def test_AND_1(self): ''' Instruction AND Groups: 0x7ffff7de390a: and rax, 0xfc000000 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de390a] = '\x48' mem[0x7ffff7de390b] = '\x25' mem[0x7ffff7de390c] = '\x00' mem[0x7ffff7de390d] = '\x00' mem[0x7ffff7de390e] = '\x00' mem[0x7ffff7de390f] = '\xfc' cpu.PF = True cpu.RAX = 0x7ffff7ff7658 cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de390a cpu.SF = False cpu.execute() self.assertEqual(mem[0x7ffff7de390a], b'\x48') self.assertEqual(mem[0x7ffff7de390b], b'\x25') self.assertEqual(mem[0x7ffff7de390c], b'\x00') self.assertEqual(mem[0x7ffff7de390d], b'\x00') self.assertEqual(mem[0x7ffff7de390e], b'\x00') self.assertEqual(mem[0x7ffff7de390f], b'\xfc') self.assertEqual(cpu.PF, True) self.assertEqual(cpu.RAX, 0x7ffff4000000) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 0x7ffff7de3910) self.assertEqual(cpu.SF, False)
def test_DEC_1(self): ''' Instruction DEC_1 Groups: mode64 0x41e10a: dec ecx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0041e000, 0x1000, 'rwx') mem[0x0041e10a] = '\xff' mem[0x0041e10b] = '\xc9' cpu.AF = False cpu.OF = False cpu.ZF = False cpu.RIP = 0x41e10a cpu.PF = False cpu.SF = False cpu.ECX = 0xd cpu.execute() self.assertItemsEqual(mem[0x41e10a:0x41e10c], to_bytelist(b'\xff\xc9')) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RIP, 4317452) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) self.assertEqual(cpu.ECX, 12)
def test_cache_004(self): import random cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) #alloc/map a little mem addr = mem.mmap(0x1000, 0x1000, 'rwx') self.assertEqual(addr, 0x1000) memory = bytearray(0x1000) written = set() for _ in range(1000): address = random.randint(0x1000,0x2000-8) [written.add(i) for i in range(address,address+8)] value = random.randint(0x0,0xffffffffffffffff) memory[address-0x1000:address-0x1000+8] = list(struct.pack('<Q',value)) cpu.write_int(address, value, 64) if random.randint(0,10) > 5: cpu.read_int(random.randint(0x1000,0x2000-8), random.choice([8,16,32,64])) written = list(written) random.shuffle(written) for address in written: size = random.choice([8,16,32,64]) if address > 0x2000-(size // 8): continue pattern = {8:'B', 16:'<H', 32:'<L', 64:'<Q'} [size] start = address - 0x1000 self.assertEqual(cpu.read_int(address, size), struct.unpack(pattern, bytes(memory[start:start + (size // 8)]))[0])
def test_cache_005(self): cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) #alloc/map a little mem addr = mem.mmap(0x1000, 0x1000, 'rwx') self.assertEqual(addr, 0x1000) self.assertRaises(Exception, cpu.write_int, 0x1000-1, 0x414243445464748, 64) self.assertRaises(Exception, cpu.write_int, 0x2000-7, 0x414243445464748, 64) self.assertRaises(Exception, cpu.read_int, 0x1000-1, 0x414243445464748, 64) self.assertRaises(Exception, cpu.read_int, 0x2000-7, 0x414243445464748, 64) #alloc/map a little mem addr = mem.mmap(0x7000, 0x1000, 'r') self.assertEqual(addr, 0x7000) self.assertRaises(Exception, cpu.write_int, 0x7000-1, 0x414243445464748, 64) self.assertRaises(Exception, cpu.write_int, 0x8000-7, 0x414243445464748, 64) self.assertRaises(Exception, cpu.read_int, 0x7000-1, 0x414243445464748, 64) self.assertRaises(Exception, cpu.read_int, 0x8000-7, 0x414243445464748, 64) self.assertRaises(Exception, cpu.write_int, 0x7100, 0x414243445464748, 64) #alloc/map a little mem addr = mem.mmap(0xf000, 0x1000, 'w') self.assertEqual(addr, 0xf000) self.assertRaises(Exception, cpu.write_int, 0xf000-1, 0x414243445464748, 64) self.assertRaises(Exception, cpu.write_int, 0x10000-7, 0x414243445464748, 64) self.assertRaises(Exception, cpu.read_int, 0xf000-1, 0x414243445464748, 64) self.assertRaises(Exception, cpu.read_int, 0x10000-7, 0x414243445464748, 64) self.assertRaises(Exception, cpu.read_int, 0xf100, 0x414243445464748, 64)
def test_cache_001(self): cs = ConstraintSet() mem = SMemory64(ConstraintSet()) cpu = AMD64Cpu(mem) mem.mmap(0x1000,0x1000,'rwx') cpu.write_int(0x1000, 0x4142434445464748, 64) #print cpu.mem_cache cpu.write_int(0x1004, 0x5152535455565758, 64) #print cpu.mem_cache cpu.write_int(0x1008, 0x6162636465666768, 64) #print cpu.mem_cache #print hex(cpu.read_int(0x1000,32)) #print hex(cpu.read_int(0x1000,32)) #print hex(cpu.read_int(0x1000,32)) #print hex(cpu.read_int(0x1000,32)) #print hex(cpu.read_int(0x1000,32)) self.assertEqual(cpu.read_int(0x1000,32), 0x45464748) cpu.write_int( 0x1000, 0x45464748,32) self.assertEqual(cpu.read_int(0x1000,32), 0x45464748) self.assertEqual(cpu.read_int(0x1004,32), 0x55565758) self.assertEqual(cpu.read_int(0x1008,32), 0x65666768) self.assertEqual(cpu.read_int(0x1008,64), 0x6162636465666768) self.assertEqual(cpu.read_int(0x1000,64), 0x5556575845464748) #cpu.writeback() for i in range(0x10): self.assertEqual(mem[i+0x1000], b'HGFEXWVUhgfedcba'[i:i+1]) self.assertEqual(mem.read(0x1000,0x10), to_bytelist(b'HGFEXWVUhgfedcba'))
def test_le_or(self): cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x1000,0x1000,'rwx') cpu.write_int(0x1000, 0x4142434445464748, 64) cpu.write_int(0x1000, cpu.read_int(0x1000, 32) | 0, 32) addr1 = cs.new_bitvec(64) cs.add(addr1 == 0x1004) cpu.write_int(addr1, 0x58, 8) self.assertEqual(cpu.read_int(0x1000,32), 0x45464748) addr1 = cs.new_bitvec(64) cs.add(addr1 == 0x1000) cpu.write_int(addr1, 0x59, 8) solutions = solver.get_all_values(cs, cpu.read_int(0x1000,32)) self.assertEqual(len(solutions), 1) self.assertEqual(solutions[0], 0x45464759) cpu.write_int(0x1000, cpu.read_int(0x1000,32) | 0, 32) cpu.write_int(0x1000, cpu.read_int(0x1000,32) | 0, 32) cpu.write_int(0x1000, cpu.read_int(0x1000,32) | 0, 32) solutions = solver.get_all_values(cs, cpu.read_int(0x1000,32)) self.assertEqual(len(solutions), 1) self.assertEqual(solutions[0], 0x45464759)
def test_DEC_1(self): """ Instruction DEC_1 Groups: mode64 0x41e10a: dec ecx """ mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0041E000, 0x1000, "rwx") mem[0x0041E10A] = "\xff" mem[0x0041E10B] = "\xc9" cpu.AF = False cpu.OF = False cpu.ZF = False cpu.RIP = 0x41E10A cpu.PF = False cpu.SF = False cpu.ECX = 0xD cpu.execute() self.assertItemsEqual(mem[0x41E10A:0x41E10C], to_bytelist(b"\xff\xc9")) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RIP, 4317452) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) self.assertEqual(cpu.ECX, 12)
def test_AND_1(self): """ Instruction AND Groups: 0x7ffff7de390a: and rax, 0xfc000000 """ mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7FFFF7DE3000, 0x1000, "rwx") mem[0x7FFFF7DE390A] = "\x48" mem[0x7FFFF7DE390B] = "\x25" mem[0x7FFFF7DE390C] = "\x00" mem[0x7FFFF7DE390D] = "\x00" mem[0x7FFFF7DE390E] = "\x00" mem[0x7FFFF7DE390F] = "\xfc" cpu.PF = True cpu.RAX = 0x7FFFF7FF7658 cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7FFFF7DE390A cpu.SF = False cpu.execute() self.assertEqual(mem[0x7FFFF7DE390A], b"\x48") self.assertEqual(mem[0x7FFFF7DE390B], b"\x25") self.assertEqual(mem[0x7FFFF7DE390C], b"\x00") self.assertEqual(mem[0x7FFFF7DE390D], b"\x00") self.assertEqual(mem[0x7FFFF7DE390E], b"\x00") self.assertEqual(mem[0x7FFFF7DE390F], b"\xfc") self.assertEqual(cpu.PF, True) self.assertEqual(cpu.RAX, 0x7FFFF4000000) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 0x7FFFF7DE3910) self.assertEqual(cpu.SF, False)
def setUp(self): mem32 = SMemory32(ConstraintSet()) mem32.mmap(0x1000, 0x1000, 'rw ') mem64 = SMemory64(ConstraintSet()) mem64.mmap(0x1000, 0x1000, 'rw ') self._cpu_arm = Armv7Cpu(mem32) self._cpu_arm.SP = 0x1080 self._cpu_arm.func_abi = Armv7CdeclAbi(self._cpu_arm) self._cpu_arm.syscall_abi = Armv7LinuxSyscallAbi(self._cpu_arm) self._cpu_x86 = I386Cpu(mem32) self._cpu_x86.ESP = 0x1080 self._cpu_x86.func_abi = I386CdeclAbi(self._cpu_x86) self._cpu_x86.syscall_abi = I386LinuxSyscallAbi(self._cpu_x86) self._cpu_x64 = AMD64Cpu(mem64) self._cpu_x64.RSP = 0x1080 self._cpu_x64.func_abi = SystemVAbi(self._cpu_x64) self._cpu_x64.syscall_abi = AMD64LinuxSyscallAbi(self._cpu_x64) def write(mem, where, val, size): mem[where:where + size // 8] = [ Operators.CHR(Operators.EXTRACT(val, offset, 8)) for offset in range(0, size, 8) ] for val in range(0, 0x100, 4): write(mem32, 0x1000 + val, val, 32) for val in range(0, 0x100, 8): write(mem64, 0x1000 + val, val, 64)
def test_cache_003(self): cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) # alloc/map a little mem addr = mem.mmap(0x1000, 0x1000, "rwx") self.assertEqual(addr, 0x1000) cpu.write_int(0x1000, 0x4142434445464748, 64) cpu.write_int(0x1008, 0x6162636465666768, 64) self.assertEqual(cpu.read_int(0x1000, 64), 0x4142434445464748) self.assertEqual(cpu.read_int(0x1008, 64), 0x6162636465666768) for i in range(8): self.assertEqual(cpu.read_int(0x1000 + i, 8), ord("HGFEDCBA"[i])) for i in range(8): self.assertEqual(cpu.read_int(0x1008 + i, 8), ord("hgfedcba"[i])) addr1 = cs.new_bitvec(64) cs.add(addr1 == 0x1004) cpu.write_int(addr1, 0x58, 8) # 48 47 46 45 58 43 42 41 68 67 66 65 64 63 62 61 value = cpu.read_int(0x1004, 16) self.assertItemsEqual(solver.get_all_values(cs, value), [0x4358]) addr2 = cs.new_bitvec(64) cs.add(Operators.AND(addr2 >= 0x1000, addr2 <= 0x100C)) cpu.write_int(addr2, 0x5959, 16) solutions = solver.get_all_values(cs, cpu.read_int(addr2, 32)) self.assertEqual(len(solutions), 0x100C - 0x1000 + 1) self.assertEqual( set(solutions), set( [ 0x45465959, 0x41425959, 0x58455959, 0x65665959, 0x67685959, 0x43585959, 0x68415959, 0x42435959, 0x66675959, 0x62635959, 0x64655959, 0x63645959, 0x61625959, ] ), )
def test_cache_002(self): cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) #alloc/map a little mem addr = mem.mmap(0x1000, 0x1000, 'rwx') self.assertEqual(addr, 0x1000) cpu.write_int(0x1000, 0x4142434445464748, 64) cpu.write_int(0x1004, 0x5152535455565758, 64) cpu.write_int(0x1008, 0x6162636465666768, 64) self.assertEqual(cpu.read_int(0x1000,32), 0x45464748) self.assertEqual(cpu.read_int(0x1004,32), 0x55565758) self.assertEqual(cpu.read_int(0x1008,32), 0x65666768) self.assertEqual(cpu.read_int(0x1008,64), 0x6162636465666768) self.assertEqual(cpu.read_int(0x1000,64), 0x5556575845464748) #cpu.writeback() for i in range(0x10): self.assertEqual(mem[i+0x1000], b'HGFEXWVUhgfedcba'[i:i+1])