Exemple #1
0
    def reset(self):
        triton.resetEngines()
        triton.clearPathConstraints()
        triton.setArchitecture(self.arch)

        triton.enableMode(triton.MODE.ALIGNED_MEMORY, True)
        triton.enableMode(triton.MODE.ONLY_ON_SYMBOLIZED, True)

        triton.addCallback(self.memoryCaching,
                           triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE)
        triton.addCallback(self.constantFolding,
                           triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)

        for r in self.regs:
            if r in self.triton_regs:
                triton.setConcreteRegisterValue(
                    triton.Register(self.triton_regs[r], self.regs[r] & ((1 << self.triton_regs[r].getBitSize()) - 1))
                )

        for m in cache:
            self.write_mem(m['start'], m["data"])

        for address in self.inputs:
                self.inputs[address] = triton.convertMemoryToSymbolicVariable(
                    triton.MemoryAccess(
                        address,
                        triton.CPUSIZE.BYTE
                    )
                )
Exemple #2
0
    def test_taint_assignement_memory_register(self):
        """Check tainting assignment memory <- register."""
        setArchitecture(ARCH.X86_64)

        taintMemory(MemoryAccess(0x2000, 8))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))

        taintAssignmentMemoryRegister(MemoryAccess(0x2002, 2), REG.AX)
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2004, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2005, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2006, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2007, 1)))

        taintMemory(MemoryAccess(0x2000, 8))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))

        taintAssignmentMemoryRegister(MemoryAccess(0x1fff, 8), REG.RAX)
        self.assertFalse(isMemoryTainted(MemoryAccess(0x1fff, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2004, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2005, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2006, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2007, 1)))
Exemple #3
0
    def reset(self):
        triton.resetEngines()
        triton.clearPathConstraints()
        triton.setArchitecture(self.arch)

        triton.enableMode(triton.MODE.ALIGNED_MEMORY, True)
        triton.enableMode(triton.MODE.ONLY_ON_SYMBOLIZED, True)

        triton.addCallback(self.memoryCaching,
                           triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE)
        triton.addCallback(self.constantFolding,
                           triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)

        for r in self.regs:
            if r in self.triton_regs:
                triton.setConcreteRegisterValue(
                    triton.Register(
                        self.triton_regs[r], self.regs[r] &
                        ((1 << self.triton_regs[r].getBitSize()) - 1)))

        for m in cache:
            self.write_mem(m['start'], m["data"])

        for address in self.inputs:
            self.inputs[address] = triton.convertMemoryToSymbolicVariable(
                triton.MemoryAccess(address, triton.CPUSIZE.BYTE))
Exemple #4
0
    def __init__(self, context=None):
        self.r2p = R2Plugin("pimp", self)
        arch = self.r2p.arch
        bits = self.r2p.bits
        self.comments = {}
        self.arch = tritonarch[arch][bits]

        self.inputs = {}
        self.regs = {}

        triton.setArchitecture(self.arch)
        triton.setAstRepresentationMode(triton.AST_REPRESENTATION.PYTHON)

        # Hack in order to be able to get triton register ids by name
        self.triton_regs = {}
        for r in triton.getAllRegisters():
            self.triton_regs[r.getName()] = r

        if self.arch == triton.ARCH.X86:
            self.pcreg = triton.REG.EIP
        elif self.arch == triton.ARCH.X86_64:
            self.pcreg = triton.REG.RIP
        else:
            raise (ValueError("Architecture not implemented"))

        setattr(self.memoryCaching, "memsolver", self.r2p)
Exemple #5
0
    def test_taint_union_register_memory(self):
        """Check tainting union register U memory."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))

        untaintRegister(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
        self.assertFalse(isRegisterTainted(REG.RAX))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))

        # !T U T
        untaintRegister(REG.RAX)
        taintMemory(MemoryAccess(0x2000, 4))
        taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))

        # T U T
        taintRegister(REG.RAX)
        taintMemory(MemoryAccess(0x2000, 4))
        taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
Exemple #6
0
    def test_taint_union_register_register(self):
        """Check tainting union register U register."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintUnionRegisterRegister(REG.RAX, REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertFalse(isRegisterTainted(REG.RBX))

        taintRegister(REG.RBX)
        taintUnionRegisterRegister(REG.RAX, REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isRegisterTainted(REG.RBX))

        untaintRegister(REG.RAX)
        taintRegister(REG.RBX)
        taintUnionRegisterRegister(REG.RAX, REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isRegisterTainted(REG.RBX))

        untaintRegister(REG.RAX)
        untaintRegister(REG.RBX)
        taintUnionRegisterRegister(REG.RAX, REG.RBX)
        self.assertFalse(isRegisterTainted(REG.RAX))
        self.assertFalse(isRegisterTainted(REG.RBX))
Exemple #7
0
    def test_taint_assignement_memory_register(self):
        """Check tainting assignment memory <- register."""
        setArchitecture(ARCH.X86_64)

        taintMemory(MemoryAccess(0x2000, 8))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))

        taintAssignmentMemoryRegister(MemoryAccess(0x2002, 2), REG.AX)
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2004, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2005, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2006, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2007, 1)))

        taintMemory(MemoryAccess(0x2000, 8))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))

        taintAssignmentMemoryRegister(MemoryAccess(0x1fff, 8), REG.RAX)
        self.assertFalse(isMemoryTainted(MemoryAccess(0x1fff, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2004, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2005, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2006, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2007, 1)))
Exemple #8
0
    def test_taint_union_register_memory(self):
        """Check tainting union register U memory."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))

        untaintRegister(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
        self.assertFalse(isRegisterTainted(REG.RAX))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))

        # !T U T
        untaintRegister(REG.RAX)
        taintMemory(MemoryAccess(0x2000, 4))
        taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))

        # T U T
        taintRegister(REG.RAX)
        taintMemory(MemoryAccess(0x2000, 4))
        taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
Exemple #9
0
    def test_taint_union_register_register(self):
        """Check tainting union register U register."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintUnionRegisterRegister(REG.RAX, REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertFalse(isRegisterTainted(REG.RBX))

        taintRegister(REG.RBX)
        taintUnionRegisterRegister(REG.RAX, REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isRegisterTainted(REG.RBX))

        untaintRegister(REG.RAX)
        taintRegister(REG.RBX)
        taintUnionRegisterRegister(REG.RAX, REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isRegisterTainted(REG.RBX))

        untaintRegister(REG.RAX)
        untaintRegister(REG.RBX)
        taintUnionRegisterRegister(REG.RAX, REG.RBX)
        self.assertFalse(isRegisterTainted(REG.RAX))
        self.assertFalse(isRegisterTainted(REG.RBX))
Exemple #10
0
    def test_taint_union_memory_memory(self):
        """Check tainting union memory U memory."""
        setArchitecture(ARCH.X86_64)

        taintMemory(MemoryAccess(0x2000, 4))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))

        taintUnionMemoryMemory(MemoryAccess(0x2000, 4),
                               MemoryAccess(0x3000, 4))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x3000, 4)))

        untaintMemory(MemoryAccess(0x2000, 4))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))

        taintUnionMemoryMemory(MemoryAccess(0x2000, 4),
                               MemoryAccess(0x3000, 4))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x3000, 4)))

        taintMemory(MemoryAccess(0x3000, 4))
        taintUnionMemoryMemory(MemoryAccess(0x2000, 4),
                               MemoryAccess(0x3000, 4))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x3000, 4)))
Exemple #11
0
    def test_taint_assignement_memory_memory(self):
        """Check tainting assignment memory <- memory."""
        setArchitecture(ARCH.X86_64)

        taintMemory(MemoryAccess(0x2000, 1))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))

        taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1),
                                    MemoryAccess(0x2000, 1))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x1000, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))

        taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1),
                                    MemoryAccess(0x3000, 1))
        taintAssignmentMemoryMemory(MemoryAccess(0x2000, 1),
                                    MemoryAccess(0x3000, 1))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x1000, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))

        taintMemory(MemoryAccess(0x2000, 4))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))

        taintAssignmentMemoryMemory(MemoryAccess(0x2001, 2),
                                    MemoryAccess(0x3000, 1))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
Exemple #12
0
    def __init__(self, context=None):
        self.r2p = None
        self.comments = {}
        self.arch = None
        self.inputs = collections.OrderedDict()
        self.regs = {}
        self.triton_regs = {}
        self.commands = {}
        self.last_symjump = None
        self.input_type = None

        self.r2p = R2("pimp")
        arch = self.r2p.arch
        bits = self.r2p.bits
        self.arch = tritonarch[arch][bits]
        self.trace = collections.Counter()


        triton.setArchitecture(self.arch)
        triton.setAstRepresentationMode(triton.AST_REPRESENTATION.PYTHON)

        # Hack in order to be able to get triton register ids by name
        for r in triton.getAllRegisters():
            self.triton_regs[r.getName()] = r

        if self.arch == triton.ARCH.X86:
            self.pcreg = triton.REG.EIP
        elif self.arch == triton.ARCH.X86_64:
            self.pcreg = triton.REG.RIP
        else:
            raise(ValueError("Architecture not implemented"))

        setattr(self.memoryCaching, "memsolver", self.r2p)
Exemple #13
0
 def test_xmm_on_x86(self):
     """Check xmm on 32 bits arch."""
     setArchitecture(ARCH.X86)
     xmm = Register(REG.XMM1, 0x112233445566778899aabbccddeeff00)
     self.assertEqual(xmm.getBitSize(), 128)
     self.assertEqual(xmm.getConcreteValue(),
                      0x112233445566778899aabbccddeeff00)
Exemple #14
0
 def test_xmm_on_x86(self):
     """Check xmm on 32 bits arch."""
     setArchitecture(ARCH.X86)
     xmm = Register(REG.XMM1, 0x112233445566778899aabbccddeeff00)
     self.assertEqual(xmm.getBitSize(), 128)
     self.assertEqual(xmm.getConcreteValue(),
                      0x112233445566778899aabbccddeeff00)
Exemple #15
0
    def test_parent(self):
        """Check parent register on multiple arch."""
        self.assertEqual(self.reg.getParent().getName(), "rax")

        setArchitecture(ARCH.X86)
        self.reg = REG.AH
        self.assertEqual(self.reg.getParent().getName(), "eax")
        self.assertEqual(self.reg.getParent().getBitSize(), 32)
Exemple #16
0
    def test_parent(self):
        """Check parent register on multiple arch."""
        self.assertEqual(self.reg.getParent().getName(), "rax")

        setArchitecture(ARCH.X86)
        self.reg = REG.AH
        self.assertEqual(self.reg.getParent().getName(), "eax")
        self.assertEqual(self.reg.getParent().getBitSize(), 32)
Exemple #17
0
 def setUp(self):
     """Define and process the instruction to test."""
     setArchitecture(ARCH.X86_64)
     self.inst = Instruction()
     self.inst.setOpcodes("\x48\x01\xd8")  # add rax, rbx
     self.inst.setAddress(0x400000)
     self.inst.updateContext(Register(REG.RAX, 0x1122334455667788))
     self.inst.updateContext(Register(REG.RBX, 0x8877665544332211))
     processing(self.inst)
Exemple #18
0
    def test_taint_assignement_register_immediate(self):
        """Check tainting assignment register <- immediate."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintAssignmentRegisterImmediate(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))
Exemple #19
0
    def test_taint_assignement_register_immediate(self):
        """Check tainting assignment register <- immediate."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintAssignmentRegisterImmediate(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))
Exemple #20
0
    def test_load_ds(self):
        """Check load from ds segment."""
        setArchitecture(ARCH.X86)

        inst = Instruction()
        # mov ax, ds:word_40213C
        inst.setOpcodes("\x66\xA1\x3C\x21\x40\x00")
        processing(inst)

        self.assertEqual(inst.getOperands()[1].getAddress(), 0x40213C)
        self.assertEqual(inst.getOperands()[1].getBitSize(), 16)
Exemple #21
0
    def test_taint_union_memory_immediate(self):
        """Check tainting union memory U immediate."""
        setArchitecture(ARCH.X86_64)

        taintMemory(MemoryAccess(0x2000, 4))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))

        taintUnionMemoryImmediate(MemoryAccess(0x2000, 4))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))

        untaintMemory(MemoryAccess(0x2000, 4))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
Exemple #22
0
    def test_known_issues(self):
        """Check tainting result after processing."""
        setArchitecture(ARCH.X86)

        taintRegister(REG.EAX)
        inst = Instruction()
        # lea eax,[esi+eax*1]
        inst.setOpcodes("\x8D\x04\x06")
        processing(inst)

        self.assertTrue(isRegisterTainted(REG.EAX))
        self.assertFalse(isRegisterTainted(REG.EBX))
Exemple #23
0
    def test_known_issues(self):
        """Check tainting result after processing."""
        setArchitecture(ARCH.X86)

        taintRegister(REG.EAX)
        inst = Instruction()
        # lea eax,[esi+eax*1]
        inst.setOpcodes("\x8D\x04\x06")
        processing(inst)

        self.assertTrue(isRegisterTainted(REG.EAX))
        self.assertFalse(isRegisterTainted(REG.EBX))
Exemple #24
0
    def test_taint_union_register_immediate(self):
        """Check tainting union register U immediate."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintUnionRegisterImmediate(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        untaintRegister(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))
        taintUnionRegisterImmediate(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))
Exemple #25
0
    def test_taint_union_register_immediate(self):
        """Check tainting union register U immediate."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintUnionRegisterImmediate(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        untaintRegister(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))
        taintUnionRegisterImmediate(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))
Exemple #26
0
    def setUp(self):
        # Initialize the engine
        TT.setArchitecture(TT.ARCH.X86)

        self.mba8 = MBA(8)
        self.mba16 = MBA(16)
        self.mba8.use_esf = True
        self.mba16.use_esf = True
        # Useful variables using duringtests
        self.x8_t = TAst.variable(TT.newSymbolicVariable(8))
        self.y8_t = TAst.variable(TT.newSymbolicVariable(8))
        self.x16_t = TAst.variable(TT.newSymbolicVariable(16))
        self.y16_t = TAst.variable(TT.newSymbolicVariable(16))
        self.x8 = self.mba8.var(self.x8_t.getValue())
        self.y8 = self.mba8.var(self.y8_t.getValue())
        self.x16 = self.mba16.var(self.x16_t.getValue())
        self.y16 = self.mba16.var(self.y16_t.getValue())
Exemple #27
0
    def test_load_immediate_fs(self):
        """Check load from fs segment with immediate."""
        setArchitecture(ARCH.X86_64)

        inst = Instruction()
        # mov eax, DWORD PTR fs:0xffffffffffffdf98
        inst.setOpcodes("\x64\x8B\x04\x25\x98\xDF\xFF\xFF")
        inst.setAddress(0x400000)

        setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
        processing(inst)

        self.assertTrue(inst.getLoadAccess())

        load, _ = inst.getLoadAccess()[0]
        self.assertEqual(load.getAddress(), 0x7fffda8a9698)
        self.assertEqual(load.getBitSize(), 32)
Exemple #28
0
    def test_taint_get_tainted_registers(self):
        """Get tainted registers"""
        setArchitecture(ARCH.X86_64)

        r = getTaintedRegisters()
        self.assertTrue(len(r) == 0)

        taintRegister(REG.EAX)
        taintRegister(REG.AX)
        taintRegister(REG.RBX)
        taintRegister(REG.CL)
        taintRegister(REG.DI)

        r = getTaintedRegisters()
        self.assertTrue(REG.RAX in r)
        self.assertTrue(REG.RBX in r)
        self.assertTrue(REG.RCX in r)
        self.assertTrue(REG.RDI in r)
Exemple #29
0
    def test_taint_get_tainted_registers(self):
        """Get tainted registers"""
        setArchitecture(ARCH.X86_64)

        r = getTaintedRegisters()
        self.assertTrue(len(r) == 0)

        taintRegister(REG.EAX)
        taintRegister(REG.AX)
        taintRegister(REG.RBX)
        taintRegister(REG.CL)
        taintRegister(REG.DI)

        r = getTaintedRegisters()
        self.assertTrue(REG.RAX in r)
        self.assertTrue(REG.RBX in r)
        self.assertTrue(REG.RCX in r)
        self.assertTrue(REG.RDI in r)
Exemple #30
0
    def test_pop_esp(self):
        """Check pop on esp processing."""
        setArchitecture(ARCH.X86)

        # mov esp, 0x19fe00
        inst1 = Instruction('\xBC\x00\xFE\x19\x00')
        # mov dword ptr [esp], 0x11111111
        inst2 = Instruction('\xC7\x04\x24\x11\x11\x11\x11')
        # pop dword ptr [esp]
        inst3 = Instruction('\x8F\x04\x24')
        processing(inst1)
        processing(inst2)
        processing(inst3)

        self.assertEqual(inst3.getOperands()[0].getAddress(), 0x19fe04, "esp has been poped")
        self.assertEqual(inst3.getOperands()[0].getConcreteValue(), 0x11111111, "new value is still 0x11111111")
        self.assertEqual(inst3.getStoreAccess()[0][0].getAddress(), 0x19fe04, "inst3 set the value in 0x19fe04")
        self.assertEqual(inst3.getStoreAccess()[0][1].evaluate(), 0x11111111, "And this value is 0x11111111")
Exemple #31
0
    def test_load_indirect_fs(self):
        """Check load from fs with indirect address."""
        setArchitecture(ARCH.X86_64)

        inst = Instruction()
        # mov rax, QWORD PTR fs:[rax]
        inst.setOpcodes("\x64\x48\x8B\x00")
        inst.setAddress(0x400000)

        setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
        setConcreteRegisterValue(Register(REG.RAX, 0xffffffffffffdf90))
        processing(inst)

        self.assertTrue(inst.getLoadAccess())

        load, _ = inst.getLoadAccess()[0]
        self.assertEqual(load.getAddress(), 0x7fffda8a9690)
        self.assertEqual(load.getBitSize(), 64)
Exemple #32
0
    def test_taint_assignement_register_memory(self):
        """Check tainting assignment register <- memory."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x2000, 8))
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintMemory(MemoryAccess(0x2000, 8))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))

        taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x2000, 8))
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x3000, 8))
        self.assertFalse(isRegisterTainted(REG.RAX))
Exemple #33
0
    def test_taint_register(self):
        """Check over tainting register."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))
        untaintRegister(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintRegister(REG.AH)
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isRegisterTainted(REG.EAX))
        self.assertTrue(isRegisterTainted(REG.AX))

        untaintRegister(REG.AH)
        self.assertFalse(isRegisterTainted(REG.RAX))
        self.assertFalse(isRegisterTainted(REG.EAX))
        self.assertFalse(isRegisterTainted(REG.AX))
Exemple #34
0
    def test_taint_assignement_register_memory(self):
        """Check tainting assignment register <- memory."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x2000, 8))
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintMemory(MemoryAccess(0x2000, 8))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))

        taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x2000, 8))
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x3000, 8))
        self.assertFalse(isRegisterTainted(REG.RAX))
Exemple #35
0
    def test_taint_register(self):
        """Check over tainting register."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))
        untaintRegister(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintRegister(REG.AH)
        self.assertTrue(isRegisterTainted(REG.RAX))
        self.assertTrue(isRegisterTainted(REG.EAX))
        self.assertTrue(isRegisterTainted(REG.AX))

        untaintRegister(REG.AH)
        self.assertFalse(isRegisterTainted(REG.RAX))
        self.assertFalse(isRegisterTainted(REG.EAX))
        self.assertFalse(isRegisterTainted(REG.AX))
Exemple #36
0
    def test_mov_xmm_to_memory(self):
        """Check move and xmm register to memory do not crash."""
        setArchitecture(ARCH.X86_64)

        # movhpd QWORD PTR [rax], xmm1
        processing(Instruction("\x66\x0F\x17\x08"))
        # movhpd xmm1, QWORD PTR [rax]
        processing(Instruction("\x66\x0F\x16\x08"))
        # movhps QWORD PTR [rax], xmm1
        processing(Instruction("\x0F\x17\x08"))
        # movhps xmm1, QWORD PTR [rax]
        processing(Instruction("\x0F\x16\x08"))
        # movlpd QWORD PTR [rax], xmm1
        processing(Instruction("\x66\x0F\x13\x08"))
        # movlpd xmm1, QWORD PTR [rax]
        processing(Instruction("\x66\x0F\x12\x08"))
        # movlps QWORD PTR [rax], xmm1
        processing(Instruction("\x0F\x13\x08"))
        # movlps xmm1, QWORD PTR [rax]
        processing(Instruction("\x0F\x12\x08"))
Exemple #37
0
    def test_urem(self):
        code = [
            "\xbf\xAB\x00\x00\x00",  # mov   edi, 0xAB
            "\xf7\xff",  # idiv  edi
            "\x83\xfa\x00"  # cmp   edx, 0x00
        ]

        TT.setArchitecture(TT.ARCH.X86_64)

        rax = TT.convertRegisterToSymbolicVariable(TT.REG.RAX)
        rax = tritonast2arybo(TAst.variable(rax))
        rdx = TT.convertRegisterToSymbolicVariable(TT.REG.RDX)
        rdx = tritonast2arybo(TAst.variable(rdx))

        for opcodes in code:
            inst = TT.Instruction(opcodes)
            TT.processing(inst)

        exprs = TT.sliceExpressions(TT.getSymbolicRegisters()[TT.REG.RDX])
        e = tritonexprs2arybo(exprs)
        to_llvm_function(e, [rax.v, rdx.v])
Exemple #38
0
    def test_taint_get_tainted_memory(self):
        """Get tainted memory"""
        setArchitecture(ARCH.X86_64)

        m = getTaintedMemory()
        self.assertTrue(len(m) == 0)

        taintMemory(0x1000)
        taintMemory(0x2000)
        taintMemory(0x3000)
        taintMemory(MemoryAccess(0x4000, 4))

        m = getTaintedMemory()
        self.assertTrue(0x1000 in m)
        self.assertTrue(0x2000 in m)
        self.assertTrue(0x3000 in m)
        self.assertTrue(0x4000 in m)
        self.assertTrue(0x4001 in m)
        self.assertTrue(0x4002 in m)
        self.assertTrue(0x4003 in m)
        self.assertFalse(0x5000 in m)
Exemple #39
0
    def test_pop(self):
        """Check the pop instruction processing."""
        setArchitecture(ARCH.X86)

        # mov esp, 0x19fe00
        inst1 = Instruction('\xBC\x00\xFE\x19\x00')
        # mov edi, 0x19fe00
        inst2 = Instruction('\xBF\x00\xFE\x19\x00')
        # mov dword ptr [esp], 0x11111111
        inst3 = Instruction('\xC7\x04\x24\x11\x11\x11\x11')
        # pop dword ptr [edi]
        inst4 = Instruction('\x8F\x07')
        processing(inst1)
        processing(inst2)
        processing(inst3)
        processing(inst4)

        self.assertEqual(inst4.getOperands()[0].getAddress(), 0x19fe00, "poping edi doesn't change it")
        self.assertEqual(inst4.getOperands()[0].getConcreteValue(), 0x11111111, "pointed value in edi is the previously pointed value by esp")
        self.assertEqual(inst4.getStoreAccess()[0][0].getAddress(), 0x19fe00, "inst4 store the new value in 0x19fe00 (edi value)")
        self.assertEqual(inst4.getStoreAccess()[0][1].evaluate(), 0x11111111, "The stored value is 0x11111111")
Exemple #40
0
    def test_taint_get_tainted_memory(self):
        """Get tainted memory"""
        setArchitecture(ARCH.X86_64)

        m = getTaintedMemory()
        self.assertTrue(len(m) == 0)

        taintMemory(0x1000)
        taintMemory(0x2000)
        taintMemory(0x3000)
        taintMemory(MemoryAccess(0x4000, 4))

        m = getTaintedMemory()
        self.assertTrue(0x1000 in m)
        self.assertTrue(0x2000 in m)
        self.assertTrue(0x3000 in m)
        self.assertTrue(0x4000 in m)
        self.assertTrue(0x4001 in m)
        self.assertTrue(0x4002 in m)
        self.assertTrue(0x4003 in m)
        self.assertFalse(0x5000 in m)
Exemple #41
0
    def test_taint_assignement_memory_immediate(self):
        """Check tainting assignment memory <- immediate."""
        setArchitecture(ARCH.X86_64)

        taintMemory(0x1000)
        self.assertTrue(isMemoryTainted(0x1000))

        taintAssignmentMemoryImmediate(MemoryAccess(0x1000, 1))
        self.assertFalse(isMemoryTainted(0x1000))

        taintMemory(0x1000)
        self.assertTrue(isMemoryTainted(0x1000))

        taintAssignmentMemoryImmediate(MemoryAccess(0x0fff, 2))
        self.assertFalse(isMemoryTainted(0x1000))

        taintMemory(0x1000)
        self.assertTrue(isMemoryTainted(0x1000))

        taintAssignmentMemoryImmediate(MemoryAccess(0x0ffe, 2))
        self.assertTrue(isMemoryTainted(0x1000))

        taintMemory(MemoryAccess(0x1000, 4))
        self.assertTrue(isMemoryTainted(0x1000))
        self.assertTrue(isMemoryTainted(0x1001))
        self.assertTrue(isMemoryTainted(0x1002))
        self.assertTrue(isMemoryTainted(0x1003))
        self.assertFalse(isMemoryTainted(0x1004))

        taintAssignmentMemoryImmediate(MemoryAccess(0x1001, 1))
        self.assertTrue(isMemoryTainted(0x1000))
        self.assertFalse(isMemoryTainted(0x1001))
        self.assertTrue(isMemoryTainted(0x1002))
        self.assertTrue(isMemoryTainted(0x1003))

        taintAssignmentMemoryImmediate(MemoryAccess(0x1000, 4))
        self.assertFalse(isMemoryTainted(0x1000))
        self.assertFalse(isMemoryTainted(0x1001))
        self.assertFalse(isMemoryTainted(0x1002))
        self.assertFalse(isMemoryTainted(0x1003))
Exemple #42
0
    def test_taint_assignement_memory_immediate(self):
        """Check tainting assignment memory <- immediate."""
        setArchitecture(ARCH.X86_64)

        taintMemory(0x1000)
        self.assertTrue(isMemoryTainted(0x1000))

        taintAssignmentMemoryImmediate(MemoryAccess(0x1000, 1))
        self.assertFalse(isMemoryTainted(0x1000))

        taintMemory(0x1000)
        self.assertTrue(isMemoryTainted(0x1000))

        taintAssignmentMemoryImmediate(MemoryAccess(0x0fff, 2))
        self.assertFalse(isMemoryTainted(0x1000))

        taintMemory(0x1000)
        self.assertTrue(isMemoryTainted(0x1000))

        taintAssignmentMemoryImmediate(MemoryAccess(0x0ffe, 2))
        self.assertTrue(isMemoryTainted(0x1000))

        taintMemory(MemoryAccess(0x1000, 4))
        self.assertTrue(isMemoryTainted(0x1000))
        self.assertTrue(isMemoryTainted(0x1001))
        self.assertTrue(isMemoryTainted(0x1002))
        self.assertTrue(isMemoryTainted(0x1003))
        self.assertFalse(isMemoryTainted(0x1004))

        taintAssignmentMemoryImmediate(MemoryAccess(0x1001, 1))
        self.assertTrue(isMemoryTainted(0x1000))
        self.assertFalse(isMemoryTainted(0x1001))
        self.assertTrue(isMemoryTainted(0x1002))
        self.assertTrue(isMemoryTainted(0x1003))

        taintAssignmentMemoryImmediate(MemoryAccess(0x1000, 4))
        self.assertFalse(isMemoryTainted(0x1000))
        self.assertFalse(isMemoryTainted(0x1001))
        self.assertFalse(isMemoryTainted(0x1002))
        self.assertFalse(isMemoryTainted(0x1003))
Exemple #43
0
    def test_taint_assignement_register_register(self):
        """Check tainting assignment register <- register."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintAssignmentRegisterRegister(REG.RAX, REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        untaintRegister(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))
        taintAssignmentRegisterRegister(REG.RAX, REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))

        self.assertFalse(isRegisterTainted(REG.RBX))
        taintRegister(REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RBX))

        taintAssignmentRegisterRegister(REG.RAX, REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RAX))
Exemple #44
0
    def test_taint_assignement_register_register(self):
        """Check tainting assignment register <- register."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isRegisterTainted(REG.RAX))
        taintRegister(REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        taintAssignmentRegisterRegister(REG.RAX, REG.RAX)
        self.assertTrue(isRegisterTainted(REG.RAX))

        untaintRegister(REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))
        taintAssignmentRegisterRegister(REG.RAX, REG.RAX)
        self.assertFalse(isRegisterTainted(REG.RAX))

        self.assertFalse(isRegisterTainted(REG.RBX))
        taintRegister(REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RBX))

        taintAssignmentRegisterRegister(REG.RAX, REG.RBX)
        self.assertTrue(isRegisterTainted(REG.RAX))
Exemple #45
0
    def test_taint_union_memory_register(self):
        """Check tainting union memory U register."""
        setArchitecture(ARCH.X86_64)

        taintMemory(MemoryAccess(0x2000, 4))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))

        taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isRegisterTainted(REG.RAX))

        untaintMemory(MemoryAccess(0x2000, 4))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintRegister(REG.RAX)
        taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertTrue(isRegisterTainted(REG.RAX))
Exemple #46
0
    def test_taint_union_memory_register(self):
        """Check tainting union memory U register."""
        setArchitecture(ARCH.X86_64)

        taintMemory(MemoryAccess(0x2000, 4))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))

        taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isRegisterTainted(REG.RAX))

        untaintMemory(MemoryAccess(0x2000, 4))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isRegisterTainted(REG.RAX))

        taintRegister(REG.RAX)
        taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertTrue(isRegisterTainted(REG.RAX))
Exemple #47
0
    def test_taint_memory(self):
        """Check tainting memory."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isMemoryTainted(0x1000))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))

        taintMemory(0x1000)
        taintMemory(MemoryAccess(0x2000, 4))

        self.assertTrue(isMemoryTainted(0x1000))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 2)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2002, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2003, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2002, 2)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2003, 2)))

        self.assertFalse(isMemoryTainted(MemoryAccess(0x1fff, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2004, 1)))
        self.assertFalse(isMemoryTainted(0x1001))
        self.assertFalse(isMemoryTainted(0x0fff))

        untaintMemory(0x1000)
        untaintMemory(MemoryAccess(0x2000, 4))

        self.assertFalse(isMemoryTainted(0x1000))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 2)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 2)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 2)))
Exemple #48
0
    def test_taint_memory(self):
        """Check tainting memory."""
        setArchitecture(ARCH.X86_64)

        self.assertFalse(isMemoryTainted(0x1000))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))

        taintMemory(0x1000)
        taintMemory(MemoryAccess(0x2000, 4))

        self.assertTrue(isMemoryTainted(0x1000))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 2)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2002, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2003, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2002, 2)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2003, 2)))

        self.assertFalse(isMemoryTainted(MemoryAccess(0x1fff, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2004, 1)))
        self.assertFalse(isMemoryTainted(0x1001))
        self.assertFalse(isMemoryTainted(0x0fff))

        untaintMemory(0x1000)
        untaintMemory(MemoryAccess(0x2000, 4))

        self.assertFalse(isMemoryTainted(0x1000))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 2)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 2)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 2)))
Exemple #49
0
    def test_taint_assignement_memory_memory(self):
        """Check tainting assignment memory <- memory."""
        setArchitecture(ARCH.X86_64)

        taintMemory(MemoryAccess(0x2000, 1))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))

        taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1), MemoryAccess(0x2000, 1))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x1000, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))

        taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1), MemoryAccess(0x3000, 1))
        taintAssignmentMemoryMemory(MemoryAccess(0x2000, 1), MemoryAccess(0x3000, 1))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x1000, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))

        taintMemory(MemoryAccess(0x2000, 4))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))

        taintAssignmentMemoryMemory(MemoryAccess(0x2001, 2), MemoryAccess(0x3000, 1))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
        self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
Exemple #50
0
 def setUp(self):
     """Define the arch and modes."""
     setArchitecture(ARCH.X86_64)
     enableMode(MODE.ALIGNED_MEMORY, True)
     enableMode(MODE.AST_DICTIONARIES, True)
     super(TestSymboliqueEngineAlignedAst, self).setUp()
Exemple #51
0
 def setUp(self):
     """Define the arch and modes."""
     setArchitecture(ARCH.X86_64)
     enableMode(MODE.AST_DICTIONARIES, True)
     super(TestSymboliqueEngineConcreteAst, self).setUp()
Exemple #52
0
 def setUp(self):
     """Define the architecture and memory access to check."""
     setArchitecture(ARCH.X86_64)
     self.mem = MemoryAccess(0x400f4d3, 8, 0x6162636465666768)
Exemple #53
0
import triton as TT
from arybo.tools import triton2arybo

TT.setArchitecture(TT.ARCH.X86_64)

TT.convertRegisterToSymbolicVariable(TT.REG.RAX)
TT.convertRegisterToSymbolicVariable(TT.REG.RBX)

inst = TT.Instruction()
inst.setOpcodes("\x48\x31\xd8")  # xor rax, rbx
TT.processing(inst)

rax_ast = TT.buildSymbolicRegister(TT.REG.RAX)
rax_ast = TT.getFullAst(rax_ast)
print(rax_ast)

e = triton2arybo(rax_ast)
print(e)