def cleanup_exp(exp):
    """Recursively simplify an expression tuple and return the simplified form.

    Non-tuple values are returned unchanged. Tuples matching one of the
    rewrite shapes below are replaced by a shorter equivalent; any other
    tuple is rebuilt with ``cleanup_exp`` applied to each of its elements.

    Raises:
        AssertionError: for a ``('mul', 1, x)`` tuple of length exactly 3,
            or a ``('mul', 1, ...)`` tuple shorter than that.
    """
    if type(exp) is not tuple:
        return exp

    op = opcode(exp)
    head = exp[:4]

    # mask_shl over a storage read whose width/offset already match -> the read itself
    if (op == 'mask_shl'
            and opcode(exp[4]) == 'storage'
            and exp[1] == exp[4][1]
            and type(exp[2]) is int
            and exp[2] == minus_op(exp[3])
            and exp[2] == exp[4][2]):
        return cleanup_exp(exp[4])

    # a 160-bit mask over 'caller' is an address-width no-op
    if head == ('mask_shl', 160, 0, 0) and exp[4] in ('caller', ):
        return exp[4]

    # bool of a concrete int folds to 0 / 1
    if op == 'bool' and type(exp[1]) is int:
        return 0 if exp[1] == 0 else 1

    # mask_shl, 200, 56, 0, "'supportsInterface(bytes4)'" -> supportsInterface(bytes4)
    if (op == 'mask_shl'
            and type(exp[1]) is int
            and type(exp[2]) is int
            and type(exp[3]) is int
            and type(exp[4]) is str
            and exp[1] + exp[2] == 256
            and exp[3] == 0
            and exp[4][0] == exp[4][-1] == "'"):
        literal = exp[4][1:-1]
        # only when the quoted text is exactly as wide as the mask
        if len(literal) * 8 == exp[1]:
            return literal

    # a full-width mask is dropped around small concrete ints and sha3 nodes
    if head == ('mask_shl', 256, 0, 0):
        inner = cleanup_exp(exp[4])
        if type(inner) is int and inner < 0x100**32:
            return inner
        if opcode(inner) == 'sha3':
            return inner
        # ^ should be more generic

    # if opcode(exp) == 'iszero' and \
    #    opcode(exp[1]) == 'eq':
    #     return ('Neq', ) + cleanup_exp(exp[1][1:])

    # multiplication by 1: keep the remaining factors
    if op == 'mul' and exp[1] == 1:
        if len(exp) == 3:
            assert False
            return cleanup_exp(exp[2])
        assert len(exp) > 3, exp
        return ('mul', ) + tuple(map(cleanup_exp, exp[2:]))

    return tuple(map(cleanup_exp, exp))
def pretty_adds(exp):
    """Render an ``('add', ...)`` expression as ``a + b - c`` text.

    Non-``add`` expressions are delegated to ``prettify``. A leading float
    or int term is rendered last, as a signed constant; otherwise terms are
    joined in order, with negative ``mul`` terms written as subtractions.
    ``add_color`` and ``parentheses`` come from the enclosing scope.
    """
    if opcode(exp) != "add":
        return prettify(exp, add_color=add_color)

    lead = exp[1]
    lead_type = type(lead)

    if lead_type is float or lead_type is int:
        if lead_type is float:
            constant = lead
            if int(constant) == constant:
                constant = int(constant)  # 32.0 -> 32
        else:
            constant = to_real_int(lead)
        rendered = [prettify(x, add_color=add_color) for x in exp[2:]]
        res = " + ".join(rendered)
        # the constant goes at the end, with its sign spelled out
        if constant > 0:
            res = res + " + " + prettify(constant)
        elif constant < 0:
            res = res + " - " + prettify(-constant)
    else:
        res = ""
        for term in exp[1:]:
            if res == "":
                res = prettify(term, add_color=add_color)
                continue
            negated = (opcode(term) == "mul"
                       and type(term[1]) is int
                       and term[1] < 0)
            if negated:
                res = res + " - " + prettify(minus_op(term), add_color=add_color)
            else:
                res = res + " + " + prettify(term, add_color=add_color)

    return f"({res})" if parentheses else res
def pretty_adds(exp):
    '''
    Render an ('add', ...) expression as "a + b - c" text.

    Anything that is not an 'add' is handed to prettify. When the first
    term is a float or int it is printed last as a signed constant;
    otherwise the terms are printed in order, negative 'mul' terms as
    subtractions. add_color and parentheses come from the enclosing scope.
    '''
    if opcode(exp) != 'add':
        return prettify(exp, add_color = add_color)

    def with_constant(real, rest):
        # symbolic terms first, then the constant with an explicit sign
        out = ' + '.join([prettify(x, add_color=add_color) for x in rest])
        if real > 0:
            out += ' + ' + prettify(real)
        elif real < 0:
            out += ' - ' + prettify(-real)
        return out

    lead = exp[1]
    if type(lead) is float:
        real = lead
        if int(real) == real:
            real = int(real)  # 32.0 -> 32
        res = with_constant(real, exp[2:])
    elif type(lead) is int:
        res = with_constant(to_real_int(lead), exp[2:])
    else:
        res = ''
        for x in exp[1:]:
            if res == '':
                res = prettify(x, add_color=add_color)
            elif opcode(x) == 'mul' and type(x[1]) is int and x[1] < 0:
                res += ' - ' + prettify(minus_op(x), add_color=add_color)
            else:
                res += ' + ' + prettify(x, add_color=add_color)

    if parentheses:
        return f'({res})'
    return res
def apply_stack(self, ret: list, line) -> None:
    """Symbolically execute one instruction against ``self.stack``.

    ``line[0]`` is the instruction's position, ``line[1]`` the opcode name
    and ``line[2]`` (when present) its immediate parameter. Pure opcodes push
    expression tuples onto ``self.stack``; opcodes with side effects
    (memory/storage writes, logs, calls, variable creation) append a trace
    tuple to ``ret`` through ``trace``. Control-flow opcodes are not handled
    here and trip the assertion in the final ``else`` branch.

    Raises:
        AssertionError: when ``op`` is a control-flow opcode, or when the
            resulting change in stack depth does not match
            ``opcode_dict.stack_diffs[op]``.
    """
    def trace(exp, *format_args):
        # Record one trace entry. The debug log is best-effort: str(exp) may
        # contain braces that make .format() raise, and that must not abort
        # the analysis, so the exception is deliberately swallowed here.
        try:
            logger.debug("Trace: %s", str(exp).format(*format_args))
        except Exception:
            pass
        if type(exp) == str:
            ret.append(exp.format(*format_args))
        else:
            ret.append(exp)

    stack = self.stack
    op = line[1]
    # depth before the opcode runs; checked against stack_diffs at the end
    previous_len = stack.len()

    if "--verbose" in sys.argv or "--explain" in sys.argv:
        trace(C.asm(" " + str(stack)))
        trace("")
        if "push" not in op and "dup" not in op and "swap" not in op:
            trace("[{}] {}", line[0], C.asm(op))
        else:
            if type(line[2]) == str:
                trace("[{}] {} {}", line[0], C.asm(op), C.asm(" ”" + line[2] + "”"))
            elif line[2] > 0x1000000000:
                trace("[{}] {} {}", line[0], C.asm(op), C.asm(hex(line[2])))
            else:
                trace("[{}] {} {}", line[0], C.asm(op), C.asm(str(line[2])))

    # immediate parameter (push value, dup/swap depth); 0 when absent
    param = 0
    if len(line) > 2:
        param = line[2]

    if op in [
        "exp", "and", "eq", "div", "lt", "gt", "slt", "sgt",
        "mod", "xor", "signextend", "smod", "sdiv",
    ]:
        stack.append(arithmetic.eval((op, stack.pop(), stack.pop(),)))
    elif op[:4] == "push":
        stack.append(param)
    elif op == "pop":
        stack.pop()
    elif op == "dup":
        stack.dup(param)
    elif op == "mul":
        stack.append(mul_op(stack.pop(), stack.pop()))
    elif op == "or":
        stack.append(or_op(stack.pop(), stack.pop()))
    elif op == "add":
        stack.append(add_op(stack.pop(), stack.pop()))
    elif op == "sub":
        left = stack.pop()
        right = stack.pop()
        # concrete operands are folded right away; anything else stays symbolic
        if type(left) == int and type(right) == int:
            stack.append(arithmetic.sub(left, right))
        else:
            stack.append(sub_op(left, right))
    elif op in ["mulmod", "addmod"]:
        # NOTE(review): both opcodes are recorded under the 'mulmod' tag — confirm
        # that downstream passes do not need to tell addmod apart.
        stack.append(("mulmod", stack.pop(), stack.pop(), stack.pop()))
    elif op == "shl":
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            # NOTE(review): `off` comes straight from the analysed bytecode; a
            # shift count near 2**256 makes `exp << off` raise or attempt a huge
            # allocation instead of yielding the EVM result (0 for off >= 256).
            stack.append(exp << off)
        else:
            stack.append(mask_op(exp, shl=off))
    elif op == "shr":
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            stack.append(exp >> off)
        else:
            stack.append(mask_op(exp, offset=minus_op(off), shr=off))
    elif op == "sar":
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            # arithmetic shift: replicate bit 255 into the vacated high bits
            sign = exp & (1 << 255)
            if off >= 256:
                if sign:
                    stack.append(2**256 - 1)
                else:
                    stack.append(0)
            else:
                shifted = exp >> off
                if sign:
                    shifted |= (2**256 - 1) << (256 - off)
                stack.append(shifted)
        else:
            # FIXME: This won't give the right result...
            stack.append(mask_op(exp, offset=minus_op(off), shr=off))
    elif op in ["not", "iszero"]:
        stack.append((op, stack.pop()))
    elif op == "sha3":
        p = stack.pop()
        n = stack.pop()
        res = mem_load(p, n)
        # hash results get a fresh `_N` variable so later uses share one node
        self.counter += 1
        vname = f"_{self.counter}"
        vval = ("sha3", res,)
        trace(("setvar", vname, vval))
        stack.append(("var", vname))
    elif op == "calldataload":
        stack.append(("cd", stack.pop(),))
    elif op == "byte":
        val = stack.pop()
        num = stack.pop()
        # byte N counted from the most significant end
        off = sub_op(256, to_bytes(num))
        stack.append(mask_op(val, 8, off, shr=off))
    elif op == "selfbalance":
        stack.append(("balance", "address",))
    elif op == "balance":
        addr = stack.pop()
        # strip a 160-bit address mask around the operand
        if opcode(addr) == "mask_shl" and addr[:4] == ("mask_shl", 160, 0, 0):
            stack.append(("balance", addr[4],))
        else:
            stack.append(("balance", addr,))
    elif op == "swap":
        stack.swap(param)
    elif op[:3] == "log":
        p = stack.pop()
        s = stack.pop()
        topics = []
        # log0..log4: the digit is the number of topics to pop
        param = int(op[3])
        for i in range(param):
            el = stack.pop()
            topics.append(el)
        trace(("log", mem_load(p, s),) + tuple(topics))
    elif op == "sload":
        sloc = stack.pop()
        stack.append(("storage", 256, 0, sloc))
    elif op == "sstore":
        sloc = stack.pop()
        val = stack.pop()
        trace(("store", 256, 0, sloc, val))
    elif op == "mload":
        memloc = stack.pop()
        self.counter += 1
        vname = f"_{self.counter}"
        trace(("setvar", vname, ("mem", ("range", memloc, 32))))
        stack.append(("var", vname))
    elif op == "mstore":
        memloc = stack.pop()
        val = stack.pop()
        trace(("setmem", ("range", memloc, 32), val,))
    elif op == "mstore8":
        memloc = stack.pop()
        val = stack.pop()
        trace(("setmem", ("range", memloc, 8), val,))
    elif op == "extcodecopy":
        addr = stack.pop()
        mem_pos = stack.pop()
        code_pos = stack.pop()
        data_len = stack.pop()
        trace((
            "setmem",
            ("range", mem_pos, data_len),
            ("extcodecopy", addr, ("range", code_pos, data_len)),
        ))
    elif op == "codecopy":
        mem_pos = stack.pop()
        call_pos = stack.pop()
        data_len = stack.pop()
        # concrete, in-range copies are folded into one big int; otherwise
        # the copy is recorded symbolically as code.data
        if (type(call_pos), type(data_len)) == (int, int,) and call_pos + data_len < len(self.loader.binary):
            res = 0
            # NOTE(review): the window starts at call_pos - 1; when call_pos
            # is 0 that is a negative index, which Python resolves to the last
            # byte of the binary instead of raising — verify the intended
            # indexing against loader.binary.
            for i in range(call_pos - 1, call_pos + data_len - 1):
                res = res << 8
                res += self.loader.binary[i]  # this breaks with out of range for some contracts
                # may be because we're usually getting compiled code binary
                # and not runtime binary
            trace(("setmem", ("range", mem_pos, data_len), res))  # ('bytes', data_len, res)))
        else:
            trace((
                "setmem",
                ("range", mem_pos, data_len),
                ("code.data", call_pos, data_len,),
            ))
    elif op == "codesize":
        stack.append(len(self.loader.binary))
    elif op == "calldatacopy":
        mem_pos = stack.pop()
        call_pos = stack.pop()
        data_len = stack.pop()
        # a zero-length copy leaves no trace
        if data_len != 0:
            call_data = ("call.data", call_pos, data_len)
            # call_data = mask_op(('call.data', bits(add_op(data_len, call_pos))), size=bits(data_len), shl=bits(call_pos))
            trace(("setmem", ("range", mem_pos, data_len), call_data))
    elif op == "returndatacopy":
        mem_pos = stack.pop()
        ret_pos = stack.pop()
        data_len = stack.pop()
        if data_len != 0:
            return_data = ("ext_call.return_data", ret_pos, data_len)
            # return_data = mask_op(('ext_call.return_data', bits(add_op(data_len, ret_pos))), size=bits(data_len), shl=bits(ret_pos))
            trace(("setmem", ("range", mem_pos, data_len), return_data))
    elif op == "call":
        self.handle_call(op, trace)
    elif op == "staticcall":
        self.handle_call(op, trace)
    elif op == "delegatecall":
        gas = stack.pop()
        addr = stack.pop()
        arg_start = stack.pop()
        arg_len = stack.pop()
        ret_start = stack.pop()
        ret_len = stack.pop()
        call_trace = ("delegatecall", gas, addr,)  # arg_start, arg_len, ret_start, ret_len)
        # first 4 bytes of the argument window are the selector, the rest the params
        if arg_len == 0:
            fname = None
            fparams = None
        elif arg_len == 4:
            fname = mem_load(arg_start, 4)
            fparams = 0
        else:
            fname = mem_load(arg_start, 4)
            fparams = mem_load(add_op(arg_start, 4), sub_op(arg_len, 4))
        call_trace += (fname, fparams)
        trace(call_trace)
        self.call_len = ret_len
        stack.append("delegate.return_code")
        if 0 != ret_len:
            return_data = ("delegate.return_data", 0, ret_len)
            trace(("setmem", ("range", ret_start, ret_len), return_data))
    elif op == "callcode":
        gas = stack.pop()
        addr = stack.pop()
        value = stack.pop()
        arg_start = stack.pop()
        arg_len = stack.pop()
        ret_start = stack.pop()
        ret_len = stack.pop()
        call_trace = ("callcode", gas, addr, value,)
        if arg_len == 0:
            fname = None
            fparams = None
        elif arg_len == 4:
            fname = mem_load(arg_start, 4)
            fparams = 0
        else:
            fname = mem_load(arg_start, 4)
            fparams = mem_load(add_op(arg_start, 4), sub_op(arg_len, 4))
        call_trace += (fname, fparams)
        trace(call_trace)
        self.call_len = ret_len
        stack.append("callcode.return_code")
        if 0 != ret_len:
            return_data = ("callcode.return_data", 0, ret_len)
            trace(("setmem", ("range", ret_start, ret_len), return_data))
    elif op == "create":
        wei, mem_start, mem_len = stack.pop(), stack.pop(), stack.pop()
        call_trace = ("create", wei)
        code = mem_load(mem_start, mem_len)
        call_trace += (code, )
        trace(call_trace)
        stack.append("create.new_address")
    elif op == "create2":
        wei, mem_start, mem_len, salt = (
            stack.pop(),
            stack.pop(),
            stack.pop(),
            stack.pop(),
        )
        call_trace = ("create2", wei, ("mem", ("range", mem_start, mem_len)), salt)
        trace(call_trace)
        stack.append("create2.new_address")
    elif op == "pc":
        stack.append(line[0])
    elif op == "msize":
        self.counter += 1
        vname = f"_{self.counter}"
        trace(("setvar", vname, "msize"))
        stack.append(("var", vname))
    elif op in ("extcodesize", "extcodehash", "blockhash"):
        stack.append((op, stack.pop(),))
    elif op in [
        "callvalue", "caller", "address", "number", "gas", "origin",
        "timestamp", "chainid", "difficulty", "gasprice", "coinbase",
        "gaslimit", "calldatasize", "returndatasize",
    ]:
        # environment opcodes are pushed as their own name
        stack.append(op)
    else:
        # TODO: Maybe raise an error directly?
        # Anything not matched above is only tolerated if it is not a
        # control-flow opcode; those must be handled by the caller.
        assert op not in [
            "jump", "jumpi", "revert", "return", "stop", "jumpdest", "UNKNOWN",
        ]

    # every handler must move the stack by exactly the opcode's documented delta
    if stack.len() - previous_len != opcode_dict.stack_diffs[op]:
        logger.error("line: %s", line)
        logger.error("stack: %s", stack)
        logger.error(
            "expected %s, got %s stack diff",
            opcode_dict.stack_diffs[op],
            stack.len() - previous_len,
        )
        assert False, f"opcode {op} not processed correctly"

    stack.cleanup()
return ('map', ('data', *terms), ('loc', loc)) elif e ~ ('sha3', :idx, int:loc): return ('map', idx, ('loc', loc)) else: return e storages = stor_replace_f(storages, simplify_sha3) ''' is add a struct or a loc? ''' res = [] for s in storages: if s ~ ('stor', :size, ('mask_shl', :o_size, :o_off, :o_shl, :arr_idx), :idx) and size == 2**o_shl: new_osize = minus_op(o_size) if idx ~ ('add', int:num, _): idx = num s = ('stor', size, 0, ('array', ('mask_shl', o_size+o_shl, o_off, 0, arr_idx), ('loc', idx))) res.append(s) storages = res storages = stor_replace_f(storages, mask_to_mul) res = [] for s in storages: assert s ~ ('stor', :size, :offset, :idx) if idx ~ ('add', int:num, *terms) and get_loc(terms) is not None:
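def apply_stack(self, ret: list, line) -> None:
    """Symbolically execute one instruction against ``self.stack``.

    ``line[0]`` is the instruction's position, ``line[1]`` the opcode name
    and ``line[2]`` (when present) its immediate parameter. Pure opcodes push
    expression tuples onto ``self.stack``; opcodes with side effects
    (memory/storage writes, logs, calls, variable creation) append a trace
    tuple to ``ret`` through ``trace``. Control-flow opcodes are rejected up
    front and must be handled by the caller.

    Raises:
        AssertionError: when ``op`` is a control-flow opcode, or when the
            resulting change in stack depth does not match
            ``opcode_dict.stack_diffs[op]``.
    """
    def trace(exp, *format_args):
        # Record one trace entry; string entries are formatted first.
        if '--verbose' in sys.argv:
            # otherwise breaks sometimes, e.g. 0x00a159d41a5bc12dce2f8AcA8e5BB5Beb8F6ABc8.update
            logger.debug("Trace: %s", str(exp).format(*format_args))
        if type(exp) == str:
            ret.append(exp.format(*format_args))
        else:
            ret.append(exp)

    def call_target(arg_start, arg_len):
        # Split a call's argument window into (selector, params): the first
        # 4 bytes are the function selector, the remainder its parameters.
        if arg_len == 0:
            return None, None
        fname = mem_load(arg_start, 4)
        if arg_len == 4:
            return fname, 0
        return fname, mem_load(add_op(arg_start, 4), sub_op(arg_len, 4))

    def new_var(value):
        # Bind `value` to a fresh `_N` variable and push a reference to it, so
        # later uses of the same load/hash share one node.
        self.counter += 1
        vname = f'_{self.counter}'
        trace(('setvar', vname, value))
        stack.append(('var', vname))

    stack = self.stack
    op = line[1]
    # depth before the opcode runs; checked against stack_diffs at the end
    previous_len = stack.len()

    if '--verbose' in sys.argv or '--explain' in sys.argv:
        trace(C.asm(' ' + str(stack)))
        trace('')
        if "push" not in op and "dup" not in op and "swap" not in op:
            trace('[{}] {}', line[0], C.asm(op))
        else:
            if type(line[2]) == str:
                trace('[{}] {} {}', line[0], C.asm(op), C.asm(" ”" + line[2] + "”"))
            elif line[2] > 0x1000000000:
                trace('[{}] {} {}', line[0], C.asm(op), C.asm(hex(line[2])))
            else:
                trace('[{}] {} {}', line[0], C.asm(op), C.asm(str(line[2])))

    assert op not in ['jump', 'jumpi', 'revert', 'return', 'stop', 'jumpdest']

    # immediate parameter (push value, dup/swap depth); 0 when absent
    param = 0
    if len(line) > 2:
        param = line[2]

    if op in ['exp', 'and', 'eq', 'div', 'lt', 'gt', 'slt', 'sgt', 'mod', 'xor', 'signextend', 'smod', 'sdiv']:
        stack.append(arithmetic.eval((op, stack.pop(), stack.pop(),)))
    elif op in ['mulmod', 'addmod']:
        # NOTE(review): both opcodes are recorded under the 'mulmod' tag — confirm
        # downstream passes do not need to tell addmod apart.
        stack.append(('mulmod', stack.pop(), stack.pop(), stack.pop()))
    elif op == 'mul':
        stack.append(mul_op(stack.pop(), stack.pop()))
    elif op == 'or':
        stack.append(or_op(stack.pop(), stack.pop()))
    elif op == 'shl':
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            # EIP-145: a shift count of 256 or more yields 0. The guard also keeps a
            # crafted count from the analysed bytecode from turning `exp << off`
            # into an enormous allocation.
            stack.append(exp << off if off < 256 else 0)
        else:
            stack.append(mask_op(exp, shl = off))
    elif op == 'shr':
        off = stack.pop()
        exp = stack.pop()
        if all_concrete(off, exp):
            # same EIP-145 rule as shl; `>>` by >= 256 is 0 for these values anyway
            stack.append(exp >> off if off < 256 else 0)
        else:
            stack.append(mask_op(exp, offset=minus_op(off), shr = off))
    elif op == 'add':
        stack.append(add_op(stack.pop(), stack.pop()))
    elif op == 'sub':
        left = stack.pop()
        right = stack.pop()
        # concrete operands are folded right away; anything else stays symbolic
        if type(left) == int and type(right) == int:
            stack.append(arithmetic.sub(left, right))
        else:
            stack.append(sub_op(left, right))
    elif op in ['not', 'iszero']:
        stack.append((op, stack.pop()))
    elif op == 'sha3':
        p = stack.pop()
        n = stack.pop()
        new_var(('sha3', mem_load(p, n), ))
    elif op == 'calldataload':
        stack.append(('cd', stack.pop(),))
    elif op == 'byte':
        val = stack.pop()
        num = stack.pop()
        # byte N counted from the most significant end
        off = sub_op(256, to_bytes(num))
        stack.append(mask_op(val, 8, off, shr=off))
    elif op == 'balance':
        addr = stack.pop()
        # strip a 160-bit address mask around the operand
        if opcode(addr) == 'mask_shl' and addr[:4] == ('mask_shl', 160, 0, 0):
            stack.append(('balance', addr[4],))
        else:
            stack.append(('balance', addr,))
    elif op == 'swap':
        stack.swap(param)
    elif op[:3] == 'log':
        p = stack.pop()
        s = stack.pop()
        # log0..log4: the digit is the number of topics to pop
        topics = [stack.pop() for _ in range(int(op[3]))]
        trace(('log', mem_load(p, s), ) + tuple(topics))
    elif op == 'sload':
        sloc = stack.pop()
        stack.append(('storage', 256, 0, sloc))
    elif op == 'sstore':
        sloc = stack.pop()
        val = stack.pop()
        trace(('store', 256, 0, sloc, val))
    elif op == 'mload':
        memloc = stack.pop()
        new_var(('mem', ('range', memloc, 32)))
    elif op == 'mstore':
        memloc = stack.pop()
        val = stack.pop()
        trace(('setmem', ('range', memloc, 32), val,))
    elif op == 'mstore8':
        memloc = stack.pop()
        val = stack.pop()
        trace(('setmem', ('range', memloc, 8), val,))
    elif op == 'extcodecopy':
        addr = stack.pop()
        mem_pos = stack.pop()
        code_pos = stack.pop()
        data_len = stack.pop()
        trace(('setmem', ('range', mem_pos, data_len), ('extcodecopy', addr, ('range', code_pos, data_len))))
    elif op == 'codecopy':
        mem_pos = stack.pop()
        call_pos = stack.pop()
        data_len = stack.pop()
        # concrete, in-range copies are folded into one big int; otherwise the
        # copy is recorded symbolically as code.data
        if (type(call_pos), type(data_len)) == (int, int) and call_pos + data_len < len(self.loader.binary):
            res = 0
            # NOTE(review): the window starts at call_pos - 1; when call_pos is 0
            # that is a negative index, which Python resolves to the last byte of
            # the binary instead of raising — verify the intended indexing
            # against loader.binary.
            for i in range(call_pos - 1, call_pos + data_len - 1):
                res = res << 8
                res += self.loader.binary[i]  # this breaks with out of range for some contracts
                # may be because we're usually getting compiled code binary
                # and not runtime binary
            trace(('setmem', ('range', mem_pos, data_len), res))  # ('bytes', data_len, res)))
        else:
            trace(('setmem', ('range', mem_pos, data_len), ('code.data', call_pos, data_len, ),))
    elif op == 'codesize':
        stack.append(len(self.loader.binary))
    elif op == 'calldatacopy':
        mem_pos = stack.pop()
        call_pos = stack.pop()
        data_len = stack.pop()
        # a zero-length copy leaves no trace
        if data_len != 0:
            call_data = ('call.data', call_pos, data_len)
            # call_data = mask_op(('call.data', bits(add_op(data_len, call_pos))), size=bits(data_len), shl=bits(call_pos))
            trace(('setmem', ('range', mem_pos, data_len), call_data))
    elif op == 'returndatacopy':
        mem_pos = stack.pop()
        ret_pos = stack.pop()
        data_len = stack.pop()
        if data_len != 0:
            return_data = ('ext_call.return_data', ret_pos, data_len)
            # return_data = mask_op(('ext_call.return_data', bits(add_op(data_len, ret_pos))), size=bits(data_len), shl=bits(ret_pos))
            trace(('setmem', ('range', mem_pos, data_len), return_data))
    elif op == 'call':
        self.handle_call(op, trace)
    elif op == 'staticcall':
        self.handle_call(op, trace)
    elif op == 'delegatecall':
        gas = stack.pop()
        addr = stack.pop()
        arg_start = stack.pop()
        arg_len = stack.pop()
        ret_start = stack.pop()
        ret_len = stack.pop()
        call_trace = ('delegatecall', gas, addr, )  # arg_start, arg_len, ret_start, ret_len)
        call_trace += call_target(arg_start, arg_len)
        trace(call_trace)
        self.call_len = ret_len
        stack.append('delegate.return_code')
        if ret_len != 0:
            return_data = ('delegate.return_data', 0, ret_len)
            trace(('setmem', ('range', ret_start, ret_len), return_data))
    elif op == 'callcode':
        gas = stack.pop()
        addr = stack.pop()
        value = stack.pop()
        arg_start = stack.pop()
        arg_len = stack.pop()
        ret_start = stack.pop()
        ret_len = stack.pop()
        call_trace = ('callcode', gas, addr, value, )
        call_trace += call_target(arg_start, arg_len)
        trace(call_trace)
        self.call_len = ret_len
        stack.append('callcode.return_code')
        if ret_len != 0:
            return_data = ('callcode.return_data', 0, ret_len)
            trace(('setmem', ('range', ret_start, ret_len), return_data))
    elif op == 'create':
        wei, mem_start, mem_len = stack.pop(), stack.pop(), stack.pop()
        code = mem_load(mem_start, mem_len)
        trace(('create', wei, code))
        stack.append('create.new_address')
    elif op == 'create2':
        wei, mem_start, mem_len, salt = stack.pop(), stack.pop(), stack.pop(), stack.pop()
        trace(('create2', wei, ('mem', ('range', mem_start, mem_len)), salt))
        stack.append('create2.new_address')
    elif op[:4] == 'push':
        stack.append(param)
    elif op == 'pc':
        stack.append(line[0])
    elif op == 'pop':
        stack.pop()
    elif op == 'dup':
        stack.dup(param)
    elif op == 'msize':
        new_var('msize')
    elif op in ('extcodesize', 'extcodehash', 'blockhash'):
        stack.append((op, stack.pop(),))
    elif op in ['callvalue', 'caller', 'address', 'number', 'gas', 'origin', 'timestamp', 'difficulty', 'gasprice', 'coinbase', 'gaslimit', 'calldatasize', 'returndatasize']:
        # environment opcodes are pushed as their own name
        stack.append(op)

    # every handler must move the stack by exactly the opcode's documented delta
    if stack.len() - previous_len != opcode_dict.stack_diffs[op]:
        logger.error('line: %s', line)
        logger.error('stack: %s', stack)
        # was `org_len`, an undefined name, so this path raised NameError
        # instead of reporting the mismatch
        logger.error('expected %s, got %s stack diff', opcode_dict.stack_diffs[op], stack.len() - previous_len)
        assert False, f'opcode {op} not processed correctly'

    stack.cleanup()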