void LeaveIRBuilder::none(Inst &inst) const {
SymbolicExpression *se1, *se2;
smt2lib::smtAstAbstractNode *expr1, *expr2;
auto mem = this->operands[0].getMem(); // The src memory read
auto memSize = this->operands[0].getMem().getSize();
// RSP = RBP; -----------------------------
expr1 = ap.buildSymbolicRegOperand(ID_TMP_RBP, REG_SIZE);
/* Create the symbolic expression */
se1 = ap.createRegSE(inst, expr1, ID_TMP_RSP, REG_SIZE);
/* Apply the taint */
ap.assignmentSpreadTaintRegReg(se1, ID_TMP_RSP, ID_TMP_RBP);
// RSP = RBP; -----------------------------
// RBP = Pop(); ---------------------------
expr2 = ap.buildSymbolicMemOperand(mem, memSize);
/* Create the symbolic expression */
se2 = ap.createRegSE(inst, expr2, ID_TMP_RBP, REG_SIZE);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se2, ID_TMP_RBP, mem, memSize);
// RBP = Pop(); ---------------------------
/* Add the symbolic expression to the current inst */
alignStack(inst, memSize);
}
void LeaveIRBuilder::none(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se1, *se2;
std::stringstream expr1, expr2;
uint64 readMem = this->operands[0].getValue(); // The src memory read
uint32 readSize = this->operands[0].getSize();
// RSP = RBP; -----------------------------
expr1 << ap.buildSymbolicRegOperand(ID_RBP, REG_SIZE);
/* Create the symbolic element */
se1 = ap.createRegSE(inst, expr1, ID_RSP, REG_SIZE);
/* Apply the taint */
ap.assignmentSpreadTaintRegReg(se1, ID_RSP, ID_RBP);
// RSP = RBP; -----------------------------
// RBP = Pop(); ---------------------------
expr2 << ap.buildSymbolicMemOperand(readMem, readSize);
/* Create the symbolic element */
se2 = ap.createRegSE(inst, expr2, ID_RBP, REG_SIZE);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se2, ID_RBP, readMem, readSize);
// RBP = Pop(); ---------------------------
/* Add the symbolic element to the current inst */
alignStack(inst, ap, readSize);
}
void CallIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr1, expr2;
uint64_t imm = this->operands[0].getValue();
uint64_t memDst = this->operands[1].getValue(); // The dst memory write
uint32_t writeSize = this->operands[1].getSize();
/* Create the SMT semantic side effect */
alignStack(inst, ap, writeSize);
/* Create the SMT semantic */
/* *RSP = Next_RIP */
expr1 << smt2lib::bv(this->nextAddress, writeSize * REG_SIZE);
/* Create the symbolic element */
se = ap.createMemSE(inst, expr1, memDst, writeSize, "Saved RIP");
/* Apply the taint */
ap.assignmentSpreadTaintMemImm(se, memDst, writeSize);
/* Create the SMT semantic */
/* RIP = imm */
expr2 << smt2lib::bv(imm, writeSize * REG_SIZE);
/* Create the symbolic element */
se = ap.createRegSE(inst, expr2, ID_RIP, REG_SIZE, "RIP");
/* Apply the taint */
ap.assignmentSpreadTaintRegImm(se, ID_RIP);
}
void RetIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1;
uint64_t imm = this->operands[0].getValue();
uint64_t memSrc = this->operands[1].getValue(); // The dst memory read
uint32_t readSize = this->operands[1].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(memSrc, readSize);
/* Finale expr */
expr << op1.str();
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, ID_RIP, memSrc, readSize);
/* Create the SMT semantic side effect */
alignStack(inst, ap);
alignStack(inst, ap, imm);
}
void PushIRBuilder::mem(Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto mem1 = this->operands[0].getMem(); // Mem pushed
auto memSize1 = this->operands[0].getMem().getSize();
auto mem2 = this->operands[1].getMem(); // The dst memory writing
auto memSize2 = this->operands[1].getMem().getSize();
/* Create the SMT semantic side effect */
alignStack(inst, memSize2);
/* Create the SMT semantic */
op1 = ap.buildSymbolicMemOperand(mem1, memSize1);
/* Finale expr */
expr = op1;
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem2, memSize2);
/* Apply the taint */
ap.assignmentSpreadTaintMemMem(se, mem2, mem1, memSize1);
}
void PushIRBuilder::imm(Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto imm = this->operands[0].getImm().getValue(); // Imm pushed
auto mem = this->operands[1].getMem(); // The dst memory writing
auto memSize = this->operands[1].getMem().getSize();
/* Create the SMT semantic side effect */
alignStack(inst, memSize);
/* Create the SMT semantic */
/* OP_1 */
op1 = smt2lib::bv(imm, memSize * BYTE_SIZE_BIT);
/* Finale expr */
expr = op1;
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.assignmentSpreadTaintMemImm(se, mem, memSize);
}
void PushIRBuilder::reg(Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto reg = this->operands[0].getReg(); // Reg pushed
auto mem = this->operands[1].getMem(); // The dst memory writing
auto regSize = this->operands[0].getReg().getSize();
auto memSize = this->operands[1].getMem().getSize();
/* Create the SMT semantic side effect */
alignStack(inst, memSize);
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
/* Finale expr */
expr = op1;
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.assignmentSpreadTaintMemReg(se, mem, reg, memSize);
}
