def test_backup(self):
"""
Check Symbolics value are saved when engine is disable.
* Also check reseting a disable symbolic engines doesn't crash.
"""
inst = Instruction()
# update RAX
inst.setOpcodes("\x48\xFF\xC0")
processing(inst)
self.assertEqual(getSymbolicRegisterValue(REG.RAX), 1)
# This call triton::api.backupSymbolicEngine()
enableSymbolicEngine(False)
inst = Instruction()
# update RAX again
inst.setOpcodes("\x48\xFF\xC0")
processing(inst)
self.assertEqual(getConcreteRegisterValue(REG.RAX), 2, "concrete value is updated")
self.assertEqual(getSymbolicRegisterValue(REG.RAX), 1, "Symbolic value is not update")
# Try to reset engine after a backup to test if the bug #385 is fixed.
resetEngines()
def setUp(self):
"""Define and process the instruction to test."""
setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcodes("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.inst.updateContext(Register(REG.RAX, 0x1122334455667788))
self.inst.updateContext(Register(REG.RBX, 0x8877665544332211))
processing(self.inst)
def test_load_ds(self):
"""Check load from ds segment."""
setArchitecture(ARCH.X86)
inst = Instruction()
# mov ax, ds:word_40213C
inst.setOpcodes("\x66\xA1\x3C\x21\x40\x00")
processing(inst)
self.assertEqual(inst.getOperands()[1].getAddress(), 0x40213C)
self.assertEqual(inst.getOperands()[1].getBitSize(), 16)
def test_known_issues(self):
"""Check tainting result after processing."""
setArchitecture(ARCH.X86)
taintRegister(REG.EAX)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcodes("\x8D\x04\x06")
processing(inst)
self.assertTrue(isRegisterTainted(REG.EAX))
self.assertFalse(isRegisterTainted(REG.EBX))
def test_known_issues(self):
"""Check tainting result after processing."""
setArchitecture(ARCH.X86)
taintRegister(REG.EAX)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcodes("\x8D\x04\x06")
processing(inst)
self.assertTrue(isRegisterTainted(REG.EAX))
self.assertFalse(isRegisterTainted(REG.EBX))
def process_inst(self, pc=None):
_pc = self.get_current_pc()
if pc:
_pc = pc
opcodes = self.read_mem(_pc, 16)
# Create the Triton instruction
inst = triton.Instruction()
inst.setOpcodes(opcodes)
inst.setAddress(_pc)
# execute instruction
triton.processing(inst)
return inst
def process_inst(self, pc=None):
_pc = self.get_current_pc()
if pc:
_pc = pc
opcodes = triton.getConcreteMemoryAreaValue(_pc, 16)
# Create the Triton instruction
inst = triton.Instruction()
inst.setOpcodes(opcodes)
inst.setAddress(_pc)
# execute instruction
triton.processing(inst)
return inst
def test_load_immediate_fs(self):
"""Check load from fs segment with immediate."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov eax, DWORD PTR fs:0xffffffffffffdf98
inst.setOpcodes("\x64\x8B\x04\x25\x98\xDF\xFF\xFF")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9698)
self.assertEqual(load.getBitSize(), 32)
def test_load_indirect_fs(self):
"""Check load from fs with indirect address."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov rax, QWORD PTR fs:[rax]
inst.setOpcodes("\x64\x48\x8B\x00")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
setConcreteRegisterValue(Register(REG.RAX, 0xffffffffffffdf90))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9690)
self.assertEqual(load.getBitSize(), 64)
def emulate(self, pc):
"""
Emulate every opcodes from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then set the new correct value and keep going.
"""
while pc:
# Fetch opcodes
opcodes = getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Process
processing(instruction)
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = getSymbolicExpressionFromId(
getSymbolicRegisterId(REG.RAX))
eax = ast.extract(31, 0, rax.getAst())
# Define constraint
cstr = ast.assert_(
ast.land(getPathConstraintsAst(),
ast.equal(eax, ast.bv(1, 32))))
model = getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
getSymbolicVariableFromId(k).setConcreteValue(value)
# Next
pc = getConcreteRegisterValue(REG.RIP)
return solution
def test_urem(self):
code = [
"\xbf\xAB\x00\x00\x00", # mov edi, 0xAB
"\xf7\xff", # idiv edi
"\x83\xfa\x00" # cmp edx, 0x00
]
TT.setArchitecture(TT.ARCH.X86_64)
rax = TT.convertRegisterToSymbolicVariable(TT.REG.RAX)
rax = tritonast2arybo(TAst.variable(rax))
rdx = TT.convertRegisterToSymbolicVariable(TT.REG.RDX)
rdx = tritonast2arybo(TAst.variable(rdx))
for opcodes in code:
inst = TT.Instruction(opcodes)
TT.processing(inst)
exprs = TT.sliceExpressions(TT.getSymbolicRegisters()[TT.REG.RDX])
e = tritonexprs2arybo(exprs)
to_llvm_function(e, [rax.v, rdx.v])
def emulate(self, pc):
"""
Emulate every opcodes from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then set the new correct value and keep going.
"""
while pc:
# Fetch opcodes
opcodes = getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Process
processing(instruction)
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = getSymbolicExpressionFromId(getSymbolicRegisterId(REG.RAX))
eax = ast.extract(31, 0, rax.getAst())
# Define constraint
cstr = ast.assert_(ast.land(getPathConstraintsAst(), ast.equal(eax, ast.bv(1, 32))))
model = getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
getSymbolicVariableFromId(k).setConcreteValue(value)
# Next
pc = getConcreteRegisterValue(REG.RIP)
return solution
def test_emulate(self, concretize=False):
"""Run a dumped simulation and check output registers."""
# Get dumped data
dump = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
with open(dump) as f:
regs, mems = eval(f.read())
# Load memory
for mem in mems:
start = mem['start']
if mem['memory'] is not None:
setConcreteMemoryAreaValue(start, bytearray(mem['memory']))
# setup registers
for reg_name in ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp",
"rsp", "rip", "r8", "r9", "r10", "r11", "r12", "r13",
"r14", "eflags", "xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7", "xmm8", "xmm9",
"xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"):
setConcreteRegisterValue(
Register(getattr(REG, reg_name.upper()), regs[reg_name]))
# run the code
pc = getConcreteRegisterValue(REG.RIP)
while pc != 0x409A18:
opcodes = getConcreteMemoryAreaValue(pc, 20)
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Check if triton doesn't supports this instruction
self.assertTrue(processing(instruction))
pc = getConcreteRegisterValue(REG.RIP)
if concretize:
concretizeAllMemory()
concretizeAllRegister()
rax = getConcreteRegisterValue(REG.RAX)
rbx = getConcreteRegisterValue(REG.RBX)
rcx = getConcreteRegisterValue(REG.RCX)
rdx = getConcreteRegisterValue(REG.RDX)
rsi = getConcreteRegisterValue(REG.RSI)
self.assertEqual(rax, 0)
self.assertEqual(rbx, 0)
self.assertEqual(rcx, 0)
self.assertEqual(rdx, 0x4d2)
self.assertEqual(rsi, 0x3669000000000000)
def test_emulate(self, concretize=False):
"""Run a dumped simulation and check output registers."""
# Get dumped data
dump = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
with open(dump) as f:
regs, mems = eval(f.read())
# Load memory
for mem in mems:
start = mem['start']
if mem['memory'] is not None:
setConcreteMemoryAreaValue(start, bytearray(mem['memory']))
# setup registers
for reg_name in ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp",
"rsp", "rip", "r8", "r9", "r10", "r11", "r12", "r13",
"r14", "eflags", "xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7", "xmm8", "xmm9",
"xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"):
setConcreteRegisterValue(Register(getattr(REG, reg_name.upper()), regs[reg_name]))
# run the code
pc = getConcreteRegisterValue(REG.RIP)
while pc != 0x409A18:
opcodes = getConcreteMemoryAreaValue(pc, 20)
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Check if triton doesn't supports this instruction
self.assertTrue(processing(instruction))
pc = getConcreteRegisterValue(REG.RIP)
if concretize:
concretizeAllMemory()
concretizeAllRegister()
rax = getConcreteRegisterValue(REG.RAX)
rbx = getConcreteRegisterValue(REG.RBX)
rcx = getConcreteRegisterValue(REG.RCX)
rdx = getConcreteRegisterValue(REG.RDX)
rsi = getConcreteRegisterValue(REG.RSI)
self.assertEqual(rax, 0)
self.assertEqual(rbx, 0)
self.assertEqual(rcx, 0)
self.assertEqual(rdx, 0x4d2)
self.assertEqual(rsi, 0x3669000000000000)
def test_pop(self):
"""Check the pop instruction processing."""
setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction('\xBC\x00\xFE\x19\x00')
# mov edi, 0x19fe00
inst2 = Instruction('\xBF\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst3 = Instruction('\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [edi]
inst4 = Instruction('\x8F\x07')
processing(inst1)
processing(inst2)
processing(inst3)
processing(inst4)
self.assertEqual(inst4.getOperands()[0].getAddress(), 0x19fe00, "poping edi doesn't change it")
self.assertEqual(inst4.getOperands()[0].getConcreteValue(), 0x11111111, "pointed value in edi is the previously pointed value by esp")
self.assertEqual(inst4.getStoreAccess()[0][0].getAddress(), 0x19fe00, "inst4 store the new value in 0x19fe00 (edi value)")
self.assertEqual(inst4.getStoreAccess()[0][1].evaluate(), 0x11111111, "The stored value is 0x11111111")
def test_pop_esp(self):
"""Check pop on esp processing."""
setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction('\xBC\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst2 = Instruction('\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [esp]
inst3 = Instruction('\x8F\x04\x24')
processing(inst1)
processing(inst2)
processing(inst3)
self.assertEqual(inst3.getOperands()[0].getAddress(), 0x19fe04, "esp has been poped")
self.assertEqual(inst3.getOperands()[0].getConcreteValue(), 0x11111111, "new value is still 0x11111111")
self.assertEqual(inst3.getStoreAccess()[0][0].getAddress(), 0x19fe04, "inst3 set the value in 0x19fe04")
self.assertEqual(inst3.getStoreAccess()[0][1].evaluate(), 0x11111111, "And this value is 0x11111111")
import triton as TT
from arybo.tools import triton2arybo
TT.setArchitecture(TT.ARCH.X86_64)
TT.convertRegisterToSymbolicVariable(TT.REG.RAX)
TT.convertRegisterToSymbolicVariable(TT.REG.RBX)
inst = TT.Instruction()
inst.setOpcodes("\x48\x31\xd8") # xor rax, rbx
TT.processing(inst)
rax_ast = TT.buildSymbolicRegister(TT.REG.RAX)
rax_ast = TT.getFullAst(rax_ast)
print(rax_ast)
e = triton2arybo(rax_ast)
print(e)
def seed_emulate(self, ip):
"""Emulate one run of the function with already setup memory."""
function = {
# <serial> function
# push rbp
0x40056d: "\x55",
# mov rbp,rsp
0x40056e: "\x48\x89\xe5",
# mov QWORD PTR [rbp-0x18],rdi
0x400571: "\x48\x89\x7d\xe8",
# mov DWORD PTR [rbp-0x4],0x0
0x400575: "\xc7\x45\xfc\x00\x00\x00\x00",
# jmp 4005bd <check+0x50>
0x40057c: "\xeb\x3f",
# mov eax,DWORD PTR [rbp-0x4]
0x40057e: "\x8b\x45\xfc",
# movsxd rdx,eax
0x400581: "\x48\x63\xd0",
# mov rax,QWORD PTR [rbp-0x18]
0x400584: "\x48\x8b\x45\xe8",
# add rax,rdx
0x400588: "\x48\x01\xd0",
# movzx eax,BYTE PTR [rax]
0x40058b: "\x0f\xb6\x00",
# movsx eax,al
0x40058e: "\x0f\xbe\xc0",
# sub eax,0x1
0x400591: "\x83\xe8\x01",
# xor eax,0x55
0x400594: "\x83\xf0\x55",
# mov ecx,eax
0x400597: "\x89\xc1",
# mov rdx,QWORD PTR [rip+0x200aa0] # 601040 <serial>
0x400599: "\x48\x8b\x15\xa0\x0a\x20\x00",
# mov eax,DWORD PTR [rbp-0x4]
0x4005a0: "\x8b\x45\xfc",
# cdqe
0x4005a3: "\x48\x98",
# add rax,rdx
0x4005a5: "\x48\x01\xd0",
# movzx eax,BYTE PTR [rax]
0x4005a8: "\x0f\xb6\x00",
# movsx eax,al
0x4005ab: "\x0f\xbe\xc0",
# cmp ecx,eax
0x4005ae: "\x39\xc1",
# je 4005b9 <check+0x4c>
0x4005b0: "\x74\x07",
# mov eax,0x1
0x4005b2: "\xb8\x01\x00\x00\x00",
# jmp 4005c8 <check+0x5b>
0x4005b7: "\xeb\x0f",
# add DWORD PTR [rbp-0x4],0x1
0x4005b9: "\x83\x45\xfc\x01",
# cmp DWORD PTR [rbp-0x4],0x4
0x4005bd: "\x83\x7d\xfc\x04",
# jle 40057e <check+0x11>
0x4005c1: "\x7e\xbb",
# mov eax,0x0
0x4005c3: "\xb8\x00\x00\x00\x00",
# pop rbp
0x4005c8: "\x5d",
# ret
0x4005c9: "\xc3",
}
while ip in function:
# Build an instruction
inst = Instruction()
# Setup opcodes
inst.setOpcodes(function[ip])
# Setup Address
inst.setAddress(ip)
# Process everything
processing(inst)
# Next instruction
ip = buildSymbolicRegister(REG.RIP).evaluate()
def test_exprs_xor_5C(self):
# Based on djo's example
# This is the xor_5C example compiled with optimisations for x86-4
code = [
"\x41\xB8\xE5\xFF\xFF\xFF",
"\x89\xF8",
"\xBA\x26\x00\x00\x00",
"\x41\x0F\xAF\xC0",
"\xB9\xED\xFF\xFF\xFF",
"\x89\xC7",
"\x89\xD0",
"\x83\xEF\x09",
"\x0F\xAF\xC7",
"\x89\xC2",
"\x89\xF8",
"\x0F\xAF\xC1",
"\xB9\x4B\x00\x00\x00",
"\x8D\x44\x02\x2A",
"\x0F\xB6\xC0",
"\x89\xC2",
"\xF7\xDA",
"\x8D\x94\x12\xFF\x00\x00\x00",
"\x81\xE2\xFE\x00\x00\x00",
"\x01\xD0",
"\x8D\x14\x00",
"\x8D\x54\x02\x4D",
"\x0F\xB6\xF2",
"\x6B\xF6\x56",
"\x83\xC6\x24",
"\x83\xE6\x46",
"\x89\xF0",
"\x0F\xAF\xC1",
"\xB9\xE7\xFF\xFF\xFF",
"\x89\xC6",
"\x89\xD0",
"\xBA\x3A\x00\x00\x00",
"\x0F\xAF\xC1",
"\x89\xC1",
"\x89\xD0",
"\x8D\x4C\x0E\x76",
"\xBE\x63\x00\x00\x00",
"\x0F\xAF\xC1",
"\x89\xC2",
"\x89\xC8",
"\x0F\xAF\xC6",
"\x83\xEA\x51",
"\xBE\x2D\x00\x00\x00",
"\x83\xE2\xF4",
"\x89\xC1",
"\x8D\x4C\x0A\x2E",
"\x89\xC8",
"\x25\x94\x00\x00\x00",
"\x01\xC0",
"\x29\xC8",
"\xB9\x67\x00\x00\x00",
"\x0F\xAF\xC1",
"\x8D\x48\x0D",
"\x0F\xB6\xD1",
"\x69\xD2\xAE\x00\x00\x00",
"\x83\xCA\x22",
"\x89\xD0",
"\x41\x0F\xAF\xC0",
"\x89\xC2",
"\x89\xC8",
"\x0F\xAF\xC6",
"\x8D\x44\x02\xC2",
"\x0F\xB6\xC0",
"\x2D\xF7\x00\x00\x00",
"\x69\xC0\xED\x00\x00\x00",
"\x0F\xB6\xC0",
]
TT.setArchitecture(TT.ARCH.X86_64)
rdi = TT.convertRegisterToSymbolicVariable(TT.REG.RDI)
rdi = tritonast2arybo(TAst.variable(rdi), use_exprs=False)
for opcodes in code:
inst = TT.Instruction(opcodes)
TT.processing(inst)
rax_ast = TT.buildSymbolicRegister(TT.REG.RAX)
rax_ast = TT.getFullAst(rax_ast)
rax_ast = TT.simplify(rax_ast, True)
# Check that this gives a xor 5C
e = tritonast2arybo(rax_ast, use_exprs=self.use_expr, use_esf=False)
if self.use_expr:
e = eval_expr(e)
self.assertEqual(e, ((rdi & 0xff) ^ 0x5C).vec)
def test_mix_high_low_register(self):
"""Check operation on lower and higher register."""
setArchitecture(ARCH.X86_64)
inst = Instruction("\x00\xDC") # add ah,bl
processing(inst)
def test_mov_xmm_to_memory(self):
"""Check move and xmm register to memory do not crash."""
setArchitecture(ARCH.X86_64)
# movhpd QWORD PTR [rax], xmm1
processing(Instruction("\x66\x0F\x17\x08"))
# movhpd xmm1, QWORD PTR [rax]
processing(Instruction("\x66\x0F\x16\x08"))
# movhps QWORD PTR [rax], xmm1
processing(Instruction("\x0F\x17\x08"))
# movhps xmm1, QWORD PTR [rax]
processing(Instruction("\x0F\x16\x08"))
# movlpd QWORD PTR [rax], xmm1
processing(Instruction("\x66\x0F\x13\x08"))
# movlpd xmm1, QWORD PTR [rax]
processing(Instruction("\x66\x0F\x12\x08"))
# movlps QWORD PTR [rax], xmm1
processing(Instruction("\x0F\x13\x08"))
# movlps xmm1, QWORD PTR [rax]
processing(Instruction("\x0F\x12\x08"))
def seed_emulate(self, ip):
"""Emulate one run of the function with already setup memory."""
function = {
# <serial> function
# push rbp
0x40056d: "\x55",
# mov rbp,rsp
0x40056e: "\x48\x89\xe5",
# mov QWORD PTR [rbp-0x18],rdi
0x400571: "\x48\x89\x7d\xe8",
# mov DWORD PTR [rbp-0x4],0x0
0x400575: "\xc7\x45\xfc\x00\x00\x00\x00",
# jmp 4005bd <check+0x50>
0x40057c: "\xeb\x3f",
# mov eax,DWORD PTR [rbp-0x4]
0x40057e: "\x8b\x45\xfc",
# movsxd rdx,eax
0x400581: "\x48\x63\xd0",
# mov rax,QWORD PTR [rbp-0x18]
0x400584: "\x48\x8b\x45\xe8",
# add rax,rdx
0x400588: "\x48\x01\xd0",
# movzx eax,BYTE PTR [rax]
0x40058b: "\x0f\xb6\x00",
# movsx eax,al
0x40058e: "\x0f\xbe\xc0",
# sub eax,0x1
0x400591: "\x83\xe8\x01",
# xor eax,0x55
0x400594: "\x83\xf0\x55",
# mov ecx,eax
0x400597: "\x89\xc1",
# mov rdx,QWORD PTR [rip+0x200aa0] # 601040 <serial>
0x400599: "\x48\x8b\x15\xa0\x0a\x20\x00",
# mov eax,DWORD PTR [rbp-0x4]
0x4005a0: "\x8b\x45\xfc",
# cdqe
0x4005a3: "\x48\x98",
# add rax,rdx
0x4005a5: "\x48\x01\xd0",
# movzx eax,BYTE PTR [rax]
0x4005a8: "\x0f\xb6\x00",
# movsx eax,al
0x4005ab: "\x0f\xbe\xc0",
# cmp ecx,eax
0x4005ae: "\x39\xc1",
# je 4005b9 <check+0x4c>
0x4005b0: "\x74\x07",
# mov eax,0x1
0x4005b2: "\xb8\x01\x00\x00\x00",
# jmp 4005c8 <check+0x5b>
0x4005b7: "\xeb\x0f",
# add DWORD PTR [rbp-0x4],0x1
0x4005b9: "\x83\x45\xfc\x01",
# cmp DWORD PTR [rbp-0x4],0x4
0x4005bd: "\x83\x7d\xfc\x04",
# jle 40057e <check+0x11>
0x4005c1: "\x7e\xbb",
# mov eax,0x0
0x4005c3: "\xb8\x00\x00\x00\x00",
# pop rbp
0x4005c8: "\x5d",
# ret
0x4005c9: "\xc3",
}
while ip in function:
# Build an instruction
inst = Instruction()
# Setup opcodes
inst.setOpcodes(function[ip])
# Setup Address
inst.setAddress(ip)
# Process everything
processing(inst)
# Next instruction
ip = buildSymbolicRegister(REG.RIP).evaluate()
