void BswapIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * BSWAP reg: reverses the byte order of a 32- or 64-bit register.
   * Each byte of the source is prepended to a list, low byte first, so that
   * the final concat places the original low byte in the most significant
   * position. Any other operand size is rejected.
   */
  auto reg     = this->operands[0].getReg().getTritonRegId();
  auto regSize = this->operands[0].getReg().getSize();

  /* Symbolic source operand */
  smt2lib::smtAstAbstractNode *src = ap.buildSymbolicRegOperand(reg, regSize);

  std::list<smt2lib::smtAstAbstractNode *> reversedBytes;
  auto prependByte = [&](unsigned int hi, unsigned int lo) {
    reversedBytes.push_front(smt2lib::extract(hi, lo, src));
  };

  switch (regSize) {
    case QWORD_SIZE:
      prependByte(63, 56);
      prependByte(55, 48);
      prependByte(47, 40);
      prependByte(39, 32);
      /* fall through: the low dword is handled by the DWORD case */
    case DWORD_SIZE:
      prependByte(31, 24);
      prependByte(23, 16);
      prependByte(15, 8);
      prependByte(7, 0);
      break;
    default:
      throw std::runtime_error("Error: BswapIRBuilder::reg() - Invalid register size");
  }

  /* Final expression: bytes in reversed order */
  smt2lib::smtAstAbstractNode *expr = smt2lib::concat(reversedBytes);

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, reg, regSize);

  /* The result only depends on the source register itself */
  ap.aluSpreadTaintRegReg(se, reg, reg);
}
void SetzIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
  /* SETZ reg: reg = (ZF == 1) ? 1 : 0, as an 8-bit value. */
  uint64_t reg     = this->operands[0].getValue();
  uint64_t regSize = this->operands[0].getSize();
  std::stringstream zf, regExpr, result;

  /* Symbolic flag operand */
  zf << ap.buildSymbolicFlagOperand(ID_ZF);
  /* The register operand is not part of the expression; kept because
   * buildSymbolicRegOperand may touch the symbolic state — TODO confirm */
  regExpr << ap.buildSymbolicRegOperand(reg, regSize);

  /* ite(zf == true, 1, 0) */
  result << smt2lib::ite(
              smt2lib::equal(zf.str(), smt2lib::bvtrue()),
              smt2lib::bv(1, BYTE_SIZE_BIT),
              smt2lib::bv(0, BYTE_SIZE_BIT));

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, reg, regSize);

  /* Taint via concretization: the flag only flows into reg on the taken branch */
  const bool zfSet = (ap.getFlagValue(ID_ZF) == 1);
  if (zfSet)
    ap.assignmentSpreadTaintRegReg(se, reg, ID_ZF);
}
void JnlIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JNL imm: jump if not less, i.e. SF == OF.
   * RIP = (sf == of) ? imm : address of the next instruction.
   */
  uint64 target = this->operands[0].getValue();
  std::stringstream sf, of, ripExpr;

  /* Symbolic flag operands */
  sf << ap.buildSymbolicFlagOperand(ID_SF);
  of << ap.buildSymbolicFlagOperand(ID_OF);

  /* SMT: (ite (= sf of) target next) */
  ripExpr << smt2lib::ite(
               smt2lib::equal(sf.str(), of.str()),
               smt2lib::bv(target, REG_SIZE_BIT),
               smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic element for RIP */
  SymbolicElement *se = ap.createRegSE(inst, ripExpr, ID_RIP, REG_SIZE, "RIP");

  /* A conditional branch becomes a path constraint */
  ap.addPathConstraint(se->getID());
}
void SetnleIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
  /* SETNLE reg: reg = (((SF ^ OF) | ZF) == 0) ? 1 : 0, as an 8-bit value. */
  uint64 reg     = this->operands[0].getValue();
  uint64 regSize = this->operands[0].getSize();
  std::stringstream sf, of, zf, regExpr, result;

  /* Symbolic flag operands */
  sf << ap.buildSymbolicFlagOperand(ID_SF);
  of << ap.buildSymbolicFlagOperand(ID_OF);
  zf << ap.buildSymbolicFlagOperand(ID_ZF);
  /* Not used in the expression; kept because buildSymbolicRegOperand may
   * touch the symbolic state — TODO confirm */
  regExpr << ap.buildSymbolicRegOperand(reg, regSize);

  /* ite(((sf ^ of) | zf) == false, 1, 0) */
  auto cond = smt2lib::bvor(smt2lib::bvxor(sf.str(), of.str()), zf.str());
  result << smt2lib::ite(
              smt2lib::equal(cond, smt2lib::bvfalse()),
              smt2lib::bv(1, BYTE_SIZE_BIT),
              smt2lib::bv(0, BYTE_SIZE_BIT));

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, reg, regSize);

  /* Taint via concretization: when the condition holds, the result inherits the
   * taint of the first tainted flag in the order SF, OF, ZF (ZF is the fallback). */
  auto concreteCond = (ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF);
  if (concreteCond != 0)
    return;

  if (ap.isRegTainted(ID_SF) == TAINTED)
    ap.assignmentSpreadTaintRegReg(se, reg, ID_SF);
  else if (ap.isRegTainted(ID_OF) == TAINTED)
    ap.assignmentSpreadTaintRegReg(se, reg, ID_OF);
  else
    ap.assignmentSpreadTaintRegReg(se, reg, ID_ZF);
}
void SetleIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
  /* SETLE reg: reg = (((SF ^ OF) | ZF) == 1) ? 1 : 0, as an 8-bit value. */
  uint64 reg     = this->operands[0].getValue();
  uint64 regSize = this->operands[0].getSize();

  /* Symbolic flag operands */
  smt2lib::smtAstAbstractNode *sf = ap.buildSymbolicFlagOperand(ID_SF);
  smt2lib::smtAstAbstractNode *of = ap.buildSymbolicFlagOperand(ID_OF);
  smt2lib::smtAstAbstractNode *zf = ap.buildSymbolicFlagOperand(ID_ZF);

  /* ite(((sf ^ of) | zf) == true, 1, 0) */
  smt2lib::smtAstAbstractNode *cond = smt2lib::bvor(smt2lib::bvxor(sf, of), zf);
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
      smt2lib::equal(cond, smt2lib::bvtrue()),
      smt2lib::bv(1, BYTE_SIZE_BIT),
      smt2lib::bv(0, BYTE_SIZE_BIT));

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, reg, regSize);

  /* Taint via concretization: when the condition holds, the result inherits the
   * taint of the first tainted flag in the order SF, OF, ZF (ZF is the fallback). */
  auto concreteCond = (ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF);
  if (concreteCond != 1)
    return;

  if (ap.isRegTainted(ID_SF) == TAINTED)
    ap.assignmentSpreadTaintRegReg(se, reg, ID_SF);
  else if (ap.isRegTainted(ID_OF) == TAINTED)
    ap.assignmentSpreadTaintRegReg(se, reg, ID_OF);
  else
    ap.assignmentSpreadTaintRegReg(se, reg, ID_ZF);
}
void CmovnbIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /* CMOVNB reg, mem: reg = (CF == 0) ? mem : reg. */
  uint32 readSize = this->operands[1].getSize();
  uint64 mem      = this->operands[1].getValue();
  uint64 reg      = this->operands[0].getValue();
  uint64 regSize  = this->operands[0].getSize();

  /* Symbolic operands: flag, destination register, memory source */
  smt2lib::smtAstAbstractNode *cf      = ap.buildSymbolicFlagOperand(ID_CF);
  smt2lib::smtAstAbstractNode *regExpr = ap.buildSymbolicRegOperand(reg, regSize);
  smt2lib::smtAstAbstractNode *memExpr = ap.buildSymbolicMemOperand(mem, readSize);

  /* ite(cf == false, mem, reg) */
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
      smt2lib::equal(cf, smt2lib::bvfalse()),
      memExpr,
      regExpr);

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, reg, regSize);

  /* Taint via concretization: memory taint flows into reg only if the move happens */
  const bool moved = (ap.getFlagValue(ID_CF) == 0);
  if (moved)
    ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}
void AndIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /* AND reg, mem: reg = reg & mem. CF and OF are cleared; PF, SF, ZF follow the result. */
  uint32_t readSize = this->operands[1].getSize();
  uint64_t mem      = this->operands[1].getValue();
  uint64_t reg      = this->operands[0].getValue();
  uint32_t regSize  = this->operands[0].getSize();
  std::stringstream dstExpr, srcExpr, result;

  /* Symbolic operands */
  dstExpr << ap.buildSymbolicRegOperand(reg, regSize);
  srcExpr << ap.buildSymbolicMemOperand(mem, readSize);

  /* reg & mem */
  result << smt2lib::bvand(dstExpr.str(), srcExpr.str());

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, reg, regSize);

  /* Taint: result depends on both the register and the memory read */
  ap.aluSpreadTaintRegMem(se, reg, mem, readSize);

  /* Flags */
  EflagsBuilder::clearFlag(inst, ap, ID_CF, "Clears carry flag");
  EflagsBuilder::clearFlag(inst, ap, ID_OF, "Clears overflow flag");
  EflagsBuilder::pf(inst, se, ap);
  EflagsBuilder::sf(inst, se, ap, regSize);
  EflagsBuilder::zf(inst, se, ap, regSize);
}
void RolIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * ROL reg, CL. SMT2-LIB rotations only accept a literal count, so the count
   * is the concrete value of CL (low byte of RCX), not a symbolic expression.
   */
  uint64 reg     = this->operands[0].getValue();
  uint32 regSize = this->operands[0].getSize();

  /* Symbolic value to rotate */
  smt2lib::smtAstAbstractNode *value = ap.buildSymbolicRegOperand(reg, regSize);

  /* Concrete rotate count; 0xff keeps only CL, the only encodable count register */
  smt2lib::smtAstAbstractNode *count = smt2lib::decimal(ap.getRegisterValue(ID_RCX) & 0xff);

  /* rol(count, value) */
  smt2lib::smtAstAbstractNode *expr = smt2lib::bvrol(count, value);

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, reg, regSize);

  /* Taint: the rotated register depends only on itself */
  ap.aluSpreadTaintRegReg(se, reg, reg);

  /* Flags */
  EflagsBuilder::cfRol(inst, se, ap, count);
  EflagsBuilder::ofRol(inst, se, ap, regSize, count);
}
void ShlIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /* SHL reg, CL: reg = reg << zx(CL). */
  uint64 reg     = this->operands[0].getValue();
  uint32 regSize = this->operands[0].getSize();
  std::stringstream value, count, result;

  /* Symbolic value to shift */
  value << ap.buildSymbolicRegOperand(reg, regSize);

  /* CL is 8 bits wide: zero-extend it to the width of the shifted register */
  count << smt2lib::zx(ap.buildSymbolicRegOperand(ID_RCX, 1), (regSize - 1) * REG_SIZE);

  /* value << count */
  result << smt2lib::bvshl(value.str(), count.str());

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, reg, regSize);

  /* Taint: only the shifted register is named as a source (CL is not) */
  ap.aluSpreadTaintRegReg(se, reg, reg);

  /* Flags */
  EflagsBuilder::cfShl(inst, se, ap, regSize, value, count);
  EflagsBuilder::ofShl(inst, se, ap, regSize, value, count);
  EflagsBuilder::pfShl(inst, se, ap, regSize, count);
  EflagsBuilder::sfShl(inst, se, ap, regSize, count);
  EflagsBuilder::zfShl(inst, se, ap, regSize, count);
}
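void XaddIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * XADD mem, reg. Per the ISA definition: TEMP = DEST + SRC; SRC = DEST; DEST = TEMP.
   * operands[0] is the destination (memory) and operands[1] the source (register),
   * the same convention as the other builders in this file. So the memory
   * destination receives the sum and the source register receives the old
   * destination value; the flags are those of the addition. The previous version
   * had the two results swapped (mem <- reg, reg <- mem + reg).
   */
  SymbolicExpression *se1, *se2;
  smt2lib::smtAstAbstractNode *expr1, *expr2, *op1, *op2;
  uint64 mem1     = this->operands[0].getValue();
  uint64 reg2     = this->operands[1].getValue();
  uint32 memSize1 = this->operands[0].getSize();
  uint32 regSize2 = this->operands[1].getSize();

  /* Snapshot the taint of both operands before either is overwritten */
  uint64 tmpMem1Taint = ap.isMemTainted(mem1);
  uint64 tmpReg2Taint = ap.isRegTainted(reg2);

  /* Create the SMT semantic */
  op1 = ap.buildSymbolicMemOperand(mem1, memSize1);
  op2 = ap.buildSymbolicRegOperand(reg2, regSize2);

  /* Final expr: DEST = DEST + SRC, SRC = old DEST */
  expr1 = smt2lib::bvadd(op1, op2);
  expr2 = op1;

  /* Create the symbolic expressions */
  se1 = ap.createMemSE(inst, expr1, mem1, memSize1);
  se2 = ap.createRegSE(inst, expr2, reg2, regSize2);

  /* Apply the taint: the sum is tainted if either input was; the register
   * gets the old memory taint */
  uint64 sumTaint = (tmpReg2Taint == TAINTED) ? TAINTED : tmpMem1Taint;
  ap.setTaintMem(se1, mem1, sumTaint);
  ap.setTaintReg(se2, reg2, tmpMem1Taint);

  /* Flags are defined by the addition, i.e. by the destination expression */
  EflagsBuilder::af(inst, se1, ap, memSize1, op1, op2);
  EflagsBuilder::cfAdd(inst, se1, ap, memSize1, op1);
  EflagsBuilder::ofAdd(inst, se1, ap, memSize1, op1, op2);
  EflagsBuilder::pf(inst, se1, ap, memSize1);
  EflagsBuilder::sf(inst, se1, ap, memSize1);
  EflagsBuilder::zf(inst, se1, ap, memSize1);
}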
void RolIRBuilder::regImm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * ROL reg, imm. SMT2-LIB rotations only accept a literal count, so the
   * immediate is emitted as a decimal literal rather than a bitvector operand.
   */
  uint64 reg     = this->operands[0].getValue();
  uint64 imm     = this->operands[1].getValue();
  uint32 regSize = this->operands[0].getSize();

  /* Symbolic value to rotate */
  smt2lib::smtAstAbstractNode *value = ap.buildSymbolicRegOperand(reg, regSize);

  /* Literal rotate count */
  smt2lib::smtAstAbstractNode *count = smt2lib::decimal(imm);

  /* rol(count, value) */
  smt2lib::smtAstAbstractNode *expr = smt2lib::bvrol(count, value);

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, reg, regSize);

  /* Taint: the rotated register depends only on itself */
  ap.aluSpreadTaintRegReg(se, reg, reg);

  /* Flags */
  EflagsBuilder::cfRol(inst, se, ap, count);
  EflagsBuilder::ofRol(inst, se, ap, regSize, count);
}
void RorIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * ROR reg, CL. SMT2-LIB rotations only accept a literal count, so the count
   * is the concrete value of CL (low byte of RCX), not a symbolic expression.
   */
  uint64 reg     = this->operands[0].getValue();
  uint32 regSize = this->operands[0].getSize();
  std::stringstream value, count, result;

  /* Symbolic value to rotate */
  value << ap.buildSymbolicRegOperand(reg, regSize);

  /* Concrete rotate count; 0xff keeps only CL, the only encodable count register */
  count << (ap.getRegisterValue(ID_RCX) & 0xff);

  /* ror(value, count) */
  result << smt2lib::bvror(value.str(), count.str());

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, reg, regSize);

  /* Taint: the rotated register depends only on itself */
  ap.aluSpreadTaintRegReg(se, reg, reg);

  /* Flags */
  EflagsBuilder::cfRor(inst, se, ap, regSize, count);
  EflagsBuilder::ofRor(inst, se, ap, regSize, count);
}
void RorIRBuilder::regImm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * ROR reg, imm. SMT2-LIB rotations only accept a literal count, so the
   * immediate is written out as a plain number rather than a bitvector.
   */
  uint64 reg     = this->operands[0].getValue();
  uint64 imm     = this->operands[1].getValue();
  uint32 regSize = this->operands[0].getSize();
  std::stringstream value, count, result;

  /* Symbolic value to rotate */
  value << ap.buildSymbolicRegOperand(reg, regSize);

  /* Literal rotate count */
  count << imm;

  /* ror(value, count) */
  result << smt2lib::bvror(value.str(), count.str());

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, reg, regSize);

  /* Taint: the rotated register depends only on itself */
  ap.aluSpreadTaintRegReg(se, reg, reg);

  /* Flags */
  EflagsBuilder::cfRor(inst, se, ap, regSize, count);
  EflagsBuilder::ofRor(inst, se, ap, regSize, count);
}
void CmovnbeIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /* CMOVNBE reg1, reg2: reg1 = (CF == 0 && ZF == 0) ? reg2 : reg1. */
  uint64 dst     = this->operands[0].getValue();
  uint64 src     = this->operands[1].getValue();
  uint64 dstSize = this->operands[0].getSize();
  uint64 srcSize = this->operands[1].getSize();
  std::stringstream cf, zf, dstExpr, srcExpr, result;

  /* Symbolic operands */
  cf << ap.buildSymbolicFlagOperand(ID_CF);
  zf << ap.buildSymbolicFlagOperand(ID_ZF);
  dstExpr << ap.buildSymbolicRegOperand(dst, dstSize);
  srcExpr << ap.buildSymbolicRegOperand(src, srcSize);

  /* ite((~cf & ~zf) == true, src, dst) */
  auto cond = smt2lib::bvand(smt2lib::bvnot(cf.str()), smt2lib::bvnot(zf.str()));
  result << smt2lib::ite(
              smt2lib::equal(cond, smt2lib::bvtrue()),
              srcExpr.str(),
              dstExpr.str());

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, dst, dstSize);

  /* Taint via concretization: src taint flows into dst only if the move happens */
  const bool moved = (ap.getFlagValue(ID_CF) == 0 && ap.getFlagValue(ID_ZF) == 0);
  if (moved)
    ap.assignmentSpreadTaintRegReg(se, dst, src);
}
void CmovnleIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /* CMOVNLE reg, mem: reg = (((SF ^ OF) | ZF) == 0) ? mem : reg. */
  auto mem     = this->operands[1].getMem().getAddress();
  auto memSize = this->operands[1].getMem().getSize();
  auto reg     = this->operands[0].getReg().getTritonRegId();
  auto regSize = this->operands[0].getReg().getSize();

  /* Symbolic flag operands */
  smt2lib::smtAstAbstractNode *sf = ap.buildSymbolicFlagOperand(ID_SF);
  smt2lib::smtAstAbstractNode *of = ap.buildSymbolicFlagOperand(ID_OF);
  smt2lib::smtAstAbstractNode *zf = ap.buildSymbolicFlagOperand(ID_ZF);

  /* Symbolic data operands */
  smt2lib::smtAstAbstractNode *regExpr = ap.buildSymbolicRegOperand(reg, regSize);
  smt2lib::smtAstAbstractNode *memExpr = ap.buildSymbolicMemOperand(mem, memSize);

  /* ite(((sf ^ of) | zf) == false, mem, reg) */
  smt2lib::smtAstAbstractNode *cond = smt2lib::bvor(smt2lib::bvxor(sf, of), zf);
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
      smt2lib::equal(cond, smt2lib::bvfalse()),
      memExpr,
      regExpr);

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, reg, regSize);

  /* Taint via concretization: memory taint flows into reg only if the move happens */
  auto concreteCond = (ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF);
  if (concreteCond == 0)
    ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize);
}
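void XaddIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * XADD mem, reg. Per the ISA definition: TEMP = DEST + SRC; SRC = DEST; DEST = TEMP.
   * operands[0] is the destination (memory) and operands[1] the source (register),
   * the same convention as the other builders in this file. So the memory
   * destination receives the sum and the source register receives the old
   * destination value; the flags are those of the addition. The previous version
   * had the two results swapped (mem <- reg, reg <- mem + reg).
   */
  SymbolicElement *se1, *se2;
  std::stringstream expr1, expr2, op1, op2;
  uint64_t mem1     = this->operands[0].getValue();
  uint64_t reg2     = this->operands[1].getValue();
  uint32_t memSize1 = this->operands[0].getSize();
  uint32_t regSize2 = this->operands[1].getSize();

  /* Snapshot the taint of both operands before either is overwritten */
  uint64_t tmpMem1Taint = ap.isMemTainted(mem1);
  uint64_t tmpReg2Taint = ap.isRegTainted(reg2);

  /* Create the SMT semantic */
  op1 << ap.buildSymbolicMemOperand(mem1, memSize1);
  op2 << ap.buildSymbolicRegOperand(reg2, regSize2);

  /* Final expr: DEST = DEST + SRC, SRC = old DEST */
  expr1 << smt2lib::bvadd(op1.str(), op2.str());
  expr2 << op1.str();

  /* Create the symbolic elements */
  se1 = ap.createMemSE(inst, expr1, mem1, memSize1);
  se2 = ap.createRegSE(inst, expr2, reg2, regSize2);

  /* Apply the taint: the sum is tainted if either input was; the register
   * gets the old memory taint */
  uint64_t sumTaint = (tmpReg2Taint == TAINTED) ? TAINTED : tmpMem1Taint;
  ap.setTaintMem(se1, mem1, sumTaint);
  ap.setTaintReg(se2, reg2, tmpMem1Taint);

  /* Flags are defined by the addition, i.e. by the destination element */
  EflagsBuilder::af(inst, se1, ap, memSize1, op1, op2);
  EflagsBuilder::cfAdd(inst, se1, ap, op1);
  EflagsBuilder::ofAdd(inst, se1, ap, memSize1, op1, op2);
  EflagsBuilder::pf(inst, se1, ap);
  EflagsBuilder::sf(inst, se1, ap, memSize1);
  EflagsBuilder::zf(inst, se1, ap, memSize1);
}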
void JbeIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JBE imm: jump if below or equal (CF=1 or ZF=1).
   * RIP = ((cf | zf) == true) ? imm : address of the next instruction.
   */
  uint64 target = this->operands[0].getValue();
  std::stringstream cf, zf, ripExpr;

  /* Symbolic flag operands */
  cf << ap.buildSymbolicFlagOperand(ID_CF);
  zf << ap.buildSymbolicFlagOperand(ID_ZF);

  /* SMT: (ite (= (bvor cf zf) (_ bv1 1)) target next) */
  ripExpr << smt2lib::ite(
               smt2lib::equal(smt2lib::bvor(cf.str(), zf.str()), smt2lib::bvtrue()),
               smt2lib::bv(target, REG_SIZE_BIT),
               smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic element for RIP */
  SymbolicElement *se = ap.createRegSE(inst, ripExpr, ID_RIP, REG_SIZE, "RIP");

  /* A conditional branch becomes a path constraint */
  ap.addPathConstraint(se->getID());
}
void ImulIRBuilder::regImm(AnalysisProcessor &ap, Inst &inst) const {
  /* IMUL reg, imm: signed multiply; the register receives the truncated product. */
  uint64 reg     = this->operands[0].getValue();
  uint64 imm     = this->operands[1].getValue();
  uint32 regSize = this->operands[0].getSize();
  uint32 extBits = regSize * REG_SIZE;
  std::stringstream lhs, rhs, result;

  /* Symbolic operands: register and immediate bitvector of the register width */
  lhs << ap.buildSymbolicRegOperand(reg, regSize);
  rhs << smt2lib::bv(imm, extBits);

  /* Sign-extend both operands, multiply, keep regSize of the product */
  result << smt2lib::extract(regSize,
              smt2lib::bvmul(
                smt2lib::sx(lhs.str(), extBits),
                smt2lib::sx(rhs.str(), extBits)));

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, reg, regSize);

  /* Taint: an immediate adds no taint, the register keeps its own */
  ap.aluSpreadTaintRegImm(se, reg);

  /* Flags */
  EflagsBuilder::cfImul(inst, se, ap, regSize, lhs);
  EflagsBuilder::ofImul(inst, se, ap, regSize, lhs);
  EflagsBuilder::sf(inst, se, ap, regSize);
}
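void XorIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * XOR reg, mem: reg = reg ^ mem. CF and OF are cleared; PF, SF, ZF follow the result.
   * The register width comes from the register operand (operands[0]), as in the
   * other reg/mem builders (And, Adc, Sub); the previous version read it from the
   * memory operand, which is the read size, not the destination width.
   */
  SymbolicExpression *se;
  smt2lib::smtAstAbstractNode *expr, *op1, *op2;
  uint32 readSize = this->operands[1].getSize();
  uint64 mem      = this->operands[1].getValue();
  uint64 reg      = this->operands[0].getValue();
  uint32 regSize  = this->operands[0].getSize();

  /* Create the SMT semantic */
  op1 = ap.buildSymbolicRegOperand(reg, regSize);
  op2 = ap.buildSymbolicMemOperand(mem, readSize);

  /* Final expr: reg ^ mem */
  expr = smt2lib::bvxor(op1, op2);

  /* Create the symbolic expression */
  se = ap.createRegSE(inst, expr, reg, regSize);

  /* Apply the taint: result depends on both the register and the memory read */
  ap.aluSpreadTaintRegMem(se, reg, mem, readSize);

  /* Add the symbolic flags expression to the current inst */
  EflagsBuilder::clearFlag(inst, ap, ID_CF, "Clears carry flag");
  EflagsBuilder::clearFlag(inst, ap, ID_OF, "Clears overflow flag");
  EflagsBuilder::pf(inst, se, ap, regSize);
  EflagsBuilder::sf(inst, se, ap, regSize);
  EflagsBuilder::zf(inst, se, ap, regSize);
}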
void ShrIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /* SHR reg, CL: reg = reg >> zx(CL) (logical shift). */
  auto reg     = this->operands[0].getReg().getTritonRegId();
  auto regSize = this->operands[0].getReg().getSize();

  /* Symbolic value to shift */
  smt2lib::smtAstAbstractNode *value = ap.buildSymbolicRegOperand(reg, regSize);

  /* CL is an 8-bit register: zero-extend it to the width of the shifted register */
  smt2lib::smtAstAbstractNode *count =
      smt2lib::zx((regSize - BYTE_SIZE) * REG_SIZE, ap.buildSymbolicRegOperand(ID_RCX, 1));

  /* value >> count */
  smt2lib::smtAstAbstractNode *expr = smt2lib::bvlshr(value, count);

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, reg, regSize);

  /* Taint: only the shifted register is named as a source (CL is not) */
  ap.aluSpreadTaintRegReg(se, reg, reg);

  /* Flags: CF/OF are SHR-specific, PF/SF/ZF share the SHL builders */
  EflagsBuilder::cfShr(inst, se, ap, regSize, value, count);
  EflagsBuilder::ofShr(inst, se, ap, regSize, value, count);
  EflagsBuilder::pfShl(inst, se, ap, regSize, count);
  EflagsBuilder::sfShl(inst, se, ap, regSize, count);
  EflagsBuilder::zfShl(inst, se, ap, regSize, count);
}
void SetoIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
  /* SETO reg: reg = (OF == 1) ? 1 : 0, as an 8-bit value. */
  auto reg     = this->operands[0].getReg().getTritonRegId();
  auto regSize = this->operands[0].getReg().getSize();

  /* Symbolic flag operand */
  smt2lib::smtAstAbstractNode *of = ap.buildSymbolicFlagOperand(ID_OF);

  /* ite(of == true, 1, 0) */
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
      smt2lib::equal(of, smt2lib::bvtrue()),
      smt2lib::bv(1, BYTE_SIZE_BIT),
      smt2lib::bv(0, BYTE_SIZE_BIT));

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, reg, regSize);

  /* Taint via concretization: the flag only flows into reg on the taken branch */
  const bool ofSet = (ap.getFlagValue(ID_OF) == 1);
  if (ofSet)
    ap.assignmentSpreadTaintRegReg(se, reg, ID_OF);
}
void CallIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CALL imm: push the return address (next RIP) on the stack, then RIP = imm.
   * operands[1] describes the stack slot written by the push.
   */
  uint64_t target    = this->operands[0].getValue();
  uint64_t stackSlot = this->operands[1].getValue();
  uint32_t slotSize  = this->operands[1].getSize();
  std::stringstream savedRip, newRip;

  /* Side effect first: adjust RSP for the push */
  alignStack(inst, ap, slotSize);

  /* [RSP] = return address */
  savedRip << smt2lib::bv(this->nextAddress, slotSize * REG_SIZE);
  SymbolicElement *pushSe = ap.createMemSE(inst, savedRip, stackSlot, slotSize, "Saved RIP");
  ap.assignmentSpreadTaintMemImm(pushSe, stackSlot, slotSize);

  /* RIP = target */
  newRip << smt2lib::bv(target, slotSize * REG_SIZE);
  SymbolicElement *ripSe = ap.createRegSE(inst, newRip, ID_RIP, REG_SIZE, "RIP");
  ap.assignmentSpreadTaintRegImm(ripSe, ID_RIP);
}
void CmovnleIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /* CMOVNLE reg, mem: reg = (((SF ^ OF) | ZF) == 0) ? mem : reg. */
  uint32 readSize = this->operands[1].getSize();
  uint64 mem      = this->operands[1].getValue();
  uint64 reg      = this->operands[0].getValue();
  uint64 regSize  = this->operands[0].getSize();
  std::stringstream sf, of, zf, regExpr, memExpr, result;

  /* Symbolic flag operands */
  sf << ap.buildSymbolicFlagOperand(ID_SF);
  of << ap.buildSymbolicFlagOperand(ID_OF);
  zf << ap.buildSymbolicFlagOperand(ID_ZF);

  /* Symbolic data operands */
  regExpr << ap.buildSymbolicRegOperand(reg, regSize);
  memExpr << ap.buildSymbolicMemOperand(mem, readSize);

  /* ite(((sf ^ of) | zf) == false, mem, reg) */
  auto cond = smt2lib::bvor(smt2lib::bvxor(sf.str(), of.str()), zf.str());
  result << smt2lib::ite(
              smt2lib::equal(cond, smt2lib::bvfalse()),
              memExpr.str(),
              regExpr.str());

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, reg, regSize);

  /* Taint via concretization: memory taint flows into reg only if the move happens */
  auto concreteCond = (ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF);
  if (concreteCond == 0)
    ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}
void SbbIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /* SBB reg1, reg2: reg1 = reg1 - (reg2 + CF). */
  uint64 dst     = this->operands[0].getValue();
  uint64 src     = this->operands[1].getValue();
  uint32 dstSize = this->operands[0].getSize();
  uint32 srcSize = this->operands[1].getSize();
  std::stringstream dstExpr, srcExpr, carry, result;

  /* Symbolic operands; CF is widened to the destination size for the arithmetic */
  dstExpr << ap.buildSymbolicRegOperand(dst, dstSize);
  srcExpr << ap.buildSymbolicRegOperand(src, srcSize);
  carry   << ap.buildSymbolicFlagOperand(ID_CF, dstSize);

  /* dst - (src + cf) */
  result << smt2lib::bvsub(dstExpr.str(), smt2lib::bvadd(srcExpr.str(), carry.str()));

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, dst, dstSize);

  /* Taint: both registers are sources (CF's own taint is not named here) */
  ap.aluSpreadTaintRegReg(se, dst, src);

  /* Flags of the subtraction */
  EflagsBuilder::af(inst, se, ap, dstSize, dstExpr, srcExpr);
  EflagsBuilder::cfSub(inst, se, ap, dstExpr, srcExpr);
  EflagsBuilder::ofSub(inst, se, ap, dstSize, dstExpr, srcExpr);
  EflagsBuilder::pf(inst, se, ap);
  EflagsBuilder::sf(inst, se, ap, dstSize);
  EflagsBuilder::zf(inst, se, ap, dstSize);
}
void ImulIRBuilder::regImm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * IMUL reg, imm: signed multiply. The register keeps the low (regSize * REG_SIZE)
   * bits of the extended product; the CF/OF builders look at the full product.
   */
  auto reg       = this->operands[0].getReg().getTritonRegId();
  auto imm       = this->operands[1].getImm().getValue();
  auto regSize   = this->operands[0].getReg().getSize();
  auto widthBits = regSize * REG_SIZE;   /* register width in bits; also the sx amount */

  /* Symbolic operands */
  smt2lib::smtAstAbstractNode *lhs = ap.buildSymbolicRegOperand(reg, regSize);
  smt2lib::smtAstAbstractNode *rhs = smt2lib::bv(imm, widthBits);

  /* Extended signed product */
  smt2lib::smtAstAbstractNode *product = smt2lib::bvmul(
      smt2lib::sx(widthBits, lhs),
      smt2lib::sx(widthBits, rhs));

  /* Create the symbolic expression from the truncated product */
  SymbolicExpression *se = ap.createRegSE(inst, smt2lib::extract(widthBits - 1, 0, product), reg, regSize);

  /* Taint: an immediate adds no taint, the register keeps its own */
  ap.aluSpreadTaintRegImm(se, reg);

  /* Flags */
  EflagsBuilder::cfImul(inst, se, ap, regSize, product);
  EflagsBuilder::ofImul(inst, se, ap, regSize, product);
  EflagsBuilder::sf(inst, se, ap, regSize);
}
void SubIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /* SUB reg, mem: reg = reg - mem, with the usual arithmetic flags. */
  auto memOp   = this->operands[1].getMem();
  auto memSize = this->operands[1].getMem().getSize();
  auto regOp   = this->operands[0].getReg();
  auto regSize = this->operands[0].getReg().getSize();

  /* Symbolic operands */
  smt2lib::smtAstAbstractNode *lhs = ap.buildSymbolicRegOperand(regOp, regSize);
  smt2lib::smtAstAbstractNode *rhs = ap.buildSymbolicMemOperand(memOp, memSize);

  /* reg - mem */
  smt2lib::smtAstAbstractNode *expr = smt2lib::bvsub(lhs, rhs);

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, regOp, regSize);

  /* Taint: result depends on both the register and the memory read */
  ap.aluSpreadTaintRegMem(se, regOp, memOp, memSize);

  /* Flags of the subtraction */
  EflagsBuilder::af(inst, se, ap, regSize, lhs, rhs);
  EflagsBuilder::cfSub(inst, se, ap, regSize, lhs, rhs);
  EflagsBuilder::ofSub(inst, se, ap, regSize, lhs, rhs);
  EflagsBuilder::pf(inst, se, ap, regSize);
  EflagsBuilder::sf(inst, se, ap, regSize);
  EflagsBuilder::zf(inst, se, ap, regSize);
}
void JlIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JL imm: jump if less (SF != OF, i.e. SF ^ OF == 1).
   * RIP = ((sf ^ of) == true) ? imm : address of the next instruction.
   */
  auto target = this->operands[0].getImm().getValue();

  /* Symbolic flag operands */
  smt2lib::smtAstAbstractNode *sf = ap.buildSymbolicFlagOperand(ID_SF);
  smt2lib::smtAstAbstractNode *of = ap.buildSymbolicFlagOperand(ID_OF);

  /* SMT: (ite (= (bvxor sf of) true) target next) */
  smt2lib::smtAstAbstractNode *ripExpr = smt2lib::ite(
      smt2lib::equal(smt2lib::bvxor(sf, of), smt2lib::bvtrue()),
      smt2lib::bv(target, REG_SIZE_BIT),
      smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic expression for RIP */
  SymbolicExpression *se = ap.createRegSE(inst, ripExpr, ID_RIP, REG_SIZE, "RIP");

  /* A conditional branch becomes a path constraint */
  ap.addPathConstraint(se->getID());
}
void AdcIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /* ADC reg, mem: reg = reg + mem + CF. */
  uint32 readSize = this->operands[1].getSize();
  uint64 mem      = this->operands[1].getValue();
  uint64 reg      = this->operands[0].getValue();
  uint32 regSize  = this->operands[0].getSize();
  std::stringstream dstExpr, srcExpr, carry, result;

  /* Symbolic operands; CF is widened to the register size for the arithmetic */
  dstExpr << ap.buildSymbolicRegOperand(reg, regSize);
  srcExpr << ap.buildSymbolicMemOperand(mem, readSize);
  carry   << ap.buildSymbolicFlagOperand(ID_CF, regSize);

  /* (reg + mem) + cf */
  result << smt2lib::bvadd(smt2lib::bvadd(dstExpr.str(), srcExpr.str()), carry.str());

  /* Create the symbolic element */
  SymbolicElement *se = ap.createRegSE(inst, result, reg, regSize);

  /* Taint: register and memory are sources (CF's own taint is not named here) */
  ap.aluSpreadTaintRegMem(se, reg, mem, readSize);

  /* Flags of the addition */
  EflagsBuilder::af(inst, se, ap, regSize, dstExpr, srcExpr);
  EflagsBuilder::cfAdd(inst, se, ap, dstExpr);
  EflagsBuilder::ofAdd(inst, se, ap, regSize, dstExpr, srcExpr);
  EflagsBuilder::pf(inst, se, ap);
  EflagsBuilder::sf(inst, se, ap, regSize);
  EflagsBuilder::zf(inst, se, ap, regSize);
}
void JnbeIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JNBE imm: jump if not below or equal (CF=0 and ZF=0).
   * RIP = ((~cf & ~zf) == true) ? imm : address of the next instruction.
   */
  uint64 target = this->operands[0].getValue();

  /* Symbolic flag operands */
  smt2lib::smtAstAbstractNode *cf = ap.buildSymbolicFlagOperand(ID_CF);
  smt2lib::smtAstAbstractNode *zf = ap.buildSymbolicFlagOperand(ID_ZF);

  /* SMT: (ite (= (bvand (bvnot cf) (bvnot zf)) (_ bv1 1)) target next) */
  smt2lib::smtAstAbstractNode *cond = smt2lib::bvand(smt2lib::bvnot(cf), smt2lib::bvnot(zf));
  smt2lib::smtAstAbstractNode *ripExpr = smt2lib::ite(
      smt2lib::equal(cond, smt2lib::bvtrue()),
      smt2lib::bv(target, REG_SIZE_BIT),
      smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  /* Create the symbolic expression for RIP */
  SymbolicExpression *se = ap.createRegSE(inst, ripExpr, ID_RIP, REG_SIZE, "RIP");

  /* A conditional branch becomes a path constraint */
  ap.addPathConstraint(se->getID());
}
void OrIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /* OR reg1, reg2: reg1 = reg1 | reg2. CF and OF are cleared; PF, SF, ZF follow the result. */
  auto dst     = this->operands[0].getReg();
  auto src     = this->operands[1].getReg();
  auto dstSize = this->operands[0].getReg().getSize();
  auto srcSize = this->operands[1].getReg().getSize();

  /* Symbolic operands */
  smt2lib::smtAstAbstractNode *lhs = ap.buildSymbolicRegOperand(dst, dstSize);
  smt2lib::smtAstAbstractNode *rhs = ap.buildSymbolicRegOperand(src, srcSize);

  /* reg1 | reg2 */
  smt2lib::smtAstAbstractNode *expr = smt2lib::bvor(lhs, rhs);

  /* Create the symbolic expression */
  SymbolicExpression *se = ap.createRegSE(inst, expr, dst, dstSize);

  /* Taint: both registers are sources */
  ap.aluSpreadTaintRegReg(se, dst, src);

  /* Flags. NOTE(review): the cleared flags are addressed as ID_TMP_CF / ID_TMP_OF
   * while the sibling And/Xor builders use ID_CF / ID_OF — confirm this is intended. */
  EflagsBuilder::clearFlag(inst, ap, ID_TMP_CF, "Clears carry flag");
  EflagsBuilder::clearFlag(inst, ap, ID_TMP_OF, "Clears overflow flag");
  EflagsBuilder::pf(inst, se, ap, dstSize);
  EflagsBuilder::sf(inst, se, ap, dstSize);
  EflagsBuilder::zf(inst, se, ap, dstSize);
}