def disassemble(self, addr=None): if not addr is None: pc = addr else: pc = self.read_reg(self.pc) inst = triton.Instruction() inst_code = self.get_area(pc, 16) inst.setOpcode(inst_code) inst.setAddress(pc) self.tc.disassembly(inst) return inst
def process_inst(self, pc=None): _pc = self.get_current_pc() if pc: _pc = pc opcodes = triton.getConcreteMemoryAreaValue(_pc, 16) # Create the Triton instruction inst = triton.Instruction() inst.setOpcodes(opcodes) inst.setAddress(_pc) # execute instruction triton.processing(inst) return inst
def process_inst(self, pc=None): _pc = self.get_current_pc() if pc: _pc = pc opcodes = self.read_mem(_pc, 16) # Create the Triton instruction inst = triton.Instruction() inst.setOpcode(opcodes) inst.setAddress(_pc) # execute instruction self.triton.processing(inst) return inst
def disassemble_inst(self, pc=None): _pc = self.get_current_pc() if pc: _pc = pc opcodes = triton.getConcreteMemoryAreaValue(_pc, 16) # Create the Triton instruction inst = triton.Instruction() inst.setOpcodes(opcodes) inst.setAddress(_pc) # disassemble instruction triton.disassembly(inst) return inst
def disassemble_inst(self, pc=None): _pc = self.get_current_pc() if pc: _pc = pc opcodes = self.read_mem(_pc, 16) # Create the Triton instruction inst = triton.Instruction() inst.setOpcode(opcodes) inst.setAddress(_pc) # disassemble instruction self.triton.disassembly(inst) return inst
def process(self, addr=None): if not addr is None: pc = addr else: pc = self.read_reg(self.pc) inst = triton.Instruction() inst_code = self.get_area(pc, 16) inst.setOpcode(inst_code) inst.setAddress(pc) if not self.tc.processing(inst): raise UnmanagedInstruction(inst) for se in inst.getSymbolicExpressions(): se.setComment(str(inst)) return inst
def hook_opcode(ql, address, size): global cs # Read instruction. buf = ql.mem.read(address, size) instruction = next(cs.disasm(buf, address)) for tainter in ql.tainters.values(): tainter.instruction_hook(ql, instruction) # Sync Triton and Qiling. tainter.sync(ql) # Process instruction, propagate taint. inst = triton.Instruction() inst.setAddress(address) inst.setOpcode(bytes(buf)) tainter.triton_ctx.processing(inst)
def test_urem(self): code = [ "\xbf\xAB\x00\x00\x00", # mov edi, 0xAB "\xf7\xff", # idiv edi "\x83\xfa\x00" # cmp edx, 0x00 ] TT.setArchitecture(TT.ARCH.X86_64) rax = TT.convertRegisterToSymbolicVariable(TT.REG.RAX) rax = tritonast2arybo(TAst.variable(rax)) rdx = TT.convertRegisterToSymbolicVariable(TT.REG.RDX) rdx = tritonast2arybo(TAst.variable(rdx)) for opcodes in code: inst = TT.Instruction(opcodes) TT.processing(inst) exprs = TT.sliceExpressions(TT.getSymbolicRegisters()[TT.REG.RDX]) e = tritonexprs2arybo(exprs) to_llvm_function(e, [rax.v, rdx.v])
def hook_opcode(ql, address, size): global cs # Read instruction. buf = ql.mem.read(address, size) instruction = next(cs.disasm(buf, address)) # We are looking for instructions which decrement the stack pointer. (should_taint, decrement) = is_rsp_decrement(instruction) if should_taint: # Taint all stack memory from current rsp to new rsp. set_taint_range(ql, ql.reg.arch_sp - decrement, ql.reg.arch_sp, True) # Sync Triton and Qiling. sync_triton_ctx(ql) # Process instruction, propagate taint. inst = triton.Instruction() inst.setAddress(address) inst.setOpcode(bytes(buf)) ql.triton_ctx.processing(inst)
import triton as TT from arybo.tools import triton2arybo TT.setArchitecture(TT.ARCH.X86_64) TT.convertRegisterToSymbolicVariable(TT.REG.RAX) TT.convertRegisterToSymbolicVariable(TT.REG.RBX) inst = TT.Instruction() inst.setOpcodes("\x48\x31\xd8") # xor rax, rbx TT.processing(inst) rax_ast = TT.buildSymbolicRegister(TT.REG.RAX) rax_ast = TT.getFullAst(rax_ast) print(rax_ast) e = triton2arybo(rax_ast) print(e)
def test_exprs_xor_5C(self): # Based on djo's example # This is the xor_5C example compiled with optimisations for x86-4 code = [ "\x41\xB8\xE5\xFF\xFF\xFF", "\x89\xF8", "\xBA\x26\x00\x00\x00", "\x41\x0F\xAF\xC0", "\xB9\xED\xFF\xFF\xFF", "\x89\xC7", "\x89\xD0", "\x83\xEF\x09", "\x0F\xAF\xC7", "\x89\xC2", "\x89\xF8", "\x0F\xAF\xC1", "\xB9\x4B\x00\x00\x00", "\x8D\x44\x02\x2A", "\x0F\xB6\xC0", "\x89\xC2", "\xF7\xDA", "\x8D\x94\x12\xFF\x00\x00\x00", "\x81\xE2\xFE\x00\x00\x00", "\x01\xD0", "\x8D\x14\x00", "\x8D\x54\x02\x4D", "\x0F\xB6\xF2", "\x6B\xF6\x56", "\x83\xC6\x24", "\x83\xE6\x46", "\x89\xF0", "\x0F\xAF\xC1", "\xB9\xE7\xFF\xFF\xFF", "\x89\xC6", "\x89\xD0", "\xBA\x3A\x00\x00\x00", "\x0F\xAF\xC1", "\x89\xC1", "\x89\xD0", "\x8D\x4C\x0E\x76", "\xBE\x63\x00\x00\x00", "\x0F\xAF\xC1", "\x89\xC2", "\x89\xC8", "\x0F\xAF\xC6", "\x83\xEA\x51", "\xBE\x2D\x00\x00\x00", "\x83\xE2\xF4", "\x89\xC1", "\x8D\x4C\x0A\x2E", "\x89\xC8", "\x25\x94\x00\x00\x00", "\x01\xC0", "\x29\xC8", "\xB9\x67\x00\x00\x00", "\x0F\xAF\xC1", "\x8D\x48\x0D", "\x0F\xB6\xD1", "\x69\xD2\xAE\x00\x00\x00", "\x83\xCA\x22", "\x89\xD0", "\x41\x0F\xAF\xC0", "\x89\xC2", "\x89\xC8", "\x0F\xAF\xC6", "\x8D\x44\x02\xC2", "\x0F\xB6\xC0", "\x2D\xF7\x00\x00\x00", "\x69\xC0\xED\x00\x00\x00", "\x0F\xB6\xC0", ] TT.setArchitecture(TT.ARCH.X86_64) rdi = TT.convertRegisterToSymbolicVariable(TT.REG.RDI) rdi = tritonast2arybo(TAst.variable(rdi), use_exprs=False) for opcodes in code: inst = TT.Instruction(opcodes) TT.processing(inst) rax_ast = TT.buildSymbolicRegister(TT.REG.RAX) rax_ast = TT.getFullAst(rax_ast) rax_ast = TT.simplify(rax_ast, True) # Check that this gives a xor 5C e = tritonast2arybo(rax_ast, use_exprs=self.use_expr, use_esf=False) if self.use_expr: e = eval_expr(e) self.assertEqual(e, ((rdi & 0xff) ^ 0x5C).vec)
def loadBinary(path): import lief binary = lief.parse(path) phdrs = binary.segments for phdr in phdrs: ctx.setConcreteMemoryAreaValue(phdr.virtual_address, phdr.content) return loadBinary(BPATH) pc = ENTRYPOINT while (pc): oc = ctx.getConcreteMemoryAreaValue(pc, 16) inst = triton.Instruction() inst.setOpcode(oc) inst.setAddress(pc) ctx.processing(inst) if inst.getAddress() == SOURCE: ctx.taintRegister(ctx.getRegister(triton.REG.X86_64.RDI)) print("[!] Tainting register rdi") if inst.getAddress() == SINK: print("[!] After instruction xor rdi, rdi") if ctx.isRegisterTainted(ctx.getRegister(triton.REG.X86_64.RDI)): print("[!] Register rdi is still tainted") else: print("[!] Register rdi was sanitized")