def __init__(self):
# Build and initialize a TritonContext.
self.triton_ctx = triton.TritonContext()
self.triton_ctx.setArchitecture(triton.ARCH.X86_64)
self.triton_ctx.setMode(triton.MODE.ALIGNED_MEMORY, True)
self.triton_ctx.setAstRepresentationMode(
triton.AST_REPRESENTATION.PYTHON)
def __init__(self, context=None):
self.r2p = None
self.comments = {}
self.arch = None
self.inputs = collections.OrderedDict()
self.regs = {}
self.triton_regs = {}
self.commands = {}
self.last_symjump = None
self.input_type = None
self.breakpoints = list()
self.r2p = R2("pimp")
arch = self.r2p.arch
bits = self.r2p.bits
self.arch = tritonarch[arch][bits]
self.trace = collections.Counter()
self.triton = triton.TritonContext()
self.triton.setArchitecture(self.arch)
self.triton.setAstRepresentationMode(triton.AST_REPRESENTATION.PYTHON)
# Hack in order to be able to get triton register ids by name
for r in self.triton.getAllRegisters():
self.triton_regs[r.getName()] = r
if self.arch == triton.ARCH.X86:
self.pcreg = self.triton.registers.eip
elif self.arch == triton.ARCH.X86_64:
self.pcreg = self.triton.registers.rip
else:
raise (ValueError("Architecture not implemented"))
setattr(self.memoryCaching, "memsolver", self.r2p)
def __init__(self):
self.simplifications = set()
self.tc = triton.TritonContext()
self.tc.setArchitecture(triton.ARCH.X86_64)
self.tc.setMode(triton.MODE.ALIGNED_MEMORY, True)
self.ks = keystone.Ks(keystone.KS_ARCH_X86, keystone.KS_MODE_64)
self.tc.addCallback(self.simplify, triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)
self.tc.setMode(triton.MODE.SYMBOLIZE_INDEX_ROTATION, True)
self.pc = self.tc.registers.rip
self.sp = self.tc.registers.rsp
self.psize = triton.CPUSIZE.QWORD
self.ret = self.tc.registers.rax
self.tc.setAstRepresentationMode(triton.AST_REPRESENTATION.PYTHON)
self.regs = [
self.tc.registers.rdi,
self.tc.registers.rsi,
self.tc.registers.rdx,
self.tc.registers.rcx,
self.tc.registers.r8,
self.tc.registers.r9
]
self.syscall_regs = [
self.tc.registers.rax,
self.tc.registers.rbx,
self.tc.registers.rcx,
self.tc.registers.rdx,
self.tc.registers.rsi,
self.tc.registers.rdi,
]
self.ret_types = set([triton.OPCODE.X86.RET])
self.call_types = set([triton.OPCODE.X86.CALL, triton.OPCODE.X86.LCALL])
self.conditional_branch_types = set([
triton.OPCODE.X86.JA,
triton.OPCODE.X86.JBE,
triton.OPCODE.X86.JECXZ,
triton.OPCODE.X86.JL,
triton.OPCODE.X86.JNE,
triton.OPCODE.X86.JNS,
triton.OPCODE.X86.JRCXZ,
triton.OPCODE.X86.JAE,
triton.OPCODE.X86.JCXZ,
triton.OPCODE.X86.JG,
triton.OPCODE.X86.JLE,
triton.OPCODE.X86.JNO,
triton.OPCODE.X86.JO,
triton.OPCODE.X86.JS,
triton.OPCODE.X86.JB,
triton.OPCODE.X86.JE,
triton.OPCODE.X86.JGE,
triton.OPCODE.X86.JNP,
triton.OPCODE.X86.JP
])
self.branch_types = set()
self.branch_types.update(self.conditional_branch_types)
self.branch_types.add(triton.OPCODE.X86.JMP)
def enable_uninitialized_memory_tracker(ql):
# Build and initialize a TritonContext.
ql.triton_ctx = triton.TritonContext()
ql.triton_ctx.setArchitecture(triton.ARCH.X86_64)
ql.triton_ctx.setMode(triton.MODE.ALIGNED_MEMORY, True)
ql.triton_ctx.setAstRepresentationMode(triton.AST_REPRESENTATION.PYTHON)
ql.set_api("SetMem", SetMem_propagate_taint, QL_INTERCEPT.EXIT)
ql.set_api("CopyMem", CopyMem_propagate_taint, QL_INTERCEPT.EXIT)
ql.set_api("SetVariable", SetVariable_propagate_taint, QL_INTERCEPT.EXIT)
ql.set_api("GetVariable", GetVariable_propagate_taint, QL_INTERCEPT.EXIT)
ql.set_api("AllocatePool", AllocatePool_propagate_taint, QL_INTERCEPT.EXIT)
def hook_opcode(ql, address, size):
global cs
# Read instruction.
buf = ql.mem.read(address, size)
instruction = next(cs.disasm(buf, address))
# We are looking for instructions which decrement the stack pointer.
(should_taint, decrement) = is_rsp_decrement(instruction)
if should_taint:
# Taint all stack memory from current rsp to new rsp.
set_taint_range(ql, ql.reg.arch_sp - decrement, ql.reg.arch_sp,
True)
# Sync Triton and Qiling.
sync_triton_ctx(ql)
# Process instruction, propagate taint.
inst = triton.Instruction()
inst.setAddress(address)
inst.setOpcode(bytes(buf))
ql.triton_ctx.processing(inst)
# Hook every opcode.
ql.hook_code(hook_opcode)
def test_urem(self):
code = [
"\xbf\xAB\x00\x00\x00", # mov edi, 0xAB
"\xf7\xff", # idiv edi
"\x83\xfa\x00" # cmp edx, 0x00
]
ctx = TT.TritonContext()
ctx.setArchitecture(TT.ARCH.X86_64)
TAst = ctx.getAstContext()
rax = ctx.convertRegisterToSymbolicVariable(ctx.registers.rax)
rax = tritonast2arybo(TAst.variable(rax))
rdx = ctx.convertRegisterToSymbolicVariable(ctx.registers.rdx)
rdx = tritonast2arybo(TAst.variable(rdx))
for opcodes in code:
inst = TT.Instruction(opcodes)
ctx.processing(inst)
exprs = ctx.sliceExpressions(ctx.getSymbolicRegisters()[TT.REG.X86_64.RDX])
e = tritonexprs2arybo(exprs)
to_llvm_function(e, [rax.v, rdx.v])
def test_exprs_xor_5C(self):
# Based on djo's example
# This is the xor_5C example compiled with optimisations for x86-4
code = [
"\x41\xB8\xE5\xFF\xFF\xFF",
"\x89\xF8",
"\xBA\x26\x00\x00\x00",
"\x41\x0F\xAF\xC0",
"\xB9\xED\xFF\xFF\xFF",
"\x89\xC7",
"\x89\xD0",
"\x83\xEF\x09",
"\x0F\xAF\xC7",
"\x89\xC2",
"\x89\xF8",
"\x0F\xAF\xC1",
"\xB9\x4B\x00\x00\x00",
"\x8D\x44\x02\x2A",
"\x0F\xB6\xC0",
"\x89\xC2",
"\xF7\xDA",
"\x8D\x94\x12\xFF\x00\x00\x00",
"\x81\xE2\xFE\x00\x00\x00",
"\x01\xD0",
"\x8D\x14\x00",
"\x8D\x54\x02\x4D",
"\x0F\xB6\xF2",
"\x6B\xF6\x56",
"\x83\xC6\x24",
"\x83\xE6\x46",
"\x89\xF0",
"\x0F\xAF\xC1",
"\xB9\xE7\xFF\xFF\xFF",
"\x89\xC6",
"\x89\xD0",
"\xBA\x3A\x00\x00\x00",
"\x0F\xAF\xC1",
"\x89\xC1",
"\x89\xD0",
"\x8D\x4C\x0E\x76",
"\xBE\x63\x00\x00\x00",
"\x0F\xAF\xC1",
"\x89\xC2",
"\x89\xC8",
"\x0F\xAF\xC6",
"\x83\xEA\x51",
"\xBE\x2D\x00\x00\x00",
"\x83\xE2\xF4",
"\x89\xC1",
"\x8D\x4C\x0A\x2E",
"\x89\xC8",
"\x25\x94\x00\x00\x00",
"\x01\xC0",
"\x29\xC8",
"\xB9\x67\x00\x00\x00",
"\x0F\xAF\xC1",
"\x8D\x48\x0D",
"\x0F\xB6\xD1",
"\x69\xD2\xAE\x00\x00\x00",
"\x83\xCA\x22",
"\x89\xD0",
"\x41\x0F\xAF\xC0",
"\x89\xC2",
"\x89\xC8",
"\x0F\xAF\xC6",
"\x8D\x44\x02\xC2",
"\x0F\xB6\xC0",
"\x2D\xF7\x00\x00\x00",
"\x69\xC0\xED\x00\x00\x00",
"\x0F\xB6\xC0",
]
ctx = TT.TritonContext()
ctx.setArchitecture(TT.ARCH.X86_64)
TAst = ctx.getAstContext()
rdi = ctx.convertRegisterToSymbolicVariable(ctx.registers.rdi)
rdi = tritonast2arybo(TAst.variable(rdi),use_exprs=False)
for opcodes in code:
inst = TT.Instruction(opcodes)
ctx.processing(inst)
rax_ast = ctx.buildSymbolicRegister(ctx.registers.rax)
rax_ast = ctx.unrollAst(rax_ast)
rax_ast = ctx.simplify(rax_ast, True)
# Check that this gives a xor 5C
e = tritonast2arybo(rax_ast,use_exprs=self.use_expr,use_esf=False)
if self.use_expr:
e = eval_expr(e)
self.assertEqual(e, ((rdi&0xff)^0x5C).vec)
import unittest
import random
import operator
from arybo.lib import MBA, simplify_inplace, expand_esf_inplace
from arybo.lib.mba_exprs import eval_expr
from arybo.lib.exprs_asm import to_llvm_function
from arybo.tools import tritonast2arybo, tritonexprs2arybo, triton_available
if triton_available:
import triton as TT
ctx = TT.TritonContext()
ctx.setArchitecture(TT.ARCH.X86)
TAst = ctx.getAstContext()
class TritonTest():
def setUp(self):
# Initialize the engine
self.mba8 = MBA(8)
self.mba16 = MBA(16)
self.mba8.use_esf = True
self.mba16.use_esf = True
# Useful variables using duringtests
self.x8_t = TAst.variable(ctx.newSymbolicVariable(8))
self.y8_t = TAst.variable(ctx.newSymbolicVariable(8))
self.x16_t = TAst.variable(ctx.newSymbolicVariable(16))
self.y16_t = TAst.variable(ctx.newSymbolicVariable(16))
self.x8 = self.mba8.var(self.x8_t.getValue())
self.y8 = self.mba8.var(self.y8_t.getValue())
self.x16 = self.mba16.var(self.x16_t.getValue())
#!/usr/bin/python2
import triton
BPATH = "xor.elf"
ENTRYPOINT = 0x0000000000401000
SOURCE = 0x0000000000401005
SINK = 0x0000000000401008
# Init Triton
ctx = triton.TritonContext()
ctx.setArchitecture(triton.ARCH.X86_64)
ctx.enableMode(triton.MODE.ALIGNED_MEMORY, True) # Symbolic optimization
ctx.setAstRepresentationMode(triton.AST_REPRESENTATION.PYTHON)
# Load segments into triton.
def loadBinary(path):
import lief
binary = lief.parse(path)
phdrs = binary.segments
for phdr in phdrs:
ctx.setConcreteMemoryAreaValue(phdr.virtual_address, phdr.content)
return
loadBinary(BPATH)
pc = ENTRYPOINT
while (pc):