void SetlIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, mem1e, sf, of;
uint64_t mem = this->operands[0].getValue();
uint64_t memSize = this->operands[0].getSize();
/* Create the flag SMT semantic */
sf << ap.buildSymbolicFlagOperand(ID_SF);
of << ap.buildSymbolicFlagOperand(ID_OF);
mem1e << ap.buildSymbolicMemOperand(mem, memSize);
/* Finale expr */
expr << smt2lib::ite(
smt2lib::equal(
smt2lib::bvxor(sf.str(), of.str()),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) {
if (ap.isRegTainted(ID_SF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_SF, memSize);
else
ap.assignmentSpreadTaintMemReg(se, mem, ID_OF, memSize);
}
}
void SetleIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *sf, *of, *zf;
uint64 mem = this->operands[0].getValue();
uint64 memSize = this->operands[0].getSize();
/* Create the flag SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_SF);
of = ap.buildSymbolicFlagOperand(ID_OF);
zf = ap.buildSymbolicFlagOperand(ID_ZF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(smt2lib::bvxor(sf, of), zf),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 1) {
if (ap.isRegTainted(ID_SF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_SF, memSize);
else if (ap.isRegTainted(ID_OF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_OF, memSize);
else
ap.assignmentSpreadTaintMemReg(se, mem, ID_ZF, memSize);
}
}
void SetnbeIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *cf, *zf;
auto mem = this->operands[0].getMem();
auto memSize = this->operands[0].getMem().getSize();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_TMP_CF);
zf = ap.buildSymbolicFlagOperand(ID_TMP_ZF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvand(
smt2lib::bvnot(cf),
smt2lib::bvnot(zf)
),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_TMP_CF) == 0 && ap.getFlagValue(ID_TMP_ZF) == 0) {
if (ap.isRegTainted(ID_TMP_CF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_CF, memSize);
else
ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_ZF, memSize);
}
}
void SetzIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, mem1e, zf;
uint64_t mem = this->operands[0].getValue();
uint64_t memSize = this->operands[0].getSize();
/* Create the SMT semantic */
zf << ap.buildSymbolicFlagOperand(ID_ZF);
mem1e << ap.buildSymbolicMemOperand(mem, memSize);
/* Finale expr */
expr << smt2lib::ite(
smt2lib::equal(
zf.str(),
smt2lib::bvtrue()),
smt2lib::bv(1, 8),
smt2lib::bv(0, 8));
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_ZF) == 1)
ap.assignmentSpreadTaintMemReg(se, mem, ID_ZF, memSize);
}
void SetsIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *sf;
auto mem = this->operands[0].getMem().getAddress();
auto memSize = this->operands[0].getMem().getSize();
/* Create the SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_SF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
sf,
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_SF) == 1)
ap.assignmentSpreadTaintMemReg(se, mem, ID_SF, memSize);
}
void MovdqaIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr;
auto memSize = this->operands[0].getMem().getSize();
auto mem = this->operands[0].getMem();
auto reg = this->operands[1].getReg();
auto regSize = this->operands[1].getReg().getSize();
/* Create the SMT semantic */
expr = ap.buildSymbolicRegOperand(reg, regSize);
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.assignmentSpreadTaintMemReg(se, mem, reg, memSize);
}
void MovIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr;
uint32_t writeSize = this->operands[0].getSize();
uint64_t mem = this->operands[0].getValue();
uint64_t reg = this->operands[1].getValue();
uint64_t regSize = this->operands[1].getSize();
/* Create the SMT semantic */
expr << ap.buildSymbolicRegOperand(reg, regSize);
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, writeSize);
/* Apply the taint */
ap.assignmentSpreadTaintMemReg(se, mem, reg, writeSize);
}
void MovhpdIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op2;
uint32 writeSize = this->operands[0].getSize();
uint64 mem = this->operands[0].getValue();
uint64 reg = this->operands[1].getValue();
uint64 regSize = this->operands[1].getSize();
/* Create the SMT semantic */
op2 = ap.buildSymbolicRegOperand(reg, regSize);
expr = smt2lib::extract(127, 64, op2);
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, writeSize);
/* Apply the taint */
ap.assignmentSpreadTaintMemReg(se, mem, reg, writeSize);
}
void MovlpdIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op2;
auto memSize = this->operands[0].getMem().getSize();
auto mem = this->operands[0].getMem().getAddress();
auto reg = this->operands[1].getReg().getTritonRegId();
auto regSize = this->operands[1].getReg().getSize();
/* Create the SMT semantic */
op2 = ap.buildSymbolicRegOperand(reg, regSize);
/* Destination = Source[0..63] */
expr = smt2lib::extract(63, 0, op2);
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.assignmentSpreadTaintMemReg(se, mem, reg, memSize);
}
void MovhpdIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint32 writeSize = this->operands[0].getSize();
uint64 mem = this->operands[0].getValue();
uint64 reg = this->operands[1].getValue();
uint64 regSize = this->operands[1].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(mem, writeSize);
op2 << ap.buildSymbolicRegOperand(reg, regSize);
expr << smt2lib::extract(127, 64, op2.str());
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, writeSize);
/* Apply the taint */
ap.assignmentSpreadTaintMemReg(se, mem, reg, writeSize);
}
