cle — Binary Loader

CLE is an extensible binary loader. Its main goal is to take an executable program and any libraries it depends on and produce an address space where that program is loaded and ready to run.

The primary interface to CLE is the Loader class.

Loading Interface

class cle.loader.Loader(main_binary, auto_load_libs=True, concrete_target=None, force_load_libs=(), skip_libs=(), main_opts=None, lib_opts=None, ld_path=(), use_system_libs=True, ignore_import_version_numbers=True, case_insensitive=False, rebase_granularity=1048576, except_missing_libs=False, aslr=False, perform_relocations=True, load_debug_info=False, page_size=1, preload_libs=(), arch=None)

Bases: object

The loader loads all the objects and exports an abstraction of the memory of the process. What you see here is an address space with loaded and rebased binaries.

Parameters

main_binary – The path to the main binary you’re loading, or a file-like object with the binary in it.

The following parameters are optional.

Parameters

• auto_load_libs – Whether to automatically load shared libraries that loaded objects depend on.

• load_debug_info – Whether to automatically parse DWARF data and search for debug symbol files.

• concrete_target – Whether to instantiate a concrete target for a concrete execution of the process. if this is the case we will need to instantiate a SimConcreteEngine that wraps the ConcreteTarget provided by the user.

• force_load_libs – A list of libraries to load regardless of if they’re required by a loaded object.

• skip_libs – A list of libraries to never load, even if they’re required by a loaded object.

• main_opts – A dictionary of options to be used loading the main binary.

• lib_opts – A dictionary mapping library names to the dictionaries of options to be used when loading them.

• ld_path – A list of paths in which we can search for shared libraries.

• use_system_libs – Whether or not to search the system load path for requested libraries. Default True.

• ignore_import_version_numbers – Whether libraries with different version numbers in the filename will be considered equivalent, for example libc.so.6 and libc.so.0

• case_insensitive – If this is set to True, filesystem loads will be done case-insensitively regardless of the case-sensitivity of the underlying filesystem.

• rebase_granularity – The alignment to use for rebasing shared objects

• except_missing_libs – Throw an exception when a shared library can’t be found.

• aslr – Load libraries in symbolic address space. Do not use this option.

• page_size – The granularity with which data is mapped into memory. Set to 0x1000 if you are working in an environment where data will always be memory mapped in a page-graunlar way.

• preload_libs – Similar to force_load_libs but will provide for symbol resolution, with precedence over any dependencies.

Variables

• memory (cle.memory.Clemory) – The loaded, rebased, and relocated memory of the program.

• main_object – The object representing the main binary (i.e., the executable).

• shared_objects – A dictionary mapping loaded library names to the objects representing them.

• all_objects – A list containing representations of all the different objects loaded.

• requested_names – A set containing the names of all the different shared libraries that were marked as a dependency by somebody.

• initial_load_objects – A list of all the objects that were loaded as a result of the initial load request.

When reference is made to a dictionary of options, it requires a dictionary with zero or more of the following keys:

• backend : “elf”, “pe”, “mach-o”, “blob” : which loader backend to use

• arch : The archinfo.Arch object to use for the binary

• base_addr : The address to rebase the object at

• entry_point : The entry point to use for the object

More keys are defined on a per-backend basis.

memory: Optional[Clemory]

main_object: Optional[Backend]

tls: Optional[ThreadManager]

close()

property max_addr

The maximum address loaded as part of any loaded object (i.e., the whole address space).

property min_addr

The minimum address loaded as part of any loaded object (i.e., the whole address space).

property initializers

Return a list of all the initializers that should be run before execution reaches the entry point, in the order they should be run.

property finalizers

Return a list of all the finalizers that should be run before the program exits. I’m not sure what order they should be run in.

property linux_loader_object

If the linux dynamic loader is present in memory, return it

property elfcore_object

If a corefile was loaded, this returns the actual core object instead of the main binary

property extern_object

Return the extern object used to provide addresses to unresolved symbols and angr internals.

Accessing this property will load this object into memory if it was not previously present.

proposed model for how multiple extern objects should work:

1. extern objects are a linked list. the one in loader._extern_object is the head of the list

2. each round of explicit loads generates a new extern object if it has unresolved dependencies. this object has exactly the size necessary to hold all its exports.

3. All requests for size are passed down the chain until they reach an object which has the space to service it or an object which has not yet been mapped. If all objects have been mapped and are full, a new extern object is mapped with a fixed size.

property kernel_object: KernelObject

Return the object used to provide addresses to syscalls.

Accessing this property will load this object into memory if it was not previously present.

property all_elf_objects

Return a list of every object that was loaded from an ELF file.

property all_pe_objects

Return a list of every object that was loaded from an ELF file.

property missing_dependencies

Return a set of every name that was requested as a shared object dependency but could not be loaded

property auto_load_libs

describe_addr(addr) → str

Returns a textual description of what’s in memory at the provided address

find_object(spec, extra_objects=())

If the given library specification has been loaded, return its object, otherwise return None.

find_object_containing(addr, membership_check=True)

Return the object that contains the given address, or None if the address is unmapped.

Parameters

• addr (int) – The address that should be contained in the object.

• membership_check (bool) – Whether a membership check should be performed or not (True by default). This option can be set to False if you are certain that the target object does not have “holes”.

Returns

The object or None.

find_segment_containing(addr, skip_pseudo_objects=True)

Find the section object that the address belongs to.

Parameters

• addr (int) – The address to test

• skip_pseudo_objects (bool) – Skip objects that CLE adds during loading.

Returns

The section that the address belongs to, or None if the address does not belong to any section, or if section information is not available.

Return type

cle.Segment

find_section_containing(addr, skip_pseudo_objects=True)

Find the section object that the address belongs to.

Parameters

• addr (int) – The address to test.

• skip_pseudo_objects (bool) – Skip objects that CLE adds during loading.

Returns

The section that the address belongs to, or None if the address does not belong to any section, or if section information is not available.

Return type

cle.Section

find_loadable_containing(addr, skip_pseudo_objects=True)

Find the section or segment object the address belongs to. Sections will only be used if the corresponding object does not have segments.

Parameters

• addr – The address to test

• skip_pseudo_objects – Skip objects that CLE adds during loading.

Returns

The section or segment that the address belongs to, or None if the address does not belong to any section or segment.

find_section_next_to(addr, skip_pseudo_objects=True)

Find the next section after the given address.

Parameters

• addr (int) – The address to test.

• skip_pseudo_objects (bool) – Skip objects that CLE adds during loading.

Returns

The next section that goes after the given address, or None if there is no section after the address, or if section information is not available.

Return type

cle.Section

find_symbol(thing, fuzzy=False)

Search for the symbol with the given name or address.

Parameters

• thing – Either the name or address of a symbol to look up

• fuzzy – Set to True to return the first symbol before or at the given address

Returns

A cle.backends.Symbol object if found, None otherwise.

property symbols

find_all_symbols(name, exclude_imports=True, exclude_externs=False, exclude_forwards=True)

Iterate over all symbols present in the set of loaded binaries that have the given name

Parameters

• name – The name to search for

• exclude_imports – Whether to exclude import symbols. Default True.

• exclude_externs – Whether to exclude symbols in the extern object. Default False.

• exclude_forwards – Whether to exclude forward symbols. Default True.

find_plt_stub_name(addr)

Return the name of the PLT stub starting at addr.

find_relevant_relocations(name)

Iterate through all the relocations referring to the symbol with the given name

perform_irelative_relocs(resolver_func)

Use this method to satisfy IRelative relocations in the binary that require execution of loaded code.

Note that this does NOT handle IFunc symbols, which must be handled separately. (this could be changed, but at the moment it’s desirable to support lazy IFunc resolution, since emulation is usually slow)

Parameters

resolver_func – A callback function that takes an address, runs the code at that address, and returns the return value from the emulated function.

dynamic_load(spec)

Load a file into the address space. Note that the sematics of auto_load_libs and except_missing_libs apply at all times.

Parameters

spec – The path to the file to load. May be an absolute path, a relative path, or a name to search in the load path.

Returns

A list of all the objects successfully loaded, which may be empty if this object was previously loaded. If the object specified in spec failed to load for any reason, including the file not being found, return None.

get_loader_symbolic_constraints()

Do not use this method.

Backends

class cle.backends.FunctionHintSource

Bases: object

Enums that describe the source of function hints.

EH_FRAME = 0

EXTERNAL_EH_FRAME = 1

class cle.backends.FunctionHint(addr, size, source)

Bases: object

Describes a function hint.

Variables

• addr (int) – Address of the function.

• size (int) – Size of the function.

• source (int) – Source of this hint.

addr

size

source

class cle.backends.ExceptionHandling(start_addr, size, handler_addr=None, type_=None, func_addr=None)

Bases: object

Describes an exception handling.

Exception handlers are usually language-specific. In C++, it is usually implemented as try {} catch {} blocks.

Variables

• start_addr (int) – The beginning of the try block.

• size (int) – Size of the try block.

• handler_addr (Optional[int]) – Address of the exception handler code.

• type – Type of the exception handler. Optional.

• func_addr (Optional[int]) – Address of the function. Optional.

start_addr

size

handler_addr

type

func_addr

class cle.backends.Backend(binary, binary_stream, loader=None, is_main_bin=False, entry_point=None, arch=None, base_addr=None, force_rebase=False, has_memory=True, **kwargs)

Bases: object

Main base class for CLE binary objects.

An alternate interface to this constructor exists as the static method cle.loader.Loader.load_object()

Variables

• binary – The path to the file this object is loaded from

• binary_basename – The basename of the filepath, or a short representation of the stream it was loaded from

• is_main_bin – Whether this binary is loaded as the main executable

• segments – A listing of all the loaded segments in this file

• sections – A listing of all the demarked sections in the file

• sections_map – A dict mapping from section name to section

• imports – A mapping from symbol name to import relocation

• resolved_imports – A list of all the import symbols that are successfully resolved

• relocs – A list of all the relocations in this binary

• irelatives – A list of tuples representing all the irelative relocations that need to be performed. The first item in the tuple is the address of the resolver function, and the second item is the address of where to write the result. The destination address is an RVA.

• jmprel – A mapping from symbol name to the address of its jump slot relocation, i.e. its GOT entry.

• arch (archinfo.arch.Arch) – The architecture of this binary

• os (str) – The operating system this binary is meant to run under

• mapped_base (int) – The base address of this object in virtual memory

• deps – A list of names of shared libraries this binary depends on

• linking – ‘dynamic’ or ‘static’

• linked_base – The base address this object requests to be loaded at

• pic (bool) – Whether this object is position-independent

• execstack (bool) – Whether this executable has an executable stack

• provides (str) – The name of the shared library dependancy that this object resolves

• symbols (list) – A list of symbols provided by this object, sorted by address

• has_memory – Whether this backend is backed by a Clemory or not. As it stands now, a backend should still define min_addr and max_addr even if has_memory is False.

Parameters

• binary – The path to the binary to load

• binary_stream – The open stream to this binary. The reference to this will be held until you call close.

• is_main_bin – Whether this binary should be loaded as the main executable

is_default = False

loader: Loader

close()

set_arch(arch)

property image_base_delta

property entry

property segments: Regions

property sections

property symbols_by_addr

rebase(new_base)

Rebase backend’s regions to the new base where they were mapped by the loader

relocate()

Apply all resolved relocations to memory.

The meaning of “resolved relocations” is somewhat subtle - there is a linking step which attempts to resolve each relocation, currently only present in the main internal loading function since the calculation of which objects should be available

contains_addr(addr)

Is addr in one of the binary’s segments/sections we have loaded? (i.e. is it mapped into memory ?)

find_loadable_containing(addr)

find_segment_containing(addr)

Returns the segment that contains addr, or None.

find_section_containing(addr)

Returns the section that contains addr or None.

addr_to_offset(addr)

offset_to_addr(offset)

property min_addr

This returns the lowest virtual address contained in any loaded segment of the binary.

property max_addr

This returns the highest virtual address contained in any loaded segment of the binary.

property initializers

Stub function. Should be overridden by backends that can provide initializer functions that ought to be run before execution reaches the entry point. Addresses should be rebased.

property finalizers

Stub function. Like initializers, but with finalizers.

property threads

If this backend represents a dump of a running program, it may contain one or more thread contexts, i.e. register files. This property should contain a list of names for these threads, which should be unique.

thread_registers(thread=None)

If this backend represents a dump of a running program, it may contain one or more thread contexts, i.e. register files. This method should return the register file for a given thread (as named in Backend.threads) as a dict mapping register names (as seen in archinfo) to numbers. If the thread is not specified, it should return the context for a “default” thread. If there are no threads, it should return an empty dict.

initial_register_values()

Deprecated

get_symbol(name)

Stub function. Implement to find the symbol with name name.

static extract_soname(path)

Extracts the shared object identifier from the path, or returns None if it cannot.

classmethod is_compatible(stream)

Determine quickly whether this backend can load an object from this stream

classmethod check_compatibility(spec, obj)

Performs a minimal static load of spec and returns whether it’s compatible with other_obj

classmethod check_magic_compatibility(stream)

Check if a stream of bytes contains the same magic number as the main object

cle.backends.register_backend(name, cls)

class cle.backends.symbol.SymbolType(value)

Bases: Enum

ABI-agnostic symbol types

TYPE_OTHER = 0

TYPE_NONE = 1

TYPE_FUNCTION = 2

TYPE_OBJECT = 3

TYPE_SECTION = 4

TYPE_TLS_OBJECT = 5

class cle.backends.symbol.SymbolSubType(value)

Bases: Enum

Abstract base class for ABI-specific symbol types

to_base_type() → SymbolType

A subclass’ ABI-specific mapping to :SymbolType:

class cle.backends.symbol.Symbol(owner: Backend, name: str, relative_addr: int, size: int, sym_type: SymbolType)

Bases: object

Representation of a symbol from a binary file. Smart enough to rebase itself.

There should never be more than one Symbol instance representing a single symbol. To make sure of this, only use the cle.backends.Backend.get_symbol() to create new symbols.

Variables

• owner (cle.backends.Backend) – The object that contains this symbol

• name (str) – The name of this symbol

• addr (int) – The un-based address of this symbol, an RVA

• size (int) – The size of this symbol

• _type (SymbolType) – The ABI-agnostic type of this symbol

• resolved (bool) – Whether this import symbol has been resolved to a real symbol

• resolvedby (None or cle.backends.Symbol) – The real symbol this import symbol has been resolve to

• resolvewith (str) – The name of the library we must use to resolve this symbol, or None if none is required.

Not documenting this since if you try calling it, you’re wrong.

resolve(obj)

property type: SymbolType

The ABI-agnostic SymbolType. Must be overridden by derived types.

property subtype: SymbolSubType

A subclass’ ABI-specific types

property rebased_addr

The address of this symbol in the global memory space

property linked_addr

property is_function

Whether this symbol is a function

is_static = False

is_common = False

is_import = False

is_export = False

is_local = False

is_weak = False

is_extern = False

is_forward = False

resolve_forwarder()

If this symbol is a forwarding export, return the symbol the forwarding refers to, or None if it cannot be found

property owner_obj

class cle.backends.regions.Regions(lst=None)

Bases: object

A container class acting as a list of regions (sections or segments). Additionally, it keeps an sorted list of all regions that are mapped into memory to allow fast lookups.

We assume none of the regions overlap with others.

property raw_list: List[Region]

Get the internal list. Any change to it is not tracked, and therefore _sorted_list will not be updated. Therefore you probably does not want to modify the list.

Returns

The internal list container.

Return type

list

property max_addr: Optional[int]

Get the highest address of all regions.

Returns

The highest address of all regions, or None if there is no region available.

Return type

int or None

append(region: Region)

Append a new Region instance into the list.

Parameters

region (Region) – The region to append.

remove(region: Region) → None

Remove an existing Region instance from the list.

Parameters

region (Region) – The region to remove.

find_region_containing(addr) → Optional[Region]

Find the region that contains a specific address. Returns None if none of the regions covers the address.

Parameters

addr (int) – The address.

Returns

The region that covers the specific address, or None if no such region is found.

Return type

Region or None

find_region_next_to(addr)

Find the next region after the given address.

Parameters

addr (int) – The address to test.

Returns

The next region that goes after the given address, or None if there is no section after the address,

Return type

Region or None

class cle.backends.region.Region(offset, vaddr, filesize, memsize)

Bases: object

A region of memory that is mapped in the object’s file.

Variables

• offset – The offset into the file the region starts.

• vaddr – The virtual address.

• filesize – The size of the region in the file.

• memsize – The size of the region when loaded into memory.

The prefix v- on a variable or parameter name indicates that it refers to the virtual, loaded memory space, while a corresponding variable without the v- refers to the flat zero-based memory of the file.

When used next to each other, addr and offset refer to virtual memory address and file offset, respectively.

vaddr: int

memsize: int

filesize: int

contains_addr(addr)

Does this region contain this virtual address?

contains_offset(offset)

Does this region contain this offset into the file?

addr_to_offset(addr)

Convert a virtual memory address into a file offset

offset_to_addr(offset)

Convert a file offset into a virtual memory address

property max_addr

The maximum virtual address of this region

property min_addr

The minimum virtual address of this region

property max_offset

The maximum file offset of this region

min_offset()

The minimum file offset of this region

property is_readable: bool

property is_writable: bool

property is_executable: bool

class cle.backends.region.Segment(offset, vaddr, filesize, memsize)

Bases: Region

vaddr: int

memsize: int

filesize: int

class cle.backends.region.EmptySegment(vaddr, memsize, is_readable=True, is_writable=True, is_executable=False)

Bases: Segment

A segment with no static content, and permissions

property is_executable

property is_writable

property is_readable

property only_contains_uninitialized_data

Whether this section is initialized to zero after the executable is loaded.

vaddr: int

memsize: int

filesize: int

class cle.backends.region.Section(name, offset, vaddr, size)

Bases: Region

Simple representation of a loaded section.

Variables

name (str) – The name of the section

Parameters

• name (str) – The name of the section

• offset (int) – The offset into the binary file this section begins

• vaddr (int) – The address in virtual memory this section begins

• size (int) – How large this section is

property is_readable

Whether this section has read permissions

property is_writable

Whether this section has write permissions

property is_executable

Whether this section has execute permissions

vaddr: int

memsize: int

filesize: int

property only_contains_uninitialized_data

Whether this section is initialized to zero after the executable is loaded.

class cle.backends.elf.elf.ELFSymbol(owner, symb)

Bases: Symbol

Represents a symbol for the ELF format.

Variables

• binding (str) – The binding of this symbol as an ELF enum string

• section – The section associated with this symbol, or None

• _subtype – The ELFSymbolType of this symbol

property subtype: ELFSymbolType

class cle.backends.elf.elf.ELF(*args, addend=None, debug_symbols=None, discard_section_headers=False, discard_program_headers=False, **kwargs)

Bases: MetaELF

The main loader class for statically loading ELF executables. Uses the pyreadelf library where useful.

Useful backend options:

• debug_symbols: Provides the path to a separate file which contains the binary’s debug symbols

• discard_section_headers: Do not parse section headers. Use this if they are corrupted or malicious.

• discard_program_headers: Do not parse program headers. Use this if the binary is for a platform whose ELF

  loader only looks at section headers, but whose toolchain generates program headers anyway.

is_default = True

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

close()

classmethod check_compatibility(spec, obj)

classmethod check_magic_compatibility(stream)

static is_compatible(stream)

static extract_arch(reader)

property initializers

property finalizers

property symbols_by_name

get_symbol(symid, symbol_table=None)

Gets a Symbol object for the specified symbol.

Parameters

symid – Either an index into .dynsym or the name of a symbol.

rebase(new_base)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.elf.elfcore.ELFCore(*args, executable=None, remote_file_mapping=None, remote_file_mapper=None, **kwargs)

Bases: ELF

Loader class for ELF core files.

One key pain point when analyzing a core dump generated on a remote machine is that the paths to binaries are absolute (and may not exist or be the same on your local machine).

Therefore, you can use the options `remote_file_mapping to specify a dict mapping (easy if there are a small number of mappings) or remote_file_mapper to specify a function that accepts a remote file name and returns the local file name (useful if there are many mappings).

If you specify both remote_file_mapping and remote_file_mapper, remote_file_mapping is applied first, then the result is passed to remote_file_mapper.

Parameters

• executable – Optional path to the main binary of the core dump. If not supplied, ELFCore will attempt to figure it out automatically from the core dump.

• remote_file_mapping – Optional dict that maps specific file names in the core dump to other file names.

• remote_file_mapper – Optional function that is used to map every file name in the core dump to whatever is returned from this function.

is_default = True

static is_compatible(stream)

property threads

thread_registers(thread=None)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

variables: Optional[List[Variable]]

compilation_units: Optional[List[CompilationUnit]]

References

• http://www.hexblog.com/wp-content/uploads/2012/06/Recon-2012-Skochinsky-Compiler-Internals.pdf

• https://www.airs.com/blog/archives/460

• https://www.airs.com/blog/archives/464

class cle.backends.elf.lsda.ExceptionTableHeader(lp_start, ttype_encoding, ttype_offset, call_site_encoding, call_site_table_len)

Bases: object

lp_start

ttype_encoding

ttype_offset

call_site_encoding

call_site_table_len

class cle.backends.elf.lsda.CallSiteEntry(cs_start, cs_len, cs_lp, cs_action)

Bases: object

cs_start

cs_len

cs_lp

cs_action

class cle.backends.elf.lsda.LSDAExceptionTable(stream, bits, little_endian=True)

Bases: object

LSDA exception table parser.

TODO: Much of this class should be eventually moved to pyelftools.

parse_lsda(address, offset)

class cle.backends.elf.metaelf.MetaELF(*args, **kwargs)

Bases: Backend

A base class that implements functions used by all backends that can load an ELF.

supported_filetypes = ['elf']

property plt

Maps names to addresses.

property reverse_plt

Maps addresses to names.

property is_ppc64_abiv1

Returns whether the arch is PowerPC64 ABIv1.

Returns

True if PowerPC64 ABIv1, False otherwise.

property is_ppc64_abiv2

Returns whether the arch is PowerPC64 ABIv2.

Returns

True if PowerPC64 ABIv2, False otherwise.

property ppc64_initial_rtoc

Get initial rtoc value for PowerPC64 architecture.

static extract_soname(path)

static get_text_offset(path)

Offset of .text in the binary.

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

cle.backends.elf.symbol.maybedecode(string)

class cle.backends.elf.symbol.ELFSymbol(owner, symb)

Bases: Symbol

Represents a symbol for the ELF format.

Variables

• binding (str) – The binding of this symbol as an ELF enum string

• section – The section associated with this symbol, or None

• _subtype – The ELFSymbolType of this symbol

property subtype: ELFSymbolType

class cle.backends.elf.symbol_type.ELFSymbolType(value)

Bases: SymbolSubType

ELF-specific symbol types

This is just a nice way to allow for just specifying the int for default types: ELFSymbolType(10) rather than ELFSymbolType((10,None)).

Idea courtesy: https://stackoverflow.com/q/24105268/1137728.

We don’t need to implement the str parsing like the SO link above since Enum already has built-in item access: ELFSymbolType[‘STT_FUNC’].

STT_NOTYPE = (0, None)

STT_OBJECT = (1, None)

STT_FUNC = (2, None)

STT_SECTION = (3, None)

STT_FILE = (4, None)

STT_COMMON = (5, None)

STT_TLS = (6, None)

STT_LOOS = (10, None)

STT_HIOS = (12, None)

STT_LOPROC = (13, None)

STT_HIPROC = (15, None)

STT_GNU_IFUNC = (10, 'gnu')

property elf_value

property os_proc

property is_custom_os_proc

cle.backends.elf.regions.maybedecode(string)

class cle.backends.elf.regions.ELFSegment(readelf_seg, relro=False)

Bases: Segment

Represents a segment for the ELF format.

property is_readable

property is_writable

property is_executable

property is_relro

vaddr: int

memsize: int

filesize: int

class cle.backends.elf.regions.ELFSection(readelf_sec, remap_offset=0)

Bases: Section

SHF_WRITE = 1

SHF_ALLOC = 2

SHF_EXECINSTR = 4

SHF_STRINGS = 32

SHT_NULL = 'SHT_NULL'

property is_readable

property is_active

property is_writable

property occupies_memory

property is_executable

property is_strings

property only_contains_uninitialized_data

vaddr: int

memsize: int

filesize: int

class cle.backends.elf.hashtable.ELFHashTable(symtab, stream, offset, arch)

Bases: object

Functions to do lookup from a HASH section of an ELF file.

Information: http://docs.oracle.com/cd/E23824_01/html/819-0690/chapter6-48031.html

Parameters

• symtab – The symbol table to perform lookups from (as a pyelftools SymbolTableSection).

• stream – A file-like object to read from the ELF’s memory.

• offset – The offset in the object where the table starts.

• arch – The ArchInfo object for the ELF file.

get(k)

Perform a lookup. Returns a pyelftools Symbol object, or None if there is no match.

Parameters

k – The string to look up.

static elf_hash(key)

class cle.backends.elf.hashtable.GNUHashTable(symtab, stream, offset, arch)

Bases: object

Functions to do lookup from a GNU_HASH section of an ELF file.

Information: https://blogs.oracle.com/ali/entry/gnu_hash_elf_sections

Parameters

• symtab – The symbol table to perform lookups from (as a pyelftools SymbolTableSection).

• stream – A file-like object to read from the ELF’s memory.

• offset – The offset in the object where the table starts.

• arch – The ArchInfo object for the ELF file.

get(k)

Perform a lookup. Returns a pyelftools Symbol object, or None if there is no match.

Parameters

k – The string to look up

static gnu_hash(key)

class cle.backends.elf.variable.Variable(name: Optional[str], type_: Optional[VariableType], decl_file: Optional[str], decl_line: Optional[int], addr: Optional[int] = None, sort: str = '')

Bases: object

Variable for DWARF from a DW_TAG_variable or DW_TAG_formal_parameter

class cle.backends.elf.subprogram.Subprogram(name, low_pc, high_pc)

Bases: object

DW_TAG_subprogram for DWARF

local_variables: List[Variable] = []

class cle.backends.elf.variable_type.VariableType(name: str, byte_size: int)

Bases: object

DW_TAG_base_type for DWARF

static read_from_die(die: DIE)

class cle.backends.elf.compilation_unit.CompilationUnit(name, comp_dir, low_pc, high_pc, language)

Bases: object

CompilationUnit for DWARF See http://dwarfstd.org/doc/DWARF5.pdf page 60

class cle.backends.named_region.NamedRegion(name, start, end, is_readable=True, is_writable=True, is_executable=False, **kwargs)

Bases: Backend

A NamedRegion represents a region of memory that has a name, a location, but no static content.

This region also has permissions; with no memory, these obviously don’t do anything on their own, but they help inform any other code that relies on CLE (e.g., angr)

This can be used as a placeholder for memory that should exist in CLE’s view, but for which it does not need data, like RAM, MMIO, etc

Create a NamedRegion.

Parameters

• name – The name of the region

• start – The start address of the region

• end – The end address (exclusive) of the region

• is_readable – Whether the region is readable

• is_writable – Whether the region is writable

• is_executable – Whether the region is executable

• kwargs –

is_default = False

has_memory = False

static is_compatible(stream)

property min_addr

property max_addr

function_name(addr)

NamedRegions don’t support function names.

contains_addr(addr)

classmethod check_compatibility(spec, obj)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.pe.pe.PE(*args, **kwargs)

Bases: Backend

Representation of a PE (i.e. Windows) binary.

is_default = True

static is_compatible(stream)

classmethod check_magic_compatibility(stream)

classmethod check_compatibility(spec, obj)

close()

get_symbol(name)

Look up the symbol with the given name. Symbols can be looked up by ordinal with the name "ordinal.%d" % num

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.pe.symbol.WinSymbol(owner, name, addr, is_import, is_export, ordinal_number, forwarder)

Bases: Symbol

Represents a symbol for the PE format.

resolve_forwarder()

class cle.backends.pe.regions.PESection(pe_section, remap_offset=0)

Bases: Section

Represents a section for the PE format.

filesize: int

property is_readable

property is_writable

property is_executable

property only_contains_uninitialized_data

vaddr: int

memsize: int

class cle.backends.macho.macho.MachO(*args, **kwargs)

Bases: Backend

Mach-O binaries for CLE

The Mach-O format is notably different from other formats, as such: * Sections are always part of a segment, self.sections will thus be empty * Symbols cannot be categorized like in ELF * Symbol resolution must be handled by the binary * Rebasing cannot be done statically (i.e. self.mapped_base is ignored for now) * …

is_default = True

MH_MAGIC_64 = 4277009103

MH_CIGAM_64 = 3489328638

MH_MAGIC = 4277009102

MH_CIGAM = 3472551422

ncmds: int

sizeofcmds: int

classmethod is_compatible(stream)

is_thumb_interworking(address)

Returns true if the given address is a THUMB interworking address

decode_thumb_interworking(address)

Decodes a thumb interworking address

find_segment_by_name(name)

do_binding()

get_string(start)

Loads a string from the string table

parse_lc_str(f, start, limit: Optional[int] = None)

Parses a lc_str data structure

S

alias of TypeVar(‘S’, bound=Union[Structure, Union])

get_symbol_by_address_fuzzy(address)

Locates a symbol by checking the given address against sym.addr, sym.bind_xrefs and sym.symbol_stubs

get_symbol(name, include_stab=False, fuzzy=False)

Returns all symbols matching name.

Note that especially when include_stab=True there may be multiple symbols with the same name, therefore this method always returns an array.

Parameters

• name – the name of the symbol

• include_stab – Include debugging symbols NOT RECOMMENDED

• fuzzy – Replace exact match with “contains”-style match

get_symbol_by_insertion_order(idx: int) → AbstractMachOSymbol

Parameters

idx – idx when this symbol was inserted

Returns

get_segment_by_name(name)

Searches for a MachOSegment with the given name and returns it :param name: Name of the sought segment :return: MachOSegment or None

class cle.backends.macho.macho.MachOSection(offset, vaddr, size, vsize, segname, sectname, align, reloff, nreloc, flags, r1, r2, parent_segment: Optional[MachOSegment] = None)

Bases: Section

Mach-O Section, only defined within the context of a Mach-O Segment.

• offset is the offset into the file the region starts

• vaddr (or just addr) is the virtual address

• filesize (or just size) is the size of the region in the file

• memsize (or vsize) is the size of the region when loaded into memory

• segname is the corresponding segment’s name without padding

• sectname is the section’s name without padding

• align is the sections alignment as a power of 2

• reloff is the file offset to the section’s relocation entries

• nreloc is the number of relocation entries for this section

• flags is a bit vector containing per-section flags

• r1 and r2 are values for the reserved1 and reserved2 fields respectively

filesize: int

memsize: int

property type

property attributes

property is_readable

Always true, because sections should always be readable :return:

property is_writable

Returns the permission of the parent segment, because MachO sections simply inherit that :return:

property is_executable

Returns the permission of the parent segment, because MachO sections simply inherit that :return:

property only_contains_uninitialized_data

I actually don’t know if this is true, but it seems like a saner assumption than true :return:

vaddr: int

class cle.backends.macho.macho.MachOSegment(offset, vaddr, size, vsize, segname, nsect, sections, flags, initprot, maxprot)

Bases: Segment

Mach-O Segment

• offset is the offset into the file the region starts

• vaddr (or just addr) is the virtual address

• filesize (or just size) is the size of the region in the file

• memsize (or vsize) is the size of the region when loaded into memory

• segname is the segment’s name without padding

• nsect is the number of sections contained in this segment

• sections is an array of MachOSections

• flags is a bit vector containing per-segment flags

• initprot and maxprot are initial and maximum permissions respectively

get_section_by_name(name)

Searches for a section by name within this segment :param name: Name of the section :return: MachOSection or None

property is_readable

property is_writable

property is_executable

vaddr: int

memsize: int

filesize: int

class cle.backends.macho.symbol.AbstractMachOSymbol(owner: Backend, name: str, relative_addr: int, size: int, sym_type: SymbolType)

Bases: Symbol

Base class for Mach-O symbols. Defines the minimum common properties all types of mach-o symbols must have

property library_ordinal

property is_stab

property library_name

class cle.backends.macho.symbol.SymbolTableSymbol(owner: MachO, symtab_offset, n_strx, n_type, n_sect, n_desc, n_value)

Bases: AbstractMachOSymbol

“Regular” symbol. Made to be (somewhat) compatible with backends.Symbol. A SymbolTableSymbol is an entry in the binary’s symbol table.

Note that ELF-specific fields from backends.Symbol are not used and semantics of the remaining fields differ in many cases. As a result most stock functionality from Angr and related libraries WILL NOT WORK PROPERLY on MachOSymbol.

Much of the code below is based on heuristics as official documentation is sparse, consider yourself warned!

owner: MachO

property library_name

property segment_name

property section_name

property value

property referenced_symbol_index

For indirect symbols n_value contains an index into the string table indicating the referenced symbol’s name

is_weak()

property is_function

property rebased_addr

property is_stab

property is_private_external

property is_external

property sym_type

property is_common

property common_align

property reference_type

property library_ordinal

property is_no_dead_strip

property is_desc_discarded

property is_weak_referenced

property is_weak_defined

property is_reference_to_weak

property is_thumb_definition

property is_symbol_resolver

property is_alt_entry

class cle.backends.macho.symbol.DyldBoundSymbol(owner, name, lib_ordinal)

Bases: AbstractMachOSymbol

The new kind of symbol handling introduced with ios15

Based on the constructor of BindingSymbol

property library_name

property is_function

property rebased_addr

demangled_name()

property library_ordinal

class cle.backends.macho.symbol.BindingSymbol(owner, name, lib_ordinal)

Bases: AbstractMachOSymbol

“Binding” symbol. Made to be (somewhat) compatible with backends.Symbol. A BindingSymbol is an imported symbol discovered during the binding process.

Note that ELF-specific fields from backends.Symbol are not used and semantics of the remaining fields differ in many cases. As a result most stock functionality from Angr and related libraries WILL NOT WORK PROPERLY on MachOSymbol.

Much of the code below is based on heuristics as official documentation is sparse, consider yourself warned!

property library_name

property is_function

property rebased_addr

demangled_name()

property library_ordinal

class cle.backends.macho.section.MachOSection(offset, vaddr, size, vsize, segname, sectname, align, reloff, nreloc, flags, r1, r2, parent_segment: Optional[MachOSegment] = None)

Bases: Section

Mach-O Section, only defined within the context of a Mach-O Segment.

• offset is the offset into the file the region starts

• vaddr (or just addr) is the virtual address

• filesize (or just size) is the size of the region in the file

• memsize (or vsize) is the size of the region when loaded into memory

• segname is the corresponding segment’s name without padding

• sectname is the section’s name without padding

• align is the sections alignment as a power of 2

• reloff is the file offset to the section’s relocation entries

• nreloc is the number of relocation entries for this section

• flags is a bit vector containing per-section flags

• r1 and r2 are values for the reserved1 and reserved2 fields respectively

filesize: int

memsize: int

property type

property attributes

property is_readable

Always true, because sections should always be readable :return:

property is_writable

Returns the permission of the parent segment, because MachO sections simply inherit that :return:

property is_executable

Returns the permission of the parent segment, because MachO sections simply inherit that :return:

property only_contains_uninitialized_data

I actually don’t know if this is true, but it seems like a saner assumption than true :return:

vaddr: int

class cle.backends.macho.segment.MachOSegment(offset, vaddr, size, vsize, segname, nsect, sections, flags, initprot, maxprot)

Bases: Segment

Mach-O Segment

• offset is the offset into the file the region starts

• vaddr (or just addr) is the virtual address

• filesize (or just size) is the size of the region in the file

• memsize (or vsize) is the size of the region when loaded into memory

• segname is the segment’s name without padding

• nsect is the number of sections contained in this segment

• sections is an array of MachOSections

• flags is a bit vector containing per-segment flags

• initprot and maxprot are initial and maximum permissions respectively

get_section_by_name(name)

Searches for a section by name within this segment :param name: Name of the section :return: MachOSection or None

property is_readable

property is_writable

property is_executable

vaddr: int

memsize: int

filesize: int

cle.backends.macho.binding.chh(x)

cle.backends.macho.binding.read_uleb(blob: bytes, offset: int) → Tuple[int, int]

Reads a number encoded as uleb128

cle.backends.macho.binding.read_sleb(blob, offset)

Reads a number encoded as sleb128

class cle.backends.macho.binding.BindingState(is_64)

Bases: object

State object

add_address_ov(address, addend)

this is a very ugly klugde. It is needed because dyld relies on overflow semantics and represents several negative offsets through BIG ulebs

check_address_bounds()

class cle.backends.macho.binding.BindingHelper(binary)

Bases: object

Factors out binding logic from MachO. Intended to work in close conjunction with MachO not for standalone use

binary: MachO

do_normal_bind(blob: bytes)

Performs non-lazy, non-weak bindings :param blob: Blob containing binding opcodes

do_lazy_bind(blob)

Performs lazy binding

cle.backends.macho.binding.n_opcode_done(s: BindingState, _b: MachO, _i: int, _blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_set_dylib_ordinal_imm(s: BindingState, _b: MachO, i: int, _blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_set_dylib_ordinal_uleb(s: BindingState, _b: MachO, _i: int, blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_set_dylib_special_imm(s: BindingState, _b: MachO, i: int, _blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_set_trailing_flags_imm(s: BindingState, _b: MachO, i: int, blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_set_type_imm(s: BindingState, _b: MachO, i: int, _blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_set_addend_sleb(s: BindingState, _b: MachO, _i: int, blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_set_segment_and_offset_uleb(s: BindingState, b: MachO, i: int, blob: bytes) → BindingState

cle.backends.macho.binding.l_opcode_set_segment_and_offset_uleb(s: BindingState, b: MachO, i: int, blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_add_addr_uleb(s: BindingState, _b: MachO, _i: int, blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_do_bind(s: BindingState, b: MachO, _i: int, _blob: bytes) → BindingState

cle.backends.macho.binding.l_opcode_do_bind(s: BindingState, b: MachO, _i: int, _blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_do_bind_add_addr_uleb(s: BindingState, b: MachO, _i: int, blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_do_bind_add_addr_imm_scaled(s: BindingState, b: MachO, i: int, _blob: bytes) → BindingState

cle.backends.macho.binding.n_opcode_do_bind_uleb_times_skipping_uleb(s: BindingState, b: MachO, _i: int, blob: bytes) → BindingState

class cle.backends.macho.binding.MachORelocation(owner: Backend, symbol: AbstractMachOSymbol, relative_addr: int, data)

Bases: Relocation

Generic Relocation for MachO. For now it just deals with symbols

resolve_symbol(solist, thumb=False, extern_object=None, **kwargs)

property dest_addr

mach-o rebasing is hard to handle, so this behaviour differs from other relocations

property value

cle.backends.macho.binding.default_binding_handler(state: BindingState, binary: MachO)

Binds location to the symbol with the given name and library ordinal

class cle.backends.macho.macho_load_commands.LoadCommands(value)

Bases: IntEnum

Enum for all the Load Commands used inside the MachO Binary

LC_REQ_DYLD = 2147483648

LC_SEGMENT = 1

LC_SYMTAB = 2

LC_SYMSEG = 3

LC_THREAD = 4

LC_UNIXTHREAD = 5

LC_LOADFVMLIB = 6

LC_IDFVMLIB = 7

LC_IDENT = 8

LC_FVMFILE = 9

LC_PREPAGE = 10

LC_DYSYMTAB = 11

LC_LOAD_DYLIB = 12

LC_ID_DYLIB = 13

LC_LOAD_DYLINKER = 14

LC_ID_DYLINKER = 15

LC_PREBOUND_DYLIB = 16

LC_ROUTINES = 17

LC_SUB_FRAMEWORK = 18

LC_SUB_UMBRELLA = 19

LC_SUB_CLIENT = 20

LC_SUB_LIBRARY = 21

LC_TWOLEVEL_HINTS = 22

LC_PREBIND_CKSUM = 23

LC_LOAD_WEAK_DYLIB = 2147483672

LC_SEGMENT_64 = 25

LC_ROUTINES_64 = 26

LC_UUID = 27

LC_RPATH = 2147483676

LC_CODE_SIGNATURE = 29

LC_SEGMENT_SPLIT_INFO = 30

LC_REEXPORT_DYLIB = 2147483679

LC_LAZY_LOAD_DYLIB = 32

LC_ENCRYPTION_INFO = 33

LC_DYLD_INFO = 34

LC_DYLD_INFO_ONLY = 2147483682

LC_LOAD_UPWARD_DYLIB = 2147483683

LC_VERSION_MIN_MACOSX = 36

LC_VERSION_MIN_IPHONEOS = 37

LC_FUNCTION_STARTS = 38

LC_DYLD_ENVIRONMENT = 39

LC_MAIN = 2147483688

LC_DATA_IN_CODE = 41

LC_SOURCE_VERSION = 42

LC_DYLIB_CODE_SIGN_DRS = 43

LC_ENCRYPTION_INFO_64 = 44

LC_LINKER_OPTION = 45

LC_LINKER_OPTIMIZATION_HINT = 46

LC_VERSION_MIN_TVOS = 47

LC_VERSION_MIN_WATCHOS = 48

LC_NOTE = 49

LC_BUILD_VERSION = 50

LC_DYLD_EXPORTS_TRIE = 2147483699

LC_DYLD_CHAINED_FIXUPS = 2147483700

class cle.backends.macho.structs.HelperStruct

Bases: Structure

Subclass of ctypes.Structure that adds a helpful repr method for debugging

class cle.backends.macho.structs.DyldImportFormats(value)

Bases: IntEnum

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L249-L254

DYLD_CHAINED_IMPORT = 1

DYLD_CHAINED_IMPORT_ADDEND = 2

DYLD_CHAINED_IMPORT_ADDEND64 = 3

class cle.backends.macho.structs.DyldChainedPtrFormats(value)

Bases: IntEnum

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L89-L104

DYLD_CHAINED_PTR_ARM64E = 1

DYLD_CHAINED_PTR_64 = 2

DYLD_CHAINED_PTR_32 = 3

DYLD_CHAINED_PTR_32_CACHE = 4

DYLD_CHAINED_PTR_32_FIRMWARE = 5

DYLD_CHAINED_PTR_64_OFFSET = 6

DYLD_CHAINED_PTR_ARM64E_KERNEL = 7

DYLD_CHAINED_PTR_64_KERNEL_CACHE = 8

DYLD_CHAINED_PTR_ARM64E_USERLAND = 9

DYLD_CHAINED_PTR_ARM64E_FIRMWARE = 10

DYLD_CHAINED_PTR_X86_64_KERNEL_CACHE = 11

DYLD_CHAINED_PTR_ARM64E_USERLAND24 = 12

class cle.backends.macho.structs.dyld_chained_ptr_arm64e_auth_rebase

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L128-L138

class cle.backends.macho.structs.dyld_chained_ptr_arm64e_auth_bind

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L140-L151

class cle.backends.macho.structs.dyld_chained_ptr_arm64e_rebase

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L107-L115

class cle.backends.macho.structs.dyld_chained_ptr_arm64e_bind

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L117-L126

class cle.backends.macho.structs.dyld_chained_ptr_arm64e_bind24

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L164-L173

class cle.backends.macho.structs.dyld_chained_ptr_arm64e_auth_bind24

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L175-L186

class cle.backends.macho.structs.Arm64e

Bases: Union

named after the Union Arm64e from dyld MachOLoaded.h https://github.com/apple-opensource/dyld/blob/852.2/dyld3/MachOLoaded.h#L89-L103

authRebase: dyld_chained_ptr_arm64e_auth_rebase

Structure/Union member

authBind: dyld_chained_ptr_arm64e_auth_bind

Structure/Union member

rebase: dyld_chained_ptr_arm64e_rebase

Structure/Union member

bind: dyld_chained_ptr_arm64e_bind

Structure/Union member

bind24: dyld_chained_ptr_arm64e_bind24

Structure/Union member

authBind24: dyld_chained_ptr_arm64e_auth_bind24

Structure/Union member

static check_valid_pointer_format(pointer_format: DyldChainedPtrFormats) → bool

helper to check if a pointer format is relevant for this :param pointer_format: :return:

class cle.backends.macho.structs.dyld_chained_ptr_64_rebase

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L153-L161

target: int

Structure/Union member

high8: int

Structure/Union member

next: int

Structure/Union member

bind: int

Structure/Union member

property unpackedTarget

class cle.backends.macho.structs.dyld_chained_ptr_64_bind

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L189-L197

ordinal: int

Structure/Union member

addend: int

Structure/Union member

next: int

Structure/Union member

bind: int

Structure/Union member

class cle.backends.macho.structs.Generic64

Bases: Union

named after the Union Generic64 from dyld MachOLoaded.h https://github.com/apple-opensource/dyld/blob/852.2/dyld3/MachOLoaded.h#L105-L111

rebase: dyld_chained_ptr_64_rebase

Structure/Union member

bind: dyld_chained_ptr_64_bind

Structure/Union member

static check_valid_pointer_format(pointer_format: DyldChainedPtrFormats) → bool

class cle.backends.macho.structs.ChainedFixupPointerOnDisk

Bases: Union

the ChainedFixupPointerOnDisk union from dyld MachOLoaded.h https://github.com/apple-opensource/dyld/blob/852.2/dyld3/MachOLoaded.h#L87-L141

generic64: Generic64

Structure/Union member

arm64e: Arm64e

Structure/Union member

isBind(pointer_format: DyldChainedPtrFormats) → Optional[Tuple[int, int]]

Port of ChainedFixupPointerOnDisk::isBind(uint16_t pointerFormat, uint32_t& bindOrdinal, int64_t& addend) https://github.com/apple-opensource/dyld/blob/852.2/dyld3/MachOLoaded.cpp#L1098-L1147 Returns None if not a bind (so if struct.isBind() works), :return:

isRebase(pointer_format: DyldChainedPtrFormats, preferredLoadAddress: int) → Optional[int]

port of ChainedFixupPointerOnDisk::isRebase( uint16_t pointerFormat, uint64_t preferedLoadAddress, uint64_t& targetRuntimeOffset) https://github.com/apple-opensource/dyld/blob/852.2/dyld3/MachOLoaded.cpp#L1046-L1096 :param pointer_format: :param preferredLoadAddress: I think that’s just the requested base address :return:

class cle.backends.macho.structs.DyldImportStruct

Bases: HelperStruct

Meta Struct for the different kind of import structs and the fields they are all guaranteed to have

lib_ordinal: int

weak_import: bool

name_offset: int

static get_struct(pointer: DyldImportFormats) → Type[DyldImportStruct]

class cle.backends.macho.structs.dyld_chained_import

Bases: DyldImportStruct

Struct for symbol format DYLD_CHAINED_IMPORT

lib_ordinal: int

Structure/Union member

name_offset: int

Structure/Union member

weak_import: bool

Structure/Union member

class cle.backends.macho.structs.dyld_chained_import_addend

Bases: DyldImportStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L264-L271

addend: int

Structure/Union member

lib_ordinal: int

Structure/Union member

name_offset: int

Structure/Union member

weak_import: bool

Structure/Union member

class cle.backends.macho.structs.dyld_chained_import_addend64

Bases: DyldImportStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L273-L281

addend: int

Structure/Union member

lib_ordinal: int

Structure/Union member

name_offset: int

Structure/Union member

reserved

Structure/Union member

weak_import: bool

Structure/Union member

class cle.backends.macho.structs.dyld_chained_fixups_header

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L36-L46

fixups_version: int

Structure/Union member

starts_offset: int

Structure/Union member

imports_offset: int

Structure/Union member

symbols_offset: int

Structure/Union member

imports_count: int

Structure/Union member

imports_format: DyldImportFormats

Structure/Union member

symbols_format: int

Structure/Union member

class cle.backends.macho.structs.dyld_chained_starts_in_image

Bases: Structure

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L48-L54

seg_count: int

Structure/Union member

seg_info_offset: Array

Structure/Union member

class cle.backends.macho.structs.dyld_chained_starts_in_segment

Bases: HelperStruct

https://github.com/apple-opensource/dyld/blob/852.2/include/mach-o/fixup-chains.h#L56-L72

page_size: int

Structure/Union member

segment_offset: int

Structure/Union member

max_valid_pointer: int

Structure/Union member

page_count: int

Structure/Union member

page_start: int

Structure/Union member

property pointer_format: DyldChainedPtrFormats

exception cle.backends.minidump.MinidumpMissingStreamError(stream, message=None)

Bases: Exception

class cle.backends.minidump.Minidump(*args, **kwargs)

Bases: Backend

is_default = True

close()

static is_compatible(stream)

property threads

thread_registers(thread=None)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

get_thread_registers_by_id(thread_id)

class cle.backends.cgc.cgc.CGC(binary, binary_stream, *args, **kwargs)

Bases: ELF

Backend to support the CGC elf format used by the Cyber Grand Challenge competition.

See : https://github.com/CyberGrandChallenge/libcgcef/blob/master/cgc_executable_format.md

is_default = True

static is_compatible(stream)

supported_filetypes = ['cgc']

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

variables: Optional[List[Variable]]

compilation_units: Optional[List[CompilationUnit]]

class cle.backends.cgc.backedcgc.FakeSegment(start, size)

Bases: Segment

vaddr: int

memsize: int

filesize: int

class cle.backends.cgc.backedcgc.BackedCGC(*args, memory_backer=None, register_backer=None, writes_backer=None, permissions_map=None, current_allocation_base=None, **kwargs)

Bases: CGC

This is a backend for CGC executables that allows user provide a memory backer and a register backer as the initial state of the running binary.

Parameters

• path – File path to CGC executable.

• memory_backer – A dict of memory content, with beginning address of each segment as key and actual memory content as data.

• register_backer – A dict of all register contents. EIP will be used as the entry point of this executable.

• permissions_map – A dict of memory region to permission flags

• current_allocation_base – An integer representing the current address of the top of the CGC heap.

is_default = True

static is_compatible(stream)

property threads

thread_registers(thread=None)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

variables: Optional[List[Variable]]

compilation_units: Optional[List[CompilationUnit]]

class cle.backends.blob.Blob(*args, offset=None, segments=None, **kwargs)

Bases: Backend

Representation of a binary blob, i.e. an executable in an unknown file format.

Parameters

• arch – (required) an archinfo.Arch for the binary blob.

• offset – Skip this many bytes from the beginning of the file.

• segments – List of tuples describing how to map data into memory. Tuples are of (file_offset, mem_addr, size).

You can’t specify both offset and segments.

is_default = True

static is_compatible(stream)

property min_addr

property max_addr

function_name(addr)

Blobs don’t support function names.

contains_addr(addr)

in_which_segment(addr)

Blobs don’t support segments.

classmethod check_compatibility(spec, obj)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.ihex.Hex(*args, **kwargs)

Bases: Backend

A loader for Intel Hex Objects See https://en.wikipedia.org/wiki/Intel_HEX

is_default = True

static parse_record(line)

static coalesce_regions(regions)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

static is_compatible(stream)

class cle.backends.binja.BinjaSymbol(owner, sym)

Bases: Symbol

BINJA_FUNC_SYM_TYPES = []

BINJA_DATA_SYM_TYPES = []

BINJA_IMPORT_TYPES = []

class cle.backends.binja.BinjaReloc(owner: Backend, symbol: Symbol, relative_addr: int)

Bases: Relocation

property value

class cle.backends.binja.BinjaBin(binary, *args, **kwargs)

Bases: Backend

Get information from binaries using Binary Ninja. Basing this on idabin.py, but will try to be more complete. TODO: add more features as Binary Ninja’s feature set improves

is_default = True

BINJA_ARCH_MAP = {'aarch64': <Arch AARCH64 (LE)>, 'armv7': <Arch ARMEL (LE)>, 'armv7eb': <Arch ARMEL (BE)>, 'mips32': <Arch MIPS32 (BE)>, 'mipsel32': <Arch MIPS32 (LE)>, 'ppc': <Arch PPC32 (BE)>, 'ppc_le': <Arch PPC32 (LE)>, 'thumb2': <Arch ARMEL (LE)>, 'thumb2eb': <Arch ARMEL (BE)>, 'x86': <Arch X86 (LE)>, 'x86_64': <Arch AMD64 (LE)>}

static is_compatible(stream)

in_which_segment(addr)

Return the segment name at address addr.

get_symbol_addr(sym)

Get the address of the symbol sym from IDA.

Returns

An address.

function_name(addr)

Return the function name at address addr.

property min_addr

this is probably not “right”)

Type

Get the min address of the binary. (note

property max_addr

Get the max address of the binary.

property entry

get_strings()

Extract strings from binary (Binary Ninja).

Returns

An array of strings.

set_got_entry(name, newaddr)

Resolve import name with address newaddr. That is, update the GOT entry for name with newaddr.

close()

Release the BinaryView we created in __init__ :return: None

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.externs.ExternSegment(map_size)

Bases: Segment

addr_to_offset(addr)

offset_to_addr(offset)

contains_offset(offset)

is_readable = True

is_writable = True

is_executable = True

vaddr: int

memsize: int

filesize: int

class cle.backends.externs.TOCRelocation(owner: Backend, symbol: Symbol, relative_addr: int)

Bases: Relocation

property value

class cle.backends.externs.ExternObject(loader, map_size=0, tls_size=0)

Bases: Backend

rebase(new_base)

make_extern(name, size=0, alignment=None, thumb=False, sym_type=SymbolType.TYPE_FUNCTION, point_to=None, libname=None) → Symbol

get_pseudo_addr(name) → int

allocate(size=1, alignment=8, thumb=False, tls=False) → int

property max_addr

make_import(name, sym_type)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.externs.KernelObject(loader, map_size=32768)

Bases: Backend

add_name(name, addr)

property max_addr

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.externs.PointToPrecise(owner: Backend, name: str, relative_addr: int, size: int, sym_type: SymbolType)

Bases: PointTo

Not documenting this since if you try calling it, you’re wrong.

pointto_precise = None

relocations()

class cle.backends.externs.simdata.SimData(owner: Backend, name: str, relative_addr: int, size: int, sym_type: SymbolType)

Bases: Symbol

A SimData class is used to provide data when there is an unresolved data import symbol.

To use it, subclass this class and implement the below attributes and methods.

Variables

• name – The name of the symbol to provide

• libname – The name of the library from which the symbol originally comes (currently unused).

• type – The type of the symbol, usually SymbolType.TYPE_OBJECT.

Use the below register method to register SimData subclasses with CLE.

NOTE: SimData.type hides the Symbol.type instance property

Not documenting this since if you try calling it, you’re wrong.

name: str = NotImplemented

type: SymbolType = NotImplemented

libname: str = NotImplemented

classmethod static_size(owner) → int

Implement me: return the size of the symbol in bytes before it gets constructed

Parameters

owner – The ExternObject owning the symbol-to-be. Useful to get at owner.arch.

value() → bytes

Implement me: the initial value of the bytes in memory for the symbol. Should return a bytestring of the same length as static_size returned. (owner is self.owner now)

relocations() → List[Relocation]

Maybe implement me: If you like, return a list of relocation objects to apply. To create new import symbols, use self.owner.make_extern_import.

cle.backends.externs.simdata.register(simdata_cls: Type[SimData])

Register the given SimData class with CLE so it may be used during loading

cle.backends.externs.simdata.lookup(name: str, libname) → Optional[Type[SimData]]

class cle.backends.externs.simdata.common.StaticData(owner: Backend, name: str, relative_addr: int, size: int, sym_type: SymbolType)

Bases: SimData

A simple SimData utility class to use when you have a SimData which should provide just a static set of bytes. To use, implement the following:

Variables

• name – The name of the symbol to provide.

• libname – The name of the library from which the symbol originally comes (currently unused).

• data – The bytes to provide

Not documenting this since if you try calling it, you’re wrong.

type: SymbolType = 3

data: bytes = NotImplemented

classmethod static_size(owner)

value()

class cle.backends.externs.simdata.common.StaticWord(owner: Backend, name: str, relative_addr: int, size: int, sym_type: SymbolType)

Bases: SimData

A simple SimData utility class to use when you have a SimData which should provide just a static integer. To use, implement the following:

Variables

• name – The name of the symbol to provide.

• libname – The name of the library from which the symbol originally comes (currently unused).

• word – The value to provide

• wordsize – (optional) The size of the value in bytes, default the CPU wordsize

Not documenting this since if you try calling it, you’re wrong.

type: SymbolType = 3

word: int = NotImplemented

wordsize: int = None

classmethod static_size(owner)

value()

class cle.backends.externs.simdata.common.PointTo(owner: Backend, name: str, relative_addr: int, size: int, sym_type: SymbolType)

Bases: SimData

A simple SimData utility class to use when you have a SimData which should provide just a pointer to some other symbol. To use, implement the following:

Variables

• name – The name of the symbol to provide.

• libname – The name of the library from which the symbol originally comes (currently unused).

• pointto_name – The name of the symbol to point to

• pointto_type – The type of the symbol to point to (usually SymbolType.TYPE_FUNCTION or SymbolType.TYPE_OBJECT)

• addend – (optional) an integer to be added to the symbol’s address before storage

Not documenting this since if you try calling it, you’re wrong.

pointto_name: str = NotImplemented

pointto_type: SymbolType = NotImplemented

type: SymbolType = 3

addend: int = 0

classmethod static_size(owner)

value()

relocations()

class cle.backends.externs.simdata.common.SimDataSimpleRelocation(owner, symbol, addr, addend, preresolved=False)

Bases: Relocation

A relocation used to implement PointTo. Pretty simple.

resolve_symbol(solist, **kwargs)

property value

Constant values for lifecycle of Apk.

class cle.backends.java.apk.Apk(apk_path, binary_stream, entry_point=None, entry_point_params=(), android_sdk=None, supported_jni_archs=None, jni_libs=None, jni_libs_ld_path=None, **options)

Bases: Soot

Backend for lifting Apk’s to Soot.

Parameters

• apk_path – Path to APK.

• android_sdk – Path to Android SDK folder (e.g. “/home/angr/android/platforms”)

The following parameters are optional

Parameters

• entry_point – Fully qualified name of method that should be used as the entry point.

• supported_jni_archs – List of supported JNI architectures (ABIs) in descending order of preference.

• jni_libs – Name(s) of JNI libs to load (if any). If not specified, we try to extract JNI libs from the APK.

• jni_libs_ld_path – Path(s) where to find libs defined by param jni_libs. Note: Directory of the APK is added by default.

is_default = True

get_callbacks(class_name: str, callback_names: List[str]) → List[None]

Get callback methods from the name of callback methods.

Parameters

• class_name – Name of the class.

• callback_names – Name list of the callbacks.

Returns

The method object which is callback.

Return type

list[pysoot.sootir.soot_method.SootMethod]

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

static is_compatible(stream)

class cle.backends.java.jar.Jar(jar_path, binary_stream, entry_point=None, entry_point_params=('java.lang.String[]',), jni_libs=None, jni_libs_ld_path=None, **kwargs)

Bases: Soot

Backend for lifting JARs to Soot.

Parameters

jar_path – Path to JAR.

The following parameters are optional

Parameters

• entry_point – Fully qualified name of method that should be used as the entry point. If not specified, we try to parse it from the manifest.

• additional_jars – Additional JARs.

• additional_jar_roots – Additional JAR roots.

• jni_libs – Name(s) of JNI libs to load (if any).

• jni_libs_ld_path – Path(s) where to find libs defined by param jni_libs. Note: Directory of the JAR is added by default.

is_default = True

static is_compatible(stream)

get_manifest(binary_path=None)

Load the MANIFEST.MF file

Returns

A dict of meta info

Return type

dict

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.java.soot.Soot(*args, entry_point=None, entry_point_params=(), input_format=None, additional_jars=None, additional_jar_roots=None, jni_libs_ld_path=None, jni_libs=None, android_sdk=None, **kwargs)

Bases: Backend

The basis backend for lifting and loading bytecode from JARs and APKs to Soot IR.

Note that self.min_addr will be 0 and self.max_addr will be 1. Hopefully no other object will be mapped at address 0.

property max_addr

property entry

property classes

get_soot_class(cls_name, none_if_missing=False)

Get Soot class object.

Parameters

cls_name (str) – Name of the class.

Returns

The class object.

Return type

pysoot.soot.SootClass

get_soot_method(thing, class_name=None, params=(), none_if_missing=False)

Get Soot method object.

Parameters

• thing – Descriptor or the method, or name of the method.

• class_name (str) – Name of the class. If not specified, class name can be parsed from method_name.

Returns

Soot method that satisfy the criteria.

property main_methods

Find all Main methods in this binary.

Returns

All main methods in each class.

Return type

iterator

static is_zip_archive(stream)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.xbe.XBESection(name, file_offset, file_size, virtual_addr, virtual_size, xbe_sec)

Bases: Section

filesize: int

property is_readable

Whether this section has read permissions

property is_writable

Whether this section has write permissions

property is_executable

Whether this section has execute permissions

property only_contains_uninitialized_data

We load every section in, they’re all initialized

vaddr: int

memsize: int

class cle.backends.xbe.XBE(*args, **kwargs)

Bases: Backend

The main loader class for statically loading XBE executables.

is_default = True

close()

static is_compatible(stream)

property min_addr

property max_addr

classmethod check_compatibility(spec, obj)

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

arch: Optional[archinfo.Arch]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.static_archive.StaticArchive(*args, **kwargs)

Bases: Backend

classmethod is_compatible(stream)

is_default = True

arch: Optional[archinfo.Arch]

loader: Loader

symbols: sortedcontainers.SortedKeyList[Symbol]

imports: Dict[str, 'Relocation']

relocs: List[Relocation]

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

Relocations

CLE’s loader implements program relocation data on a plugin basis. If you would like to add more relocation implementations, do so by subclassing the Relocation class and overriding any relevant methods or properties. Put your subclasses in a module in the relocations subpackage of the appropraite backend package. The name of the subclass will be used to determine when to use it! Look at the existing versions for details.

class cle.backends.relocation.Relocation(owner: Backend, symbol: Symbol, relative_addr: int)

Bases: object

A representation of a relocation in a binary file. Smart enough to relocate itself.

Variables

• owner – The binary this relocation was originaly found in, as a cle object

• symbol – The Symbol object this relocation refers to

• relative_addr – The address in owner this relocation would like to write to

• resolvedby – If the symbol this relocation refers to is an import symbol and that import has been resolved, this attribute holds the symbol from a different binary that was used to resolve the import.

• resolved – Whether the application of this relocation was successful

AUTO_HANDLE_NONE = False

resolve_symbol(solist: List[Any], thumb=False, extern_object=None, **kwargs)

resolve(obj, **kwargs)

property rebased_addr

The address in the global memory space this relocation would like to write to

property linked_addr

property dest_addr

property value

relocate()

Applies this relocation. Will make changes to the memory object of the object it came from.

This implementation is a generic version that can be overridden in subclasses.

property owner_obj

cle.backends.elf.relocation.load_relocations()

cle.backends.elf.relocation.get_relocation(arch, r_type)

class cle.backends.elf.relocation.elfreloc.ELFReloc(owner, symbol, relative_addr, addend=None)

Bases: Relocation

property addend

resolvedby: Optional[Symbol]

resolved: bool

property value

class cle.backends.elf.relocation.mips64.R_MIPS_64(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips64.R_MIPS_REL32(owner, symbol, relative_addr, addend=None)

Bases: GenericRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips64.R_MIPS_COPY(owner, symbol, relative_addr, addend=None)

Bases: GenericCopyReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips64.R_MIPS_TLS_DTPMOD64(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSModIdReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips64.R_MIPS_TLS_DTPREL64(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSDoffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips64.R_MIPS_TLS_TPREL64(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSOffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericTLSDoffsetReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

property value

resolve_symbol(solist, **kwargs)

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericTLSOffsetReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

AUTO_HANDLE_NONE = True

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericTLSDescriptorReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

RESOLVER_ADDR = NotImplemented

AUTO_HANDLE_NONE = True

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericTLSModIdReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

AUTO_HANDLE_NONE = True

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericIRelativeReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

AUTO_HANDLE_NONE = True

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericAbsoluteAddendReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericPCRelativeAddendReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericJumpslotReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericRelativeReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

AUTO_HANDLE_NONE = True

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericAbsoluteReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.GenericCopyReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

resolve_symbol(solist, **kwargs)

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.MipsGlobalReloc(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.MipsLocalReloc(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

AUTO_HANDLE_NONE = True

resolve_symbol(solist, **kwargs)

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.generic.RelocTruncate32Mixin

Bases: object

A mix-in class for relocations that cover a 32-bit field regardless of the architecture’s address word length.

check_zero_extend = False

check_sign_extend = False

relocate()

class cle.backends.elf.relocation.generic.RelocGOTMixin

Bases: object

A mix-in class which will cause the symbol to be resolved to a pointer to the symbol instead of the symbol

resolve(symbol, extern_object=None, **kwargs)

class cle.backends.elf.relocation.ppc.R_PPC_ADDR32(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_ADDR24(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x2 Calculation: (S + A) >> 2 Field: low24*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_ADDR16(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x3 Calculation: S+A Field: half16*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_ADDR16_LO(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x4 Calculation: #lo(S + A) Field: half16

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_ADDR16_HI(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x5 Calculation: #hi(S + A) Field: half16

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_ADDR16_HA(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x6 Calculation: #ha(S + A) Field: half16

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_ADDR14(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x7 Calculation: (S + A) >> 2 Field: low14*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_ADDR14_BRTAKEN(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x8 Calculation: (S + A) >> 2 Field: low14*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_ADDR14_BRNTAKEN(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x9 Calculation: (S + A) >> 2 Field: low14*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_REL24(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0xa Calculation: (S + A - P) >> 2 Field: low24* R_PPC_REL24 is a special type of relocation. The instruction must be modified for this type. This relocation type resolves branch-and-link instructions. Prior to relocation, all instances of the branch-and-link instruction will consist of the following bytecode: 48 00 00 01. The problem with this is that all instances will result in calls to the current address - thus an infinite loop. After calculating the relocation result in R_PPC_REL24, you will have an address offset to the call. The result must be resolved to the correct instruction encoding.

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_REL14(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0xb Calculation: (S + A - P) >> 2 Field: low14*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_REL14_BRTAKEN(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0xc Calculation: (S + A - P) >> 2 Field: low14*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_REL14_BRNTAKEN(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0xd Calculation: (S + A - P) >> 2 Field: low14*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_COPY(owner, symbol, relative_addr, addend=None)

Bases: GenericCopyReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_GLOB_DAT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_JMP_SLOT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_RELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_UADDR32(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x18 Calculation: S + A Field: word32

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_UADDR16(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x19 Calculation: S + A Field: half16*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_REL32(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x1a Calculation: S + A - P Field: word32

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_SECTOFF(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x21 Calculation: R + A Field: half16*

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_SECTOFF_LO(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x22 Calculation: #lo(R + A) Field: half16

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_SECTOFF_HI(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x23 Calculation: #hi(R + A) Field: half16

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_SECTOFF_HA(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x24 Calculation: #ha(R + A) Field: half16

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_ADDR30(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 0x25 Calculation: (S + A - P) >> 2 Field: word30

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_DTPMOD32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSModIdReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_DTPREL32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSDoffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.ppc.R_PPC_TPREL32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSOffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_JMP_SLOT(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_RELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_IRELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericIRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_ADDR64(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_GLOB_DAT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_DTPMOD64(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSModIdReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_DTPREL64(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSDoffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_TPREL64(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSOffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_REL24(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 10 Calculation: (S + A - P) >> 2 Field: low24*

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_TOC16_LO(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 48 Calculation: #lo(S + A - .TOC.) Field: half16

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_TOC16_HI(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 49 Calculation: #hi(S + A - .TOC.) Field: half16

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_TOC16_HA(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 50 Calculation: #ha(S + A - .TOC.) Field: half16

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.pcc64.R_PPC64_TOC(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 51 Calculation: .TOC. Field: doubleword64

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_32(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_PC32(owner, symbol, relative_addr, addend=None)

Bases: GenericPCRelativeAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_COPY(owner, symbol, relative_addr, addend=None)

Bases: GenericCopyReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_GLOB_DAT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_JMP_SLOT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_RELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_IRELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericIRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_TLS_DTPMOD32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSModIdReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_TLS_TPOFF(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSOffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.i386.R_386_TLS_DTPOFF32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSDoffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_64(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_COPY(owner, symbol, relative_addr, addend=None)

Bases: GenericCopyReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_RELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_IRELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericIRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_GLOB_DAT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_JUMP_SLOT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_DTPMOD64(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSModIdReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_DTPOFF64(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSDoffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_TPOFF64(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSOffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.amd64.R_X86_64_PC32(owner, symbol, relative_addr, addend=None)

Bases: RelocTruncate32Mixin, GenericPCRelativeAddendReloc

check_sign_extend = True

class cle.backends.elf.relocation.amd64.R_X86_64_32(owner, symbol, relative_addr, addend=None)

Bases: RelocTruncate32Mixin, GenericAbsoluteAddendReloc

check_zero_extend = True

class cle.backends.elf.relocation.amd64.R_X86_64_32S(owner, symbol, relative_addr, addend=None)

Bases: RelocTruncate32Mixin, GenericAbsoluteAddendReloc

check_sign_extend = True

class cle.backends.elf.relocation.amd64.R_X86_64_PLT32(owner, symbol, relative_addr, addend=None)

Bases: RelocTruncate32Mixin, GenericPCRelativeAddendReloc

check_sign_extend = True

class cle.backends.elf.relocation.amd64.R_X86_64_GOTPCREL(owner, symbol, relative_addr, addend=None)

Bases: RelocGOTMixin, RelocTruncate32Mixin, GenericPCRelativeAddendReloc

check_sign_extend = True

class cle.backends.elf.relocation.amd64.R_X86_64_GOTPCRELX(owner, symbol, relative_addr, addend=None)

Bases: RelocGOTMixin, RelocTruncate32Mixin, GenericPCRelativeAddendReloc

check_sign_extend = True

class cle.backends.elf.relocation.amd64.R_X86_64_REX_GOTPCRELX(owner, symbol, relative_addr, addend=None)

Bases: RelocGOTMixin, RelocTruncate32Mixin, GenericPCRelativeAddendReloc

check_sign_extend = True

class cle.backends.elf.relocation.mips.R_MIPS_32(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips.R_MIPS_REL32(owner, symbol, relative_addr, addend=None)

Bases: GenericRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips.R_MIPS_JUMP_SLOT(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips.R_MIPS_GLOB_DAT(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips.R_MIPS_TLS_DTPMOD32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSModIdReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips.R_MIPS_TLS_TPREL32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSOffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips.R_MIPS_TLS_DTPREL32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSDoffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips.R_MIPS_HI16(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteReloc

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.mips.R_MIPS_LO16(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteReloc

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_CALL(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocate R_ARM_CALL symbols via instruction modification. It additionally handles R_ARM_PC24 and R_ARM_JUMP24. The former is deprecated and is now just the same as R_ARM_CALL.

R_ARM_JUMP24 doesn’t need the Thumb check. Technically, if the Thumb check succeeds on R_ARM_JUMP24, it’s a bad call that shouldn’t have been generated by the linker, so we may as well as just treat it like R_ARM_CALL.

• Class: Static

• Type: ARM (R_ARM_CALL, R_ARM_JUMP24); Deprecated (R_ARM_PC24)

• Code: 1 (R_ARM_PC24), 28 (R_ARM_CALL), 29 (R_ARM_JUMP24)

• Operation: ((S + A) | T) - P - S is the address of the symbol - A is the addend - P is the target location (place being relocated) - T is 1 if the symbol is of type STT_FUNC and addresses a Thumb instruction

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_PREL31(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocate R_ARM_PREL31 symbols via instruction modification. The difference between this and R_ARM_CALL/R_ARM_PC24/R_ARM_JUMP24 is that it’s a data relocation

• Class: Static

• Type: Data

• Code: 42

• Operation: ((S + A) | T) - P - S is the address of the symbol - A is the addend - P is the target location (place being relocated) - T is 1 if the symbol is of type STT_FUNC and addresses a Thumb instruction

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_REL32(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocate R_ARM_REL32 symbols. This is essentially the same as generic.GenericPCRelativeAddendReloc with the addition of a check for whether or not the target is Thumb.

• Class: Static

• Type: Data

• Code: 3

• Operation: ((S + A) | T) - P - S is the address of the symbol - A is the addend - P is the target location (place being relocated) - T is 1 if the symbol is of type STT_FUNC and addresses a Thumb instruction

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_ABS32(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocate R_ARM_ABS32 symbols. This is essentially the same as generic.GenericAbsoluteAddendReloc with the addition of a check for whether or not the target is Thumb.

• Class: Static

• Type: Data

• Code: 3

• Operation: (S + A) | T - S is the address of the symbol - A is the addend - T is 1 if the symbol is of type STT_FUNC and addresses a Thumb instruction

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_MOVW_ABS_NC(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocate R_ARM_MOVW_ABS_NC symbols.

• Class: Static

• Type: Instruction

• Code: 43

• Operation: (S + A) | T - S is the address of the symbol - A is the addend - T is 1 if the symbol is of type STT_FUNC and addresses a Thumb instruction

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_MOVT_ABS(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocate R_ARM_MOVT_ABS symbols.

• Class: Static

• Type: Instruction

• Code: 44

• Operation: S + A - S is the address of the symbol - A is the addend

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_THM_CALL(*args, **kwargs)

Bases: ELFReloc

Relocate R_ARM_THM_CALL symbols via instruction modification.

• Class: Static

• Type: ARM (R_ARM_THM_CALL)

• Code: 10

• Operation: ((S + A) | T) - P - S is the address of the symbol - A is the addend - P is the target location (place being relocated) - T is 1 if the symbol is of type STT_FUNC and addresses a Thumb instruction (This bit is entirely irrelevant because the 1-bit of the address gets shifted off in the encoding)

• Encoding: See http://hermes.wings.cs.wisc.edu/files/Thumb-2SupplementReferenceManual.pdf - Page 71 (3-31) has the chart - It appears that it mistakenly references the I1 and I2 bits as J1 and J2 in the chart (see the notes at the bottom of the page – the ranges don’t make sense) - However, the J1/J2 bits are XORed with !S bit in this case (see vex implementation: https://github.com/angr/vex/blob/6d1252c7ce8fe8376318b8f8bb8034058454c841/priv/guest_arm_toIR.c#L19219 ) - Implementation appears correct with the bits placed into offset[23:22]

resolve_symbol(solist, **kwargs)

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_COPY(owner, symbol, relative_addr, addend=None)

Bases: GenericCopyReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_GLOB_DAT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_JUMP_SLOT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_RELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_ABS32_NOI(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_REL32_NOI(owner, symbol, relative_addr, addend=None)

Bases: GenericPCRelativeAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_TLS_DTPMOD32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSModIdReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_TLS_DTPOFF32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSDoffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_TLS_TPOFF32(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSOffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_JUMP24(owner, symbol, relative_addr, addend=None)

Bases: R_ARM_CALL

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_PC24(owner, symbol, relative_addr, addend=None)

Bases: R_ARM_CALL

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_THM_JUMP24(*args, **kwargs)

Bases: R_ARM_THM_CALL

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_THM_JUMP19(*args, **kwargs)

Bases: R_ARM_THM_CALL

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm.R_ARM_THM_JUMP6(*args, **kwargs)

Bases: R_ARM_THM_CALL

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_ABS64(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_COPY(owner, symbol, relative_addr, addend=None)

Bases: GenericCopyReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_GLOB_DAT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_JUMP_SLOT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_RELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_IRELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericIRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_TLS_DTPREL(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSDoffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_TLS_DTPMOD(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSModIdReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_TLS_TPREL(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSOffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_TLSDESC(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSDescriptorReloc

RESOLVER_ADDR = 18446744073709551104

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_CALL26(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 283 Calculation: (S + A - P)

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_ADR_PREL_PG_HI21(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 275 Calculation: Page(S + A) - Page(P)

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.arm64.R_AARCH64_ADD_ABS_LO12_NC(owner, symbol, relative_addr, addend=None)

Bases: ELFReloc

Relocation Type: 275 Calculation: (S + A)

property value

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.s390x.R_390_GLOB_DAT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.s390x.R_390_JMP_SLOT(owner, symbol, relative_addr, addend=None)

Bases: GenericJumpslotReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.s390x.R_390_RELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.s390x.R_390_64(owner, symbol, relative_addr, addend=None)

Bases: GenericAbsoluteAddendReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.s390x.R_390_TLS_TPOFF(owner, symbol, relative_addr, addend=None)

Bases: GenericTLSOffsetReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.s390x.R_390_IRELATIVE(owner, symbol, relative_addr, addend=None)

Bases: GenericIRelativeReloc

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.elf.relocation.s390x.R_390_COPY(owner, symbol, relative_addr, addend=None)

Bases: GenericCopyReloc

resolvedby: Optional[Symbol]

resolved: bool

cle.backends.pe.relocation.load_relocations()

cle.backends.pe.relocation.get_relocation(arch, r_type)

class cle.backends.pe.relocation.pereloc.PEReloc(owner, symbol, addr, resolvewith=None)

Bases: Relocation

AUTO_HANDLE_NONE = True

resolve_symbol(solist, bypass_compatibility=False, extern_object=None, **kwargs)

relocate()

property value

property is_base_reloc

These relocations are ignored by the linker if the executable is loaded at its preferred base address. There is no associated symbol with base relocations.

property is_import

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.generic.DllImport(owner, symbol, addr, resolvewith=None)

Bases: PEReloc

There’s nothing special to be done for DLL imports but this class provides a unique name to the relocation type.

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.generic.IMAGE_REL_BASED_ABSOLUTE(owner, symbol, addr, resolvewith=None)

Bases: PEReloc

relocate()

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.generic.IMAGE_REL_BASED_HIGHADJ(owner, addr, next_rva)

Bases: PEReloc

property value

In all the other cases, we can ignore the relocation difference part of the calculation because we simply use to_mva() to get our rebased address. In this case, however, we have to adjust the un-rebased address first.

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.generic.IMAGE_REL_BASED_HIGHLOW(owner, symbol, addr, resolvewith=None)

Bases: PEReloc

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.generic.IMAGE_REL_BASED_DIR64(owner, symbol, addr, resolvewith=None)

Bases: PEReloc

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.generic.IMAGE_REL_BASED_HIGH(owner, symbol, addr, resolvewith=None)

Bases: PEReloc

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.generic.IMAGE_REL_BASED_LOW(owner, symbol, addr, resolvewith=None)

Bases: PEReloc

property value

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.i386.IMAGE_REL_BASED_HIGHADJ(owner, addr, next_rva)

Bases: IMAGE_REL_BASED_HIGHADJ

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.i386.IMAGE_REL_BASED_DIR64(owner, symbol, addr, resolvewith=None)

Bases: IMAGE_REL_BASED_DIR64

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.i386.IMAGE_REL_BASED_HIGHLOW(owner, symbol, addr, resolvewith=None)

Bases: IMAGE_REL_BASED_HIGHLOW

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.i386.IMAGE_REL_BASED_HIGH(owner, symbol, addr, resolvewith=None)

Bases: IMAGE_REL_BASED_HIGH

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.i386.IMAGE_REL_BASED_LOW(owner, symbol, addr, resolvewith=None)

Bases: IMAGE_REL_BASED_LOW

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.amd64.IMAGE_REL_BASED_HIGHADJ(owner, addr, next_rva)

Bases: IMAGE_REL_BASED_HIGHADJ

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.amd64.IMAGE_REL_BASED_DIR64(owner, symbol, addr, resolvewith=None)

Bases: IMAGE_REL_BASED_DIR64

resolvedby: Optional[Symbol]

resolved: bool

class cle.backends.pe.relocation.amd64.IMAGE_REL_BASED_HIGHLOW(owner, symbol, addr, resolvewith=None)

Bases: IMAGE_REL_BASED_HIGHLOW

resolvedby: Optional[Symbol]