Ejemplo n.º 1
0
    def test_bind_expr_to_multi_memory(self):
        """Check symbolic expression binded to multiple memory location."""
        # Bind expr to multi memory location (0x100, 0x101, 0x102, 0x103)
        expr1 = newSymbolicExpression(ast.bv(0x11223344, 32))
        mem = MemoryAccess(0x100, CPUSIZE.DWORD)
        assignSymbolicExpressionToMemory(expr1, mem)

        # Check we can get back the same values
        expr2 = getSymbolicExpressionFromId(getSymbolicMemoryId(0x100))
        expr3 = getSymbolicExpressionFromId(getSymbolicMemoryId(0x101))
        expr4 = getSymbolicExpressionFromId(getSymbolicMemoryId(0x102))
        expr5 = getSymbolicExpressionFromId(getSymbolicMemoryId(0x103))

        self.assertEqual(expr2.getAst().evaluate(), 0x44)
        self.assertEqual(expr3.getAst().evaluate(), 0x33)
        self.assertEqual(expr4.getAst().evaluate(), 0x22)
        self.assertEqual(expr5.getAst().evaluate(), 0x11)

        self.assertEqual(getSymbolicMemoryValue(mem), 0x11223344)
Ejemplo n.º 2
0
    def test_bind_expr_to_memory(self):
        """Check symbolic expression binded to memory can be retrieve."""
        # Bind expr1 to 0x100
        expr1 = newSymbolicExpression(ast.bv(0x11, 8))
        mem = MemoryAccess(0x100, CPUSIZE.BYTE)
        assignSymbolicExpressionToMemory(expr1, mem)

        # Get expr from memory
        expr2 = getSymbolicExpressionFromId(getSymbolicMemoryId(0x100))

        self.assertEqual(expr1.getAst().evaluate(), expr2.getAst().evaluate())
Ejemplo n.º 3
0
 def string_constraint(self):
     cstr = selg.triton.getAstContest().equal(
         self.triton.getAstContext().bvtrue(),
         self.triton.getAstContext().bvtrue())
     addrs = [self.inputs for inpt in self.inputs.values()]
     for inpt in addrs[0:-1]:
         symExp = triton.getSymbolicExpressionFromId(inpt.getId()).getAst()
         cstr = triton.getAstContext().land([
             cstr,
             self.triton.getAstContext().land([
                 ast.bvuge(symExp, bv(0x20, 8)),
                 ast.bvuge(symExp, bv(0x7E, 8))
             ])
         ])
     # last char should be 0
     symExp = triton.getSymbolicExpressionFromId(addrs[-1]).getAst()
     cstr = self.triton.getAstContext().land([
         cstr,
         self.triton.getAstContext().lnot(self.triton.getAstContext().equal(
             symExp,
             self.triton.getAstContext().bv(0, 8)))
     ])
     return cstr
Ejemplo n.º 4
0
    def emulate(self, pc):
        """
        Emulate every opcodes from pc.

        * Process instruction until the end and search for constraint
        resolution on cmp eax, 1 then set the new correct value and keep going.
        """
        while pc:
            # Fetch opcodes
            opcodes = getConcreteMemoryAreaValue(pc, 16)

            # Create the Triton instruction
            instruction = Instruction()
            instruction.setOpcodes(opcodes)
            instruction.setAddress(pc)

            # Process
            processing(instruction)

            # 40078B: cmp eax, 1
            # eax must be equal to 1 at each round.
            if instruction.getAddress() == 0x40078B:
                # Slice expressions
                rax = getSymbolicExpressionFromId(
                    getSymbolicRegisterId(REG.RAX))
                eax = ast.extract(31, 0, rax.getAst())

                # Define constraint
                cstr = ast.assert_(
                    ast.land(getPathConstraintsAst(),
                             ast.equal(eax, ast.bv(1, 32))))

                model = getModel(cstr)
                solution = str()
                for k, v in model.items():
                    value = v.getValue()
                    solution += chr(value)
                    getSymbolicVariableFromId(k).setConcreteValue(value)

            # Next
            pc = getConcreteRegisterValue(REG.RIP)
        return solution
Ejemplo n.º 5
0
    def build_jmp_constraint(self, pc=None, take=True):
        _pc = self.get_current_pc()
        if pc:
            _pc = pc

        inst = self.disassemble_inst(_pc)
        if take:
            target = inst.getFirstOperand().getValue()
        else:
            target = _pc + inst.getSize()

        pco = triton.getPathConstraints()
        cstr = triton.ast.equal(triton.ast.bvtrue(), triton.ast.bvtrue())

        for pc in pco:
            if pc.isMultipleBranches():
                branches = pc.getBranchConstraints()
                for branch in branches:

                    taken = branch["isTaken"]
                    src = branch["srcAddr"]
                    dst = branch["dstAddr"]
                    bcstr = branch["constraint"]

                    isPreviousBranchConstraint = (src != _pc) and taken
                    isBranchToTake = src == _pc and dst == target

                    if isPreviousBranchConstraint or isBranchToTake:
                        cstr = triton.ast.land(cstr, bcstr)

        if self.input_type == "string":
            addrs = [self.inputs[inpt] for inpt in self.inputs]
            for inpt in addrs[0:-1]:
                symExp = triton.getSymbolicExpressionFromId(
                    inpt.getId()).getAst()
                cstr = triton.ast.land(
                    cstr,
                    triton.ast.lnot(
                        triton.ast.equal(symExp, triton.ast.bv(0, 8))))

        cstr = triton.ast.assert_(cstr)
        return cstr
Ejemplo n.º 6
0
    def emulate(self, pc):
        """
        Emulate every opcodes from pc.

        * Process instruction until the end and search for constraint
        resolution on cmp eax, 1 then set the new correct value and keep going.
        """
        while pc:
            # Fetch opcodes
            opcodes = getConcreteMemoryAreaValue(pc, 16)

            # Create the Triton instruction
            instruction = Instruction()
            instruction.setOpcodes(opcodes)
            instruction.setAddress(pc)

            # Process
            processing(instruction)

            # 40078B: cmp eax, 1
            # eax must be equal to 1 at each round.
            if instruction.getAddress() == 0x40078B:
                # Slice expressions
                rax = getSymbolicExpressionFromId(getSymbolicRegisterId(REG.RAX))
                eax = ast.extract(31, 0, rax.getAst())

                # Define constraint
                cstr = ast.assert_(ast.land(getPathConstraintsAst(), ast.equal(eax, ast.bv(1, 32))))

                model = getModel(cstr)
                solution = str()
                for k, v in model.items():
                    value = v.getValue()
                    solution += chr(value)
                    getSymbolicVariableFromId(k).setConcreteValue(value)

            # Next
            pc = getConcreteRegisterValue(REG.RIP)
        return solution
Ejemplo n.º 7
0
    def build_jmp_constraint(self, pc=None, take=True):
        _pc = self.get_current_pc()
        if pc:
            _pc = pc

        inst = self.disassemble_inst(_pc)
        if take:
            target = inst.getFirstOperand().getValue()
        else:
            target = _pc + inst.getSize()

        pco = triton.getPathConstraints()
        cstr = triton.ast.equal(triton.ast.bvtrue(), triton.ast.bvtrue())

        for pc in pco:
            if pc.isMultipleBranches():
                branches = pc.getBranchConstraints()
                for branch in branches:

                    taken = branch["isTaken"]
                    src = branch["srcAddr"]
                    dst = branch["dstAddr"]
                    bcstr = branch["constraint"]

                    isPreviousBranchConstraint = (src != _pc) and taken
                    isBranchToTake =  src == _pc and dst == target

                    if isPreviousBranchConstraint or isBranchToTake:
                        cstr = triton.ast.land(cstr, bcstr)

        if self.input_type == "string":
            addrs = [self.inputs[inpt] for inpt in self.inputs]
            for inpt in addrs[0:-1]:
                symExp = triton.getSymbolicExpressionFromId(inpt.getId()).getAst()
                cstr = triton.ast.land(cstr, triton.ast.lnot(triton.ast.equal(symExp, triton.ast.bv(0, 8))))

        cstr = triton.ast.assert_(cstr)
        return cstr
Ejemplo n.º 8
0
    def build_jmp_constraint(self, pc=None, take=True):
        _pc = self.get_current_pc()
        if pc:
            _pc = pc

        inst = self.disassemble_inst(_pc)
        if take:
            target = inst.getOperands()[0].getValue()
        else:
            target = _pc + inst.getSize()

        pco = self.triton.getPathConstraints()
        cstr = self.triton.getAstContext().equal(
            self.triton.getAstContext().bvtrue(),
            self.triton.getAstContext().bvtrue())

        for pc in pco:
            if pc.isMultipleBranches():
                branches = pc.getBranchConstraints()
                for branch in branches:

                    taken = branch["isTaken"]
                    src = branch["srcAddr"]
                    dst = branch["dstAddr"]
                    bcstr = branch["constraint"]

                    isPreviousBranchConstraint = (src != _pc) and taken
                    isBranchToTake = src == _pc and dst == target

                    if isPreviousBranchConstraint or isBranchToTake:
                        cstr = self.triton.getAstContext().land([cstr, bcstr])

        if self.input_type == "nonnull":
            addrs = [self.inputs[inpt] for inpt in self.inputs]
            for inpt in addrs[0:-1]:
                symExp = triton.getSymbolicExpressionFromId(
                    inpt.getId()).getAst()
                cstr = self.triton.getAstContext().land([
                    cstr,
                    self.triton.getAstContext().lnot(
                        self.triton.getAstContext().equal(
                            symExp,
                            self.triton.getAstContext().bv(0, 8)))
                ])
            # last char should be 0
            symExp = triton.getSymbolicExpressionFromId(addrs[-1]).getAst()
            cstr = self.triton.getAstContext().land([
                cstr,
                self.triton.getAstContext().lnot(
                    self.triton.getAstContext().equal(
                        symExp,
                        self.triton.getAstContext().bv(0, 8)))
            ])

        elif self.input_type == "string":
            addrs = [self.inputs[inpt] for inpt in self.inputs]
            for inpt in addrs[0:-1]:
                symExp = triton.getSymbolicExpressionFromId(
                    inpt.getId()).getAst()
                cstr = self.triton.getAstContext().land([
                    cstr,
                    self.triton.getAstContext().land(
                        ast.bvuge(symExp, bv(0x20, 8)),
                        ast.bvuge(symExp, bv(0x7E, 8)))
                ])
            # last char should be 0
            symExp = triton.getSymbolicExpressionFromId(addrs[-1]).getAst()
            cstr = self.triton.getAstContext().land([
                cstr,
                self.triton.getAstContext().lnot(
                    self.triton.getAstContext().equal(
                        symExp,
                        self.triton.getAstContext().bv(0, 8)))
            ])

        # cstr = self.triton.getAstContext().assert_(cstr)
        return cstr