def test_mask_eq_constant():
# <Bool ((0#48 .. (0x0 .. sim_data_4_31_8[0:0])[15:0]) & 0xffff) == 0x0>
a = claripy.BVS("sim_data", 8, explicit_name=True)
expr = (claripy.ZeroExt(
48, claripy.Extract(15, 0, claripy.Concat(claripy.BVV(0, 63), a[0:0])))
& 0xffff) == 0x0
assert expr.op == "__eq__"
assert expr.args[0].op == "Extract"
assert expr.args[0].args[0] == 0 and expr.args[0].args[1] == 0
assert expr.args[0].args[2] is a
assert expr.args[1].op == "BVV" and expr.args[1].args == (0, 1)
# the highest bit of the mask (0x1fff) is not aligned to 8
# we want the mask to be BVV(16, 0x1fff) instead of BVV(13, 0x1fff)
a = claripy.BVS("sim_data", 8, explicit_name=True)
expr = (claripy.ZeroExt(
48, claripy.Extract(15, 0, claripy.Concat(claripy.BVV(0, 63), a[0:0])))
& 0x1fff) == 0x0
assert expr.op == "__eq__"
assert expr.args[0].op == "__and__"
_, arg1 = expr.args[0].args
assert arg1.size() == 16
assert arg1.args[0] == 0x1fff
def test_and_mask_comparing_against_constant_simplifier():
# A & mask == b ==> Extract(_, _, A) == Extract(_, _, b) iff high bits of a and b are zeros
a = claripy.BVS('a', 8)
b = claripy.BVV(0x10, 32)
expr = claripy.ZeroExt(24, a) & 0xffff == b
assert expr is (a == 16)
expr = claripy.Concat(claripy.BVV(0, 24), a) & 0xffff == b
assert expr is (a == 16)
# A & mask != b ==> Extract(_, _, A) != Extract(_, _, b) iff high bits of a and b are zeros
a = claripy.BVS('a', 8)
b = claripy.BVV(0x102000aa, 32)
expr = claripy.ZeroExt(24, a) & 0xffff == b
assert expr.is_false()
expr = claripy.Concat(claripy.BVV(0, 24), a) & 0xffff == b
assert expr.is_false()
# A & 0 == 0 ==> true
a = claripy.BVS('a', 32)
b = claripy.BVV(0, 32)
expr = (a & 0) == b
assert expr.is_true()
expr = (a & 0) == claripy.BVV(1, 32)
assert expr.is_false()
def _handle_DivMod(self, expr):
args, r = self._binop_get_args(expr)
if args is None: return r
expr_0, expr_1 = args
if self._is_top(expr_0) or self._is_top(expr_1):
return self._top(expr.result_size(self.tyenv))
signed = "U" in expr.op # Iop_DivModU64to32 vs Iop_DivMod
from_size = expr_0.size()
to_size = expr_1.size()
if signed:
quotient = (expr_0.SDiv(
claripy.SignExt(from_size - to_size, expr_1)))
remainder = (expr_1.SMod(
claripy.SignExt(from_size - to_size, expr_1)))
quotient_size = to_size
remainder_size = to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient))
else:
quotient = (expr_0 // claripy.ZeroExt(from_size - to_size, expr_1))
remainder = (expr_0 % claripy.ZeroExt(from_size - to_size, expr_1))
quotient_size = to_size
remainder_size = to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient))
def _ail_handle_Mull(self, expr):
arg0, arg1 = expr.operands
r0 = self._expr(arg0)
r1 = self._expr(arg1)
if r0.data.concrete and r1.data.concrete:
# constants
result_size = expr.bits
if r0.data.size() < result_size:
if expr.signed:
r0.data = claripy.SignExt(result_size - r0.data.size(),
r0.data)
else:
r0.data = claripy.ZeroExt(result_size - r0.data.size(),
r0.data)
if r1.data.size() < result_size:
if expr.signed:
r1.data = claripy.SignExt(result_size - r1.data.size(),
r1.data)
else:
r1.data = claripy.ZeroExt(result_size - r1.data.size(),
r1.data)
return RichR(r0.data * r1.data,
typevar=typeconsts.int_type(result_size),
type_constraints=None)
r = self.state.top(expr.bits)
return RichR(
r,
typevar=r0.typevar, # FIXME: the size is probably changed
)
def _ail_handle_DivMod(self, expr: ailment.Expr.BinaryOp):
arg0, arg1 = expr.operands
r0 = self._expr(arg0)
r1 = self._expr(arg1)
from_size = expr.bits
to_size = r1.bits
if expr.signed:
quotient = r0.data.SDiv(
claripy.SignExt(from_size - to_size, r1.data))
remainder = r0.data.SMod(
claripy.SignExt(from_size - to_size, r1.data))
quotient_size = to_size
remainder_size = to_size
r = claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient))
else:
quotient = (r0.data //
claripy.ZeroExt(from_size - to_size, r1.data))
remainder = (r0.data %
claripy.ZeroExt(from_size - to_size, r1.data))
quotient_size = to_size
remainder_size = to_size
r = claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient))
return RichR(r,
# typevar=r0.typevar, # FIXME: Handle typevars for DivMod
)
def _op_divmod(self, args):
# TODO: handle signdness
#try:
quotient = (args[0] /
claripy.ZeroExt(self._from_size - self._to_size, args[1]))
remainder = (args[0] %
claripy.ZeroExt(self._from_size - self._to_size, args[1]))
quotient_size = self._to_size
remainder_size = self._to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient))
def _ail_handle_Convert(self, expr: ailment.Expr.Convert) -> MultiValues:
to_conv: MultiValues = self._expr(expr.operand)
bits = expr.to_bits
size = bits // self.arch.byte_width
if len(to_conv.values) == 1 and 0 in to_conv.values:
values = to_conv.values[0]
else:
top = self.state.top(expr.to_bits)
# annotate it
dummy_atom = MemoryLocation(0,
size,
endness=self.arch.memory_endness)
top = self.state.annotate_with_def(
top, Definition(dummy_atom, ExternalCodeLocation()))
# add use
self.state.add_use(dummy_atom, self._codeloc())
return MultiValues(offset_to_values={0: {top}})
converted = set()
for v in values:
if expr.to_bits < expr.from_bits:
conv = v[expr.to_bits - 1:0]
elif expr.to_bits > expr.from_bits:
conv = claripy.ZeroExt(expr.to_bits - expr.from_bits, v)
else:
conv = v
converted.add(conv)
return MultiValues(offset_to_values={0: converted})
def _op_mapped(self, args):
if self._from_size is not None:
sized_args = []
for a in args:
s = a.size()
if s == self._from_size:
sized_args.append(a)
elif s < self._from_size:
if self.is_signed:
sized_args.append(
claripy.SignExt(self._from_size - s, a))
else:
sized_args.append(
claripy.ZeroExt(self._from_size - s, a))
elif s > self._from_size:
raise SimOperationError(
"operation %s received too large an argument" %
self.name)
else:
sized_args = args
if self._generic_name in operation_map: # bitwise/arithmetic/shift operations
o = operation_map[self._generic_name]
else:
raise SimOperationError(
"op_mapped called with invalid mapping, for %s" % self.name)
if o == '__div__' and self.is_signed:
# yikes!!!!!!!
return claripy.SDiv(*sized_args)
return getattr(claripy.ast.BV, o)(*sized_args)
def load_stack_variable(self,
sp_offset: int,
size,
endness=None) -> Optional[PropValue]:
# normalize sp_offset to handle negative offsets
sp_offset += 0x65536
sp_offset &= (1 << self.arch.bits) - 1
try:
value, labels = self._stack_variables.load_with_labels(
sp_offset, size=size, endness=endness)
except SimMemoryMissingError as ex:
# the stack variable does not exist - however, maybe some portion of it exists!
if ex.missing_addr > sp_offset:
# some data exist. load again
try:
value, labels = self._stack_variables.load_with_labels(
sp_offset,
size=ex.missing_addr - sp_offset,
endness=endness)
# then we zero-extend both the value and labels
if value is not None and len(
labels) == 1 and labels[0][0] == 0:
value = claripy.ZeroExt(
ex.missing_size * self.arch.byte_width, value)
offset, offset_in_expr, size, label = labels[0]
labels = ((offset, offset_in_expr,
size + ex.missing_size, label), )
except SimMemoryMissingError:
# failed again... welp
return None
else:
return None
prop_value = PropValue.from_value_and_labels(value, labels)
return prop_value
def test_fucked_extract():
not_fucked = claripy.Reverse(claripy.Concat(claripy.BVS('file_/dev/stdin_6_0_16_8', 8, explicit_name=True), claripy.BVS('file_/dev/stdin_6_1_17_8', 8, explicit_name=True)))
m = claripy.backends.vsa.max(not_fucked)
assert m > 0
zx = claripy.ZeroExt(16, not_fucked)
pre_fucked = claripy.Reverse(zx)
m = claripy.backends.vsa.max(pre_fucked)
assert m > 0
#print(zx, claripy.backends.vsa.convert(zx))
#print(pre_fucked, claripy.backends.vsa.convert(pre_fucked))
f****d = pre_fucked[31:16]
m = claripy.backends.vsa.max(f****d)
assert m > 0
# here's another case
wtf = (
(
claripy.Reverse(
claripy.Concat(
claripy.BVS('w', 8), claripy.BVS('x', 8), claripy.BVS('y', 8), claripy.BVS('z', 8)
)
) & claripy.BVV(15, 32)
) + claripy.BVV(48, 32)
)[7:0]
m = claripy.backends.vsa.max(wtf)
assert m > 0
def fclose(state):
# 4th Lifecycle: TA_InvokeCommandEntryPoint
# FCLOSE
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.INVOKE_COMMAND, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for InvokeCommand
invoke_cmd_id = claripy.BVV(InvokeCommandIds.FCLOSE, 32).append_annotation(
UserInput("invoke_cmd_id")) # cmd_id for FCLOSE in InvokeCommand
param0_a = state.globals['current_object_handle_ptr'].append_annotation(
UserInput("param0_a_fclose")
) # needs to be set to the memory, where the file was opened with f_open
param0_b = claripy.BVV(0x0,
32).append_annotation(UserInput("param0_b_fclose"))
param0_type = claripy.BVV(TEECParamType.TEEC_VALUE_INPUT,
16).append_annotation(
UserInput("param0_type_fclose"))
param0 = TCParam(param0_type, param0_a, param0_b)
param1 = create_empty_param("fclose_1", True)
param2 = create_empty_param("fclose_2", True)
param3 = create_empty_param("fclose_3", True)
params = TCParams(param0, param1, param2, param3)
store_symbolic_params(state, params)
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def _op_mapped(self, args):
if self._from_size is not None:
sized_args = []
for a in args:
s = a.size()
if s == self._from_size:
sized_args.append(a)
elif s < self._from_size:
if self.is_signed:
sized_args.append(
claripy.SignExt(self._from_size - s, a))
else:
sized_args.append(
claripy.ZeroExt(self._from_size - s, a))
elif s > self._from_size:
raise SimOperationError(
"operation %s received too large an argument" %
self.name)
else:
sized_args = args
if self._generic_name in bitwise_operation_map:
o = bitwise_operation_map[self._generic_name]
elif self._generic_name in arithmetic_operation_map:
o = arithmetic_operation_map[self._generic_name]
elif self._generic_name in shift_operation_map:
o = shift_operation_map[self._generic_name]
else:
raise SimOperationError(
"op_mapped called with invalid mapping, for %s" % self.name)
return getattr(claripy.ast.BV, o)(*sized_args).reduced
def test_extract_zeroext():
x = claripy.BVS('x', 8)
expr = claripy.Extract(31, 0, claripy.ZeroExt(56, x)) <= claripy.BVV(
0xe, 32)
s, r = claripy.balancer.Balancer(claripy.backends.vsa, expr).compat_ret
assert s is True
assert len(r) == 1
assert r[0][0] is x
def _handle_32HLto64(self, expr):
args, r = self._binop_get_args(expr)
if args is None:
if r is not None:
# the size of r should be 32 but we need to return a 64-bit expression
assert r.size() == 32
r = claripy.ZeroExt(32, r)
return r
return None
def _op_divmod(self, args):
if self.is_signed:
quotient = (args[0].SDiv(claripy.SignExt(self._from_size - self._to_size, args[1])))
remainder = (args[0].SMod(claripy.SignExt(self._from_size - self._to_size, args[1])))
quotient_size = self._to_size
remainder_size = self._to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient)
)
else:
quotient = (args[0] / claripy.ZeroExt(self._from_size - self._to_size, args[1]))
remainder = (args[0] % claripy.ZeroExt(self._from_size - self._to_size, args[1]))
quotient_size = self._to_size
remainder_size = self._to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient)
)
def open_session(state):
# 1st Lifecycle: TA_OpenSessionEntryPoint
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.OPEN_SESSION, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for OpenSession
test = True
if test:
param2_buf = b"\x00\x00\x00\x00"
param3_buf = b"/system/bin/tee_test_store\x00"
else:
signature = "" \
+ "E02C5AB97A2B3A8A5996223CDE06B82B2D4FF5B15CAF65B860D5C7A3D68995AB08620BB75A22FE7673A8A1ABA03E17B651D1FC4D5CBDBAE9E7" \
+ "3EEEAF5A1D4D2FB73E7000231E0DB2166D0FC5DD97E705FD66546C9DA38ED4EFA2CCCDD238AD32E39821242B0195DF01D9B97242DBF209EDA8" \
+ "E446E043244B84E6BFCA79D7BB3C1924CDD248EDBD600EFF8F73001A89A4C663DB8970E3288B9431524C361E853B8FA29E04E61EBE6FBDBD87" \
+ "CDBD3EEB47B027B5851BDEAA13A23F43967A030E747EA432652CBB34FDDE61049BF5060C813FB0E93F6BAD9D36F4D4551195EA3BB49E9201AA" \
+ "6DF975AE169E214905DE2579D7CC3C3EAC4594B14AC19D7E39C5C267"
signature_bytes = bytes.fromhex(signature)
exponent = struct.pack("<I", 0x0) + b"\x03"
param2_buf = struct.pack(
"<I", len(signature_bytes)) + signature_bytes + exponent
param3_buf = b"com.huawei.hidisk\x00"
param2_len = claripy.BVV(len(param2_buf), 32).append_annotation(
UserInput("param2_len_open_session"))
param3_len = claripy.BVV(len(param3_buf) - 1, 32).append_annotation(
UserInput("param3_len_open_session")) # -1 because of nullbyte
param2_buf = claripy.BVV(param2_buf,
len(param2_buf) * 8).append_annotation(
UserInput("param2_buf_open_session"))
param3_buf = claripy.BVV(param3_buf,
len(param3_buf) * 8).append_annotation(
UserInput("param3_buf_open_session"))
param2_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param2_type_open_session"))
param3_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param3_type_open_session"))
param0 = TCParam(TEECParamType.TEEC_NONE, None, None)
param1 = TCParam(TEECParamType.TEEC_NONE, None, None)
param2 = TCParam(param2_type, param2_buf, param2_len)
param3 = TCParam(param3_type, param3_buf, param3_len)
params = TCParams(param0, param1, param2, param3)
invoke_cmd_id = 0
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def test_zeroext_extract_comparing_against_constant_simplifier():
a = claripy.BVS('a', 8, explicit_name=True)
b = claripy.BVV(0x28, 16)
expr = claripy.Extract(15, 0, claripy.ZeroExt(24, a)) == b
assert expr is (a == claripy.BVV(0x28, 8))
expr = claripy.Extract(7, 0, claripy.ZeroExt(24,
a)) == claripy.BVV(0x28, 8)
assert expr is (a == claripy.BVV(0x28, 8))
expr = claripy.Extract(7, 0, claripy.ZeroExt(1, a)) == claripy.BVV(0x28, 8)
assert expr is (a == claripy.BVV(0x28, 8))
expr = claripy.Extract(6, 0, claripy.ZeroExt(24,
a)) == claripy.BVV(0x28, 7)
assert expr.op == "__eq__"
assert expr.args[0].op == "Extract" and expr.args[0].args[
0] == 6 and expr.args[0].args[1] == 0
assert expr.args[0].args[2] is a
assert expr.args[1].args == (0x28, 7)
expr = claripy.Extract(15, 0, claripy.Concat(claripy.BVV(0, 48), a)) == b
assert expr is (a == claripy.BVV(0x28, 8))
bb = claripy.BVV(0x28, 24)
d = claripy.BVS('d', 8, explicit_name=True)
expr = claripy.Extract(23, 0, claripy.Concat(claripy.BVV(0, 24), d)) == bb
assert expr is (d == claripy.BVV(0x28, 8))
dd = claripy.BVS('dd', 23, explicit_name=True)
expr = claripy.Extract(23, 0, claripy.Concat(claripy.BVV(0, 2), dd)) == bb
assert expr is (dd == claripy.BVV(0x28, 23))
# this was incorrect before
# claripy issue #201
expr = claripy.Extract(31, 8,
claripy.Concat(claripy.BVV(0, 24),
dd)) == claripy.BVV(0xffff, 24)
assert expr is not (dd == claripy.BVV(0xffff, 23))
def test_complex_case_2():
x = claripy.BVS('x', 32)
expr = claripy.ZeroExt(
31,
claripy.If(
claripy.BVV(0xc, 32) < x, claripy.BVV(1, 1),
claripy.BVV(0, 1))) == claripy.BVV(0, 32)
s, r = claripy.balancer.Balancer(claripy.backends.vsa, expr).compat_ret
assert s is True
assert len(r) == 1
assert r[0][0] is x
def _handle_DivMod(self, expr):
arg0, arg1 = expr.args
r0 = self._expr(arg0)
r1 = self._expr(arg1)
result_size = expr.result_size(self.tyenv)
if r0.data.concrete and r1.data.concrete:
# constants
try:
signed = "U" in expr.op # Iop_DivModU64to32 vs Iop_DivMod
from_size = r0.data.size()
to_size = r1.data.size()
if signed:
quotient = (r0.data.SDiv(
claripy.SignExt(from_size - to_size, r1.data)))
remainder = (r0.data.SMod(
claripy.SignExt(from_size - to_size, r1.data)))
quotient_size = to_size
remainder_size = to_size
result = claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient))
else:
quotient = (r0.data //
claripy.ZeroExt(from_size - to_size, r1.data))
remainder = (r0.data %
claripy.ZeroExt(from_size - to_size, r1.data))
quotient_size = to_size
remainder_size = to_size
result = claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient))
return RichR(result)
except ZeroDivisionError:
pass
r = self.state.top(result_size)
return RichR(r)
def extend_size(self, o):
cur_size = o.size()
if cur_size < self._output_size_bits:
l.debug("Extending output of %s from %d to %d bits", self.name, cur_size, self._output_size_bits)
ext_size = self._output_size_bits - cur_size
if self._to_signed == 'S' or (self._from_signed == 'S' and self._to_signed is None):
return claripy.SignExt(ext_size, o)
else:
return claripy.ZeroExt(ext_size, o)
elif cur_size > self._output_size_bits:
__import__('ipdb').set_trace()
raise SimOperationError('output of %s is too big', self.name)
else:
return o
def test_complex_guy():
guy_wide = claripy.widen(
claripy.union(
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)),
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)) + claripy.BVV(1, 32)),
claripy.union(
claripy.union(
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)),
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)) + claripy.BVV(1, 32)),
claripy.union(
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)),
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)) + claripy.BVV(1, 32)) +
claripy.BVV(1, 32)))
guy_inc = guy_wide + claripy.BVV(1, 32)
guy_zx = claripy.ZeroExt(32, guy_inc)
s, r = claripy.balancer.Balancer(claripy.backends.vsa,
guy_inc <= claripy.BVV(39, 32)).compat_ret
assert s
assert r[0][0] is guy_wide
assert claripy.backends.vsa.min(r[0][1]) == 0
assert set(claripy.backends.vsa.eval(r[0][1], 1000)) == set([4294967295] +
range(39))
s, r = claripy.balancer.Balancer(claripy.backends.vsa,
guy_zx <= claripy.BVV(39, 64)).compat_ret
assert r[0][0] is guy_wide
assert claripy.backends.vsa.min(r[0][1]) == 0
assert set(claripy.backends.vsa.eval(r[0][1], 1000)) == set([4294967295] +
range(39))
def close_session(cls, state):
""" 7th Lifecylce: TA_CloseSessionEntryPoint """
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.CLOSE_SESSION, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for CloseSession
param0 = TCParam(TEECParamType.TEEC_NONE, None, None)
param1 = TCParam(TEECParamType.TEEC_NONE, None, None)
param2 = TCParam(TEECParamType.TEEC_NONE, None, None)
param3 = TCParam(TEECParamType.TEEC_NONE, None, None)
params = TCParams(param0, param1, param2, param3)
invoke_cmd_id = 0
param_types = claripy.ZeroExt(16, params.get_param_type())
cls.prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def extend_size(self, o):
cur_size = o.size()
if cur_size == self._output_size_bits:
return o
if cur_size < self._output_size_bits:
ext_size = self._output_size_bits - cur_size
if self._to_signed == 'S' or (self._from_signed == 'S'
and self._to_signed is None):
return claripy.SignExt(ext_size, o)
else:
return claripy.ZeroExt(ext_size, o)
# if cur_size > self._output_size_bits:
# breakpoint here. it should never happen!
__import__('ipdb').set_trace()
raise SimOperationError('output of %s is too big' % self.name)
def test_complex_case_1():
#
"""
<Bool (0#31 .. (if (0x8 < (0#32 .. (0xfffffffe + reg_284_0_32{UNINITIALIZED}))) then 1 else 0)) == 0x0>
Created by VEX running on the following S390X assembly:
0x40062c: ahik %r2, %r11, -2
0x400632: clijh %r2, 8, 0x40065c
IRSB {
t0:Ity_I32 t1:Ity_I32 t2:Ity_I32 t3:Ity_I32 t4:Ity_I32 t5:Ity_I32 t6:Ity_I64 t7:Ity_I64 t8:Ity_I64 t9:Ity_I64 t10:Ity_I32 t11:Ity_I1 t12:Ity_I64 t13:Ity_I64 t14:Ity_I64 t15:Ity_I32 t16:Ity_I1
00 | ------ IMark(0x40062c, 6, 0) ------
01 | t0 = GET:I32(r11_32)
02 | t1 = Add32(0xfffffffe,t0)
03 | PUT(352) = 0x0000000000000003
04 | PUT(360) = 0xfffffffffffffffe
05 | t13 = 32Sto64(t0)
06 | t7 = t13
07 | PUT(368) = t7
08 | PUT(376) = 0x0000000000000000
09 | PUT(r2_32) = t1
10 | PUT(ia) = 0x0000000000400632
11 | ------ IMark(0x400632, 6, 0) ------
12 | t14 = 32Uto64(t1)
13 | t8 = t14
14 | t16 = CmpLT64U(0x0000000000000008,t8)
15 | t15 = 1Uto32(t16)
16 | t10 = t15
17 | t11 = CmpNE32(t10,0x00000000)
18 | if (t11) { PUT(ia) = 0x40065c; Ijk_Boring }
NEXT: PUT(ia) = 0x0000000000400638; Ijk_Boring
}
"""
x = claripy.BVS('x', 32)
expr = claripy.ZeroExt(
31,
claripy.If(
claripy.BVV(0x8, 32) < claripy.BVV(0xfffffffe, 32) + x,
claripy.BVV(1, 1), claripy.BVV(0, 1))) == claripy.BVV(0, 32)
s, r = claripy.balancer.Balancer(claripy.backends.vsa, expr).compat_ret
assert s is True
assert len(r) == 1
assert r[0][0] is x
def _ail_handle_Div(self, expr):
arg0, arg1 = expr.operands
r0 = self._expr(arg0)
r1 = self._expr(arg1)
from_size = expr.bits
to_size = r1.bits
if expr.signed:
remainder = r0.data.SMod(claripy.SignExt(from_size - to_size, r1.data))
else:
remainder = r0.data % claripy.ZeroExt(from_size - to_size, r1.data)
return RichR(remainder,
# typevar=r0.typevar, # FIXME: Handle typevars for Div
)
def test_complex_guy():
guy_wide = claripy.widen(
claripy.union(
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)),
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)) + claripy.BVV(1, 32)),
claripy.union(
claripy.union(
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)),
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)) + claripy.BVV(1, 32)),
claripy.union(
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)),
claripy.union(
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)),
claripy.union(claripy.BVV(0L, 32), claripy.BVV(1, 32)) +
claripy.BVV(1, 32)) + claripy.BVV(1, 32)) +
claripy.BVV(1, 32)))
guy_inc = guy_wide + claripy.BVV(1, 32)
guy_zx = claripy.ZeroExt(32, guy_inc)
s, r = claripy.balancer.Balancer(claripy.backends.vsa,
guy_inc <= claripy.BVV(39, 32)).compat_ret
assert s
assert r[0][0] is guy_wide
assert claripy.backends.vsa.min(r[0][1]) == 0
assert claripy.backends.vsa.max(r[0][1]) == 38
s, r = claripy.balancer.Balancer(claripy.backends.vsa,
guy_zx <= claripy.BVV(39, 64)).compat_ret
assert r[0][0] is guy_wide
assert claripy.backends.vsa.min(r[0][1]) == 0
assert claripy.backends.vsa.max(r[0][1]) == 38
def fopen(state):
# 2nd Lifecycle: TA_InvokeCommandEntryPoint
# FOPEN
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.INVOKE_COMMAND, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for InvokeCommand
invoke_cmd_id = claripy.BVV(InvokeCommandIds.FOPEN, 32).append_annotation(
UserInput("invoke_cmd_id")) # cmd_id for FOPEN in InvokeCommand
param0_buf = b"sec_storage_data/test\x00"
param0_len = claripy.BVV(len(param0_buf) - 1, 32).append_annotation(
UserInput(src="param0_len_fopen")) # -1 because of nullbyte
param0_buf = claripy.BVV(param0_buf,
len(param0_buf) * 8).append_annotation(
UserInput("param0_buf_fopen"))
param0_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param0_type_fopen"))
param1_a = claripy.BVV(
DataFlags.TEE_DATA_FLAG_ACCESS_READ
| DataFlags.TEE_DATA_FLAG_ACCESS_WRITE
| DataFlags.TEE_DATA_FLAG_CREATE,
32).append_annotation(UserInput("param1_a_fopen_flags"))
param1_b = claripy.BVV(0,
32).append_annotation(UserInput("param1_b_fopen"))
param1_type = claripy.BVV(TEECParamType.TEEC_VALUE_INPUT,
16).append_annotation(
UserInput("param1_type_fopen"))
param0 = TCParam(param0_type, param0_buf, param0_len)
param1 = TCParam(param1_type, param1_a, param1_b)
param0 = create_empty_param("fopen_0", True)
param1 = create_empty_param("fopen_1", True)
param2 = create_empty_param("fopen_2", True)
param3 = create_empty_param("fopen_3", True)
params = TCParams(param0, param1, param2, param3)
store_symbolic_params(state, params)
param_types = claripy.ZeroExt(16, params.get_param_type())
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def extend_size(self, o):
cur_size = o.size()
target_size = self._output_size_bits
if self._vector_count is not None:
# phrased this awkward way to account for vectorized widening multiply
target_size //= self._vector_count
if cur_size == target_size:
return o
if cur_size < target_size:
ext_size = target_size - cur_size
if self._to_signed == 'S' or (self._to_signed is None and self._from_signed == 'S') or (self._to_signed is None and self._vector_signed == 'S'):
return claripy.SignExt(ext_size, o)
else:
return claripy.ZeroExt(ext_size, o)
# if cur_size > target_size:
# it should never happen!
raise SimOperationError('output of %s is too big' % self.name)
def close_session(cls, state):
""" 7th Lifecylce: TA_CloseSessionEntryPoint """
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.CLOSE_SESSION, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for CloseSession
param0 = cls.create_empty_param()
param1 = cls.create_empty_param()
param2 = cls.create_empty_param()
param3 = cls.create_empty_param()
params = TCParams(param0, param1, param2, param3)
invoke_cmd_id = 0
cls.store_symbolic_params(state, params)
param_types = claripy.ZeroExt(16, params.get_param_type())
cls.prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
def open_session(state):
# 1st Lifecycle: TA_OpenSessionEntryPoint
lifecylce_cmd_id = claripy.BVV(
LifecycleCommandIds.OPEN_SESSION, 32).append_annotation(
UserInput("lifecycle_cmd_id")) # cmd_id for OpenSession
param2_len = claripy.BVS("param2_len", 32).append_annotation(
UserInput("param2_len_open_session"))
param3_len = claripy.BVS("param3_len", 32).append_annotation(
UserInput("param3_len_open_session")) # -1 because of nullbyte
state.solver.add(claripy.And(param2_len >= 0, param2_len <= MAX_STRLEN))
state.solver.add(claripy.And(param3_len >= 0, param3_len <= MAX_STRLEN))
param2_buf = claripy.BVS("param2_buf", MAX_STRLEN * 8).append_annotation(
UserInput("param2_buf_open_session"))
param3_buf = claripy.BVS("param3_buf", MAX_STRLEN * 8).append_annotation(
UserInput("param3_buf_open_session"))
param2_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param2_type_open_session"))
param3_type = claripy.BVV(TEECParamType.TEEC_MEMREF_TEMP_INPUT,
16).append_annotation(
UserInput("param3_type_open_session"))
"""
param2_type = claripy.BVS("param2_type", 16).append_annotation(UserInput("param2_type_open_session"))
param3_type = claripy.BVS("param3_type", 16).append_annotation(UserInput("param3_type_open_session"))
"""
param0 = TCParam(TEECParamType.TEEC_NONE, None, None)
param1 = TCParam(TEECParamType.TEEC_NONE, None, None)
param2 = TCParam(param2_type, param2_buf, param2_len, True)
param3 = TCParam(param3_type, param3_buf, param3_len, True)
params = TCParams(param0, param1, param2, param3)
invoke_cmd_id = 0
store_symbolic_params(state, params)
param_types = claripy.ZeroExt(16, params.get_param_type(
)) # param_types has 16 bit, but needs to be extended to architecture size
# TODO: store param_types to symbolics here
prepare_msg_recv_return(state, lifecylce_cmd_id, invoke_cmd_id,
param_types, params)
