def handle(self, cur_addr):
cur_addr = canonize_to_exprloc(self.ir_arch.loc_db, cur_addr)
symb_pc = self.eval_expr(self.ir_arch.IRDst)
possibilities = possible_values(symb_pc)
cur_path_constraint = set() # path_constraint for the concrete path
if len(possibilities) == 1:
dst = next(iter(possibilities)).value
dst = canonize_to_exprloc(self.ir_arch.loc_db, dst)
assert dst == cur_addr
else:
for possibility in possibilities:
target_addr = canonize_to_exprloc(self.ir_arch.loc_db,
possibility.value)
path_constraint = set(
) # Set of ExprAssign for the possible path
# Get constraint associated to the possible path
memory_to_add = ModularIntervals(symb_pc.size)
for cons in possibility.constraints:
eaff = cons.to_constraint()
# eaff.get_r(mem_read=True) is not enough
# ExprAssign consider a Memory access in dst as a write
mem = eaff.dst.get_r(mem_read=True)
mem.update(eaff.src.get_r(mem_read=True))
for expr in mem:
if expr.is_mem():
addr_range = expr_range(expr.ptr)
# At upper bounds, add the size of the memory access
# if addr (- [a, b], then @size[addr] reachables
# values are in @8[a, b + size[
for start, stop in addr_range:
stop += expr.size // 8 - 1
full_range = ModularIntervals(
symb_pc.size, [(start, stop)])
memory_to_add.update(full_range)
path_constraint.add(eaff)
if memory_to_add.length > self.MAX_MEMORY_INJECT:
# TODO re-croncretize the constraint or z3-try
raise RuntimeError("Not implemented: too long memory area")
# Inject memory
for start, stop in memory_to_add:
for address in range(start, stop + 1):
expr_mem = ExprMem(
ExprInt(address, self.ir_arch.pc.size), 8)
value = self.eval_expr(expr_mem)
if not value.is_int():
raise TypeError("Rely on a symbolic memory case, " \
"address 0x%x" % address)
path_constraint.add(ExprAssign(expr_mem, value))
if target_addr == cur_addr:
# Add path constraint
cur_path_constraint = path_constraint
elif self.produce_solution(target_addr):
# Looking for a new solution
self.cur_solver.push()
for cons in path_constraint:
trans = self.z3_trans.from_expr(cons)
trans = z3.simplify(trans)
self.cur_solver.add(trans)
result = self.cur_solver.check()
if result == z3.sat:
model = self.cur_solver.model()
self.handle_solution(model, target_addr)
self.cur_solver.pop()
self.handle_correct_destination(cur_addr, cur_path_constraint)
ExprOp("<<<", a[1:2].zeroExtend(8) + ExprInt(1, 8), ExprCond(a[0:1], ExprInt(5, 8), ExprInt(18, 8))),
ExprOp(">>>", ExprInt(4, 8), ExprInt(1, 8)),
ExprOp(">>>", ExprInt(4, 8), ExprInt(14, 8)),
ExprOp(">>>", ExprInt(4, 8), a),
ExprOp(">>>", a, ExprInt(4, 8)),
ExprOp(">>>", a, a),
ExprOp(">>>", a[1:2].zeroExtend(8) + ExprInt(1, 8), ExprCond(a[0:1], ExprInt(5, 8), ExprInt(18, 8))),
# Fuzzed by ExprRandom, with previous bug
ExprSlice(ExprSlice(ExprOp('<<<', ExprInt(0x7FBE84D6, 51), ExprId('WYBZj', 51)), 6, 48), 3, 35),
ExprOp('>>>', ExprOp('-', ExprOp('&', ExprInt(0x347384F7, 32), ExprId('oIkka', 32), ExprId('jSfOB', 32), ExprId('dUXBp', 32), ExprInt(0x7169DEAA, 32))), ExprId('kMVuR', 32)),
ExprOp('|', ExprInt(0x94A3AB47, 32), ExprCompose(ExprId('dTSkf', 21), ExprOp('>>', ExprInt(0x24, 8), ExprId('HTHES', 8)), ExprId('WHNIZ', 1), ExprMem(ExprInt(0x100, 9), 1), ExprId('kPQck', 1))),
ExprOp('<<<', ExprOp('<<<', ExprCompose(ExprId('OOfuB', 6), ExprInt(0x24, 11), ExprInt(0xE8C, 12), ExprId('jbUWR', 1), ExprInt(0x2, 2)), ExprId('mLlTH', 32)), ExprInt(0xE600B6B2, 32)),
]:
computed_range = expr_range(expr)
print(expr, computed_range)
# Trivia checks
assert all(x[1] < (1 << expr.size) for x in computed_range)
# Check against z3
s = z3.Solver()
cond = []
## Constraint expr to be in computed intervals
z3_expr = trans.from_expr(expr)
for mini, maxi in computed_range:
cond.append(z3.And(z3.ULE(mini, z3_expr), z3.ULE(z3_expr, maxi)))
## Ask for a solution outside intervals (should not exists)
ExprOp("<<<", a[1:2].zeroExtend(8) + ExprInt(1, 8), ExprCond(a[0:1], ExprInt(5, 8), ExprInt(18, 8))),
ExprOp(">>>", ExprInt(4, 8), ExprInt(1, 8)),
ExprOp(">>>", ExprInt(4, 8), ExprInt(14, 8)),
ExprOp(">>>", ExprInt(4, 8), a),
ExprOp(">>>", a, ExprInt(4, 8)),
ExprOp(">>>", a, a),
ExprOp(">>>", a[1:2].zeroExtend(8) + ExprInt(1, 8), ExprCond(a[0:1], ExprInt(5, 8), ExprInt(18, 8))),
# Fuzzed by ExprRandom, with previous bug
ExprSlice(ExprSlice(ExprOp('<<<', ExprInt(0x7FBE84D6, 51), ExprId('WYBZj', 51)), 6, 48), 3, 35),
ExprOp('>>>', ExprOp('-', ExprOp('&', ExprInt(0x347384F7, 32), ExprId('oIkka', 32), ExprId('jSfOB', 32), ExprId('dUXBp', 32), ExprInt(0x7169DEAA, 32))), ExprId('kMVuR', 32)),
ExprOp('|', ExprInt(0x94A3AB47, 32), ExprCompose(ExprId('dTSkf', 21), ExprOp('>>', ExprInt(0x24, 8), ExprId('HTHES', 8)), ExprId('WHNIZ', 1), ExprMem(ExprInt(0x100, 9), 1), ExprId('kPQck', 1))),
ExprOp('<<<', ExprOp('<<<', ExprCompose(ExprId('OOfuB', 6), ExprInt(0x24, 11), ExprInt(0xE8C, 12), ExprId('jbUWR', 1), ExprInt(0x2, 2)), ExprId('mLlTH', 32)), ExprInt(0xE600B6B2, 32)),
]:
computed_range = expr_range(expr)
print(expr, computed_range)
# Trivia checks
assert all(x[1] < (1 << expr.size) for x in computed_range)
# Check against z3
s = z3.Solver()
cond = []
## Constraint expr to be in computed intervals
z3_expr = trans.from_expr(expr)
for mini, maxi in computed_range:
cond.append(z3.And(z3.ULE(mini, z3_expr),
z3.ULE(z3_expr, maxi)))
def handle(self, cur_addr):
cur_addr = self.ir_arch.loc_db.canonize_to_exprloc(cur_addr)
symb_pc = self.eval_expr(self.ir_arch.IRDst)
possibilities = possible_values(symb_pc)
cur_path_constraint = set() # path_constraint for the concrete path
if len(possibilities) == 1:
dst = next(iter(possibilities)).value
dst = self.ir_arch.loc_db.canonize_to_exprloc(dst)
assert dst == cur_addr
else:
for possibility in possibilities:
target_addr = self.ir_arch.loc_db.canonize_to_exprloc(
possibility.value
)
path_constraint = set() # Set of ExprAssign for the possible path
# Get constraint associated to the possible path
memory_to_add = ModularIntervals(symb_pc.size)
for cons in possibility.constraints:
eaff = cons.to_constraint()
# eaff.get_r(mem_read=True) is not enough
# ExprAssign consider a Memory access in dst as a write
mem = eaff.dst.get_r(mem_read=True)
mem.update(eaff.src.get_r(mem_read=True))
for expr in mem:
if expr.is_mem():
addr_range = expr_range(expr.ptr)
# At upper bounds, add the size of the memory access
# if addr (- [a, b], then @size[addr] reachables
# values are in @8[a, b + size[
for start, stop in addr_range:
stop += expr.size // 8 - 1
full_range = ModularIntervals(
symb_pc.size,
[(start, stop)]
)
memory_to_add.update(full_range)
path_constraint.add(eaff)
if memory_to_add.length > self.MAX_MEMORY_INJECT:
# TODO re-croncretize the constraint or z3-try
raise RuntimeError("Not implemented: too long memory area")
# Inject memory
for start, stop in memory_to_add:
for address in range(start, stop + 1):
expr_mem = ExprMem(ExprInt(address,
self.ir_arch.pc.size),
8)
value = self.eval_expr(expr_mem)
if not value.is_int():
raise TypeError("Rely on a symbolic memory case, " \
"address 0x%x" % address)
path_constraint.add(ExprAssign(expr_mem, value))
if target_addr == cur_addr:
# Add path constraint
cur_path_constraint = path_constraint
elif self.produce_solution(target_addr):
# Looking for a new solution
self.cur_solver.push()
for cons in path_constraint:
trans = self.z3_trans.from_expr(cons)
trans = z3.simplify(trans)
self.cur_solver.add(trans)
result = self.cur_solver.check()
if result == z3.sat:
model = self.cur_solver.model()
self.handle_solution(model, target_addr)
self.cur_solver.pop()
self.handle_correct_destination(cur_addr, cur_path_constraint)