def reset(self):
    """Re-initialise the Triton engines and restore the saved machine state.

    Resets the engines and drops the accumulated path constraints, re-selects
    ``self.arch``, re-applies the analysis modes and the two callbacks, then:
    reloads every register in ``self.regs`` that has a Triton counterpart in
    ``self.triton_regs`` (value masked to the register's bit width), replays
    the module-level ``cache`` regions through ``self.write_mem`` and
    re-symbolises every input byte recorded in ``self.inputs``.

    Side effects: global Triton state, and ``self.inputs`` values are replaced
    by the fresh symbolic variables. Returns None.
    """
    triton.resetEngines()
    triton.clearPathConstraints()
    triton.setArchitecture(self.arch)

    # Analysis modes.  NOTE(review): ONLY_ON_SYMBOLIZED only builds expressions
    # for symbolised data, i.e. it trades completeness for speed -- confirm
    # that is acceptable for the property this analysis is meant to check.
    for mode in (triton.MODE.ALIGNED_MEMORY, triton.MODE.ONLY_ON_SYMBOLIZED):
        triton.enableMode(mode, True)

    # NOTE(review): callbacks are registered on every reset; whether
    # resetEngines() drops the previously registered ones is not visible
    # here -- confirm they do not accumulate across resets.
    triton.addCallback(self.memoryCaching, triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE)
    triton.addCallback(self.constantFolding, triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)

    # Restore the registers Triton knows about.  A saved value wider than the
    # register is silently truncated by the mask, never rejected.
    for name in self.regs:
        if name not in self.triton_regs:
            continue
        reg = self.triton_regs[name]
        width_mask = (1 << reg.getBitSize()) - 1
        triton.setConcreteRegisterValue(triton.Register(reg, self.regs[name] & width_mask))

    # Replay the memory snapshot (``cache`` is a module-level sequence of
    # {'start': ..., 'data': ...} regions; presumably populated by the
    # memoryCaching callback -- verify against the caller).
    for region in cache:
        self.write_mem(region['start'], region["data"])

    # Re-symbolise each input byte, updating the dict in place so the
    # address keys keep their order.
    for address in self.inputs:
        access = triton.MemoryAccess(address, triton.CPUSIZE.BYTE)
        self.inputs[address] = triton.convertMemoryToSymbolicVariable(access)
def reset(self):
    """Rebuild the Triton analysis state from the saved snapshot.

    Order of operations (each step depends on the previous one):
      1. reset engines, clear path constraints, set ``self.arch``;
      2. enable ALIGNED_MEMORY and ONLY_ON_SYMBOLIZED;
      3. hook ``self.memoryCaching`` on GET_CONCRETE_MEMORY_VALUE and
         ``self.constantFolding`` on SYMBOLIC_SIMPLIFICATION;
      4. write back every register of ``self.regs`` present in
         ``self.triton_regs``, masked to its width;
      5. replay the module-level ``cache`` regions via ``self.write_mem``;
      6. turn every address in ``self.inputs`` into a one-byte symbolic
         variable, storing the variable back into ``self.inputs``.

    Returns None; all effects are on global Triton state and ``self.inputs``.
    """

    def _fit(value, reg):
        # Truncate to the register width -- out-of-range snapshot values are
        # cut down silently rather than reported.
        return value & ((1 << reg.getBitSize()) - 1)

    triton.resetEngines()
    triton.clearPathConstraints()
    triton.setArchitecture(self.arch)

    triton.enableMode(triton.MODE.ALIGNED_MEMORY, True)
    # NOTE(review): ONLY_ON_SYMBOLIZED skips expressions for fully concrete
    # data; acceptable for speed, but confirm nothing relied on is lost.
    triton.enableMode(triton.MODE.ONLY_ON_SYMBOLIZED, True)

    # NOTE(review): re-registered on every reset; confirm resetEngines()
    # clears earlier registrations so the callbacks do not stack up.
    triton.addCallback(self.memoryCaching, triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE)
    triton.addCallback(self.constantFolding, triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)

    for reg_name in self.regs:
        if reg_name in self.triton_regs:
            triton_reg = self.triton_regs[reg_name]
            concrete = _fit(self.regs[reg_name], triton_reg)
            triton.setConcreteRegisterValue(triton.Register(triton_reg, concrete))

    # ``cache`` is a module-level sequence of regions -- TODO confirm where it
    # is populated (looks like the memoryCaching callback).
    for region in cache:
        start, data = region['start'], region["data"]
        self.write_mem(start, data)

    for input_addr in self.inputs:
        byte_access = triton.MemoryAccess(input_addr, triton.CPUSIZE.BYTE)
        self.inputs[input_addr] = triton.convertMemoryToSymbolicVariable(byte_access)
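# 0x400597: mov ecx, eax
# 0x400599: mov rdx, qword ptr [rip+0x200aa0]
# 0x4005a0: mov eax, dword ptr [rbp-0x4]
# 0x4005a3: cdqe
# 0x4005a5: add rax, rdx
# 0x4005a8: movzx eax, byte ptr [rax]
# 0x4005ab: movsx eax, al
# 0x4005ae: cmp ecx, eax
# 0x4005b0: jz 0x4005b9
# 0x4005b2: mov eax, 0x1
# 0x4005b7: jmp 0x4005c8
# 0x4005c8: pop rbp
# loose
# $


def cafter(instruction):
    """AFTER-callback: echo the address and disassembly of the instruction just run.

    ``instruction`` is the object Triton hands to the AFTER callback; only its
    ``address`` and ``assembly`` attributes are read.  Returns None.
    """
    # print() with a single parenthesised argument behaves the same on
    # Python 2 and 3; the original Python 2 print statement is a SyntaxError
    # under Python 3.
    print('%#x: %s' % (instruction.address, instruction.assembly))


if __name__ == '__main__':
    # Analyse the 0x56d..0x5c9 offset window only (the comment elsewhere in
    # the page quotes it as 0x40056d-0x4005c9, i.e. relative to a 0x400000
    # base -- presumably; verify against the loaded binary).
    triton.startAnalysisFromOffset(0x56d)
    triton.stopAnalysisFromOffset(0x5c9)
    # Every emulated instruction inside the window is reported by cafter.
    triton.addCallback(cafter, triton.IDREF.CALLBACK.AFTER)
    triton.runProgram()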
import triton


def fini():
    """FINI-callback: write the recorded trace out once the program finishes.

    NOTE(review): ``trace.log`` is a fixed name relative to the current
    working directory, so the trace lands wherever the tool is launched from.
    What the trace contains -- and therefore how sensitive it is -- is decided
    by ``triton.saveTrace`` and is not visible here; confirm before sharing
    the file.  Returns None.
    """
    trace_path = 'trace.log'
    triton.saveTrace(trace_path)


if __name__ == '__main__':
    # Instrument only the 'check' function of the target binary.
    triton.startAnalysisFromSymbol('check')
    # Hook the end of the run so the trace is flushed to disk.
    triton.addCallback(fini, triton.IDREF.CALLBACK.FINI)
    # Hands control to the instrumentation; does not return.
    triton.runProgram()
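# 0x400594: xor eax, 0x55
# 0x400597: mov ecx, eax
# 0x400599: mov rdx, qword ptr [rip+0x200aa0]
# 0x4005a0: mov eax, dword ptr [rbp-0x4]
# 0x4005a3: cdqe
# 0x4005a5: add rax, rdx
# 0x4005a8: movzx eax, byte ptr [rax]
# 0x4005ab: movsx eax, al
# 0x4005ae: cmp ecx, eax
# 0x4005b0: jz 0x4005b9
# 0x4005b2: mov eax, 0x1
# 0x4005b7: jmp 0x4005c8
# 0x4005c8: pop rbp
# loose
# $


def cafter(instruction):
    """AFTER-callback: print "<address>: <disassembly>" for the instruction just run.

    ``instruction`` is the object Triton passes to the AFTER callback; only
    ``getAddress()`` and ``getDisassembly()`` are called on it.  Returns None.
    """
    # print() with one parenthesised argument works identically on Python 2
    # and 3; the original Python 2 print statement does not parse on Python 3.
    print('%#x: %s' % (instruction.getAddress(), instruction.getDisassembly()))


if __name__ == '__main__':
    # Restrict the analysis to the 0x56d..0x5c9 offset window (quoted as
    # 0x40056d-0x4005c9 in the page comment, i.e. presumably a 0x400000 base
    # -- verify against the loaded binary).
    triton.startAnalysisFromOffset(0x56d)
    triton.stopAnalysisFromOffset(0x5c9)
    # cafter runs after every emulated instruction inside the window.
    triton.addCallback(cafter, triton.IDREF.CALLBACK.AFTER)
    triton.runProgram()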