void CmovnsIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const { SymbolicElement *se; std::stringstream expr, reg1e, mem1e, sf; uint32_t readSize = this->operands[1].getSize(); uint64_t mem = this->operands[1].getValue(); uint64_t reg = this->operands[0].getValue(); uint64_t regSize = this->operands[0].getSize(); /* Create the SMT semantic */ sf << ap.buildSymbolicFlagOperand(ID_SF); reg1e << ap.buildSymbolicRegOperand(reg, regSize); mem1e << ap.buildSymbolicMemOperand(mem, readSize); expr << smt2lib::ite( smt2lib::equal( sf.str(), smt2lib::bvfalse()), mem1e.str(), reg1e.str()); /* Create the symbolic element */ se = ap.createRegSE(inst, expr, reg, regSize); /* Apply the taint via the concretization */ if (ap.getFlagValue(ID_SF) == 0) ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize); }
void LeaveIRBuilder::none(AnalysisProcessor &ap, Inst &inst) const { SymbolicElement *se1, *se2; std::stringstream expr1, expr2; uint64 readMem = this->operands[0].getValue(); // The src memory read uint32 readSize = this->operands[0].getSize(); // RSP = RBP; ----------------------------- expr1 << ap.buildSymbolicRegOperand(ID_RBP, REG_SIZE); /* Create the symbolic element */ se1 = ap.createRegSE(inst, expr1, ID_RSP, REG_SIZE); /* Apply the taint */ ap.assignmentSpreadTaintRegReg(se1, ID_RSP, ID_RBP); // RSP = RBP; ----------------------------- // RBP = Pop(); --------------------------- expr2 << ap.buildSymbolicMemOperand(readMem, readSize); /* Create the symbolic element */ se2 = ap.createRegSE(inst, expr2, ID_RBP, REG_SIZE); /* Apply the taint */ ap.assignmentSpreadTaintRegMem(se2, ID_RBP, readMem, readSize); // RBP = Pop(); --------------------------- /* Add the symbolic element to the current inst */ alignStack(inst, ap, readSize); }
void CmovlIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const { SymbolicExpression *se; smt2lib::smtAstAbstractNode *expr, *reg1e, *mem1e, *sf, *of; auto memSize = this->operands[1].getMem().getSize(); auto mem = this->operands[1].getMem(); auto reg = this->operands[0].getReg(); auto regSize = this->operands[0].getReg().getSize(); /* Create the flag SMT semantic */ sf = ap.buildSymbolicFlagOperand(ID_TMP_SF); of = ap.buildSymbolicFlagOperand(ID_TMP_OF); reg1e = ap.buildSymbolicRegOperand(reg, regSize); mem1e = ap.buildSymbolicMemOperand(mem, memSize); expr = smt2lib::ite( smt2lib::equal( smt2lib::bvxor(sf, of), smt2lib::bvtrue()), mem1e, reg1e); /* Create the symbolic expression */ se = ap.createRegSE(inst, expr, reg, regSize); /* Apply the taint via the concretization */ if (ap.getFlagValue(ID_TMP_SF) ^ ap.getFlagValue(ID_TMP_OF)) ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize); }
void CmovnbIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const { SymbolicExpression *se; smt2lib::smtAstAbstractNode *expr, *reg1e, *mem1e, *cf; uint32 readSize = this->operands[1].getSize(); uint64 mem = this->operands[1].getValue(); uint64 reg = this->operands[0].getValue(); uint64 regSize = this->operands[0].getSize(); /* Create the SMT semantic */ cf = ap.buildSymbolicFlagOperand(ID_CF); reg1e = ap.buildSymbolicRegOperand(reg, regSize); mem1e = ap.buildSymbolicMemOperand(mem, readSize); expr = smt2lib::ite( smt2lib::equal( cf, smt2lib::bvfalse()), mem1e, reg1e); /* Create the symbolic expression */ se = ap.createRegSE(inst, expr, reg, regSize); /* Apply the taint via the concretization */ if (ap.getFlagValue(ID_CF) == 0) ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize); }
void MovdqaIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const { SymbolicExpression *se; smt2lib::smtAstAbstractNode *expr; auto memSize = this->operands[1].getMem().getSize(); auto mem = this->operands[1].getMem(); auto reg = this->operands[0].getReg(); auto regSize = this->operands[0].getReg().getSize(); /* Create the SMT semantic */ expr = ap.buildSymbolicMemOperand(mem, memSize); /* Create the symbolic expression */ se = ap.createRegSE(inst, expr, reg, regSize); /* Apply the taint */ ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize); }
void MovIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const { SymbolicElement *se; std::stringstream expr; uint32_t readSize = this->operands[1].getSize(); uint64_t mem = this->operands[1].getValue(); uint64_t reg = this->operands[0].getValue(); uint64_t regSize = this->operands[0].getSize(); /* Create the SMT semantic */ expr << ap.buildSymbolicMemOperand(mem, readSize); /* Create the symbolic element */ se = ap.createRegSE(inst, expr, reg, regSize); /* Apply the taint */ ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize); }
void MovzxIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const { SymbolicExpression *se; smt2lib::smtAstAbstractNode *expr, *op1; auto memSize = this->operands[1].getMem().getSize(); auto mem = this->operands[1].getMem().getAddress(); auto reg = this->operands[0].getReg().getTritonRegId(); auto regSize = this->operands[0].getReg().getSize(); /* Create the SMT semantic */ op1 = ap.buildSymbolicMemOperand(mem, memSize); /* Final expr */ expr = smt2lib::zx((regSize * REG_SIZE) - (memSize * REG_SIZE), op1); /* Create the symbolic expression */ se = ap.createRegSE(inst, expr, reg, regSize); /* Apply the taint */ ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize); }
void RetIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const { SymbolicElement *se; std::stringstream expr, op1; uint64_t memSrc = this->operands[0].getValue(); // The dst memory read uint32_t readSize = this->operands[0].getSize(); /* Create the SMT semantic */ op1 << ap.buildSymbolicMemOperand(memSrc, readSize); /* Finale expr */ expr << op1.str(); /* Create the symbolic element */ se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP"); /* Apply the taint */ ap.assignmentSpreadTaintRegMem(se, ID_RIP, memSrc, readSize); /* Create the SMT semantic side effect */ alignStack(inst, ap); }
void MovlpdIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const { SymbolicExpression *se; smt2lib::smtAstAbstractNode *expr, *op1, *op2; auto memSize = this->operands[1].getMem().getSize(); auto mem = this->operands[1].getMem().getAddress(); auto reg = this->operands[0].getReg().getTritonRegId(); auto regSize = this->operands[0].getReg().getSize(); /* Create the SMT semantic */ op1 = ap.buildSymbolicRegOperand(reg, regSize); op2 = ap.buildSymbolicMemOperand(mem, memSize); expr = smt2lib::concat( smt2lib::extract(127, 64, op1), /* Destination[64..127] unchanged */ smt2lib::extract(63, 0, op2) /* Destination[0..63] = Source */ ); /* Create the symbolic expression */ se = ap.createRegSE(inst, expr, reg, regSize); /* Apply the taint */ ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize); }
void MovhpdIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const { SymbolicElement *se; std::stringstream expr, op1, op2; uint32 readSize = this->operands[1].getSize(); uint64 mem = this->operands[1].getValue(); uint64 reg = this->operands[0].getValue(); uint64 regSize = this->operands[0].getSize(); /* Create the SMT semantic */ op1 << ap.buildSymbolicRegOperand(reg, regSize); op2 << ap.buildSymbolicMemOperand(mem, readSize); expr << smt2lib::concat( smt2lib::extract(63, 0, op2.str()), /* Destination[64..127] = Source */ smt2lib::extract(63, 0, op1.str()) /* Destination[0..63] unchanged */ ); /* Create the symbolic element */ se = ap.createRegSE(inst, expr, reg, regSize); /* Apply the taint */ ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize); }