Beispiel #1
0
    def __emulate(self, pc: int, countBBlocks: bool):
        targetAddressFound = False
        currentBBlockAddr = pc  # The basic block address that we started to analyze currently
        numNewBasicBlocks = 0  # The number of new basic blocks found by this function (only if countBBlocks was activated)
        newBasicBlocksFound = set()
        basicBlocksPathFoundThisRun = []

        def onBasicBlockFound(addr):
            nonlocal numNewBasicBlocks
            nonlocal newBasicBlocksFound
            nonlocal basicBlocksPathFoundThisRun

            basicBlocksPathFoundThisRun.append(addr)
            # Is this a new basic block ?
            if addr not in self.allBlocksFound:
                numNewBasicBlocks += 1
                newBasicBlocksFound.add(addr)
                self.allBlocksFound.add(addr)

        onBasicBlockFound(currentBBlockAddr)

        logging.info('[+] Starting emulation.')
        while pc and (pc >= self.codeSection_begin
                      and pc <= self.codeSection_end):
            # Fetch opcode
            opcode = self.context.getConcreteMemoryAreaValue(pc, 16)

            # Create the ctx instruction
            instruction = Instruction()
            instruction.setOpcode(opcode)
            instruction.setAddress(pc)

            # Process
            self.context.processing(instruction)
            logging.info(instruction)

            # Next
            prevpc = pc
            pc = self.context.getConcreteRegisterValue(
                self.context.registers.rip)

            if instruction.isControlFlow():
                currentBBlockAddr = pc
                onBasicBlockFound(currentBBlockAddr)
                logging.info(
                    f"Instruction is control flow of type {instruction.getType()}. Addr of the new Basic block {hex(currentBBlockAddr)}"
                )

            if self.TARGET_TO_REACH is not None and pc == self.TARGET_TO_REACH:
                targetAddressFound = True

        logging.info('[+] Emulation done.')
        if countBBlocks:
            logging.info(
                f'===== New basic blocks found: {[hex(intBlock) for intBlock in newBasicBlocksFound]}'
            )

        if basicBlocksPathFoundThisRun[-1] == 0:  # ret instruction
            basicBlocksPathFoundThisRun = basicBlocksPathFoundThisRun[:-1]
        return targetAddressFound, numNewBasicBlocks, basicBlocksPathFoundThisRun
Beispiel #2
0
def emulate(pc, index, y, targetadd):
    Triton.concretizeAllRegister()
    Triton.concretizeAllMemory()
    flag = 0
    Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6ffffffb)
    Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6fffffff)
    esp = Triton.buildSymbolicRegister(Triton.registers.ebp).evaluate()
    address = 28
    addressv = 200
    Triton.setConcreteMemoryValue(esp + 12, address)
    Triton.setConcreteMemoryValue(address, addressv)

    for i in range(index + 1):
        Triton.setConcreteMemoryValue(addressv, ord('S'))
        addressv = addressv + 1
    if (y == 1):
        #strin= ""
        for j in range(index):
            print 'F'
            #strin = strin+'F'
        #print strin,hex(targetadd)
        print hex(targetadd)
    while pc:
        opcodes = Triton.getConcreteMemoryAreaValue(pc, 16)
        instruction = Instruction()
        instruction.setOpcode(opcodes)
        instruction.setAddress(pc)
        Triton.processing(instruction)

        if (instruction.isControlFlow()):
            flag = flag + 1

        if instruction.getType() == OPCODE.INT:
            pc = instruction.getNextAddress()
            y = Triton.buildSymbolicRegister(Triton.registers.eax).evaluate()
            if y == 1:
                break
            continue
        pc = Triton.buildSymbolicRegister(Triton.registers.eip).evaluate()

        if (pc == 28):

            return 5

    return 1
Beispiel #3
0
class TestInstruction(unittest.TestCase):

    """Testing the Instruction class."""

    def setUp(self):
        """Define and process the instruction to test."""
        self.Triton = TritonContext()
        self.Triton.setArchitecture(ARCH.X86_64)
        self.inst = Instruction()
        self.inst.setOpcode("\x48\x01\xd8")  # add rax, rbx
        self.inst.setAddress(0x400000)
        self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
        self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
        self.Triton.processing(self.inst)

    def test_address(self):
        """Check instruction current and next address."""
        self.assertEqual(self.inst.getAddress(), 0x400000)
        self.assertEqual(self.inst.getNextAddress(), 0x400003)

    def test_memory(self):
        """Check memory access."""
        self.assertListEqual(self.inst.getLoadAccess(), [])
        self.assertListEqual(self.inst.getStoreAccess(), [])
        self.assertFalse(self.inst.isMemoryWrite())
        self.assertFalse(self.inst.isMemoryRead())

    def test_registers(self):
        """Check register access."""
        self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
        self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")

    def test_taints(self):
        """Check taints attributes."""
        self.assertFalse(self.inst.isTainted())

    def test_prefix(self):
        """Check prefix data."""
        self.assertFalse(self.inst.isPrefixed())
        self.assertEqual(self.inst.getPrefix(), PREFIX.INVALID)

    def test_control_flow(self):
        """Check control flow flags."""
        self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
        self.assertFalse(self.inst.isBranch(), "It is not a jmp")

    def test_condition(self):
        """Check condition flags."""
        self.assertFalse(self.inst.isConditionTaken())

    def test_opcode(self):
        """Check opcode informations."""
        self.assertEqual(self.inst.getOpcode(), "\x48\x01\xd8")
        self.assertEqual(self.inst.getType(), OPCODE.ADD)

    def test_thread(self):
        """Check threads information."""
        self.assertEqual(self.inst.getThreadId(), 0)

    def test_operand(self):
        """Check operand information."""
        self.assertEqual(len(self.inst.getOperands()), 2)
        self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
        self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
        with self.assertRaises(Exception):
            self.inst.getOperands()[2]

    def test_symbolic(self):
        """Check symbolic information."""
        self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)

    def test_size(self):
        """Check size information."""
        self.assertEqual(self.inst.getSize(), 3)

    def test_disassembly(self):
        """Check disassembly equivalent."""
        self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
Beispiel #4
0
class TestInstruction(unittest.TestCase):

    """Testing the Instruction class."""

    def setUp(self):
        """Define and process the instruction to test."""
        self.Triton = TritonContext()
        self.Triton.setArchitecture(ARCH.X86_64)
        self.inst = Instruction()
        self.inst.setOpcode(b"\x48\x01\xd8")  # add rax, rbx
        self.inst.setAddress(0x400000)
        self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
        self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
        self.Triton.processing(self.inst)

    def test_address(self):
        """Check instruction current and next address."""
        self.assertEqual(self.inst.getAddress(), 0x400000)
        self.assertEqual(self.inst.getNextAddress(), 0x400003)

        inst = Instruction()
        inst.setAddress(-1)
        self.assertEqual(inst.getAddress(), 0xffffffffffffffff)

        inst.setAddress(-2)
        self.assertEqual(inst.getAddress(), 0xfffffffffffffffe)

        inst.setAddress(-3)
        self.assertEqual(inst.getAddress(), 0xfffffffffffffffd)

    def test_memory(self):
        """Check memory access."""
        self.assertListEqual(self.inst.getLoadAccess(), [])
        self.assertListEqual(self.inst.getStoreAccess(), [])
        self.assertFalse(self.inst.isMemoryWrite())
        self.assertFalse(self.inst.isMemoryRead())

    def test_registers(self):
        """Check register access."""
        self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
        self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")

    def test_taints(self):
        """Check taints attributes."""
        self.assertFalse(self.inst.isTainted())

    def test_prefix(self):
        """Check prefix data."""
        self.assertFalse(self.inst.isPrefixed())
        self.assertEqual(self.inst.getPrefix(), PREFIX.X86.INVALID)

    def test_control_flow(self):
        """Check control flow flags."""
        self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
        self.assertFalse(self.inst.isBranch(), "It is not a jmp")

    def test_condition(self):
        """Check condition flags."""
        self.assertFalse(self.inst.isConditionTaken())

    def test_opcode(self):
        """Check opcode informations."""
        self.assertEqual(self.inst.getOpcode(), b"\x48\x01\xd8")
        self.assertEqual(self.inst.getType(), OPCODE.X86.ADD)

    def test_thread(self):
        """Check threads information."""
        self.assertEqual(self.inst.getThreadId(), 0)

    def test_operand(self):
        """Check operand information."""
        self.assertEqual(len(self.inst.getOperands()), 2)
        self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
        self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
        with self.assertRaises(Exception):
            self.inst.getOperands()[2]

    def test_symbolic(self):
        """Check symbolic information."""
        self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)

    def test_size(self):
        """Check size information."""
        self.assertEqual(self.inst.getSize(), 3)

    def test_disassembly(self):
        """Check disassembly equivalent."""
        self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
def emulate(pc, index, y, targetadd):
    Triton.concretizeAllRegister()
    Triton.concretizeAllMemory()
    x = 0
    #Triton.buildSymbolicRegister(Triton.registers.eax).evaluate()
    Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6ffffffb)
    Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6fffffff)
    esp = Triton.buildSymbolicRegister(Triton.registers.ebp).evaluate()
    address = 28
    addressv = 234
    Triton.setConcreteMemoryValue(esp + 12, address)
    Triton.setConcreteMemoryValue(address, addressv)
    #Triton.setConcreteMemoryAreaValue(address,CPUSIZE.WORD,addressv)

    #print 'index',index
    for i in range(index + 1):
        #index=index-1
        Triton.setConcreteMemoryValue(addressv, ord('A'))
        #print 'A'
        addressv = addressv + 1
    if (y == 1):
        print 'This Input its is going to given/invalid address'
        strin = ""
        for j in range(index):
            strin = strin + 'A'
        print strin, hex(targetadd)  #, type(targetadd)
        #Triton.setConcreteMemoryValue(MemoryAccess(addressv,CPUSIZE.DWORD),targetadd)
        #inte = int(targetadd[2:3])
        #print unichr(inte)
    #+ targetadd[0]+targetadd[1]+targetadd[2]+targetadd[3]+targetadd[4]+targetadd[5]+targetadd[6]

    #Triton.setConcreteMemoryAreaValue(address,CPUSIZE.WORD,addressv)
    while pc:
        # Fetch opcodes
        opcodes = Triton.getConcreteMemoryAreaValue(pc, 16)
        # Create the Triton instruction
        instruction = Instruction()
        instruction.setOpcode(opcodes)
        instruction.setAddress(pc)

        # Process
        Triton.processing(instruction)
        #print instruction

        if (instruction.isControlFlow()):
            x = x + 1

        if instruction.getType() == OPCODE.INT:
            pc = instruction.getNextAddress()
            y = Triton.buildSymbolicRegister(Triton.registers.eax).evaluate()
            #y = getConcreteRegisterValue(REG.EAX)
            if y == 1:
                break
            continue
        # Next
        pc = Triton.buildSymbolicRegister(Triton.registers.eip).evaluate()
        #print pc
        if (pc == 28):
            #print "reached"
            return 5

    #print 'The number of control transfer instructions are :'
    #print x
    return 1