Ejemplo n.º 1
0
void JnsIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  SymbolicExpression *se;
  smt2lib::smtAstAbstractNode *expr, *sf;
  auto imm = this->operands[0].getImm().getValue();

  /* Create the SMT semantic */
  sf = ap.buildSymbolicFlagOperand(ID_TMP_SF);

  /* Finale expr */
  expr = smt2lib::ite(
            smt2lib::equal(
              sf,
              smt2lib::bvfalse()),
            smt2lib::bv(imm, REG_SIZE_BIT),
            smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic expression */
  se = ap.createRegSE(inst, expr, ID_TMP_RIP, REG_SIZE, "RIP");

  /* Apply the taint */
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_SF);

  /* Add the constraint in the PathConstraints list */
  ap.addPathConstraint(se->getID());
}
Ejemplo n.º 2
0
SymbolicExpression *AnalysisProcessor::createFlagSE(Inst &inst, smt2lib::smtAstAbstractNode *expr, RegisterOperand &flag, std::string comment) {
  uint64 flagId = flag.getTritonRegId();
  SymbolicExpression *se = this->symEngine.newSymbolicExpression(expr, comment);
  this->symEngine.symbolicReg[flagId] = se->getID();
  inst.addExpression(se);
  return se;
}
Ejemplo n.º 3
0
void JleIRBuilder::imm(Inst &inst) const {
  SymbolicExpression *se;
  smt2lib::smtAstAbstractNode *expr, *sf, *of, *zf;
  auto imm = this->operands[0].getImm().getValue();

  /* Create the SMT semantic */
  sf = ap.buildSymbolicFlagOperand(ID_TMP_SF);
  of = ap.buildSymbolicFlagOperand(ID_TMP_OF);
  zf = ap.buildSymbolicFlagOperand(ID_TMP_ZF);

  /* 
   * Finale expr
   * JLE: Jump if less or equal ((SF^OF | ZF) == 1).
   * SMT: ( = (bvor (bvxor sf of) zf) TRUE)
   */
  expr = smt2lib::ite(
            smt2lib::equal(
                smt2lib::bvor(smt2lib::bvxor(sf, of), zf),
                smt2lib::bvtrue()
            ),
            smt2lib::bv(imm, REG_SIZE_BIT),
            smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic expression */
  se = ap.createRegSE(inst, expr, ID_TMP_RIP, REG_SIZE, "Program Counter");

  /* Apply the taint */
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_SF);
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_OF);
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_ZF);

  /* Add the constraint in the PathConstraints list */
  ap.addPathConstraint(se->getID());

}
Ejemplo n.º 4
0
SymbolicExpression *AnalysisProcessor::createRegSE(Inst &inst, smt2lib::smtAstAbstractNode *expr, uint64 regID, std::string comment)
{
  SymbolicExpression *se = this->symEngine.newSymbolicExpression(expr, comment);
  this->symEngine.symbolicReg[regID] = se->getID();
  inst.addExpression(se);
  return se;
}
Ejemplo n.º 5
0
static PyObject *SymbolicExpression_getComment(PyObject *self, PyObject *noarg) {
  SymbolicExpression *expression = PySymbolicExpression_AsSymbolicExpression(self);
  if (expression->getComment().empty() == false)
    return PyString_FromFormat("%s", expression->getComment().c_str());
  Py_INCREF(Py_None);
  return Py_None;
}
Ejemplo n.º 6
0
SymbolicExpression *AnalysisProcessor::createRegSE(Inst &inst, smt2lib::smtAstAbstractNode *expr, uint64 regID, uint64 regSize)
{
  smt2lib::smtAstAbstractNode *finalExpr = nullptr, *origReg = nullptr;

  origReg = this->buildSymbolicRegOperand(regID, REG_SIZE);

  switch (regSize) {
    case BYTE_SIZE:
      finalExpr = smt2lib::concat(smt2lib::extract(63, 8, origReg), expr);
      break;

    case WORD_SIZE:
      finalExpr = smt2lib::concat(smt2lib::extract(63, 16, origReg), expr);
      break;

    case DWORD_SIZE:
      /* In AMD64, if a reg32 is written, it clears the 32-bit MSB of the corresponding register (Thx Wisk!) */
      finalExpr = smt2lib::zx(DWORD_SIZE_BIT, expr);
      break;

    case QWORD_SIZE:
    case DQWORD_SIZE:
      finalExpr = expr;
      break;
  }

  SymbolicExpression *se = this->symEngine.newSymbolicExpression(finalExpr);
  this->symEngine.symbolicReg[regID] = se->getID();
  inst.addExpression(se);

  return se;
}
Ejemplo n.º 7
0
void JnbeIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  SymbolicExpression *se;
  smt2lib::smtAstAbstractNode *expr, *cf, *zf;
  auto imm = this->operands[0].getImm().getValue();

  /* Create the SMT semantic */
  cf = ap.buildSymbolicFlagOperand(ID_CF);
  zf = ap.buildSymbolicFlagOperand(ID_ZF);

  /* 
   * Finale expr
   * JNBE: Jump if not below or equal (CF =0 and ZF =0).
   * SMT: ( = (bvand (bvnot zf) (bvnot cf)) (_ bv1 1))
   */
  expr = smt2lib::ite(
            smt2lib::equal(
              smt2lib::bvand(
                smt2lib::bvnot(cf),
                smt2lib::bvnot(zf)
              ),
              smt2lib::bvtrue()
            ),
            smt2lib::bv(imm, REG_SIZE_BIT),
            smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic expression */
  se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");

  /* Add the constraint in the PathConstraints list */
  ap.addPathConstraint(se->getID());
}
Ejemplo n.º 8
0
SymbolicExpression *AnalysisProcessor::createMemSE(Inst &inst, smt2lib::smtAstAbstractNode *expr, uint64 address, uint64 writeSize, std::string comment)
{
  SymbolicExpression *ret = nullptr;
  smt2lib::smtAstAbstractNode *tmp;

  /*
   * As the x86's memory can be accessed without alignment, each byte of the
   * memory must be assigned to an unique reference.
   */
  while (writeSize){
    /* Extract each byte if the size > 1 byte (8 bits) */
    if (writeSize > BYTE_SIZE){
      tmp = smt2lib::extract(((writeSize * REG_SIZE) - 1), ((writeSize * REG_SIZE) - REG_SIZE), expr);
      SymbolicExpression *se = symEngine.newSymbolicExpression(tmp, "byte reference");
      inst.addExpression(se);
      /* Assign memory with little endian */
      this->symEngine.addMemoryReference((address + writeSize) - 1, se->getID());
    }
    /* Otherwise keep the full formula */
    else {
      SymbolicExpression *se = symEngine.newSymbolicExpression(expr, comment);
      inst.addExpression(se);
      this->symEngine.addMemoryReference(address, se->getID());
      ret = se;
    }
    writeSize--;
  }

  return ret;
}
Ejemplo n.º 9
0
SymbolicVariable *SymbolicEngine::convertRegToSymVar(uint64 regId, uint64 symVarSize, std::string symVarComment) {
  SymbolicVariable   *symVar = nullptr;
  SymbolicExpression *expression = nullptr;
  uint64             regSymId = UNSET;

  if (regId >= ID_LAST_ITEM)
    throw std::runtime_error("SymbolicEngine::convertRegToSymVar() - Invalid register ID");

  regSymId = this->getRegSymbolicID(regId);
  if (regSymId == UNSET) {
    symVar = this->addSymbolicVariable(SymVar::kind::REG, regId, symVarSize, symVarComment);

    smt2lib::smtAstAbstractNode *tmp = smt2lib::variable(symVar->getSymVarName());
    if (tmp == nullptr)
      throw std::runtime_error("convertRegToSymVar can't create smtAstAbstractNode (nullptr)");

    SymbolicExpression *se = this->newSymbolicExpression(tmp);
    if (se == nullptr)
      throw std::runtime_error("convertRegToSymVar can't create symbolic expression (nullptr)");

    this->symbolicReg[regId] = se->getID();
  }

  else {
    expression = this->getExpressionFromId(regSymId);
    if (expression == nullptr)
      return nullptr;
    symVar = this->addSymbolicVariable(SymVar::kind::REG, regId, symVarSize, symVarComment);
    expression->setExpression(smt2lib::variable(symVar->getSymVarName()));
  }

  return symVar;
}
Ejemplo n.º 10
0
void JlIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  SymbolicExpression *se;
  smt2lib::smtAstAbstractNode *expr, *sf, *of;
  auto imm = this->operands[0].getImm().getValue();

  /* Create the SMT semantic */
  sf = ap.buildSymbolicFlagOperand(ID_SF);
  of = ap.buildSymbolicFlagOperand(ID_OF);

  /* 
   * Finale expr
   * JL: Jump if less (SF^OF).
   * SMT: ( = (bvxor sf of) True)
   */
  expr = smt2lib::ite(
            smt2lib::equal(
                smt2lib::bvxor(sf, of),
                smt2lib::bvtrue()
            ),
            smt2lib::bv(imm, REG_SIZE_BIT),
            smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic expression */
  se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");

  /* Add the constraint in the PathConstraints list */
  ap.addPathConstraint(se->getID());
}
Ejemplo n.º 11
0
void JbeIRBuilder::imm(Inst &inst) const {
  SymbolicExpression *se;
  smt2lib::smtAstAbstractNode *expr, *cf, *zf;
  auto imm = this->operands[0].getImm().getValue();

  /* Create the SMT semantic */
  cf = ap.buildSymbolicFlagOperand(ID_TMP_CF);
  zf = ap.buildSymbolicFlagOperand(ID_TMP_ZF);

  /* 
   * Finale expr
   * JNBE: Jump if below or equal (CF =1 or ZF =1).
   * SMT: ( = (bvor zf cf) (_ bv1 1))
   */
  expr = smt2lib::ite(
            smt2lib::equal(
              smt2lib::bvor(
                cf,
                zf
              ),
              smt2lib::bvtrue()
            ),
            smt2lib::bv(imm, REG_SIZE_BIT),
            smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic expression */
  se = ap.createRegSE(inst, expr, ID_TMP_RIP, REG_SIZE, "Program Counter");

  /* Apply the taint */
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_CF);
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_ZF);

  /* Add the constraint in the PathConstraints list */
  ap.addPathConstraint(se->getID());
}
Ejemplo n.º 12
0
SymbolicExpression *AnalysisProcessor::createRegSE(Inst &inst, smt2lib::smtAstAbstractNode *expr, RegisterOperand &reg, uint64 regSize, std::string comment) {
  uint64 regId = reg.getTritonRegId();
  smt2lib::smtAstAbstractNode *finalExpr = nullptr, *origReg = nullptr;

  origReg = this->buildSymbolicRegOperand(reg, REG_SIZE, 63, 0);

  switch (regSize) {
    case BYTE_SIZE:
      if (reg.getLow() == 0)
        finalExpr = smt2lib::concat(smt2lib::extract(63, 8, origReg), expr);
      else
        finalExpr = smt2lib::concat(smt2lib::extract(63, 16, origReg), smt2lib::concat(expr, smt2lib::extract(7, 0, origReg)));
      break;

    case WORD_SIZE:
      finalExpr = smt2lib::concat(smt2lib::extract(63, 16, origReg), expr);
      break;

    case DWORD_SIZE:
      /* In AMD64, if a reg32 is written, it clears the 32-bit MSB of the corresponding register (Thx Wisk!) */
      finalExpr = smt2lib::zx(DWORD_SIZE_BIT, expr);
      break;

    case QWORD_SIZE:
    case DQWORD_SIZE:
      finalExpr = expr;
      break;
  }

  SymbolicExpression *se = this->symEngine.newSymbolicExpression(finalExpr, comment);
  this->symEngine.symbolicReg[regId] = se->getID();
  inst.addExpression(se);

  return se;
}
Ejemplo n.º 13
0
SymbolicExpression *AnalysisProcessor::createMemSE(Inst &inst, smt2lib::smtAstAbstractNode *expr, MemoryOperand &mem, uint64 writeSize, std::string comment) {
  SymbolicExpression *se = nullptr;
  smt2lib::smtAstAbstractNode *tmp;
  std::list<smt2lib::smtAstAbstractNode *> ret;
  uint64 address = mem.getAddress();

  /*
   * As the x86's memory can be accessed without alignment, each byte of the
   * memory must be assigned to an unique reference.
   */
  while (writeSize) {
    /* Extract each byte of the memory */
    tmp = smt2lib::extract(((writeSize * REG_SIZE) - 1), ((writeSize * REG_SIZE) - REG_SIZE), expr);
    se  = symEngine.newSymbolicExpression(tmp, "byte reference");
    ret.push_back(tmp);
    inst.addExpression(se);
    /* Assign memory with little endian */
    this->symEngine.addMemoryReference((address + writeSize) - 1, se->getID());
    writeSize--;
  }

  /* If there is only one reference, we return the symbolic expression */
  if (ret.size() == 1)
    return se;

  /* Otherwise, we return the concatenation of all symbolic expressions */
  return symEngine.newSymbolicExpression(smt2lib::concat(ret), "concat reference");
}
Ejemplo n.º 14
0
/*
 * Converts an expression ID to a symbolic variable.
 * e.g:
 * #43 = (_ bv10 8)
 * convertExprToSymVar(43, 8)
 * #43 = SymVar_4
 */
SymbolicVariable *SymbolicEngine::convertExprToSymVar(uint64 exprId, uint64 symVarSize, std::string symVarComment) {
  SymbolicVariable    *symVar = nullptr;
  SymbolicExpression  *expression = this->getExpressionFromId(exprId);

  if (expression == nullptr)
    return nullptr;

  symVar = this->addSymbolicVariable(SymVar::kind::UNDEF, 0, symVarSize, symVarComment);

  expression->setExpression(smt2lib::variable(symVar->getSymVarName()));

  return symVar;
}
Ejemplo n.º 15
0
// Note: symVarSize is in BYTE.
SymbolicVariable *SymbolicEngine::convertMemToSymVar(uint64 memAddr, uint64 symVarSize, std::string symVarComment)
{
  SymbolicVariable   *symVar       = nullptr;
  SymbolicExpression *expression   = nullptr;
  smt2lib::smtAstAbstractNode *tmp = nullptr;
  uint64 memSymId                  = UNSET;

  uint64 size_quotient   = symVarSize;
  memSymId = this->getMemSymbolicID(memAddr);

  // First we create a symbolic variable
  symVar = this->addSymbolicVariable(SymVar::kind::MEM, memAddr, symVarSize * 8, symVarComment);
  smt2lib::smtAstAbstractNode *symVarNode = smt2lib::variable(symVar->getSymVarName());

  if (symVarNode == nullptr)
    throw std::runtime_error("convertMemToSymVar can't create smtAstAbstractNode (nullptr)");

  std::list<smt2lib::smtAstAbstractNode *> symMemChunk;
  while (size_quotient) {
      tmp = smt2lib::extract((REG_SIZE * size_quotient - 1), (REG_SIZE * size_quotient - REG_SIZE), symVarNode);
      symMemChunk.push_back(tmp);

      if (tmp == nullptr)
        throw std::runtime_error("convertMemToSymVar can't create extract (nullptr)");

      if (memSymId == UNSET) {
        if (size_quotient > 1 or symVarSize == 1) {
          expression = this->newSymbolicExpression(tmp, "byte reference");
        } else {
          smt2lib::smtAstAbstractNode *concat = smt2lib::concat(symMemChunk);
          expression = this->newSymbolicExpression(concat);
        }
      } else {
        expression = this->getExpressionFromId(memSymId);
        expression->setExpression(tmp);
      }

      if (expression == nullptr)
        throw std::runtime_error("convertMemToSymVar can't create symbolic expression (nullptr)");

      this->addMemoryReference((memAddr + size_quotient) - 1, expression->getID());

      size_quotient--;
  }

  return symVar;
}
Ejemplo n.º 16
0
SymbolicVariable *SymbolicEngine::convertMemToSymVar(uint64 memAddr, uint64 symVarSize, std::string symVarComment)
{
  SymbolicVariable   *symVar = nullptr;
  SymbolicExpression *expression = nullptr;
  uint64             memSymId = UNSET;

  memSymId = this->getMemSymbolicID(memAddr);
  if (memSymId == UNSET)
    throw std::runtime_error("SymbolicEngine::convertMemToSymVar() - This memory address is UNSET");

  expression = this->getExpressionFromId(memSymId);

  if (expression == nullptr)
    return nullptr;

  symVar = this->addSymbolicVariable(SymVar::kind::MEM, memAddr, symVarSize, symVarComment);

  expression->setExpression(smt2lib::variable(symVar->getSymVarName()));

  return symVar;
}
Ejemplo n.º 17
0
void JbIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  SymbolicExpression *se;
  smt2lib::smtAstAbstractNode *expr, *cf;
  uint64 imm   = this->operands[0].getValue();

  /* Create the SMT semantic */
  cf = ap.buildSymbolicFlagOperand(ID_CF);

  /* Finale expr */
  expr = smt2lib::ite(
            smt2lib::equal(
              cf,
              smt2lib::bvtrue()),
            smt2lib::bv(imm, REG_SIZE_BIT),
            smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic expression */
  se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");

  /* Add the constraint in the PathConstraints list */
  ap.addPathConstraint(se->getID());
}
Ejemplo n.º 18
0
SymbolicVariable *SymbolicEngine::convertRegToSymVar(uint64 regId, uint64 symVarSize, std::string symVarComment)
{
  SymbolicVariable   *symVar = nullptr;
  SymbolicExpression *expression = nullptr;
  uint64             regSymId = UNSET;

  if (regId >= ID_LAST_ITEM)
    throw std::runtime_error("SymbolicEngine::convertRegToSymVar() - Invalid register ID");

  regSymId = this->getRegSymbolicID(regId);
  if (regSymId == UNSET)
    throw std::runtime_error("SymbolicEngine::convertRegToSymVar() - This register ID is UNSET");

  expression = this->getExpressionFromId(regSymId);

  if (expression == nullptr)
    return nullptr;

  symVar = this->addSymbolicVariable(SymVar::kind::REG, regId, symVarSize, symVarComment);

  expression->setExpression(smt2lib::variable(symVar->getSymVarName()));

  return symVar;
}
Ejemplo n.º 19
0
static PyObject *SymbolicExpression_getNewAst(PyObject *self, PyObject *noarg) {
  SymbolicExpression *expression = PySymbolicExpression_AsSymbolicExpression(self);
  return PySmtAstNode(smt2lib::newInstance(expression->getExpression()));
}
Ejemplo n.º 20
0
static PyObject *SymbolicExpression_getKind(PyObject *self, PyObject *noarg) {
  SymbolicExpression *expression = PySymbolicExpression_AsSymbolicExpression(self);
  return Py_BuildValue("k", expression->getKind());
}
Ejemplo n.º 21
0
static PyObject *SymbolicExpression_getAst(PyObject *self, PyObject *noarg) {
  SymbolicExpression *expression = PySymbolicExpression_AsSymbolicExpression(self);
  return PySmtAstNode(expression->getExpression());
}
Ejemplo n.º 22
0
static PyObject *SymbolicExpression_isMem(PyObject *self, PyObject *noarg) {
  SymbolicExpression *expression = PySymbolicExpression_AsSymbolicExpression(self);
  if (expression->isMem() == true)
    Py_RETURN_TRUE;
  Py_RETURN_FALSE;
}