/*
 * TEST <mem>, <reg> form: operand 0 is the memory operand, operand 1 the
 * register operand. Builds the symbolic AND of the two operands, attaches it
 * to `inst` as a symbolic expression, propagates taint, and then derives the
 * flag expressions: CF and OF are cleared, PF/SF/ZF are computed from the
 * result over the memory operand's size.
 */
void TestIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
  auto reg     = operands[1].getReg();
  auto regSize = operands[1].getReg().getSize();
  auto mem     = operands[0].getMem();
  auto memSize = operands[0].getMem().getSize();

  /* Symbolic operands and the AND node that combines them */
  smt2lib::smtAstAbstractNode *lhs     = ap.buildSymbolicMemOperand(mem, memSize);
  smt2lib::smtAstAbstractNode *rhs     = ap.buildSymbolicRegOperand(reg, regSize);
  smt2lib::smtAstAbstractNode *andNode = smt2lib::bvand(lhs, rhs);

  /* Register the expression on the instruction */
  SymbolicExpression *symExpr = ap.createSE(inst, andNode);

  /* Taint propagation.
   * NOTE(review): taint is spread as an assignment to the memory operand;
   * confirm this is the intended model for an instruction that only
   * produces flags. */
  ap.assignmentSpreadTaintExprRegMem(symExpr, reg, mem, memSize);

  /* Flag semantics: CF/OF are forced to zero, the rest follow the result */
  EflagsBuilder::clearFlag(inst, ap, ID_TMP_CF, "Clears carry flag");
  EflagsBuilder::clearFlag(inst, ap, ID_TMP_OF, "Clears overflow flag");
  EflagsBuilder::pf(inst, symExpr, ap, memSize);
  EflagsBuilder::sf(inst, symExpr, ap, memSize);
  EflagsBuilder::zf(inst, symExpr, ap, memSize);
}
/*
 * TEST <mem>, <reg> form (string-based SMT representation): operand 0 is the
 * memory operand, operand 1 the register operand. Emits the textual SMT AND
 * of both operands, attaches it to `inst` as a symbolic element, propagates
 * taint, then derives the flags: CF and OF are cleared, PF is computed from
 * the element, SF/ZF from the element over the memory read size.
 */
void TestIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
  uint64 reg      = operands[1].getValue();
  uint32 regSize  = operands[1].getSize();
  uint64 mem      = operands[0].getValue();
  uint32 readSize = operands[0].getSize();

  /* Textual SMT operands */
  std::stringstream lhs;
  std::stringstream rhs;
  lhs << ap.buildSymbolicMemOperand(mem, readSize);
  rhs << ap.buildSymbolicRegOperand(reg, regSize);

  /* Combine them into the final AND expression */
  std::stringstream andExpr;
  andExpr << smt2lib::bvand(lhs.str(), rhs.str());

  /* Register the element on the instruction */
  SymbolicElement *symElem = ap.createSE(inst, andExpr);

  /* Taint propagation.
   * NOTE(review): taint is spread as an assignment to the memory operand;
   * confirm this is the intended model for an instruction that only
   * produces flags. */
  ap.assignmentSpreadTaintExprRegMem(symElem, reg, mem, readSize);

  /* Flag semantics: CF/OF are forced to zero, the rest follow the result */
  EflagsBuilder::clearFlag(inst, ap, ID_CF, "Clears carry flag");
  EflagsBuilder::clearFlag(inst, ap, ID_OF, "Clears overflow flag");
  EflagsBuilder::pf(inst, symElem, ap);
  EflagsBuilder::sf(inst, symElem, ap, readSize);
  EflagsBuilder::zf(inst, symElem, ap, readSize);
}
/*
 * CMP <reg>, <mem> form: operand 0 is the register operand, operand 1 the
 * memory operand. Builds the symbolic subtraction reg - mem, attaches it to
 * `inst` as a symbolic expression, propagates taint, then derives AF, CF, OF
 * (subtraction variants, fed with both source operands) and PF/SF/ZF over the
 * register size.
 */
void CmpIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  uint64 reg      = operands[0].getValue();
  uint32 regSize  = operands[0].getSize();
  uint64 mem      = operands[1].getValue();
  uint32 readSize = operands[1].getSize();

  /* Symbolic operands: minuend is the register, subtrahend the memory read */
  smt2lib::smtAstAbstractNode *minuend    = ap.buildSymbolicRegOperand(reg, regSize);
  smt2lib::smtAstAbstractNode *subtrahend = ap.buildSymbolicMemOperand(mem, readSize);
  smt2lib::smtAstAbstractNode *diff       = smt2lib::bvsub(minuend, subtrahend);

  /* Register the expression on the instruction */
  SymbolicExpression *symExpr = ap.createSE(inst, diff);

  /* Taint propagation.
   * NOTE(review): taint is spread as an assignment to the register operand;
   * confirm this is the intended model for an instruction that only
   * produces flags. */
  ap.assignmentSpreadTaintExprRegMem(symExpr, reg, mem, readSize);

  /* Flag semantics; AF/CF/OF need the original operands, not just the result */
  EflagsBuilder::af(inst, symExpr, ap, regSize, minuend, subtrahend);
  EflagsBuilder::cfSub(inst, symExpr, ap, minuend, subtrahend);
  EflagsBuilder::ofSub(inst, symExpr, ap, regSize, minuend, subtrahend);
  EflagsBuilder::pf(inst, symExpr, ap, regSize);
  EflagsBuilder::sf(inst, symExpr, ap, regSize);
  EflagsBuilder::zf(inst, symExpr, ap, regSize);
}