def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.getAddress() == 0x400572:
rsiId = getRegSymbolicID(IDREF.REG.RSI)
convertExprToSymVar(rsiId, 64)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.getAddress() == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getFullExpression(getSymExpr(raxId).getAst())
# We want printable characters
expr = smt2lib.compound([
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_0'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_0'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_1'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_1'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_2'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_2'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_3'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_3'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_4'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_4'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64))) # collision: (assert (= rax 0xad6d)
])
# Get max 20 different models
models = getModels(expr, 20)
for model in models:
print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.getAddress() == 0x400572:
convertRegToSymVar(IDREF.REG.RSI, IDREF.CPUSIZE.QWORD_BIT)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.getAddress() == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getFullExpression(getSymExpr(raxId).getAst())
# We want printable characters
expr = smt2lib.compound([
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_0'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_0'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_1'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_1'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_2'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_2'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_3'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_3'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_4'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_4'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.equal(raxExpr,
smt2lib.bv(0xad6d, IDREF.CPUSIZE.QWORD_BIT))
) # collision: (assert (= rax 0xad6d)
])
# Get max 20 different models
models = getModels(expr, 20)
for model in models:
print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
def cafter(instruction):
print '%#x: %s' %(instruction.address, instruction.assembly)
# [R:1] 0x400798: movsx eax, byte ptr [rcx+rax*1] R:0x7fffb63d610a: 41 (0x41)
# [W:8] 0x40079c: mov qword ptr [rbp-0x50], rax W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
# [R:8] 0x400891: mov rax, qword ptr [rbp-0x50] R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
if instruction.address == 0x400891:
raxId = getRegSymbolicID(IDREF.REG.RAX)
convertExprToSymVar(raxId, 64)
if instruction.address == 0x400b69:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getFullExpression(getSymExpr(zfId).ast)
expr = smt2lib.compound([
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.string('SymVar_0'), smt2lib.bv(96, 64))), # printable char
smt2lib.smtAssert(smt2lib.bvult(smt2lib.string('SymVar_0'), smt2lib.bv(123, 64))), # printable char
smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf true)
])
print getModel(expr)
return
def cbefore(instruction):
if instruction.getAddress() == TritonExecution.entryPoint:
TritonExecution.AddrAfterEP = instruction.getNextAddress()
if instruction.getAddress() == TritonExecution.AddrAfterEP:
TritonExecution.myPC = [] # Reset the path constraint
TritonExecution.input = TritonExecution.worklist.pop(
) # Take the first input
TritonExecution.inputTested.append(
TritonExecution.input) # Add this input to the tested input
return
if instruction.getAddress(
) == TritonExecution.entryPoint and not isSnapshotEnabled():
print "[+] Take Snapshot"
takeSnapshot()
return
if instruction.isBranch() and instruction.getRoutineName(
) in TritonExecution.whitelist:
addr1 = instruction.getNextAddress(
) # next address next from the current one
addr2 = instruction.getOperands()[0].getImm().getValue(
) # Address in the instruction condition (branch taken)
ripId = getRegSymbolicID(
IDREF.REG.RIP
) # Get the reference of the RIP symbolic register
# [PC id, address taken, address not taken]
if instruction.isBranchTaken():
TritonExecution.myPC.append([ripId, addr2, addr1])
else:
TritonExecution.myPC.append([ripId, addr1, addr2])
return
if instruction.getAddress() == TritonExecution.exitPoint:
print "[+] Exit point"
# SAGE algorithm
# http://research.microsoft.com/en-us/um/people/pg/public_psfiles/ndss2008.pdf
for j in range(TritonExecution.input.bound,
len(TritonExecution.myPC)):
expr = []
for i in range(0, j):
ripId = TritonExecution.myPC[i][0]
symExp = getFullExpression(getSymExpr(ripId).getAst())
addr = TritonExecution.myPC[i][1]
expr.append(
smt2lib.smtAssert(
smt2lib.equal(
symExp,
smt2lib.bv(addr, IDREF.CPUSIZE.QWORD_BIT))))
ripId = TritonExecution.myPC[j][0]
symExp = getFullExpression(getSymExpr(ripId).getAst())
addr = TritonExecution.myPC[j][2]
expr.append(
smt2lib.smtAssert(
smt2lib.equal(
symExp, smt2lib.bv(addr,
IDREF.CPUSIZE.QWORD_BIT))))
expr = smt2lib.compound(expr)
model = getModel(expr)
if len(model) > 0:
newInput = deepcopy(TritonExecution.input)
newInput.setBound(j + 1)
for k, v in model.items():
symVar = getSymVar(k)
newInput.addDataAddress(symVar.getKindValue(), v)
print newInput.dataAddr
isPresent = False
for inp in TritonExecution.worklist:
if inp.dataAddr == newInput.dataAddr:
isPresent = True
break
if not isPresent:
TritonExecution.worklist.append(newInput)
# If there is input to test in the worklist, we restore the snapshot
if len(TritonExecution.worklist) > 0 and isSnapshotEnabled():
print "[+] Restore snapshot"
restoreSnapshot()
return
return
def cbefore(instruction):
if instruction.getAddress() == TritonExecution.entryPoint:
TritonExecution.AddrAfterEP = instruction.getNextAddress()
if instruction.getAddress() == TritonExecution.AddrAfterEP:
TritonExecution.myPC = [] # Reset the path constraint
TritonExecution.input = TritonExecution.worklist.pop() # Take the first input
TritonExecution.inputTested.append(TritonExecution.input) # Add this input to the tested input
return
if instruction.getAddress() == TritonExecution.entryPoint and not isSnapshotEnabled():
print "[+] Take Snapshot"
takeSnapshot()
return
if getRoutineName(instruction.getAddress()) in TritonExecution.whitelist and instruction.isBranch() and instruction.getType() != OPCODE.JMP and instruction.getOperands()[0].getType() == OPERAND.IMM:
addr1 = instruction.getNextAddress() # next address next from the current one
addr2 = instruction.getOperands()[0].getValue() # Address in the instruction condition (branch taken)
ripId = getSymbolicRegisterId(REG.RIP) # Get the reference of the RIP symbolic register
# [PC id, address taken, address not taken]
if instruction.isConditionTaken():
TritonExecution.myPC.append([ripId, addr2, addr1])
else:
TritonExecution.myPC.append([ripId, addr1, addr2])
return
if instruction.getAddress() == TritonExecution.exitPoint:
print "[+] Exit point"
# SAGE algorithm
# http://research.microsoft.com/en-us/um/people/pg/public_psfiles/ndss2008.pdf
for j in range(TritonExecution.input.bound, len(TritonExecution.myPC)):
expr = []
for i in range(0,j):
ripId = TritonExecution.myPC[i][0]
symExp = getFullAst(getSymbolicExpressionFromId(ripId).getAst())
addr = TritonExecution.myPC[i][1]
expr.append(smt2lib.smtAssert(smt2lib.equal(symExp, smt2lib.bv(addr, CPUSIZE.QWORD_BIT))))
ripId = TritonExecution.myPC[j][0]
symExp = getFullAst(getSymbolicExpressionFromId(ripId).getAst())
addr = TritonExecution.myPC[j][2]
expr.append(smt2lib.smtAssert(smt2lib.equal(symExp, smt2lib.bv(addr, CPUSIZE.QWORD_BIT))))
expr = smt2lib.compound(expr)
model = getModel(expr)
if len(model) > 0:
newInput = deepcopy(TritonExecution.input)
newInput.setBound(j + 1)
for k,v in model.items():
symVar = getSymbolicVariableFromId(k)
newInput.addDataAddress(symVar.getKindValue(), v.getValue())
print newInput.dataAddr
isPresent = False
for inp in TritonExecution.worklist:
if inp.dataAddr == newInput.dataAddr:
isPresent = True
break
if not isPresent:
TritonExecution.worklist.append(newInput)
# If there is input to test in the worklist, we restore the snapshot
if len(TritonExecution.worklist) > 0 and isSnapshotEnabled():
print "[+] Restore snapshot"
restoreSnapshot()
return
return
