void CmovlIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *reg1e, *mem1e, *sf, *of;
auto memSize = this->operands[1].getMem().getSize();
auto mem = this->operands[1].getMem();
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
/* Create the flag SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_TMP_SF);
of = ap.buildSymbolicFlagOperand(ID_TMP_OF);
reg1e = ap.buildSymbolicRegOperand(reg, regSize);
mem1e = ap.buildSymbolicMemOperand(mem, memSize);
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvxor(sf, of),
smt2lib::bvtrue()),
mem1e,
reg1e);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_TMP_SF) ^ ap.getFlagValue(ID_TMP_OF))
ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize);
}
void SetnbeIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *cf, *zf;
auto mem = this->operands[0].getMem();
auto memSize = this->operands[0].getMem().getSize();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_TMP_CF);
zf = ap.buildSymbolicFlagOperand(ID_TMP_ZF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvand(
smt2lib::bvnot(cf),
smt2lib::bvnot(zf)
),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_TMP_CF) == 0 && ap.getFlagValue(ID_TMP_ZF) == 0) {
if (ap.isRegTainted(ID_TMP_CF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_CF, memSize);
else
ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_ZF, memSize);
}
}
void CmovbeIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *reg1e, *reg2e, *cf, *zf;
uint64 reg1 = this->operands[0].getValue();
uint64 reg2 = this->operands[1].getValue();
uint64 size1 = this->operands[0].getSize();
uint64 size2 = this->operands[1].getSize();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_CF);
zf = ap.buildSymbolicFlagOperand(ID_ZF);
reg1e = ap.buildSymbolicRegOperand(reg1, size1);
reg2e = ap.buildSymbolicRegOperand(reg2, size2);
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(
cf,
zf
),
smt2lib::bvtrue()
),
reg2e,
reg1e);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg1, size1);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_CF) | ap.getFlagValue(ID_ZF))
ap.assignmentSpreadTaintRegReg(se, reg1, reg2);
}
void SetleIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *sf, *of, *zf;
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
/* Create the flag SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_TMP_SF);
of = ap.buildSymbolicFlagOperand(ID_TMP_OF);
zf = ap.buildSymbolicFlagOperand(ID_TMP_ZF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(smt2lib::bvxor(sf, of), zf),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (((ap.getFlagValue(ID_TMP_SF) ^ ap.getFlagValue(ID_TMP_OF)) | ap.getFlagValue(ID_TMP_ZF)) == 1) {
if (ap.isRegTainted(ID_TMP_SF) == TAINTED)
ap.assignmentSpreadTaintRegReg(se, reg, ID_TMP_SF);
else if (ap.isRegTainted(ID_TMP_OF) == TAINTED)
ap.assignmentSpreadTaintRegReg(se, reg, ID_TMP_OF);
else
ap.assignmentSpreadTaintRegReg(se, reg, ID_TMP_ZF);
}
}
void SetnleIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, reg1e, sf, of, zf;
uint64 reg = this->operands[0].getValue();
uint64 regSize = this->operands[0].getSize();
/* Create the flag SMT semantic */
sf << ap.buildSymbolicFlagOperand(ID_SF);
of << ap.buildSymbolicFlagOperand(ID_OF);
zf << ap.buildSymbolicFlagOperand(ID_ZF);
reg1e << ap.buildSymbolicRegOperand(reg, regSize);
/* Finale expr */
expr << smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(smt2lib::bvxor(sf.str(), of.str()), zf.str()),
smt2lib::bvfalse()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0) {
if (ap.isRegTainted(ID_SF) == TAINTED)
ap.assignmentSpreadTaintRegReg(se, reg, ID_SF);
else if (ap.isRegTainted(ID_OF) == TAINTED)
ap.assignmentSpreadTaintRegReg(se, reg, ID_OF);
else
ap.assignmentSpreadTaintRegReg(se, reg, ID_ZF);
}
}
void CmovnleIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, reg1e, reg2e, sf, of, zf;
uint64 reg1 = this->operands[0].getValue();
uint64 reg2 = this->operands[1].getValue();
uint64 size1 = this->operands[0].getSize();
uint64 size2 = this->operands[1].getSize();
/* Create the flag SMT semantic */
sf << ap.buildSymbolicFlagOperand(ID_SF);
of << ap.buildSymbolicFlagOperand(ID_OF);
zf << ap.buildSymbolicFlagOperand(ID_ZF);
reg1e << ap.buildSymbolicRegOperand(reg1, size1);
reg2e << ap.buildSymbolicRegOperand(reg2, size2);
expr << smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(smt2lib::bvxor(sf.str(), of.str()), zf.str()),
smt2lib::bvfalse()
),
reg2e.str(),
reg1e.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg1, size1);
/* Apply the taint via the concretization */
if (((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0)
ap.assignmentSpreadTaintRegReg(se, reg1, reg2);
}
void CmovlIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, reg1e, mem1e, sf, of;
uint32 readSize = this->operands[1].getSize();
uint64 mem = this->operands[1].getValue();
uint64 reg = this->operands[0].getValue();
uint64 regSize = this->operands[0].getSize();
/* Create the flag SMT semantic */
sf << ap.buildSymbolicFlagOperand(ID_SF);
of << ap.buildSymbolicFlagOperand(ID_OF);
reg1e << ap.buildSymbolicRegOperand(reg, regSize);
mem1e << ap.buildSymbolicMemOperand(mem, readSize);
expr << smt2lib::ite(
smt2lib::equal(
smt2lib::bvxor(sf.str(), of.str()),
smt2lib::bvtrue()),
mem1e.str(),
reg1e.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF))
ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}
void CmovnleIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *reg1e, *reg2e, *sf, *of, *zf;
auto reg1 = this->operands[0].getReg().getTritonRegId();
auto reg2 = this->operands[1].getReg().getTritonRegId();
auto regSize1 = this->operands[0].getReg().getSize();
auto regSize2 = this->operands[1].getReg().getSize();
/* Create the flag SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_SF);
of = ap.buildSymbolicFlagOperand(ID_OF);
zf = ap.buildSymbolicFlagOperand(ID_ZF);
reg1e = ap.buildSymbolicRegOperand(reg1, regSize1);
reg2e = ap.buildSymbolicRegOperand(reg2, regSize2);
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(smt2lib::bvxor(sf, of), zf),
smt2lib::bvfalse()
),
reg2e,
reg1e);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint via the concretization */
if (((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0)
ap.assignmentSpreadTaintRegReg(se, reg1, reg2);
}
void CmovnleIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *reg1e, *mem1e, *sf, *of, *zf;
uint32 readSize = this->operands[1].getSize();
uint64 mem = this->operands[1].getValue();
uint64 reg = this->operands[0].getValue();
uint64 regSize = this->operands[0].getSize();
/* Create the flag SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_SF);
of = ap.buildSymbolicFlagOperand(ID_OF);
zf = ap.buildSymbolicFlagOperand(ID_ZF);
reg1e = ap.buildSymbolicRegOperand(reg, regSize);
mem1e = ap.buildSymbolicMemOperand(mem, readSize);
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(smt2lib::bvxor(sf, of), zf),
smt2lib::bvfalse()
),
mem1e,
reg1e);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0)
ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}
void SetlIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, mem1e, sf, of;
uint64_t mem = this->operands[0].getValue();
uint64_t memSize = this->operands[0].getSize();
/* Create the flag SMT semantic */
sf << ap.buildSymbolicFlagOperand(ID_SF);
of << ap.buildSymbolicFlagOperand(ID_OF);
mem1e << ap.buildSymbolicMemOperand(mem, memSize);
/* Finale expr */
expr << smt2lib::ite(
smt2lib::equal(
smt2lib::bvxor(sf.str(), of.str()),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) {
if (ap.isRegTainted(ID_SF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_SF, memSize);
else
ap.assignmentSpreadTaintMemReg(se, mem, ID_OF, memSize);
}
}
void SetbIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *cf;
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_TMP_CF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
cf,
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_TMP_CF) == 1)
ap.assignmentSpreadTaintRegReg(se, reg, ID_TMP_CF);
}
void SetsIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *sf;
auto mem = this->operands[0].getMem().getAddress();
auto memSize = this->operands[0].getMem().getSize();
/* Create the SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_SF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
sf,
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_SF) == 1)
ap.assignmentSpreadTaintMemReg(se, mem, ID_SF, memSize);
}
void SetsIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, reg1e, sf;
uint64_t reg = this->operands[0].getValue();
uint64_t regSize = this->operands[0].getSize();
/* Create the SMT semantic */
sf << ap.buildSymbolicFlagOperand(ID_SF);
reg1e << ap.buildSymbolicRegOperand(reg, regSize);
/* Finale expr */
expr << smt2lib::ite(
smt2lib::equal(
sf.str(),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_SF) == 1)
ap.assignmentSpreadTaintRegReg(se, reg, ID_SF);
}
static PyObject *Triton_getRegs(PyObject *self, PyObject *noargs)
{
PyObject *regs = xPyDict_New();
/* Build all Registers */
for (uint64 regId = ID_RAX; regId < ID_RFLAGS; regId++){
PyObject *reg = xPyDict_New();
if (regId >= ID_XMM0 && regId <= ID_XMM15)
PyDict_SetItemString(reg, "concreteValue", uint128ToPyLongObject(ap.getSSERegisterValue(regId)));
else
PyDict_SetItemString(reg, "concreteValue", Py_BuildValue("k", ap.getRegisterValue(regId)));
PyDict_SetItemString(reg, "symbolicExpr", Py_BuildValue("k", ap.getRegSymbolicID(regId)));
PyDict_SetItem(regs, Py_BuildValue("k", regId), reg);
}
/* Build all Flags */
for (uint64 flagId = ID_AF; flagId <= ID_ZF; flagId++){
PyObject *flag = xPyDict_New();
PyDict_SetItemString(flag, "concreteValue", Py_BuildValue("k", ap.getFlagValue(flagId)));
PyDict_SetItemString(flag, "symbolicExpr", Py_BuildValue("k", ap.getRegSymbolicID(flagId)));
PyDict_SetItem(regs, Py_BuildValue("k", flagId), flag);
}
return regs;
}
void CmovpIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, reg1e, reg2e, pf;
uint64 reg1 = this->operands[0].getValue();
uint64 reg2 = this->operands[1].getValue();
uint64 size1 = this->operands[0].getSize();
uint64 size2 = this->operands[1].getSize();
/* Create the SMT semantic */
pf << ap.buildSymbolicFlagOperand(ID_PF);
reg1e << ap.buildSymbolicRegOperand(reg1, size1);
reg2e << ap.buildSymbolicRegOperand(reg2, size2);
expr << smt2lib::ite(
smt2lib::equal(
pf.str(),
smt2lib::bvtrue()),
reg2e.str(),
reg1e.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg1, size1);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_PF) == 1)
ap.assignmentSpreadTaintRegReg(se, reg1, reg2);
}
void SetzIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, mem1e, zf;
uint64_t mem = this->operands[0].getValue();
uint64_t memSize = this->operands[0].getSize();
/* Create the SMT semantic */
zf << ap.buildSymbolicFlagOperand(ID_ZF);
mem1e << ap.buildSymbolicMemOperand(mem, memSize);
/* Finale expr */
expr << smt2lib::ite(
smt2lib::equal(
zf.str(),
smt2lib::bvtrue()),
smt2lib::bv(1, 8),
smt2lib::bv(0, 8));
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_ZF) == 1)
ap.assignmentSpreadTaintMemReg(se, mem, ID_ZF, memSize);
}
void CmovpIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *reg1e, *reg2e, *pf;
auto reg1 = this->operands[0].getReg();
auto reg2 = this->operands[1].getReg();
auto regSize1 = this->operands[0].getReg().getSize();
auto regSize2 = this->operands[1].getReg().getSize();
/* Create the SMT semantic */
pf = ap.buildSymbolicFlagOperand(ID_TMP_PF);
reg1e = ap.buildSymbolicRegOperand(reg1, regSize1);
reg2e = ap.buildSymbolicRegOperand(reg2, regSize2);
expr = smt2lib::ite(
smt2lib::equal(
pf,
smt2lib::bvtrue()),
reg2e,
reg1e);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg1, regSize1);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_TMP_PF) == 1)
ap.assignmentSpreadTaintRegReg(se, reg1, reg2);
}
static PyObject *Triton_getFlagValue(PyObject *self, PyObject *flagId) {
RegisterOperand flag;
if (!PyLong_Check(flagId) && !PyInt_Check(flagId))
return PyErr_Format(PyExc_TypeError, "getFlagValue(): expected a flag id (IDREF.FLAG) as argument");
if (!ap.getCurrentCtxH())
return PyErr_Format(PyExc_TypeError, "getFlagValue(): Can't call getFlagValue() right now. You must run the program before.");
flag = createTmpFlag(PyLong_AsLong(flagId));
return Py_BuildValue("k", ap.getFlagValue(flag));
}
