def send_to_fuzz(entrypoint, exploration_memory, exploration_registers,
from_memory_addr, dst_addr, q):
"""send a request to the fuzzer
:param dst_addr (int): The destination address you wishe to reach
"""
fuzz = Fuzz(exploration_memory, exploration_registers, from_memory_addr,
dst_addr, q)
fuzzer = Tracer(program_name, False)
# set triton parameter
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ALIGNED_MEMORY, True)
ctx.setAstRepresentationMode(AST_REPRESENTATION.PYTHON)
fuzzer.tracer_init(ctx)
# add fuzz callback
fuzzer.add_start_callback(fuzz.start)
fuzzer.add_instruction_callback(fuzz.get_instruction)
fuzzer.add_end_callback(fuzz.end)
fuzzer.add_memory_callback(fuzz.fuzz_memory)
fuzzer.add_register_callback(fuzz.fuzz_register)
p = multiprocessing.Process(target=fuzzer.start,
args=(ctx, 30, entrypoint))
# return [p,ctx,fuzzer, exploration_memory]
return p
def initialize():
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
# Define optimizations
Triton.enableMode(MODE.ALIGNED_MEMORY, True)
# Load the binary
loadBinary(Triton, os.path.join(os.path.dirname(__file__),
'serial_killer'))
# Define a fake stack
Triton.setConcreteRegisterValue(Triton.registers.rbp, 0x7fffffff)
Triton.setConcreteRegisterValue(Triton.registers.rsp, 0x6fffffff)
# Define an user input
Triton.setConcreteRegisterValue(Triton.registers.rdi, 0x10000000)
# Symbolize user inputs
for index in range(KEY_SIZE):
Triton.setConcreteMemoryValue(
MemoryAccess(0x10000000 + index, CPUSIZE.BYTE), variables[index])
Triton.convertMemoryToSymbolicVariable(
MemoryAccess(0x10000000 + index, CPUSIZE.BYTE))
return Triton
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.v0 = self.Triton.newSymbolicVariable(8)
self.v1 = self.Triton.newSymbolicVariable(16)
self.v2 = self.Triton.newSymbolicVariable(32, "test com")
def test_taint_union_memory_memory(self):
"""Check tainting union memory U memory."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
Triton.taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
Triton.taintUnionMemoryMemory(MemoryAccess(0x2000, 4),
MemoryAccess(0x3000, 4))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x3000, 4)))
Triton.untaintMemory(MemoryAccess(0x2000, 4))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
Triton.taintUnionMemoryMemory(MemoryAccess(0x2000, 4),
MemoryAccess(0x3000, 4))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x3000, 4)))
Triton.taintMemory(MemoryAccess(0x3000, 4))
Triton.taintUnionMemoryMemory(MemoryAccess(0x2000, 4),
MemoryAccess(0x3000, 4))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x3000, 4)))
def test_taint_union_memory_register(self):
"""Check tainting union memory U register."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
Triton.taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
Triton.taintUnionMemoryRegister(MemoryAccess(0x2000, 4),
Triton.registers.rax)
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
Triton.untaintMemory(MemoryAccess(0x2000, 4))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
Triton.taintUnionMemoryRegister(MemoryAccess(0x2000, 4),
Triton.registers.rax)
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
Triton.taintRegister(Triton.registers.rax)
Triton.taintUnionMemoryRegister(MemoryAccess(0x2000, 4),
Triton.registers.rax)
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
def test_taint_assignement_register_register(self):
"""Check tainting assignment register <- register."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
Triton.taintRegister(Triton.registers.rax)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
Triton.taintAssignmentRegisterRegister(Triton.registers.rax,
Triton.registers.rax)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
Triton.untaintRegister(Triton.registers.rax)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
Triton.taintAssignmentRegisterRegister(Triton.registers.rax,
Triton.registers.rax)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rbx))
Triton.taintRegister(Triton.registers.rbx)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rbx))
Triton.taintAssignmentRegisterRegister(Triton.registers.rax,
Triton.registers.rbx)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
def test_taint_assignement_memory_register(self):
"""Check tainting assignment memory <- register."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
Triton.taintMemory(MemoryAccess(0x2000, 8))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 8)))
Triton.taintAssignmentMemoryRegister(MemoryAccess(0x2002, 2),
Triton.registers.ax)
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2004, 1)))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2005, 1)))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2006, 1)))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2007, 1)))
Triton.taintMemory(MemoryAccess(0x2000, 8))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 8)))
Triton.taintAssignmentMemoryRegister(MemoryAccess(0x1fff, 8),
Triton.registers.rax)
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x1fff, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2004, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2005, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2006, 1)))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2007, 1)))
def test_taint_assignement_memory_memory(self):
"""Check tainting assignment memory <- memory."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
Triton.taintMemory(MemoryAccess(0x2000, 1))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 1)))
Triton.taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1),
MemoryAccess(0x2000, 1))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x1000, 1)))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 1)))
Triton.taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1),
MemoryAccess(0x3000, 1))
Triton.taintAssignmentMemoryMemory(MemoryAccess(0x2000, 1),
MemoryAccess(0x3000, 1))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x1000, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2000, 1)))
Triton.taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 4)))
Triton.taintAssignmentMemoryMemory(MemoryAccess(0x2001, 2),
MemoryAccess(0x3000, 1))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(Triton.isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertTrue(Triton.isMemoryTainted(MemoryAccess(0x2000, 1)))
def test_taint_union_register_register(self):
"""Check tainting union register U register."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
Triton.taintRegister(Triton.registers.rax)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
Triton.taintUnionRegisterRegister(Triton.registers.rax,
Triton.registers.rbx)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rbx))
Triton.taintRegister(Triton.registers.rbx)
Triton.taintUnionRegisterRegister(Triton.registers.rax,
Triton.registers.rbx)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rbx))
Triton.untaintRegister(Triton.registers.rax)
Triton.taintRegister(Triton.registers.rbx)
Triton.taintUnionRegisterRegister(Triton.registers.rax,
Triton.registers.rbx)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rbx))
Triton.untaintRegister(Triton.registers.rax)
Triton.untaintRegister(Triton.registers.rbx)
Triton.taintUnionRegisterRegister(Triton.registers.rax,
Triton.registers.rbx)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rbx))
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.enableMode(MODE.ALIGNED_MEMORY, True)
self.Triton.enableMode(MODE.AST_DICTIONARIES, True)
super(TestSymbolicEngineAlignedAst, self).setUp()
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.setMode(MODE.ALIGNED_MEMORY, True)
self.Triton.setMode(MODE.ONLY_ON_SYMBOLIZED, True)
super(TestSymbolicEngineAlignedOnlySymbolized, self).setUp()
def test_get_concrete_register_value(self):
global flag
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
flag = False
self.Triton.addCallback(CALLBACK.GET_CONCRETE_REGISTER_VALUE,
self.cb_flag)
self.Triton.processing(Instruction(b"\x48\x89\xd8")) # mov rax, rbx
self.assertTrue(flag)
flag = False
self.Triton.removeCallback(CALLBACK.GET_CONCRETE_REGISTER_VALUE,
self.cb_flag)
self.Triton.processing(Instruction(b"\x48\x89\xd8")) # mov rax, rbx
self.assertFalse(flag)
# Remove all callbacks
flag = False
self.Triton.addCallback(CALLBACK.GET_CONCRETE_REGISTER_VALUE,
self.cb_flag)
self.Triton.processing(Instruction(b"\x48\x89\xd8")) # mov rax, rbx
self.assertTrue(flag)
flag = False
self.Triton.clearCallbacks()
self.Triton.processing(Instruction(b"\x48\x89\xd8")) # mov rax, rbx
self.assertFalse(flag)
def test_1(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.setMode(MODE.ONLY_ON_TAINTED, False)
self.assertEqual(ctx.isModeEnabled(MODE.ONLY_ON_TAINTED), False)
inst = Instruction(b"\x48\x89\xc3") # mov rbx, rax
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
ctx.setMode(MODE.ONLY_ON_TAINTED, True)
self.assertEqual(ctx.isModeEnabled(MODE.ONLY_ON_TAINTED), True)
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getSymbolicExpressions()), 0)
self.assertEqual(len(inst.getReadRegisters()), 0)
self.assertEqual(len(inst.getReadImmediates()), 0)
self.assertEqual(len(inst.getWrittenRegisters()), 0)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.setMode(MODE.ALIGNED_MEMORY, True)
self.Triton.setMode(MODE.AST_OPTIMIZATIONS, True)
super(TestSymbolicEngineAlignedSymOpti, self).setUp()
def test_method_callback_removal(self):
# regression test for #809
import sys
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
cb = self.method_callback.__func__
cb_initial_refcnt = sys.getrefcount(cb)
self.Triton.addCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
self.Triton.removeCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
self.assertTrue(cb_initial_refcnt == sys.getrefcount(cb))
cb = self.method_callback
cb_initial_refcnt = tuple(
sys.getrefcount(x) for x in (cb, cb.__self__, cb.__func__))
self.Triton.addCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
self.Triton.removeCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
cb_new_refcnt = tuple(
sys.getrefcount(x) for x in (cb, cb.__self__, cb.__func__))
self.assertTrue(cb_initial_refcnt == cb_new_refcnt)
self.Triton.addCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
self.Triton.getConcreteMemoryAreaValue(0x1000, 1)
self.Triton.removeCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
cb_new_refcnt = tuple(
sys.getrefcount(x) for x in (cb, cb.__self__, cb.__func__))
self.assertTrue(cb_initial_refcnt == cb_new_refcnt)
def setUp(self):
"""Define the arch and modes."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.Triton.setMode(MODE.ALIGNED_MEMORY, True)
self.Triton.setMode(MODE.TAINT_THROUGH_POINTERS, True)
super(TestSymbolicEngineAlignedAndTaintPtr, self).setUp()
def test2():
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
astCtxt = Triton.getAstContext()
x = Triton.newSymbolicVariable(32)
c = ((astCtxt.variable(x) ^ 0x40) - 1 == 0x10)
print('Test 2:', Triton.getModel(c)[0])
return
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode(b"\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test4():
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
astCtxt = Triton.getAstContext()
x = Triton.newSymbolicVariable(8)
c = astCtxt.variable(x) * astCtxt.variable(x) - 1 == 0x20
print('Test 4:', Triton.getModels(c, 10))
return
def test_taint_set_memory(self):
"""Set taint memory"""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
self.assertFalse(Triton.isMemoryTainted(0x1000))
Triton.setTaintMemory(MemoryAccess(0x1000, 1), True)
self.assertTrue(Triton.isMemoryTainted(0x1000))
Triton.setTaintMemory(MemoryAccess(0x1000, 1), False)
self.assertFalse(Triton.isMemoryTainted(0x1000))
def test_taint_set_register(self):
"""Set taint register"""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
Triton.setTaintRegister(Triton.registers.rax, True)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.rax))
Triton.setTaintRegister(Triton.registers.rax, False)
self.assertFalse(Triton.isRegisterTainted(Triton.registers.rax))
def test_load_ds(self):
"""Check load from ds segment."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86)
inst = Instruction()
# mov ax, ds:word_40213C
inst.setOpcode(b"\x66\xA1\x3C\x21\x40\x00")
self.Triton.processing(inst)
self.assertEqual(inst.getOperands()[1].getAddress(), 0x40213C)
self.assertEqual(inst.getOperands()[1].getBitSize(), 16)
def test_method_callback_removal(self):
# regression test for #809
import sys
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
cb = self.method_callback.__func__
cb_initial_refcnt = sys.getrefcount(cb)
self.Triton.addCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
self.Triton.removeCallback(CALLBACK.GET_CONCRETE_MEMORY_VALUE,
self.method_callback)
self.assertTrue(cb_initial_refcnt == sys.getrefcount(cb))
def test1():
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
astCtxt = Triton.getAstContext()
x = Triton.newSymbolicVariable(32)
c = astCtxt.equal(
astCtxt.bvsub(astCtxt.bvxor(astCtxt.variable(x), astCtxt.bv(0x40, 32)),
astCtxt.bv(1, 32)), astCtxt.bv(0x10, 32))
print('Test 1:', Triton.getModel(c)[0])
return
def setUp(self):
"""Define the arch."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.astCtxt = self.Triton.getAstContext()
self.sv1 = self.Triton.newSymbolicVariable(8)
self.sv2 = self.Triton.newSymbolicVariable(8)
self.v1 = self.astCtxt.variable(self.sv1)
self.v2 = self.astCtxt.variable(self.sv2)
def test_3(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
self.assertEqual(len(inst.getLoadAccess()), 1)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_7(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.setConcreteRegisterValue(ctx.registers.rax, 0x1337)
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(inst.getOperands()[1].getAddress(), 0x1337)
self.assertIsNone(inst.getOperands()[1].getLeaAst())
def main():
entrypoint = 0x401094
fuzzed_address = set()
queue = multiprocessing.Queue()
process = list()
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ALIGNED_MEMORY, True)
ctx.setAstRepresentationMode(AST_REPRESENTATION.PYTHON)
exploration = Exploration()
tracer = Tracer(program_name, True)
tracer.tracer_init(ctx)
# Sets callbacks
tracer.add_start_callback(exploration.start)
tracer.add_instruction_callback(exploration.get_instruction)
tracer.add_end_callback(exploration.end)
tracer.add_memory_callback(exploration.symbolized_memory_input)
tracer.add_register_callback(exploration.symbolized_register_input)
for i in range(30):
tracer.start(ctx, 1, entrypoint)
if exploration.fuzz_is_needed is True:
untaken_branch = set(exploration.get_untaken_branch())
for i in untaken_branch:
if i not in fuzzed_address:
if exploration.untaken_branch[i] != 0:
process.append(
send_to_fuzz(
entrypoint,
copy.deepcopy(exploration.exploration_memory),
copy.deepcopy(
exploration.exploration_registers),
copy.copy(exploration.untaken_branch[i]), i,
queue))
process[-1].start()
process[-1].join()
fuzzed_address.add(i)
try:
new_inputs = queue.get(block=True, timeout=5)
exploration.add_fuzz_inputs(new_inputs[0], new_inputs[1])
except Queue.Empty:
print(map(hex, exploration.get_untaken_branch()))
print("Can't find more branch")
break
exploration.show_exploration()
def test_known_issues(self):
"""Check tainting result after processing."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
Triton.taintRegister(Triton.registers.eax)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcode(b"\x8D\x04\x06")
Triton.processing(inst)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.eax))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.ebx))
def test3():
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
astCtxt = Triton.getAstContext()
x = Triton.newSymbolicVariable(8)
c = astCtxt.land([
astCtxt.variable(x) * astCtxt.variable(x) - 1 == 0x20,
astCtxt.variable(x) != 0x11
])
print('Test 3:', Triton.getModel(c)[0])
return
