290\n   06 | PUT(pc) = 0x00000000b0000007\n   07 | ------ IMark(0xb0000007, 3, 0) ------\n   08 | t5 = GET:I64(cc_op)\n   09 | t6 = GET:I64(cc_dep1)\n   10 | t7 = GET:I64(cc_dep2)\n   11 | t8 = GET:I64(cc_ndep)\n   12 | t9 = amd64g_calculate_condition(0x0000000000000004,t5,t6,t7,t8):Ity_I64\n   13 | t4 = 64to1(t9)\n   14 | if (t4) { PUT(pc) = 0xb000000a; Ijk_Boring }\n   NEXT: PUT(rip) = 0x00000000b0000005; Ijk_Boring\n}\n```\n\n## Understanding cc_*\n\nFrom target/i386/cpu.h:\n\n```c\n/* Instead of computing the condition codes after each x86 instruction,\n * QEMU just stores one operand (called CC_SRC), the result\n * (called CC_DST) and the type of operation (called CC_OP). When the\n * condition codes are needed, the condition codes can be calculated\n * using this information. Condition codes are not generated if they\n * are only needed for conditional branches.\n */\n```",
        "description_content_type": "",
        "docs_url": null,
        "download_url": "",
        "downloads": {
            "last_day": -1,
            "last_month": -1,
            "last_week": -1
        },
        "home_page": "https://github.com/angr/pytcg",
        "keywords": "TCG,pytcg,angr,QEMU",
        "license": "",
        "maintainer": "pwnslinger",
        "maintainer_email": "pwnslinger@asu.edu",
        "name": "pytcg",
        "package_url": "https://pypi.org/project/pytcg/",
        "platform": "",
        "project_url": "https://pypi.org/project/pytcg/",
        "project_urls": {
            "Homepage": "https://github.com/angr/pytcg"
        },
        "release_url": "https://pypi.org/project/pytcg/0.0.0.2/",
        "requires_dist": null,
        "requires_python": "",
        "summary": "A Python interface to libtcg and TCG IR",
        "version": "0.0.0.2"
    },
    "last_serial": 3882002,
    "releases": {
        "0.0.0.2": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "89a89a8aec91ba8ab508ecc94624f3ab",
                    "sha256": "3f6a0fab90e6e883c38025b1906ce3c03948f68f27fc78c487555f0573bab3a1"
                },
                "downloads": -1,
                "filename": "pytcg-0.0.0.2.tar.gz",
                "has_sig": false,
                "md5_digest": "89a89a8aec91ba8ab508ecc94624f3ab",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 24736,
                "upload_time": "2018-05-21T03:21:35",
                "url": "https://files.pythonhosted.org/packages/49/9d/fae0e8f1a2bb6c4e009d34d6d2558d3b16e5b9c815a586ac90dc9dd8ead4/pytcg-0.0.0.2.tar.gz"
            }
        ]
    },
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "89a89a8aec91ba8ab508ecc94624f3ab",
                "sha256": "3f6a0fab90e6e883c38025b1906ce3c03948f68f27fc78c487555f0573bab3a1"
            },
            "downloads": -1,
            "filename": "pytcg-0.0.0.2.tar.gz",
            "has_sig": false,
            "md5_digest": "89a89a8aec91ba8ab508ecc94624f3ab",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 24736,
            "upload_time": "2018-05-21T03:21:35",
            "url": "https://files.pythonhosted.org/packages/49/9d/fae0e8f1a2bb6c4e009d34d6d2558d3b16e5b9c815a586ac90dc9dd8ead4/pytcg-0.0.0.2.tar.gz"
        }
    ]
}