def test_xmm_on_x86(self):
"""Check xmm on 32 bits arch."""
setArchitecture(ARCH.X86)
xmm = Register(REG.XMM1, 0x112233445566778899aabbccddeeff00)
self.assertEqual(xmm.getBitSize(), 128)
self.assertEqual(xmm.getConcreteValue(),
0x112233445566778899aabbccddeeff00)
def init_ctxt(self):
"""Setup memory and register values."""
# Define the address of the serial pointer. The address of the serial
# pointer must be the same that the one hardcoded into the targeted
# function. However, the serial pointer (here 0x900000) is arbitrary.
setConcreteMemoryValue(0x601040, 0x00)
setConcreteMemoryValue(0x601041, 0x00)
setConcreteMemoryValue(0x601042, 0x90)
# Define the serial context. We store the serial content located on our
# arbitrary # serial pointer (0x900000).
setConcreteMemoryValue(0x900000, 0x31)
setConcreteMemoryValue(0x900001, 0x3e)
setConcreteMemoryValue(0x900002, 0x3d)
setConcreteMemoryValue(0x900003, 0x26)
setConcreteMemoryValue(0x900004, 0x31)
# Point RDI on our buffer. The address of our buffer is arbitrary. We
# just need to point the RDI register on it as first argument of our
# targeted function.
setConcreteRegisterValue(Register(REG.RDI, 0x1000))
# Setup stack on an abitrary address.
setConcreteRegisterValue(Register(REG.RSP, 0x7fffffff))
setConcreteRegisterValue(Register(REG.RBP, 0x7fffffff))
def test_xmm_on_x86(self):
"""Check xmm on 32 bits arch."""
setArchitecture(ARCH.X86)
xmm = Register(REG.XMM1, 0x112233445566778899aabbccddeeff00)
self.assertEqual(xmm.getBitSize(), 128)
self.assertEqual(xmm.getConcreteValue(),
0x112233445566778899aabbccddeeff00)
def setUp(self):
"""Define and process the instruction to test."""
setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcodes("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.inst.updateContext(Register(REG.RAX, 0x1122334455667788))
self.inst.updateContext(Register(REG.RBX, 0x8877665544332211))
processing(self.inst)
def test_concrete_value(self):
"""Check concrete value modification."""
self.assertEqual(self.reg.getConcreteValue(), 0)
# immutable
self.reg.setConcreteValue(0x1122334455667788)
self.assertEqual(self.reg.getConcreteValue(), 0)
# mutable
reg2 = Register(self.reg)
reg2.setConcreteValue(0x1122334455667788)
self.assertEqual(reg2.getConcreteValue(), 0x1122334455667788)
def test_concrete_value(self):
"""Check concrete value modification."""
self.assertEqual(self.reg.getConcreteValue(), 0)
# immutable
self.reg.setConcreteValue(0x1122334455667788)
self.assertEqual(self.reg.getConcreteValue(), 0)
# mutable
reg2 = Register(self.reg)
reg2.setConcreteValue(0x1122334455667788)
self.assertEqual(reg2.getConcreteValue(), 0x1122334455667788)
def test_register_create(self):
"""Check register creation with value."""
for reg in (REG.AH, REG.AL):
# OK
Register(reg, 0xff)
# Not OK
# TODO : Be more specific on the raise exception type
with self.assertRaises(Exception):
Register(reg, 0xff + 1)
Register(REG.ZF, 1)
with self.assertRaises(Exception):
Register(REG.ZF, 2)
def test_set_concrete_value(self):
"""Check register value modification."""
for reg in (REG.AH, REG.AL):
# OK
reg = Register(reg)
reg.setConcreteValue(0xff)
# Not OK
# TODO : Be more specific on the raise exception type
with self.assertRaises(Exception):
reg.setConcreteValue(0xff + 1)
reg = Register(REG.ZF)
reg.setConcreteValue(1)
with self.assertRaises(Exception):
reg.setConcreteValue(2)
def test_load_indirect_fs(self):
"""Check load from fs with indirect address."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov rax, QWORD PTR fs:[rax]
inst.setOpcodes("\x64\x48\x8B\x00")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
setConcreteRegisterValue(Register(REG.RAX, 0xffffffffffffdf90))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9690)
self.assertEqual(load.getBitSize(), 64)
def test_unset_flags(self):
"""Check flags can be unset in any order with a correct result."""
registers = [
REG.ZF, REG.AF, REG.IF, REG.CF, REG.DF, REG.PF, REG.SF, REG.OF,
REG.TF
]
values = [1] * len(registers)
for reg in registers:
setConcreteRegisterValue(Register(reg, 1))
rand_registers = list(registers)
random.shuffle(rand_registers)
# Randomnly unset flags registers and check result is the one expected
for reg in rand_registers:
setConcreteRegisterValue(Register(reg, 0))
values[registers.index(reg)] = 0
self.assertListEqual(
[getConcreteRegisterValue(r) for r in registers], values)
def test_set_get_concrete_value(self):
"""Check setting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
setConcreteRegisterValue(Register(r, 0xdeadbeaf))
elif r.getBitSize() == 64:
setConcreteRegisterValue(Register(r, 0xabcdef0123456789))
elif r.getBitSize() == 128:
setConcreteRegisterValue(
Register(r, 0xabcdef01234567899876543210fedcba))
elif r.getBitSize() == 256:
setConcreteRegisterValue(
Register(
r,
0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba
))
else:
pass
"""Check getting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
self.assertEqual(getConcreteRegisterValue(r), 0xdeadbeaf)
elif r.getBitSize() == 64:
self.assertEqual(getConcreteRegisterValue(r),
0xabcdef0123456789)
elif r.getBitSize() == 128:
self.assertEqual(getConcreteRegisterValue(r),
0xabcdef01234567899876543210fedcba)
elif r.getBitSize() == 256:
self.assertEqual(
getConcreteRegisterValue(r),
0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba
)
else:
pass
"""Set everything to zero"""
for r in self.ar:
setConcreteRegisterValue(Register(r, 0))
"""Check if everything is equal to zero"""
for r in self.ar:
self.assertEqual(getConcreteRegisterValue(r), 0)
def test_defcamp_2015(self):
"""Load binary, setup environment and solve challenge with sym eval."""
# Load the binary
binary_file = os.path.join(os.path.dirname(__file__), "misc",
"defcamp-2015-r100.bin")
self.load_binary(binary_file)
# Define a fake stack
setConcreteRegisterValue(Register(REG.RBP, 0x7fffffff))
setConcreteRegisterValue(Register(REG.RSP, 0x6fffffff))
# Define an user input
setConcreteRegisterValue(Register(REG.RDI, 0x10000000))
# Symbolize user inputs (30 bytes)
for index in range(30):
convertMemoryToSymbolicVariable(
MemoryAccess(0x10000000 + index, CPUSIZE.BYTE))
# Emulate from the verification function
solution = self.emulate(0x4006FD)
self.assertEqual(solution, 'Code_Talkers')
def test_emulate(self, concretize=False):
"""Run a dumped simulation and check output registers."""
# Get dumped data
dump = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
with open(dump) as f:
regs, mems = eval(f.read())
# Load memory
for mem in mems:
start = mem['start']
if mem['memory'] is not None:
setConcreteMemoryAreaValue(start, bytearray(mem['memory']))
# setup registers
for reg_name in ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp",
"rsp", "rip", "r8", "r9", "r10", "r11", "r12", "r13",
"r14", "eflags", "xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7", "xmm8", "xmm9",
"xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"):
setConcreteRegisterValue(
Register(getattr(REG, reg_name.upper()), regs[reg_name]))
# run the code
pc = getConcreteRegisterValue(REG.RIP)
while pc != 0x409A18:
opcodes = getConcreteMemoryAreaValue(pc, 20)
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Check if triton doesn't supports this instruction
self.assertTrue(processing(instruction))
pc = getConcreteRegisterValue(REG.RIP)
if concretize:
concretizeAllMemory()
concretizeAllRegister()
rax = getConcreteRegisterValue(REG.RAX)
rbx = getConcreteRegisterValue(REG.RBX)
rcx = getConcreteRegisterValue(REG.RCX)
rdx = getConcreteRegisterValue(REG.RDX)
rsi = getConcreteRegisterValue(REG.RSI)
self.assertEqual(rax, 0)
self.assertEqual(rbx, 0)
self.assertEqual(rcx, 0)
self.assertEqual(rdx, 0x4d2)
self.assertEqual(rsi, 0x3669000000000000)
def test_ymm(self):
"""Check ymm on 64 bits arch."""
ymm = Register(REG.YMM1, 0x112233445566778899aabbccddeeff00)
self.assertEqual(ymm.getBitSize(), 256)
ymm.setConcreteValue(
0x112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00)
self.assertEqual(
ymm.getConcreteValue(),
0x112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00)
def test_zmm(self):
"""Check zmm on 64 bits arch."""
zmm = Register(REG.ZMM2, 0)
self.assertEqual(zmm.getBitSize(), 512)
zmm.setConcreteValue(
0x112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00
)
self.assertEqual(
zmm.getConcreteValue(),
0x112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00
)
def test_load_immediate_fs(self):
"""Check load from fs segment with immediate."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov eax, DWORD PTR fs:0xffffffffffffdf98
inst.setOpcodes("\x64\x8B\x04\x25\x98\xDF\xFF\xFF")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9698)
self.assertEqual(load.getBitSize(), 32)
def test_zmm(self):
"""Check zmm on 64 bits arch."""
zmm = Register(REG.ZMM2, 0)
self.assertEqual(zmm.getBitSize(), 512)
zmm.setConcreteValue(0x112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00)
self.assertEqual(zmm.getConcreteValue(), 0x112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00)
def test_set_concrete_value(self):
"""Check register value modification."""
for reg in (REG.AH, REG.AL):
# OK
reg = Register(reg)
reg.setConcreteValue(0xff)
# Not OK
# TODO : Be more specific on the raise exception type
with self.assertRaises(Exception):
reg.setConcreteValue(0xff + 1)
reg = Register(REG.ZF)
reg.setConcreteValue(1)
with self.assertRaises(Exception):
reg.setConcreteValue(2)
def test_ymm(self):
"""Check ymm on 64 bits arch."""
ymm = Register(REG.YMM1, 0x112233445566778899aabbccddeeff00)
self.assertEqual(ymm.getBitSize(), 256)
ymm.setConcreteValue(0x112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00)
self.assertEqual(ymm.getConcreteValue(), 0x112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00)