def emulate(Triton, pc):
global variables
global goodBranches
print '[+] Starting emulation.'
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print instruction
# End of the CheckSolution() function
if pc == 0x4025E6:
break
if pc == 0x4025CC:
print '[+] Win'
break
if pc in goodBranches:
astCtxt = Triton.getAstContext()
# Slice expressions
rax = Triton.getSymbolicExpressionFromId(Triton.getSymbolicRegisterId(Triton.registers.rax))
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([
Triton.getPathConstraintsAst(),
astCtxt.equal(eax, astCtxt.bv(goodBranches[pc], 32))
])
print '[+] Asking for a model, please wait...'
model = Triton.getModel(cstr)
# Save new state
for k, v in model.items():
print '[+]', v
variables[k] = v.getValue()
# Go deeper
del goodBranches[pc]
# Restart emulation with a good input.
Triton = initialize()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print '[+] Emulation done.'
return
def test_1(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_TAINTED, False)
self.assertEqual(ctx.isModeEnabled(MODE.ONLY_ON_TAINTED), False)
inst = Instruction("\x48\x89\xc3") # mov rbx, rax
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
ctx.enableMode(MODE.ONLY_ON_TAINTED, True)
self.assertEqual(ctx.isModeEnabled(MODE.ONLY_ON_TAINTED), True)
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getSymbolicExpressions()), 0)
self.assertEqual(len(inst.getReadRegisters()), 0)
self.assertEqual(len(inst.getReadImmediates()), 0)
self.assertEqual(len(inst.getWrittenRegisters()), 0)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_load_ds(self):
"""Check load from ds segment."""
setArchitecture(ARCH.X86)
inst = Instruction()
# mov ax, ds:word_40213C
inst.setOpcodes("\x66\xA1\x3C\x21\x40\x00")
processing(inst)
self.assertEqual(inst.getOperands()[1].getAddress(), 0x40213C)
self.assertEqual(inst.getOperands()[1].getBitSize(), 16)
def test_3(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
inst = Instruction("\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
self.assertEqual(len(inst.getLoadAccess()), 1)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_7(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.setConcreteRegisterValue(ctx.registers.rax, 0x1337)
inst = Instruction("\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(inst.getOperands()[1].getAddress(), 0x1337)
self.assertIsNone(inst.getOperands()[1].getLeaAst())
def test_known_issues(self):
"""Check tainting result after processing."""
setArchitecture(ARCH.X86)
taintRegister(REG.EAX)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcodes("\x8D\x04\x06")
processing(inst)
self.assertTrue(isRegisterTainted(REG.EAX))
self.assertFalse(isRegisterTainted(REG.EBX))
def test_known_issues(self):
"""Check tainting result after processing."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
Triton.taintRegister(Triton.registers.eax)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcode("\x8D\x04\x06")
Triton.processing(inst)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.eax))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.ebx))
def test_emulate(self, concretize=False):
"""Run a dumped simulation and check output registers."""
# Get dumped data
dump = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
with open(dump) as f:
regs, mems = eval(f.read())
# Load memory
for mem in mems:
start = mem['start']
if mem['memory'] is not None:
self.Triton.setConcreteMemoryAreaValue(start, bytearray(mem['memory']))
# self.Triton.setup registers
for reg_name in ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp",
"rsp", "rip", "r8", "r9", "r10", "r11", "r12", "r13",
"r14", "eflags", "xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7", "xmm8", "xmm9",
"xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"):
self.Triton.setConcreteRegisterValue(self.Triton.getRegister(getattr(REG.X86_64, reg_name.upper())), regs[reg_name])
# run the code
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
while pc != 0x409A18:
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 20)
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Check if triton doesn't supports this instruction
self.assertTrue(self.Triton.processing(instruction))
self.assertTrue(checkAstIntegrity(instruction))
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
if concretize:
self.Triton.concretizeAllMemory()
self.Triton.concretizeAllRegister()
rax = self.Triton.getConcreteRegisterValue(self.Triton.registers.rax)
rbx = self.Triton.getConcreteRegisterValue(self.Triton.registers.rbx)
rcx = self.Triton.getConcreteRegisterValue(self.Triton.registers.rcx)
rdx = self.Triton.getConcreteRegisterValue(self.Triton.registers.rdx)
rsi = self.Triton.getConcreteRegisterValue(self.Triton.registers.rsi)
self.assertEqual(rax, 0)
self.assertEqual(rbx, 0)
self.assertEqual(rcx, 0)
self.assertEqual(rdx, 0x4d2)
self.assertEqual(rsi, 0x3669000000000000)
def test_2(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_TAINTED, True)
ctx.taintRegister(ctx.registers.rax)
inst = Instruction("\x48\x89\xc3") # mov rbx, rax
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_4(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.convertRegisterToSymbolicVariable(ctx.registers.rax)
inst = Instruction("\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 0)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
def setUp(self):
"""Define the arch."""
self.ctx = TritonContext()
self.ctx.setArchitecture(ARCH.X86_64)
self.inst1 = Instruction("\x48\x31\xd8") # xor rax, rbx
self.ctx.setConcreteRegisterValue(self.ctx.registers.al, 0x10)
self.ctx.setConcreteRegisterValue(self.ctx.registers.bl, 0x55)
self.inst2 = Instruction("\x48\x89\x03") # mov [rbx], rax
self.ctx.processing(self.inst1)
self.ctx.processing(self.inst2)
self.expr1 = self.inst1.getSymbolicExpressions()[0]
self.expr2 = self.inst2.getSymbolicExpressions()[8]
def test_trace(trace):
Triton.setArchitecture(ARCH.X86)
symbolization_init()
astCtxt = Triton.getAstContext()
for opcode in trace:
instruction = Instruction()
instruction.setOpcode(opcode)
Triton.processing(instruction)
print instruction.getDisassembly()
if instruction.isBranch():
# Opaque Predicate AST
op_ast = Triton.getPathConstraintsAst()
# Try another model
model = Triton.getModel(astCtxt.lnot(op_ast))
if model:
print "not an opaque predicate"
else:
if instruction.isConditionTaken():
print "opaque predicate: always taken"
else:
print "opaque predicate: never taken"
print '----------------------------------'
return
def test_pop_esp(self):
"""Check pop on esp processing."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction('\xBC\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst2 = Instruction('\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [esp]
inst3 = Instruction('\x8F\x04\x24')
self.Triton.processing(inst1)
self.Triton.processing(inst2)
self.Triton.processing(inst3)
self.assertEqual(inst3.getOperands()[0].getAddress(), 0x19fe04, "esp has been poped")
self.assertEqual(inst3.getStoreAccess()[0][0].getAddress(), 0x19fe04, "inst3 set the value in 0x19fe04")
self.assertEqual(inst3.getStoreAccess()[0][1].evaluate(), 0x11111111, "And this value is 0x11111111")
def setUp(self):
"""Define and process the instruction to test."""
setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcodes("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.inst.updateContext(Register(REG.RAX, 0x1122334455667788))
self.inst.updateContext(Register(REG.RBX, 0x8877665544332211))
processing(self.inst)
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def run(ip):
while ip in function:
# Build an instruction
inst = Instruction()
# Setup opcode
inst.setOpcode(function[ip])
# Setup Address
inst.setAddress(ip)
# Process everything
Triton.processing(inst)
# Display instruction
#print inst
# Next instruction
ip = Triton.getRegisterAst(Triton.registers.rip).evaluate()
return
def test_pop(self):
"""Check the pop instruction processing."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction('\xBC\x00\xFE\x19\x00')
# mov edi, 0x19fe00
inst2 = Instruction('\xBF\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst3 = Instruction('\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [edi]
inst4 = Instruction('\x8F\x07')
self.Triton.processing(inst1)
self.Triton.processing(inst2)
self.Triton.processing(inst3)
self.Triton.processing(inst4)
self.assertEqual(inst4.getOperands()[0].getAddress(), 0x19fe00, "poping edi doesn't change it")
self.assertEqual(inst4.getStoreAccess()[0][0].getAddress(), 0x19fe00, "inst4 store the new value in 0x19fe00 (edi value)")
self.assertEqual(inst4.getStoreAccess()[0][1].evaluate(), 0x11111111, "The stored value is 0x11111111")
def emulate(pc):
print '[+] Starting emulation.'
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print instruction
if instruction.getType() == OPCODE.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print '[+] Emulation done.'
return
def test_backup(self):
"""
Check Symbolics value are saved when engine is disable.
* Also check reseting a disable symbolic engines doesn't crash.
"""
inst = Instruction()
# update RAX
inst.setOpcode("\x48\xFF\xC0")
self.Triton.processing(inst)
self.assertEqual(self.Triton.getSymbolicRegisterValue(self.Triton.registers.rax), 1)
# This call triton::api.backupSymbolicEngine()
self.Triton.enableSymbolicEngine(False)
inst = Instruction()
# update RAX again
inst.setOpcode("\x48\xFF\xC0")
self.Triton.processing(inst)
self.assertEqual(self.Triton.getConcreteRegisterValue(self.Triton.registers.rax), 2, "concrete value is updated")
self.assertEqual(self.Triton.getSymbolicRegisterValue(self.Triton.registers.rax), 1)
self.assertEqual(self.Triton.getSymbolicRegisterValue(self.Triton.registers.rax), 1, "Symbolic value is not update")
# Try to reset engine after a backup to test if the bug #385 is fixed.
self.Triton.resetEngines()
def emulate(pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
#print instruction
if instruction.getType() == OPCODE.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
debug('Instruction executed: %d' %(count))
return
def emulate(self, pc):
"""
Emulate every opcode from pc.
Process instruction until the end
"""
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
ret = self.Triton.processing(instruction)
if instruction.getType() == OPCODE.HLT:
break
self.assertTrue(ret)
self.assertTrue(checkAstIntegrity(instruction))
# Simulate routines
self.hooking_handler()
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return
def emulate(self, pc):
"""
Emulate every opcode from pc.
Process instruction until the end
"""
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.assertTrue(self.Triton.processing(instruction))
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return
def run(ip):
while ip in function:
# Build an instruction
inst = Instruction()
# Setup opcode
inst.setOpcode(function[ip])
# Setup Address
inst.setAddress(ip)
# Process everything
Triton.processing(inst)
# Display instruction
print 'Curr ip:', inst
# Next instruction
ip = Triton.buildSymbolicRegister(Triton.registers.rip).evaluate()
print 'Next ip:', hex(ip)
print
return
def test_load_immediate_fs(self):
"""Check load from fs segment with immediate."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov eax, DWORD PTR fs:0xffffffffffffdf98
inst.setOpcodes("\x64\x8B\x04\x25\x98\xDF\xFF\xFF")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9698)
self.assertEqual(load.getBitSize(), 32)
def test_mov_xmm_to_memory(self):
"""Check move and xmm register to memory do not crash."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
# movhpd QWORD PTR [rax], xmm1
self.Triton.processing(Instruction(b"\x66\x0F\x17\x08"))
# movhpd xmm1, QWORD PTR [rax]
self.Triton.processing(Instruction(b"\x66\x0F\x16\x08"))
# movhps QWORD PTR [rax], xmm1
self.Triton.processing(Instruction(b"\x0F\x17\x08"))
# movhps xmm1, QWORD PTR [rax]
self.Triton.processing(Instruction(b"\x0F\x16\x08"))
# movlpd QWORD PTR [rax], xmm1
self.Triton.processing(Instruction(b"\x66\x0F\x13\x08"))
# movlpd xmm1, QWORD PTR [rax]
self.Triton.processing(Instruction(b"\x66\x0F\x12\x08"))
# movlps QWORD PTR [rax], xmm1
self.Triton.processing(Instruction(b"\x0F\x13\x08"))
# movlps xmm1, QWORD PTR [rax]
self.Triton.processing(Instruction(b"\x0F\x12\x08"))
def test_pop(self):
"""Check the pop instruction processing."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction(b'\xBC\x00\xFE\x19\x00')
# mov edi, 0x19fe00
inst2 = Instruction(b'\xBF\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst3 = Instruction(b'\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [edi]
inst4 = Instruction(b'\x8F\x07')
self.Triton.processing(inst1)
self.Triton.processing(inst2)
self.Triton.processing(inst3)
self.Triton.processing(inst4)
self.assertEqual(inst4.getOperands()[0].getAddress(), 0x19fe00, "poping edi doesn't change it")
self.assertEqual(inst4.getStoreAccess()[0][0].getAddress(), 0x19fe00, "inst4 store the new value in 0x19fe00 (edi value)")
self.assertEqual(inst4.getStoreAccess()[0][1].evaluate(), 0x11111111, "The stored value is 0x11111111")
def test_1(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.setMode(MODE.ONLY_ON_SYMBOLIZED, False)
inst = Instruction(b"\x48\x89\xc3") # mov rbx, rax
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
ctx.setMode(MODE.ONLY_ON_SYMBOLIZED, True)
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 0)
self.assertEqual(len(inst.getWrittenRegisters()), 0)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_load_indirect_fs(self):
"""Check load from fs with indirect address."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov rax, QWORD PTR fs:[rax]
inst.setOpcode("\x64\x48\x8B\x00")
inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.fs,
0x7fffda8ab700)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax,
0xffffffffffffdf90)
self.Triton.processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9690)
self.assertEqual(load.getBitSize(), 64)
def setUp(self):
"""Define the arch."""
self.ctx = TritonContext()
self.ctx.setArchitecture(ARCH.X86)
trace = [
"\x25\xff\xff\xff\x3f", # and eax, 0x3fffffff
"\x81\xe3\xff\xff\xff\x3f", # and ebx, 0x3fffffff
"\x31\xd1", # xor ecx, edx
"\x31\xfa", # xor edx, edi
"\x31\xD8", # xor eax, ebx
"\x0F\x84\x55\x00\x00\x00", # je 0x55
]
self.ctx.convertRegisterToSymbolicVariable(self.ctx.registers.eax)
self.ctx.convertRegisterToSymbolicVariable(self.ctx.registers.ebx)
for opcodes in trace:
self.ctx.processing(Instruction(opcodes))
def test_5(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.setMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.symbolizeMemory(MemoryAccess(0, CPUSIZE.QWORD))
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 0)
self.assertEqual(len(inst.getWrittenRegisters()), 1)
self.assertEqual(len(inst.getLoadAccess()), 1)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_4(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.convertRegisterToSymbolicVariable(ctx.registers.rax)
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 0)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_2(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_TAINTED, True)
ctx.taintRegister(ctx.registers.rax)
inst = Instruction("\x48\x89\xc3") # mov rbx, rax
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_load_indirect_fs(self):
"""Check load from fs with indirect address."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov rax, QWORD PTR fs:[rax]
inst.setOpcodes("\x64\x48\x8B\x00")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
setConcreteRegisterValue(Register(REG.RAX, 0xffffffffffffdf90))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9690)
self.assertEqual(load.getBitSize(), 64)
def test_pop_esp(self):
"""Check pop on esp processing."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction(b'\xBC\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst2 = Instruction(b'\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [esp]
inst3 = Instruction(b'\x8F\x04\x24')
self.Triton.processing(inst1)
self.Triton.processing(inst2)
self.Triton.processing(inst3)
self.assertEqual(inst3.getOperands()[0].getAddress(), 0x19fe04, "esp has been poped")
self.assertEqual(inst3.getStoreAccess()[0][0].getAddress(), 0x19fe04, "inst3 set the value in 0x19fe04")
self.assertEqual(inst3.getStoreAccess()[0][1].evaluate(), 0x11111111, "And this value is 0x11111111")
def test5():
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
astCtxt = Triton.getAstContext()
# rax is now symbolic
Triton.symbolizeRegister(Triton.registers.eax)
# process instruction
Triton.processing(Instruction(b"\x83\xc0\x07")) # add eax, 0x7
# get rax ast
eaxAst = Triton.getSymbolicRegister(Triton.registers.eax).getAst()
# constraint
c = eaxAst ^ 0x11223344 == 0xdeadbeaf
print('Test 5:', Triton.getModel(c)[0])
return
def test6():
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
astCtxt = Triton.getAstContext()
# rax is now symbolic
var = Triton.convertRegisterToSymbolicVariable(Triton.registers.eax)
var.setAlias("eax")
# process instruction
Triton.processing(Instruction("\x83\xc0\x07")) # add eax, 0x7
# get rax ast
eaxAst = Triton.getSymbolicRegister(Triton.registers.eax).getAst()
# constraint
c = eaxAst ^ 0x11223344 == 0xdeadbeaf
print 'Test 6:', Triton.getModel(c)[0]
return
def emulate(pc):
astCtxt = Triton.getAstContext()
print '[+] Starting emulation.'
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print instruction
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = Triton.getSymbolicRegister(Triton.registers.rax)
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([
Triton.getPathConstraintsAst(),
astCtxt.equal(eax, astCtxt.bv(1, 32))
])
print '[+] Asking for a model, please wait...'
model = Triton.getModel(cstr)
for k, v in model.items():
value = v.getValue()
Triton.setConcreteVariableValue(
Triton.getSymbolicVariableFromId(k), value)
print '[+] Symbolic variable %02d = %02x (%c)' % (k, value,
chr(value))
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print '[+] Emulation done.'
return
def emulate(self, pc):
"""
Emulate every opcodes from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then set the new correct value and keep going.
"""
while pc:
# Fetch opcodes
opcodes = getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Process
processing(instruction)
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = getSymbolicExpressionFromId(
getSymbolicRegisterId(REG.RAX))
eax = ast.extract(31, 0, rax.getAst())
# Define constraint
cstr = ast.assert_(
ast.land(getPathConstraintsAst(),
ast.equal(eax, ast.bv(1, 32))))
model = getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
getSymbolicVariableFromId(k).setConcreteValue(value)
# Next
pc = getConcreteRegisterValue(REG.RIP)
return solution
def run(pc, seed):
global seeds
while pc:
if pc in seeds and seeds[pc] == 0:
print("get one")
seeds[pc] = seed
flag = 0
# Build an instruction
inst = Instruction()
# Setup opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst.setOpcode(opcode)
inst.setAddress(pc)
arr = [elem.encode("hex") for elem in inst.getOpcode()]
if arr[:4] == ['f3', '0f', '1e', 'fa']:
pc += 4
continue
if arr[:3] == ['0f', '01', 'd0']:
pc += 3
continue
if arr[0] == 'f4':
print("abort")
break
# Setup Address
Triton.processing(inst)
# hookingHandler(Triton)
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
for seedr in seeds.values():
if seedr == 0:
flag = 1
break
if flag == 0:
break
def emulate(pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
#print(instruction)
# NOTE: Here is the solution of the challenge. The flag is decoded
# and written into the memory. So, let's track all memory STORE of
# 1 byte.
for mem, memAst in instruction.getStoreAccess():
if mem.getSize() == CPUSIZE.BYTE:
sys.stdout.write(chr(Triton.getConcreteMemoryValue(mem)))
# End of solution
if instruction.getType() == OPCODE.X86.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
debug('Instruction executed: %d' % (count))
return
def emulate(pc, w):
while pc:
opcodes = Triton.getConcreteMemoryAreaValue(pc, 16)
instruction = Instruction()
instruction.setOpcode(opcodes)
instruction.setAddress(pc)
Triton.processing(instruction)
symvar = [
chr(0x41),
chr(0x41),
chr(0x41),
chr(0x41),
chr(0x41),
chr(0x41),
chr(0x0b),
chr(0x84),
chr(0),
chr(0x04),
chr(0),
chr(0x08)
]
if sys.argv[3].startswith("0x"):
target = int(sys.argv[3][2:], 16)
#print 'tahrget',target
i = 1
if pc == target:
print '=======================================Address found with following seeds================================================'
for address, value in seed.items():
print 'i won'
if (address == 1879048195):
print 'argc ', value
else:
x = address - 22528 - 16383
y = int(x / 100)
z = int(x % 100)
print 'argv[', y, '][', z, '] ', value
i = i + 1
w = 11
break
#else:
#print 'chill'''
#print '[+] Emulation done.'
return w
def emulate(self, pc):
"""
Emulate every opcode from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then self.Triton.set the new correct value and keep going.
"""
astCtxt = self.Triton.getAstContext()
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.Triton.processing(instruction)
self.assertTrue(checkAstIntegrity(instruction))
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = self.Triton.getSymbolicRegister(self.Triton.registers.rax)
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([self.Triton.getPathPredicate(), astCtxt.equal(eax, astCtxt.bv(1, 32))])
model = self.Triton.getModel(cstr)
solution = str()
for k, v in list(sorted(model.items())):
value = v.getValue()
solution += chr(value)
self.Triton.setConcreteVariableValue(self.Triton.getSymbolicVariable(k), value)
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return solution
def process(code):
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
for (addr, opcode) in code:
# Build an instruction
inst = Instruction()
# Setup opcode
inst.setOpcode(opcode)
# Setup Address
inst.setAddress(addr)
# Process everything
Triton.processing(inst)
print(inst)
for expr in inst.getSymbolicExpressions():
print('\t', expr)
for k, v in list(Triton.getSymbolicRegisters().items()):
if 'rax' in str(Triton.getRegister(k)):
print(Triton.getRegister(k), v)
def run(ip):
while ip in function:
# Build an instruction
inst = Instruction()
# Setup opcode
inst.setOpcode(function[ip])
# Setup Address
inst.setAddress(ip)
# Process everything
Triton.processing(inst)
# Display instruction
#print(inst)
# Next instruction
ip = Triton.getRegisterAst(Triton.registers.rip).evaluate()
return
def emulate(pc):
astCtxt = Triton.getAstContext()
print '[+] Starting emulation.'
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print instruction
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = Triton.getSymbolicRegister(Triton.registers.rax)
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([
Triton.getPathConstraintsAst(),
astCtxt.equal(eax, astCtxt.bv(1, 32))
])
print '[+] Asking for a model, please wait...'
model = Triton.getModel(cstr)
for k, v in model.items():
value = v.getValue()
Triton.setConcreteVariableValue(Triton.getSymbolicVariableFromId(k), value)
print '[+] Symbolic variable %02d = %02x (%c)' %(k, value, chr(value))
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print '[+] Emulation done.'
return
def emulate(self, pc):
"""
Emulate every opcode from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then self.Triton.set the new correct value and keep going.
"""
astCtxt = self.Triton.getAstContext()
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.Triton.processing(instruction)
self.assertTrue(checkAstIntegrity(instruction))
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = self.Triton.getSymbolicRegister(self.Triton.registers.rax)
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([self.Triton.getPathConstraintsAst(), astCtxt.equal(eax, astCtxt.bv(1, 32))])
model = self.Triton.getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
self.Triton.setConcreteVariableValue(self.Triton.getSymbolicVariableFromId(k), value)
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return solution
def emulate(self, pc):
"""
Emulate every opcode from pc.
Process instruction until the end
"""
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.assertTrue(self.Triton.processing(instruction))
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return
def emulate(self, pc):
"""
Emulate every opcodes from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then set the new correct value and keep going.
"""
while pc:
# Fetch opcodes
opcodes = getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Process
processing(instruction)
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = getSymbolicExpressionFromId(getSymbolicRegisterId(REG.RAX))
eax = ast.extract(31, 0, rax.getAst())
# Define constraint
cstr = ast.assert_(ast.land(getPathConstraintsAst(), ast.equal(eax, ast.bv(1, 32))))
model = getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
getSymbolicVariableFromId(k).setConcreteValue(value)
# Next
pc = getConcreteRegisterValue(REG.RIP)
return solution
def run(ip):
while ip in function:
# Build an instruction
inst = Instruction()
# Setup opcode
inst.setOpcode(function[ip])
# Setup Address
inst.setAddress(ip)
# Process everything
Triton.processing(inst)
# Display instruction
print 'Curr ip:', inst
# Next instruction
ip = Triton.buildSymbolicRegister(Triton.registers.rip).evaluate()
print 'Next ip:', hex(ip)
print
return
def runR(pc, binary):
seed = {}
while pc:
# Build an instruction
inst = Instruction()
# Setup opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst.setOpcode(opcode)
inst.setAddress(pc)
arr = [elem.encode("hex") for elem in inst.getOpcode()]
# endbr64
if arr[:4] == ['f3', '0f', '1e', 'fa']:
pc += 4
continue
if arr[:3] == ['0f', '01', 'd0']:
pc += 3
continue
if arr[0] == 'f4':
print("abort")
break
if arr[0] == 'e8':
offset = 0
offset += int(arr[4], 16)
offset = offset << 8
offset += int(arr[3], 16)
offset = offset << 8
offset += int(arr[2], 16)
offset = offset << 8
offset += int(arr[1], 16)
faddr = offset + pc + 5
faddr = faddr & 0xffffffff
print(str(hex(pc)) + " calling: " + str(hex(faddr)))
try:
fclose_addr = binary.get_function_address("fclose")
if fclose_addr == faddr:
pc += 5
continue
except:
pass
try:
fgets_addr = binary.get_function_address("fgets")
if fgets_addr == faddr:
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(Triton.registers.rsi)
for i in range(num):
seed[adr + i] = 0
pc += 5
continue
except:
pass
try:
fread_addr = binary.get_function_address("fread")
if fread_addr == faddr:
print("fread at " + str(hex(pc)))
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(
Triton.registers.rsi
) * Triton.getConcreteRegisterValue(Triton.registers.rdx)
for i in range(num):
seed[adr + i] = 0
pc += 5
continue
except:
pass
try:
printf_addr = binary.get_function_address("printf")
if printf_addr == faddr:
pc += 5
continue
except:
pass
try:
fprintf_addr = binary.get_function_address("fprintf")
if fprintf_addr == faddr:
pc += 5
continue
except:
pass
Triton.processing(inst)
# Setup Address
# hookingHandler(Triton)
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
return seed
def test_mix_high_low_register(self):
"""Check operation on lower and higher register."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
inst = Instruction(b"\x00\xDC") # add ah,bl
self.Triton.processing(inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
inst = Instruction()
inst.setAddress(-1)
self.assertEqual(inst.getAddress(), 0xffffffffffffffff)
inst.setAddress(-2)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffe)
inst.setAddress(-3)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffd)
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode(b"\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
inst = Instruction()
inst.setAddress(-1)
self.assertEqual(inst.getAddress(), 0xffffffffffffffff)
inst.setAddress(-2)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffe)
inst.setAddress(-3)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffd)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.X86.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), b"\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.X86.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
def run(pc, func_spec, seed):
global addrs
flag = 0
while pc:
inst = Instruction()
# Setup opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst.setOpcode(opcode)
inst.setAddress(pc)
arr = [elem.encode("hex") for elem in inst.getOpcode()]
if arr[:4] == ['f3', '0f', '1e', 'fa']:
pc += 4
continue
if arr[:3] == ['0f', '01', 'd0']:
pc += 3
continue
if arr[0] == 'f4':
print("abort")
break
if arr[0] == 'e8':
offset = 0
offset += int(arr[4], 16)
offset = offset << 8
offset += int(arr[3], 16)
offset = offset << 8
offset += int(arr[2], 16)
offset = offset << 8
offset += int(arr[1], 16)
faddr = offset + pc + 5
faddr = faddr & 0xffffffff
try:
fclose_addr = gbinary.get_function_address("fclose")
if fclose_addr == faddr:
pc += 5
continue
except:
pass
try:
fgets_addr = gbinary.get_function_address("fgets")
if fgets_addr == faddr:
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(Triton.registers.rsi)
for i in range(num):
if adr + i not in seed:
seed[adr + i] = 0
pc += 5
continue
except:
pass
try:
fread_addr = gbinary.get_function_address("fread")
if fread_addr == faddr:
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(
Triton.registers.rsi
) * Triton.getConcreteRegisterValue(Triton.registers.rdx)
for i in range(num):
if adr + i not in seed:
print("new fread")
seed[adr + i] = 0
pc += 5
continue
except:
pass
try:
printf_addr = gbinary.get_function_address("printf")
if printf_addr == faddr:
pc += 5
continue
except:
pass
try:
fprintf_addr = gbinary.get_function_address("fprintf")
if fprintf_addr == faddr:
pc += 5
continue
except:
pass
if arr[0] == 'e8' and flag == 0:
offset = 0
offset += int(arr[4], 16)
offset = offset << 8
offset += int(arr[3], 16)
offset = offset << 8
offset += int(arr[2], 16)
offset = offset << 8
offset += int(arr[1], 16)
addr = offset + pc + 5
addr = addr & 0xffffffff
if addr in func_spec:
last_op = addr
if func_spec[addr][0] in ["==", ">=", "<="]:
Triton.setConcreteRegisterValue(Triton.registers.rax,
func_spec[addr][1])
if func_spec[addr][0] == '>':
Triton.setConcreteRegisterValue(Triton.registers.rax,
func_spec[addr][1] + 1)
if func_spec[addr][0] == '!=':
Triton.setConcreteRegisterValue(Triton.registers.rax,
func_spec[addr][1] + 1)
if func_spec[addr][0] == '<':
Triton.setConcreteRegisterValue(Triton.registers.rax,
func_spec[addr][1] - 1)
flag = 1
pc += 5
continue
Triton.processing(inst)
gflag = 0
for addr in func_spec:
if addr not in addrs:
gflag = 1
break
if gflag == 0:
break
if flag == 2:
addrs[last_op] = pc
flag = 0
if flag == 1:
if inst.isBranch():
flag = 2
# hookingHandler(Triton)
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
def emulate(Triton, pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
# Handle nested memory reads
if instruction.isMemoryRead():
memory_access, read__memory_ast_node = instruction.getLoadAccess()[0]
read_register, read_register_ast_node = instruction.getReadRegisters()[0]
written_register, write_register_ast_node = instruction.getWrittenRegisters()[0]
if read_register.getName() != "unknown":
expression = read_register_ast_node.getSymbolicExpression()
expression_ast = expression.getAst()
#import pdb
#pdb.set_trace()
if expression_ast.getType() == AST_NODE.VARIABLE:
variable = expression_ast.getSymbolicVariable()
alias = variable.getAlias()
displacement = memory_access.getDisplacement().getValue()
newalias = "(%s)[0x%x]" % (alias, displacement)
#newalias = "(%s)[0]" % alias
Triton.symbolizeRegister(written_register, newalias)
elif expression_ast.getType() == AST_NODE.CONCAT:
import pdb
pdb.set_trace()
pass
else:
import pdb
pdb.set_trace()
raise Exception("Unexpected ast node")
print("Emulating %s" % (instruction))
#print instruction
if instruction.getType() == OPCODE.X86.RET:
break
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.eip)
print('Instructions executed: %d' %(count))
return
(0x400011, b"\x66\x0F\xD7\xD1"), # pmovmskb edx, xmm1
(0x400015, b"\x89\xd0"), # mov eax, edx
(0x400017, b"\x80\xf4\x99"), # xor ah, 0x99
(0x40001a, b"\xC5\xFD\x6F\xCA"), # vmovdqa ymm1, ymm2
]
if __name__ == '__main__':
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86_64)
for (addr, opcode) in code:
# Build an instruction
inst = Instruction()
# Setup opcode
inst.setOpcode(opcode)
# Setup Address
inst.setAddress(addr)
# Process everything
Triton.processing(inst)
# Display instruction
print(inst)
# Display symbolic expressions
for expr in inst.getSymbolicExpressions():
def run(pc, seed):
global flagr
prev=None
prevpc=0
while pc:
inst = Instruction()
# Setup opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst.setOpcode(opcode)
inst.setAddress(pc)
arr = [elem.encode("hex") for elem in inst.getOpcode()]
Triton.processing(inst)
if pc==0x403cec:
print("new ok")
if prevpc not in visited_branch and prev!=None and prev.isBranch():
visited_branch.add(prevpc)
print("new branch "+str(hex(prevpc)))
break
prev=inst
prevpc=pc
print("inst: "+str(inst))
if arr[:4] == ['f3', '0f', '1e', 'fa']:
pc += 4
continue
if arr[:3] == ['0f', '01', 'd0']:
pc += 3
continue
if arr[0] == 'f4':
print("abort")
break
if arr[0] == 'e8':
offset = 0
offset += int(arr[4], 16)
offset = offset << 8
offset += int(arr[3], 16)
offset = offset << 8
offset += int(arr[2], 16)
offset = offset << 8
offset += int(arr[1], 16)
faddr = offset + pc + 5
faddr = faddr & 0xffffffff
# print(str(hex(pc))+ " calling "+str(hex(faddr)))
try:
printf_addr = gbinary.get_function_address("printf")
if printf_addr == faddr:
pc += 5
continue
except:
pass
try:
fprintf_addr = gbinary.get_function_address("fprintf")
if fprintf_addr == faddr:
pc += 5
continue
except:
pass
try:
fread_addr = gbinary.get_function_address("fread")
if fread_addr == faddr:
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(
Triton.registers.rsi
) * Triton.getConcreteRegisterValue(Triton.registers.rdx)
for i in range(num):
if adr + i not in seed:
# Triton.symbolizeMemory(MemoryAccess(adr + i, 1))
seed[adr + i] = 0
pc += 5
Triton.setConcreteRegisterValue(Triton.registers.rax, num)
continue
except:
pass
try:
fseek_addr = gbinary.get_function_address("fseek")
if fseek_addr == faddr:
Triton.setConcreteRegisterValue(Triton.registers.rax, 0)
pc += 5
continue
except:
pass
pc = Triton.getRegisterAst(Triton.registers.rip).evaluate()
return seed
def seed_emulate(self, ip):
"""Emulate one run of the function with already self.Triton.setup memory."""
function = {
# <serial> function
# push rbp
0x40056d: b"\x55",
# mov rbp,rsp
0x40056e: b"\x48\x89\xe5",
# mov QWORD PTR [rbp-0x18],rdi
0x400571: b"\x48\x89\x7d\xe8",
# mov DWORD PTR [rbp-0x4],0x0
0x400575: b"\xc7\x45\xfc\x00\x00\x00\x00",
# jmp 4005bd <check+0x50>
0x40057c: b"\xeb\x3f",
# mov eax,DWORD PTR [rbp-0x4]
0x40057e: b"\x8b\x45\xfc",
# movsxd rdx,eax
0x400581: b"\x48\x63\xd0",
# mov rax,QWORD PTR [rbp-0x18]
0x400584: b"\x48\x8b\x45\xe8",
# add rax,rdx
0x400588: b"\x48\x01\xd0",
# movzx eax,BYTE PTR [rax]
0x40058b: b"\x0f\xb6\x00",
# movsx eax,al
0x40058e: b"\x0f\xbe\xc0",
# sub eax,0x1
0x400591: b"\x83\xe8\x01",
# xor eax,0x55
0x400594: b"\x83\xf0\x55",
# mov ecx,eax
0x400597: b"\x89\xc1",
# mov rdx,QWORD PTR [rip+0x200aa0] # 601040 <serial>
0x400599: b"\x48\x8b\x15\xa0\x0a\x20\x00",
# mov eax,DWORD PTR [rbp-0x4]
0x4005a0: b"\x8b\x45\xfc",
# cdqe
0x4005a3: b"\x48\x98",
# add rax,rdx
0x4005a5: b"\x48\x01\xd0",
# movzx eax,BYTE PTR [rax]
0x4005a8: b"\x0f\xb6\x00",
# movsx eax,al
0x4005ab: b"\x0f\xbe\xc0",
# cmp ecx,eax
0x4005ae: b"\x39\xc1",
# je 4005b9 <check+0x4c>
0x4005b0: b"\x74\x07",
# mov eax,0x1
0x4005b2: b"\xb8\x01\x00\x00\x00",
# jmp 4005c8 <check+0x5b>
0x4005b7: b"\xeb\x0f",
# add DWORD PTR [rbp-0x4],0x1
0x4005b9: b"\x83\x45\xfc\x01",
# cmp DWORD PTR [rbp-0x4],0x4
0x4005bd: b"\x83\x7d\xfc\x04",
# jle 40057e <check+0x11>
0x4005c1: b"\x7e\xbb",
# mov eax,0x0
0x4005c3: b"\xb8\x00\x00\x00\x00",
# pop rbp
0x4005c8: b"\x5d",
# ret
0x4005c9: b"\xc3",
}
while ip in function:
# Build an instruction
inst = Instruction()
# Setup opcode
inst.setOpcode(function[ip])
# Setup Address
inst.setAddress(ip)
# Process everything
self.Triton.processing(inst)
self.assertTrue(checkAstIntegrity(inst))
# Next instruction
ip = self.Triton.getRegisterAst(self.Triton.registers.rip).evaluate()
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), "\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
def seed_emulate(self, ip):
"""Emulate one run of the function with already self.Triton.setup memory."""
function = {
# <serial> function
# push rbp
0x40056d: "\x55",
# mov rbp,rsp
0x40056e: "\x48\x89\xe5",
# mov QWORD PTR [rbp-0x18],rdi
0x400571: "\x48\x89\x7d\xe8",
# mov DWORD PTR [rbp-0x4],0x0
0x400575: "\xc7\x45\xfc\x00\x00\x00\x00",
# jmp 4005bd <check+0x50>
0x40057c: "\xeb\x3f",
# mov eax,DWORD PTR [rbp-0x4]
0x40057e: "\x8b\x45\xfc",
# movsxd rdx,eax
0x400581: "\x48\x63\xd0",
# mov rax,QWORD PTR [rbp-0x18]
0x400584: "\x48\x8b\x45\xe8",
# add rax,rdx
0x400588: "\x48\x01\xd0",
# movzx eax,BYTE PTR [rax]
0x40058b: "\x0f\xb6\x00",
# movsx eax,al
0x40058e: "\x0f\xbe\xc0",
# sub eax,0x1
0x400591: "\x83\xe8\x01",
# xor eax,0x55
0x400594: "\x83\xf0\x55",
# mov ecx,eax
0x400597: "\x89\xc1",
# mov rdx,QWORD PTR [rip+0x200aa0] # 601040 <serial>
0x400599: "\x48\x8b\x15\xa0\x0a\x20\x00",
# mov eax,DWORD PTR [rbp-0x4]
0x4005a0: "\x8b\x45\xfc",
# cdqe
0x4005a3: "\x48\x98",
# add rax,rdx
0x4005a5: "\x48\x01\xd0",
# movzx eax,BYTE PTR [rax]
0x4005a8: "\x0f\xb6\x00",
# movsx eax,al
0x4005ab: "\x0f\xbe\xc0",
# cmp ecx,eax
0x4005ae: "\x39\xc1",
# je 4005b9 <check+0x4c>
0x4005b0: "\x74\x07",
# mov eax,0x1
0x4005b2: "\xb8\x01\x00\x00\x00",
# jmp 4005c8 <check+0x5b>
0x4005b7: "\xeb\x0f",
# add DWORD PTR [rbp-0x4],0x1
0x4005b9: "\x83\x45\xfc\x01",
# cmp DWORD PTR [rbp-0x4],0x4
0x4005bd: "\x83\x7d\xfc\x04",
# jle 40057e <check+0x11>
0x4005c1: "\x7e\xbb",
# mov eax,0x0
0x4005c3: "\xb8\x00\x00\x00\x00",
# pop rbp
0x4005c8: "\x5d",
# ret
0x4005c9: "\xc3",
}
while ip in function:
# Build an instruction
inst = Instruction()
# Setup opcode
inst.setOpcode(function[ip])
# Setup Address
inst.setAddress(ip)
# Process everything
self.Triton.processing(inst)
self.assertTrue(checkAstIntegrity(inst))
# Next instruction
ip = self.Triton.getRegisterAst(self.Triton.registers.rip).evaluate()
