void CmovnsIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, reg1e, mem1e, sf;
uint32_t readSize = this->operands[1].getSize();
uint64_t mem = this->operands[1].getValue();
uint64_t reg = this->operands[0].getValue();
uint64_t regSize = this->operands[0].getSize();
/* Create the SMT semantic */
sf << ap.buildSymbolicFlagOperand(ID_SF);
reg1e << ap.buildSymbolicRegOperand(reg, regSize);
mem1e << ap.buildSymbolicMemOperand(mem, readSize);
expr << smt2lib::ite(
smt2lib::equal(
sf.str(),
smt2lib::bvfalse()),
mem1e.str(),
reg1e.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_SF) == 0)
ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}
void LeaveIRBuilder::none(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se1, *se2;
std::stringstream expr1, expr2;
uint64 readMem = this->operands[0].getValue(); // The src memory read
uint32 readSize = this->operands[0].getSize();
// RSP = RBP; -----------------------------
expr1 << ap.buildSymbolicRegOperand(ID_RBP, REG_SIZE);
/* Create the symbolic element */
se1 = ap.createRegSE(inst, expr1, ID_RSP, REG_SIZE);
/* Apply the taint */
ap.assignmentSpreadTaintRegReg(se1, ID_RSP, ID_RBP);
// RSP = RBP; -----------------------------
// RBP = Pop(); ---------------------------
expr2 << ap.buildSymbolicMemOperand(readMem, readSize);
/* Create the symbolic element */
se2 = ap.createRegSE(inst, expr2, ID_RBP, REG_SIZE);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se2, ID_RBP, readMem, readSize);
// RBP = Pop(); ---------------------------
/* Add the symbolic element to the current inst */
alignStack(inst, ap, readSize);
}
void CmovlIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *reg1e, *mem1e, *sf, *of;
auto memSize = this->operands[1].getMem().getSize();
auto mem = this->operands[1].getMem();
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
/* Create the flag SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_TMP_SF);
of = ap.buildSymbolicFlagOperand(ID_TMP_OF);
reg1e = ap.buildSymbolicRegOperand(reg, regSize);
mem1e = ap.buildSymbolicMemOperand(mem, memSize);
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvxor(sf, of),
smt2lib::bvtrue()),
mem1e,
reg1e);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_TMP_SF) ^ ap.getFlagValue(ID_TMP_OF))
ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize);
}
void CmovnbIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *reg1e, *mem1e, *cf;
uint32 readSize = this->operands[1].getSize();
uint64 mem = this->operands[1].getValue();
uint64 reg = this->operands[0].getValue();
uint64 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_CF);
reg1e = ap.buildSymbolicRegOperand(reg, regSize);
mem1e = ap.buildSymbolicMemOperand(mem, readSize);
expr = smt2lib::ite(
smt2lib::equal(
cf,
smt2lib::bvfalse()),
mem1e,
reg1e);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_CF) == 0)
ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}
void MovdqaIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr;
auto memSize = this->operands[1].getMem().getSize();
auto mem = this->operands[1].getMem();
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
expr = ap.buildSymbolicMemOperand(mem, memSize);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize);
}
void MovIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr;
uint32_t readSize = this->operands[1].getSize();
uint64_t mem = this->operands[1].getValue();
uint64_t reg = this->operands[0].getValue();
uint64_t regSize = this->operands[0].getSize();
/* Create the SMT semantic */
expr << ap.buildSymbolicMemOperand(mem, readSize);
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}
void MovzxIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto memSize = this->operands[1].getMem().getSize();
auto mem = this->operands[1].getMem().getAddress();
auto reg = this->operands[0].getReg().getTritonRegId();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicMemOperand(mem, memSize);
/* Final expr */
expr = smt2lib::zx((regSize * REG_SIZE) - (memSize * REG_SIZE), op1);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize);
}
void RetIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1;
uint64_t memSrc = this->operands[0].getValue(); // The dst memory read
uint32_t readSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(memSrc, readSize);
/* Finale expr */
expr << op1.str();
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, ID_RIP, memSrc, readSize);
/* Create the SMT semantic side effect */
alignStack(inst, ap);
}
void MovlpdIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
auto memSize = this->operands[1].getMem().getSize();
auto mem = this->operands[1].getMem().getAddress();
auto reg = this->operands[0].getReg().getTritonRegId();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
op2 = ap.buildSymbolicMemOperand(mem, memSize);
expr = smt2lib::concat(
smt2lib::extract(127, 64, op1), /* Destination[64..127] unchanged */
smt2lib::extract(63, 0, op2) /* Destination[0..63] = Source */
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize);
}
void MovhpdIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint32 readSize = this->operands[1].getSize();
uint64 mem = this->operands[1].getValue();
uint64 reg = this->operands[0].getValue();
uint64 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg, regSize);
op2 << ap.buildSymbolicMemOperand(mem, readSize);
expr << smt2lib::concat(
smt2lib::extract(63, 0, op2.str()), /* Destination[64..127] = Source */
smt2lib::extract(63, 0, op1.str()) /* Destination[0..63] unchanged */
);
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}
