def new_inputs(self):
    """Build input seeds that would drive execution into branches not yet taken.

    Walks the path constraints recorded during the last execution. For each
    constraint that has several branches, every branch that was not taken is
    conjoined with the constraints of the path followed so far and passed to
    ``getModel``; a non-empty model becomes one seed. The recorded path
    constraints are cleared before returning.

    Returns:
        list: One dict per solved branch, mapping ``getKindValue()`` of each
        symbolic variable in the model to the value the model assigns to it.
    """
    seeds = []
    recorded = getPathConstraints()

    # true == true: the initial prefix places no restriction on the input.
    prefix = ast.equal(ast.bvtrue(), ast.bvtrue())

    for constraint in recorded:
        if constraint.isMultipleBranches():
            for branch in constraint.getBranchConstraints():
                # Only the branches flagged as not taken are queried.
                if branch['isTaken'] == False:
                    query = ast.assert_(ast.land(prefix, branch['constraint']))
                    seed = {
                        getSymbolicVariableFromId(var_id).getKindValue(): entry.getValue()
                        for var_id, entry in getModel(query).items()
                    }
                    # An empty model produces no seed.
                    if seed:
                        seeds.append(seed)

        # Extend the prefix with the branch that was actually taken, so later
        # queries stay on the path that reaches them.
        prefix = ast.land(prefix, constraint.getTakenPathConstraintAst())

    # Start the next execution with an empty constraint list.
    clearPathConstraints()
    return seeds
def process_constraint(self, cstr):
    """Solve ``cstr`` and write the model's values into the global memory cache.

    Args:
        cstr: Constraint passed unchanged to ``triton.getModel``.

    Returns:
        bool: False when the returned model is empty or falsy, True once the
        model has been applied to ``cache``.
    """
    global cache

    solved = triton.getModel(cstr)
    if not solved:
        return False

    for var_key in solved:
        entry = solved[var_key]
        for addr in self.inputs:
            # Only addresses whose symbolic variable matches this model entry.
            if entry.getId() != self.inputs[addr].getId():
                continue

            refreshed = []
            for region in cache:
                base = region["start"]
                if base <= addr < base + len(region["data"]):
                    # Patch the single byte of this region that backs addr.
                    region["data"][addr - base] = entry.getValue()
                # NOTE(review): regions are carried over whether or not they
                # were patched -- confirm against the intended cache lifetime.
                refreshed.append(region)
            cache = refreshed

    return True
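def emulate(self, pc):
    """Emulate instructions starting at ``pc`` and solve the check at 0x40078B.

    Each round reads 16 bytes of concrete memory at ``pc``, wraps them in a
    Triton ``Instruction`` and processes it. After the instruction at
    0x40078B (``cmp eax, 1``) has been processed, a model is requested in
    which the low 32 bits of RAX equal 1 under the current path constraints.
    The model's values are set as the concrete values of their symbolic
    variables, so emulation continues with the values that satisfy the check.

    Args:
        pc: Address of the first instruction. Emulation stops when the value
            read back from RIP is falsy (0).

    Returns:
        str: Characters built from the model obtained at the most recent
        visit of 0x40078B, or an empty string if that address was never
        reached.
    """
    # Bound before the loop: if 0x40078B is never reached (or pc is already
    # 0), the final return would otherwise raise UnboundLocalError.
    solution = str()

    while pc:
        # Fetch opcodes
        opcodes = getConcreteMemoryAreaValue(pc, 16)

        # Create the Triton instruction
        instruction = Instruction()
        instruction.setOpcodes(opcodes)
        instruction.setAddress(pc)

        # Process
        processing(instruction)

        # 40078B: cmp eax, 1
        # eax must be equal to 1 at each round.
        if instruction.getAddress() == 0x40078B:
            # Slice expressions: keep the low 32 bits of RAX
            rax = getSymbolicExpressionFromId(getSymbolicRegisterId(REG.RAX))
            eax = ast.extract(31, 0, rax.getAst())

            # Define constraint: path so far AND eax == 1
            cstr = ast.assert_(
                ast.land(getPathConstraintsAst(), ast.equal(eax, ast.bv(1, 32))))
            model = getModel(cstr)

            # Each visit starts a fresh string, so only the latest model is
            # reported.
            # NOTE(review): characters follow the model's iteration order;
            # sort by variable id if callers need a stable byte order.
            # NOTE(review): presumably an unsatisfiable query yields an empty
            # model, leaving the result empty -- confirm.
            chars = []
            for k, v in model.items():
                value = v.getValue()
                chars.append(chr(value))
                getSymbolicVariableFromId(k).setConcreteValue(value)
            solution = "".join(chars)

        # Next
        pc = getConcreteRegisterValue(REG.RIP)

    return solution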
def process_constraint(self, cstr):
    """Request a model for ``cstr`` and patch the global ``cache`` with it.

    Args:
        cstr: Constraint forwarded as-is to ``triton.getModel``.

    Returns:
        bool: True after the model has been applied to the cache; False if
        ``triton.getModel`` returned nothing usable (empty or falsy).
    """
    global cache

    answer = triton.getModel(cstr)
    if not answer:
        return False

    for key in answer:
        matching = (
            location for location in self.inputs
            if answer[key].getId() == self.inputs[location].getId()
        )
        for location in matching:
            rebuilt = []
            for chunk in cache:
                first = chunk["start"]
                past_end = first + len(chunk["data"])
                if first <= location < past_end:
                    # Overwrite the byte of this chunk that sits at location.
                    chunk["data"][location - first] = answer[key].getValue()
                # NOTE(review): each chunk is appended, patched or not --
                # confirm this is the intended handling of untouched chunks.
                rebuilt.append(chunk)
            cache = rebuilt

    return True
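def emulate(self, pc):
    """Run the emulation loop from ``pc`` and resolve the check at 0x40078B.

    Every iteration fetches 16 bytes of concrete memory at ``pc``, builds a
    Triton ``Instruction`` from them and processes it. Once the instruction
    at 0x40078B (``cmp eax, 1``) has been processed, the solver is asked for
    a model where the low 32 bits of RAX equal 1 together with the current
    path constraints. Each value of that model is set as the concrete value
    of its symbolic variable before emulation continues.

    Args:
        pc: Address of the first instruction to emulate. The loop ends when
            RIP reads back as a falsy value (0).

    Returns:
        str: The characters of the model from the most recent visit of
        0x40078B; an empty string when that address was never reached.
    """
    # Initialised up front: without this, a run that never reaches 0x40078B
    # (including pc == 0 on entry) fails at the return with UnboundLocalError.
    solution = str()

    while pc:
        # Fetch opcodes
        opcodes = getConcreteMemoryAreaValue(pc, 16)

        # Create the Triton instruction
        instruction = Instruction()
        instruction.setOpcodes(opcodes)
        instruction.setAddress(pc)

        # Process
        processing(instruction)

        # 40078B: cmp eax, 1
        # eax must be equal to 1 at each round.
        if instruction.getAddress() == 0x40078B:
            # Slice expressions: low 32 bits of the RAX expression
            rax = getSymbolicExpressionFromId(getSymbolicRegisterId(REG.RAX))
            eax = ast.extract(31, 0, rax.getAst())

            # Define constraint: current path constraints AND eax == 1
            cstr = ast.assert_(
                ast.land(getPathConstraintsAst(), ast.equal(eax, ast.bv(1, 32))))
            model = getModel(cstr)

            # The string is rebuilt on each visit, so the caller sees only
            # the latest model.
            # NOTE(review): the character order is the model's iteration
            # order; sort by variable id if a fixed byte order is required.
            solution = str()
            for k, v in model.items():
                value = v.getValue()
                solution += chr(value)
                getSymbolicVariableFromId(k).setConcreteValue(value)

        # Next
        pc = getConcreteRegisterValue(REG.RIP)

    return solution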
def new_inputs(self):
    """Collect seeds for the branches that the last execution did not take.

    The path constraints of the last execution are visited in order. At each
    constraint with multiple branches, every branch that was not taken is
    combined with the taken-path constraints seen before it and solved with
    ``getModel``. Each non-empty model is stored as a seed. The path
    constraints are cleared at the end.

    Returns:
        list: Seeds as dicts; each key is ``getKindValue()`` of a symbolic
        variable from the model and each value is the model's value for it.
    """
    found = list()
    path = getPathConstraints()

    # Top: a tautology, so any input satisfies the initial path condition.
    so_far = ast.equal(ast.bvtrue(), ast.bvtrue())

    for step in path:
        alternatives = step.getBranchConstraints() if step.isMultipleBranches() else ()
        for alt in alternatives:
            # Skip everything except branches flagged as not taken.
            if not (alt['isTaken'] == False):
                continue

            solved = getModel(ast.assert_(ast.land(so_far, alt['constraint'])))

            candidate = dict()
            for var_id, entry in solved.items():
                variable = getSymbolicVariableFromId(var_id)
                candidate.update({variable.getKindValue(): entry.getValue()})

            # Models without any assignment are dropped.
            if candidate:
                found.append(candidate)

        # Keep following the branch that was really taken.
        so_far = ast.land(so_far, step.getTakenPathConstraintAst())

    # Leave a clean constraint list for the next execution.
    clearPathConstraints()
    return found