def branch_cannot_be_taken(expression, jump_target):
# init solver
solver = Solver()
# init translator miasm ir -> z3
translator = TranslatorZ3()
# add constraint
solver.add(
translator.from_expr(expression) == translator.from_expr(jump_target))
# check for unsat
return solver.check() == unsat
def __init__(self,
oracle_path: Path,
enforce_equivalence: bool = False,
solver_timeout: int = 1):
"""
Intializes an instance of Simplifier.
Args:
oracle_path: File path to pre-computed simplification oracle.
enforce_equivalence: Flag to enforce semantic equivalence checks before replacements.
solver_timeout: SMT solver timeout in seconds.
"""
# public attributes
self.oracle = SimplificationOracle.load_from_file(oracle_path)
self.enforce_equivalence = enforce_equivalence
self.solver_timeout = solver_timeout
# internal attributes
self._translator_ast = AbstractSyntaxTreeTranslator()
self._translator_z3 = TranslatorZ3()
self._solver = z3.Solver()
self._global_variable_prefix = "global_reg"
# memory_expr = dse.memory_to_expr(0x40000004)
# sb.symbols[machine.mn.regs.EBP] = dse.eval_expr(memory_expr)
symbolic_pc = sb.run_at(ircfg, loc_db._offset_to_loc_key.keys()[0])
print('###### modified state step by step')
for step, info in enumerate(sb.info_ids):
print('###### step', step + 1)
print('\t', info[0])
print('\t### info_ids')
print('\t\t', info[1])
# for reg in info[1]:
# print('\t\t', reg, ':', info[1][reg])
print('\t### info_mems')
print('\t\t', sb.info_mems[step][1])
print()
translator = TranslatorZ3(endianness="<", loc_db=loc_db)
z3_expr_dict = dict()
print('###### z3_expr about variable step by step')
for step, info in enumerate(sb.info_ids):
z3_expr_dict[step + 1] = dict()
for variable in info[1]:
z3_expr_dict[step + 1][variable] = translator.from_expr(
info[1][variable])
for step in z3_expr_dict.keys():
print('###### step', step, sb.info_ids[step - 1][0])
for variable in z3_expr_dict[step]:
print('\t', variable, ':', z3_expr_dict[step][variable])
print()
#
# z3_expr_dst = translator.from_expr(ExprId('zf', 1))
# z3_expr_value = translator.from_expr(sb.info_ids[3][1][ExprId('zf', 1)])
from __future__ import print_function
import z3
from miasm.core.locationdb import LocationDB
from miasm.expression.expression import *
from miasm.ir.translators.z3_ir import Z3Mem, TranslatorZ3
# Some examples of use/unit tests.
loc_db = LocationDB()
translator1 = TranslatorZ3(endianness="<", loc_db=loc_db)
translator2 = TranslatorZ3(endianness=">", loc_db=loc_db)
def equiv(z3_expr1, z3_expr2):
s = z3.Solver()
s.add(z3.Not(z3_expr1 == z3_expr2))
return s.check() == z3.unsat
def check_interp(interp, constraints, bits=32, valbits=8):
"""Checks that a list of @constraints (addr, value) (as python ints)
match a z3 FuncInterp (@interp).
"""
constraints = dict(
(addr, z3.BitVecVal(val, valbits)) for addr, val in constraints)
l = interp.as_list()
for entry in l:
if not isinstance(entry, list) or len(entry) < 2:
continue
addr, value = entry[0], entry[1]
a = ExprId("a", 64)
b = ExprId('b', 32)
c = ExprId('c', 16)
d = ExprId('d', 8)
e = ExprId('e', 1)
left = ExprCond(e + ExprOp('parity', a), ExprMem(a * a, 64), ExprMem(a, 64))
cond = (ExprSlice(ExprSlice(ExprSlice(a, 0, 32) + b, 0, 16) * c, 0, 8) <<
ExprOp('>>>', d, ExprInt(0x5, 8)))
right = ExprCond(cond, a + ExprInt(0x64, 64), ExprInt(0x16, 64))
e = ExprAssign(left, right)
# initialise translators
t_z3 = TranslatorZ3()
t_smt2 = TranslatorSMT2()
# translate to z3
e_z3 = t_z3.from_expr(e)
# translate to smt2
smt2 = t_smt2.to_smt2([t_smt2.from_expr(e)])
# parse smt2 string with z3
smt2_z3 = parse_smt2_string(smt2)
# initialise SMT solver
s = Solver()
# prove equivalence of z3 and smt2 translation
s.add(e_z3 != smt2_z3)