Ubuntu Manpages

ESIL

Evaluable Strings Intermediate Language

ESIL (Evaluable Strings Intermediate Language) provides an abstract, stack-based format for representing CPU instruction semantics across various architectures, facilitating instruction emulation for analysis and debugging within the radare2 framework.

Evaluable Strings Intermediate Language (ESIL) adopts a Forth-like syntax, offering a method to describe and emulate the behavior of machine instructions in a platform-agnostic manner. It is particularly useful in reverse engineering, allowing for cross-architecture binary analysis and exploitation through radare2.

At its core, ESIL is a stack-based language where operations manipulate values on a stack. Each CPU instruction gets translated into an ESIL expression that models its behavior. This abstraction layer allows radare2 to emulate code execution without actually running it, making it invaluable for analyzing untrusted binaries or understanding complex code flows.

ESIL expressions use a series of operands and operations, manipulating values on an internal stack. These expressions are executed within an ESIL virtual machine (VM), enabling the simulation of CPU instructions' effects on registers and memory.

The basic components of ESIL syntax are:

  • Uppercase words are special keywords that operate on the ESIL VM (e.g., POP, DUP, TRAP)
  • Lowercase words are register names that can be used for reading or writing through operations
  • Words starting with $ represent internal variables of the VM that are readonly (e.g., $z for zero flag)
  • Numbers can be in base 10 or hexadecimal (with 0x prefix)
  • Operations are separated by commas
  • Results are pushed onto the stack or written to registers/memory

The rest of keywords can be added or removed via ESIL or architecture plugins, but this document describes the common and standard ESIL commands.

Radare2 provides several ways to work with ESIL:

  • The 'e asm.esil=true' option displays ESIL expressions alongside assembly instructions
  • The 'e emu.str=true' option enables string emulation during analysis
  • The 'ae' command family provides ways to evaluate and debug ESIL expressions
  • Visual mode offers ESIL debugging capabilities through VdE command

These features allow users to inspect register states, memory modifications, and operation flow without actually executing the binary code on the CPU.

Radare2 leverages ESIL for detailed emulation of instruction execution, enabling users to step through instructions, inspect changes to registers and memory, and evaluate conditional logic in a controlled environment.

Here are the most commonly used ESIL-related commands:

[expr]
Evaluate an ESIL expression. Note that some expressions contain special characters that can be evaluated by the radare2 shell, so it's better to prefix the command with a single quote ' to skip that parsing.
Initialize the ESIL VM state (required before emulation)
Initialize ESIL VM stack memory
Initialize ESIL program counter to current offset
Show or modify ESIL registers
ESIL Step: execute a single step in ESIL emulation
ESIL Step Over: perform a step over call instructions in ESIL emulation
[addr]
ESIL Step Until: continue ESIL execution until a specified address is reached
[expr]
Enter the interactive visual debugger to debug and emulate an ESIL expression

Typical workflow for ESIL emulation:

aei      # Initialize ESIL VM state
aeim     # Initialize memory for ESIL VM
aeip     # Set program counter to current address
aes      # Start stepping through instructions

The comma-separated words in an ESIL expression can be grouped into different categories:

Prefixed with '$', they represent internal states of the ESIL VM and are used to perform conditional operations:

  • $z - Zero flag: Set when result is zero
  • $c - Carry flag: Set when operation produces a carry
  • $b - Borrow flag: Set when operation requires a borrow
  • $p - Parity flag: Set when result has even parity
  • $s - Sign flag: Set when result is negative
  • $o - Overflow flag: Set when result overflows
  • $$ - Current address being executed
  • $ds, $jt, $js - Used for delay slots and jump targeting
Pop value and destination from stack and perform assignment:

  • = : Strong assignment (updates flags)
  • := : Weak assignment (no flag updates)
Basic math operations:

  • + - Addition
  • - - Subtraction
  • * - Multiplication
  • L* - Long multiplication (128-bit result)
  • / - Division
  • ~/ - Signed division
  • % - Modulo
  • ~% - Signed modulo
  • ~ - Sign extension
  • & - Bitwise AND
  • | - Bitwise OR
  • ^ - Bitwise XOR
  • ! - Logical NOT
  • << - Left shift
  • >> - Right shift
  • <<< - Rotate left
  • >>> - Rotate right
  • <<<< - Arithmetic shift left
  • >>>> - Arithmetic shift right
Compare values and set flags:

  • == - Equality comparison
  • < - Less than
  • <= - Less than or equal
  • > - Greater than
  • >= - Greater than or equal
Conditional expressions and flow control:

  • ?{ - If condition, execute next block if top of stack is non-zero
  • } - End of conditional block
  • }{ - Else statement
  • GOTO - Jump to specified location
  • BREAK - Stop execution
Read from or write to memory:

  • Reading: [1], [2], [4], [8], [16] - Read 1, 2, 4, 8, or 16 bytes
  • Writing: =[1], =[2], =[4], =[8], =[16] - Write 1, 2, 4, 8, or 16 bytes
  • Combined: |=[2], +=[4], &=[4], --=[2] - Read-modify-write operations
  • Special: [*], =[*] - Variable size operations
Special operations to manage the ESIL stack:

  • STACK - Display stack contents
  • POP - Remove top value
  • DUP - Duplicate top value
  • NUM - Push number or register value
  • SWAP - Swap top two values
  • CLEAR - Empty the stack

  • () - Syscall
  • $ - Hardware interrupt
  • #! - Execute radare2 command
  • TRAP - CPU trap
  • BITS - Change bits mode

  • NAN - Check if value is Not-a-Number
  • I2D, U2D - Convert integer to double (signed, unsigned)
  • D2I - Convert double to integer
  • D2F, F2D - Convert between double and float
  • F==, F!=, F<, F<= - Floating point comparisons
  • F+, F-, F*, F/ - Floating point arithmetic
  • -F - Negate floating point value
  • CEIL, FLOOR, ROUND - Rounding operations
  • SQRT - Square root

ESIL expressions are evaluated from left to right, with values being pushed onto or popped from a stack. The following examples demonstrate how common CPU instructions translate to ESIL:

Simply assigns the value 3 to register eax: 
3,eax,=
Adds the value in eax to ebx and stores the result in ebx: 
eax,ebx,+=
This is equivalent to the longer form: 
eax,ebx,+,ebx,=
Performs XOR on eax with itself (effectively zeroing it): 
eax,eax,^=
Writes the value 3 to the memory address in ebx: 
3,ebx,=[1]
Sets flags based on eax value (primarily the zero flag): 
eax,eax,&,zf,=
Jumps to address if zero flag is set: 
zf,?{,0x123456,eip,=,}

Radare2 provides a visual ESIL debugger that allows stepping through ESIL expressions to understand exactly how they work. This is accessed through the 'aev' command or in visual mode with 'VdE'.

The visual ESIL debugger offers several advantages:

  • Step-by-step execution of ESIL expressions
  • Visualization of the stack after each operation
  • Inspection of register and flag changes
  • Memory access monitoring
  • Finer-grained control than regular ESIL emulation

When using the visual ESIL debugger, you can use the following controls:

Step forward one ESIL operation
Reset the ESIL VM state
Quit the debugger

This tool is particularly useful for understanding complex instructions or when debugging emulation issues.

Here are some practical ways to use ESIL in radare2 for analysis and debugging:

To evaluate a simple ESIL expression: 
[0x00000000]> ae 1,1,+
2
To emulate a function and see register changes: 
[0x00000000]> aei      # Initialize ESIL VM
[0x00000000]> aeim     # Initialize memory
[0x00000000]> aeip     # Set PC to current address
[0x00000000]> aes      # Step one instruction
[0x00000000]> aer      # View registers
To debug a complex ESIL expression using the visual debugger: 
[0x00000000]> aev 1,5,+,eax,=
To emulate until a condition is met: 
[0x00000000]> aecu 0x4000  # Continue until address 0x4000

A code-wars like game implemented on top of ESIL used in the r2con conference. Players write small programs that compete in a virtual arena, with the ESIL VM executing and evaluating their behavior.

More information: https://github.com/radareorg/r2wars

radare2(1)

https://www.radare.org/

pancake <pancake@nopcode.org>