class TestRAXBitvector(unittest.TestCase):
"""Testing the Bitvector class."""
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.bv = self.Triton.registers.rax.getBitvector()
def test_high(self):
"""Check the highest bit."""
self.assertEqual(self.bv.getHigh(), 63)
def test_low(self):
"""Check the lower bit."""
self.assertEqual(self.bv.getLow(), 0)
def test_size(self):
"""Check the vector size."""
self.assertEqual(self.bv.getVectorSize(), 64)
def test_maxValue(self):
"""Check the max value of the vector."""
self.assertEqual(self.bv.getMaxValue(), 0xffffffffffffffff)
class TestImmediate64(unittest.TestCase):
"""Testing the Immediate class."""
def setUp(self):
"""Define the arch and Immediate to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.imm = Immediate(0x0123456789abcdef, CPUSIZE.QWORD)
def test_bit_size(self):
"""Check the bitsize."""
self.assertEqual(self.imm.getBitSize(), 64)
def test_size(self):
"""Check the size."""
self.assertEqual(self.imm.getSize(), 8)
def test_value(self):
"""Check immediate value with different size."""
self.assertEqual(self.imm.getValue(), 0x0123456789abcdef)
def test_type(self):
"""Check immadiate type."""
self.assertEqual(self.imm.getType(), OPERAND.IMM)
class TestNegativeImmediate(unittest.TestCase):
"""Testing the Immediate class."""
def setUp(self):
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
def test_value(self):
"""Check immediate value with different size."""
self.imm = Immediate(-4, CPUSIZE.BYTE)
self.assertEqual(self.imm.getValue(), 0xfc)
self.imm = Immediate(-4, CPUSIZE.WORD)
self.assertEqual(self.imm.getValue(), 0xfffc)
self.imm = Immediate(-4, CPUSIZE.DWORD)
self.assertEqual(self.imm.getValue(), 0xfffffffc)
self.imm = Immediate(-4, CPUSIZE.QWORD)
self.assertEqual(self.imm.getValue(), 0xfffffffffffffffc)
self.imm = Immediate(0x7123456789abcdef, CPUSIZE.QWORD)
self.assertEqual(self.imm.getValue(), 0x7123456789abcdef)
self.imm = Immediate(0x8123456789abcdef, CPUSIZE.QWORD)
self.assertEqual(self.imm.getValue(), 0x8123456789abcdef)
class TestSymbolicEngineAligned(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic emulation engine with ALIGNED_MEMORY."""
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.ALIGNED_MEMORY, True)
super(TestSymbolicEngineAligned, self).setUp()
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.ALIGNED_MEMORY, True)
self.Triton.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
self.Triton.enableMode(MODE.AST_OPTIMIZATIONS, True)
super(TestSymbolicEngineAlignedOnlySymbolizedSymOpti, self).setUp()
class TestSymbolicEngineSymOpti(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic emulation engine without optimization."""
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.AST_OPTIMIZATIONS, True)
super(TestSymbolicEngineSymOpti, self).setUp()
class TestSymbolicEngineConstantFolding(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic emulation engine with CONSTANT_FOLDING."""
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.setMode(MODE.CONSTANT_FOLDING, True)
super(TestSymbolicEngineConstantFolding, self).setUp()
class TestArchitecture(unittest.TestCase):
"""Testing the architectures."""
def test_modify_arch(self):
"""Check we can change arch at anytime."""
self.ctx = TritonContext()
for _ in xrange(10):
self.ctx.setArchitecture(
random.choice((ARCH.X86_64, ARCH.X86, ARCH.AARCH64)))
class TestSymbolicEngineOnlySymbolized(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic emulation engine with ONLY_ON_SYMBOLIZED."""
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
super(TestSymbolicEngineOnlySymbolized, self).setUp()
class TestSymbolicEngineNoOptim(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic emulation engine without optimization."""
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
super(TestSymbolicEngineNoOptim, self).setUp()
class TestArchitecture(unittest.TestCase):
"""Testing the architectures."""
def test_modify_arch(self):
"""Check we can change arch at anytime."""
self.Triton = TritonContext()
for _ in xrange(10):
self.Triton.setArchitecture(random.choice((ARCH.X86_64, ARCH.X86)))
class TestSymbolicEngineNoOptim(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic emulation engine without optimization."""
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
super(TestSymbolicEngineNoOptim, self).setUp()
def test_taint_set_memory(self):
"""Set taint memory"""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
self.assertFalse(Triton.isMemoryTainted(0x1000))
Triton.setTaintMemory(MemoryAccess(0x1000, 1), True)
self.assertTrue(Triton.isMemoryTainted(0x1000))
Triton.setTaintMemory(MemoryAccess(0x1000, 1), False)
self.assertFalse(Triton.isMemoryTainted(0x1000))
def test_taint_set_register(self):
"""Set taint register"""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
Triton.setTaintRegister(Triton.registers.rax, True)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
Triton.setTaintRegister(Triton.registers.rax, False)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode(b"\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
class TestSymbolicEngineOnlySymbolized(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic emulation engine with ONLY_ON_SYMBOLIZED."""
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
super(TestSymbolicEngineOnlySymbolized, self).setUp()
class TestSymbolicEngineAligned(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic emulation engine with ALIGNED_MEMORY."""
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.ALIGNED_MEMORY, True)
super(TestSymbolicEngineAligned, self).setUp()
class TestIR(unittest.TestCase):
"""Test IR."""
def emulate(self, pc):
"""
Emulate every opcode from pc.
Process instruction until the end
"""
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.assertTrue(self.Triton.processing(instruction))
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return
def load_binary(self, filename):
"""Load in memory every opcode from an elf program."""
import lief
#lief.Logger.disable()
binary = lief.parse(filename)
phdrs = binary.segments
for phdr in phdrs:
size = phdr.physical_size
vaddr = phdr.virtual_address
self.Triton.setConcreteMemoryAreaValue(vaddr, phdr.content)
def test_ir(self):
"""Load binary, setup environment and emulate the ir test suite."""
self.Triton = TritonContext()
# Set arch
self.Triton.setArchitecture(ARCH.X86_64)
# Load the binary
binary_file = os.path.join(os.path.dirname(__file__), "misc", "ir-test-suite.bin")
self.load_binary(binary_file)
# Define a fake stack
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbp, 0x7fffffff)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rsp, 0x6fffffff)
self.emulate(0x40065c)
return
def test_taint_assignement_register_immediate(self):
"""Check tainting assignment register <- immediate."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
Triton.taintRegister(Triton.registers.rax)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
Triton.taintAssignmentRegisterImmediate(Triton.registers.rax)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
class TestSymbolicVariable(unittest.TestCase):
"""Testing symbolic variable."""
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.v0 = self.Triton.newSymbolicVariable(8)
self.v1 = self.Triton.newSymbolicVariable(16)
self.v2 = self.Triton.newSymbolicVariable(32, "test com")
def test_id(self):
"""Test IDs"""
self.assertEqual(self.v0.getId(), 0)
self.assertEqual(self.v1.getId(), 1)
self.assertEqual(self.v2.getId(), 2)
def test_kind(self):
"""Test kind"""
self.assertEqual(self.v0.getKind(), SYMEXPR.UNDEF)
self.assertEqual(self.v1.getKind(), SYMEXPR.UNDEF)
self.assertEqual(self.v2.getKind(), SYMEXPR.UNDEF)
def test_name(self):
"""Test name"""
self.assertEqual(self.v0.getName(), "SymVar_0")
self.assertEqual(self.v1.getName(), "SymVar_1")
self.assertEqual(self.v2.getName(), "SymVar_2")
def test_bitsize(self):
"""Test name"""
self.assertEqual(self.v0.getBitSize(), 8)
self.assertEqual(self.v1.getBitSize(), 16)
self.assertEqual(self.v2.getBitSize(), 32)
def test_comment(self):
"""Test comment"""
self.assertEqual(self.v0.getComment(), "")
self.assertEqual(self.v1.getComment(), "")
self.assertEqual(self.v2.getComment(), "test com")
self.v0.setComment("test v0")
self.v1.setComment("test v1")
self.assertEqual(self.v0.getComment(), "test v0")
self.assertEqual(self.v1.getComment(), "test v1")
self.assertEqual(self.v2.getComment(), "test com")
def test_str(self):
"""Test variable representation"""
self.assertEqual(str(self.v0), "SymVar_0:8")
self.assertEqual(str(self.v1), "SymVar_1:16")
self.assertEqual(str(self.v2), "SymVar_2:32")
def test_3(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
inst = Instruction("\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
self.assertEqual(len(inst.getLoadAccess()), 1)
self.assertEqual(len(inst.getStoreAccess()), 0)
class TestIR(unittest.TestCase):
"""Test IR."""
def emulate(self, pc):
"""
Emulate every opcode from pc.
Process instruction until the end
"""
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.assertTrue(self.Triton.processing(instruction))
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return
def load_binary(self, filename):
"""Load in memory every opcode from an elf program."""
import lief
binary = lief.parse(filename)
phdrs = binary.segments
for phdr in phdrs:
size = phdr.physical_size
vaddr = phdr.virtual_address
self.Triton.setConcreteMemoryAreaValue(vaddr, phdr.content)
def test_ir(self):
"""Load binary, setup environment and emulate the ir test suite."""
self.Triton = TritonContext()
# Set arch
self.Triton.setArchitecture(ARCH.X86_64)
# Load the binary
binary_file = os.path.join(os.path.dirname(__file__), "misc", "ir-test-suite.bin")
self.load_binary(binary_file)
# Define a fake stack
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbp, 0x7fffffff)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rsp, 0x6fffffff)
self.emulate(0x40065c)
return
class TestSymbolicEngineAst(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic engine with AST Dictionnary."""
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.AST_DICTIONARIES, True)
super(TestSymbolicEngineAst, self).setUp()
@unittest.skip("segfault")
def test_defcamp_2015(self):
pass
def test_method_callback_removal(self):
# regression test for #809
import sys
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
cb = self.method_callback.__func__
cb_initial_refcnt = sys.getrefcount(cb)
self.Triton.addCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
self.Triton.removeCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
self.assertTrue(cb_initial_refcnt == sys.getrefcount(cb))
def test_3(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
self.assertEqual(len(inst.getLoadAccess()), 1)
self.assertEqual(len(inst.getStoreAccess()), 0)
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.astCtxt = self.Triton.getAstContext()
self.sv1 = self.Triton.newSymbolicVariable(8)
self.sv2 = self.Triton.newSymbolicVariable(8)
self.v1 = self.astCtxt.variable(self.sv1)
self.v2 = self.astCtxt.variable(self.sv2)
def test_load_ds(self):
"""Check load from ds segment."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86)
inst = Instruction()
# mov ax, ds:word_40213C
inst.setOpcode(b"\x66\xA1\x3C\x21\x40\x00")
self.Triton.processing(inst)
self.assertEqual(inst.getOperands()[1].getAddress(), 0x40213C)
self.assertEqual(inst.getOperands()[1].getBitSize(), 16)
class TestSymbolicVariable(unittest.TestCase):
"""Testing symbolic variable."""
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.v0 = self.Triton.newSymbolicVariable(8)
self.v1 = self.Triton.newSymbolicVariable(16)
self.v2 = self.Triton.newSymbolicVariable(32, "test com")
def test_id(self):
"""Test IDs"""
self.assertEqual(self.v0.getId(), 0)
self.assertEqual(self.v1.getId(), 1)
self.assertEqual(self.v2.getId(), 2)
def test_kind(self):
"""Test kind"""
self.assertEqual(self.v0.getKind(), SYMEXPR.UNDEF)
self.assertEqual(self.v1.getKind(), SYMEXPR.UNDEF)
self.assertEqual(self.v2.getKind(), SYMEXPR.UNDEF)
def test_name(self):
"""Test name"""
self.assertEqual(self.v0.getName(), "SymVar_0")
self.assertEqual(self.v1.getName(), "SymVar_1")
self.assertEqual(self.v2.getName(), "SymVar_2")
def test_bitsize(self):
"""Test name"""
self.assertEqual(self.v0.getBitSize(), 8)
self.assertEqual(self.v1.getBitSize(), 16)
self.assertEqual(self.v2.getBitSize(), 32)
def test_comment(self):
"""Test comment"""
self.assertEqual(self.v0.getComment(), "")
self.assertEqual(self.v1.getComment(), "")
self.assertEqual(self.v2.getComment(), "test com")
self.v0.setComment("test v0")
self.v1.setComment("test v1")
self.assertEqual(self.v0.getComment(), "test v0")
self.assertEqual(self.v1.getComment(), "test v1")
self.assertEqual(self.v2.getComment(), "test com")
def test_str(self):
"""Test variable representation"""
self.assertEqual(str(self.v0), "SymVar_0:8")
self.assertEqual(str(self.v1), "SymVar_1:16")
self.assertEqual(str(self.v2), "SymVar_2:32")
def test_known_issues(self):
"""Check tainting result after processing."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
Triton.taintRegister(Triton.registers.eax)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcode(b"\x8D\x04\x06")
Triton.processing(inst)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.eax))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.ebx))
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.astCtxt = self.Triton.getAstContext()
self.sv1 = self.Triton.newSymbolicVariable(8)
self.sv2 = self.Triton.newSymbolicVariable(8)
self.v1 = self.astCtxt.variable(self.sv1)
self.v2 = self.astCtxt.variable(self.sv2)
self.Triton.setConcreteSymbolicVariableValue(self.sv1, 0xaa)
self.Triton.setConcreteSymbolicVariableValue(self.sv2, 0x55)
self.node = [
# Overloaded operators
(self.v1 & self.v2),
(self.v1 + self.v2),
(self.v1 - self.v2),
(self.v1 ^ self.v2),
(self.v1 | self.v2),
(self.v1 * self.v2),
(self.v1 << self.v2),
(self.v1 >> self.v2),
(~self.v1),
(-self.v1),
(self.v1 == self.v2),
(self.v1 != self.v2),
(self.v1 <= self.v2),
(self.v1 >= self.v2),
(self.v1 < self.v2),
(self.v1 > self.v2),
# AST API
self.astCtxt.bvashr(self.v1, self.v2),
self.astCtxt.bvnand(self.v1, self.v2),
self.astCtxt.bvnor(self.v1, self.v2),
self.astCtxt.bvrol(3, self.v1),
self.astCtxt.bvror(2, self.v2),
self.astCtxt.distinct(self.v1, self.v2),
self.astCtxt.equal(self.v1, self.v2),
self.astCtxt.sx(8, self.v1),
self.astCtxt.zx(8, self.v1),
# recent z3 version
#bvsdiv(self.v1, self.v2),
#bvsmod(self.v1, self.v2),
#bvsrem(self.v1, self.v2),
#bvudiv(self.v1, self.v2),
#bvurem(self.v1, self.v2),
]
class TestRegisterObject(unittest.TestCase):
"""Test register object"""
def setUp(self):
"""Define the arch."""
self.x86 = TritonContext(ARCH.X86)
self.x64 = TritonContext(ARCH.X86_64)
self.arm = TritonContext(ARCH.ARM32)
self.aarch = TritonContext(ARCH.AARCH64)
def test_object(self):
self.assertEqual(self.x86.registers.eax, self.x86.getRegister('eax'))
self.assertEqual(self.x64.registers.rax, self.x64.getRegister('RaX'))
self.assertEqual(self.arm.registers.r0, self.arm.getRegister('R0'))
self.assertEqual(self.aarch.registers.x9, self.aarch.getRegister('x9'))
def send_to_fuzz(entrypoint, exploration_memory, exploration_registers,
from_memory_addr, dst_addr, q):
"""send a request to the fuzzer
:param dst_addr (int): The destination address you wishe to reach
"""
fuzz = Fuzz(exploration_memory, exploration_registers, from_memory_addr,
dst_addr, q)
fuzzer = Tracer(program_name, False)
# set triton parameter
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ALIGNED_MEMORY, True)
ctx.setAstRepresentationMode(AST_REPRESENTATION.PYTHON)
fuzzer.tracer_init(ctx)
# add fuzz callback
fuzzer.add_start_callback(fuzz.start)
fuzzer.add_instruction_callback(fuzz.get_instruction)
fuzzer.add_end_callback(fuzz.end)
fuzzer.add_memory_callback(fuzz.fuzz_memory)
fuzzer.add_register_callback(fuzz.fuzz_register)
p = multiprocessing.Process(target=fuzzer.start,
args=(ctx, 30, entrypoint))
# return [p,ctx,fuzzer, exploration_memory]
return p
class TestAstDictionaries(unittest.TestCase):
"""Testing the AST_DICTIONARIES."""
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.AST_DICTIONARIES, True)
self.astCtxt = self.Triton.getAstContext()
def test_dictionaries(self):
# d is empty
d = self.Triton.getAstDictionariesStats()
for k, v in d.items():
self.assertEqual(v, 0)
bv1 = self.astCtxt.bv(1, 8)
bv2 = self.astCtxt.bv(2, 8)
d = self.Triton.getAstDictionariesStats()
self.assertEqual(d['bv'], 2)
self.assertEqual(d['decimal'], 3)
self.assertEqual(d['allocatedDictionaries'], 5)
self.assertEqual(d['allocatedNodes'], 6)
# Same allocation
bv1 = self.astCtxt.bv(1, 8)
bv2 = self.astCtxt.bv(2, 8)
d = self.Triton.getAstDictionariesStats()
self.assertEqual(d['bv'], 2)
self.assertEqual(d['decimal'], 3)
self.assertEqual(d['allocatedDictionaries'], 5)
self.assertEqual(d['allocatedNodes'], 12)
class TestAstDictionaries(unittest.TestCase):
"""Testing the AST_DICTIONARIES."""
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.AST_DICTIONARIES, True)
self.astCtxt = self.Triton.getAstContext()
def test_dictionaries(self):
# d is empty
d = self.Triton.getAstDictionariesStats()
for k, v in d.items():
self.assertEqual(v, 0)
bv1 = self.astCtxt.bv(1, 8)
bv2 = self.astCtxt.bv(2, 8)
d = self.Triton.getAstDictionariesStats()
self.assertEqual(d['bv'], 2)
self.assertEqual(d['decimal'], 3)
self.assertEqual(d['allocatedDictionaries'], 5)
self.assertEqual(d['allocatedNodes'], 6)
# Same allocation
bv1 = self.astCtxt.bv(1, 8)
bv2 = self.astCtxt.bv(2, 8)
d = self.Triton.getAstDictionariesStats()
self.assertEqual(d['bv'], 2)
self.assertEqual(d['decimal'], 3)
self.assertEqual(d['allocatedDictionaries'], 5)
self.assertEqual(d['allocatedNodes'], 12)
class TestSymbolicEngineAst(BaseTestSimulation, unittest.TestCase):
"""Testing the symbolic engine with AST Dictionnary."""
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.AST_DICTIONARIES, True)
super(TestSymbolicEngineAst, self).setUp()
@unittest.skip("segfault")
def test_defcamp_2015(self):
pass
def test_6(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.convertRegisterToSymbolicVariable(ctx.registers.rax)
ctx.convertMemoryToSymbolicVariable(MemoryAccess(0, CPUSIZE.QWORD))
inst = Instruction("\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 1)
self.assertEqual(len(inst.getLoadAccess()), 1)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_7(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.setConcreteRegisterValue(ctx.registers.rax, 0x1337)
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(inst.getOperands()[1].getAddress(), 0x1337)
self.assertIsNone(inst.getOperands()[1].getLeaAst())
def setUp(self):
"""Define the arch."""
self.ctx = TritonContext()
self.ctx.setArchitecture(ARCH.X86_64)
self.inst1 = Instruction("\x48\x31\xd8") # xor rax, rbx
self.ctx.setConcreteRegisterValue(self.ctx.registers.al, 0x10)
self.ctx.setConcreteRegisterValue(self.ctx.registers.bl, 0x55)
self.inst2 = Instruction("\x48\x89\x03") # mov [rbx], rax
self.ctx.processing(self.inst1)
self.ctx.processing(self.inst2)
self.expr1 = self.inst1.getSymbolicExpressions()[0]
self.expr2 = self.inst2.getSymbolicExpressions()[8]
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.ALIGNED_MEMORY, True)
self.Triton.enableMode(MODE.TAINT_THROUGH_POINTERS, True)
super(TestSymbolicEngineAlignedAndTaintPtr, self).setUp()
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.ALIGNED_MEMORY, True)
self.Triton.enableMode(MODE.AST_DICTIONARIES, True)
super(TestSymbolicEngineAlignedAst, self).setUp()
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.ALIGNED_MEMORY, True)
self.Triton.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
super(TestSymbolicEngineAlignedOnlySymbolized, self).setUp()
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.v0 = self.Triton.newSymbolicVariable(8)
self.v1 = self.Triton.newSymbolicVariable(16)
self.v2 = self.Triton.newSymbolicVariable(32, "test com")
def test_get_concrete_register_value(self):
global flag
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
flag = False
self.Triton.addCallback(self.cb_flag, CALLBACK.GET_CONCRETE_REGISTER_VALUE)
self.Triton.processing(Instruction("\x48\x89\xd8")) # mov rax, rbx
self.assertTrue(flag)
flag = False
self.Triton.removeCallback(self.cb_flag, CALLBACK.GET_CONCRETE_REGISTER_VALUE)
self.Triton.processing(Instruction("\x48\x89\xd8")) # mov rax, rbx
self.assertFalse(flag)
# Remove all callbacks
flag = False
self.Triton.addCallback(self.cb_flag, CALLBACK.GET_CONCRETE_REGISTER_VALUE)
self.Triton.processing(Instruction("\x48\x89\xd8")) # mov rax, rbx
self.assertTrue(flag)
flag = False
self.Triton.removeAllCallbacks()
self.Triton.processing(Instruction("\x48\x89\xd8")) # mov rax, rbx
self.assertFalse(flag)
def test_get_concrete_memory_value(self):
global flag
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
flag = False
self.Triton.addCallback(self.cb_flag, CALLBACK.GET_CONCRETE_MEMORY_VALUE)
# movabs rax, qword ptr [0x1000]
self.Triton.processing(Instruction("\x48\xa1\x00\x10\x00\x00\x00\x00\x00\x00"))
self.assertTrue(flag)
flag = False
self.Triton.removeCallback(self.cb_flag, CALLBACK.GET_CONCRETE_MEMORY_VALUE)
# movabs rax, qword ptr [0x1000]
self.Triton.processing(Instruction("\x48\xa1\x00\x10\x00\x00\x00\x00\x00\x00"))
self.assertFalse(flag)
def test_ir(self):
"""Load binary, setup environment and emulate the ir test suite."""
self.Triton = TritonContext()
# Set arch
self.Triton.setArchitecture(ARCH.X86_64)
# Load the binary
binary_file = os.path.join(os.path.dirname(__file__), "misc", "ir-test-suite.bin")
self.load_binary(binary_file)
# Define a fake stack
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbp, 0x7fffffff)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rsp, 0x6fffffff)
self.emulate(0x40065c)
return
class TestSymbolicEngineDisable(BaseTestSimulation, unittest.TestCase):
"""Testing the emulation with the symbolic engine disabled."""
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableSymbolicEngine(False)
super(TestSymbolicEngineDisable, self).setUp()
@unittest.skip("Not possible")
def test_seed_coverage(self):
pass
@unittest.skip("Not possible")
def test_defcamp_2015(self):
pass
def main():
code = [(0x1000, "\x83\xc4\x08"), (0x1003, "\x5b"), (0x1004, "\xc3")]
ctxt = TritonContext()
ctxt.setArchitecture(ARCH.X86)
#load instructions
for (addr, opcode) in code:
inst = Instruction()
inst.setOpcode(opcode)
inst.setAddress(addr)
if not ctxt.processing(inst):
print "Fail an instruction"
print inst
expr = inst.getSymbolicExpressions()[0]
print expr
def test_known_issues(self):
"""Check tainting result after processing."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
Triton.taintRegister(Triton.registers.eax)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcode("\x8D\x04\x06")
Triton.processing(inst)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.eax))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.ebx))
def test_4(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.convertRegisterToSymbolicVariable(ctx.registers.rax)
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 0)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
class TestAHRegister(unittest.TestCase):
"""Testing the Register class with AH."""
def setUp(self):
"""Define arch and register to check."""
self.ctx = TritonContext()
self.ctx.setArchitecture(ARCH.X86_64)
self.reg = self.ctx.registers.ah
def test_size(self):
"""Check register size."""
self.assertEqual(self.reg.getSize(), 1)
def test_bitvector(self):
"""Check bitvector information."""
self.assertEqual(self.reg.getBitvector().getHigh(), 15)
self.assertEqual(self.reg.getBitvector().getLow(), 8)
self.assertEqual(self.reg.getBitvector().getVectorSize(), 8)
def test_parent(self):
"""Check parent register on multiple arch."""
self.assertEqual(self.ctx.getParentRegister(self.reg).getName(), "rax")
self.ctx.setArchitecture(ARCH.X86)
self.reg = self.ctx.registers.ah
self.assertEqual(self.ctx.getParentRegister(self.reg).getName(), "eax")
self.assertEqual(self.ctx.getParentRegister(self.reg).getBitSize(), 32)
class TestAHRegister(unittest.TestCase):
"""Testing the Register class with AH."""
def setUp(self):
"""Define arch and register to check."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.reg = self.Triton.registers.ah
def test_size(self):
"""Check register size."""
self.assertEqual(self.reg.getSize(), 1)
def test_bitvector(self):
"""Check bitvector information."""
self.assertEqual(self.reg.getBitvector().getHigh(), 15)
self.assertEqual(self.reg.getBitvector().getLow(), 8)
self.assertEqual(self.reg.getBitvector().getVectorSize(), 8)
def test_parent(self):
"""Check parent register on multiple arch."""
self.assertEqual(self.Triton.getParentRegister(self.reg).getName(), "rax")
self.Triton.setArchitecture(ARCH.X86)
self.reg = self.Triton.registers.ah
self.assertEqual(self.Triton.getParentRegister(self.reg).getName(), "eax")
self.assertEqual(self.Triton.getParentRegister(self.reg).getBitSize(), 32)
def test_5(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.setMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.symbolizeMemory(MemoryAccess(0, CPUSIZE.QWORD))
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 0)
self.assertEqual(len(inst.getWrittenRegisters()), 1)
self.assertEqual(len(inst.getLoadAccess()), 1)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_2(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.setMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.symbolizeRegister(ctx.registers.rax)
inst = Instruction(b"\x48\x89\xc3") # mov rbx, rax
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 1)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_2(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
self.assertEqual(ctx.isModeEnabled(MODE.ONLY_ON_TAINTED), False)
ctx.enableMode(MODE.ONLY_ON_TAINTED, True)
self.assertEqual(ctx.isModeEnabled(MODE.ONLY_ON_TAINTED), True)
ctx.taintRegister(ctx.registers.rax)
inst = Instruction("\x48\x89\xc3") # mov rbx, rax
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
class TestSymbolicEngineDisable(BaseTestSimulation, unittest.TestCase):
"""Testing the emulation with the symbolic engine disabled."""
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableSymbolicEngine(False)
super(TestSymbolicEngineDisable, self).setUp()
@unittest.skip("Not possible")
def test_seed_coverage(self):
pass
@unittest.skip("Not possible")
def test_defcamp_2015(self):
pass
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_7(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.setConcreteRegisterValue(ctx.registers.rax, 0x1337)
inst = Instruction("\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(inst.getOperands()[1].getAddress(), 0x1337)
self.assertIsNone(inst.getOperands()[1].getLeaAst())
def test5():
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
astCtxt = Triton.getAstContext()
# rax is now symbolic
Triton.convertRegisterToSymbolicVariable(Triton.registers.eax)
# process instruction
Triton.processing(Instruction("\x83\xc0\x07")) # add eax, 0x7
# get rax ast
eaxAst = Triton.getSymbolicRegister(Triton.registers.eax).getAst()
# constraint
c = eaxAst ^ 0x11223344 == 0xdeadbeaf
print 'Test 5:', Triton.getModel(c)[0]
return
def test_load_ds(self):
"""Check load from ds segment."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86)
inst = Instruction()
# mov ax, ds:word_40213C
inst.setOpcode("\x66\xA1\x3C\x21\x40\x00")
self.Triton.processing(inst)
self.assertEqual(inst.getOperands()[1].getAddress(), 0x40213C)
self.assertEqual(inst.getOperands()[1].getBitSize(), 16)
