void ImulIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const { SymbolicExpression *se; smt2lib::smtAstAbstractNode *expr, *op1, *op2, *op3; uint64 imm = 0; auto reg1 = this->operands[0].getReg(); auto regSize1 = this->operands[0].getReg().getSize(); auto mem2 = this->operands[1].getMem(); auto memSize2 = this->operands[1].getMem().getSize(); if (this->operands[2].getType() == IRBuilderOperand::IMM) imm = this->operands[2].getImm().getValue(); /* Create the SMT semantic */ op1 = ap.buildSymbolicRegOperand(reg1, regSize1); op2 = ap.buildSymbolicMemOperand(mem2, memSize2); op3 = smt2lib::bv(imm, memSize2 * REG_SIZE); /* Case 1 */ if (this->operands[0].isReadOnly()) { /* Expr */ expr = smt2lib::bvmul( smt2lib::sx(memSize2 * REG_SIZE, op2), smt2lib::sx(regSize1 * REG_SIZE, op1) ); switch (regSize1) { case BYTE_SIZE: /* RAX */ se = ap.createRegSE(inst, smt2lib::extract(WORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, WORD_SIZE); ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem2, memSize2); break; case WORD_SIZE: /* RDX */ se = ap.createRegSE(inst, smt2lib::extract(DWORD_SIZE_BIT - 1, WORD_SIZE_BIT, expr), ID_TMP_RDX, WORD_SIZE); ap.aluSpreadTaintRegMem(se, ID_TMP_RDX, mem2, memSize2); /* RAX */ se = ap.createRegSE(inst, smt2lib::extract(WORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, WORD_SIZE); ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem2, memSize2); break; case DWORD_SIZE: /* RDX */ se = ap.createRegSE(inst, smt2lib::extract(QWORD_SIZE_BIT - 1, DWORD_SIZE_BIT, expr), ID_TMP_RDX, DWORD_SIZE); ap.aluSpreadTaintRegMem(se, ID_TMP_RDX, mem2, memSize2); /* RAX */ se = ap.createRegSE(inst, smt2lib::extract(DWORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, DWORD_SIZE); ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem2, memSize2); break; case QWORD_SIZE: /* RDX */ se = ap.createRegSE(inst, smt2lib::extract(DQWORD_SIZE_BIT - 1, QWORD_SIZE_BIT, expr), ID_TMP_RDX, QWORD_SIZE); ap.aluSpreadTaintRegMem(se, ID_TMP_RDX, mem2, memSize2); /* RAX */ se = ap.createRegSE(inst, smt2lib::extract(QWORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, QWORD_SIZE); ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem2, memSize2); break; default: throw std::runtime_error("ImulIRBuilder::reg - Invalid operand size"); } } /* Case 2 */ else if (this->operands[0].isReadAndWrite()) { /* Expr */ expr = smt2lib::bvmul( smt2lib::sx(regSize1 * REG_SIZE, op1), smt2lib::sx(memSize2 * REG_SIZE, op2) ); /* Create the symbolic expression */ se = ap.createRegSE(inst, smt2lib::extract((regSize1 * REG_SIZE) - 1, 0, expr), reg1, regSize1); /* Apply the taint */ ap.aluSpreadTaintRegMem(se, reg1, mem2, memSize2); } /* Case 3 */ else if (this->operands[0].isWriteOnly()) { /* Expr */ expr = smt2lib::bvmul( smt2lib::sx(memSize2 * REG_SIZE, op2), smt2lib::sx(memSize2 * REG_SIZE, op3) ); /* Create the symbolic expression */ se = ap.createRegSE(inst, smt2lib::extract((regSize1 * REG_SIZE) - 1, 0, expr), reg1, regSize1); /* Apply the taint */ ap.aluSpreadTaintRegMem(se, reg1, mem2, memSize2); } else { throw std::runtime_error("ImulIRBuilder::regReg - Invalid operand"); } /* Add the symbolic flags expression to the current inst */ EflagsBuilder::cfImul(inst, se, ap, regSize1, expr); EflagsBuilder::ofImul(inst, se, ap, regSize1, expr); EflagsBuilder::sf(inst, se, ap, regSize1); }
static PyObject *Triton_restoreSnapshot(PyObject *self, PyObject *noarg) { ap.restoreSnapshot(); return Py_None; }
static PyObject *Triton_takeSnapshot(PyObject *self, PyObject *noarg) { ap.takeSnapshot(); return Py_None; }
static PyObject *Triton_disableSnapshot(PyObject *self, PyObject *noarg) { ap.disableSnapshot(); return Py_None; }
static PyObject *Triton_isSnapshotEnabled(PyObject *self, PyObject *noarg) { if (ap.isSnapshotEnabled() == true) return Py_True; return Py_False; }
void SetleIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const { SymbolicExpression *se; smt2lib::smtAstAbstractNode *expr, *sf, *of, *zf; auto mem = this->operands[0].getMem(); auto memSize = this->operands[0].getMem().getSize(); /* Create the flag SMT semantic */ sf = ap.buildSymbolicFlagOperand(ID_TMP_SF); of = ap.buildSymbolicFlagOperand(ID_TMP_OF); zf = ap.buildSymbolicFlagOperand(ID_TMP_ZF); /* Finale expr */ expr = smt2lib::ite( smt2lib::equal( smt2lib::bvor(smt2lib::bvxor(sf, of), zf), smt2lib::bvtrue()), smt2lib::bv(1, BYTE_SIZE_BIT), smt2lib::bv(0, BYTE_SIZE_BIT)); /* Create the symbolic expression */ se = ap.createMemSE(inst, expr, mem, memSize); /* Apply the taint via the concretization */ if (((ap.getFlagValue(ID_TMP_SF) ^ ap.getFlagValue(ID_TMP_OF)) | ap.getFlagValue(ID_TMP_ZF)) == 1) { if (ap.isRegTainted(ID_TMP_SF) == TAINTED) ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_SF, memSize); else if (ap.isRegTainted(ID_TMP_OF) == TAINTED) ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_OF, memSize); else ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_ZF, memSize); } }
static PyObject *Triton_concretizeAllReg(PyObject *self, PyObject *noarg) { ap.concretizeAllReg(); return Py_True; }
void DivIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const { SymbolicExpression *se; smt2lib::smtAstAbstractNode *expr, *result, *dividend, *divisor, *mod; auto reg = this->operands[0].getReg().getTritonRegId(); auto regSize = this->operands[0].getReg().getSize(); /* Create the SMT semantic */ divisor = ap.buildSymbolicRegOperand(reg, regSize); switch (regSize) { case BYTE_SIZE: /* AX */ dividend = ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE); /* res = AX / Source */ result = smt2lib::bvudiv(dividend, smt2lib::zx(BYTE_SIZE_BIT, divisor)); /* mod = AX % Source */ mod = smt2lib::bvurem(dividend, smt2lib::zx(BYTE_SIZE_BIT, divisor)); /* AH = mod */ /* AL = res */ expr = smt2lib::concat( smt2lib::extract(7, 0, mod), /* AH = mod */ smt2lib::extract(7, 0, result) /* AL = res */ ); /* Create the symbolic expression */ se = ap.createRegSE(inst, expr, ID_RAX, WORD_SIZE); /* Apply the taint */ ap.aluSpreadTaintRegReg(se, ID_RAX, reg); break; case WORD_SIZE: /* DX:AX */ dividend = smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, WORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE)); /* res = DX:AX / Source */ result = smt2lib::extract(15, 0, smt2lib::bvudiv(dividend, smt2lib::zx(WORD_SIZE_BIT, divisor))); /* mod = DX:AX % Source */ mod = smt2lib::extract(15, 0, smt2lib::bvurem(dividend, smt2lib::zx(WORD_SIZE_BIT, divisor))); /* Create the symbolic expression for AX */ se = ap.createRegSE(inst, result, ID_RAX, WORD_SIZE); /* Apply the taint for AX */ ap.aluSpreadTaintRegReg(se, ID_RAX, reg); /* Create the symbolic expression for DX */ se = ap.createRegSE(inst, mod, ID_RDX, WORD_SIZE); /* Apply the taint for DX */ ap.aluSpreadTaintRegReg(se, ID_RDX, reg); break; case DWORD_SIZE: /* EDX:EAX */ dividend = smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, DWORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, DWORD_SIZE)); /* res = EDX:EAX / Source */ result = smt2lib::extract(31, 0, smt2lib::bvudiv(dividend, smt2lib::zx(DWORD_SIZE_BIT, divisor))); /* mod = EDX:EAX % Source */ mod = smt2lib::extract(31, 0, smt2lib::bvurem(dividend, smt2lib::zx(DWORD_SIZE_BIT, divisor))); /* Create the symbolic expression for EAX */ se = ap.createRegSE(inst, result, ID_RAX, DWORD_SIZE); /* Apply the taint for EAX */ ap.aluSpreadTaintRegReg(se, ID_RAX, reg); /* Create the symbolic expression for EDX */ se = ap.createRegSE(inst, mod, ID_RDX, DWORD_SIZE); /* Apply the taint for EDX */ ap.aluSpreadTaintRegReg(se, ID_RDX, reg); break; case QWORD_SIZE: /* RDX:RAX */ dividend = smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, QWORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, QWORD_SIZE)); /* res = RDX:RAX / Source */ result = smt2lib::extract(63, 0, smt2lib::bvudiv(dividend, smt2lib::zx(QWORD_SIZE_BIT, divisor))); /* mod = RDX:RAX % Source */ mod = smt2lib::extract(63, 0, smt2lib::bvurem(dividend, smt2lib::zx(QWORD_SIZE_BIT, divisor))); /* Create the symbolic expression for RAX */ se = ap.createRegSE(inst, result, ID_RAX, QWORD_SIZE); /* Apply the taint for RAX */ ap.aluSpreadTaintRegReg(se, ID_RAX, reg); /* Create the symbolic expression for RDX */ se = ap.createRegSE(inst, mod, ID_RDX, QWORD_SIZE); /* Apply the taint for RDX */ ap.aluSpreadTaintRegReg(se, ID_RDX, reg); break; } }
void IdivIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const { SymbolicElement *se; std::stringstream expr, result, dividend, divisor, mod; uint64 mem = this->operands[0].getValue(); uint32 memSize = this->operands[0].getSize(); /* Create the SMT semantic */ divisor << ap.buildSymbolicMemOperand(mem, memSize); switch (memSize) { case BYTE_SIZE: /* AX */ dividend << ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE); /* res = AX / Source */ result << smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), BYTE_SIZE_BIT)); /* mod = AX % Source */ mod << smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), BYTE_SIZE_BIT)); /* AH = mod */ /* AL = res */ expr << smt2lib::concat( smt2lib::extract(7, 0, mod.str()), /* AH = mod */ smt2lib::extract(7, 0, result.str()) /* AL = res */ ); /* Create the symbolic element */ se = ap.createRegSE(inst, expr, ID_RAX, WORD_SIZE); /* Apply the taint */ ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize); break; case WORD_SIZE: /* DX:AX */ dividend << smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, WORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE)); /* res = DX:AX / Source */ result << smt2lib::extract(15, 0, smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), WORD_SIZE_BIT))); /* mod = DX:AX % Source */ mod << smt2lib::extract(15, 0, smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), WORD_SIZE_BIT))); /* Create the symbolic element for AX */ se = ap.createRegSE(inst, result, ID_RAX, WORD_SIZE); /* Apply the taint for AX */ ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize); /* Create the symbolic element for DX */ se = ap.createRegSE(inst, mod, ID_RDX, WORD_SIZE); /* Apply the taint for DX */ ap.aluSpreadTaintRegMem(se, ID_RDX, mem, memSize); break; case DWORD_SIZE: /* EDX:EAX */ dividend << smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, DWORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, DWORD_SIZE)); /* res = EDX:EAX / Source */ result << smt2lib::extract(31, 0, smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), DWORD_SIZE_BIT))); /* mod = EDX:EAX % Source */ mod << smt2lib::extract(31, 0, smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), DWORD_SIZE_BIT))); /* Create the symbolic element for EAX */ se = ap.createRegSE(inst, result, ID_RAX, DWORD_SIZE); /* Apply the taint for EAX */ ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize); /* Create the symbolic element for EDX */ se = ap.createRegSE(inst, mod, ID_RDX, DWORD_SIZE); /* Apply the taint for EDX */ ap.aluSpreadTaintRegMem(se, ID_RDX, mem, memSize); break; case QWORD_SIZE: /* RDX:RAX */ dividend << smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, QWORD_SIZE), ap.buildSymbolicRegOperand(ID_RDX, QWORD_SIZE)); /* res = RDX:RAX / Source */ result << smt2lib::extract(63, 0, smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), QWORD_SIZE_BIT))); /* mod = RDX:RAX % Source */ mod << smt2lib::extract(63, 0, smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), QWORD_SIZE_BIT))); /* Create the symbolic element for RAX */ se = ap.createRegSE(inst, result, ID_RAX, QWORD_SIZE); /* Apply the taint for RAX */ ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize); /* Create the symbolic element for RDX */ se = ap.createRegSE(inst, mod, ID_RDX, QWORD_SIZE); /* Apply the taint for RDX */ ap.aluSpreadTaintRegMem(se, ID_RDX, mem, memSize); break; } }
void MulIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const { SymbolicExpression *se; smt2lib::smtAstAbstractNode *expr, *op1, *op2, *rax, *rdx; auto reg = this->operands[0].getReg(); auto regSize = this->operands[0].getReg().getSize(); /* Create the SMT semantic */ op1 = ap.buildSymbolicRegOperand(ID_TMP_RAX, regSize); op2 = ap.buildSymbolicRegOperand(reg, regSize); switch (regSize) { /* AX = AL * r/m8 */ case BYTE_SIZE: /* Final expr */ expr = smt2lib::bvmul( smt2lib::zx(BYTE_SIZE_BIT, op1), smt2lib::zx(BYTE_SIZE_BIT, op2) ); /* Create the symbolic expression */ se = ap.createRegSE(inst, expr, ID_TMP_RAX, WORD_SIZE); /* Apply the taint */ ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg); /* Add the symbolic flags expression to the current inst */ rax = smt2lib::extract((WORD_SIZE_BIT - 1), BYTE_SIZE_BIT, expr); EflagsBuilder::cfMul(inst, se, ap, regSize, rax); EflagsBuilder::ofMul(inst, se, ap, regSize, rax); break; /* DX:AX = AX * r/m16 */ case WORD_SIZE: /* Final expr */ expr = smt2lib::bvmul( smt2lib::zx(WORD_SIZE_BIT, op1), smt2lib::zx(WORD_SIZE_BIT, op2) ); rax = smt2lib::extract((WORD_SIZE_BIT - 1), 0, expr); rdx = smt2lib::extract((DWORD_SIZE_BIT - 1), WORD_SIZE_BIT, expr); /* Create the symbolic expression for AX */ se = ap.createRegSE(inst, rax, ID_TMP_RAX, WORD_SIZE); /* Apply the taint */ ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg); /* Create the symbolic expression for DX */ se = ap.createRegSE(inst, rdx, ID_TMP_RDX, WORD_SIZE); /* Apply the taint */ ap.aluSpreadTaintRegReg(se, ID_TMP_RDX, reg); /* Add the symbolic flags expression to the current inst */ EflagsBuilder::cfMul(inst, se, ap, regSize, rdx); EflagsBuilder::ofMul(inst, se, ap, regSize, rdx); break; /* EDX:EAX = EAX * r/m32 */ case DWORD_SIZE: /* Final expr */ expr = smt2lib::bvmul( smt2lib::zx(DWORD_SIZE_BIT, op1), smt2lib::zx(DWORD_SIZE_BIT, op2) ); rax = smt2lib::extract((DWORD_SIZE_BIT - 1), 0, expr); rdx = smt2lib::extract((QWORD_SIZE_BIT - 1), DWORD_SIZE_BIT, expr); /* Create the symbolic expression for EAX */ se = ap.createRegSE(inst, rax, ID_TMP_RAX, DWORD_SIZE); /* Apply the taint */ ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg); /* Create the symbolic expression for EDX */ se = ap.createRegSE(inst, rdx, ID_TMP_RDX, DWORD_SIZE); /* Apply the taint */ ap.aluSpreadTaintRegReg(se, ID_TMP_RDX, reg); /* Add the symbolic flags expression to the current inst */ EflagsBuilder::cfMul(inst, se, ap, regSize, rdx); EflagsBuilder::ofMul(inst, se, ap, regSize, rdx); break; /* RDX:RAX = RAX * r/m64 */ case QWORD_SIZE: /* Final expr */ expr = smt2lib::bvmul( smt2lib::zx(QWORD_SIZE_BIT, op1), smt2lib::zx(QWORD_SIZE_BIT, op2) ); rax = smt2lib::extract((QWORD_SIZE_BIT - 1), 0, expr); rdx = smt2lib::extract((DQWORD_SIZE_BIT - 1), QWORD_SIZE_BIT, expr); /* Create the symbolic expression for RAX */ se = ap.createRegSE(inst, rax, ID_TMP_RAX, QWORD_SIZE); /* Apply the taint */ ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg); /* Create the symbolic expression for RDX */ se = ap.createRegSE(inst, rdx, ID_TMP_RDX, QWORD_SIZE); /* Apply the taint */ ap.aluSpreadTaintRegReg(se, ID_TMP_RDX, reg); /* Add the symbolic flags expression to the current inst */ EflagsBuilder::cfMul(inst, se, ap, regSize, rdx); EflagsBuilder::ofMul(inst, se, ap, regSize, rdx); break; } }
void SetnleIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const { SymbolicElement *se; std::stringstream expr, mem1e, sf, of, zf; uint64 mem = this->operands[0].getValue(); uint64 memSize = this->operands[0].getSize(); /* Create the flag SMT semantic */ sf << ap.buildSymbolicFlagOperand(ID_SF); of << ap.buildSymbolicFlagOperand(ID_OF); zf << ap.buildSymbolicFlagOperand(ID_ZF); mem1e << ap.buildSymbolicMemOperand(mem, memSize); /* Finale expr */ expr << smt2lib::ite( smt2lib::equal( smt2lib::bvor(smt2lib::bvxor(sf.str(), of.str()), zf.str()), smt2lib::bvfalse()), smt2lib::bv(1, BYTE_SIZE_BIT), smt2lib::bv(0, BYTE_SIZE_BIT)); /* Create the symbolic element */ se = ap.createMemSE(inst, expr, mem, memSize); /* Apply the taint via the concretization */ if (((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0) { if (ap.isRegTainted(ID_SF) == TAINTED) ap.assignmentSpreadTaintMemReg(se, mem, ID_SF, memSize); else if (ap.isRegTainted(ID_OF) == TAINTED) ap.assignmentSpreadTaintMemReg(se, mem, ID_OF, memSize); else ap.assignmentSpreadTaintMemReg(se, mem, ID_ZF, memSize); } }
static PyObject *Triton_isSnapshotEnabled(PyObject *self, PyObject *noarg) { if (ap.isSnapshotEnabled() == true) Py_RETURN_TRUE; Py_RETURN_FALSE; }
static PyObject *Triton_concretizeAllReg(PyObject *self, PyObject *noarg) { ap.concretizeAllReg(); Py_RETURN_TRUE; }
static PyObject *Triton_restoreSnapshot(PyObject *self, PyObject *noarg) { ap.setSnapshotRestoreFlag(true); Py_INCREF(Py_None); return Py_None; }