void ShlIRBuilder::memImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
auto memSize = this->operands[0].getMem().getSize();
auto mem = this->operands[0].getMem();
auto imm = this->operands[1].getImm().getValue();
/* Create the SMT semantic */
op1 = ap.buildSymbolicMemOperand(mem, memSize);
op2 = smt2lib::bv(imm, memSize * REG_SIZE);
/* Final expr */
expr = smt2lib::bvshl(op1, op2);
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se, mem, mem, memSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfShl(inst, se, ap, memSize, op1, op2);
EflagsBuilder::ofShl(inst, se, ap, memSize, op1, op2);
EflagsBuilder::pfShl(inst, se, ap, memSize, op2);
EflagsBuilder::sfShl(inst, se, ap, memSize, op2);
EflagsBuilder::zfShl(inst, se, ap, memSize, op2);
}
void NegIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto mem = this->operands[0].getMem();
auto memSize = this->operands[0].getMem().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicMemOperand(mem, memSize);
/* Finale expr */
expr = smt2lib::bvneg(op1);
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se, mem, mem, memSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::afNeg(inst, se, ap, memSize, op1);
EflagsBuilder::cfNeg(inst, se, ap, memSize, op1);
EflagsBuilder::ofNeg(inst, se, ap, memSize, op1);
EflagsBuilder::pf(inst, se, ap, memSize);
EflagsBuilder::sf(inst, se, ap, memSize);
EflagsBuilder::zf(inst, se, ap, memSize);
}
void RolIRBuilder::memImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
uint32 writeSize = this->operands[0].getSize();
uint64 mem = this->operands[0].getValue();
uint64 imm = this->operands[1].getValue();
/* Create the SMT semantic */
op1 = ap.buildSymbolicMemOperand(mem, writeSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(imm);
/* Final expr */
expr = smt2lib::bvrol(op2, op1);
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, writeSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se, mem, mem, writeSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRol(inst, se, ap, op2);
EflagsBuilder::ofRol(inst, se, ap, writeSize, op2);
}
void IncIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint64 mem = this->operands[0].getValue();
uint32 memSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(mem, memSize);
op2 << smt2lib::bv(1, memSize * REG_SIZE);
/* Finale expr */
expr << smt2lib::bvadd(op1.str(), op2.str());
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se, mem, mem, memSize);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::af(inst, se, ap, memSize, op1, op2);
EflagsBuilder::ofAdd(inst, se, ap, memSize, op1, op2);
EflagsBuilder::pf(inst, se, ap);
EflagsBuilder::sf(inst, se, ap, memSize);
EflagsBuilder::zf(inst, se, ap, memSize);
}
void RolIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
auto memSize = this->operands[0].getMem().getSize();
auto mem = this->operands[0].getMem();
/* Create the SMT semantic */
op1 = ap.buildSymbolicMemOperand(mem, memSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(ap.getRegisterValue(ID_TMP_RCX) & 0xff); /* 0xff -> There is only CL available */
// Final expr
expr = smt2lib::bvrol(op2, op1);
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se, mem, mem, memSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRol(inst, se, ap, op2);
EflagsBuilder::ofRol(inst, se, ap, memSize, op2);
}
void RorIRBuilder::memImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint32 writeSize = this->operands[0].getSize();
uint64 mem = this->operands[0].getValue();
uint64 imm = this->operands[1].getValue();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(mem, writeSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 << imm;
/* Final expr */
expr << smt2lib::bvror(op1.str(), op2.str());
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, writeSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se, mem, mem, writeSize);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::cfRor(inst, se, ap, writeSize, op2);
EflagsBuilder::ofRor(inst, se, ap, writeSize, op2);
}
void ShrIRBuilder::memImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint32_t writeSize = this->operands[0].getSize();
uint64_t mem = this->operands[0].getValue();
uint64_t imm = this->operands[1].getValue();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(mem, writeSize);
op2 << smt2lib::bv(imm, writeSize * REG_SIZE);
/* Final expr */
expr << smt2lib::bvlshr(op1.str(), op2.str());
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, writeSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se, mem, mem);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::cfShr(inst, se, ap, writeSize, op1, op2);
EflagsBuilder::ofShr(inst, se, ap, writeSize, op1, op2);
EflagsBuilder::pfShl(inst, se, ap, writeSize, op2) /* Same that shl */;
EflagsBuilder::sfShl(inst, se, ap, writeSize, op2) /* Same that shl */;
EflagsBuilder::zfShl(inst, se, ap, writeSize, op2) /* Same that shl */;
}
void NotIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1;
uint64_t mem = this->operands[0].getValue();
uint32_t memSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(mem, memSize);
/* Finale expr */
expr << smt2lib::bvnot(op1.str());
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se, mem, mem);
}
void NotIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto mem = this->operands[0].getMem().getAddress();
auto memSize = this->operands[0].getMem().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicMemOperand(mem, memSize);
/* Finale expr */
expr = smt2lib::bvnot(op1);
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se, mem, mem, memSize);
}
void RcrIRBuilder::memImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se1, *se2;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *cf, *res;
uint32 writeSize = this->operands[0].getSize();
uint64 mem = this->operands[0].getValue();
uint64 imm = this->operands[1].getValue();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_CF);
op1 = ap.buildSymbolicMemOperand(mem, writeSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(imm);
/* Rcl expression */
expr = smt2lib::bvror(
op2,
smt2lib::concat(cf, op1)
);
/* Temporary extended expression */
se1 = ap.createSE(inst, expr, "Temporary Extended Expression");
/* Apply the taint */
ap.assignmentSpreadTaintExprMem(se1, mem, writeSize);
/* Result expression */
res = smt2lib::extract((writeSize * REG_SIZE) - 1, 0, expr);
/* Create the symbolic expression */
se2 = ap.createMemSE(inst, res, mem, writeSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se2, mem, mem, writeSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRcl(inst, se1, ap, writeSize, op2); /* Same as RCL */
EflagsBuilder::ofRor(inst, se2, ap, writeSize, op2); /* Same as ROR */
}
void RclIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se1, *se2;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *cf, *res;
auto memSize = this->operands[0].getMem().getSize();
auto mem = this->operands[0].getMem();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_TMP_CF);
op1 = ap.buildSymbolicMemOperand(mem, memSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(ap.getRegisterValue(ID_TMP_RCX) & 0xff); /* 0xff -> There is only CL available */
/* Rcl expression */
expr = smt2lib::bvrol(
op2,
smt2lib::concat(cf, op1)
);
/* Temporary extended expression */
se1 = ap.createSE(inst, expr, "Temporary Extended Expression");
/* Apply the taint */
ap.assignmentSpreadTaintExprMem(se1, mem, memSize);
/* Result expression */
res = smt2lib::extract((memSize * REG_SIZE) - 1, 0, expr);
/* Create the symbolic expression */
se2 = ap.createMemSE(inst, res, mem, memSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se2, mem, mem, memSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRcl(inst, se1, ap, memSize, op2);
EflagsBuilder::ofRol(inst, se2, ap, memSize, op2); /* Same as ROL */
}
