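/*
 * SETL m8 -- stores 1 into the destination byte when SF != OF, 0 otherwise.
 *
 * ap:   analysis processor; supplies the flags' symbolic operands, the
 *       concrete flag values, the taint state and the symbolic-element factory.
 * inst: instruction the created symbolic element is attached to.
 *
 * The destination is write-only for SETL, so its previous symbolic value is
 * deliberately not queried (the former `mem1e` operand was built and never
 * used; that dead lookup has been removed).
 */
void SetlIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
  SymbolicElement   *se;
  std::stringstream expr, sf, of;
  uint64_t          mem     = this->operands[0].getValue();
  uint64_t          memSize = this->operands[0].getSize();

  /* Symbolic operands of the two flags the condition reads */
  sf << ap.buildSymbolicFlagOperand(ID_SF);
  of << ap.buildSymbolicFlagOperand(ID_OF);

  /* dst = ((SF xor OF) == true) ? 1 : 0, as a BYTE_SIZE_BIT-wide bit-vector */
  expr << smt2lib::ite(
            smt2lib::equal(
              smt2lib::bvxor(sf.str(), of.str()),
              smt2lib::bvtrue()),
            smt2lib::bv(1, BYTE_SIZE_BIT),
            smt2lib::bv(0, BYTE_SIZE_BIT));

  /* Bind the expression to the written memory area */
  se = ap.createMemSE(inst, expr, mem, memSize);

  /*
   * Taint via concretization. The destination's taint is re-derived only when
   * the concrete condition holds (from SF if SF is tainted, else from OF).
   * When it does not hold nothing is updated: taint already on [mem] stays,
   * and an untainted [mem] stays untainted although the written 0 also depends
   * on the flags -- presumably an accepted approximation; confirm against the
   * taint engine before relying on it.
   */
  if (ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) {
    if (ap.isRegTainted(ID_SF) == TAINTED)
      ap.assignmentSpreadTaintMemReg(se, mem, ID_SF, memSize);
    else
      ap.assignmentSpreadTaintMemReg(se, mem, ID_OF, memSize);
  }
}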
/*
 * SETLE m8 -- stores 1 into the destination byte when ZF == 1 or SF != OF
 * (signed "less or equal"), 0 otherwise.
 *
 * ap:   analysis processor; supplies the flags' symbolic operands, concrete
 *       flag values, taint state and the symbolic-expression factory.
 * inst: instruction the created symbolic expression is attached to.
 */
void SetleIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
  uint64 dstAddr = this->operands[0].getValue();
  uint64 dstSize = this->operands[0].getSize();

  /* Symbolic operands of the three flags the condition reads */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_SF);
  smt2lib::smtAstAbstractNode *ofNode = ap.buildSymbolicFlagOperand(ID_OF);
  smt2lib::smtAstAbstractNode *zfNode = ap.buildSymbolicFlagOperand(ID_ZF);

  /* cond = (SF xor OF) or ZF */
  smt2lib::smtAstAbstractNode *cond =
    smt2lib::bvor(smt2lib::bvxor(sfNode, ofNode), zfNode);

  /* dst = (cond == true) ? 1 : 0, as a BYTE_SIZE_BIT-wide bit-vector */
  smt2lib::smtAstAbstractNode *expr =
    smt2lib::ite(
      smt2lib::equal(cond, smt2lib::bvtrue()),
      smt2lib::bv(1, BYTE_SIZE_BIT),
      smt2lib::bv(0, BYTE_SIZE_BIT));

  /* Bind the expression to the written memory area */
  SymbolicExpression *se = ap.createMemSE(inst, expr, dstAddr, dstSize);

  /*
   * Taint via concretization. Nothing is updated unless the concrete
   * condition holds; then the destination takes its taint from the first
   * tainted flag in the order SF, OF, ZF (ZF is the fallback even when it is
   * untainted). When the condition is false, taint already on [mem] is left
   * as is -- presumably an accepted approximation; confirm against the engine.
   */
  bool concreteCond =
    ((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 1;
  if (!concreteCond)
    return;

  if (ap.isRegTainted(ID_SF) == TAINTED)
    ap.assignmentSpreadTaintMemReg(se, dstAddr, ID_SF, dstSize);
  else if (ap.isRegTainted(ID_OF) == TAINTED)
    ap.assignmentSpreadTaintMemReg(se, dstAddr, ID_OF, dstSize);
  else
    ap.assignmentSpreadTaintMemReg(se, dstAddr, ID_ZF, dstSize);
}
/*
 * SETNBE m8 (alias SETA) -- stores 1 into the destination byte when CF == 0
 * and ZF == 0 (unsigned "above"), 0 otherwise.
 *
 * ap:   analysis processor; supplies the flags' symbolic operands, concrete
 *       flag values, taint state and the symbolic-expression factory.
 * inst: instruction the created symbolic expression is attached to.
 *
 * NOTE(review): the flags are read through ID_TMP_CF / ID_TMP_ZF rather than
 * ID_CF / ID_ZF; presumably these denote the flag state the builder has to
 * use for this instruction -- confirm with the flag-id definitions.
 */
void SetnbeIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
  auto dst     = this->operands[0].getMem();
  auto dstSize = dst.getSize();

  /* Symbolic operands of the two flags the condition reads */
  smt2lib::smtAstAbstractNode *cfNode = ap.buildSymbolicFlagOperand(ID_TMP_CF);
  smt2lib::smtAstAbstractNode *zfNode = ap.buildSymbolicFlagOperand(ID_TMP_ZF);

  /* cond = (not CF) and (not ZF) */
  smt2lib::smtAstAbstractNode *cond =
    smt2lib::bvand(smt2lib::bvnot(cfNode), smt2lib::bvnot(zfNode));

  /* dst = (cond == true) ? 1 : 0, as a BYTE_SIZE_BIT-wide bit-vector */
  smt2lib::smtAstAbstractNode *expr =
    smt2lib::ite(
      smt2lib::equal(cond, smt2lib::bvtrue()),
      smt2lib::bv(1, BYTE_SIZE_BIT),
      smt2lib::bv(0, BYTE_SIZE_BIT));

  /* Bind the expression to the written memory operand */
  SymbolicExpression *se = ap.createMemSE(inst, expr, dst, dstSize);

  /*
   * Taint via concretization: only when the concrete condition holds is the
   * destination's taint re-derived, from CF if CF is tainted, else from ZF.
   * Otherwise [mem] keeps whatever taint it had -- presumably an accepted
   * approximation; confirm against the taint engine.
   */
  bool above = ap.getFlagValue(ID_TMP_CF) == 0 && ap.getFlagValue(ID_TMP_ZF) == 0;
  if (!above)
    return;

  if (ap.isRegTainted(ID_TMP_CF) == TAINTED)
    ap.assignmentSpreadTaintMemReg(se, dst, ID_TMP_CF, dstSize);
  else
    ap.assignmentSpreadTaintMemReg(se, dst, ID_TMP_ZF, dstSize);
}
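/*
 * SETZ m8 -- stores 1 into the destination byte when ZF == 1, 0 otherwise.
 *
 * ap:   analysis processor; supplies the flag's symbolic operand, its concrete
 *       value, the taint state and the symbolic-element factory.
 * inst: instruction the created symbolic element is attached to.
 *
 * The destination is write-only for SETZ, so its previous symbolic value is
 * deliberately not queried (the former `mem1e` operand was built and never
 * used; that dead lookup has been removed).
 */
void SetzIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
  SymbolicElement   *se;
  std::stringstream expr, zf;
  uint64_t          mem     = this->operands[0].getValue();
  uint64_t          memSize = this->operands[0].getSize();

  /* Symbolic operand of the only flag the condition reads */
  zf << ap.buildSymbolicFlagOperand(ID_ZF);

  /* dst = (ZF == true) ? 1 : 0, as an 8-bit bit-vector */
  expr << smt2lib::ite(
            smt2lib::equal(
              zf.str(),
              smt2lib::bvtrue()),
            smt2lib::bv(1, 8),
            smt2lib::bv(0, 8));

  /* Bind the expression to the written memory area */
  se = ap.createMemSE(inst, expr, mem, memSize);

  /*
   * Taint via concretization: the destination's taint is derived from ZF only
   * when ZF is concretely set. Otherwise [mem] keeps whatever taint it had,
   * although the written 0 also depends on ZF -- presumably an accepted
   * approximation; confirm against the taint engine.
   */
  if (ap.getFlagValue(ID_ZF) == 1)
    ap.assignmentSpreadTaintMemReg(se, mem, ID_ZF, memSize);
}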
/*
 * SETS m8 -- stores 1 into the destination byte when SF == 1, 0 otherwise.
 *
 * ap:   analysis processor; supplies the flag's symbolic operand, its concrete
 *       value, the taint state and the symbolic-expression factory.
 * inst: instruction the created symbolic expression is attached to.
 */
void SetsIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
  auto dstAddr = this->operands[0].getMem().getAddress();
  auto dstSize = this->operands[0].getMem().getSize();

  /* Symbolic operand of the only flag the condition reads */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_SF);

  /* dst = (SF == true) ? 1 : 0, as a BYTE_SIZE_BIT-wide bit-vector */
  smt2lib::smtAstAbstractNode *expr =
    smt2lib::ite(
      smt2lib::equal(sfNode, smt2lib::bvtrue()),
      smt2lib::bv(1, BYTE_SIZE_BIT),
      smt2lib::bv(0, BYTE_SIZE_BIT));

  /* Bind the expression to the written memory area */
  SymbolicExpression *se = ap.createMemSE(inst, expr, dstAddr, dstSize);

  /*
   * Taint via concretization: the destination's taint is derived from SF only
   * when SF is concretely set; otherwise [mem] keeps whatever taint it had --
   * presumably an accepted approximation; confirm against the taint engine.
   */
  if (ap.getFlagValue(ID_SF) != 1)
    return;
  ap.assignmentSpreadTaintMemReg(se, dstAddr, ID_SF, dstSize);
}
/*
 * MOVDQA m128, xmm -- stores the source XMM register into the memory
 * destination unchanged.
 *
 * ap:   analysis processor; supplies the register's symbolic operand, the
 *       taint state and the symbolic-expression factory.
 * inst: instruction the created symbolic expression is attached to.
 */
void MovdqaIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
  auto dst     = this->operands[0].getMem();
  auto dstSize = this->operands[0].getMem().getSize();
  auto src     = this->operands[1].getReg();
  auto srcSize = this->operands[1].getReg().getSize();

  /* dst = src: the register's symbolic value is stored as-is */
  smt2lib::smtAstAbstractNode *expr = ap.buildSymbolicRegOperand(src, srcSize);

  /* Bind the expression to the written memory operand */
  SymbolicExpression *se = ap.createMemSE(inst, expr, dst, dstSize);

  /* Taint: assignment from the source register to the written bytes */
  ap.assignmentSpreadTaintMemReg(se, dst, src, dstSize);
}
/*
 * MOV m, reg -- stores the source register into the memory destination.
 *
 * ap:   analysis processor; supplies the register's symbolic operand, the
 *       taint state and the symbolic-element factory.
 * inst: instruction the created symbolic element is attached to.
 *
 * The write width comes from the destination operand; the register is read
 * at its own size (both are equal for MOV m, reg -- assumed, not checked here).
 */
void MovIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
  uint32_t writeSize = this->operands[0].getSize();
  uint64_t dstAddr   = this->operands[0].getValue();
  uint64_t srcReg    = this->operands[1].getValue();
  uint64_t srcSize   = this->operands[1].getSize();

  /* dst = src: the register's symbolic value is stored as-is */
  std::stringstream expr;
  expr << ap.buildSymbolicRegOperand(srcReg, srcSize);

  /* Bind the expression to the written memory area */
  SymbolicElement *se = ap.createMemSE(inst, expr, dstAddr, writeSize);

  /* Taint: assignment from the source register to the written bytes */
  ap.assignmentSpreadTaintMemReg(se, dstAddr, srcReg, writeSize);
}
/*
 * MOVHPD m64, xmm -- stores the upper quadword (bits 127..64) of the source
 * XMM register into the 64-bit memory destination.
 *
 * ap:   analysis processor; supplies the register's symbolic operand, the
 *       taint state and the symbolic-expression factory.
 * inst: instruction the created symbolic expression is attached to.
 */
void MovhpdIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
  uint32 writeSize = this->operands[0].getSize();
  uint64 dstAddr   = this->operands[0].getValue();
  uint64 srcReg    = this->operands[1].getValue();
  uint64 srcSize   = this->operands[1].getSize();

  /* Symbolic value of the whole source register */
  smt2lib::smtAstAbstractNode *src = ap.buildSymbolicRegOperand(srcReg, srcSize);

  /* Destination = Source[127..64] */
  smt2lib::smtAstAbstractNode *expr = smt2lib::extract(127, 64, src);

  /* Bind the expression to the written memory area */
  SymbolicExpression *se = ap.createMemSE(inst, expr, dstAddr, writeSize);

  /* Taint: assignment from the source register to the written bytes */
  ap.assignmentSpreadTaintMemReg(se, dstAddr, srcReg, writeSize);
}
/*
 * MOVLPD m64, xmm -- stores the lower quadword (bits 63..0) of the source
 * XMM register into the 64-bit memory destination.
 *
 * ap:   analysis processor; supplies the register's symbolic operand, the
 *       taint state and the symbolic-expression factory.
 * inst: instruction the created symbolic expression is attached to.
 */
void MovlpdIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
  auto dstSize = this->operands[0].getMem().getSize();
  auto dstAddr = this->operands[0].getMem().getAddress();
  auto srcReg  = this->operands[1].getReg().getTritonRegId();
  auto srcSize = this->operands[1].getReg().getSize();

  /* Symbolic value of the whole source register */
  smt2lib::smtAstAbstractNode *src = ap.buildSymbolicRegOperand(srcReg, srcSize);

  /* Destination = Source[63..0] */
  smt2lib::smtAstAbstractNode *expr = smt2lib::extract(63, 0, src);

  /* Bind the expression to the written memory area */
  SymbolicExpression *se = ap.createMemSE(inst, expr, dstAddr, dstSize);

  /* Taint: assignment from the source register to the written bytes */
  ap.assignmentSpreadTaintMemReg(se, dstAddr, srcReg, dstSize);
}
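/*
 * MOVHPD m64, xmm -- stores the upper quadword (bits 127..64) of the source
 * XMM register into the 64-bit memory destination.
 *
 * ap:   analysis processor; supplies the register's symbolic operand, the
 *       taint state and the symbolic-element factory.
 * inst: instruction the created symbolic element is attached to.
 *
 * The destination's previous contents are not part of the result, so its
 * symbolic operand is not built (the former `op1` operand was built and never
 * used; that dead lookup has been removed).
 */
void MovhpdIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
  SymbolicElement   *se;
  std::stringstream expr, op2;
  uint32            writeSize = this->operands[0].getSize();
  uint64            mem       = this->operands[0].getValue();
  uint64            reg       = this->operands[1].getValue();
  uint64            regSize   = this->operands[1].getSize();

  /* Symbolic value of the whole source register */
  op2 << ap.buildSymbolicRegOperand(reg, regSize);

  /* Destination = Source[127..64] */
  expr << smt2lib::extract(127, 64, op2.str());

  /* Bind the expression to the written memory area */
  se = ap.createMemSE(inst, expr, mem, writeSize);

  /* Taint: assignment from the source register to the written bytes */
  ap.assignmentSpreadTaintMemReg(se, mem, reg, writeSize);
}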