void SetnleIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SETNLE m8: the destination byte becomes 1 when ((SF ^ OF) | ZF) == 0,
   * otherwise 0. The same flag values drive the taint decision below.
   */
  auto &dst = this->operands[0];
  uint64 dstAddr = dst.getValue();
  uint64 dstSize = dst.getSize();
  std::stringstream expr, memOperand, sfExpr, ofExpr, zfExpr;

  /* Symbolic operands of the three source flags. */
  sfExpr << ap.buildSymbolicFlagOperand(ID_SF);
  ofExpr << ap.buildSymbolicFlagOperand(ID_OF);
  zfExpr << ap.buildSymbolicFlagOperand(ID_ZF);
  /* memOperand is never read below; it is kept because any side effect of
   * buildSymbolicMemOperand is not visible here — TODO confirm and drop. */
  memOperand << ap.buildSymbolicMemOperand(dstAddr, dstSize);

  /* ite(((sf ^ of) | zf) == false, 1, 0), one byte wide. */
  expr << smt2lib::ite(
            smt2lib::equal(
              smt2lib::bvor(smt2lib::bvxor(sfExpr.str(), ofExpr.str()), zfExpr.str()),
              smt2lib::bvfalse()),
            smt2lib::bv(1, BYTE_SIZE_BIT),
            smt2lib::bv(0, BYTE_SIZE_BIT));

  SymbolicElement *se = ap.createMemSE(inst, expr, dstAddr, dstSize);

  /*
   * Taint follows the concrete branch: when the condition holds, the
   * destination inherits taint from the first tainted flag in SF, OF, ZF
   * order. Only one source flag is recorded here; a second tainted flag is
   * not reported — TODO confirm this is intended.
   */
  const bool conditionHolds =
    ((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0;
  if (!conditionHolds)
    return;

  auto taintSource = ID_ZF;
  if (ap.isRegTainted(ID_SF) == TAINTED)
    taintSource = ID_SF;
  else if (ap.isRegTainted(ID_OF) == TAINTED)
    taintSource = ID_OF;
  ap.assignmentSpreadTaintMemReg(se, dstAddr, taintSource, dstSize);
}
void SetleIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SETLE m8: the destination byte becomes 1 when ((SF ^ OF) | ZF) == 1,
   * otherwise 0. Flags are read through their temporary ids (ID_TMP_*).
   */
  auto &dst = this->operands[0];
  auto dstMem = dst.getMem();
  auto dstSize = dst.getMem().getSize();

  /* Symbolic operands of the three source flags. */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_TMP_SF);
  smt2lib::smtAstAbstractNode *ofNode = ap.buildSymbolicFlagOperand(ID_TMP_OF);
  smt2lib::smtAstAbstractNode *zfNode = ap.buildSymbolicFlagOperand(ID_TMP_ZF);

  /* ((sf ^ of) | zf) == true */
  smt2lib::smtAstAbstractNode *condition =
    smt2lib::equal(smt2lib::bvor(smt2lib::bvxor(sfNode, ofNode), zfNode), smt2lib::bvtrue());

  SymbolicExpression *se = ap.createMemSE(
    inst,
    smt2lib::ite(condition, smt2lib::bv(1, BYTE_SIZE_BIT), smt2lib::bv(0, BYTE_SIZE_BIT)),
    dstMem,
    dstSize);

  /*
   * Taint via concretization: when the condition holds, the destination
   * inherits taint from the first tainted flag in SF, OF, ZF order (only one
   * source flag is recorded).
   */
  const bool conditionHolds =
    ((ap.getFlagValue(ID_TMP_SF) ^ ap.getFlagValue(ID_TMP_OF)) | ap.getFlagValue(ID_TMP_ZF)) == 1;
  if (!conditionHolds)
    return;

  auto taintSource = ID_TMP_ZF;
  if (ap.isRegTainted(ID_TMP_SF) == TAINTED)
    taintSource = ID_TMP_SF;
  else if (ap.isRegTainted(ID_TMP_OF) == TAINTED)
    taintSource = ID_TMP_OF;
  ap.assignmentSpreadTaintMemReg(se, dstMem, taintSource, dstSize);
}
void CmovnleIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMOVNLE r, r: dest = src when ((SF ^ OF) | ZF) == 0, else dest keeps its
   * value. The symbolic expression is a select over the two register operands.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  uint64 dstReg = dst.getValue();
  uint64 srcReg = src.getValue();
  uint64 dstSize = dst.getSize();
  uint64 srcSize = src.getSize();

  /* Symbolic flag operands, then the two register operands. */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_SF);
  smt2lib::smtAstAbstractNode *ofNode = ap.buildSymbolicFlagOperand(ID_OF);
  smt2lib::smtAstAbstractNode *zfNode = ap.buildSymbolicFlagOperand(ID_ZF);
  smt2lib::smtAstAbstractNode *dstNode = ap.buildSymbolicRegOperand(dstReg, dstSize);
  smt2lib::smtAstAbstractNode *srcNode = ap.buildSymbolicRegOperand(srcReg, srcSize);

  /* ite(((sf ^ of) | zf) == false, src, dst) */
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
    smt2lib::equal(smt2lib::bvor(smt2lib::bvxor(sfNode, ofNode), zfNode), smt2lib::bvfalse()),
    srcNode,
    dstNode);

  SymbolicExpression *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* Taint via concretization: only when the move concretely happens. */
  const bool moveTaken =
    ((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0;
  if (moveTaken)
    ap.assignmentSpreadTaintRegReg(se, dstReg, srcReg);
}
void JnleIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JNLE rel: jump when ((SF ^ OF) | ZF) == 0.
   * RIP becomes the immediate target when the condition holds, otherwise
   * the fall-through address. The resulting expression is registered as a
   * path constraint.
   */
  uint64 target = this->operands[0].getValue();
  std::stringstream expr, sfExpr, ofExpr, zfExpr;

  /* Symbolic operands of the three source flags. */
  sfExpr << ap.buildSymbolicFlagOperand(ID_SF);
  ofExpr << ap.buildSymbolicFlagOperand(ID_OF);
  zfExpr << ap.buildSymbolicFlagOperand(ID_ZF);

  /* SMT: (= (bvor (bvxor sf of) zf) FALSE) */
  expr << smt2lib::ite(
            smt2lib::equal(
              smt2lib::bvor(smt2lib::bvxor(sfExpr.str(), ofExpr.str()), zfExpr.str()),
              smt2lib::bvfalse()),
            smt2lib::bv(target, REG_SIZE_BIT),
            smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  SymbolicElement *se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");

  /* Record the branch decision for path exploration. */
  ap.addPathConstraint(se->getID());
}
void JleIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JLE rel: jump when ((SF ^ OF) | ZF) == 1.
   * RIP becomes the immediate target when the condition holds, otherwise
   * the fall-through address. Taint from each source flag is propagated to
   * RIP, and the expression is registered as a path constraint.
   */
  auto target = this->operands[0].getImm().getValue();

  /* Symbolic operands of the three source flags (temporary ids). */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_TMP_SF);
  smt2lib::smtAstAbstractNode *ofNode = ap.buildSymbolicFlagOperand(ID_TMP_OF);
  smt2lib::smtAstAbstractNode *zfNode = ap.buildSymbolicFlagOperand(ID_TMP_ZF);

  /* SMT: (= (bvor (bvxor sf of) zf) TRUE) */
  smt2lib::smtAstAbstractNode *condition =
    smt2lib::equal(smt2lib::bvor(smt2lib::bvxor(sfNode, ofNode), zfNode), smt2lib::bvtrue());
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
    condition,
    smt2lib::bv(target, REG_SIZE_BIT),
    smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  SymbolicExpression *se = ap.createRegSE(inst, expr, ID_TMP_RIP, REG_SIZE, "RIP");

  /* RIP depends on all three flags, so each one spreads its taint. */
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_SF);
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_OF);
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_ZF);

  /* Record the branch decision for path exploration. */
  ap.addPathConstraint(se->getID());
}
void CmovnleIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMOVNLE r, m: dest = mem when ((SF ^ OF) | ZF) == 0, else dest keeps its
   * value. The symbolic expression is a select over the register and memory
   * operands.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  auto srcAddr = src.getMem().getAddress();
  auto srcSize = src.getMem().getSize();
  auto dstReg = dst.getReg().getTritonRegId();
  auto dstSize = dst.getReg().getSize();

  /* Symbolic flag operands, then the register and memory operands. */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_SF);
  smt2lib::smtAstAbstractNode *ofNode = ap.buildSymbolicFlagOperand(ID_OF);
  smt2lib::smtAstAbstractNode *zfNode = ap.buildSymbolicFlagOperand(ID_ZF);
  smt2lib::smtAstAbstractNode *dstNode = ap.buildSymbolicRegOperand(dstReg, dstSize);
  smt2lib::smtAstAbstractNode *srcNode = ap.buildSymbolicMemOperand(srcAddr, srcSize);

  /* ite(((sf ^ of) | zf) == false, mem, reg) */
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
    smt2lib::equal(smt2lib::bvor(smt2lib::bvxor(sfNode, ofNode), zfNode), smt2lib::bvfalse()),
    srcNode,
    dstNode);

  SymbolicExpression *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* Taint via concretization: only when the move concretely happens. */
  const bool moveTaken =
    ((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0;
  if (moveTaken)
    ap.assignmentSpreadTaintRegMem(se, dstReg, srcAddr, srcSize);
}
void CmovnleIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMOVNLE r, m (string-based SMT variant): dest = mem when
   * ((SF ^ OF) | ZF) == 0, else dest keeps its value.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  uint32 srcSize = src.getSize();
  uint64 srcAddr = src.getValue();
  uint64 dstReg = dst.getValue();
  uint64 dstSize = dst.getSize();
  std::stringstream expr, dstExpr, srcExpr, sfExpr, ofExpr, zfExpr;

  /* Symbolic flag operands, then the register and memory operands. */
  sfExpr << ap.buildSymbolicFlagOperand(ID_SF);
  ofExpr << ap.buildSymbolicFlagOperand(ID_OF);
  zfExpr << ap.buildSymbolicFlagOperand(ID_ZF);
  dstExpr << ap.buildSymbolicRegOperand(dstReg, dstSize);
  srcExpr << ap.buildSymbolicMemOperand(srcAddr, srcSize);

  /* ite(((sf ^ of) | zf) == false, mem, reg) */
  expr << smt2lib::ite(
            smt2lib::equal(
              smt2lib::bvor(smt2lib::bvxor(sfExpr.str(), ofExpr.str()), zfExpr.str()),
              smt2lib::bvfalse()),
            srcExpr.str(),
            dstExpr.str());

  SymbolicElement *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* Taint via concretization: only when the move concretely happens. */
  const bool moveTaken =
    ((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) | ap.getFlagValue(ID_ZF)) == 0;
  if (moveTaken)
    ap.assignmentSpreadTaintRegMem(se, dstReg, srcAddr, srcSize);
}
void CmovnsIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMOVNS r, r: dest = src when SF == 0, else dest keeps its value.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  auto dstReg = dst.getReg().getTritonRegId();
  auto srcReg = src.getReg().getTritonRegId();
  auto dstSize = dst.getReg().getSize();
  auto srcSize = src.getReg().getSize();

  /* Symbolic SF, then the two register operands. */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_SF);
  smt2lib::smtAstAbstractNode *dstNode = ap.buildSymbolicRegOperand(dstReg, dstSize);
  smt2lib::smtAstAbstractNode *srcNode = ap.buildSymbolicRegOperand(srcReg, srcSize);

  /* ite(sf == false, src, dst) */
  SymbolicExpression *se = ap.createRegSE(
    inst,
    smt2lib::ite(smt2lib::equal(sfNode, smt2lib::bvfalse()), srcNode, dstNode),
    dstReg,
    dstSize);

  /* Taint via concretization: only when the move concretely happens. */
  if (ap.getFlagValue(ID_SF) != 0)
    return;
  ap.assignmentSpreadTaintRegReg(se, dstReg, srcReg);
}
void JnbeIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JNBE rel: jump when CF == 0 and ZF == 0.
   * RIP becomes the immediate target when the condition holds, otherwise
   * the fall-through address. The expression is registered as a path
   * constraint.
   */
  uint64 target = this->operands[0].getValue();
  std::stringstream expr, cfExpr, zfExpr;

  /* Symbolic operands of the two source flags. */
  cfExpr << ap.buildSymbolicFlagOperand(ID_CF);
  zfExpr << ap.buildSymbolicFlagOperand(ID_ZF);

  /* SMT: (= (bvand (bvnot cf) (bvnot zf)) TRUE) */
  expr << smt2lib::ite(
            smt2lib::equal(
              smt2lib::bvand(smt2lib::bvnot(cfExpr.str()), smt2lib::bvnot(zfExpr.str())),
              smt2lib::bvtrue()),
            smt2lib::bv(target, REG_SIZE_BIT),
            smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  SymbolicElement *se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");

  /* Record the branch decision for path exploration. */
  ap.addPathConstraint(se->getID());
}
void JnbeIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JNBE rel (AST variant): jump when CF == 0 and ZF == 0.
   * RIP becomes the immediate target when the condition holds, otherwise
   * the fall-through address. The expression is registered as a path
   * constraint.
   */
  auto target = this->operands[0].getImm().getValue();

  /* Symbolic operands of the two source flags. */
  smt2lib::smtAstAbstractNode *cfNode = ap.buildSymbolicFlagOperand(ID_CF);
  smt2lib::smtAstAbstractNode *zfNode = ap.buildSymbolicFlagOperand(ID_ZF);

  /* SMT: (= (bvand (bvnot cf) (bvnot zf)) TRUE) */
  smt2lib::smtAstAbstractNode *condition = smt2lib::equal(
    smt2lib::bvand(smt2lib::bvnot(cfNode), smt2lib::bvnot(zfNode)),
    smt2lib::bvtrue());
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
    condition,
    smt2lib::bv(target, REG_SIZE_BIT),
    smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  SymbolicExpression *se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");

  /* Record the branch decision for path exploration. */
  ap.addPathConstraint(se->getID());
}
void SetnzIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SETNZ r8: the destination byte becomes 1 when ZF == 0, otherwise 0.
   */
  auto &dst = this->operands[0];
  uint64 dstReg = dst.getValue();
  uint64 dstSize = dst.getSize();
  std::stringstream expr, dstExpr, zfExpr;

  /* Symbolic ZF operand. */
  zfExpr << ap.buildSymbolicFlagOperand(ID_ZF);
  /* dstExpr is never read below; kept because any side effect of
   * buildSymbolicRegOperand is not visible here — TODO confirm and drop. */
  dstExpr << ap.buildSymbolicRegOperand(dstReg, dstSize);

  /* ite(zf == false, 1, 0), one byte wide. */
  expr << smt2lib::ite(
            smt2lib::equal(zfExpr.str(), smt2lib::bvfalse()),
            smt2lib::bv(1, BYTE_SIZE_BIT),
            smt2lib::bv(0, BYTE_SIZE_BIT));

  SymbolicElement *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* Taint via concretization: only when the byte is concretely set. */
  if (ap.getFlagValue(ID_ZF) != 0)
    return;
  ap.assignmentSpreadTaintRegReg(se, dstReg, ID_ZF);
}
void JnlIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JNL rel: jump when SF == OF.
   * RIP becomes the immediate target when the condition holds, otherwise
   * the fall-through address. The expression is registered as a path
   * constraint.
   */
  uint64 target = this->operands[0].getValue();

  /* Symbolic operands of the two source flags. */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_SF);
  smt2lib::smtAstAbstractNode *ofNode = ap.buildSymbolicFlagOperand(ID_OF);

  /* SMT: (= sf of) */
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
    smt2lib::equal(sfNode, ofNode),
    smt2lib::bv(target, REG_SIZE_BIT),
    smt2lib::bv(this->nextAddress, REG_SIZE_BIT));

  SymbolicExpression *se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");

  /* Record the branch decision for path exploration. */
  ap.addPathConstraint(se->getID());
}
void CmovpIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMOVP r, m: dest = mem when PF == 1, else dest keeps its value.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  uint32 srcSize = src.getSize();
  uint64 srcAddr = src.getValue();
  uint64 dstReg = dst.getValue();
  uint64 dstSize = dst.getSize();
  std::stringstream expr, dstExpr, srcExpr, pfExpr;

  /* Symbolic PF, then the register and memory operands. */
  pfExpr << ap.buildSymbolicFlagOperand(ID_PF);
  dstExpr << ap.buildSymbolicRegOperand(dstReg, dstSize);
  srcExpr << ap.buildSymbolicMemOperand(srcAddr, srcSize);

  /* ite(pf == true, mem, reg) */
  expr << smt2lib::ite(
            smt2lib::equal(pfExpr.str(), smt2lib::bvtrue()),
            srcExpr.str(),
            dstExpr.str());

  SymbolicElement *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* Taint via concretization: only when the move concretely happens. */
  if (ap.getFlagValue(ID_PF) != 1)
    return;
  ap.assignmentSpreadTaintRegMem(se, dstReg, srcAddr, srcSize);
}
void AdcIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * ADC r, m: dest = dest + mem + CF. The carry flag operand is built at the
   * destination width so the three terms can be added directly. After the
   * result is registered, the arithmetic flags are derived from op1/op2.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  uint32 srcSize = src.getSize();
  uint64 srcAddr = src.getValue();
  uint64 dstReg = dst.getValue();
  uint32 dstSize = dst.getSize();
  std::stringstream expr, op1, op2, op3;

  /* op1 = dest register, op2 = source memory, op3 = CF widened to dstSize. */
  op1 << ap.buildSymbolicRegOperand(dstReg, dstSize);
  op2 << ap.buildSymbolicMemOperand(srcAddr, srcSize);
  op3 << ap.buildSymbolicFlagOperand(ID_CF, dstSize);

  /* (op1 + op2) + cf */
  expr << smt2lib::bvadd(smt2lib::bvadd(op1.str(), op2.str()), op3.str());

  SymbolicElement *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* ALU-style taint: the destination depends on both inputs. */
  ap.aluSpreadTaintRegMem(se, dstReg, srcAddr, srcSize);

  /*
   * Flag expressions attached to this instruction. cfAdd is given only op1
   * here, while the sibling cfSub builders receive op1 and op2 — whether the
   * carry-out computation needs op2 is decided inside EflagsBuilder; verify.
   */
  EflagsBuilder::af(inst, se, ap, dstSize, op1, op2);
  EflagsBuilder::cfAdd(inst, se, ap, op1);
  EflagsBuilder::ofAdd(inst, se, ap, dstSize, op1, op2);
  EflagsBuilder::pf(inst, se, ap);
  EflagsBuilder::sf(inst, se, ap, dstSize);
  EflagsBuilder::zf(inst, se, ap, dstSize);
}
void SbbIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SBB r, r: dest = dest - (src + CF). The carry flag operand is built at
   * the destination width. After the result is registered, the arithmetic
   * flags are derived from op1/op2.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  uint64 dstReg = dst.getValue();
  uint64 srcReg = src.getValue();
  uint32 dstSize = dst.getSize();
  uint32 srcSize = src.getSize();
  std::stringstream expr, op1, op2, op3;

  /* op1 = dest register, op2 = source register, op3 = CF widened to dstSize. */
  op1 << ap.buildSymbolicRegOperand(dstReg, dstSize);
  op2 << ap.buildSymbolicRegOperand(srcReg, srcSize);
  op3 << ap.buildSymbolicFlagOperand(ID_CF, dstSize);

  /* op1 - (op2 + cf) */
  expr << smt2lib::bvsub(op1.str(), smt2lib::bvadd(op2.str(), op3.str()));

  SymbolicElement *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* ALU-style taint: the destination depends on both registers. */
  ap.aluSpreadTaintRegReg(se, dstReg, srcReg);

  /* Flag expressions attached to this instruction. */
  EflagsBuilder::af(inst, se, ap, dstSize, op1, op2);
  EflagsBuilder::cfSub(inst, se, ap, op1, op2);
  EflagsBuilder::ofSub(inst, se, ap, dstSize, op1, op2);
  EflagsBuilder::pf(inst, se, ap);
  EflagsBuilder::sf(inst, se, ap, dstSize);
  EflagsBuilder::zf(inst, se, ap, dstSize);
}
void SbbIRBuilder::memImm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SBB m, imm: mem = mem - (imm + CF). The immediate and the carry flag are
   * both built at the memory operand's width. After the result is
   * registered, the arithmetic flags are derived from op1/op2.
   */
  auto &dst = this->operands[0];
  uint32 dstSize = dst.getSize();
  uint64 dstAddr = dst.getValue();
  uint64 immediate = this->operands[1].getValue();
  std::stringstream expr, op1, op2, op3;

  /* op1 = destination memory, op2 = immediate, op3 = CF widened to dstSize. */
  op1 << ap.buildSymbolicMemOperand(dstAddr, dstSize);
  /* dstSize is a byte count; the bit width is obtained by multiplying with
   * REG_SIZE here, whereas sibling builders use BYTE_SIZE_BIT for the same
   * purpose — presumably both equal 8; verify against the constant headers. */
  op2 << smt2lib::bv(immediate, dstSize * REG_SIZE);
  op3 << ap.buildSymbolicFlagOperand(ID_CF, dstSize);

  /* op1 - (op2 + cf) */
  expr << smt2lib::bvsub(op1.str(), smt2lib::bvadd(op2.str(), op3.str()));

  SymbolicElement *se = ap.createMemSE(inst, expr, dstAddr, dstSize);

  /* ALU-style taint: an immediate carries no taint of its own. */
  ap.aluSpreadTaintMemImm(se, dstAddr, dstSize);

  /* Flag expressions attached to this instruction. */
  EflagsBuilder::af(inst, se, ap, dstSize, op1, op2);
  EflagsBuilder::cfSub(inst, se, ap, op1, op2);
  EflagsBuilder::ofSub(inst, se, ap, dstSize, op1, op2);
  EflagsBuilder::pf(inst, se, ap);
  EflagsBuilder::sf(inst, se, ap, dstSize);
  EflagsBuilder::zf(inst, se, ap, dstSize);
}
void JnsIRBuilder::imm(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * JNS rel: jump when SF == 0.
   * RIP becomes the immediate target when the condition holds, otherwise
   * the fall-through address. SF's taint is propagated to RIP and the
   * expression is registered as a path constraint.
   */
  auto target = this->operands[0].getImm().getValue();

  /* Symbolic SF operand (temporary id). */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_TMP_SF);

  /* ite(sf == false, target, next) */
  SymbolicExpression *se = ap.createRegSE(
    inst,
    smt2lib::ite(
      smt2lib::equal(sfNode, smt2lib::bvfalse()),
      smt2lib::bv(target, REG_SIZE_BIT),
      smt2lib::bv(this->nextAddress, REG_SIZE_BIT)),
    ID_TMP_RIP,
    REG_SIZE,
    "RIP");

  /* RIP depends on SF. */
  ap.aluSpreadTaintRegReg(se, ID_TMP_RIP, ID_TMP_SF);

  /* Record the branch decision for path exploration. */
  ap.addPathConstraint(se->getID());
}
void CmovnbIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMOVNB r, m: dest = mem when CF == 0, else dest keeps its value.
   * Operands are passed as register/memory objects rather than raw ids.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  auto srcSize = src.getMem().getSize();
  auto srcMem = src.getMem();
  auto dstReg = dst.getReg();
  auto dstSize = dst.getReg().getSize();

  /* Symbolic CF (temporary id), then the register and memory operands. */
  smt2lib::smtAstAbstractNode *cfNode = ap.buildSymbolicFlagOperand(ID_TMP_CF);
  smt2lib::smtAstAbstractNode *dstNode = ap.buildSymbolicRegOperand(dstReg, dstSize);
  smt2lib::smtAstAbstractNode *srcNode = ap.buildSymbolicMemOperand(srcMem, srcSize);

  /* ite(cf == false, mem, reg) */
  SymbolicExpression *se = ap.createRegSE(
    inst,
    smt2lib::ite(smt2lib::equal(cfNode, smt2lib::bvfalse()), srcNode, dstNode),
    dstReg,
    dstSize);

  /* Taint via concretization: only when the move concretely happens. */
  if (ap.getFlagValue(ID_TMP_CF) != 0)
    return;
  ap.assignmentSpreadTaintRegMem(se, dstReg, srcMem, srcSize);
}
void SbbIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SBB r, m (AST variant): dest = dest - (mem + CF). The carry flag operand
   * is built at the destination width. After the result is registered, the
   * arithmetic flags are derived from op1/op2.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  auto srcSize = src.getMem().getSize();
  auto srcAddr = src.getMem().getAddress();
  auto dstReg = dst.getReg().getTritonRegId();
  auto dstSize = dst.getReg().getSize();

  /* op1 = dest register, op2 = source memory, op3 = CF widened to dstSize. */
  smt2lib::smtAstAbstractNode *op1 = ap.buildSymbolicRegOperand(dstReg, dstSize);
  smt2lib::smtAstAbstractNode *op2 = ap.buildSymbolicMemOperand(srcAddr, srcSize);
  smt2lib::smtAstAbstractNode *op3 = ap.buildSymbolicFlagOperand(ID_CF, dstSize);

  /* op1 - (op2 + cf) */
  smt2lib::smtAstAbstractNode *expr = smt2lib::bvsub(op1, smt2lib::bvadd(op2, op3));

  SymbolicExpression *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* ALU-style taint: the destination depends on both inputs. */
  ap.aluSpreadTaintRegMem(se, dstReg, srcAddr, srcSize);

  /* Flag expressions attached to this instruction. */
  EflagsBuilder::af(inst, se, ap, dstSize, op1, op2);
  EflagsBuilder::cfSub(inst, se, ap, dstSize, op1, op2);
  EflagsBuilder::ofSub(inst, se, ap, dstSize, op1, op2);
  EflagsBuilder::pf(inst, se, ap, dstSize);
  EflagsBuilder::sf(inst, se, ap, dstSize);
  EflagsBuilder::zf(inst, se, ap, dstSize);
}
void CmovnsIRBuilder::regReg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMOVNS r, r (string-based SMT variant): dest = src when SF == 0, else
   * dest keeps its value.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  uint64_t dstReg = dst.getValue();
  uint64_t srcReg = src.getValue();
  uint64_t dstSize = dst.getSize();
  uint64_t srcSize = src.getSize();
  std::stringstream expr, dstExpr, srcExpr, sfExpr;

  /* Symbolic SF, then the two register operands. */
  sfExpr << ap.buildSymbolicFlagOperand(ID_SF);
  dstExpr << ap.buildSymbolicRegOperand(dstReg, dstSize);
  srcExpr << ap.buildSymbolicRegOperand(srcReg, srcSize);

  /* ite(sf == false, src, dst) */
  expr << smt2lib::ite(
            smt2lib::equal(sfExpr.str(), smt2lib::bvfalse()),
            srcExpr.str(),
            dstExpr.str());

  SymbolicElement *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* Taint via concretization: only when the move concretely happens. */
  if (ap.getFlagValue(ID_SF) != 0)
    return;
  ap.assignmentSpreadTaintRegReg(se, dstReg, srcReg);
}
void CmovbeIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMOVBE r, m: dest = mem when (CF | ZF) == 1, else dest keeps its value.
   */
  auto &dst = this->operands[0];
  auto &src = this->operands[1];
  uint32 srcSize = src.getSize();
  uint64 srcAddr = src.getValue();
  uint64 dstReg = dst.getValue();
  uint64 dstSize = dst.getSize();

  /* Symbolic CF and ZF, then the register and memory operands. */
  smt2lib::smtAstAbstractNode *cfNode = ap.buildSymbolicFlagOperand(ID_CF);
  smt2lib::smtAstAbstractNode *zfNode = ap.buildSymbolicFlagOperand(ID_ZF);
  smt2lib::smtAstAbstractNode *dstNode = ap.buildSymbolicRegOperand(dstReg, dstSize);
  smt2lib::smtAstAbstractNode *srcNode = ap.buildSymbolicMemOperand(srcAddr, srcSize);

  /* ite((cf | zf) == true, mem, reg) */
  smt2lib::smtAstAbstractNode *expr = smt2lib::ite(
    smt2lib::equal(smt2lib::bvor(cfNode, zfNode), smt2lib::bvtrue()),
    srcNode,
    dstNode);

  SymbolicExpression *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /* Taint via concretization: only when the move concretely happens.
   * Both flag values are read (bitwise OR, not short-circuit). */
  const auto belowOrEqual = ap.getFlagValue(ID_CF) | ap.getFlagValue(ID_ZF);
  if (belowOrEqual == 0)
    return;
  ap.assignmentSpreadTaintRegMem(se, dstReg, srcAddr, srcSize);
}
std::string EflagsExpressions::cfSar(SymbolicElement *parent, AnalysisProcessor &ap, uint32_t bvSize, std::stringstream &op1, std::stringstream &op2) {
  /*
   * CF after SAR op1, op2 (all operands bvSize bits wide):
   *   op2 == 0       -> CF unchanged (current symbolic CF)
   *   op2 > bvSize   -> bit (bvSize - 1) of op1
   *   otherwise      -> bit (op2 - 1) of op1
   * `parent` is not used by this expression builder.
   * NOTE(review): x86 masks the shift count before use; whether op2 arrives
   * already masked is decided by the caller — confirm.
   */
  std::stringstream result;

  const std::string zero = smt2lib::bv(0, bvSize);
  const std::string one = smt2lib::bv(1, bvSize);
  const std::string width = smt2lib::bv(bvSize, bvSize);

  /* Last bit shifted out when the count saturates: op1 >> (bvSize - 1). */
  const std::string saturatedBit =
    smt2lib::extract(0, 0, smt2lib::bvlshr(op1.str(), smt2lib::bvsub(width, one)));
  /* Last bit shifted out for an in-range count: op1 >> (op2 - 1). */
  const std::string shiftedBit =
    smt2lib::extract(0, 0, smt2lib::bvlshr(op1.str(), smt2lib::bvsub(op2.str(), one)));

  result << smt2lib::ite(
              smt2lib::equal(op2.str(), zero),
              ap.buildSymbolicFlagOperand(ID_CF),
              smt2lib::ite(smt2lib::bvugt(op2.str(), width), saturatedBit, shiftedBit));

  return result.str();
}
std::string EflagsExpressions::ofShl(SymbolicElement *parent, AnalysisProcessor &ap, uint32_t bvSize, std::stringstream &op1, std::stringstream &op2) {
  /*
   * OF after SHL op1, op2 (all operands bvSize bits wide):
   *   op2 == 1   -> bit (bvSize - 1) of op1 XOR bit (bvSize - 2) of op1,
   *                 i.e. the new sign bit XOR the bit shifted into CF
   *   otherwise  -> OF unchanged (current symbolic OF)
   * `parent` is not used by this expression builder.
   * NOTE(review): only a count of exactly 1 defines OF here; counts masked
   * by the caller are assumed — confirm.
   */
  std::stringstream result;

  const std::string one = smt2lib::bv(1, bvSize);
  const std::string two = smt2lib::bv(2, bvSize);
  const std::string width = smt2lib::bv(bvSize, bvSize);

  const std::string topBit = smt2lib::bvlshr(op1.str(), smt2lib::bvsub(width, one));
  const std::string nextBit = smt2lib::bvlshr(op1.str(), smt2lib::bvsub(width, two));

  result << smt2lib::ite(
              smt2lib::equal(op2.str(), one),
              smt2lib::extract(0, 0, smt2lib::bvxor(topBit, nextBit)),
              ap.buildSymbolicFlagOperand(ID_OF));

  return result.str();
}
void SetlIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SETL r8: the destination byte becomes 1 when (SF ^ OF) == 1, otherwise 0.
   */
  auto &dst = this->operands[0];
  uint64_t dstReg = dst.getValue();
  uint64_t dstSize = dst.getSize();
  std::stringstream expr, dstExpr, sfExpr, ofExpr;

  /* Symbolic operands of the two source flags. */
  sfExpr << ap.buildSymbolicFlagOperand(ID_SF);
  ofExpr << ap.buildSymbolicFlagOperand(ID_OF);
  /* dstExpr is never read below; kept because any side effect of
   * buildSymbolicRegOperand is not visible here — TODO confirm and drop. */
  dstExpr << ap.buildSymbolicRegOperand(dstReg, dstSize);

  /* ite((sf ^ of) == true, 1, 0), one byte wide. */
  expr << smt2lib::ite(
            smt2lib::equal(smt2lib::bvxor(sfExpr.str(), ofExpr.str()), smt2lib::bvtrue()),
            smt2lib::bv(1, BYTE_SIZE_BIT),
            smt2lib::bv(0, BYTE_SIZE_BIT));

  SymbolicElement *se = ap.createRegSE(inst, expr, dstReg, dstSize);

  /*
   * Taint via concretization: when the byte is concretely set, it inherits
   * taint from SF if SF is tainted, else from OF (only one source recorded).
   */
  if ((ap.getFlagValue(ID_SF) ^ ap.getFlagValue(ID_OF)) == 0)
    return;
  const auto taintSource = (ap.isRegTainted(ID_SF) == TAINTED) ? ID_SF : ID_OF;
  ap.assignmentSpreadTaintRegReg(se, dstReg, taintSource);
}
void SetzIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SETZ m8: the destination byte becomes 1 when ZF == 1, otherwise 0.
   */
  auto &dst = this->operands[0];
  uint64_t dstAddr = dst.getValue();
  uint64_t dstSize = dst.getSize();
  std::stringstream expr, memOperand, zfExpr;

  /* Symbolic ZF operand. */
  zfExpr << ap.buildSymbolicFlagOperand(ID_ZF);
  /* memOperand is never read below; kept because any side effect of
   * buildSymbolicMemOperand is not visible here — TODO confirm and drop. */
  memOperand << ap.buildSymbolicMemOperand(dstAddr, dstSize);

  /* ite(zf == true, 1, 0). The width is the literal 8 here, where sibling
   * SETcc builders spell it BYTE_SIZE_BIT — presumably the same value. */
  expr << smt2lib::ite(
            smt2lib::equal(zfExpr.str(), smt2lib::bvtrue()),
            smt2lib::bv(1, 8),
            smt2lib::bv(0, 8));

  SymbolicElement *se = ap.createMemSE(inst, expr, dstAddr, dstSize);

  /* Taint via concretization: only when the byte is concretely set. */
  if (ap.getFlagValue(ID_ZF) != 1)
    return;
  ap.assignmentSpreadTaintMemReg(se, dstAddr, ID_ZF, dstSize);
}
void SetnbeIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SETNBE r8: the destination byte becomes 1 when CF == 0 and ZF == 0,
   * otherwise 0. Flags are read through their temporary ids (ID_TMP_*).
   */
  auto &dst = this->operands[0];
  auto dstReg = dst.getReg();
  auto dstSize = dst.getReg().getSize();

  /* Symbolic operands of the two source flags. */
  smt2lib::smtAstAbstractNode *cfNode = ap.buildSymbolicFlagOperand(ID_TMP_CF);
  smt2lib::smtAstAbstractNode *zfNode = ap.buildSymbolicFlagOperand(ID_TMP_ZF);

  /* (~cf & ~zf) == true */
  smt2lib::smtAstAbstractNode *condition = smt2lib::equal(
    smt2lib::bvand(smt2lib::bvnot(cfNode), smt2lib::bvnot(zfNode)),
    smt2lib::bvtrue());

  SymbolicExpression *se = ap.createRegSE(
    inst,
    smt2lib::ite(condition, smt2lib::bv(1, BYTE_SIZE_BIT), smt2lib::bv(0, BYTE_SIZE_BIT)),
    dstReg,
    dstSize);

  /*
   * Taint via concretization: when the byte is concretely set, it inherits
   * taint from CF if CF is tainted, else from ZF (only one source recorded).
   */
  const bool conditionHolds =
    ap.getFlagValue(ID_TMP_CF) == 0 && ap.getFlagValue(ID_TMP_ZF) == 0;
  if (!conditionHolds)
    return;
  const auto taintSource = (ap.isRegTainted(ID_TMP_CF) == TAINTED) ? ID_TMP_CF : ID_TMP_ZF;
  ap.assignmentSpreadTaintRegReg(se, dstReg, taintSource);
}
void SetbIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SETB m8: the destination byte becomes 1 when CF == 1, otherwise 0.
   * The flag is read through its temporary id (ID_TMP_CF).
   */
  auto &dst = this->operands[0];
  auto dstMem = dst.getMem();
  auto dstSize = dst.getMem().getSize();

  /* Symbolic CF operand. */
  smt2lib::smtAstAbstractNode *cfNode = ap.buildSymbolicFlagOperand(ID_TMP_CF);

  /* ite(cf == true, 1, 0), one byte wide. */
  SymbolicExpression *se = ap.createMemSE(
    inst,
    smt2lib::ite(
      smt2lib::equal(cfNode, smt2lib::bvtrue()),
      smt2lib::bv(1, BYTE_SIZE_BIT),
      smt2lib::bv(0, BYTE_SIZE_BIT)),
    dstMem,
    dstSize);

  /* Taint via concretization: only when the byte is concretely set. */
  if (ap.getFlagValue(ID_TMP_CF) != 1)
    return;
  ap.assignmentSpreadTaintMemReg(se, dstMem, ID_TMP_CF, dstSize);
}
void SetsIRBuilder::reg(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * SETS r8: the destination byte becomes 1 when SF == 1, otherwise 0.
   */
  auto &dst = this->operands[0];
  auto dstReg = dst.getReg().getTritonRegId();
  auto dstSize = dst.getReg().getSize();

  /* Symbolic SF operand. */
  smt2lib::smtAstAbstractNode *sfNode = ap.buildSymbolicFlagOperand(ID_SF);

  /* ite(sf == true, 1, 0), one byte wide. */
  SymbolicExpression *se = ap.createRegSE(
    inst,
    smt2lib::ite(
      smt2lib::equal(sfNode, smt2lib::bvtrue()),
      smt2lib::bv(1, BYTE_SIZE_BIT),
      smt2lib::bv(0, BYTE_SIZE_BIT)),
    dstReg,
    dstSize);

  /* Taint via concretization: only when the byte is concretely set. */
  if (ap.getFlagValue(ID_SF) != 1)
    return;
  ap.assignmentSpreadTaintRegReg(se, dstReg, ID_SF);
}
void CmcIRBuilder::none(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMC: complement the carry flag. CF = ~CF, registered as a register
   * symbolic element on ID_CF. No taint propagation is performed here.
   */
  std::stringstream expr, cfExpr;

  /* Current symbolic CF. */
  cfExpr << ap.buildSymbolicFlagOperand(ID_CF);

  /* bvnot(cf) */
  expr << smt2lib::bvnot(cfExpr.str());

  ap.createRegSE(inst, expr, ID_CF);
}
void CmcIRBuilder::none(AnalysisProcessor &ap, Inst &inst) const {
  /*
   * CMC (AST variant): complement the carry flag. CF = ~CF, registered as a
   * flag symbolic expression on ID_TMP_CF. No taint propagation is performed
   * here.
   */
  smt2lib::smtAstAbstractNode *cfNode = ap.buildSymbolicFlagOperand(ID_TMP_CF);

  /* bvnot(cf) */
  ap.createFlagSE(inst, smt2lib::bvnot(cfNode), ID_TMP_CF);
}