Esempio n. 1
0
def sbefore(instruction):
    concretizeAllMem()
    concretizeAllReg()
    for op in instruction.getOperands():
        if op.getType() == IDREF.OPERAND.MEM_R or op.getType(
        ) == IDREF.OPERAND.MEM_W:  # The instruction must have a memory access
            symId = getMemSymbolicID(op.getMem().getAddress())
            if symId == IDREF.MISC.UNSET:  # Case which wasn't handle
                addr = op.getMem().getAddress()
                if addr != 0:  # Check valid address
                    print instruction.getDisassembly(), "at", hex(addr)
                    print "Operand mem size:", op.getMem().getSize()
                    s = convertMemToSymVar(addr,
                                           op.getMem().getBitSize(),
                                           "test")  # convertMemToSymVar
                    print "New symbolic variable:"
                    print "[+] Comment:", s.getComment()
                    print "[+] Size: %d" % (s.getSize())
                    print "[+] Concrete value: 0x%x" % (s.getConcreteValue())
                    print "[+] Address: 0x%x" % (s.getKindValue())
                    memExpr = getFullExpression(
                        getSymExpr(getMemSymbolicID(
                            op.getMem().getAddress())).getAst())
                    expr = smt2lib.smtAssert(
                        smt2lib.equal(memExpr, smt2lib.bv(1, s.getSize())))
                    print expr
                    model = getModel(expr)
                    print model

    return
Esempio n. 2
0
def cafter(instruction):

    if instruction.address == 0x4005ae:
        zfId = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr = getBacktrackedSymExpr(zfId)
        expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
        print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction):
    if instruction.address == 0x4005ae:
        zfId    = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr  = getBacktrackedSymExpr(zfId)
        expr    = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
        models  = getModel(expr)
        global password
        for k, v in models.items():
            password.update({getMemoryFromSymVar(k): v})
    return
Esempio n. 4
0
def cafter(instruction):

    if instruction.address == 0x40058b:
        convertExprToSymVar(getRegSymbolicID(IDREF.REG.RAX), 4)

    if instruction.address == 0x4005ae:
        zfId = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr = getBacktrackedSymExpr(zfId)
        expr = smt2lib.smtAssert(smt2lib.equal(
            zfExpr, smt2lib.bvtrue()))  # (assert (= zf True))
        print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
Esempio n. 5
0
def cafter(instruction):

    print '%#x: %s' %(instruction.address, instruction.assembly)

    # [R:1]  0x400798: movsx eax, byte ptr [rcx+rax*1]  R:0x7fffb63d610a: 41 (0x41)
    # [W:8]  0x40079c: mov qword ptr [rbp-0x50], rax    W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
    # [R:8]  0x400891: mov rax, qword ptr [rbp-0x50]    R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
    if instruction.address == 0x400891:
        raxId = getRegSymbolicID(IDREF.REG.RAX)
        convertExprToSymVar(raxId, 8)

    if instruction.address == 0x400b69:
        zfId = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr = getBacktrackedSymExpr(zfId)
        expr = str()
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96, 64)))    # printable char
        expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64)))   # printable char
        expr += smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue()))          # (assert (= zf true)
        print getModel(expr)

    return
Esempio n. 6
0
def cafter(instruction):

    print '%#x: %s' % (instruction.address, instruction.assembly)

    # [R:1]  0x400798: movsx eax, byte ptr [rcx+rax*1]  R:0x7fffb63d610a: 41 (0x41)
    # [W:8]  0x40079c: mov qword ptr [rbp-0x50], rax    W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
    # [R:8]  0x400891: mov rax, qword ptr [rbp-0x50]    R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
    if instruction.address == 0x400891:
        raxId = getRegSymbolicID(IDREF.REG.RAX)
        convertExprToSymVar(raxId, 8)

    if instruction.address == 0x400b69:
        zfId = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr = getBacktrackedSymExpr(zfId)
        expr = str()
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(
            96, 64)))  # printable char
        expr += smt2lib.smtAssert(
            smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64)))  # printable char
        expr += smt2lib.smtAssert(smt2lib.equal(
            zfExpr, smt2lib.bvtrue()))  # (assert (= zf true)
        print getModel(expr)

    return
Esempio n. 7
0
def cafter(instruction):

    # [R:1]  0x400798: movsx eax, byte ptr [rcx+rax*1]  R:0x7fffb63d610a: 41 (0x41)
    # [W:8]  0x40079c: mov qword ptr [rbp-0x50], rax    W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
    # [R:8]  0x400891: mov rax, qword ptr [rbp-0x50]    R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
    if instruction.getAddress() == 0x400891:
        raxId = getRegSymbolicID(IDREF.REG.RAX)
        convertExprToSymVar(raxId, 64)

    if instruction.getAddress() == 0x400b69:
        zfId = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr = getFullExpression(getSymExpr(zfId).getAst())
        expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue()))
        print getModel(expr)

    return
Esempio n. 8
0
def cafter(instruction):
    
    print '%#x: %s' %(instruction.address, instruction.assembly)

    for se in instruction.symbolicElements:
        if se.isTainted == True:
            print '%s\t -> %s%s' %(_GREEN, se.expression, _ENDC)
        else:
            print '%s\t -> %s%s' %(_ENDC, se.expression, _ENDC)

    if instruction.address == 0x4011ed:
        raxId = getRegSymbolicID(IDREF.REG.RAX)
        raxExpr = getBacktrackedSymExpr(raxId)
        expr = smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0, 64))) # (assert (= rax 0)
        print expr
        print getModel(expr)
Esempio n. 9
0
def cafter(instruction):

    # 0x40058b: movzx eax, byte ptr [rax]
    if instruction.address == 0x40058b:
        convertRegToSymVar(IDREF.REG.RAX, 32)

    # 0x4005ae: cmp ecx, eax
    if instruction.address == 0x4005ae:
        zfId    = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr  = getFullExpression(getSymExpr(zfId).getAst())
        expr    = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
        models  = getModel(expr)
        global password
        for k, v in models.items():
            password.update({symVarMem: v})

    return
Esempio n. 10
0
def cafter(instruction):

    # 0x40058b: movzx eax, byte ptr [rax]
    if instruction.address == 0x40058b:
        convertRegToSymVar(IDREF.REG.RAX, 4)

    # 0x4005ae: cmp ecx, eax
    if instruction.address == 0x4005ae:
        zfId = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr = getBacktrackedSymExpr(zfId)
        expr = smt2lib.smtAssert(smt2lib.equal(
            zfExpr, smt2lib.bvtrue()))  # (assert (= zf True))
        models = getModel(expr)
        global password
        for k, v in models.items():
            password.update({symVarMem: v})

    return
Esempio n. 11
0
def cafter(instruction):

    # 0x40058b: movzx eax, byte ptr [rax]
    if instruction.getAddress() == 0x40058b:
        v = convertRegToSymVar(IDREF.REG.RAX, IDREF.CPUSIZE.DWORD_BIT)
        #print "Concrete value:\t%s\t%c" % (v, v.getConcreteValue())

    # 0x4005ae: cmp ecx, eax
    if instruction.getAddress() == 0x4005ae:
        zfId    = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr  = getFullExpression(getSymExpr(zfId).getAst())
        expr    = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
        models  = getModel(expr)
        global password
        for k, v in models.items():
            password.update({symVarMem: v})

    return
Esempio n. 12
0
def cafter(instruction):

    # 0x40058b: movzx eax, byte ptr [rax]
    if instruction.getAddress() == 0x40058b:
        v = convertRegToSymVar(IDREF.REG.RAX, IDREF.CPUSIZE.DWORD_BIT)
        #print "Concrete value:\t%s\t%c" % (v, v.getConcreteValue())

    # 0x4005ae: cmp ecx, eax
    if instruction.getAddress() == 0x4005ae:
        zfId = getRegSymbolicID(IDREF.FLAG.ZF)
        zfExpr = getFullExpression(getSymExpr(zfId).getAst())
        expr = smt2lib.smtAssert(smt2lib.equal(
            zfExpr, smt2lib.bvtrue()))  # (assert (= zf True))
        models = getModel(expr)
        global password
        for k, v in models.items():
            password.update({symVarMem: v})

    return
Esempio n. 13
0
def sbefore(instruction):
    concretizeAllMem()
    concretizeAllReg()
    for op in instruction.getOperands():
        if op.getType() == IDREF.OPERAND.MEM_R or op.getType() == IDREF.OPERAND.MEM_W: # The instruction must have a memory access
            symId = getMemSymbolicID(op.getMem().getAddress())
            if symId == IDREF.MISC.UNSET: # Case which wasn't handle
                addr = op.getMem().getAddress()
                if addr != 0: # Check valid address
                    print instruction.getDisassembly(), "at", hex(addr)
                    print "Operand mem size:", op.getMem().getSize()
                    s = convertMemToSymVar(addr, op.getMem().getSize(), "test") # convertMemToSymVar
                    print "New symbolic variable:"
                    print "[+] Comment:", s.getComment()
                    print "[+] Size: %d" % (s.getSize())
                    print "[+] Concrete value: 0x%x" % (s.getConcreteValue())
                    print "[+] Address: 0x%x" % (s.getKindValue())
                    memExpr = getFullExpression(getSymExpr(getMemSymbolicID(op.getMem().getAddress())).getAst())
                    expr = smt2lib.smtAssert(smt2lib.equal(memExpr, smt2lib.bv(1, s.getSize())))
                    print expr
                    model = getModel(expr)
                    print model

    return
Esempio n. 14
0
def cafter(instruction):

    # movzx esi,BYTE PTR [rax]
    # RAX points on the user password
    if instruction.address == 0x400572:
        rsiId = getRegSymbolicID(IDREF.REG.RSI)
        convertExprToSymVar(rsiId, 8)

    # mov eax,DWORD PTR [rbp-0x4]
    # RAX must be equal to 0xad6d to win
    if instruction.address == 0x4005c5:
        print '[+] Please wait, computing in progress...'
        raxId = getRegSymbolicID(IDREF.REG.RAX)
        raxExpr = getBacktrackedSymExpr(raxId)
        expr = str()

        # We want printable characters
        # (assert (bvsgt SymVar_0 96)
        # (assert (bvslt SymVar_0 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96,
                                                                       64)))
        expr += smt2lib.smtAssert(
            smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64)))

        # (assert (bvsgt SymVar_1 96)
        # (assert (bvslt SymVar_1 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_1', smt2lib.bv(96,
                                                                       64)))
        expr += smt2lib.smtAssert(
            smt2lib.bvult('SymVar_1', smt2lib.bv(123, 64)))

        # (assert (bvsgt SymVar_2 96)
        # (assert (bvslt SymVar_2 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_2', smt2lib.bv(96,
                                                                       64)))
        expr += smt2lib.smtAssert(
            smt2lib.bvult('SymVar_2', smt2lib.bv(123, 64)))

        # (assert (bvsgt SymVar_3 96)
        # (assert (bvslt SymVar_3 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_3', smt2lib.bv(96,
                                                                       64)))
        expr += smt2lib.smtAssert(
            smt2lib.bvult('SymVar_3', smt2lib.bv(123, 64)))

        # (assert (bvsgt SymVar_4 96)
        # (assert (bvslt SymVar_4 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_4', smt2lib.bv(96,
                                                                       64)))
        expr += smt2lib.smtAssert(
            smt2lib.bvult('SymVar_4', smt2lib.bv(123, 64)))

        # We want the collision
        # (assert (= rax 0xad6d)
        expr += smt2lib.smtAssert(
            smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64)))
        print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
Esempio n. 15
0
    def cbefore(instruction):
        if instruction.getAddress() == TritonExecution.entryPoint:
            TritonExecution.AddrAfterEP = instruction.getNextAddress()

        if instruction.getAddress() == TritonExecution.AddrAfterEP:
            TritonExecution.myPC = []  # Reset the path constraint
            TritonExecution.input = TritonExecution.worklist.pop(
            )  # Take the first input
            TritonExecution.inputTested.append(
                TritonExecution.input)  # Add this input to the tested input
            return

        if instruction.getAddress(
        ) == TritonExecution.entryPoint and not isSnapshotEnabled():
            print "[+] Take Snapshot"
            takeSnapshot()
            return

        if instruction.isBranch() and instruction.getRoutineName(
        ) in TritonExecution.whitelist:

            addr1 = instruction.getNextAddress(
            )  # next address next from the current one
            addr2 = instruction.getOperands()[0].getImm().getValue(
            )  # Address in the instruction condition (branch taken)

            ripId = getRegSymbolicID(
                IDREF.REG.RIP
            )  # Get the reference of the RIP symbolic register

            # [PC id, address taken, address not taken]
            if instruction.isBranchTaken():
                TritonExecution.myPC.append([ripId, addr2, addr1])
            else:
                TritonExecution.myPC.append([ripId, addr1, addr2])

            return

        if instruction.getAddress() == TritonExecution.exitPoint:
            print "[+] Exit point"

            # SAGE algorithm
            # http://research.microsoft.com/en-us/um/people/pg/public_psfiles/ndss2008.pdf
            for j in range(TritonExecution.input.bound,
                           len(TritonExecution.myPC)):
                expr = []
                for i in range(0, j):
                    ripId = TritonExecution.myPC[i][0]
                    symExp = getFullExpression(getSymExpr(ripId).getAst())
                    addr = TritonExecution.myPC[i][1]
                    expr.append(
                        smt2lib.smtAssert(
                            smt2lib.equal(
                                symExp,
                                smt2lib.bv(addr, IDREF.CPUSIZE.QWORD_BIT))))

                ripId = TritonExecution.myPC[j][0]
                symExp = getFullExpression(getSymExpr(ripId).getAst())
                addr = TritonExecution.myPC[j][2]
                expr.append(
                    smt2lib.smtAssert(
                        smt2lib.equal(
                            symExp, smt2lib.bv(addr,
                                               IDREF.CPUSIZE.QWORD_BIT))))

                expr = smt2lib.compound(expr)
                model = getModel(expr)

                if len(model) > 0:
                    newInput = deepcopy(TritonExecution.input)
                    newInput.setBound(j + 1)

                    for k, v in model.items():
                        symVar = getSymVar(k)
                        newInput.addDataAddress(symVar.getKindValue(), v)
                    print newInput.dataAddr

                    isPresent = False

                    for inp in TritonExecution.worklist:
                        if inp.dataAddr == newInput.dataAddr:
                            isPresent = True
                            break
                    if not isPresent:
                        TritonExecution.worklist.append(newInput)

            # If there is input to test in the worklist, we restore the snapshot
            if len(TritonExecution.worklist) > 0 and isSnapshotEnabled():
                print "[+] Restore snapshot"
                restoreSnapshot()
            return
        return
Esempio n. 16
0
def cafter(instruction):

    # movzx esi,BYTE PTR [rax]
    # RAX points on the user password
    if instruction.getAddress() == 0x400572:
        convertRegToSymVar(IDREF.REG.RSI, 64)

    # mov eax,DWORD PTR [rbp-0x4]
    # RAX must be equal to 0xad6d to win
    if instruction.getAddress() == 0x4005c5:
        print '[+] Please wait, computing in progress...'
        raxId = getRegSymbolicID(IDREF.REG.RAX)
        raxExpr = getFullExpression(getSymExpr(raxId).getAst())

        # We want printable characters
        expr = smt2lib.compound([
            smt2lib.smtAssert(
                smt2lib.bvugt(smt2lib.variable('SymVar_0'), smt2lib.bv(96,
                                                                       64))),
            smt2lib.smtAssert(
                smt2lib.bvult(smt2lib.variable('SymVar_0'),
                              smt2lib.bv(123, 64))),
            smt2lib.smtAssert(
                smt2lib.bvugt(smt2lib.variable('SymVar_1'), smt2lib.bv(96,
                                                                       64))),
            smt2lib.smtAssert(
                smt2lib.bvult(smt2lib.variable('SymVar_1'),
                              smt2lib.bv(123, 64))),
            smt2lib.smtAssert(
                smt2lib.bvugt(smt2lib.variable('SymVar_2'), smt2lib.bv(96,
                                                                       64))),
            smt2lib.smtAssert(
                smt2lib.bvult(smt2lib.variable('SymVar_2'),
                              smt2lib.bv(123, 64))),
            smt2lib.smtAssert(
                smt2lib.bvugt(smt2lib.variable('SymVar_3'), smt2lib.bv(96,
                                                                       64))),
            smt2lib.smtAssert(
                smt2lib.bvult(smt2lib.variable('SymVar_3'),
                              smt2lib.bv(123, 64))),
            smt2lib.smtAssert(
                smt2lib.bvugt(smt2lib.variable('SymVar_4'), smt2lib.bv(96,
                                                                       64))),
            smt2lib.smtAssert(
                smt2lib.bvult(smt2lib.variable('SymVar_4'),
                              smt2lib.bv(123, 64))),
            smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(
                0xad6d, 64)))  # collision: (assert (= rax 0xad6d)
        ])

        # Get max 20 different models
        models = getModels(expr, 20)
        for model in models:
            print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
Esempio n. 17
0
def cafter(instruction):

    # movzx esi,BYTE PTR [rax]
    # RAX points on the user password
    if instruction.getAddress() == 0x400572:
        rsiId = getRegSymbolicID(IDREF.REG.RSI)
        convertExprToSymVar(rsiId, 64)

    # mov eax,DWORD PTR [rbp-0x4]
    # RAX must be equal to 0xad6d to win
    if instruction.getAddress() == 0x4005c5:
        print '[+] Please wait, computing in progress...'
        raxId = getRegSymbolicID(IDREF.REG.RAX)
        raxExpr = getFullExpression(getSymExpr(raxId).getAst())

        # We want printable characters
        expr = smt2lib.compound([
                 smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_0'), smt2lib.bv(96,  64))),
                 smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_0'), smt2lib.bv(123, 64))),
                 smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_1'), smt2lib.bv(96,  64))),
                 smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_1'), smt2lib.bv(123, 64))),
                 smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_2'), smt2lib.bv(96,  64))),
                 smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_2'), smt2lib.bv(123, 64))),
                 smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_3'), smt2lib.bv(96,  64))),
                 smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_3'), smt2lib.bv(123, 64))),
                 smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_4'), smt2lib.bv(96,  64))),
                 smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_4'), smt2lib.bv(123, 64))),
                 smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64)))  # collision: (assert (= rax 0xad6d)
               ])

        # Get max 20 different models
        models = getModels(expr, 20)
        for model in models:
            print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
Esempio n. 18
0
def cafter(instruction):
    
    # movzx esi,BYTE PTR [rax]
    # RAX points on the user password
    if instruction.address == 0x400572:
        rsiId = getRegSymbolicID(IDREF.REG.RSI)
        convertExprToSymVar(rsiId, 8)

    # mov eax,DWORD PTR [rbp-0x4]
    # RAX must be equal to 0xad6d to win
    if instruction.address == 0x4005c5:
        print '[+] Please wait, computing in progress...'
        raxId = getRegSymbolicID(IDREF.REG.RAX)
        raxExpr = getBacktrackedSymExpr(raxId)
        expr = str()

        # We want printable characters
        # (assert (bvsgt SymVar_0 96)
        # (assert (bvslt SymVar_0 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96, 64)))
        expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64)))

        # (assert (bvsgt SymVar_1 96)
        # (assert (bvslt SymVar_1 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_1', smt2lib.bv(96, 64)))
        expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_1', smt2lib.bv(123, 64)))

        # (assert (bvsgt SymVar_2 96)
        # (assert (bvslt SymVar_2 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_2', smt2lib.bv(96, 64)))
        expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_2', smt2lib.bv(123, 64)))

        # (assert (bvsgt SymVar_3 96)
        # (assert (bvslt SymVar_3 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_3', smt2lib.bv(96, 64)))
        expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_3', smt2lib.bv(123, 64)))

        # (assert (bvsgt SymVar_4 96)
        # (assert (bvslt SymVar_4 123)
        expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_4', smt2lib.bv(96, 64)))
        expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_4', smt2lib.bv(123, 64)))

        # We want the collision
        # (assert (= rax 0xad6d)
        expr += smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64)))
        print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
Esempio n. 19
0
    def cbefore(instruction):
        if instruction.getAddress() == TritonExecution.entryPoint:
            TritonExecution.AddrAfterEP = instruction.getNextAddress()

        if instruction.getAddress() == TritonExecution.AddrAfterEP:
            TritonExecution.myPC = []                                  # Reset the path constraint
            TritonExecution.input = TritonExecution.worklist.pop()     # Take the first input
            TritonExecution.inputTested.append(TritonExecution.input)  # Add this input to the tested input
            return

        if instruction.getAddress() == TritonExecution.entryPoint and not isSnapshotEnabled():
            print "[+] Take Snapshot"
            takeSnapshot()
            return

        if getRoutineName(instruction.getAddress()) in TritonExecution.whitelist and instruction.isBranch() and instruction.getType() != OPCODE.JMP and instruction.getOperands()[0].getType() == OPERAND.IMM:
            addr1 = instruction.getNextAddress()              # next address next from the current one
            addr2 = instruction.getOperands()[0].getValue()   # Address in the instruction condition (branch taken)

            ripId = getSymbolicRegisterId(REG.RIP)            # Get the reference of the RIP symbolic register

            # [PC id, address taken, address not taken]
            if instruction.isConditionTaken():
                TritonExecution.myPC.append([ripId, addr2, addr1])
            else:
                TritonExecution.myPC.append([ripId, addr1, addr2])

            return

        if instruction.getAddress() == TritonExecution.exitPoint:
            print "[+] Exit point"

            # SAGE algorithm
            # http://research.microsoft.com/en-us/um/people/pg/public_psfiles/ndss2008.pdf
            for j in range(TritonExecution.input.bound, len(TritonExecution.myPC)):
                expr = []
                for i in range(0,j):
                    ripId = TritonExecution.myPC[i][0]
                    symExp = getFullAst(getSymbolicExpressionFromId(ripId).getAst())
                    addr = TritonExecution.myPC[i][1]
                    expr.append(smt2lib.smtAssert(smt2lib.equal(symExp, smt2lib.bv(addr,  CPUSIZE.QWORD_BIT))))

                ripId = TritonExecution.myPC[j][0]
                symExp = getFullAst(getSymbolicExpressionFromId(ripId).getAst())
                addr = TritonExecution.myPC[j][2]
                expr.append(smt2lib.smtAssert(smt2lib.equal(symExp, smt2lib.bv(addr,  CPUSIZE.QWORD_BIT))))

                expr = smt2lib.compound(expr)
                model = getModel(expr)

                if len(model) > 0:
                    newInput = deepcopy(TritonExecution.input)
                    newInput.setBound(j + 1)

                    for k,v in model.items():
                        symVar = getSymbolicVariableFromId(k)
                        newInput.addDataAddress(symVar.getKindValue(), v.getValue())
                    print newInput.dataAddr

                    isPresent = False

                    for inp in TritonExecution.worklist:
                        if inp.dataAddr == newInput.dataAddr:
                            isPresent = True
                            break
                    if not isPresent:
                        TritonExecution.worklist.append(newInput)

            # If there is input to test in the worklist, we restore the snapshot
            if len(TritonExecution.worklist) > 0 and isSnapshotEnabled():
                print "[+] Restore snapshot"
                restoreSnapshot()
            return
        return