void JleIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *sf, *of, *zf;
auto imm = this->operands[0].getImm().getValue();
/* Create the SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_TMP_SF);
of = ap.buildSymbolicFlagOperand(ID_TMP_OF);
zf = ap.buildSymbolicFlagOperand(ID_TMP_ZF);
/*
* Finale expr
* JLE: Jump if less or equal ((SF^OF | ZF) == 1).
* SMT: ( = (bvor (bvxor sf of) zf) TRUE)
*/
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(smt2lib::bvxor(sf, of), zf),
smt2lib::bvtrue()
),
smt2lib::bv(imm, REG_SIZE_BIT),
smt2lib::bv(this->nextAddress, REG_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, ID_TMP_RIP, REG_SIZE, "RIP");
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_SF);
ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_OF);
ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_ZF);
/* Add the constraint in the PathConstraints list */
ap.addPathConstraint(se->getID());
}
void SubIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
auto reg1 = this->operands[0].getReg();
auto reg2 = this->operands[1].getReg();
auto regSize1 = this->operands[0].getReg().getSize();
auto regSize2 = this->operands[1].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg1, regSize1);
op2 = ap.buildSymbolicRegOperand(reg2, regSize2);
// Final expr
expr = smt2lib::bvsub(op1, op2);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg2);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::af(inst, se, ap, regSize1, op1, op2);
EflagsBuilder::cfSub(inst, se, ap, regSize1, op1, op2);
EflagsBuilder::ofSub(inst, se, ap, regSize1, op1, op2);
EflagsBuilder::pf(inst, se, ap, regSize1);
EflagsBuilder::sf(inst, se, ap, regSize1);
EflagsBuilder::zf(inst, se, ap, regSize1);
}
void AddIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint64_t reg1 = this->operands[0].getValue();
uint64_t reg2 = this->operands[1].getValue();
uint32_t regSize1 = this->operands[0].getSize();
uint32_t regSize2 = this->operands[1].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg1, regSize1);
op2 << ap.buildSymbolicRegOperand(reg2, regSize2);
// Final expr
expr << smt2lib::bvadd(op1.str(), op2.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg2);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::af(inst, se, ap, regSize1, op1, op2);
EflagsBuilder::cfAdd(inst, se, ap, op1);
EflagsBuilder::ofAdd(inst, se, ap, regSize1, op1, op2);
EflagsBuilder::pf(inst, se, ap);
EflagsBuilder::sf(inst, se, ap, regSize1);
EflagsBuilder::zf(inst, se, ap, regSize1);
}
void JnsIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *sf;
auto imm = this->operands[0].getImm().getValue();
/* Create the SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_TMP_SF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
sf,
smt2lib::bvfalse()),
smt2lib::bv(imm, REG_SIZE_BIT),
smt2lib::bv(this->nextAddress, REG_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, ID_TMP_RIP, REG_SIZE, "RIP");
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_SF);
/* Add the constraint in the PathConstraints list */
ap.addPathConstraint(se->getID());
}
void RolIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
uint64 reg1 = this->operands[0].getValue();
uint32 regSize1 = this->operands[0].getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg1, regSize1);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(ap.getRegisterValue(ID_RCX) & 0xff); /* 0xff -> There is only CL available */
// Final expr
expr = smt2lib::bvrol(op2, op1);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg1);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRol(inst, se, ap, op2);
EflagsBuilder::ofRol(inst, se, ap, regSize1, op2);
}
void ShlIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint64 reg = this->operands[0].getValue();
uint32 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg, regSize);
op2 << smt2lib::zx(ap.buildSymbolicRegOperand(ID_RCX, 1), (regSize - 1) * REG_SIZE);
/* Finale expr */
expr << smt2lib::bvshl(op1.str(), op2.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::cfShl(inst, se, ap, regSize, op1, op2);
EflagsBuilder::ofShl(inst, se, ap, regSize, op1, op2);
EflagsBuilder::pfShl(inst, se, ap, regSize, op2);
EflagsBuilder::sfShl(inst, se, ap, regSize, op2);
EflagsBuilder::zfShl(inst, se, ap, regSize, op2);
}
void RolIRBuilder::regImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
uint64 reg = this->operands[0].getValue();
uint64 imm = this->operands[1].getValue();
uint32 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(imm);
/* Finale expr */
expr = smt2lib::bvrol(op2, op1);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRol(inst, se, ap, op2);
EflagsBuilder::ofRol(inst, se, ap, regSize, op2);
}
void RorIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint64 reg1 = this->operands[0].getValue();
uint32 regSize1 = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg1, regSize1);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 << (ap.getRegisterValue(ID_RCX) & 0xff); /* 0xff -> There is only CL available */
// Final expr
expr << smt2lib::bvror(op1.str(), op2.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg1);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::cfRor(inst, se, ap, regSize1, op2);
EflagsBuilder::ofRor(inst, se, ap, regSize1, op2);
}
void RorIRBuilder::regImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint64 reg = this->operands[0].getValue();
uint64 imm = this->operands[1].getValue();
uint32 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg, regSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 << imm;
/* Finale expr */
expr << smt2lib::bvror(op1.str(), op2.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::cfRor(inst, se, ap, regSize, op2);
EflagsBuilder::ofRor(inst, se, ap, regSize, op2);
}
void ShlIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
/* op2 = 8 bits register (CL) */
op2 = smt2lib::zx((regSize - BYTE_SIZE) * REG_SIZE, ap.buildSymbolicRegOperand(ID_TMP_RCX, 1));
/* Finale expr */
expr = smt2lib::bvshl(op1, op2);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfShl(inst, se, ap, regSize, op1, op2);
EflagsBuilder::ofShl(inst, se, ap, regSize, op1, op2);
EflagsBuilder::pfShl(inst, se, ap, regSize, op2);
EflagsBuilder::sfShl(inst, se, ap, regSize, op2);
EflagsBuilder::zfShl(inst, se, ap, regSize, op2);
}
void NegIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
/* Finale expr */
expr = smt2lib::bvneg(op1);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::afNeg(inst, se, ap, regSize, op1);
EflagsBuilder::cfNeg(inst, se, ap, regSize, op1);
EflagsBuilder::ofNeg(inst, se, ap, regSize, op1);
EflagsBuilder::pf(inst, se, ap, regSize);
EflagsBuilder::sf(inst, se, ap, regSize);
EflagsBuilder::zf(inst, se, ap, regSize);
}
void NegIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, cfExpr;
uint64_t reg = this->operands[0].getValue();
uint32_t regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg, regSize);
/* Finale expr */
expr << smt2lib::bvneg(op1.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::afNeg(inst, se, ap, regSize, op1);
EflagsBuilder::cfNeg(inst, se, ap, regSize, op1);
EflagsBuilder::ofNeg(inst, se, ap, regSize, op1);
EflagsBuilder::pf(inst, se, ap);
EflagsBuilder::sf(inst, se, ap, regSize);
EflagsBuilder::zf(inst, se, ap, regSize);
}
void OrIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
auto reg1 = this->operands[0].getReg();
auto reg2 = this->operands[1].getReg();
auto regSize1 = this->operands[0].getReg().getSize();
auto regSize2 = this->operands[1].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg1, regSize1);
op2 = ap.buildSymbolicRegOperand(reg2, regSize2);
/* Final expr */
expr = smt2lib::bvor(op1, op2);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg2);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::clearFlag(inst, ap, ID_TMP_CF, "Clears carry flag");
EflagsBuilder::clearFlag(inst, ap, ID_TMP_OF, "Clears overflow flag");
EflagsBuilder::pf(inst, se, ap, regSize1);
EflagsBuilder::sf(inst, se, ap, regSize1);
EflagsBuilder::zf(inst, se, ap, regSize1);
}
void SarIRBuilder::regImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
uint64 reg = this->operands[0].getValue();
uint64 imm = this->operands[1].getValue();
uint32 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
op2 = smt2lib::bv(imm, regSize * REG_SIZE);
/* Finale expr */
expr = smt2lib::bvashr(op1, op2);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfSar(inst, se, ap, regSize, op1, op2);
EflagsBuilder::ofSar(inst, se, ap, regSize, op2);
EflagsBuilder::pfShl(inst, se, ap, regSize, op2); /* Same that shl */
EflagsBuilder::sfShl(inst, se, ap, regSize, op2); /* Same that shl */
EflagsBuilder::zfShl(inst, se, ap, regSize, op2); /* Same that shl */
}
void BswapIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto reg = this->operands[0].getReg().getTritonRegId();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
std::list<smt2lib::smtAstAbstractNode *> bytes;
switch (regSize) {
case QWORD_SIZE:
bytes.push_front(smt2lib::extract(63, 56, op1));
bytes.push_front(smt2lib::extract(55, 48, op1));
bytes.push_front(smt2lib::extract(47, 40, op1));
bytes.push_front(smt2lib::extract(39, 32, op1));
case DWORD_SIZE:
bytes.push_front(smt2lib::extract(31, 24, op1));
bytes.push_front(smt2lib::extract(23, 16, op1));
bytes.push_front(smt2lib::extract(15, 8, op1));
bytes.push_front(smt2lib::extract(7, 0, op1));
break;
default:
throw std::runtime_error("Error: BswapIRBuilder::reg() - Invalid register size");
}
/* Finale expr */
expr = smt2lib::concat(bytes);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
}
void CdqeIRBuilder::none(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1;
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(ID_RAX, REG_SIZE, 31, 0);
/* Finale expr */
expr << smt2lib::sx(op1.str(), 32);
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, ID_RAX, REG_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_RAX, ID_RAX);
}
void CbwIRBuilder::none(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(ID_TMP_RAX, REG_SIZE, 8, 0);
/* Finale expr */
expr = smt2lib::sx(8, op1);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, ID_TMP_RAX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, ID_TMP_RAX);
}
void NotIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1;
uint64_t reg = this->operands[0].getValue();
uint32_t regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg, regSize);
/* Finale expr */
expr << smt2lib::bvnot(op1.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
}
void NotIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto reg = this->operands[0].getReg().getTritonRegId();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
/* Finale expr */
expr = smt2lib::bvnot(op1);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg, reg);
}
void ImulIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2, op3;
uint64 reg1 = this->operands[0].getValue();
uint32 regSize1 = this->operands[0].getSize();
uint64 reg2 = this->operands[1].getValue();
uint32 regSize2 = this->operands[1].getSize();
uint64 imm = 0;
if (this->operands[2].getType() == IRBuilderOperand::IMM)
imm = this->operands[2].getValue();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg1, regSize1);
op2 << ap.buildSymbolicRegOperand(reg2, regSize2);
op3 << smt2lib::bv(imm, regSize2 * REG_SIZE);
/* Finale expr */
if (imm == 0)
expr << smt2lib::extract(regSize1,
smt2lib::bvmul(
smt2lib::sx(op1.str(), regSize1 * REG_SIZE),
smt2lib::sx(op2.str(), regSize2 * REG_SIZE)
)
);
else
expr << smt2lib::extract(regSize1,
smt2lib::bvmul(
smt2lib::sx(op2.str(), regSize1 * REG_SIZE),
smt2lib::sx(op3.str(), regSize2 * REG_SIZE)
)
);
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg2);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::cfImul(inst, se, ap, regSize1, op1);
EflagsBuilder::ofImul(inst, se, ap, regSize1, op1);
EflagsBuilder::sf(inst, se, ap, regSize1);
}
void RcrIRBuilder::regImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se1, *se2;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *cf, *res;
uint64 reg = this->operands[0].getValue();
uint64 imm = this->operands[1].getValue();
uint32 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_CF);
op1 = ap.buildSymbolicRegOperand(reg, regSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(imm);
/* Rcl expression */
expr = smt2lib::bvror(
op2,
smt2lib::concat(cf, op1)
);
/* Temporary extended expression */
se1 = ap.createSE(inst, expr, "Temporary Extended Expression");
/* Apply the taint */
ap.assignmentSpreadTaintExprReg(se1, reg);
/* Result expression */
res = smt2lib::extract((regSize * REG_SIZE) - 1, 0, expr);
/* Create the symbolic expression for the result */
se2 = ap.createRegSE(inst, res, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se2, reg, reg);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRcl(inst, se1, ap, regSize, op2); /* Same as RCL */
EflagsBuilder::ofRor(inst, se2, ap, regSize, op2); /* Same as ROR */
}
void AndnpsIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint64 reg1 = this->operands[0].getValue();
uint64 reg2 = this->operands[1].getValue();
uint32 regSize1 = this->operands[0].getSize();
uint32 regSize2 = this->operands[1].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg1, regSize1);
op2 << ap.buildSymbolicRegOperand(reg2, regSize2);
// Final expr
expr << smt2lib::bvand(smt2lib::bvnot(op1.str()), op2.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg2);
}
void AndnpsIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
auto reg1 = this->operands[0].getReg();
auto reg2 = this->operands[1].getReg();
auto regSize1 = this->operands[0].getReg().getSize();
auto regSize2 = this->operands[1].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg1, regSize1);
op2 = ap.buildSymbolicRegOperand(reg2, regSize2);
// Final expr
expr = smt2lib::bvand(smt2lib::bvnot(op1), op2);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg2);
}
void RclIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se1, *se2;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *cf, *res;
auto reg1 = this->operands[0].getReg();
auto regSize1 = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_TMP_CF);
op1 = ap.buildSymbolicRegOperand(reg1, regSize1);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(ap.getRegisterValue(ID_TMP_RCX) & 0xff); /* 0xff -> There is only CL available */
/* Rcl expression */
expr = smt2lib::bvrol(
op2,
smt2lib::concat(cf, op1)
);
/* Temporary extended expression */
se1 = ap.createSE(inst, expr, "Temporary Extended Expression");
/* Apply the taint */
ap.assignmentSpreadTaintExprReg(se1, reg1);
/* Result expression */
res = smt2lib::extract((regSize1 * REG_SIZE) - 1, 0, expr);
/* Create the symbolic expression */
se2 = ap.createRegSE(inst, res, reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se2, reg1, reg1);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRcl(inst, se1, ap, regSize1, op2);
EflagsBuilder::ofRol(inst, se2, ap, regSize1, op2); /* Same as ROL */
}
void MulIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *rax, *rdx;
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(ID_TMP_RAX, regSize);
op2 = ap.buildSymbolicRegOperand(reg, regSize);
switch (regSize) {
/* AX = AL * r/m8 */
case BYTE_SIZE:
/* Final expr */
expr = smt2lib::bvmul(
smt2lib::zx(BYTE_SIZE_BIT, op1),
smt2lib::zx(BYTE_SIZE_BIT, op2)
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, ID_TMP_RAX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg);
/* Add the symbolic flags expression to the current inst */
rax = smt2lib::extract((WORD_SIZE_BIT - 1), BYTE_SIZE_BIT, expr);
EflagsBuilder::cfMul(inst, se, ap, regSize, rax);
EflagsBuilder::ofMul(inst, se, ap, regSize, rax);
break;
/* DX:AX = AX * r/m16 */
case WORD_SIZE:
/* Final expr */
expr = smt2lib::bvmul(
smt2lib::zx(WORD_SIZE_BIT, op1),
smt2lib::zx(WORD_SIZE_BIT, op2)
);
rax = smt2lib::extract((WORD_SIZE_BIT - 1), 0, expr);
rdx = smt2lib::extract((DWORD_SIZE_BIT - 1), WORD_SIZE_BIT, expr);
/* Create the symbolic expression for AX */
se = ap.createRegSE(inst, rax, ID_TMP_RAX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg);
/* Create the symbolic expression for DX */
se = ap.createRegSE(inst, rdx, ID_TMP_RDX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RDX, reg);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfMul(inst, se, ap, regSize, rdx);
EflagsBuilder::ofMul(inst, se, ap, regSize, rdx);
break;
/* EDX:EAX = EAX * r/m32 */
case DWORD_SIZE:
/* Final expr */
expr = smt2lib::bvmul(
smt2lib::zx(DWORD_SIZE_BIT, op1),
smt2lib::zx(DWORD_SIZE_BIT, op2)
);
rax = smt2lib::extract((DWORD_SIZE_BIT - 1), 0, expr);
rdx = smt2lib::extract((QWORD_SIZE_BIT - 1), DWORD_SIZE_BIT, expr);
/* Create the symbolic expression for EAX */
se = ap.createRegSE(inst, rax, ID_TMP_RAX, DWORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg);
/* Create the symbolic expression for EDX */
se = ap.createRegSE(inst, rdx, ID_TMP_RDX, DWORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RDX, reg);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfMul(inst, se, ap, regSize, rdx);
EflagsBuilder::ofMul(inst, se, ap, regSize, rdx);
break;
/* RDX:RAX = RAX * r/m64 */
case QWORD_SIZE:
/* Final expr */
expr = smt2lib::bvmul(
smt2lib::zx(QWORD_SIZE_BIT, op1),
smt2lib::zx(QWORD_SIZE_BIT, op2)
);
rax = smt2lib::extract((QWORD_SIZE_BIT - 1), 0, expr);
rdx = smt2lib::extract((DQWORD_SIZE_BIT - 1), QWORD_SIZE_BIT, expr);
/* Create the symbolic expression for RAX */
se = ap.createRegSE(inst, rax, ID_TMP_RAX, QWORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg);
/* Create the symbolic expression for RDX */
se = ap.createRegSE(inst, rdx, ID_TMP_RDX, QWORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_TMP_RDX, reg);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfMul(inst, se, ap, regSize, rdx);
EflagsBuilder::ofMul(inst, se, ap, regSize, rdx);
break;
}
}
void ImulIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *op3;
uint64 imm = 0;
auto reg1 = this->operands[0].getReg();
auto regSize1 = this->operands[0].getReg().getSize();
auto reg2 = this->operands[1].getReg();
auto regSize2 = this->operands[1].getReg().getSize();
if (this->operands[2].getType() == IRBuilderOperand::IMM)
imm = this->operands[2].getImm().getValue();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg1, regSize1);
op2 = ap.buildSymbolicRegOperand(reg2, regSize2);
op3 = smt2lib::bv(imm, regSize2 * REG_SIZE);
/* Case 1 */
if (this->operands[0].isReadOnly()) {
/* Expr */
expr = smt2lib::bvmul(
smt2lib::sx(regSize2 * REG_SIZE, op2),
smt2lib::sx(regSize1 * REG_SIZE, op1)
);
switch (regSize1) {
case BYTE_SIZE:
/* RAX */
se = ap.createRegSE(inst, smt2lib::extract(WORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, WORD_SIZE);
ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg2);
break;
case WORD_SIZE:
/* RDX */
se = ap.createRegSE(inst, smt2lib::extract(DWORD_SIZE_BIT - 1, WORD_SIZE_BIT, expr), ID_TMP_RDX, WORD_SIZE);
ap.aluSpreadTaintRegReg(se, ID_TMP_RDX, reg2);
/* RAX */
se = ap.createRegSE(inst, smt2lib::extract(WORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, WORD_SIZE);
ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg2);
break;
case DWORD_SIZE:
/* RDX */
se = ap.createRegSE(inst, smt2lib::extract(QWORD_SIZE_BIT - 1, DWORD_SIZE_BIT, expr), ID_TMP_RDX, DWORD_SIZE);
ap.aluSpreadTaintRegReg(se, ID_TMP_RDX, reg2);
/* RAX */
se = ap.createRegSE(inst, smt2lib::extract(DWORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, DWORD_SIZE);
ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg2);
break;
case QWORD_SIZE:
/* RDX */
se = ap.createRegSE(inst, smt2lib::extract(DQWORD_SIZE_BIT - 1, QWORD_SIZE_BIT, expr), ID_TMP_RDX, QWORD_SIZE);
ap.aluSpreadTaintRegReg(se, ID_TMP_RDX, reg2);
/* RAX */
se = ap.createRegSE(inst, smt2lib::extract(QWORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, QWORD_SIZE);
ap.aluSpreadTaintRegReg(se, ID_TMP_RAX, reg2);
break;
default:
throw std::runtime_error("ImulIRBuilder::reg - Invalid operand size");
}
}
/* Case 2 */
else if (this->operands[0].isReadAndWrite()) {
/* Expr */
expr = smt2lib::bvmul(
smt2lib::sx(regSize1 * REG_SIZE, op1),
smt2lib::sx(regSize2 * REG_SIZE, op2)
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, smt2lib::extract((regSize1 * REG_SIZE) - 1, 0, expr), reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg2);
}
/* Case 3 */
else if (this->operands[0].isWriteOnly()) {
/* Expr */
expr = smt2lib::bvmul(
smt2lib::sx(regSize2 * REG_SIZE, op2),
smt2lib::sx(regSize2 * REG_SIZE, op3)
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, smt2lib::extract((regSize1 * REG_SIZE) - 1, 0, expr), reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, reg1, reg2);
}
else {
throw std::runtime_error("ImulIRBuilder::regReg - Invalid operand");
}
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfImul(inst, se, ap, regSize1, expr);
EflagsBuilder::ofImul(inst, se, ap, regSize1, expr);
EflagsBuilder::sf(inst, se, ap, regSize1);
}
void DivIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *result, *dividend, *divisor, *mod;
auto reg = this->operands[0].getReg().getTritonRegId();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
divisor = ap.buildSymbolicRegOperand(reg, regSize);
switch (regSize) {
case BYTE_SIZE:
/* AX */
dividend = ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE);
/* res = AX / Source */
result = smt2lib::bvudiv(dividend, smt2lib::zx(BYTE_SIZE_BIT, divisor));
/* mod = AX % Source */
mod = smt2lib::bvurem(dividend, smt2lib::zx(BYTE_SIZE_BIT, divisor));
/* AH = mod */
/* AL = res */
expr = smt2lib::concat(
smt2lib::extract(7, 0, mod), /* AH = mod */
smt2lib::extract(7, 0, result) /* AL = res */
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, ID_RAX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_RAX, reg);
break;
case WORD_SIZE:
/* DX:AX */
dividend = smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, WORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE));
/* res = DX:AX / Source */
result = smt2lib::extract(15, 0, smt2lib::bvudiv(dividend, smt2lib::zx(WORD_SIZE_BIT, divisor)));
/* mod = DX:AX % Source */
mod = smt2lib::extract(15, 0, smt2lib::bvurem(dividend, smt2lib::zx(WORD_SIZE_BIT, divisor)));
/* Create the symbolic expression for AX */
se = ap.createRegSE(inst, result, ID_RAX, WORD_SIZE);
/* Apply the taint for AX */
ap.aluSpreadTaintRegReg(se, ID_RAX, reg);
/* Create the symbolic expression for DX */
se = ap.createRegSE(inst, mod, ID_RDX, WORD_SIZE);
/* Apply the taint for DX */
ap.aluSpreadTaintRegReg(se, ID_RDX, reg);
break;
case DWORD_SIZE:
/* EDX:EAX */
dividend = smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, DWORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, DWORD_SIZE));
/* res = EDX:EAX / Source */
result = smt2lib::extract(31, 0, smt2lib::bvudiv(dividend, smt2lib::zx(DWORD_SIZE_BIT, divisor)));
/* mod = EDX:EAX % Source */
mod = smt2lib::extract(31, 0, smt2lib::bvurem(dividend, smt2lib::zx(DWORD_SIZE_BIT, divisor)));
/* Create the symbolic expression for EAX */
se = ap.createRegSE(inst, result, ID_RAX, DWORD_SIZE);
/* Apply the taint for EAX */
ap.aluSpreadTaintRegReg(se, ID_RAX, reg);
/* Create the symbolic expression for EDX */
se = ap.createRegSE(inst, mod, ID_RDX, DWORD_SIZE);
/* Apply the taint for EDX */
ap.aluSpreadTaintRegReg(se, ID_RDX, reg);
break;
case QWORD_SIZE:
/* RDX:RAX */
dividend = smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, QWORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, QWORD_SIZE));
/* res = RDX:RAX / Source */
result = smt2lib::extract(63, 0, smt2lib::bvudiv(dividend, smt2lib::zx(QWORD_SIZE_BIT, divisor)));
/* mod = RDX:RAX % Source */
mod = smt2lib::extract(63, 0, smt2lib::bvurem(dividend, smt2lib::zx(QWORD_SIZE_BIT, divisor)));
/* Create the symbolic expression for RAX */
se = ap.createRegSE(inst, result, ID_RAX, QWORD_SIZE);
/* Apply the taint for RAX */
ap.aluSpreadTaintRegReg(se, ID_RAX, reg);
/* Create the symbolic expression for RDX */
se = ap.createRegSE(inst, mod, ID_RDX, QWORD_SIZE);
/* Apply the taint for RDX */
ap.aluSpreadTaintRegReg(se, ID_RDX, reg);
break;
}
}
void IdivIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, result, dividend, divisor, mod;
uint64 reg = this->operands[0].getValue();
uint32 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
divisor << ap.buildSymbolicRegOperand(reg, regSize);
switch (regSize) {
case BYTE_SIZE:
/* AX */
dividend << ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE);
/* res = AX / Source */
result << smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), BYTE_SIZE_BIT));
/* mod = AX % Source */
mod << smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), BYTE_SIZE_BIT));
/* AH = mod */
/* AL = res */
expr << smt2lib::concat(
smt2lib::extract(7, 0, mod.str()), /* AH = mod */
smt2lib::extract(7, 0, result.str()) /* AL = res */
);
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, ID_RAX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegReg(se, ID_RAX, reg);
break;
case WORD_SIZE:
/* DX:AX */
dividend << smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, WORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE));
/* res = DX:AX / Source */
result << smt2lib::extract(15, 0, smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), WORD_SIZE_BIT)));
/* mod = DX:AX % Source */
mod << smt2lib::extract(15, 0, smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), WORD_SIZE_BIT)));
/* Create the symbolic element for AX */
se = ap.createRegSE(inst, result, ID_RAX, WORD_SIZE);
/* Apply the taint for AX */
ap.aluSpreadTaintRegReg(se, ID_RAX, reg);
/* Create the symbolic element for DX */
se = ap.createRegSE(inst, mod, ID_RDX, WORD_SIZE);
/* Apply the taint for DX */
ap.aluSpreadTaintRegReg(se, ID_RDX, reg);
break;
case DWORD_SIZE:
/* EDX:EAX */
dividend << smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, DWORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, DWORD_SIZE));
/* res = EDX:EAX / Source */
result << smt2lib::extract(31, 0, smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), DWORD_SIZE_BIT)));
/* mod = EDX:EAX % Source */
mod << smt2lib::extract(31, 0, smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), DWORD_SIZE_BIT)));
/* Create the symbolic element for EAX */
se = ap.createRegSE(inst, result, ID_RAX, DWORD_SIZE);
/* Apply the taint for EAX */
ap.aluSpreadTaintRegReg(se, ID_RAX, reg);
/* Create the symbolic element for EDX */
se = ap.createRegSE(inst, mod, ID_RDX, DWORD_SIZE);
/* Apply the taint for EDX */
ap.aluSpreadTaintRegReg(se, ID_RDX, reg);
break;
case QWORD_SIZE:
/* RDX:RAX */
dividend << smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, QWORD_SIZE), ap.buildSymbolicRegOperand(ID_RDX, QWORD_SIZE));
/* res = RDX:RAX / Source */
result << smt2lib::extract(63, 0, smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), QWORD_SIZE_BIT)));
/* mod = RDX:RAX % Source */
mod << smt2lib::extract(63, 0, smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), QWORD_SIZE_BIT)));
/* Create the symbolic element for RAX */
se = ap.createRegSE(inst, result, ID_RAX, QWORD_SIZE);
/* Apply the taint for RAX */
ap.aluSpreadTaintRegReg(se, ID_RAX, reg);
/* Create the symbolic element for RDX */
se = ap.createRegSE(inst, mod, ID_RDX, QWORD_SIZE);
/* Apply the taint for RDX */
ap.aluSpreadTaintRegReg(se, ID_RDX, reg);
break;
}
}
