void SetleIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *sf, *of, *zf;
auto mem = this->operands[0].getMem();
auto memSize = this->operands[0].getMem().getSize();
/* Create the flag SMT semantic */
sf = ap.buildSymbolicFlagOperand(ID_TMP_SF);
of = ap.buildSymbolicFlagOperand(ID_TMP_OF);
zf = ap.buildSymbolicFlagOperand(ID_TMP_ZF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(smt2lib::bvxor(sf, of), zf),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (((ap.getFlagValue(ID_TMP_SF) ^ ap.getFlagValue(ID_TMP_OF)) | ap.getFlagValue(ID_TMP_ZF)) == 1) {
if (ap.isRegTainted(ID_TMP_SF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_SF, memSize);
else if (ap.isRegTainted(ID_TMP_OF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_OF, memSize);
else
ap.assignmentSpreadTaintMemReg(se, mem, ID_TMP_ZF, memSize);
}
}
void SetnleIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, mem1e, sf, of, zf;
uint64 mem = this->operands[0].getValue();
uint64 memSize = this->operands[0].getSize();
/* Create the flag SMT semantic */
sf << ap.buildSymbolicFlagOperand(ID_SF);
of << ap.buildSymbolicFlagOperand(ID_OF);
zf << ap.buildSymbolicFlagOperand(ID_ZF);
mem1e << ap.buildSymbolicMemOperand(mem, memSize);
/* Finale expr */
expr << smt2lib::ite(
smt2lib::equal(
smt2lib::bvor(smt2lib::bvxor(sf.str(), of.str()), zf.str()),
smt2lib::bvfalse()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, memSize);
/* Apply the taint via the concretization */
if (((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0) {
if (ap.isRegTainted(ID_SF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_SF, memSize);
else if (ap.isRegTainted(ID_OF) == TAINTED)
ap.assignmentSpreadTaintMemReg(se, mem, ID_OF, memSize);
else
ap.assignmentSpreadTaintMemReg(se, mem, ID_ZF, memSize);
}
}
void SetlIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, reg1e, sf, of;
uint64_t reg = this->operands[0].getValue();
uint64_t regSize = this->operands[0].getSize();
/* Create the flag SMT semantic */
sf << ap.buildSymbolicFlagOperand(ID_SF);
of << ap.buildSymbolicFlagOperand(ID_OF);
reg1e << ap.buildSymbolicRegOperand(reg, regSize);
/* Finale expr */
expr << smt2lib::ite(
smt2lib::equal(
smt2lib::bvxor(sf.str(), of.str()),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) {
if (ap.isRegTainted(ID_SF) == TAINTED)
ap.assignmentSpreadTaintRegReg(se, reg, ID_SF);
else
ap.assignmentSpreadTaintRegReg(se, reg, ID_OF);
}
}
void SetnbeIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *cf, *zf;
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_TMP_CF);
zf = ap.buildSymbolicFlagOperand(ID_TMP_ZF);
/* Finale expr */
expr = smt2lib::ite(
smt2lib::equal(
smt2lib::bvand(
smt2lib::bvnot(cf),
smt2lib::bvnot(zf)
),
smt2lib::bvtrue()),
smt2lib::bv(1, BYTE_SIZE_BIT),
smt2lib::bv(0, BYTE_SIZE_BIT));
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.getFlagValue(ID_TMP_CF) == 0 && ap.getFlagValue(ID_TMP_ZF) == 0) {
if (ap.isRegTainted(ID_TMP_CF) == TAINTED)
ap.assignmentSpreadTaintRegReg(se, reg, ID_TMP_CF);
else
ap.assignmentSpreadTaintRegReg(se, reg, ID_TMP_ZF);
}
}
void XaddIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se1, *se2;
std::stringstream expr1, expr2, op1, op2;
uint64_t mem1 = this->operands[0].getValue();
uint64_t reg2 = this->operands[1].getValue();
uint32_t memSize1 = this->operands[0].getSize();
uint32_t regSize2 = this->operands[1].getSize();
uint64_t tmpMem1Taint = ap.isMemTainted(mem1);
uint64_t tmpReg2Taint = ap.isRegTainted(reg2);
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(mem1, memSize1);
op2 << ap.buildSymbolicRegOperand(reg2, regSize2);
// Final expr
expr1 << op2.str();
expr2 << smt2lib::bvadd(op1.str(), op2.str());
/* Create the symbolic element */
se1 = ap.createMemSE(inst, expr1, mem1, memSize1);
se2 = ap.createRegSE(inst, expr2, reg2, regSize2);
/* Apply the taint */
ap.setTaintMem(se1, mem1, tmpReg2Taint);
ap.setTaintReg(se2, reg2, tmpMem1Taint);
/* Add the symbolic flags element to the current inst */
EflagsBuilder::af(inst, se2, ap, memSize1, op1, op2);
EflagsBuilder::cfAdd(inst, se2, ap, op1);
EflagsBuilder::ofAdd(inst, se2, ap, memSize1, op1, op2);
EflagsBuilder::pf(inst, se2, ap);
EflagsBuilder::sf(inst, se2, ap, memSize1);
EflagsBuilder::zf(inst, se2, ap, memSize1);
}
void XaddIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se1, *se2;
smt2lib::smtAstAbstractNode *expr1, *expr2, *op1, *op2;
uint64 mem1 = this->operands[0].getValue();
uint64 reg2 = this->operands[1].getValue();
uint32 memSize1 = this->operands[0].getSize();
uint32 regSize2 = this->operands[1].getSize();
uint64 tmpMem1Taint = ap.isMemTainted(mem1);
uint64 tmpReg2Taint = ap.isRegTainted(reg2);
/* Create the SMT semantic */
op1 = ap.buildSymbolicMemOperand(mem1, memSize1);
op2 = ap.buildSymbolicRegOperand(reg2, regSize2);
// Final expr
expr1 = op2;
expr2 = smt2lib::bvadd(op1, op2);
/* Create the symbolic expression */
se1 = ap.createMemSE(inst, expr1, mem1, memSize1);
se2 = ap.createRegSE(inst, expr2, reg2, regSize2);
/* Apply the taint */
ap.setTaintMem(se1, mem1, tmpReg2Taint);
ap.setTaintReg(se2, reg2, tmpMem1Taint);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::af(inst, se2, ap, memSize1, op1, op2);
EflagsBuilder::cfAdd(inst, se2, ap, memSize1, op1);
EflagsBuilder::ofAdd(inst, se2, ap, memSize1, op1, op2);
EflagsBuilder::pf(inst, se2, ap, memSize1);
EflagsBuilder::sf(inst, se2, ap, memSize1);
EflagsBuilder::zf(inst, se2, ap, memSize1);
}
static PyObject *Triton_isRegTainted(PyObject *self, PyObject *reg)
{
if (!PyLong_Check(reg) && !PyInt_Check(reg))
return PyErr_Format(PyExc_TypeError, "isRegTainted(): expected a register id (integer) as argument");
if (ap.isRegTainted(PyInt_AsLong(reg)) == true)
return Py_True;
return Py_False;
}
static PyObject *Triton_isRegTainted(PyObject *self, PyObject *reg) {
if (!PyLong_Check(reg) && !PyInt_Check(reg))
return PyErr_Format(PyExc_TypeError, "isRegTainted(): expected a register id (integer) as argument");
RegisterOperand ro = createTmpReg(PyInt_AsLong(reg));
if (ap.isRegTainted(ro) == true)
Py_RETURN_TRUE;
Py_RETURN_FALSE;
}
void LeaIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *dis2e, *base2e, *index2e, *scale2e;
auto reg = this->operands[0].getReg().getTritonRegId();
auto regSize = this->operands[0].getReg().getSize();
auto displacement = this->operands[1].getDisplacement().getValue();
auto baseReg = this->operands[1].getBaseReg().getTritonRegId();
auto indexReg = this->operands[1].getIndexReg().getTritonRegId();
auto memoryScale = this->operands[1].getMemoryScale().getValue();
/* Base register */
if (baseReg) {
/* If the base register is RIP, we must use nextAddress */
if (baseReg == ID_RIP)
base2e = smt2lib::bv(this->nextAddress, regSize * REG_SIZE);
else
base2e = ap.buildSymbolicRegOperand(baseReg, regSize);
}
else
base2e = smt2lib::bv(0, regSize * REG_SIZE);
/* Index register if it exists */
if (indexReg)
index2e = ap.buildSymbolicRegOperand(indexReg, regSize);
else
index2e = smt2lib::bv(0, regSize * REG_SIZE);
/* Displacement */
dis2e = smt2lib::bv(displacement, regSize * REG_SIZE);
/* Scale */
scale2e = smt2lib::bv(memoryScale, regSize * REG_SIZE);
/* final SMT expression */
/* Effective address = Displacement + BaseReg + IndexReg * Scale */
expr = smt2lib::bvadd(dis2e, smt2lib::bvadd(base2e, smt2lib::bvmul(index2e, scale2e)));
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint via the concretization */
if (ap.isRegTainted(baseReg) == TAINTED)
ap.assignmentSpreadTaintRegReg(se, reg, baseReg);
else
ap.assignmentSpreadTaintRegReg(se, reg, indexReg);
}
